An application firewall is a form of firewall that controls

input/output In computing, input/output (I/O, i/o, or informally io or IO) is the communication between an information processing system, such as a computer, and the outside world, such as another computer system, peripherals, or a human operator. Inputs a ...

system call In computing, a system call (syscall) is the programmatic way in which a computer program requests a service from the operating system on which it is executed. This may include hardware-related services (for example, accessing a hard disk drive ...

s of an application or service. It operates by monitoring and blocking communications based on a configured policy, generally with predefined rule sets to choose from. The two primary categories of application firewalls are ''network-based'' and ''host-based''.

History

Gene Spafford of

Purdue University Purdue University is a Public university#United States, public Land-grant university, land-grant research university in West Lafayette, Indiana, United States, and the flagship campus of the Purdue University system. The university was founded ...

, Bill Cheswick at AT&T Laboratories, and Marcus Ranum described a third-generation firewall known as an application layer firewall. Marcus Ranum's work, based on the firewall created by Paul Vixie, Brian Reid, and Jeff Mogul, spearheaded the creation of the first commercial product. The product was released by DEC, named the DEC SEAL by Geoff Mulligan - Secure External Access Link. DEC's first major sale was on June 13, 1991, to Dupont. Under a broader DARPA contract at TIS, Marcus Ranum, Wei Xu, and Peter Churchyard developed the Firewall Toolkit (FWTK) and made it freely available under license in October 1993. The purposes for releasing the freely available, not for commercial use, FWTK were: to demonstrate, via the software, documentation, and methods used, how a company with (at the time) 11 years experience in formal security methods, and individuals with firewall experience, developed firewall software; to create a common base of very good firewall software for others to build on (so people did not have to continue to "roll their own" from scratch); to "raise the bar" of firewall software being used. However, FWTK was a basic application proxy requiring the user interactions. In 1994, Wei Xu extended the FWTK with the Kernel enhancement of IP stateful filter and socket transparent. This was the first transparent firewall, known as the inception of the third generation firewall, beyond a traditional application proxy ( the second generation firewall), released as the commercial product known as Gauntlet firewall. Gauntlet firewall was rated one of the top application firewalls from 1995 until 1998, the year it was acquired by Network Associates Inc, (NAI). Network Associates continued to claim that Gauntlet was the "worlds most secure firewall" but in May 2000, security researcher Jim Stickley discovered a large vulnerability in the firewall, allowing remote access to the operating system and bypassing the security controls. Stickley discovered a second vulnerability a year later, effectively ending Gauntlet firewalls' security dominance.

Description

Application layer An application layer is an abstraction layer that specifies the shared communication protocols and interface methods used by hosts in a communications network. An ''application layer'' abstraction is specified in both the Internet Protocol Su ...

filtering operates at a higher level than traditional security appliances. This allows packet decisions to be made based on more than just source/destination IP Address or ports and can also use information spanning across multiple connections for any given host.

Network-based application firewalls

Network-based application firewalls operate at the application layer of a TCP/IP stack and can understand certain applications and protocols such as

File Transfer Protocol The File Transfer Protocol (FTP) is a standard communication protocol used for the transfer of computer files from a server to a client on a computer network. FTP is built on a client–server model architecture using separate control and d ...

(FTP),

Domain Name System The Domain Name System (DNS) is a hierarchical and distributed name service that provides a naming system for computers, services, and other resources on the Internet or other Internet Protocol (IP) networks. It associates various information ...

(DNS), or

Hypertext Transfer Protocol HTTP (Hypertext Transfer Protocol) is an application layer protocol in the Internet protocol suite model for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web, wher ...

(HTTP). This allows it to identify unwanted applications or services using a non standard port or detect if an allowed protocol is being abused. Modern versions of network-based application firewalls can include the following technologies: * Encryption offloading *

Intrusion prevention system An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any intrusion activity or violation is typically either reported to an administrator or collec ...

* Data loss prevention Web application firewalls (WAF) are a specialized version of a network-based appliance that acts as a reverse proxy, inspecting traffic before being forwarded to an associated server.

Host-based application firewalls

A host-based application firewall monitors application system calls or other general system communication. This gives more granularity and control, but is limited to only protecting the host it is running on. Control is applied by filtering on a per process basis. Generally, prompts are used to define rules for processes that have not yet received a connection. Further filtering can be done by examining the process ID of the owner of the data packets. Many host-based application firewalls are combined or used in conjunction with a packet filter. Due to technological limitations, modern solutions such as sandboxing are being used as a replacement of host-based application firewalls to protect system processes.

Implementations

There are various application firewalls available, including both free and open source software and commercial products.

Mac OS X

Starting with Mac OS X Leopard, an implementation of the TrustedBSD MAC framework (taken from FreeBSD), was included. The TrustedBSD MAC framework is used to sandbox services and provides a firewall layer, given the configuration of the sharing services in

Mac OS Mac operating systems were developed by Apple Inc. in a succession of two major series. In 1984, Apple debuted the operating system that is now known as the classic Mac OS with its release of the original Macintosh System Software. The system ...

X Leopard and Snow Leopard. Third-party applications can provide extended functionality, including filtering out outgoing connections by app.

Linux

This is a list of security software packages for Linux, allowing filtering of application to OS communication, possibly on a by-user basis: * AppArmor * Kerio Control — a commercial product from Kerio Technologies * ModSecurity — also works under Windows, Mac OS X, Oracle Solaris and other versions of

Unix Unix (, ; trademarked as UNIX) is a family of multitasking, multi-user computer operating systems that derive from the original AT&T Unix, whose development started in 1969 at the Bell Labs research center by Ken Thompson, Dennis Ritchie, a ...

. ModSecurity is designed to work with the Web servers IIS, Apache2 and NGINX. * Portmaster — an activity monitoring application by Safing. It is also available for

Microsoft Windows Windows is a Product lining, product line of Proprietary software, proprietary graphical user interface, graphical operating systems developed and marketed by Microsoft. It is grouped into families and subfamilies that cater to particular sec ...

. * Systrace * Zorp firewall

Windows

* Portmaster * Microsoft Defender Firewall * WinGate

Network appliances

These devices may be sold as hardware, software, or virtualized network appliances. Next-Generation Firewalls: *Cisco Firepower Threat Defense * Check Point * Fortinet FortiGate Series *

Juniper Networks Juniper Networks, Inc. is an American multinational corporation headquartered in Sunnyvale, California. The company develops and markets networking products, including Router (computing), routers, Network switch, switches, network management so ...

SRX Series * Palo Alto Networks * SonicWALL TZ/NSA/SuperMassive Series Web Application Firewalls/LoadBalancers: * A10 Networks Web Application Firewall * Barracuda Networks Web Application Firewall/Load Balancer ADC * Citrix NetScaler * F5 Networks BIG-IP Application Security Manager * Fortinet FortiWeb Series * KEMP Technologies * Imperva Others: *

CloudFlare Cloudflare, Inc., is an American company that provides content delivery network services, cybersecurity, DDoS mitigation, wide area network services, reverse proxies, Domain Name Service, ICANN-accredited domain registration, and other se ...

* Meraki * Smoothwall * Snapt Inc

References

External links

Web Application Firewall
Open Web Application Security Project
Web Application Firewall Evaluation Criteria
from th
Web Application Security ConsortiumSafety in the cloud(s): 'Vaporizing' the Web application firewall to secure cloud computing
{{DEFAULTSORT:Application Firewall Firewall software Packets (information technology) Data security Cyberwarfare