An application firewall is a form of firewall that controls the input/output or system calls of an application or service. It operates by monitoring and blocking communications based on a configured policy, generally with predefined rule sets to choose from. The two primary categories of application firewalls are ''network-based'' and ''host-based''.
History
Gene Spafford of Purdue University, Bill Cheswick at AT&T Laboratories, and Marcus Ranum described a third-generation firewall known as an application layer firewall. Marcus Ranum's work, based on the firewall created by Paul Vixie, Brian Reid, and Jeff Mogul, spearheaded the creation of the first commercial product. The product was released by DEC and named the DEC SEAL (Secure External Access Link) by Geoff Mulligan. DEC's first major sale was on June 13, 1991, to DuPont.
Under a broader DARPA contract at TIS, Marcus Ranum, Wei Xu, and Peter Churchyard developed the Firewall Toolkit (FWTK) and made it freely available under license in October 1993. The purposes for releasing the freely available, not-for-commercial-use FWTK were: to demonstrate, via the software, documentation, and methods used, how a company with (at the time) 11 years of experience in formal security methods, and individuals with firewall experience, developed firewall software; to create a common base of very good firewall software for others to build on (so people did not have to continue to "roll their own" from scratch); and to "raise the bar" of the firewall software in use. However, FWTK was a basic application proxy that still required user interaction.
In 1994, Wei Xu extended the FWTK with kernel enhancements for IP stateful filtering and socket transparency. This was the first transparent firewall, regarded as the inception of the third-generation firewall, going beyond the traditional application proxy (the second-generation firewall). It was released as the commercial product known as the Gauntlet firewall. Gauntlet was rated one of the top application firewalls from 1995 until 1998, the year it was acquired by Network Associates Inc. (NAI). Network Associates continued to claim that Gauntlet was the "world's most secure firewall", but in May 2000 security researcher Jim Stickley discovered a serious vulnerability in the firewall that allowed remote access to the underlying operating system, bypassing its security controls. Stickley discovered a second vulnerability a year later, effectively ending Gauntlet's security dominance.
Description
Application layer filtering operates at a higher level than traditional security appliances. This allows packet decisions to be made based on more than just the source/destination IP address or port, and can also use information spanning multiple connections for any given host.
Network-based application firewalls
Network-based application firewalls operate at the application layer of a TCP/IP stack and can understand certain applications and protocols such as File Transfer Protocol (FTP), Domain Name System (DNS), or Hypertext Transfer Protocol (HTTP). This allows them to identify unwanted applications or services using a non-standard port, or to detect whether an allowed protocol is being abused.
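As an added example (not code from the original article or from any product named on this page), the following Python sketch shows the two properties described in the preceding paragraphs together: each flow is classified by what the client actually sends rather than by its port, so SSH on port 443 or an oversized DNS query on port 53 is caught even though the port itself is permitted, and the firewall keeps per-host state across connections so that a host which repeatedly violates policy is quarantined. The port-to-protocol table, the quarantine threshold, the tunneling heuristic and the sample flows are all constructed assumptions for the demonstration.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Policy: which protocol each permitted port is expected to carry (assumption).
EXPECTED = {80: "http", 443: "tls", 22: "ssh", 53: "dns"}

HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n")


@dataclass
class Flow:
    src: str        # client address
    dst_port: int   # destination port the client connected to
    payload: bytes  # first bytes the client sent on the flow


def parse_dns_query(payload: bytes):
    """Return the question-name labels of a DNS query, or None if it is not one."""
    if len(payload) < 12:
        return None
    flags = int.from_bytes(payload[2:4], "big")
    qdcount = int.from_bytes(payload[4:6], "big")
    if flags & 0x8000 or qdcount != 1:           # QR=1 is a response; expect one question
        return None
    labels, i = [], 12
    while i < len(payload):
        n = payload[i]
        i += 1
        if n == 0:                               # root label terminates the name
            return labels
        if n & 0xC0 or i + n > len(payload):     # no compression pointers, no truncation
            return None
        labels.append(payload[i:i + n].decode("ascii", "replace"))
        i += n
    return None                                  # name never terminated


def identify(payload: bytes) -> str:
    """Classify a flow by its first client bytes, independent of the port used."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    if HTTP_REQUEST.match(payload):
        return "http"
    # TLS record: content type 22 (handshake), major version 3, handshake type 1 (ClientHello)
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    if parse_dns_query(payload) is not None:
        return "dns"
    return "unknown"


class ApplicationFirewall:
    """Per-flow decisions plus state that spans connections from the same host."""

    def __init__(self, quarantine_after: int = 2):
        self.quarantine_after = quarantine_after   # violations before a host is cut off
        self.violations = Counter()

    @staticmethod
    def _dns_abuse(labels) -> bool:
        # Heuristic: tunnels pack data into long labels / very long names (assumption).
        return any(len(l) > 40 for l in labels) or sum(len(l) + 1 for l in labels) > 120

    def decide(self, flow: Flow) -> str:
        if self.violations[flow.src] >= self.quarantine_after:
            return "deny: host quarantined after repeated violations"
        proto = identify(flow.payload)
        expected = EXPECTED.get(flow.dst_port)
        if expected is None:
            verdict = "deny: port not in policy"
        elif proto != expected:
            verdict = f"deny: {proto} traffic on port {flow.dst_port} (expected {expected})"
        elif proto == "dns" and self._dns_abuse(parse_dns_query(flow.payload)):
            verdict = "deny: dns query looks like tunneling"
        else:
            verdict = f"allow: {proto}"
        if verdict.startswith("deny"):
            self.violations[flow.src] += 1
        return verdict


def build_dns_query(name: str) -> bytes:
    """Constructed sample: a recursive A query (ID 0x1234, RD set) for `name`."""
    header = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return header + qname + b"\x00" + b"\x00\x01\x00\x01"


def run_demo():
    """Constructed flows: 10.0.0.7 behaves, 10.0.0.9 smuggles SSH and tunnels DNS."""
    fw = ApplicationFirewall()
    flows = [
        Flow("10.0.0.7", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
        Flow("10.0.0.7", 443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03\x03" + bytes(28)),
        Flow("10.0.0.9", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),
        Flow("10.0.0.9", 53, build_dns_query("a" * 60 + ".example.com")),
        Flow("10.0.0.9", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
        Flow("10.0.0.7", 53, build_dns_query("www.example.com")),
    ]
    return [fw.decide(f) for f in flows]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The third and fourth verdicts are the "wrong protocol on an allowed port" and "allowed protocol being abused" cases; the fifth shows the cross-connection state, since the HTTP request from 10.0.0.9 would have been allowed on its own. A product does far deeper parsing (full HTTP, TLS and DNS state machines) and tunes its heuristics to the environment, because a label-length rule like the one here will also trip on legitimate long hostnames.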
Modern versions of network-based application firewalls can include the following technologies:
* Encryption offloading
* Intrusion prevention system
* Data loss prevention
Web application firewalls (WAFs) are a specialized version of a network-based appliance that acts as a reverse proxy, inspecting traffic before it is forwarded to an associated server.
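As an added example (not text from the original article nor the code of any WAF product listed below), this Python function models the inspection step a WAF performs in front of the origin server: every client-controlled field (path, query parameters, form body, selected headers) is decoded and normalized before signatures are matched, because a rule that only sees the raw request is trivially evaded with percent-encoding or double-encoding. The method allowlist, the size limit and the two signatures are constructed assumptions; real rule sets such as the OWASP Core Rule Set used with ModSecurity are far larger.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

ALLOWED_METHODS = {"GET", "HEAD", "POST"}      # assumption for the demo
MAX_BODY_BYTES = 64 * 1024                      # assumption for the demo
INSPECTED_HEADERS = ("user-agent", "referer", "cookie")

# Illustrative signatures only; production rule sets are much larger and tuned.
SIGNATURES = [
    ("sqli", re.compile(r"(?i)\bunion\b.+\bselect\b|'\s*or\s+\d+\s*=\s*\d+|;\s*drop\s+table")),
    ("xss", re.compile(r"(?i)<script\b|javascript:|\bon\w+\s*=")),
]


def normalize(value: str) -> str:
    """Percent-decode up to twice (catches %252e-style double encoding), drop NULs."""
    for _ in range(2):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\x00", "")


def inspect(method: str, target: str, headers: dict, body: bytes = b"") -> tuple:
    """Return ("forward", "ok") or ("block", reason) for one client request."""
    if method not in ALLOWED_METHODS:
        return ("block", f"method {method} not allowed")
    if len(body) > MAX_BODY_BYTES:
        return ("block", "body too large")

    parts = urlsplit(target)
    path = normalize(parts.path)
    # Traversal check runs on the *decoded* path: "..%2F" and "..%252F" both become "..".
    if ".." in path.split("/"):
        return ("block", "path traversal in " + path)

    # Gather every client-controlled string in decoded form, labelled by origin.
    fields = [("path", path)]
    fields += [("query:" + k, normalize(v))
               for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    lowered = {k.lower(): v for k, v in headers.items()}
    fields += [("header:" + h, lowered[h]) for h in INSPECTED_HEADERS if h in lowered]
    if body:
        text = body.decode("utf-8", "replace")
        if lowered.get("content-type", "").startswith("application/x-www-form-urlencoded"):
            fields += [("form:" + k, normalize(v))
                       for k, v in parse_qsl(text, keep_blank_values=True)]
        else:
            fields.append(("body", normalize(text)))

    for name, value in fields:
        for rule, pattern in SIGNATURES:
            if pattern.search(value):
                return ("block", f"{rule} signature in {name}")
    return ("forward", "ok")


def run_demo():
    """Constructed requests: two benign, four that a WAF should stop."""
    ua = {"User-Agent": "Mozilla/5.0"}
    form = {"User-Agent": "Mozilla/5.0",
            "Content-Type": "application/x-www-form-urlencoded"}
    return [
        inspect("GET", "/search?q=application+firewall", ua),
        inspect("GET", "/search?q=%27%20OR%201%3D1%20--", ua),
        inspect("GET", "/static/..%252F..%252Fetc/passwd", ua),
        inspect("TRACE", "/", ua),
        inspect("POST", "/comment", form, b"text=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
        inspect("GET", "/menu?q=select+from+menu", ua),
    ]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The last request is there to show that a word like "select" on its own should not trip the rule; signature-based WAFs live or die by their false-positive rate, so rules key on combinations ("union ... select") rather than single keywords. The double-decoding loop in normalize is the detail that matters most in practice: the third request is only recognisable as traversal after two rounds of decoding.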
Host-based application firewalls
A host-based application firewall monitors application system calls or other general system communication. This gives more granularity and control, but it is limited to protecting only the host it runs on. Control is applied by filtering on a per-process basis. Generally, prompts are used to define rules for processes that have not yet received a connection. Further filtering can be done by examining the process ID of the owner of the data packets. Many host-based application firewalls are combined or used in conjunction with a packet filter.
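As an added example (not from the original article or from any of the products listed later on this page), the following Python code shows how a host-based firewall on Linux can attribute an established TCP connection to the process that owns it and then apply a per-program rule, including the "prompt" outcome for a program that has no rule yet. The /proc/net/tcp excerpt, the socket-inode-to-process table (which a real implementation builds by resolving the socket:[inode] links under /proc/<pid>/fd and reading /proc/<pid>/exe) and the rule table are all constructed for the demonstration.

```python
import socket
import struct

# Per-program rules such a firewall would have learned from the user's prompt
# answers: executable path -> destination ports it may reach. (Constructed.)
RULES = {
    "/usr/bin/curl": {80, 443},
    "/usr/bin/ssh": {22},
}

# Constructed excerpt in the layout of /proc/net/tcp. Addresses are little-endian
# hex IPv4 plus big-endian hex port; column 4 is the TCP state, column 10 the inode.
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0A00000A:C3A2 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 20 4 30 10 -1
   2: 0A00000A:C3B0 0B00000A:0016 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 20 4 30 10 -1
   3: 0A00000A:C3C0 22D8B85D:0019 01 00000000:00000000 00:00000000 00000000  1000        0 12348 1 0000000000000000 20 4 30 10 -1
"""

# Socket inode -> (pid, executable). On a real host this comes from scanning
# /proc/<pid>/fd for "socket:[inode]" symlinks. (Constructed.)
SOCKET_OWNERS = {
    12346: (4242, "/usr/bin/curl"),
    12347: (5151, "/tmp/dropper"),
    12348: (4242, "/usr/bin/curl"),
}

TCP_ESTABLISHED = 0x01   # /proc/net/tcp state codes; 0x0A is LISTEN


def decode_addr(hex_addr: str):
    """'0100007F:1F90' -> ('127.0.0.1', 8080): IPv4 stored little-endian, port big-endian."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> list:
    """Parse the socket table into dicts; the first line is the column header."""
    conns = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        conns.append({
            "local": decode_addr(f[1]),
            "remote": decode_addr(f[2]),
            "state": int(f[3], 16),
            "uid": int(f[7]),
            "inode": int(f[9]),
        })
    return conns


def decide(conn: dict, owner) -> str:
    """Apply the per-program rule for one connection given its owning process."""
    ip, port = conn["remote"]
    if owner is None:
        return f"deny: no owning process for {ip}:{port}"
    pid, exe = owner
    allowed = RULES.get(exe)
    if allowed is None:
        # No rule yet: a GUI host firewall would raise a prompt here and store the answer.
        return f"prompt: {exe} (pid {pid}) -> {ip}:{port} has no rule yet"
    if port in allowed:
        return f"allow: {exe} -> {ip}:{port}"
    return f"deny: {exe} -> {ip}:{port} not in rule"


def audit(proc_text: str = PROC_NET_TCP, owners: dict = SOCKET_OWNERS) -> list:
    """Judge every established connection; listeners are skipped."""
    verdicts = []
    for conn in parse_proc_net_tcp(proc_text):
        if conn["state"] != TCP_ESTABLISHED:
            continue
        verdicts.append(decide(conn, owners.get(conn["inode"])))
    return verdicts


if __name__ == "__main__":
    for verdict in audit():
        print(verdict)
```

Reading procfs after the fact, as here, only observes connections; a real host firewall has to sit in the path (netfilter hooks, a kernel module, or seccomp/LSM policy on the connect system call) to block them before the first packet leaves. Matching on the executable path alone is also weak, since a process may be replaced by a program of the same name; shipping products additionally check the binary's hash or signature.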
Due to technological limitations, modern solutions such as sandboxing are increasingly used in place of host-based application firewalls to protect system processes.
Implementations
There are various application firewalls available, including both free and open source software and commercial products.
Mac OS X
Starting with Mac OS X Leopard, an implementation of the TrustedBSD MAC framework (taken from FreeBSD) was included. The TrustedBSD MAC framework is used to sandbox services and provides a firewall layer, given the configuration of the sharing services in Mac OS X Leopard and Snow Leopard. Third-party applications can provide extended functionality, including filtering outgoing connections by app.
Linux
This is a list of security software packages for Linux, allowing filtering of application-to-OS communication, possibly on a per-user basis:
* AppArmor
* Kerio Control, a commercial product from Kerio Technologies
* ModSecurity, which also works under Windows, Mac OS X, Oracle Solaris and other versions of Unix. ModSecurity is designed to work with the web servers IIS, Apache2 and NGINX.
* Portmaster, an activity monitoring application by Safing. It is also available for Microsoft Windows.
* Systrace
* Zorp firewall
Windows
* Portmaster
* Microsoft Defender Firewall
* WinGate
Network appliances
These devices may be sold as hardware, software, or virtualized network appliances.
Next-Generation Firewalls:
* Cisco Firepower Threat Defense
* Check Point
* Fortinet FortiGate Series
* Juniper Networks SRX Series
* Palo Alto Networks
* SonicWALL TZ/NSA/SuperMassive Series
Web Application Firewalls/Load Balancers:
* A10 Networks Web Application Firewall
* Barracuda Networks Web Application Firewall/Load Balancer ADC
* Citrix NetScaler
* F5 Networks BIG-IP Application Security Manager
* Fortinet FortiWeb Series
* KEMP Technologies
* Imperva
Others:
* Cloudflare
* Meraki
* Smoothwall
* Snapt Inc
See also
* ModSecurity
* Computer security
* Content-control software
* Proxy server
* Information security
* Application security
* Network security
External links
* Web Application Firewall, Open Web Application Security Project
* Web Application Firewall Evaluation Criteria from the Web Application Security Consortium
* Safety in the cloud(s): 'Vaporizing' the Web application firewall to secure cloud computing