Application firewall: Difference between revisions

From Wikipedia, the free encyclopedia
Ssehic (talk | contribs)
GreenC bot (talk | contribs)
 
<!-- READ BEFORE EDITING!
before editing this page, please make sure the information being added explicitly relates to the unique qualities of application firewalls. Also, check to see if another article does not already exist that covers the content being added. Try to cite as much as possible as this information can be easily incorrectly explained, and the network security articles seem to follow a trend of not citing information.
-->
{{short description|Layer 7/application layer network security system}}
{{about|a sub-type of network firewall|the primary topic of firewalls|Firewall (computing)}}
{{More citations needed|date=February 2010}}


An '''application firewall''' is a form of [[Firewall (computing)|firewall]] that controls [[input/output]] or [[system call]]s of an application or service. It operates by monitoring and blocking communications based on a configured policy, generally with predefined rule sets to choose from. The two primary categories of application firewalls are ''network-based'' and ''host-based''. Unlike a packet filter, a network-based application firewall does not route traffic at the [[network layer]]: traffic terminates at the firewall, which acts as a [[proxy server|proxy]] and opens its own connection onward only if the traffic satisfies the rules.

== History ==
[[Gene Spafford]] of [[Purdue University]], [[Bill Cheswick]] at [[AT&T Laboratories]], and [[Marcus Ranum]] described a third-generation firewall known as an application layer firewall. Marcus Ranum's work, based on the firewall created by [[Paul Vixie]], [[Brian Reid (computer scientist)|Brian Reid]], and Jeff Mogul, spearheaded the creation of the first commercial product. The product was released by DEC under the name DEC SEAL (Secure External Access Link), coined by [[Geoff Mulligan]]. DEC's first major sale was on June 13, 1991, to DuPont.

Under a broader DARPA contract at TIS, Marcus Ranum, Wei Xu, and Peter Churchyard developed the Firewall Toolkit (FWTK) and made it freely available under license in October 1993.<ref>{{cite web |url=http://www.avolio.com/papers/FWTKv1.0Announcement.html |title=Firewall toolkit V1.0 release |access-date=2018-12-28}}</ref> The purposes of releasing the freely available, not-for-commercial-use FWTK were: to demonstrate, via the software, documentation, and methods used, how a company with (at the time) 11 years' experience in formal security methods, and individuals with firewall experience, developed firewall software; to create a common base of very good firewall software for others to build on (so people did not have to continue to "roll their own" from scratch); and to "raise the bar" of the firewall software in use. However, FWTK was a basic application proxy that required user interaction.

In 1994, Wei Xu extended the FWTK with kernel enhancements: an IP stateful filter and transparent sockets. This was the first transparent firewall, regarded as the inception of [[Firewall (computing)#Application layer|the third generation firewall]], going beyond a traditional application proxy ([[Firewall (computing)#Connection tracking|the second generation firewall]]); it was released as the commercial product known as the Gauntlet firewall. Gauntlet was rated one of the top application firewalls from 1995 until 1998, the year it was acquired by Network Associates Inc. (NAI). Network Associates continued to claim that Gauntlet was the "world's most secure firewall", but in May 2000 security researcher [[Jim Stickley]] discovered a serious vulnerability in the firewall that allowed remote access to the underlying operating system, bypassing its security controls.<ref>{{cite web|title=Security Hole found in NAI Firewall|url=https://www.securityfocus.com/news/40|author=Kevin Poulsen|date=May 22, 2000|access-date=2018-08-14|publisher=securityfocus.com}}</ref> [[Jim Stickley|Stickley]] discovered a second vulnerability a year later, effectively ending the Gauntlet firewall's security dominance.<ref>{{cite web|title=Gaping hole in NAI's Gauntlet firewall|url=https://www.theregister.co.uk/2001/09/05/gaping_hole_in_nais_gauntlet/|author=Kevin Poulsen|date=September 5, 2001|access-date=2018-08-14|publisher=theregister.co.uk}}</ref>

== Description ==
[[Application layer]] filtering operates at a higher level than traditional packet-filtering appliances. Filtering decisions can therefore be based on more than source and destination IP addresses or ports: they can take into account the content of the traffic and state accumulated across multiple connections from any given host.


=== Network-based application firewalls ===
{{see also|Web application firewall}}

Network-based application firewalls operate at the application layer of a [[protocol stack| TCP/IP stack]]<ref>{{cite book|title=The Weakest Security Link Series|edition=1st|url=https://books.google.com/books?id=Yz34zXV7VB8C&q=application+layer+firewall&pg=PA54|author=Luis F. Medina|year=2003|page=54|isbn=978-0-595-26494-0|publisher=IUniverse}}</ref> and can understand certain applications and protocols such as [[File Transfer Protocol]] (FTP), [[Domain Name System]] (DNS), or [[Hypertext Transfer Protocol]] (HTTP). This allows the firewall to identify unwanted applications or services running on a non-standard port, or to detect whether an allowed protocol is being abused.<ref>{{Cite web|title=What is Layer 7? How Layer 7 of the Internet Works| url=https://www.cloudflare.com/learning/ddos/what-is-layer-7/ | access-date=Aug 29, 2020| website=Cloudflare}}</ref>
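
The following is an added example, not text or code from the article, showing in working Python the two ideas stated in the Description section and in the paragraph above: the application protocol is identified from the first bytes a client sends rather than from the destination port, so SSH on port 8080 or HTTP on port 443 is caught, and a per-host counter spanning several connections blocks a client that keeps presenting the wrong protocol. The port-to-protocol policy, the mismatch threshold and all traffic samples are assumptions constructed for the example; the byte patterns used to recognise SSH, TLS, HTTP and DNS-over-TCP follow those protocols' published wire formats.

```python
"""Port-independent protocol identification with state kept per client host.

Added example, not part of the Wikipedia article: a toy network-based
application-layer filter.  It classifies each TCP stream by the first bytes
the client sends rather than by destination port, compares that with the
protocol expected on the port, and blocks a client after repeated mismatches,
so the verdict uses information spanning several connections.  The policy
tables and every traffic sample below are constructed for the example.
"""
from collections import defaultdict

# Policy (assumed): protocol expected on each well-known port, and which
# identified protocols may run on ports the policy does not list.
EXPECTED_ON_PORT = {22: "ssh", 53: "dns", 80: "http", 443: "tls"}
ALLOWED_ON_OTHER_PORTS = {"http", "tls"}

HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def identify(payload: bytes) -> str:
    """Guess the application protocol from the first bytes a client sends."""
    if payload.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    # TLS: record type 0x16 (handshake), version major 3, 2-byte length,
    # then a handshake message of type 1 (ClientHello).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    if payload.startswith(HTTP_METHODS):
        return "http"
    # DNS over TCP: 2-byte length prefix, then a 12-byte header whose flags
    # have QR=0 (a query) and whose QDCOUNT is at least 1.
    if len(payload) >= 14:
        length = int.from_bytes(payload[0:2], "big")
        flags = int.from_bytes(payload[4:6], "big")
        qdcount = int.from_bytes(payload[6:8], "big")
        if length == len(payload) - 2 and not flags & 0x8000 and qdcount >= 1:
            return "dns"
    return "unknown"


class AppLayerFilter:
    """Per-connection verdicts with a per-host mismatch counter."""

    def __init__(self, max_mismatches: int = 3):
        self.max_mismatches = max_mismatches
        self.mismatches = defaultdict(int)  # client IP -> mismatches seen so far
        self.blocked_hosts = set()

    def decide(self, client_ip: str, dst_port: int, first_bytes: bytes):
        """Return ('allow' | 'block', reason) for one new connection."""
        if client_ip in self.blocked_hosts:
            return "block", "host blocked after repeated protocol mismatches"
        seen = identify(first_bytes)
        expected = EXPECTED_ON_PORT.get(dst_port)
        if expected is None:
            if seen in ALLOWED_ON_OTHER_PORTS:
                return "allow", f"{seen} permitted on non-standard port {dst_port}"
            return "block", f"{seen} not permitted on port {dst_port}"
        if seen != expected:
            self.mismatches[client_ip] += 1
            if self.mismatches[client_ip] >= self.max_mismatches:
                self.blocked_hosts.add(client_ip)
            return "block", f"port {dst_port} expects {expected}, saw {seen}"
        return "allow", f"{seen} on port {dst_port}"


# Constructed samples: (client IP, destination port, first bytes sent).
DNS_QUERY = b"\x00\x11" + b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + b"\x00\x00\x01\x00\x01"
SAMPLE_CONNECTIONS = [
    ("10.0.0.5", 80, b"GET / HTTP/1.1\r\nHost: intranet.test\r\n\r\n"),            # allow
    ("10.0.0.5", 443, bytes.fromhex("160301003a010000360303") + b"\x00" * 40),  # allow: ClientHello
    ("10.0.0.5", 53, DNS_QUERY),                                                  # allow
    ("10.0.0.9", 8080, b"SSH-2.0-OpenSSH_9.6\r\n"),                              # block: ssh on odd port
    ("10.0.0.7", 80, b"SSH-2.0-OpenSSH_9.6\r\n"),                                # block: mismatch 1
    ("10.0.0.7", 80, b"\x16\x03\x01\x00\x05\x01abcd"),                           # block: mismatch 2
    ("10.0.0.7", 443, b"GET / HTTP/1.1\r\n\r\n"),                                # block: mismatch 3, host blocked
    ("10.0.0.7", 80, b"GET / HTTP/1.1\r\nHost: intranet.test\r\n\r\n"),          # block: host already blocked
]


def run_samples():
    """Run every sample through one filter instance; return (verdicts, filter)."""
    fw = AppLayerFilter()
    return [fw.decide(ip, port, data)[0] for ip, port, data in SAMPLE_CONNECTIONS], fw


if __name__ == "__main__":
    verdicts, fw = run_samples()
    for (ip, port, _), verdict in zip(SAMPLE_CONNECTIONS, verdicts):
        print(f"{ip:>9} -> :{port:<5} {verdict}")
    print("blocked hosts:", sorted(fw.blocked_hosts))
```

Run directly, it prints a verdict per sample connection. A production appliance recognises far more protocols and inspects both directions of the stream; the point here is that the verdict is a function of payload and per-host history, not of the port number alone.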

Modern versions of network-based application firewalls can include the following technologies:
*[[TLS acceleration| Encryption offloading ]]
*[[Intrusion prevention system]]
*[[Data loss prevention]]

Web application firewalls (WAF) are a specialized version of a network-based appliance that acts as a [[reverse proxy]], inspecting HTTP traffic before it is forwarded to the server it protects.
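
As an added example (not from the article or from any vendor's rule set), the following Python code performs the inspection step a WAF carries out in that reverse-proxy position: it parses a raw HTTP request, rejects ambiguous framing such as a Content-Length combined with Transfer-Encoding or whitespace inside a header name, enforces a method allowlist, and normalises the request path after percent-decoding so that encoded dot segments cannot climb above the document root. The limits, the allowlist and the sample requests are assumptions constructed for illustration.

```python
"""HTTP request inspection at the reverse-proxy position of a web application
firewall: parse the raw request, check it against policy, and forward only
what passes.  Added example, not from the Wikipedia article or any vendor;
limits, allowlist and sample requests are assumptions constructed here."""
from urllib.parse import unquote

ALLOWED_METHODS = {"GET", "HEAD", "POST"}   # policy assumption
MAX_HEADERS, MAX_HEADER_LINE, MAX_BODY = 50, 8192, 1 << 20


def parse_request(raw: bytes):
    """Return (method, target, version, headers, body).  Headers are a list of
    (name, value) pairs, not a dict, so duplicate fields stay visible."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("end of headers not found")
    lines = head.split(b"\r\n")
    try:
        method, target, version = lines[0].decode("ascii").split(" ")
    except (UnicodeDecodeError, ValueError):
        raise ValueError("malformed request line") from None
    headers = []
    for line in lines[1:]:
        if len(line) > MAX_HEADER_LINE:
            raise ValueError("header line too long")
        name, colon, value = line.partition(b":")
        # 'Content-Length : 5' (space before the colon) is a classic way to make
        # proxy and origin disagree about a header, so reject padded names.
        if not colon or not name or name != name.strip():
            raise ValueError("malformed header field")
        headers.append((name.decode("latin-1").lower(), value.strip().decode("latin-1")))
    return method, target, version, headers, body


def normalize_path(target: str) -> str:
    """Percent-decode twice (defeats double encoding; a literal %25 in a path
    is the accepted casualty), resolve dot segments, refuse to climb above /."""
    decoded = unquote(unquote(target.split("?", 1)[0])).replace("\\", "/")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        raise ValueError("control character in path")
    segments = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                raise ValueError("path escapes document root")
            segments.pop()
        else:
            segments.append(seg)
    return "/" + "/".join(segments)


def inspect_request(raw: bytes):
    """Return ('forward', normalized_path) or ('block', reason)."""
    try:
        method, target, version, headers, _body = parse_request(raw)
    except ValueError as exc:
        return "block", f"parse error: {exc}"
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return "block", f"unsupported version {version}"
    if method not in ALLOWED_METHODS:
        return "block", f"method {method} not allowed"
    if len(headers) > MAX_HEADERS:
        return "block", "too many header fields"
    names = [n for n, _ in headers]
    if version == "HTTP/1.1" and names.count("host") != 1:
        return "block", "exactly one Host header required"
    if names.count("content-length") > 1 or {"content-length", "transfer-encoding"} <= set(names):
        return "block", "ambiguous message length (request smuggling)"
    length = next((v for n, v in headers if n == "content-length"), None)
    if length is not None and (not length.isdigit() or int(length) > MAX_BODY):
        return "block", "invalid or oversized Content-Length"
    try:
        return "forward", normalize_path(target)
    except ValueError as exc:
        return "block", str(exc)


# Constructed sample requests.
SAMPLE_REQUESTS = {
    "plain get": b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "dot segments": b"GET /a/./b/../c?x=1 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "traversal": b"GET /static/%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "double encoded": b"GET /%252e%252e/secret HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "method": b"TRACE / HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "smuggling": (b"POST /api HTTP/1.1\r\nHost: shop.example\r\nContent-Length: 4\r\n"
                  b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n"),
    "padded name": b"GET / HTTP/1.1\r\nHost: shop.example\r\nContent-Length : 5\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLE_REQUESTS.items():
        print(f"{label:15} {inspect_request(raw)}")
```

Because the proxy terminates the client connection, it can forward the normalised path it computed rather than the raw target, so the origin server never sees the encoded form at all; that is what distinguishes the reverse-proxy WAF from a passive inspection device.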

=== Host-based application firewalls ===
A host-based application firewall monitors application [[System call| system calls]] or other general system communication. This gives more granularity and control, but it can only protect the host it is running on. Control is applied by filtering on a per-process basis: generally the user is prompted to define a rule the first time a process attempts a connection that no existing rule covers, and packets are attributed to a process by examining the process ID of the socket's owner. Many host-based application firewalls are combined or used in conjunction with a packet filter.<ref name="Symantec">{{cite web|url=https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=54428548-10f1-4643-92d9-487740e72db7&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments|title=Software Firewalls: Made of Straw? Part 1 of 2|website=Symantec.com|publisher=Symantec Connect Community|date=2010-06-29|access-date=2013-09-05}}</ref>
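
An added example, not from the article, of the attribution step described above as it works on Linux, in Python: the kernel's /proc/net/tcp table lists every socket with its inode, and the /proc/<pid>/fd symlinks of each process show which socket inodes belong to it, so a connection can be mapped to its owning process and the per-process rules applied (or, when no rule exists, the user prompted). The two /proc inputs here are constructed sample data so the code runs offline, and the rule table and the prompt stand-in are assumptions for the example.

```python
"""Attributing TCP connections to their owning process, which is how a
host-based application firewall on Linux decides per process.

Added example, not part of the Wikipedia article.  On a real system the
inputs come from /proc/net/tcp (one line per socket: addresses as
little-endian hex, state, uid, socket inode) and from the /proc/<pid>/fd/*
symlinks, which read 'socket:[inode]' for sockets.  Both inputs here are
constructed samples so the code runs offline; the rule table and the
stand-in for the user prompt are assumptions for the example.
"""
import socket
import struct

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "0A": "LISTEN"}

# Constructed sample of /proc/net/tcp: header line plus four sockets.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 31337 1 0000000000000000 100 0 0 10 0
   1: 0C00000A:B8F2 0A0200C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 31400 1 0000000000000000 20 4 30 10 -1
   2: 0C00000A:C01A 0100000A:0035 01 00000000:00000000 00:00000000 00000000     0        0 31512 1 0000000000000000 20 4 30 10 -1
   3: 0C00000A:D431 0A0200C0:0050 01 00000000:00000000 00:00000000 00000000  1000        0 31999 1 0000000000000000 20 4 30 10 -1
"""

# Constructed /proc/<pid>/fd tables (fd -> link target) and /proc/<pid>/comm.
SAMPLE_FD_TABLES = {
    1234: {"0": "/dev/pts/0", "3": "socket:[31337]"},
    4242: {"3": "socket:[31400]"},
    900: {"4": "socket:[31512]"},
}
SAMPLE_COMM = {1234: "python3", 4242: "curl", 900: "systemd-resolve"}


def decode_address(hexaddr: str):
    """'0100007F:1F90' -> ('127.0.0.1', 8080): the IPv4 address is printed in
    host (little-endian) byte order, the port in network byte order."""
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)


def parse_proc_net_tcp(text: str):
    """Yield one dict per socket line of /proc/net/tcp (header line skipped)."""
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 10:
            continue
        yield {
            "local": decode_address(fields[1]),
            "remote": decode_address(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        }


def inode_to_pid(fd_tables):
    """Invert the fd tables into socket inode -> pid."""
    owners = {}
    for pid, fds in fd_tables.items():
        for target in fds.values():
            if target.startswith("socket:[") and target.endswith("]"):
                owners[int(target[len("socket:["):-1])] = pid
    return owners


def decide(process, conn, rules, prompt):
    """Per-process verdict.  'process' is the comm name, or None when the
    socket could not be attributed to any process."""
    if process is None:
        return "block", "socket not attributable to a process"
    if process in rules:
        return rules[process], f"existing rule for {process}"
    verdict = prompt(process, conn)   # a real product asks the user here
    rules[process] = verdict          # remember the answer for later connections
    return verdict, f"rule learned from prompt for {process}"


def evaluate(proc_net_tcp, fd_tables, comm, rules, prompt):
    """Attribute every socket to a process and apply the per-process policy."""
    owners = inode_to_pid(fd_tables)
    results = []
    for conn in parse_proc_net_tcp(proc_net_tcp):
        pid = owners.get(conn["inode"])
        name = comm.get(pid) if pid is not None else None
        verdict, reason = decide(name, conn, rules, prompt)
        results.append((name, conn["remote"], verdict, reason))
    return results


def deny_unknown(process, conn):
    """Stand-in for the interactive prompt: deny anything without a rule."""
    return "block"


def run_sample():
    rules = {"curl": "allow"}   # assumed pre-existing rule
    return evaluate(SAMPLE_PROC_NET_TCP, SAMPLE_FD_TABLES, SAMPLE_COMM, rules, deny_unknown)


if __name__ == "__main__":
    for name, (ip, port), verdict, reason in run_sample():
        print(f"{str(name):16} -> {ip}:{port:<5} {verdict:5} ({reason})")
```

The fourth sample socket has an inode that no process holds, which is what a firewall sees when a process exits while the kernel still tracks its socket or when a socket was passed between processes; the example fails closed on it, and a real product has to choose that default deliberately.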

Due to these limitations, modern solutions such as [[sandbox (computer security)| sandboxing]] are being used as a replacement for host-based application firewalls to protect system processes.<ref>{{Cite web|title=What is sandbox (software testing and security)? - Definition from WhatIs.com|url=https://searchsecurity.techtarget.com/definition/sandbox|access-date=2020-11-15|website=SearchSecurity|language=en}}</ref>

== Implementations ==
There are various application firewalls available, including both free and open source software and commercial products.

=== Mac OS X ===
Starting with Mac OS X Leopard, an implementation of the TrustedBSD MAC framework (taken from FreeBSD) was included.<ref>{{cite web|url=http://www.trustedbsd.org/mac.html|title=Mandatory Access Control (MAC) Framework|publisher=TrustedBSD|access-date=2013-09-05}}</ref> The TrustedBSD MAC framework is used to sandbox services and provides a firewall layer for the sharing services configured in [[Mac operating systems|Mac OS]] X Leopard and Snow Leopard. Third-party applications can provide extended functionality, including filtering of outgoing connections per application.

=== Linux ===
This is a list of security software packages for Linux that allow filtering of application-to-OS communication, possibly on a per-user basis:
* [[AppArmor]]
* [[Kerio Control]] - a commercial product
* [[ModSecurity]] - also works under Windows, Mac OS X, [[Solaris (operating system)|Solaris]] and other versions of [[Unix]]. ModSecurity is designed to work with the web servers IIS, Apache2 and NGINX.
* [[Portmaster]] by Safing is an activity monitoring application. It is also available on [[Windows]].<ref>{{Cite web |title=Safing Portmaster |url=https://safing.io/portmaster/ |access-date=2021-11-04 |website=safing.io}}</ref>
* [[Systrace]]
* [[Zorp firewall|Zorp]]

=== Windows ===
* [[Portmaster]]
* [[Windows Defender Firewall|Microsoft Defender Firewall]]
* [[WinGate]]

=== Network appliances ===
These devices may be sold as hardware, software, or virtualized network appliances.

'''Next-Generation Firewalls:'''
*Cisco Firepower Threat Defense
*[[Check Point]]
*[[Fortinet]] FortiGate Series
*[[Juniper Networks]] SRX Series
*[[Palo Alto Networks]]
*[[SonicWALL]] TZ/NSA/SuperMassive Series

'''Web Application Firewalls/Load Balancers:'''
*[[A10 Networks]] Web Application Firewall
*[[Barracuda Networks]] Web Application Firewall/Load Balancer ADC
*[[Citrix Systems|Citrix NetScaler]]
*[[F5 Networks]] BIG-IP Application Security Manager
*[[Fortinet]] FortiWeb Series
*[[KEMP Technologies]]
*[[Imperva]]

'''Others:'''
*[[CloudFlare]]
*[[Cisco Meraki|Meraki]]
*[[Smoothwall]]
*[[Snapt Inc]]

== See also ==
{{Div col|colwidth=15em}}
* [[ModSecurity]]
* [[Computer security]]
* [[Content-control software]]
* [[Proxy server]]
* [[Information security]]
* [[Application security]]
* [[Network security]]
{{Div col end}}

== References ==
{{Reflist|30em}}

== External links ==
*[http://www.owasp.org/index.php/Web_Application_Firewall Web Application Firewall], Open Web Application Security Project
*[http://www.webappsec.org/projects/wafec/ Web Application Firewall Evaluation Criteria], from the [http://www.webappsec.org Web Application Security Consortium]
*[http://www.net-security.org/article.php?id=1270 Safety in the cloud(s): 'Vaporizing' the Web application firewall to secure cloud computing]

{{Computer security}}
{{Firewall software}}

{{DEFAULTSORT:Application Firewall}}
[[Category:Firewall software]]
[[Category:Packets (information technology)]]
[[Category:Data security]]
[[Category:Cyberwarfare]]

Latest revision as of 22:37, 29 April 2024
