
Dude! You Say I Need an Application Layer Firewall?!

By: Secure Computing
Published: Feb 23, 2007
Length: 9
Type: White Paper
Overview:

Application layer firewalls have been a popular tool for security practitioners since the early 1990s. Today, they are considered a mandatory component of any industry or government network. Unfortunately, many consumers of these fundamental networking tools buy and rely on them without understanding that there can be dramatic differences between firewalls that are manufactured by competing security practitioners and their unique engineering teams.

This paper describes the evolution of firewalls from the standpoint of the controls that they apply on data, and explains why the currently accepted "state-of-the-art" application layer firewall really represents a step backwards in most cases for securing perimeters.


Application Layer Firewall:

Application layer firewalls are popular tools for security practitioners. Application layer firewall products that are brought to market based on significantly different technical design philosophies and different go-to-market strategies quite naturally introduce consumer trade-offs that should be weighed when making buying decisions. Certain application layer firewall design trade-offs, for example, favor security over convenience, and certain application layer firewall go-to-market strategies favor platform performance over security.

As a result of robust global market competition in the application layer firewall space, and the growing demand for ever-improving perimeter security, software and appliance products sold as firewalls have evolved into a collection of products falling along a broad spectrum of features, benefits and, in some cases, pitfalls to take note of. From the author's point of view, there is a clear and easily observable divide in application layer firewall types available for purchase today when they are sorted into two simple categories based upon the manufacturer's security design objectives. There are application layer firewall product designs ranging from highly conservative and security-focused architectures, to designs that are highly appealing to the broad market because they offer good security "theater" in the look, feel, and marketing story but under the surface offer only simple security controls. Not all application layer firewalls are created equal...on purpose.

In this paper, we will describe the evolution of application layer firewalls from the standpoint of the controls that they apply on data, and we will explain why the currently accepted "state-of-the-art" firewall really represents a step backwards in most cases for securing perimeters. To many, this may seem contradictory. One need only consider the high growth rate of the installed base of firewalls, while simultaneously taking note of the dramatic increase in the number of networks being penetrated, to realize that something is going wrong in the world of perimeter security.

The Premise of an Application Layer Firewall

In 1989, Steve Bellovin, one of AT&T Bell Labs' early innovators in the field of application layer firewalls, described a firewall as, "a device separating them and us for any value of them." Much has been made of the importance of a firewall's policy - the rules by which you instruct a firewall what to permit or deny - but the firewall's policy is only approximately half of the story.

To use an analogy, the application layer firewall is a guard at the perimeter of your network whom you have told whom to shoot and whom to allow past. Obviously, it's important that your guard remembers the rules you gave him (the policy), but it's equally important that your guard uses reliable means to determine whether the people he's letting back and forth are truly who they appear to be and, in addition, that they are not carrying anything dangerous in their pockets. To stretch the analogy to near the breaking point, application layer firewalls have to deal with a more post-9/11-style environment in which even highly recognized, authorized individuals should be thoroughly checked for dangerous weapons. In fact, that is exactly the case with firewalls.
