Application Layer Filtering

I know I’ve been off the blogging wagon a bit, but hopefully we can turn this ship around. Today I will be talking about some industry frustrations I’ve had for the past couple of years. As one might imagine from the title, this is about firewalls and network security vendors' hype and FUD (Fear, Uncertainty & Doubt).

What is the definition of a firewall? Most people think it’s there to protect you from naughty viruses and other malware, and to a certain extent that can/will be the case. Too bad most firewalls don’t. The sad reality is that the industry is protecting you from the threats of yesterday and not from the real vulnerabilities of today and tomorrow. Let me explain.

Hardware firewalls rarely stop you from getting a virus anymore. Usually you get infected by visiting a web site or downloading malicious software onto your computer. Is your firewall preventing you from doing that? If not, then you're a perfect candidate for the latest worm. Understand that hardware firewalls are protecting you from Network layer and Transport layer vulnerabilities. Problem is, nobody is really taking advantage of those anymore. When was the last time a serious virus/worm took advantage of a vulnerability in the way TCP segments were handled? You can't remember. The soft underbelly of a PC/network is at the Application layer. It's when you visit that web page that has malicious code embedded and your browser isn't patched. Or that Facebook application that lets you get "Beer Mail". Most of the attacks these days happen at a much higher level, and yet the hardware-based firewalls don't care about what's inside the packet, just the properties that make up the packet itself.

When the hardware vendors say they provide "comprehensive security" they are really lying to you, in my opinion. When you want comprehensive security you want to take a look at the entire life-cycle of the data, from creation in the app to termination on the other side of the stack. We need to talk about Application layer filtering (ALF).

Application layer filtering does just that. Instead of looking only at the properties and attributes that make up the frame/packet/segment, it goes a bit further and determines what type of data is being encapsulated. Then it goes a step further, identifying the data type and applying a specific set of rules or policies that define the correct syntax for that data.

Here is an example: An HTTP packet gets sent across the line and hits an ALF firewall. The firewall opens up that packet, determines that there is HTTP data inside and then goes further to determine what that protocol is trying to accomplish. It has detailed knowledge of the HTTP protocol and understands the GET command and error messages. It knows certain properties can only have a certain length, say a URL. And if that URL is beyond the specified length or size, it knows that the frame could be exploiting a buffer overrun vulnerability, and the frame gets dropped. And HTTP is only one example. SMTP, FTP and DNS are all good examples. ALF firewalls have an understanding of how the protocol is constructed and deconstructed, so they know when something is wrong.
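To make the HTTP example concrete, here is a toy application-layer check written for this post (added example, not code from the original article or from any firewall product). It parses the request line and headers of an HTTP request the way the text describes and drops anything that breaks the grammar or exceeds policy; the allowed methods, URL length cap and header cap are assumed policy values, and the sample requests are constructed.

```python
"""Toy application-layer filter for HTTP requests (added example).
Policy values below are assumptions, not protocol constants."""
import re

ALLOWED_METHODS = {"GET", "HEAD", "POST"}      # assumed policy
MAX_URL_LENGTH = 2048                          # assumed policy
MAX_HEADERS = 50                               # assumed policy
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")
HEADER_LINE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+: *[^\r\n]*$")


def inspect_http_request(raw: bytes) -> tuple[str, str]:
    """Classify one HTTP request as ('allow', reason) or ('drop', reason).
    Unlike a port-and-address rule, this looks at the protocol content."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return "drop", "non-ASCII bytes in request head"
    head = text.split("\r\n\r\n", 1)[0]        # request line + headers
    lines = head.split("\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        return "drop", "malformed request line"
    method, url = match.groups()
    if method not in ALLOWED_METHODS:
        return "drop", f"method {method} not permitted by policy"
    if len(url) > MAX_URL_LENGTH:               # the overlong-URL case
        return "drop", f"URL length {len(url)} exceeds {MAX_URL_LENGTH}"
    headers = lines[1:]
    if len(headers) > MAX_HEADERS:
        return "drop", f"{len(headers)} headers exceeds {MAX_HEADERS}"
    for line in headers:
        if not HEADER_LINE.match(line):
            return "drop", f"malformed header line: {line[:40]!r}"
    return "allow", "request matches HTTP grammar and policy"


# Constructed sample traffic: a normal request, one with an oversized URL
# (the buffer-overrun pattern described above), and a non-HTTP byte blob.
SAMPLES = {
    "normal": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "long_url": b"GET /" + b"A" * 3000 + b" HTTP/1.0\r\n\r\n",
    "not_http": b"\x16\x03\x01\x00\xa5\x01\x00\x00",
}

if __name__ == "__main__":
    for name, packet in SAMPLES.items():
        print(name, inspect_http_request(packet))
```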

Hardware firewall vendors are slowly waking up to this realization. They are incorporating more features into their products, like the ability to fight spam and some low form of content filtering. I'm all about purpose-built devices/processes, so to me including spam filtering in the firewall just adds another layer of complexity to an already overflowing stack. But in the end, if you want comprehensive security, it's time to start protecting your network across the entire spectrum of threats. I've been a big supporter of Microsoft ISA Server (which is now being renamed Forefront Threat Management Gateway) as it's specifically sold as an Application Layer firewall. You can find it in the Standard and Premium versions of Essential Business Server 2008, and it is also sold separately.

So the concept I want you to take away from this is to think of the true objective of "comprehensive" security: protect all layers of your network. Hardware firewalls have their place. Just know what they're protecting you against and what they are not.