Despite the best efforts of the IT industry, attackers are becoming more proficient at writing software exploits, and cyber attacks have become more numerous, persistent and sophisticated over recent years. Some sources estimate that between 500 and 800 new viruses, worms and exploits are released into the computing environment each month.
What's more, according to industry reports, more than 70 percent of web attacks target the application layer. Attackers have progressed from scanning network ports and creating denial-of-service attacks to targeting software such as web browsers, web servers, email programs and even database servers.
Since certain network ports must be open to do business, attackers know that a good way to get into the network is through application-layer attacks that take advantage of those openings.
The traditional firewall typically scans only the headers of packets – the envelopes. So attackers work to pass undetected through that initial screen and deliver their malicious payload to the application layer. The richness of HTTP and SMTP applications and the growing use of HTTP as a transport protocol make this target that much more attractive.
Because of this situation, application-layer filtering technology has become a must. Application-layer firewalls add several types of protection to prevent these sophisticated attacks, and there are some important things to look for when choosing an application-layer filtering technology to protect your organization.
To use an analogy, rather than a set of doors, the application-layer filter has a lobby. Rather than just one security guard watching people go in and out, it employs a team of guards to shake down each application request – an HTTP filter for web servers, an SMTP filter for email servers, an FTP filter for file transfers, and so on.
Data from the internet is delivered to the lobby, and the application-layer firewall inspects the contents before forwarding it on to its destination. This allows the application-layer filter "security guard" to perform advanced inspection. Beyond that, the filter may also check what the software intends to do and ensure that the traffic conforms to the relevant RFC standards.
It's important to realize that these attacks morph regularly, and the application firewall must be able to adapt and keep pace. The solution should come with preset policies that help protect against certain known attacks.
However, since the attacks are constantly evolving, those presets can become stale rather quickly.
To be effective over the long term, an application firewall solution must be easily customizable to allow for quick updates as attacks change, and should also integrate easily with existing infrastructure to facilitate a richer set of solution scenarios.
For example, a policy may state that email containing executable code is screened out unless there is a good reason to run it in the corporate environment. Such a rule might disallow executable files unless they are addressed to the IT department. The company might want to block peer-to-peer applications such as instant messaging for its customer service department, but keep that capability for the sales department.
The ability to customize the firewall and integrate it with the range of applications makes this kind of in-depth protection possible.
A critical element of effective application-layer filtering is the HTTP filter. HTTP's use as a transport protocol makes it a particularly important area to address, and this kind of filtering technology has made a dramatic leap over the past four or five years.
HTTP filtering allows organizations to block malicious traffic from entering the network based on several properties.
It is important to note that this capability also allows companies to move quickly and respond to new HTTP-based attacks as they occur. It does so by examining a network packet containing a specific attack and then blocking any traffic that contains the same HTTP "signature," a specific string of characters unique to the attack.
This is a capability that organizations looking for a firewall solution should pay attention to. Some application-layer filtering solutions on the market today do not provide the option to customize HTTP filters, and some do not even do HTTP filtering.
An effective HTTP filter should be able to block or allow content based on parameters such as request payload length (blocking requests that exceed a specified limit), URL length, HTTP request method and request/response headers, and should let organizations specify a string to match in the header or body of a request or response – thus enabling them to block known signatures or patterns where warranted.
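To make the list above concrete, here is a small HTTP request filter that enforces each of those parameters (allowed methods, URL length, payload length, and a string signature matched against the URL, every header line and the body) over constructed sample requests. This is an added illustration, not code from the article or from any product; the policy values and the signatures are constructed placeholders, and it also refuses a Content-Length that disagrees with the bytes actually received, since the payload cap is meaningless if the filter trusts the declared length.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class HttpFilterPolicy:
    """Request method, URL length, payload length and header/body signatures, as the article lists."""
    allowed_methods: frozenset = frozenset({"GET", "HEAD", "POST"})
    max_url_length: int = 256
    max_body_length: int = 4096
    # Constructed sample signatures; a real filter loads these from the vendor's presets or the admin.
    blocked_signatures: tuple = ("cmd.exe", "<script>")

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, url, headers, body); ValueError if malformed."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, url, _version = lines[0].split(" ", 2)  # ValueError unless exactly three fields
    headers = {n.strip().lower(): v.strip() for n, _, v in (l.partition(":") for l in lines[1:] if l)}
    return method, url, headers, body

def evaluate(raw: bytes, policy: HttpFilterPolicy = HttpFilterPolicy()) -> tuple:
    """Return (allowed, reason). Fails closed: unparseable requests and a lying Content-Length are blocked."""
    try:
        method, url, headers, body = parse_request(raw)
    except ValueError as exc:
        return False, f"malformed request: {exc}"
    if method not in policy.allowed_methods:
        return False, f"method not allowed: {method}"
    if len(url) > policy.max_url_length:
        return False, f"url too long: {len(url)}"
    declared = headers.get("content-length")
    if declared is not None and (not declared.isdigit() or int(declared) != len(body)):
        return False, "content-length disagrees with actual body length"
    if len(body) > policy.max_body_length:
        return False, f"payload too long: {len(body)}"
    # Signature check over the URL, every header line and the body, case-insensitively.
    haystacks = [url] + [f"{k}: {v}" for k, v in headers.items()] + [body.decode("latin-1")]
    for sig in policy.blocked_signatures:
        if any(sig.lower() in h.lower() for h in haystacks):
            return False, f"signature matched: {sig}"
    return True, "ok"

# Constructed sample traffic (not captured from any real system).
SAMPLES = {
    "benign": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "bad_method": b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "long_url": b"GET /" + b"a" * 300 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "length_lie": b"POST /up HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 5\r\n\r\n" + b"x" * 50,
    "body_sig": b"POST /s HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 20\r\n\r\nq=<script>x</script>",
    "malformed": b"GARBAGE\r\n\r\n",
}
```

Calling `evaluate(raw)` on each entry in `SAMPLES` returns the decision together with the rule that fired, which is the audit trail an operator needs when tuning a custom signature.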
With so much to keep track of, ease of use is another critical piece of any security solution.
Misconfiguration of the solution can lead to serious consequences. Some analyst reports suggest that more than 90 percent of firewall breaches were actually caused by misconfiguration. The solution should be easy to set up and use, easy to customize, and easy to integrate with the existing technology infrastructure.
Finally, whatever platform you choose should also be extensible.
It is important for the solution to have a software development kit environment whereby partners can create add-on solutions. Ideally, there should be a set of partners already working hard to develop solutions that expand and enhance the capabilities of the firewall.
A range of providers currently on the market specialize in offerings such as anti-virus protection, instant-messaging protection and content filtering.
The most effective firewall platform solutions will be those that enable the organization to select best-of-breed products for each area, easily integrate those technologies into a unified solution, and adjust and customize that integrated solution over time.
Josue Fontanez is senior product manager in the Security Business and Technology Unit at Microsoft Corporation