Application Firewalls

An Application Firewall is a network defense designed to protect a specific type of application, usually a web server (for example, Apache or Microsoft® Internet Information Server). It is usually a software package that runs either on the same server as the software it protects or on a separate, dedicated server.

Besides defending your servers in real time as attacks are launched, another option is to test your servers for vulnerabilities before you put them on the Internet. This proactive approach is discussed in the Application Scanning Tools section of this web site.

SecurityAppraisers® installs and maintains the following Application Firewalls:

Product        Manufacturer   Protected Applications   Platform(s) it runs from   Price
NGSecureWeb    NGSec          Apache, IIS              Linux, Windows             $599
InterDo        KavaDo         Apache, IIS              Linux, Windows             $10,800
AppShield      Sanctum        Apache, IIS              Windows, Solaris           $20,000

Products are listed in ascending order of price; your individual requirements should be the most important factor in choosing a product.

"How does an Application Firewall work?"

It acts as a transparent 'middleman' for all requests submitted to the web or database server. If it sees a request that is known to be malevolent (or, in some cases, merely suspicious) and would cause the server to be compromised, it refuses to forward that particular request, much as a censor would.
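The following is an added illustration of that 'middleman' role, not code from any of the products listed on this page. It models a request filter sitting in front of a web server: every request is decoded once and checked against a small, constructed rule set, and anything that matches is refused with a 403 and never reaches the backend. The rules, the sample requests and the stand-in backend are all constructed for the example; a real product ships a far larger, vendor-maintained signature set.

```python
"""Toy Application Firewall request filter (added example, not a product's code).

Models the transparent 'middleman' described above: each request is inspected
against a rule set before it is handed to the protected server; requests that
match a rule are refused and never reach the backend.
"""
import re
from urllib.parse import unquote_plus

# Constructed rule set: (name, compiled pattern). Deliberately small; a real
# product maintains many more signatures and updates them as attacks appear.
RULES = [
    ("path traversal", re.compile(r"(^|[\\/])\.\.([\\/]|$)")),
    ("null byte", re.compile(r"\x00")),
    ("sql injection probe", re.compile(r"\b(union\s+select|or\s+1\s*=\s*1)\b", re.I)),
    ("script tag", re.compile(r"<\s*script", re.I)),
]
MAX_URL_LEN = 2048  # constructed limit; oversized URLs are refused outright


def inspect(method, url, body=""):
    """Return (allowed, reason) for one request.

    The URL and body are percent-decoded once so that encoded forms such as
    %2e%2e%2f are seen as '../' by the patterns.
    """
    if len(url) > MAX_URL_LEN:
        return False, "url too long"
    for text in (unquote_plus(url), unquote_plus(body)):
        for name, pattern in RULES:
            if pattern.search(text):
                return False, name
    return True, "ok"


def backend(method, url, body=""):
    """Stand-in for the protected web server (constructed)."""
    return 200, f"{method} {url} served"


def proxy(method, url, body="", log=None):
    """The middleman: forward clean requests, refuse the rest.

    A refused request is recorded in `log` (if supplied) so the operator can
    review what was blocked and tune the rules for false positives.
    """
    allowed, reason = inspect(method, url, body)
    if not allowed:
        if log is not None:
            log.append(f"BLOCK {method} {url!r}: {reason}")
        return 403, f"refused: {reason}"
    return backend(method, url, body)


if __name__ == "__main__":
    # Constructed sample traffic: one ordinary request, then several that
    # match a rule. Nothing here touches the network.
    events = []
    for req in [
        ("GET", "/index.html", ""),
        ("GET", "/images/../../etc/passwd", ""),
        ("GET", "/cgi-bin/%2e%2e/%2e%2e/etc/passwd", ""),
        ("POST", "/login", "user=admin'+or+1%3D1--"),
        ("GET", "/search?q=<script>alert(1)</script>", ""),
    ]:
        print(req[0], req[1], "->", proxy(*req, log=events))
    print("\n".join(events))
```

The decode-once step matters: a filter that matches only on the raw URL is trivially bypassed by percent-encoding, which is why the example decodes before matching. The log list is the other half of the design: because a rule set like this will sometimes refuse legitimate requests, the blocked-request log is what lets an administrator see false positives and adjust rather than silently losing traffic.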

"If I am running a web or database server, does it always need an Application Firewall?"

If you knew how a web or database server was built, and that great care was taken to make the server's code secure, probably not. Besides the expense of purchase and maintenance, an Application Firewall adds latency and can be another point of failure. But companies often inherit an obligation to host a web server or database that they did not design (for example, management mandates the deployment of an aftermarket web or database application for business reasons, and you have no idea how secure that application really is). A code review of such an application may be cost-prohibitive, if it is possible at all. Running it behind an Application Firewall offers the best security available given the business constraints you may be working under. Whether or not a server is known to have been designed from the ground up with security in mind, ALL servers should be scanned for vulnerabilities before they are placed on the Internet. This proactive approach is discussed in the Application Scanning Tools section of this web site.

"If I stay on top of applying security patches to my application (such as my web server), what's the point of an Application Firewall?"

Producing a security patch can take longer than it takes the Application Firewall manufacturer to identify the malicious request that is being posted to the application. On occasion, Application Firewalls have defended web servers before a patch for the exploit was even developed. Security patches are also occasionally defective themselves and can impair the correct functioning of the application; an Application Firewall affords a greater window of opportunity for testing a security patch before it is applied to a production server.

"Is an Application Firewall all I need to implement computer security?"

No. An Application Firewall alone does not constitute a complete computer security program; it can be a good supplemental defense, but other defenses should be put in place, including (Network Layer) Firewalls, Content Inspection, Proactive Security Monitoring, Software Security Updates and Security Policy Enforcement, Security Tokens, Virus Scanning, and Secure Network Protocols. Confer with the other sections of this web site to learn about these security techniques.

"I read that some Application Firewalls listed here previously had a security problem (which has since been fixed). Why should I even consider using any that had these problems?"

Generally, the more popular an Application Firewall is, the more likely attackers are to look for ways to exploit it. Consequently, vulnerabilities found in an Application Firewall product, and subsequently fixed, do not necessarily indicate the level of security that the Firewall currently affords. A more important consideration is the speed and consistency with which the manufacturer addresses these incidents as they occur. SecurityAppraisers® has assisted manufacturers in identifying holes in their products, and has implemented the resulting updates for its customers.


© 2002-2007 SecurityAppraisers. All rights reserved.
"Linux" is a registered trademark of Linus Torvalds
"Microsoft" is a registered mark of Microsoft Corporation
"Windows 2000" and "Windows XP" are registered trademarks of Microsoft Corporation
This site follows the guidelines of the W3C's Website Accessibility Initiative (WAI)