
The evolution of application layer firewalls

By , Network World
February 02, 2004 12:04 AM ET

Page 2 of 2

Now with the NetScreen boxes in place, those remote machines and the traffic they send are deemed clean, he says. Physicians who extend their workday take a NetScreen appliance home if they think they'll log on to the hospital network, Rein says.

The hospital also runs NetScreen's more comprehensive application-layer screening product, the Intrusion Detection and Prevention (IDP) device. The IDP can find potentially malicious traffic that the small appliances miss, but at $400 the 5XT appliances are affordable at every remote site, he says, and because they scrub traffic before it reaches the hospital, they reduce the number of alarms the IDP triggers.

Some customers say application firewalls can shield servers that carry known but unpatched flaws. At Regal Entertainment, a Knoxville, Tenn., movie theater chain, Check Point's Application Intelligence software blocked every attempt by a security consultant, hired to try to take down Regal's servers, to exploit a known vulnerability left open by missing patches on one server. Such shielding covers only attack traffic the firewall can see and recognize as an attack; it does not remove the flaw from the server.

The Check Point software headed off the application-layer attacks that the consultant tried through Port 80 before they got to the server, says Andrew Bagrin, director of security and network management for the chain. "It's still critical to patch, but now we can be more flexible so we're not so worried," he says.

Vendors such as NetScreen are also putting versions of their application inspection software on low-cost appliances for sites where the risk is judged too low to warrant a more expensive IDP system. These boxes combine a stateful firewall, virus protection and VPN support. Such an appliance costs $1,700, vs. an IDP box that can cost 10 times as much.

A new way of looking at protection

While established vendors are working on pricing and features, a new company called WebCohort is touting a different approach to the same problem. The Palo Alto company's software, called SecureSphere, correlates individual suspicious events until it has enough evidence of a malicious user to conclude that an attack is under way.

The company's CEO, Schlomo Kremer, says the appliances can protect custom applications that represent the majority of traffic in major corporate networks - something its competitors can't do.

The device learns any application by discovering such things as what URLs the application uses, how they are structured and how it employs cookies, and then builds a profile of how the application works and how it is used, according to Kremer. It uses that model to analyze actual behavior and spot anomalies, which can be blocked automatically or flagged for IT staff to check out, he says.

Kremer says other intrusion-protection technology protects against known attacks against commonly used applications. "They are useless against targeted attacks on custom code," he says.
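The two ideas in this section, a learned profile of an application (which URLs it serves, which parameters and cookies each one takes) and the correlation of individual oddities per client into a verdict, are easy to see in miniature. The following is an added example written for this page; it is not WebCohort or SecureSphere code, and the profile layout, the coarse value "shape" classes, the request tuple format and the per-client block threshold are all assumptions of the example. The request traffic is constructed sample data. Note how the last three requests, a quoted value where only digits were ever seen, a parameter the application never uses and a URL it never served, need no signature for a known product: a targeted probe against custom code is caught only because it departs from what was learned.

```python
"""Toy positive-security web application profiler (added example, not SecureSphere code)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl


def value_shape(value):
    """Coarse character class of a parameter value; the profile stores shapes, never values."""
    if re.fullmatch(r"\d+", value):
        return "digits"
    if re.fullmatch(r"[A-Za-z]+", value):
        return "alpha"
    if re.fullmatch(r"[A-Za-z0-9_.@-]+", value):
        return "token"
    return "other"  # quotes, spaces, angle brackets and anything else land here


def split_url(url):
    """Return (path, [(name, value), ...]) for a request URL (query parameters only, for brevity)."""
    parts = urlsplit(url)
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)


class AppProfile:
    """Per-URL model of the methods, parameter names/shapes and cookie names seen while learning."""

    def __init__(self):
        self.paths = {}

    def learn(self, method, url, cookies):
        path, params = split_url(url)
        entry = self.paths.setdefault(
            path, {"methods": set(), "params": defaultdict(set), "cookies": set()})
        entry["methods"].add(method)
        for name, value in params:
            entry["params"][name].add(value_shape(value))
        entry["cookies"].update(cookies)

    def anomalies(self, method, url, cookies):
        """Every way the request departs from the learned model; an empty list means it conforms."""
        path, params = split_url(url)
        entry = self.paths.get(path)
        if entry is None:
            return ["unknown URL %s" % path]
        found = []
        if method not in entry["methods"]:
            found.append("method %s never seen on %s" % (method, path))
        for name, value in params:
            if name not in entry["params"]:
                found.append("unexpected parameter %r on %s" % (name, path))
            elif value_shape(value) not in entry["params"][name]:
                found.append("parameter %r has shape %s, learned %s"
                             % (name, value_shape(value), sorted(entry["params"][name])))
        for cookie in cookies:
            if cookie not in entry["cookies"]:
                found.append("unexpected cookie %r on %s" % (cookie, path))
        return found


class Correlator:
    """Accumulates anomalies per client: one oddity is flagged, a run of them is blocked."""

    def __init__(self, profile, block_threshold=3):  # threshold is an assumed tuning knob
        self.profile = profile
        self.block_threshold = block_threshold
        self.scores = defaultdict(int)

    def inspect(self, client, method, url, cookies=()):
        found = self.profile.anomalies(method, url, cookies)
        if not found:
            return "allow", found
        self.scores[client] += len(found)
        verdict = "block" if self.scores[client] >= self.block_threshold else "flag"
        return verdict, found


# Constructed learning-phase traffic: (client, method, url, cookie names) from ordinary users.
LEARNING_TRAFFIC = [
    ("10.0.0.5", "GET", "/login", ()),
    ("10.0.0.5", "POST", "/login?user=alice&pw=Secret1", ()),
    ("10.0.0.5", "GET", "/account?id=1042", ("session",)),
    ("10.0.0.9", "POST", "/login?user=bob&pw=hunter2", ()),
    ("10.0.0.9", "GET", "/account?id=1043", ("session",)),
    ("10.0.0.9", "GET", "/search?q=invoices", ("session",)),
]

# Constructed enforcement-phase traffic: one clumsy but benign user, then one probing attacker.
LIVE_TRAFFIC = [
    ("10.0.0.12", "GET", "/account?id=abc", ("session",)),                   # typo: alpha, not digits
    ("198.51.100.7", "GET", "/account?id=1042' OR '1'='1", ("session",)),   # injection-shaped value
    ("198.51.100.7", "GET", "/account?id=1042&admin=1", ("session",)),      # parameter never learned
    ("198.51.100.7", "GET", "/admin/backup", ("session",)),                 # URL never served
]


def build_profile(traffic):
    profile = AppProfile()
    for _client, method, url, cookies in traffic:
        profile.learn(method, url, cookies)
    return profile


def run_enforcement(profile, traffic, block_threshold=3):
    """Return [(client, verdict, anomalies)] in arrival order."""
    correlator = Correlator(profile, block_threshold)
    results = []
    for client, method, url, cookies in traffic:
        verdict, found = correlator.inspect(client, method, url, cookies)
        results.append((client, verdict, found))
    return results


if __name__ == "__main__":
    for client, verdict, found in run_enforcement(build_profile(LEARNING_TRAFFIC), LIVE_TRAFFIC):
        print(client, verdict, "; ".join(found) or "-")
```

The benign user at 10.0.0.12 is only flagged, because a single shape mismatch is exactly the false positive a learned model produces on real traffic; the attacker at 198.51.100.7 is blocked on the third consecutive anomaly. In practice the learning set must be clean (an attacker present during learning teaches the profile to accept the attack) and a real product would also model request bodies, headers and response behavior, none of which this toy covers.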

