Technology Update

Web application firewalls protect data

By Izhar Bar-Gad

Traditional firewalls address network access control, blocking unauthorized network-level connections. Application firewalls address the application layer, validating each request within the context of an application session. An application firewall specifically protects the Web application's communication stream, and all the application resources behind it, from attacks carried over the Web protocol itself.

Application firewalls address browser and HTTP attacks that manipulate application behavior for malicious purposes. These include data attacks, which use special characters or wild cards to alter data; logic content attacks, which target command strings or logic statements; and target attacks, which focus on accounts, files or hosts.

There are two approaches to building an application firewall: a positive security model, which enforces known-good behavior, and a negative security model, which blocks recognized attacks.

A positive security model learns the application logic and builds a security policy of valid, known requests as the user interacts with the application. The approach is as follows:

1. The initial policy contains a list of valid starting pages. The user's first request must match one of those starting pages before a session policy is created.

2. The application firewall examines each page the server sends back, including its links, drop-down menus and form fields, and builds a policy of all the requests the user can legitimately make next in that session.

3. Each user request is verified against the session policy before being passed to the server. Requests the policy does not recognize are blocked as invalid.

4. The session policy is destroyed when the user's session terminates. A new policy is built for each new session.

A negative security model blocks recognized attacks by relying on a database of known attack signatures. The approach is as follows:

1. The policy is created from a set of known attack signatures.

2. There is no analysis of downstream pages to update the policy.

3. Recognized attacks are blocked; unknown requests, good or bad, are assumed to be valid and passed to the server for processing.

4. All users share the same static policy.
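The two models side by side, as an added example rather than Sanctum's code: a toy in-process "firewall" for a fictitious /account application. The positive model starts from a single starting page (/login), learns its allowlist by parsing the HTML the server returns, and then checks paths, parameter names and the values the page actually offered (hidden fields and drop-down options are pinned to the offered values, free-text fields are left open). The negative model is a fixed signature list shared by every user. The page, the signatures and the requests are constructed for the demo; the tampered account ID and the never-linked /admin page show what only the positive model catches, and the injection string shows what the signature list was built for.

```python
"""Positive vs. negative security model in a toy Web application firewall.

Added example, not Sanctum's code. The HTML page, signature list and
requests below are constructed for the demonstration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl

# Constructed response the server sends back after the /login request.
ACCOUNT_PAGE = """<html><body>
<a href="/account?id=42">Refresh</a> <a href="/logout">Log out</a>
<form action="/transfer" method="post">
  <input type="hidden" name="from" value="42">
  <select name="to"><option value="17">Savings</option>
                    <option value="23">Joint</option></select>
  <input type="text" name="amount">
</form></body></html>"""


class LinkFormExtractor(HTMLParser):
    """Collect the links and form fields a downstream page offers the user."""

    def __init__(self):
        super().__init__()
        self.links, self.forms, self._form, self._select = [], [], None, None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = {"action": a.get("action", ""), "fields": {}}
        elif tag == "input" and self._form is not None and a.get("name"):
            # Hidden fields may only carry the value the page set; free-text
            # fields are unconstrained (None).
            hidden = a.get("type") == "hidden"
            self._form["fields"][a["name"]] = {a.get("value", "")} if hidden else None
        elif tag == "select" and self._form is not None and a.get("name"):
            self._select = a["name"]
            self._form["fields"][self._select] = set()
        elif tag == "option" and self._select and a.get("value") is not None:
            self._form["fields"][self._select].add(a["value"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None
        elif tag == "select":
            self._select = None


class PositivePolicy:
    """Per-session allowlist: path -> {param: allowed values, or None for any}.
    A path mapped to None is a starting page and accepts any parameters."""

    def __init__(self, start_pages):
        self.allowed = {p: None for p in start_pages}

    def _allow(self, path, fields):
        spec = self.allowed.setdefault(path, {})
        if spec is None:                      # starting page: already open
            return
        for name, values in fields.items():
            if values is None or spec.get(name, set()) is None:
                spec[name] = None             # free-text: any value
            else:
                spec.setdefault(name, set()).update(values)

    def learn(self, html):
        """Step 2: extend the session policy from a downstream page."""
        ex = LinkFormExtractor()
        ex.feed(html)
        for href in ex.links:
            path, _, query = href.partition("?")
            self._allow(path, {k: {v} for k, v in parse_qsl(query)})
        for form in ex.forms:
            self._allow(form["action"], form["fields"])

    def check(self, path, params):
        """Step 3: allow only requests the session was actually offered."""
        if path not in self.allowed:
            return False, "page not offered in this session"
        spec = self.allowed[path]
        if spec is None:
            return True, "starting page"
        for name, value in params.items():
            if name not in spec:
                return False, f"unexpected parameter {name!r}"
            if spec[name] is not None and value not in spec[name]:
                return False, f"value {value!r} not offered for {name!r}"
        return True, "offered by a previous page"


# Negative model: one static signature list shared by all users (constructed).
SIGNATURES = {
    "sql-injection": re.compile(r"""['"]\s*(or|and)\s+\d+\s*=\s*\d+""", re.I),
    "path-traversal": re.compile(r"\.\./"),
    "script-injection": re.compile(r"<script", re.I),
}


def negative_check(path, params):
    """Block only what a signature matches; everything else is assumed good."""
    for name, rx in SIGNATURES.items():
        for text in (path, *params.values()):
            if rx.search(text):
                return False, f"matched signature {name}"
    return True, "no signature matched"


REQUESTS = [                                   # constructed client requests
    ("/account", {"id": "42"}),                # exactly what the page offered
    ("/account", {"id": "43"}),                # tampered id: never offered
    ("/transfer", {"from": "42", "to": "17", "amount": "100"}),
    ("/transfer", {"from": "99", "to": "17", "amount": "100"}),  # hidden field tampered
    ("/account", {"id": "42' or 1=1"}),        # classic signature
    ("/admin", {}),                            # never linked from any page
]


def evaluate(requests):
    """Run requests through both models; return {(path, params): (positive, negative)}."""
    policy = PositivePolicy(start_pages=["/login"])
    policy.learn(ACCOUNT_PAGE)                 # downstream page after /login
    return {(path, tuple(sorted(params.items()))):
            (policy.check(path, params)[0], negative_check(path, params)[0])
            for path, params in requests}


if __name__ == "__main__":
    for req, (pos, neg) in evaluate(REQUESTS).items():
        print(f"{req!s:62} positive={'pass' if pos else 'BLOCK'}  "
              f"negative={'pass' if neg else 'BLOCK'}")
```

Running it shows the trade-off the two lists above describe: the negative model passes the tampered account ID, the tampered hidden field and the /admin request because no signature matches them, while the positive model blocks them because the page never offered them; the injection string is caught by both, the signature list because that is what it was written for and the positive model simply because `42' or 1=1` is not the value the link carried.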

Application firewalls install between the network firewall and the application server, operating at Layer 7 of the OSI model. All session traffic, both upstream (client to server) and downstream (server to client), runs through the application firewall. Downstream responses are channeled through it, and in the positive model they are parsed to build the session policy. For that reason an application firewall must sit in front of any cache server, between the client and the cache: a response served from a cache the firewall never saw would leave the session policy without the links that page offers, and the user's next legitimate request would be blocked.

Upstream requests likewise pass through the application firewall, which forwards only valid ones and so offloads the handling of bad requests from the server.

Application firewalls understand both inbound and outbound session traffic. They integrate in-line with existing applications, are compatible with standard Web application technologies, and work in real time to stop threats before they reach the application.

An application firewall listens on TCP ports 80 and 443, accepts incoming HTTP and HTTPS requests from the client, parses them, associates each with an existing session (or creates a session if required), and then matches the request against that session's policy. To parse HTTPS traffic it must terminate the SSL connection itself, which means it holds the server's certificate and private key.

If the request is permitted (that is, the link is one the policy allows), it is forwarded to the Web server; if not, it is rejected. The Web server's response arrives at the application firewall, is associated with the same session as the request, and is parsed; the new links it offers are extracted and added to that session's policy.

If this is the response to the session's first request, a cryptographic session cookie is also attached to the response to identify the client session in subsequent communications. The application firewall then forwards the response to the client.
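The session-tracking side of that flow, as an added example that is not Sanctum's code: the firewall issues a session cookie on the first response and uses it to find the session policy on every later request. The cookie carries a random session ID and an expiry time, both covered by an HMAC, so a forged cookie, a swapped ID or a stretched expiry is rejected before any policy lookup; the random ID is itself unguessable, the MAC is the layer that binds the expiry to it. The cookie name `AFSESSION`, the key handling, the lifetime, the `Firewall` class and the path-only session policy are all assumptions made for the demo; the one link "learned" after login stands in for the links a real deployment would parse out of the response.

```python
"""Cryptographic session cookie for an application firewall.

Added example, not Sanctum's code. Cookie name, key handling, lifetime
and the path-only session policy are assumptions for the demonstration.
"""
import hashlib
import hmac
import secrets
import time

COOKIE_NAME = "AFSESSION"                 # assumed cookie name


class SessionStore:
    """Maps session IDs to per-session policies; signs and verifies cookies."""

    def __init__(self, key, ttl=1800, clock=time.time):
        self._key, self._ttl, self._clock = key, ttl, clock
        self._sessions = {}                # sid -> set of allowed paths

    def _mac(self, sid, exp):
        return hmac.new(self._key, f"{sid}.{exp}".encode(), hashlib.sha256).hexdigest()

    def create(self, start_page):
        """Create a session; return (sid, Set-Cookie header value)."""
        sid = secrets.token_urlsafe(16)    # 128 random bits, never contains '.'
        exp = int(self._clock()) + self._ttl
        self._sessions[sid] = {start_page}
        value = f"{sid}.{exp}.{self._mac(sid, exp)}"
        return sid, f"{COOKIE_NAME}={value}; Path=/; Secure; HttpOnly"

    def resolve(self, cookie_header):
        """Return the sid for a valid, unexpired, still-live cookie, else None."""
        jar = {}
        for part in (cookie_header or "").split(";"):
            name, sep, val = part.strip().partition("=")
            if sep:
                jar[name] = val
        raw = jar.get(COOKIE_NAME)
        if raw is None or raw.count(".") != 2:
            return None
        sid, exp, mac = raw.split(".")
        if not (exp.isdigit() and mac.isascii()
                and hmac.compare_digest(mac, self._mac(sid, int(exp)))):
            return None                    # forged, swapped or tampered
        if self._clock() > int(exp) or sid not in self._sessions:
            return None                    # expired, or session already destroyed
        return sid

    def allow(self, sid, path):
        self._sessions[sid].add(path)

    def permitted(self, sid, path):
        return path in self._sessions[sid]

    def destroy(self, sid):
        self._sessions.pop(sid, None)


class Firewall:
    """Request handling: resolve the session, or start one on a starting page."""
    START_PAGES = {"/login"}

    def __init__(self, store):
        self.store = store

    def handle(self, path, cookie_header=None):
        """Return (forwarded, reason, set_cookie_or_None)."""
        sid = self.store.resolve(cookie_header)
        if sid is None:
            if path not in self.START_PAGES:
                return False, "no session and not a starting page", None
            sid, set_cookie = self.store.create(path)
            # Stands in for the links parsed from the /login response (constructed).
            self.store.allow(sid, "/account")
            return True, "new session", set_cookie
        if self.store.permitted(sid, path):
            return True, "offered in session", None
        return False, "not offered in session", None


def demo(key=b"demo-key-replace-with-a-random-secret"):
    """Walk one client through the flow; return {scenario: forwarded?}."""
    now = [1_700_000_000]                  # controllable clock for the expiry case
    fw = Firewall(SessionStore(key, ttl=600, clock=lambda: now[0]))
    results = {"no-session": fw.handle("/account")[0]}
    ok, _, set_cookie = fw.handle("/login")                # first request
    results["first-request"] = ok
    cookie = set_cookie.split(";")[0]                      # what the client sends back
    results["follow-up"] = fw.handle("/account", cookie)[0]
    results["not-offered"] = fw.handle("/admin", cookie)[0]
    sid, exp, mac = cookie[len(COOKIE_NAME) + 1:].split(".")
    swapped = f"{COOKIE_NAME}={secrets.token_urlsafe(16)}.{exp}.{mac}"
    results["swapped-id"] = fw.handle("/account", swapped)[0]
    stretched = f"{COOKIE_NAME}={sid}.{int(exp) + 3600}.{mac}"
    results["stretched-expiry"] = fw.handle("/account", stretched)[0]
    now[0] += 601                                          # past the ttl
    results["expired"] = fw.handle("/account", cookie)[0]
    return results


if __name__ == "__main__":
    for scenario, forwarded in demo().items():
        print(f"{scenario:18} {'forwarded' if forwarded else 'rejected'}")
```

Only the first request on a starting page gets a Set-Cookie; every later request must present a cookie whose MAC verifies, whose expiry has not passed and whose session still exists, and even then the path has to be one the session was offered. Note that the secret key is shared by all firewall instances behind one application and must be kept off the Web server, since anyone holding it can mint session cookies at will.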

Bar-Gad is CTO at Sanctum. He can be reached at
