Technology Update

Web application firewalls protect data

By Izhar Bar-Gad

While traditional firewalls address network access control, blocking unauthorized network-level requests, application firewalls address the application layer by enforcing requests within application sessions. An application firewall specifically protects the Web application communication stream and all associated application resources from attacks that happen via the Web protocol.

Application firewalls address browser and HTTP attacks that manipulate application behavior for malicious purposes. These include data attacks, which use special characters or wild cards to change data; logic content attacks, which go after command strings or logic statements; and target attacks, which focus on accounts, files or hosts.

There are two approaches to an application firewall: a positive security model, which enforces known-good behavior, and a negative security model, which blocks recognized attacks.

A positive security model enforces positive behavior by learning the application logic and then building a security policy of valid known requests as a user interacts with the application. The approach is as follows:

1. The initial policy contains a list of valid starting pages. The user's initial request must match the starting pages before creating a session policy.

2. The application firewall examines downloaded page requests, including page links, drop-down menus and form fields, and builds a policy of all allowable requests that can be made during the user's session.

3. User requests are verified as valid before being passed to the server. Requests not recognized by the policy are blocked as invalid requests.

4. The session policy is destroyed when the user session terminates. A new policy is created for each new session.
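The four steps above, carried out by a small session-policy engine. This is an added example, not code from the article or from Sanctum's product; the starting pages, the login page HTML and the cookie-free session handling are constructed assumptions.

```python
"""Positive security model: a per-session allowlist learned from the pages the server returns."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

STARTING_PAGES = {"/", "/login"}   # step 1: the initial policy lists the valid starting pages
# Constructed response body that the firewall parses in step 2 (assumed application, not real).
LOGIN_PAGE = """<html><body><a href="/help?topic=login">Help</a>
<form action="/auth" method="post"><input name="user"><input name="pass" type="password">
<select name="lang"><option>en</option></select></form></body></html>"""


class _LinkExtractor(HTMLParser):
    """Collect page links, form actions and field names from a downloaded page."""
    def __init__(self):
        super().__init__()
        self.paths, self.fields = set(), set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        target = a.get("href") if tag == "a" else a.get("action") if tag == "form" else None
        if target:
            self.paths.add(urlparse(target).path)
            self.fields |= set(parse_qs(urlparse(target).query))  # query names used by links
        if tag in ("input", "select") and a.get("name"):
            self.fields.add(a["name"])


class SessionPolicy:
    """One policy per user session; it is discarded with the session (step 4)."""
    def __init__(self):
        self.started = False
        self.allowed_paths, self.allowed_fields = set(), set()

    def check_request(self, url, body=""):
        """Step 3: pass only requests the session policy recognizes; block everything else."""
        parts = urlparse(url)
        params = set(parse_qs(parts.query)) | set(parse_qs(body))
        if not self.started:                    # step 1: first request must be a starting page
            if parts.path in STARTING_PAGES and not params:
                self.started, self.allowed_paths = True, set(STARTING_PAGES)
                return True
            return False
        return parts.path in self.allowed_paths and params <= self.allowed_fields

    def learn_response(self, html):
        """Step 2: extend the session policy from the page being sent back to the client."""
        ext = _LinkExtractor()
        ext.feed(html)
        self.allowed_paths |= ext.paths
        self.allowed_fields |= ext.fields
```

Note that a request with an extra, never-offered parameter (the `role=admin` case in the test) is blocked even though no signature describes it; that is the property the positive model buys.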

A negative security model blocks recognized attacks by relying on a database of expected attack signatures. The approach is as follows:

1. The policy is created with a set of known attack signatures.

2. There is no downstream page analysis to update the policy.

3. Recognized attacks are blocked, and unknown requests (good or bad) are assumed to be valid and passed to the server for processing.

4. All users share the same static policy.
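The same four steps for the negative model, as an added example that is not from the article or from any vendor's signature database; the three signatures are constructed illustrations of the kind of pattern such a database holds.

```python
"""Negative security model: one static signature policy shared by every user."""
import re
from urllib.parse import unquote_plus

# Step 1: the policy is a fixed set of known attack signatures (constructed, illustrative).
ATTACK_SIGNATURES = {
    "sql-tautology":    re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I),
    "path-traversal":   re.compile(r"(\.\./){2,}"),
    "script-injection": re.compile(r"<\s*script\b", re.I),
}


def inspect_request(method, url, body=""):
    """Return the name of the matched signature, or None when nothing is recognized.

    Step 3: a request that matches no signature, good or bad, is passed to the server.
    Step 2 does not exist here: no response is parsed and the policy never changes.
    """
    # Decode once so an encoded copy of a known payload hits the same signature.
    text = f"{method} {unquote_plus(url)}\n{unquote_plus(body)}"
    for name, pattern in ATTACK_SIGNATURES.items():
        if pattern.search(text):
            return name
    return None


def filter_requests(requests):
    """Step 4: every user's request is checked against the same policy; returns (url, verdict)."""
    return [(url, inspect_request(method, url, body)) for method, url, body in requests]
```

Compare the last assertion with the positive-model behavior: the injected `role=admin` parameter matches no signature, so the negative model passes it through.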

Application firewalls install between the network firewall and the application server, functioning at Layer 7 of the OSI model. All session traffic, both upstream and downstream, runs through the application firewall. Downstream traffic is channeled through the application firewall and, in the case of a positive model, parsed to build the session policy. This requires the application firewall to sit in front of any cache server, so that every request is validated.

Upstream requests are also channeled through the application firewall, which passes only valid requests, thereby keeping bad requests away from the server.

Application firewalls understand inbound and outbound session requests. They offer in-line integration with existing applications and are compatible with Web application technologies. They work in real time to address threats before they reach the application.

An application firewall listens on TCP ports 80 and 443 and accepts incoming HTTP and HTTPS requests from the client. It parses each request, associates it with a session (creating one if required), and then matches the request against the policy for that session.

If the request is permitted (that is, the link is allowed), it is forwarded to the Web server; if not, it is rejected. The Web server's response arrives at the application firewall, is associated with the same session the request belongs to, and is parsed; the policy updates it yields (newly allowed links) are extracted and attached to the session.

If this is the response to the session's first request, a cryptographic session cookie is also attached to the response to identify the client session in further communications. The application firewall then forwards the response to the client.
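The session-association step of the cycle above, as an added example that is not the article's or Sanctum's implementation: the firewall binds a client to its session with an HMAC-signed cookie so that a forged or altered cookie cannot be matched to anyone's session policy. The cookie name, the per-process key and the flat session table are assumptions.

```python
"""Associate requests with sessions via a cryptographic (HMAC-signed) session cookie."""
import hashlib
import hmac
import secrets

COOKIE_NAME = "wafsid"                 # assumed cookie name
SECRET_KEY = secrets.token_bytes(32)   # firewall-side key; a real deployment persists and rotates it
SESSIONS = {}                          # session id -> per-session policy state (kept minimal here)


def _sign(sid):
    """Tag the session id so only this firewall can mint a cookie that verifies."""
    return hmac.new(SECRET_KEY, sid.encode(), hashlib.sha256).hexdigest()


def issue_cookie():
    """Create a session and return (session id, Set-Cookie value) for the first response."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"allowed_paths": set()}
    return sid, f"{COOKIE_NAME}={sid}.{_sign(sid)}; Secure; HttpOnly; SameSite=Strict"


def session_from_cookie(cookie_header):
    """Return the session id carried by a valid cookie, or None.

    A cookie whose signature fails is treated as absent rather than trusted, so an altered
    id can never be matched to an existing session.
    """
    for part in (cookie_header or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name != COOKIE_NAME or "." not in value:
            continue
        sid, _, sig = value.partition(".")
        if hmac.compare_digest(sig, _sign(sid)) and sid in SESSIONS:
            return sid
    return None


def associate(cookie_header):
    """Request parse step: (session id, Set-Cookie to attach or None if the client already has one)."""
    sid = session_from_cookie(cookie_header)
    if sid is not None:
        return sid, None
    return issue_cookie()
```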

Bar-Gad is CTO at Sanctum. He can be reached at
