[sclug] Firewall question

Alex Butcher lug at assursys.co.uk
Wed May 1 12:00:53 UTC 2013

On Wed, 1 May 2013, Neil Haughton wrote:

> This is not specifically a Linux question, but there seem to be a lot of
> knowledgable networking people lurking here so I'm going to take a punt.
> What is the difference between a conventional 'firewall' and an
> 'application firewall'? I've read the wikipedia page and am none the wiser.
> I guess that an app firewall concentrates on traffic for a specific app,
> but does the application itself (I'm thinking a web app) need to know about
> the app firewall, or provide special hooks or anything like that? Can I
> take an arbitrary web app, for example, say "FooApp", and shove an
> arbitrary app firewall, say "Bar App Firewall 2013", in front of it, and
> with suitable configuration expect the app firewall to protect the web app?

Depends on the context.

Originally, I'd have said an application firewall was one which operated at
the application layer of the OSI network model, i.e.  it was a proxy.  That
would require a proxy setting in the application, unless it was combined
with some transparent translation to redirect an unaware application to the

Using proxies harms performance, so the transparent translation techniques
have morphed into Deep Packet Inspection and Intrusion Prevention.  You can
view Linux's nf_conntrack_* netfilter kernel modules as primitive forms of
this, and things like the Snort-based HogWash as the beginning of the
more modern approaches.

Conceivably, one might also use application firewall to define things like
database firewalls which impose security policies upon the types of queries
that can be executed and the results that can be returned. I think that
would be a contentious definition, however.

A regular firewall is generally taken to refer to a pure network protocol
filter, which may or may not be connection state aware, but is not aware of
the application layer at all.

Does that help?
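The contrast drawn above, as an added illustration that is not part of the original thread: the same constructed packets are judged by a header-only network filter and by an HTTP-aware application-layer filter. The address 10.0.0.5, the rule tables and the HTTP policy are hypothetical.

```python
# Added example (not from the original post): the same constructed packets
# judged by a header-only filter and by an HTTP-aware one.
from dataclasses import dataclass
from posixpath import normpath

@dataclass
class Packet:
    dst: str
    proto: str
    dport: int
    payload: bytes

# Policy a conventional firewall can express: addresses, protocol, port.
NETWORK_RULES = [(("10.0.0.5", "tcp", 80), "allow"),  # first match wins
                 (("10.0.0.5", "tcp", 22), "deny")]   # default: deny

def network_filter(pkt):
    """Decide on headers only; the payload is never examined."""
    for (dst, proto, dport), verdict in NETWORK_RULES:
        if (pkt.dst, pkt.proto, pkt.dport) == (dst, proto, dport):
            return verdict
    return "deny"

# Policy only an application-layer filter can express: HTTP semantics.
ALLOWED_METHODS = {"GET", "HEAD"}
ALLOWED_PREFIX = "/app"

def app_filter(pkt):
    """Parse the HTTP request line and apply policy to its content."""
    try:
        request_line = pkt.payload.split(b"\r\n", 1)[0].decode("ascii")
        method, target, version = request_line.split(" ")
    except (UnicodeDecodeError, ValueError):
        return "deny"  # not well-formed HTTP: reject rather than guess
    if not version.startswith("HTTP/1.") or method not in ALLOWED_METHODS:
        return "deny"
    # Normalise the path so ".." segments cannot leave the allowed subtree
    path = normpath(target.split("?", 1)[0])
    if path != ALLOWED_PREFIX and not path.startswith(ALLOWED_PREFIX + "/"):
        return "deny"
    return "allow"

# Constructed sample traffic to the hypothetical web server at 10.0.0.5
SAMPLES = {
    "normal": Packet("10.0.0.5", "tcp", 80, b"GET /app/index.html HTTP/1.1\r\nHost: a\r\n\r\n"),
    "traversal": Packet("10.0.0.5", "tcp", 80, b"GET /app/../etc/passwd HTTP/1.1\r\n\r\n"),
    "post": Packet("10.0.0.5", "tcp", 80, b"POST /app/login HTTP/1.1\r\n\r\n"),
}
```

The network filter allows all three samples because each is TCP to port 80; only the application-layer filter, which parses the request, can reject the second and third.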
