[sclug] Firewall question

Neil Haughton haughtonomous at googlemail.com
Wed May 1 14:15:52 UTC 2013


Hi Alex,

I'm not sure if it does help with what I am trying to understand. If you are able
to answer the last part of my question, namely

"...does the application itself (I'm thinking a web app) need to know about
the app firewall, or provide special hooks or anything like that? Can I
take an arbitrary web app, for example, say "FooApp", and shove an
arbitrary app firewall, say "Bar App Firewall 2013", in front of it, and
with suitable configuration expect the app firewall to protect the web app?"

it will be more helpful. I am trying to ascertain whether our particular
web app product would need to be modified if the customer wants to use it
in conjunction with an "app firewall", or is the app firewall simply
something sitting between a web app and the outside world, that does not
care what the web app is or does?

TIA

Neil



On 1 May 2013 13:00, Alex Butcher <lug at assursys.co.uk> wrote:

> On Wed, 1 May 2013, Neil Haughton wrote:
>
>> This is not specifically a Linux question, but there seem to be a lot of
>> knowledgable networking people lurking here so I'm going to take a punt.
>>
>> What is the difference between a conventional 'firewall' and an
>> 'application firewall'? I've read the wikipedia page and am none the
>> wiser.
>> I guess that an app firewall concentrates on traffic for a specific app,
>> but does the application itself (I'm thinking a web app) need to know about
>> the app firewall, or provide special hooks or anything like that? Can I
>> take an arbitrary web app, for example, say "FooApp", and shove an
>> arbitrary app firewall, say "Bar App Firewall 2013", in front of it, and
>> with suitable configuration expect the app firewall to protect the web app?
>>
>
> Depends on the context.
>
> Originally, I'd have said an application firewall was one which operated at
> the application layer of the OSI network model, i.e.  it was a proxy.  That
> would require a proxy setting in the application, unless it was combined
> with some transparent translation to redirect an unaware application to the
> proxy.
>
> Using proxies harms performance, so the transparent translation techniques
> have morphed into Deep Packet Inspection and Intrusion Prevention.  You can
> view Linux's nf_conntrack_* netfilter kernel modules as primitive forms of
> this, and things like the Snort-based HogWash as the beginning of the
> more modern approaches.
>
> Conceivably, one might also use application firewall to define things like
> database firewalls which impose security policies upon the types of queries
> that can be executed and the results that can be returned. I think that
> would be a contentious definition, however.
>
> A regular firewall is generally taken to refer to a pure network protocol
> filter, which may or may not be connection state aware, but is not aware of
> the application layer at all.
>
> Does that help?
>
> HTH,
> Alex
>
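The distinction Alex draws above (a pure network protocol filter that never looks at the application layer, versus an application-layer filter that behaves like a proxy and parses the protocol it forwards) can be made concrete in a few lines. The following is an added example, not code from the thread or from any product; the rule set, the addresses and the HTTP requests are constructed samples, and "FooApp" is only borrowed from Neil's question as the name of the protected application. The model assumed is a reverse proxy placed in front of a web server, so the web application itself needs no changes or hooks; the proxy simply parses each request before deciding whether to forward it.

```python
"""Network-layer filter vs application-layer (proxy-style) filter.

Added illustration; all networks, ports and request bytes are constructed.
"""
from dataclasses import dataclass
import ipaddress


@dataclass
class Packet:
    src: str          # source IP address
    dst: str          # destination IP address
    dst_port: int     # destination TCP port
    payload: bytes    # application data; the network filter never reads it


# --- Network-layer filter: decides on addresses and ports only -------------
# (source network, destination port, verdict); first match wins, default deny.
NETWORK_RULES = [
    ("10.0.0.0/8", 22, "ACCEPT"),   # SSH only from the internal range
    ("0.0.0.0/0", 80, "ACCEPT"),    # public HTTP to FooApp
    ("0.0.0.0/0", 443, "ACCEPT"),   # public HTTPS to FooApp
]


def network_filter(pkt: Packet) -> str:
    """Return ACCEPT/DROP without ever looking at pkt.payload."""
    src = ipaddress.ip_address(pkt.src)
    for net, port, verdict in NETWORK_RULES:
        if src in ipaddress.ip_network(net) and pkt.dst_port == port:
            return verdict
    return "DROP"


# --- Application-layer filter: parses HTTP the way a proxy must ------------
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_REQUEST_BYTES = 8192


def parse_http_request(raw: bytes):
    """Minimal HTTP/1.x request parser: (method, target, version, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)   # ValueError if malformed
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers, body


def application_filter(raw: bytes):
    """Return (verdict, reason) for one HTTP request; FooApp itself is untouched."""
    if len(raw) > MAX_REQUEST_BYTES:
        return "BLOCK", "request exceeds size limit"
    try:
        method, target, version, headers, _ = parse_http_request(raw)
    except (ValueError, IndexError, UnicodeDecodeError):
        return "BLOCK", "malformed request line"
    if method not in ALLOWED_METHODS:
        return "BLOCK", f"method {method} not allowed"
    if not version.startswith("HTTP/1."):
        return "BLOCK", f"unsupported version {version}"
    if "/../" in target or target.endswith("/.."):
        return "BLOCK", "path traversal pattern in target"
    if "host" not in headers:
        return "BLOCK", "missing Host header"
    return "FORWARD", "clean"


def decide(pkt: Packet):
    """Chain both: packet filter first, then proxy-style inspection on port 80.

    Port 443 is accepted by the network rules but not inspected here: a proxy
    would have to terminate TLS before it could read the request.
    """
    if network_filter(pkt) != "ACCEPT":
        return "DROP", "network filter"
    if pkt.dst_port == 80:
        return application_filter(pkt.payload)
    return "ACCEPT", "network filter"


# Constructed sample traffic (documentation/test address ranges only).
SAMPLES = {
    "ssh_from_internet": Packet("203.0.113.5", "192.0.2.10", 22, b""),
    "ssh_from_lan": Packet("10.1.2.3", "192.0.2.10", 22, b""),
    "clean_get": Packet("203.0.113.5", "192.0.2.10", 80,
                        b"GET /index.html HTTP/1.1\r\nHost: fooapp.example\r\n\r\n"),
    "trace": Packet("203.0.113.5", "192.0.2.10", 80,
                    b"TRACE / HTTP/1.1\r\nHost: fooapp.example\r\n\r\n"),
    "no_host": Packet("203.0.113.5", "192.0.2.10", 80, b"GET / HTTP/1.1\r\n\r\n"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:18} network={network_filter(pkt):6} overall={decide(pkt)}")
```

The two port-80 requests "clean_get" and "trace" are indistinguishable to the network filter (same source, same port, both ACCEPT); only the proxy-style filter, because it parses the request, can forward one and block the other. Nothing in FooApp had to change for that to happen, which is the sense in which an application firewall can be dropped in front of an arbitrary web app.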


