A hot new trend in firewalls is the application-layer firewall, sometimes called an application shield. Although the attack sequences we used in this roundup could be described as "application layer" attacks, because they exploit weaknesses at the application protocol level, these types of attacks are not what application shields are meant to protect against.
Survey the last few months of Microsoft Corp. security flaws and you'll get a better idea of the impetus behind application-layer firewalls. Programmers, and not only those in Redmond, don't always code with security foremost in mind. A clumsily coded application can often provide a loophole for hackers to exploit and gain access to confidential data. Witness Microsoft's Internet Explorer Web browser, and even its Windows operating system, which have been exploited in this manner multiple times in the past, usually leaving the attacker with full administrator-level (root) control of the host system.
Although companies such as Check Point Software Technologies Ltd. are working to create wide-ranging application shields, including Check Point's SmartDefense software, today these products are usually very tightly integrated with a specific application resource, usually at the server level. For example, you'd typically install an application shield dedicated to a specific database server platform, such as IBM Corp.'s DB2, or a specific e-mail server platform, such as Microsoft Exchange Server.
Because application firewalls are so closely tuned to the specific application they are protecting, they are usually able to offer not only an extra layer of user authentication, but traffic verification as well. This capability stems from the application firewall's close knowledge of the host application and its protocol: rather than merely checking addresses and ports, it can verify that the traffic flowing to and from that application conforms to what the server actually expects (valid commands, sane lengths, the right order of operations) before it is allowed across your network.
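To make the difference between a port filter and a protocol-aware shield concrete, here is an added example (not code from the article, and not Check Point's or any other vendor's product) of a toy SMTP command filter of the kind you would put in front of a mail server. It assumes a plain-text SMTP command stream; the allowed-verb list is an assumed policy (VRFY and EXPN are left out because they enumerate accounts), the length limits are the RFC 5321 maxima, and the sample session is constructed, not captured traffic. The filter tracks the session state, so it rejects commands that are well-formed but arrive out of order, which a packet filter cannot do.

```python
import re
from typing import List, Tuple

# Assumed policy: verbs the shield forwards to the mail server. VRFY/EXPN are
# deliberately absent (account enumeration); the message body after DATA is
# not modelled by this toy.
ALLOWED_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
MAX_COMMAND_LINE = 512   # RFC 5321 4.5.3.1.4: command line, including CRLF
MAX_PATH = 256           # RFC 5321 4.5.3.1.3: reverse/forward path, incl. brackets

# Legal transitions (state, verb) -> next state. This table is the "close
# knowledge of the host application" the article talks about.
NEXT_STATE = {
    ("start", "HELO"): "greeted", ("start", "EHLO"): "greeted",
    ("greeted", "MAIL"): "mail",
    ("mail", "RCPT"): "rcpt",
    ("rcpt", "RCPT"): "rcpt",
    ("rcpt", "DATA"): "data",
}
PATH_KEYWORD = {"MAIL": b"FROM:", "RCPT": b"TO:"}
PATH_RE = re.compile(rb"<[^<>\s]*>")   # <> (null return path) is valid


def _check_path(args: bytes, keyword: bytes) -> Tuple[bool, str]:
    """Validate the path argument of MAIL FROM: / RCPT TO: (ESMTP params may follow)."""
    if not args.upper().startswith(keyword):
        return False, f"expected {keyword.decode()} after verb"
    path = args[len(keyword):].split(b" ", 1)[0]
    if len(path) > MAX_PATH:
        return False, "path longer than 256 octets"
    if not PATH_RE.fullmatch(path):
        return False, "malformed path"
    return True, ""


class SmtpCommandFilter:
    """Inspects one client command line at a time, keeping per-session state."""

    def __init__(self) -> None:
        self.state = "start"

    def inspect(self, line: bytes) -> Tuple[str, str]:
        """Return ("PASS", verb) or ("DROP", reason) for one raw command line."""
        if len(line) > MAX_COMMAND_LINE:
            return "DROP", "command line longer than 512 octets"
        if not line.endswith(b"\r\n"):
            return "DROP", "missing CRLF terminator"
        body = line[:-2]
        # Commands are 7-bit printable ASCII; anything else is a malformed or
        # hostile client (binary payloads aimed at a parser bug, for example).
        if any(b < 0x20 or b > 0x7E for b in body):
            return "DROP", "non-printable or 8-bit byte in command"
        parts = body.split(b" ", 1)
        verb = parts[0].upper().decode("ascii")
        args = parts[1] if len(parts) > 1 else b""
        if verb not in ALLOWED_VERBS:
            return "DROP", f"verb {verb!r} not allowed by policy"
        if verb in ("NOOP", "QUIT"):
            return "PASS", verb
        if verb == "RSET":               # aborts the transaction, keeps the greeting
            self.state = "greeted" if self.state != "start" else "start"
            return "PASS", verb
        key = (self.state, verb)
        if key not in NEXT_STATE:
            return "DROP", f"{verb} not valid in state {self.state!r}"
        if verb in PATH_KEYWORD:
            ok, reason = _check_path(args, PATH_KEYWORD[verb])
            if not ok:
                return "DROP", reason
        self.state = NEXT_STATE[key]
        return "PASS", verb


def filter_session(lines: List[bytes]) -> List[Tuple[str, str]]:
    """Run a command sequence through a fresh filter; one verdict per line."""
    f = SmtpCommandFilter()
    return [f.inspect(line) for line in lines]


# Constructed sample session (not captured traffic): a legitimate exchange with
# three lines an attacker might add when probing an exposed mail server.
SAMPLE_SESSION = [
    b"RCPT TO:<bob@example.com>\r\n",                    # out of order: no greeting yet
    b"EHLO client.example.net\r\n",
    b"VRFY root\r\n",                                    # account enumeration, blocked by policy
    b"MAIL FROM:<alice@example.net>\r\n",
    b"RCPT TO:<" + b"A" * 300 + b"@example.com>\r\n",    # oversized path, classic overflow probe
    b"RCPT TO:<bob@example.com>\r\n",
    b"DATA\r\n",
]

if __name__ == "__main__":
    for line, (verdict, detail) in zip(SAMPLE_SESSION, filter_session(SAMPLE_SESSION)):
        print(f"{verdict:4} {detail:40} {line[:40]!r}")
```

The interesting verdicts are the first and the fifth line: both are syntactically plausible SMTP, and a stateless address-and-port filter would pass both. Only a filter that knows the protocol's command sequence and field limits can reject them, and that is exactly the inspection cost that the performance testing discussed below has to account for.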
In a layered security approach consisting of perimeter security, encryption, intrusion detection, and other solutions architected to provide an overall secure environment, application shields can play an important role as a final layer of protection. Designing an appropriate application-layer scheme means more than simply installing software, however. Your applications and the traffic patterns they generate will need to be prioritized.
Performance testing is crucial at this stage because you're already facing a performance hit from your other security layers, so an additional traffic-inspection layer could cripple throughput if it's not sized and tuned properly. This step is made even more important because application shields aren't enough to protect your network by themselves. They're simply powerful security layers aimed at very specific application servers. You'll still need the other, more traditional security layers in place for an application shield to have its desired effect.