Why is your network firewall falling short?

Your network is secure, your servers are safe, and you've done everything to protect your network, corporate assets and intellectual property. You have a network firewall, so your perimeter is secure. Your network devices and servers are only accessible through your corporate VPN via two-factor authentication, and every other external port is blocked to unauthenticated traffic.

No one gets into your network except for safe, authenticated users and anonymous web users on ports 80 and 443. These anonymous web users are the ones surfing your sites, using your web applications, logging in as normal users, and browsing without intervention or observation. These same anonymous users are the next major threat to your network, so how do you secure data flowing over ports 80 and 443?

Traditional network-based firewalls have come a long way toward providing strong perimeter security. They are robust, well-understood devices that network administrators use and trust with good reason. At network layers 3 and 4 they are designed to do their job and do it well. By design, network firewalls focus on protection against connection-based attacks: attacks that occur during the first few steps of establishing a new network connection. They are the big, heavy-weight bouncers at the door who let no one into the club except those who are authenticated and on "the list."

However, these devices are not designed to protect data in the application layer, the layer "above" the network layers. They are not concerned with digging into the payload of a packet to evaluate the data it carries. A network firewall does not know when your web application is under attack by someone looking to harvest credit card numbers, or when someone is trying to use your website to deliver trojan or viral code to unsuspecting users. These attacks target the application layer and are buried deep within the packet, deeper than network firewalls are willing to dig. Attacks targeted at harvesting data through code-based applications rose 54 per cent in the first half of 2005 [1]. Attacks that used to broadly sweep the network perimeter are now re-focusing on web and client-side application data. For protection against this new breed of attacks and attackers, you need a specialized device: a web application firewall.

Web application firewalls secure session-based traffic, traffic that has already passed the connection-based screening done by your perimeter firewalls. They inspect all bi-directional application data after it enters your network but before it reaches your web applications. A web application firewall screens for attacks targeted at your critical applications, acting as a second-level firewall that is specially tuned for and fully aware of your specific application data and usage patterns. It understands what types of web data and traffic should be allowed, how the web application is accessed, and what kinds of traffic behavior should be blocked. Application firewalls are extensions of your already secure network and complement your existing network firewalls: the bouncers already know who is allowed into the club, and the application firewall wants to know what visitors intend to do while they are inside. Web application firewalls are the next logical step in network security, protecting the data that is allowed into and on your network and preventing attacks from the new breed of application-focused security threats.

Application firewalls are a relatively new breed of security device; they are operating in a new market and the task ahead of them is a daunting one. Unlike traditional network firewalls, application firewalls must be customized to each site's content and security needs. We understand how to protect the physical, network and transport layers because the structure of those layers and the data they carry do not change. By contrast, every application that passes data in the application layer is unique. The application layer also carries a myriad of web application services, each with its own data structure: HTTP headers and form data differ from XML payloads, which differ from JavaScript content, and so on.

The missing piece of the network security puzzle is the ability to inspect, control and manipulate the web application data that is allowed to travel on and through the network. Although networks function as data transport engines, they are transporting critical application data and services that are key to day-to-day operations. Where networks used to be simple bit-buckets and highways, they are now becoming robust application delivery networks, managing data that is just as critical as the networks themselves. By extending the security perimeter to cover the data that already traverses the perimeter firewalls, web application firewalls should become one of the key weapons in your network security arsenal. Web application firewalls must be intelligent devices, not simply dumb network devices with pattern-matching capabilities. The task ahead for web application firewalls is to become the de facto standard, combining autonomous, intelligent protection with ease of management and deployment. Web application firewalls extend network security to its next logical destination, the applications that make the networks so critical.
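The contrast drawn in the paragraphs above, between connection-based screening at layers 3 and 4 and application-aware inspection of the HTTP payload, and between "dumb" pattern matching and a profile of what a particular application accepts, can be seen in a few dozen lines of code. The following is an added example written for this edit; it is not F5's product code and not code from the original article. The host name shop.example, the paths, parameter rules, signature regexes and all five sample requests are constructed for illustration.

```python
# Added example, not F5's code or part of the original article. A toy contrast of
# a layer-3/4 packet filter with a layer-7 web application firewall that applies
# a signature (negative) policy and a per-application (positive) profile.
# The host, paths, parameter rules and sample requests below are all constructed.
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit


def l4_allows(proto, dst_port):
    """All a network firewall evaluates: protocol and port. Anonymous web
    traffic to 80/443 is allowed, whatever the payload contains."""
    return proto == "tcp" and dst_port in (80, 443)


@dataclass
class HttpRequest:
    method: str
    path: str
    params: dict  # query-string and form-body parameters, percent-decoded
    headers: dict


def parse_http_request(raw: bytes) -> HttpRequest:
    """Minimal HTTP/1.x parser: enough to see what a WAF sees inside the payload."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params.update(parse_qsl(body.decode("iso-8859-1"), keep_blank_values=True))
    return HttpRequest(method, parts.path, params, headers)


# Negative model: pattern matching for known attack syntax. Generic and cheap,
# but easy to evade (see the quote-less SQL injection sample below).
SIGNATURES = {
    "sqli": re.compile(r"(?i)('\s*(or|and)\s+[\w']+\s*=\s*[\w']+|union\s+select|;\s*drop\s+table)"),
    "xss": re.compile(r"(?i)(<script\b|javascript:|\bon\w+\s*=)"),
}


def signature_findings(req):
    return [(sig, name) for name, value in req.params.items()
            for sig, rx in SIGNATURES.items() if rx.search(value)]


# Positive model: a profile of what this particular application accepts. This is
# the per-site customization the article says application firewalls require.
@dataclass
class ParamRule:
    pattern: re.Pattern
    max_len: int


APP_PROFILE = {
    ("GET", "/products"): {"id": ParamRule(re.compile(r"^\d{1,8}$"), 8)},
    ("POST", "/login"): {
        "user": ParamRule(re.compile(r"^[a-z0-9_.]{1,32}$"), 32),
        "pass": ParamRule(re.compile(r"^[\x21-\x7e]{8,64}$"), 64),
    },
}


def profile_violations(req, profile=APP_PROFILE):
    rules = profile.get((req.method, req.path))
    if rules is None:
        return [f"unknown endpoint {req.method} {req.path}"]
    out = []
    for name, value in req.params.items():
        rule = rules.get(name)
        if rule is None:
            out.append(f"unexpected parameter {name}")
        elif len(value) > rule.max_len or not rule.pattern.match(value):
            out.append(f"parameter {name} fails profile")
    return out


def inspect_request(raw: bytes, proto="tcp", dst_port=443):
    """Run the L4 check, then both L7 policies, and report every finding."""
    if not l4_allows(proto, dst_port):
        return {"l4": "drop", "signature_findings": [], "profile_violations": [], "verdict": "block"}
    req = parse_http_request(raw)
    sigs, viols = signature_findings(req), profile_violations(req)
    return {"l4": "pass", "signature_findings": sigs, "profile_violations": viols,
            "verdict": "block" if sigs or viols else "allow"}


# Constructed sample requests; shop.example is a placeholder host.
BENIGN = b"GET /products?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
SQLI_QUOTED = b"GET /products?id=42'%20OR%20'1'='1 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
SQLI_NO_QUOTE = b"GET /products?id=42%20OR%201%3D1 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
LOGIN_OK = (b"POST /login HTTP/1.1\r\nHost: shop.example\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
            b"user=alice&pass=hunter2hunter2")
UNKNOWN = b"GET /admin HTTP/1.1\r\nHost: shop.example\r\n\r\n"

if __name__ == "__main__":
    for label, raw in [("benign", BENIGN), ("sqli quoted", SQLI_QUOTED),
                       ("sqli no quote", SQLI_NO_QUOTE), ("login", LOGIN_OK), ("unknown", UNKNOWN)]:
        print(f"{label:14s} {inspect_request(raw)}")
```

Every one of the five requests passes the layer-4 check, because to a port-based rule they are all just TCP to 443. The quoted injection trips the signature, but the quote-less variant (`id=42 OR 1=1`) matches no signature and is caught only by the application profile, which knows that `id` must be a short integer; that gap is what separates pattern matching from the application-aware inspection the article is asking for. A real product also normalizes encodings (double percent-encoding, Unicode, chunked bodies) before either policy runs, which this toy omits.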

The author is product management engineer at F5 Networks
