
Application-aware firewalls

Enterprises are demanding more from firewalls, especially as network perimeters disappear, corporate traffic begins to include Web 2.0 and social media applications, and threats become more targeted. Many vendors tout their firewalls as next-generation products, but the definition varies greatly. This IT Checklist will outline the capabilities an application-aware firewall can and should have, and help you create a list of criteria to match the most appropriate firewall product to your security needs.



Contents
• The truth about application awareness
• The challenges of application awareness
• Application-aware firewall buying criteria
• Questions to ask your vendor
• Providers at a glance

By Andreas Antonopoulos

THE TRUTH ABOUT APPLICATION AWARENESS

Security is the only IT discipline that is fundamentally based on an adversarial relationship. In the battle for control over IT resources, attackers have been gradually moving "up the stack," from IP and TCP attacks to HTML, XML and application-layer attacks. When the attackers move, we must also move our defenses up the stack. But the application layer is much richer than the network layer and therefore much more complex and difficult to secure. Essentially, the Internet protocol stack is an inverted pyramid: a huge number of applications sitting above a narrow set of common standards, including TCP/IP, UDP, HTTP and RTCP.

The term deep packet inspection (DPI) reflects the early stages of the movement up the protocol stack. Beyond DPI, today's security devices may tout application awareness, application fluency or next-generation characteristics, all of which essentially mean the same thing: the ability to inspect, identify and analyze application traffic with increasing sophistication. It is important to understand how application awareness differs from and augments basic identification of applications based on content inspection.

The least application-aware firewall is one where there is some basic packet inspection to identify specific application headers or protocol signatures. At this level, the firewall glances into the TCP header, looking at port numbers and trying to deduce what is being carried within the payload. Like a child trying to guess the content of a Christmas present by examining the shape of the box, header inspection is highly inaccurate: nothing stops an application from using a port registered to another one. Many firewalls are no more application-aware than that, barely scratching the surface.

Going one step further, a more application-aware firewall might look into the TCP payload and identify specific application signatures, or even maintain some connection state (stateful inspection) while trying to reconstruct application flows. Again, this is like trying to guess a person's profession by the car they drive: only sometimes successful and often highly misleading.

At more advanced levels of application awareness and fluency, the firewall can look into specific features or quirks exhibited by the application and selectively enhance, remove or control them. The highest level of application awareness refers to the kind of insight into application behavior that allows the firewall to deconstruct and rebuild an application protocol, injecting control into the application's interactions.

THE CHALLENGES OF APPLICATION AWARENESS

Application awareness is hard. Unlike the TCP/IP layer, where a single standard has persisted more or less unchanged for three or more decades, the application space is vast and fast changing. Counting apps is probably a futile exercise, but just looking at mobile platforms, we see hundreds of thousands of applications running on multiple operating systems.

Driving this explosion of applications is the greatest IT trend in a decade: consumerization. The enterprise is no longer the incubator of innovation, trickling down new technologies to consumers. Rather, consumer technology far outpaces enterprise technology, and users bring innovation from home and inject it into corporate IT systems. Corporate IT often moves too slowly to suit consumer-trained cohorts of workers, driving users to seek out consumer technologies like social media and mobile devices to get the job done, inadvertently undermining the perimeter controls.

The old "castle-and-moat" perimeter model has been turned inside out, with IT infrastructure systems moving outside the company and many of the threats that IT—or rather the enterprise—faces being introduced by user behavior behind the firewall. The insiders are inviting attacks into the network. Security control over IT systems is diffused and fragmented, especially once we take user mobility, data center virtualization and use of cloud resources into consideration.

UNDERSTANDING "APPLICATIONS"

What exactly is an "application"? There is no exact definition, really. An application can range from huge complex meshes of service-oriented architecture (SOA) components—replacing the monolithic systems of previous decades—such as an Enterprise Resource Planning (ERP) system, to a small app on a smartphone. More likely, however, there are application platforms that look like one application but are in fact a collection of dozens or even hundreds of applications. The social media platform Facebook is one such example: it is found at one Web address but really is a platform that includes chat, games, messaging, media and many other capabilities.

A firewall's ability to discriminate between applications is critical not just for security, but also for business innovation and agility. Every chief security officer has to balance the risks inherent in accessing external applications with the business benefits they offer. For example, social media may expose a business to user-generated content that can contain malware, but it will also enhance collaboration, public relations and marketing. If the firewall is unable to discriminate between specific features or sub-applications, the security team will either have to allow the whole application or reject it completely. More likely, they will be forced to ban the application to protect the company. If, on the other hand, the security team can clearly define which aspect of the application they will allow and which they will deny, they can minimize the risk and say "yes" to more applications. They can say "yes" to Facebook status updates and messaging, but not to games or attachments. They can say "yes" to instant messaging but not to file transfer. Similarly, if the firewall cannot distinguish between users, security will have to make its choice for all users: everyone gets access, or everyone doesn't.

So, application-aware firewalls give security teams the chance to safely introduce new technologies into the business. Security is no longer the department where innovation dies: if security can say "yes" selectively, application awareness buys you business agility and competitive advantage.

APPLICATION-AWARE FIREWALL BUYING CRITERIA

How do you know if a firewall is application-aware, and what criteria should you use to select such firewalls? First, you have to ensure that the application awareness is detailed enough to support your needs. (The checklist continues below the sidebar.)
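The three tiers described above, port lookup, payload signature and feature-level (sub-application) control, as an added example in Python over constructed sample segments; this is not code from the article or from any firewall product. The host "social.example" and its URL prefixes are assumed stand-ins for a platform that bundles messaging, status updates, games and attachments, in the way the Facebook discussion above describes; they are not any real platform's paths. The sample shows why a port lookup is wrong for SSH sent to port 443 or HTTP on an unregistered port, and how a reconstructed request lets the policy say "yes" to messaging and "no" to games.

```python
"""Three tiers of application awareness over constructed sample segments.

Added example, not code from the article or any vendor. The host
"social.example" and its paths are assumed stand-ins for a platform
that bundles several sub-applications; they are not real URLs.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Flow:
    dst_port: int
    payload: bytes  # first bytes the client sent on the connection


# Tier 1: port lookup only ("the shape of the box").
PORT_TABLE = {22: "ssh", 53: "dns", 80: "http", 443: "https", 8080: "http"}


def classify_by_port(flow: Flow) -> str:
    return PORT_TABLE.get(flow.dst_port, "unknown")


# Tier 2: payload signatures ("the car they drive"): judge by what was
# actually sent, whatever port it arrived on.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def classify_by_payload(flow: Flow) -> str:
    p = flow.payload
    if p.startswith(b"SSH-"):
        return "ssh"
    if p.startswith(HTTP_METHODS) and b" HTTP/1." in p[:256]:
        return "http"
    # TLS record header: content type 0x16 (handshake), major version 3,
    # 2-byte length, then handshake type 0x01 (ClientHello).
    if len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01:
        return "tls"
    return "unknown"


# Tier 3: reconstruct the application request and decide per feature.
def parse_http_request(payload: bytes) -> Optional[Tuple[str, str, str]]:
    """Return (method, path, host) for an HTTP/1.x request, else None."""
    try:
        head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return None
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower()
    return parts[0], parts[1].split("?", 1)[0], host


# Assumed sub-application map: URL prefix -> feature, per platform host.
FEATURE_MAP = {
    "social.example": [
        ("/messages", "messaging"),
        ("/status", "status-updates"),
        ("/games", "games"),
        ("/attachments", "attachments"),
    ],
}


def classify_feature(flow: Flow) -> Tuple[str, Optional[str]]:
    """Return (application, feature); feature is None outside the platform."""
    req = parse_http_request(flow.payload)
    if req is None:
        return classify_by_payload(flow), None
    _, path, host = req
    for prefix, feature in FEATURE_MAP.get(host, []):
        if path == prefix or path.startswith(prefix + "/"):
            return "social", feature
    return "http", None


# Policy: "yes" to messaging and status updates, "no" to games and attachments.
ALLOWED_FEATURES = {"messaging", "status-updates"}


def decide(flow: Flow) -> str:
    app, feature = classify_feature(flow)
    if app == "social":
        return "allow" if feature in ALLOWED_FEATURES else "deny"
    return "allow" if app in ("http", "tls") else "deny"


# Constructed sample traffic.
SSH_ON_443 = Flow(443, b"SSH-2.0-OpenSSH_9.0\r\n")
HTTP_ON_8443 = Flow(8443, b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n")
TLS_HELLO = Flow(443, bytes([0x16, 0x03, 0x01, 0x00, 0x2A, 0x01]) + b"\x00" * 10)
CHAT = Flow(80, b"GET /messages/inbox HTTP/1.1\r\nHost: social.example\r\n\r\n")
GAME = Flow(80, b"GET /games/farm?lvl=3 HTTP/1.1\r\nHost: social.example\r\n\r\n")

if __name__ == "__main__":
    for f in (SSH_ON_443, HTTP_ON_8443, TLS_HELLO, CHAT, GAME):
        print(f.dst_port, classify_by_port(f), classify_by_payload(f),
              classify_feature(f), decide(f))
```

The tier-3 decision only works for cleartext HTTP; the same platform over TLS shows up as "tls" and nothing more, which is why the vendor question about SSL inspection matters.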

QUESTIONS TO ASK YOUR VENDOR

• Please describe the architecture behind your application-aware firewall product.
• How does your application-aware firewall product identify and classify different types of application traffic?
• What applications are supported by your application-aware firewall?
• How often do you update your supported applications?
• Can your application-aware firewall product enforce varying policies on different types of application traffic? How?
• Can your application-aware firewall product enforce varying policies on specific features or content within an application? How?
• Does your application-aware firewall product incorporate user identity access and management? What directories does it interoperate with?
• Does your product integrate DLP (data loss prevention)?
• Does your product offer inspection of SSL traffic?
• What are the performance ratings on your application-aware firewall product?
• What security functions, besides basic port and protocol identification, does your application-aware firewall product perform?
• What is your plan for users integrating these products into their security infrastructure?
• How does your company define and accomplish application-aware firewall "intelligence"?
• How does your product distinguish itself as truly next-generation?

—Compiled by Kara Gattine, Senior Managing Editor

APPLICATION-AWARE FIREWALL BUYING CRITERIA (continued)

First, you have to ensure that the application awareness is detailed enough to support your needs:
• List the most commonly used or desired applications in your business and compare them to the firewall's supported applications. This of course requires communication with the end users and the business lines to find out what those applications are. You are already having those conversations, aren't you?
• Pick a specific brand-new application or application feature that is important to your business and see if it is supported. This will give you a hint as to whether the firewall vendor is keeping up with the latest developments.
• Pick an application that is not supported and find out how easy or difficult it is to create a custom signature or policy to identify and control it, without the vendor as an intermediary.
• Ask about the vendor's application update frequency: new applications should be added frequently to keep up with a rapidly changing market. Watch for cloud-supported functionality, too, which might provide quicker response to new applications than a traditional "signature file" can.
• Look for an online community where other companies using the firewall can help each other out.
• Evaluate how many different features or application capabilities can be individually selected in a policy.

Second, you have to be able to map your policies to specific users and groups:
• Make sure the firewall integrates with your chosen directory infrastructure (e.g., Active Directory and LDAP).
• Examine whether policies can be applied against multiple roles or groups as defined in your directory.
• Examine whether you can add per-user exceptions or user-specific policies.
• Ensure that the firewall logs user identity in the access and exception logs and uses standard syslog mechanisms so you can include the logs in your log management scheme.
• Don't forget the firewall's administration and operations: you should be able to control those on a per-role or per-user basis.
• Ask whether the firewall can "consume" policies or identities created by other systems, using standards such as the Extensible Access Control Markup Language (XACML) or Security Assertion Markup Language (SAML).

Finally, you will need to see if the firewall can support the network traffic your business generates:
• Evaluate the need for 1 gigabit or 10 gigabit Ethernet interfaces. Smaller branch offices will have different demands than a large campus or data center.
• Review independent testing for firewall performance at "wire speed." Check which features were enabled during the test; a throughput figure measured with application or SSL inspection switched off tells you little about the configuration you will run.
• Ensure the firewall is tested both with a minimal policy set and with your complete set of policies, and compare the performance under the different scenarios. The more application policies you have defined, the more processing power you need to have and the harder it gets to have wire-speed throughput at low to no latency.
• If you cannot find high-quality, independent testing, consider requesting a demo or trial to evaluate the firewall under real-world conditions.

COMPROMISE AND TRADEOFF

The ideal firewall performs at wire speed with thousands of application policies without missing a beat. Of course, application awareness requires some computationally intensive analysis of each packet. More complex applications require more thorough analysis. Inevitably, you will have to make some compromises. Choosing the right application-aware firewall will depend on your business needs and a realistic assessment of your network traffic. Generally speaking, it will be difficult if not impossible to satisfy all those requirements in a single device.

A MILE-DEEP, INCH-WIDE OR MILE-WIDE, INCH-DEEP

You have to decide if you need broad application coverage or detailed, fine-grained application awareness. This relates to the level of application awareness you want to have at the institutional level: how many applications do you want the enterprise to have to care about? It also relates to the performance question: the more you want to pay attention to, the more work the firewall has to do. You may only care for deep inspection of application-specific threats to apply to Web-hosted, browser-accessed applications such as those provided via Facebook. Or you may want all "channels" of the Internet to be under the microscope, but not at such a high magnification. This requires that you have that deep and searching conversation with the business and the users not just once but regularly and fairly frequently.
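The second checklist above asks for directory-backed group policies, per-user exceptions and access logs that carry the user's identity over standard syslog. As an added example, not code from the article or from any firewall product, the following Python shows one way those three requirements fit together: a dict stands in for the LDAP or Active Directory group lookup, rules are ranked so that a per-user exception beats a group rule and a specific feature beats a wildcard regardless of list order, and each decision is rendered as an RFC 5424 syslog line whose structured-data element names the user, not just the source address. The users, groups, applications and rule set are constructed for illustration, and the structured-data id "fw@32473" uses the example enterprise number from RFC 5424.

```python
"""Identity-aware policy evaluation with per-user exceptions and syslog output.

Added example, not the article's or any vendor's code. DIRECTORY stands in
for an LDAP/AD group lookup; users, applications and rules are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

DIRECTORY = {
    "alice": {"marketing", "staff"},
    "bob": {"engineering", "staff"},
    "carol": {"staff"},
}


@dataclass(frozen=True)
class Rule:
    subject: str  # "user:<name>", "group:<name>" or "any"
    app: str      # application name or "*"
    feature: str  # feature / sub-application or "*"
    action: str   # "allow" or "deny"


POLICY = [
    Rule("user:alice", "social", "games", "allow"),        # per-user exception
    Rule("group:marketing", "social", "*", "allow"),
    Rule("group:staff", "social", "messaging", "allow"),
    Rule("group:staff", "social", "status-updates", "allow"),
    Rule("group:engineering", "im", "*", "allow"),
    Rule("group:engineering", "im", "file-transfer", "deny"),
    Rule("any", "*", "*", "deny"),                         # default
]


def _precedence(rule: Rule) -> tuple:
    """User rules beat group rules beat the default; a specific feature
    beats a wildcard. Sorting by this key makes list order irrelevant."""
    kind = rule.subject.split(":", 1)[0]
    return ({"user": 0, "group": 1}.get(kind, 2), rule.feature == "*", rule.app == "*")


def matches(rule: Rule, user: str, groups: set, app: str, feature: str) -> bool:
    kind, _, name = rule.subject.partition(":")
    if kind == "user" and name != user:
        return False
    if kind == "group" and name not in groups:
        return False
    return rule.app in ("*", app) and rule.feature in ("*", feature)


def evaluate(user: str, app: str, feature: str, policy=POLICY) -> Tuple[str, Optional[Rule]]:
    groups = DIRECTORY.get(user, set())  # unknown user: no groups, so only "any" rules apply
    for rule in sorted(policy, key=_precedence):
        if matches(rule, user, groups, app, feature):
            return rule.action, rule
    return "deny", None


def _sd_value(v: str) -> str:
    # RFC 5424 requires escaping these three characters inside a PARAM-VALUE.
    return v.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def syslog_line(user, src_ip, app, feature, action, rule, host="fw1", ts=None) -> str:
    """RFC 5424 line that records who (user), not only where (src_ip)."""
    severity = 5 if action == "allow" else 4  # notice / warning
    pri = 16 * 8 + severity                     # facility local0
    if ts is None:
        ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    rule_id = rule.subject if rule else "default"
    params = {"user": user, "src": src_ip, "app": app, "feature": feature,
              "action": action, "rule": rule_id}
    sd = "[fw@32473 " + " ".join(f'{k}="{_sd_value(v)}"' for k, v in params.items()) + "]"
    return f"<{pri}>1 {ts} {host} appfw - POLICY {sd} {action} {user} {app}/{feature}"


def handle(user: str, src_ip: str, app: str, feature: str, ts=None) -> Tuple[str, str]:
    """Evaluate one request and return (action, syslog line)."""
    action, rule = evaluate(user, app, feature)
    return action, syslog_line(user, src_ip, app, feature, action, rule, ts=ts)


if __name__ == "__main__":
    for who, what, how in [("alice", "social", "games"), ("carol", "social", "games"),
                           ("bob", "im", "file-transfer"), ("dave", "social", "messaging")]:
        print(handle(who, "10.0.0.5", what, how)[1])
```

Logging the matched rule's subject alongside the user is what makes an exception auditable later: a line that says only "allow 10.0.0.5 social/games" cannot tell you whether a per-user exception or a group rule fired.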

LOCATION, LOCATION, LOCATION

You'll have to consider the difference between what you need to have in place to protect end users in a branch versus at headquarters, as well as the differences between user-focused protection and data center-focused protection. A firewall in the data center should be looking at XML and other protocols and content types with an eye toward protecting back-end systems from compromise: your ERP system components will not be using Farmville, but they probably need to be protected from SOA-focused XML denial-of-service attacks. A firewall in a branch office or campus would need just the opposite.

PLATFORM CHOICES

Nowadays, firewalls and other security functions can be "sourced" in multiple different flavors: on-premises vs. cloud; appliance or software; virtualized software firewall.

An appliance will provide a straightforward deployment option: you don't have to worry about sizing the hardware for your needs. A software solution, by comparison, will give you more flexibility but may require extra planning and testing or specialized hardware such as multicore processors, accelerated network cards and network processors.

A virtual firewall is a software firewall wrapped in a virtual machine, installed on a virtualized OS or in the hypervisor. A virtual firewall will give you the benefits of virtualization that you already enjoy on your virtualized servers. You will be able to scale out or scale up the hardware, move the virtual machine around and use business continuity or disaster recovery solutions for virtual infrastructures to recover your firewall in another data center.

You'll also have to consider the possibility of using network-based (aka "cloud") firewalls, which shift the processing burden to someone else but take away none of the need to develop deep familiarity with what users have to and wish to use. A cloud-based firewall will put the burden of management, updates and maintenance on a service provider but still allow you to maintain control over policy and reporting. This may be an especially attractive choice if you need to cover multiple distributed branch offices or remote users and cannot deploy appliances everywhere or do not have IT staff to manage the device.

CONCLUSIONS AND RECOMMENDATIONS

Corporate IT is facing enormous challenges with information security because of the rapid consumerization of IT and the incredible pace of innovation in the Web and application space. Fortunately, firewalls are also evolving rapidly, moving up the stack and becoming far more application-aware. As you build a security strategy for your company, you should reconsider the requirement for firewalls and the role you expect the firewall to play in your network. With the right planning and roadmap you can drastically improve your security posture through the use of an application-aware firewall. ■

Andreas M. Antonopoulos is senior vice president and founding partner with Nemertes Research, where he develops and manages research projects, conducts strategic seminars and advises key clients.

PROVIDERS AT A GLANCE

The following is a list of application-aware firewall providers.
• Alcatel-Lucent
• AppliCure
• Astaro
• Barracuda
• Bee Ware
• CA
• Check Point Software
• Cisco Systems
• Citrix
• eEye Digital Security
• F5
• Fortinet
• Global DataGuard
• Global Technology Associates, Inc.
• HP
• IBM
• Imperva
• Ingate
• Juniper Networks
• Layer 7 Technologies
• McAfee
• Netgear ProSecure
• Network Box
• NitroSecurity
• Palo Alto Networks
• SonicWall
• Stonesoft
• Trustwave
• VMware
• WatchGuard
• WhiteHat Security
• Zeus Technology

—Compiled by Susan Fogarty, Editorial Director
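The data center case under "Location, location, location" above says the firewall in front of back-end SOA components should protect them from XML denial-of-service attacks. As an added example, not code from the article or from any product, the following Python pre-filter applies the checks such a device would run before forwarding a document: it rejects oversized documents, any entity declaration (the mechanism behind "billion laughs" expansion) and external entity references, and caps element nesting depth. The limits and the sample payloads are constructed for illustration; tune them to what the back-end service legitimately accepts, since a service that really uses DTDs would need a narrower rule than "no entity declarations at all".

```python
"""Pre-filter for XML bound for a back-end SOA service.

Added example, not from the article or any product. Rejects the usual
XML denial-of-service inputs before the document reaches the back-end
parser. Limits and sample documents are constructed for illustration.
"""
import xml.parsers.expat

MAX_BYTES = 1_000_000   # assumed limit; size the real one to the service
MAX_DEPTH = 64          # assumed limit on element nesting


class XmlRejected(Exception):
    pass


def check_xml(data: bytes, max_bytes: int = MAX_BYTES, max_depth: int = MAX_DEPTH) -> bool:
    """Return True if the document passes every check; raise XmlRejected otherwise."""
    if len(data) > max_bytes:
        raise XmlRejected("document too large")
    parser = xml.parsers.expat.ParserCreate()
    depth = 0

    # Any entity declaration is refused: internal entities are how "billion
    # laughs" multiplies a few kilobytes into gigabytes, external ones pull
    # in remote content. An exception raised in a handler aborts Parse().
    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise XmlRejected(f"entity declaration {name!r}")

    def on_external_ref(context, base, system_id, public_id):
        raise XmlRejected("external entity reference")

    def on_start(name, attrs):
        nonlocal depth
        depth += 1
        if depth > max_depth:
            raise XmlRejected("nesting too deep")

    def on_end(name):
        nonlocal depth
        depth -= 1

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as e:
        raise XmlRejected(f"malformed XML: {e}") from None
    return True


def verdict(data: bytes) -> str:
    """Forwarding decision as a string, for logging: 'forward' or 'reject: <reason>'."""
    try:
        check_xml(data)
        return "forward"
    except XmlRejected as e:
        return f"reject: {e}"


# Constructed sample documents.
GOOD = b'<?xml version="1.0"?><order><id>42</id><qty>1</qty></order>'
BOMB = (b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
        b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;">]><lolz>&lol2;</lolz>')
DEEP = b"<a>" * 100 + b"</a>" * 100

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("bomb", BOMB), ("deep", DEEP)):
        print(label, verdict(doc))
```

The declaration handler fires before any expansion happens, so the cost of rejecting a bomb is bounded by the size of the document actually received, which is what a device sitting in front of every back-end request needs.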