An application layer firewall is a neutral term for providing filtering capabilities on application layer (i.e. layer 5 and 6). In order to do so it must be able to understand application specialties on the session layer and content specialties on the application layer.
An application layer firewall can be implemented as a standalone entity, or as a built in functionality on the application server (e.g. as web server plugin). This functionality is also part of next generation firewalls, sometimes also under the label of deep packet inspection.
The degree of required application awareness becomes a key issue if the application layer is complex. This is the case for securing web applications. It is a lot of effort, not only because it requires a large number of protocols to be fully implemented, it might also require the understanding of correct application behavior workflows, and to catch also technology differences of some implementations e.g. of web servers or browsers of different vendors.
A WAF is a special version of an application layer firewall because it simply would be too much to implement it on a standard firewall or similar generic security device. However, there is a trend to enrich generic security devices with simplified WAF functionality. Nevertheless, dedicated WAF solutions would not be so popular if web application security would be easy to implement and to operate.
Other reverse or forward proxies which are not http based can also be considered as application layer firewalls if they provide filtering capabilities on layer 5 or 6. However, many such proxy solutions do not provide such filtering because they are merely used as connection proxies. It always makes sense to consider filtering and connection capabilities of such proxy solutions separately.
In this sense, a networked WAF like the Airlock can also be considered as http router having WAF filtering capabilities.
2016/02/05 © ACROSEC Inc.
A proxy is a standalone entity doing something on behalf of someone else. In the IT world it usually is an intermediary function between a client and a server communicating over the network. Thus a proxy must provide connection capabilities. Different terms are used for covering outbound (forward proxy) and inbound scenarios (reverse proxy). However, such a distinction is usually only made for http but rarely for other protocol families, where mainly the generic word “proxy” is used as catch-all.
A further distinction needs to be made regarding the degree of which the proxy is aware of both parties (client/server). The absolute minimum is to provide services on a particular connection protocol layer. Any additional functionality on a higher protocol layer would also mean to implement at least parts of this protocol stack.
A proxy which would be able to fully simulate client, server or both would need to implement all required protocols including their behavior. Sometimes the word full proxy is also being heard of. In that sense, an Airlock WAF is a full proxy regarding awareness of all involved communication and presentation layers but with limited business logic awareness only. Such a solution can therefore be considered as infrastructure counterpart to the application.
2016/02/05 © ACROSEC Inc.
A WAF is an application firewall dedicated for web applications. There are multiple approaches how to implement a WAF depending on scenario and requirements.
A WAF security solution is normally used for securing web applications in order to protect against attacks on the application layer. It filters bad requests that exploit typical application programming errors as application weaknesses or other vulnerabilities on the application platform or underlying system.
A WAF would actually not be needed in the ideal world as secure applications would be developed in the first place. However, application security is difficult to achieve for various reasons. Furthermore it is difficult to achieve the same security level for all external facing web applications. A WAF is able to catch these shortcomings and lift the security level for all applications behind it.
Another important WAF business case is to implement virtual patching on the WAF instead of patching them in the application. This is especially important for large environments because it allows the application teams to buy precious time and schedule such application changes in an orderly way within the application development cycle. Otherwise, the teams would be constantly overflown with emergency changes every time when a new vulnerability is discovered.
2016/02/05 © ACROSEC Inc.
A reverse proxy with WAF filtering capacities and centrally managed authentication/authorization services for controlling the access to web applications.
Such an access infrastructure might elsewhere also be known as WAM/WAF combination (WAM: Web Access Management) or application access gateway server.
The term “Web Entry Server” is mainly used in the German speaking part of Europe and signifies that it is the central entrance point through which all web applications must be accessed.
Such solutions originated in Swiss Banking which additionally required an appropriately designed hardened DMZ infrastructure, capable of hosting high security applications like Internet banking. The separated placement of public and non-public application is an important security measure by its own.
Public applications are exposed to the whole world compared to applications with identified users or customers. Strict network separation prevents that a hacked public application would be a stepping stone to other applications.
2016/02/05, 2018/07/10 ©ACROSEC Inc.
A reverse proxy with WAF filtering capacities and centrally managed authentication/authorization services for controlling the access to web applications.
Such an access infrastructure might elsewhere also be known as WAM/WAF combination (WAM: Web Access Management) or application access gateway server.
The term Web Entry Server is mainly used in the German speaking part of Europe and signifies that it is the central entrance through which all web applications must be accessed.
2016/02/05 ©ACROSEC Inc.
