What is an application layer firewall?

An application layer firewall is a neutral term for a device or function that provides filtering capabilities on the application layer (i.e. layer 5 and 6). To do so, it must understand application specifics on the session layer and content specifics on the application layer.

An application layer firewall can be implemented as a standalone entity or as built-in functionality on the application server (e.g. as a web server plugin). This functionality is also part of next-generation firewalls, sometimes under the label of deep packet inspection.

The degree of application awareness required becomes a key issue if the application layer is complex, as is the case when securing web applications. This takes a lot of effort: not only must a large number of protocols be fully implemented, the firewall may also need to understand correct application behavior and workflows, and to account for technology differences between implementations, e.g. between web servers or browsers of different vendors.

A WAF is a special version of an application layer firewall because it would simply be too much to implement on a standard firewall or similar generic security device. However, there is a trend to enrich generic security devices with simplified WAF functionality. Nevertheless, dedicated WAF solutions would not be so popular if web application security were easy to implement and to operate.

Other reverse or forward proxies that are not HTTP-based can also be considered application layer firewalls if they provide filtering capabilities on layer 5 or 6. However, many such proxy solutions do not provide such filtering because they are used merely as connection proxies. It always makes sense to consider the filtering and connection capabilities of such proxy solutions separately.

In this sense, a networked WAF like Airlock can also be considered an HTTP router with WAF filtering capabilities.
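The difference between connection handling and application-aware filtering described above can be made concrete with a small sketch. This is an added example, not code from Airlock or any other product: `port_filter` and `inspect_request` are hypothetical names, the allowed methods are an assumed policy, and the requests are constructed samples. The port rule passes every request, while the HTTP-aware check rejects framing that different web servers are known to parse differently.

```python
# Added illustration: constructed requests, hypothetical function names.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}  # assumed policy for this example

def port_filter(dst_port: int) -> bool:
    """Connection-level rule: only the destination port is inspected."""
    return dst_port in (80, 443)

def inspect_request(raw: bytes) -> tuple[bool, str]:
    """Application-layer check of an HTTP/1.1 request head."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "incomplete header block"
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return False, "malformed request line"
    if parts[0] not in ALLOWED_METHODS:
        return False, "method not allowed"
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # Whitespace around the header name is handled differently by servers.
        if not colon or not name or name != name.strip():
            return False, "malformed header line"
        headers.setdefault(name.lower(), []).append(value.strip())
    lengths = set(headers.get("content-length", []))
    if len(lengths) > 1:
        return False, "conflicting Content-Length values"
    if any(not (v.isascii() and v.isdigit()) for v in lengths):
        return False, "non-numeric Content-Length"
    # Two ways to frame the body: implementations disagree on which one wins.
    if lengths and "transfer-encoding" in headers:
        return False, "both Content-Length and Transfer-Encoding"
    return True, "ok"

# Constructed sample requests
GOOD = b"POST /login HTTP/1.1\r\nHost: app.example\r\nContent-Length: 3\r\n\r\na=1"
AMBIGUOUS = (b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
             b"Content-Length: 3\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
BAD_METHOD = b"TRACE / HTTP/1.1\r\nHost: app.example\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("good", GOOD), ("ambiguous", AMBIGUOUS), ("bad method", BAD_METHOD)):
        print(label, port_filter(80), inspect_request(req))
```
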

2016/02/05 © ACROSEC Inc.

