An application firewall is a form of firewall that controls input, output and access from, to or by an application or service. It operates by monitoring, and potentially blocking, the input, output or system service calls that do not meet the firewall's configured policy. An application firewall is typically built to control all network traffic on any OSI layer up to the application layer. It can control applications or services specifically, unlike a stateful network firewall, which without additional software is unable to control network traffic belonging to a specific application.
There are two primary categories of application firewall:
- Network-based application firewalls
- Host-based application firewalls
Network-Based Application Firewalls
A network-based application-layer firewall is a computer networking firewall operating at the application layer of a protocol stack; it is also known as a proxy-based or reverse-proxy firewall. An application firewall specific to a particular kind of network traffic may be named after the service, such as a web application firewall (WAF).
They may be implemented as software running on a host or as a stand-alone piece of network hardware. Often it is a host using various forms of proxy servers to proxy traffic before passing it on to the client or server. Because it acts at the application layer, it may inspect the contents of traffic and block specified content, such as certain websites, viruses, or attempts to exploit known logical flaws in client software.
Modern application firewalls may also offload encryption (TLS termination) from servers, block application input/output from detected intrusions or malformed communication, manage or consolidate authentication, or block content that violates policies.
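The inspection a reverse-proxy firewall performs on an HTTP request before forwarding it, as an added example that is not code from the original page or from any proxy or WAF product. The policy (allowed methods, a hypothetical blocked host, a body-size limit, three attack signatures), the percent-decoding normalization step and the sample requests are all assumptions constructed for the example.

```python
"""Application-layer inspection of HTTP requests, as a reverse-proxy firewall
performs it before forwarding to the origin server.

This is an added illustration, not code from any real proxy or WAF product.
The policy (allowed methods, blocked hosts, size limit, attack signatures) and
the sample requests are constructed for the example."""
import re
from urllib.parse import unquote

# Constructed policy a network-based application firewall might be configured with.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
BLOCKED_HOSTS = {"blocked.example"}      # hypothetical blocklisted site
MAX_BODY_BYTES = 4096
# Hypothetical signatures for attempts to exploit known logical flaws.
SIGNATURES = [
    ("path-traversal", re.compile(r"(^|/)\.\.(/|$)")),
    ("script-injection", re.compile(r"<\s*script", re.IGNORECASE)),
    ("sql-tautology", re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.IGNORECASE)),
]


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def normalize(text: str) -> str:
    """Percent-decode twice so doubly encoded payloads (%252e) are matched too."""
    return unquote(unquote(text))


def inspect(raw: bytes):
    """Return (allowed, reason); a block decision names the rule that fired."""
    try:
        method, target, headers, body = parse_request(raw)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not allowed"
    host = headers.get("host", "").split(":")[0].lower()
    if host in BLOCKED_HOSTS:
        return False, f"host {host} is blocked"
    if len(body) > MAX_BODY_BYTES:
        return False, f"body of {len(body)} bytes exceeds limit"
    declared = headers.get("content-length")
    if declared is not None and declared != str(len(body)):
        return False, "content-length does not match body"
    # Content inspection runs on the normalized request target and body.
    for label, pattern in SIGNATURES:
        for field in (normalize(target), normalize(body.decode("latin-1"))):
            if pattern.search(field):
                return False, f"signature {label} matched"
    return True, "ok"


def build_request(method, target, host, body=b""):
    """Assemble a constructed raw request with a correct Content-Length."""
    head = f"{method} {target} HTTP/1.1\r\nHost: {host}\r\n"
    if body:
        head += f"Content-Length: {len(body)}\r\n"
    return head.encode("latin-1") + b"\r\n" + body


if __name__ == "__main__":
    samples = [
        build_request("GET", "/index.html", "app.example"),
        build_request("GET", "/static/%252e%252e/%252e%252e/etc/passwd", "app.example"),
        build_request("POST", "/login", "app.example",
                      b"user=admin%27%20OR%20%271%27%3D%271"),
        build_request("DELETE", "/users/1", "app.example"),
        build_request("GET", "/", "blocked.example"),
    ]
    for raw in samples:
        print(inspect(raw))
```

The normalization step is the part practitioners most often get wrong: a signature that is matched against the raw request target misses `%2e%2e/` and `%252e%252e/`, so the proxy must decode to the same form the origin server will see before it inspects content. The malformed-request and Content-Length checks are the "malformed communication" category mentioned above: a proxy that cannot parse a request unambiguously should refuse it rather than guess.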
Host-Based Application Firewalls
A host-based application firewall can monitor any application input, output and system service calls made from, to or by an application. This is done by examining information passed through system calls instead of, or in addition to, a network stack. A host-based application firewall can only provide protection to the applications running on the same host.
Application firewalls function by determining whether a process should accept any given connection. They accomplish this by hooking into socket calls to filter the connections between the application layer and the lower layers of the OSI model. Application firewalls that hook into sockets are also referred to as socket filters.
Application firewalls work much like a packet filter, but they apply filtering rules (allow/block) on a per-process basis instead of filtering connections on a per-port basis. Generally, prompts are used to define rules for processes that have not yet received a connection. It is rare to find application firewalls that are not combined with, or used in conjunction with, a packet filter.
Application firewalls further filter connections by checking the process ID associated with data packets against a ruleset for the local process involved in the data transmission. The extent of the filtering that occurs is defined by the provided ruleset. Given the variety of software that exists, application firewall rulesets, however complex, have limited efficacy in filtering every possible association that may occur with other processes.
These per-process rulesets cannot defend against modification of the process via exploitation, such as memory-corruption exploits: a compromised process still carries the identity its rules trust. Because of these limitations, application firewalls are beginning to be supplanted by a new generation of application firewalls that rely on mandatory access control (MAC), also referred to as sandboxing, to protect vulnerable services.
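The per-process decision logic described in the preceding paragraphs, as an added example that is not code from the original page or from any firewall product or operating system. A real socket filter hooks connect() and accept() inside the kernel; here each hooked call is represented by a constructed ConnectionEvent record, and the process paths, rules and events are assumptions made for the example. The same events are also run through a port-only ruleset to show what a packet filter can and cannot distinguish.

```python
"""Per-process connection filtering as a host-based application firewall
(socket filter) performs it.

This is an added illustration, not code from any firewall product or OS. A
real socket filter hooks connect()/accept() in the kernel; here each hooked
call is represented by a ConnectionEvent record. The process paths, rules and
events are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class ConnectionEvent:
    pid: int           # process ID the socket call was made from
    exe: str           # image path of that process, looked up from the PID
    direction: str     # "out" for connect(), "in" for accept()
    remote_ip: str
    remote_port: int


@dataclass(frozen=True)
class Rule:
    exe: Optional[str]        # None = any process (a plain per-port packet-filter rule)
    direction: Optional[str]  # None = either direction
    network: Optional[str]    # CIDR, None = any address
    port: Optional[int]       # None = any port
    action: str               # "allow" or "block"

    def matches(self, ev: ConnectionEvent) -> bool:
        return (
            (self.exe is None or self.exe == ev.exe)
            and (self.direction is None or self.direction == ev.direction)
            and (self.network is None
                 or ip_address(ev.remote_ip) in ip_network(self.network))
            and (self.port is None or self.port == ev.remote_port)
        )


# Constructed per-process ruleset, evaluated first-match.
APP_RULES: List[Rule] = [
    Rule("/usr/bin/curl", "out", None, 443, "allow"),
    Rule("/usr/bin/curl", "out", None, None, "block"),
    Rule("/usr/sbin/sshd", "in", "10.0.0.0/8", 22, "allow"),
    Rule("/usr/sbin/sshd", "in", None, 22, "block"),
]

# The closest policy a per-port packet filter can express: no process identity.
PORT_RULES: List[Rule] = [
    Rule(None, "out", None, 443, "allow"),
    Rule(None, "in", "10.0.0.0/8", 22, "allow"),
    Rule(None, None, None, None, "block"),
]


def decide(ev: ConnectionEvent, rules: List[Rule]) -> str:
    """Return 'allow', 'block', or 'prompt' (no rule exists for this process yet)."""
    for rule in rules:
        if rule.matches(ev):
            return rule.action
    known = {r.exe for r in rules if r.exe is not None}
    if ev.exe not in known:
        return "prompt"    # ask the user; record_answer() turns the answer into a rule
    return "block"         # known process but no matching rule: default deny


def record_answer(ev: ConnectionEvent, action: str, rules: List[Rule]) -> Rule:
    """Persist the user's answer to a prompt as a rule for that process and port."""
    rule = Rule(ev.exe, ev.direction, None, ev.remote_port, action)
    rules.append(rule)
    return rule


if __name__ == "__main__":
    events = [
        ConnectionEvent(4120, "/usr/bin/curl", "out", "93.184.216.34", 443),
        ConnectionEvent(4120, "/usr/bin/curl", "out", "93.184.216.34", 80),
        ConnectionEvent(811, "/usr/sbin/sshd", "in", "10.1.2.3", 22),
        ConnectionEvent(811, "/usr/sbin/sshd", "in", "203.0.113.5", 22),
        ConnectionEvent(5310, "/tmp/dropper", "out", "203.0.113.5", 443),
    ]
    for ev in events:
        print(ev.exe, ev.direction, ev.remote_ip, ev.remote_port,
              "app:", decide(ev, APP_RULES), "port-filter:", decide(ev, PORT_RULES))
```

The last event is the one that separates the two designs: an unknown program connecting out to port 443 is indistinguishable from curl to the port-based ruleset and is allowed, while the per-process ruleset has no rule for it and prompts. The limitation stated above is visible in the same code: the decision keys on the image path recovered from the PID, so if curl itself is hijacked by a memory-corruption exploit, its outbound connections to port 443 still arrive as /usr/bin/curl and are still allowed, which is what MAC-based confinement of the process is meant to address.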
You may also want to learn about Database Firewall.