Unlike stateful packet-filtering firewalls, application-layer firewalls are usually aware of certain applications, for instance the Web, SQL, and e-mail. These multi-talented firewalls also prohibit direct connections from the Internet to your servers by assuming the proxy role between the applications you serve (Web, e-mail, FTP, etc.) and the rest of the wired world.
Decisions based on protocol
Enterprise networks can no longer allow or deny traffic based on protocol alone. Now that exploits through common and necessary protocols (HTTP, SMTP, etc.) have become frequent, they must employ firewalls capable of inspecting protocol data in the TCP header.
Application-layer firewalls usually act as both client and server, 'proxying' the data between internal and external hosts, and can make protocol-based decisions, such as blocking HTTP attacks that send non-ASCII data in the header fields. It is the role of the application-layer firewall to drop messages with these simple exploits because the packets violate the protocol.
One essential use of the application firewall concerns Web, e-mail, and SQL servers, which are high profile targets for application exploits. The firewall makes decisions at the application level before the server sees the malformed command.
The firewall inspects and passes normal SMTP commands but brings spammers to a halt when they try to verify and enumerate your e-mail accounts with commands such as VRFY and EXPN. Additionally, Web application filtering on some of the best application-layer devices (FireWall-1 NG from Check Point, Symantec Enterprise Firewall from Symantec, and ISA from Microsoft) easily blocks the latest URL string patterns and Unicode expressions, which is a nice defense against those nasty directory traversal attacks that seem to pop up every other month.
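The protocol-level decisions described above (dropping HTTP requests with non-ASCII header data, blocking encoded directory-traversal URLs, and refusing SMTP enumeration commands) can be sketched as follows. This is an added example, not code from any of the products named; the function names are hypothetical and the sample messages are constructed.

```python
import re
from urllib.parse import unquote_to_bytes

# Bytes that only occur in overlong (invalid) UTF-8, e.g. %c0%af for "/"
OVERLONG = re.compile(rb"[\xc0\xc1]|\xe0[\x80-\x9f]")
BLOCKED_SMTP = {"VRFY", "EXPN"}  # account verification / list expansion


def decode_path(raw: bytes, rounds: int = 3) -> bytes:
    """Percent-decode repeatedly so double-encoded input (%252e) is normalised."""
    for _ in range(rounds):
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw


def inspect_http(request: bytes) -> str:
    """Return 'pass' or 'drop: <reason>' for one raw HTTP request head."""
    head = request.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return "drop: malformed request line"
    for line in lines[1:]:
        # Header fields must be printable ASCII (tab allowed) to pass
        if any(b > 0x7E or (b < 0x20 and b != 0x09) for b in line):
            return "drop: non-ASCII or control byte in header field"
    path = decode_path(parts[1].split(b"?", 1)[0])
    if OVERLONG.search(path):
        return "drop: overlong UTF-8 in URL"
    segments = path.replace(b"\\", b"/").split(b"/")
    if b".." in segments:
        return "drop: directory traversal in URL"
    return "pass"


def inspect_smtp(line: bytes) -> str:
    """Pass ordinary SMTP commands; refuse the enumeration verbs."""
    verb = line.strip().split(b" ", 1)[0].decode("ascii", "replace").upper()
    return "drop: enumeration command" if verb in BLOCKED_SMTP else "pass"


if __name__ == "__main__":
    # Constructed sample messages, not captured traffic
    print(inspect_http(b"GET /a/%252e%252e/etc HTTP/1.1\r\nHost: example.test\r\n\r\n"))
    print(inspect_smtp(b"VRFY postmaster\r\n"))
```

Because the proxy terminates the client connection, a "drop" result means the request is never relayed to the internal server.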
Various firewall products secure different aspects of a network. Application-layer firewalls give you the benefit of stateful packet inspection, while 'proxying' and inspecting data to the most common and heavily used services.
Although application-layer firewalls consume more resources than a stateful-packet firewall and might impact network throughput, don't let those drawbacks steer you away from them. These firewalls are invaluable security devices, despite their horsepower requirements and effects on network performance. After all, security and network performance have always been inversely proportional.