Security Basics mailing list archives

Re: Application Firewall

From: Adriel Desautels <adriel () netragard com>
Date: Fri, 18 Jul 2008 11:50:04 -0400

Honestly,

Apache with mod_security setup as a reverse proxy is quite good. I'veused that particular configuration in many instances and I have nocomplaints what so ever. You can build it yourself, or you can get anappliance from the ModSecurity folks. I HIGHLY recommend this solution.


http://www.modsecurity.org/


Regards,
        Adriel T. Desautels
        Chief Technology Officer
        Netragard, LLC.
        Office : 617-934-0269
        Mobile : 617-633-3821
        http://www.linkedin.com/pub/1/118/a45

        Join the Netragard, LLC. Linked In Group:
        http://www.linkedin.com/e/gis/48683/0B98E1705142

---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com  -  "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security

Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know  : http://tinyurl.com/26pjsn


Bryan S. Sampsel wrote:

Sidewinder from Secure Computing is an excellent application-proxy firewall.

So is Borderware.

IPCOP has aspects that qualify.

No, the ASA is a packet filter only firewall.  It's quite good at what it
does, but it does not handle the application layer.  And no, deep packet
inspection does not qualify.

O'Reilly made an awesome firewall book that you should read.  It's a
little dated, but the concepts are solid: Building Internet Firewalls.

For most of 'em, you'll need some coin.  Neither Sidewinder nor Borderware
come cheap.  IPCOP is ok for a SOHO setup, perhaps as many as 25
users...not sure beyond that.  But it's not engineered to be an enterprise
solution...though I'm sure someone has created a flavor of it that is.

Application proxy firewalls do give you some additional protection over
straight packet filter firewalls.  If you're talking a massive enterprise,
it takes more hardware to drive it as well, as there is some footprint
increase because of the proxies themselves.  However, when a user goes out
through a proxy, a hardened IP stack protects them, as no direct
connections are made between client and remote end.  With a packet filter,
the client talks directly to the remote end.

Hope that helps a bit.

Sincerely,

Bryan S. Sampsel
LibertyActivist.org


ams.sec () gmail com wrote:

Hi everyone,

Can anyone please list out some name of application level firewalls. Would
Cisco ASA qualify as a application firewall? I have heard it needs certain
addons to provide application screening functionality. Thanks a zillion.

Ams

Current thread:

Application Firewall ams . sec (Jul 18)
- Re: Application Firewall ॐ aditya mukadam ॐ (Jul 18)
  - Re: Application Firewall Bryan S. Sampsel (Jul 21)
    - Re: Application Firewall ॐ aditya mukadam ॐ (Jul 22)
  - Re: Application Firewall Sanjay R (Jul 31)
- Re: Application Firewall Adriel Desautels (Jul 18)
  - Re: Application Firewall Ivan . (Jul 21)
- Re: Application Firewall Bryan S. Sampsel (Jul 18)
  - Re: Application Firewall Adriel Desautels (Jul 21)
    - Re: Application Firewall Paul Wong (Jul 27)
- <Possible follow-ups>
- Re: Application Firewall Kyu Kwak (Jul 21)
  - RE: Application Firewall Roni Bachar (Jul 30)
- Re: Re: Application Firewall antman84ca (Jul 21)
- Re: RE: Application Firewall anonymous (Jul 31)