WebApp Sec mailing list archives

RE: web application security products (AKA application firewalls)


From: "Lars Troen" <Lars.Troen () proxycom no>
Date: Sun, 24 Nov 2002 21:00:25 +0100


Application firewalls are normally considered more secure than packet filtering/stateful inspection based firewalls. 
This is because they know each protocol that they carry traffic for in detail. This also makes the configuration 
options for each protocol available at a detailed level. You can set options that restrict a user to only read files through 
CIFS (SMB/NetBIOS), or other protocols.

OTOH such firewalls are harder to get things to work through, because you only have support for a number of 
applications. So most application firewalls now also have support for stateful inspection. But beware that there are two 
definitions on this topic. The definition Checkpoint has of stateful inspection does to some extent support some things 
that an application proxy provides, because you can check every aspect of a packet in a session and you can change things in 
the packet if you want. But this (INSPECT language) is not very well documented and you have to write routines for 
"your" protocols yourself. And by default there are no options to limit accesses through such (pre-defined inspect 
protocols) protocols (from the GUI) unless using the security servers (app proxies). Other firewalls often use "stateful 
inspection" for IP tables functionality, keeping state of each session in a table instead of using SYN/ACK flags like 
old packet filters did.

Modern application proxies usually have support for IP tables in addition to their application proxies, so you are not as 
lost with an application proxy as you were a few years ago. 

Products that I have used here are Checkpoint Firewall-1/PIX (these are basically stateful inspection, but have limited 
support for application proxies) and Symantec (Raptor) Enterprise Firewall/MS Proxy (ISA) (these also provide 
stateful inspection if you need it).

Or are you thinking of tools that protect a service, like SecureIIS from eEye? Or an integrated IDS/firewall tool like 
Hogwash/Inline Snort or BlackICE Defender?

Lars

-----Original Message-----
From: Shimon Silberschlag [mailto:shimons () bll co il]
Sent: Wednesday, November 20, 2002 09:21
To: webappsec () securityfocus com
Subject: web application security products (AKA application firewalls)


What is the group's experience with these types of devices? Any good, bad
or horror stories about using/maintaining them? Any specific
recommendations?

I know the charter doesn't really cater for discussion of commercial
tools, so please keep answers generic and objective.

Shimon Silberschlag

+972-3-9352785
+972-51-207130
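The reply above contrasts two things that both get called "stateful inspection": keeping a table of sessions opened from the inside, versus the old packet-filter habit of trusting TCP flags (an inbound packet with ACK set is assumed to belong to an existing connection). The following added example, which is not part of the original thread and not taken from any of the products named in it, models both approaches in Python over a few constructed packets. The `Packet` class, the `10.0.0.0/24` inside network and the traffic names are all assumptions made for the illustration; the point it shows is that only the table-based filter rejects an unsolicited inbound ACK for which no inside host ever sent a SYN.

```python
"""Stateless (flag-based) vs stateful (connection-table) filtering.

Added example for the thread on application firewalls; the packet model,
addresses and verdict strings are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal TCP packet model: 4-tuple plus the set of TCP flags."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset


# Assumed trusted network for this example.
INSIDE_PREFIX = "10.0.0."


def is_inbound(pkt: Packet) -> bool:
    """A packet is inbound when its source is not on the inside network."""
    return not pkt.src.startswith(INSIDE_PREFIX)


def stateless_filter(pkt: Packet) -> str:
    """Old-style packet filter.

    Outbound traffic is allowed. Inbound traffic is allowed only when the
    ACK flag is set, on the assumption that an ACK can only belong to a
    connection an inside host opened. The filter keeps no memory, so that
    assumption is never actually checked.
    """
    if not is_inbound(pkt):
        return "ACCEPT"
    return "ACCEPT" if "ACK" in pkt.flags else "DROP"


class StatefulFilter:
    """Session-table filter, the second sense of 'stateful inspection'.

    Connections opened from the inside are recorded; an inbound packet is
    accepted only if it is the reverse direction of a recorded session.
    """

    def __init__(self) -> None:
        # Entries are (src, sport, dst, dport) as seen on the outbound SYN.
        self.table: set = set()

    def decide(self, pkt: Packet) -> str:
        if not is_inbound(pkt):
            # Outbound SYN opens a new session in the table.
            if pkt.flags == {"SYN"}:
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        # Inbound: look the packet up as the reply direction of a session.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.table:
            if "FIN" in pkt.flags or "RST" in pkt.flags:
                # Session teardown: forget the entry.
                self.table.discard(key)
            return "ACCEPT"
        # No inside host opened this session: drop regardless of flags.
        return "DROP"


def run_scenario() -> dict:
    """Run constructed traffic through both filters.

    Returns {name: (stateless_verdict, stateful_verdict)} so the two
    policies can be compared packet by packet.
    """
    outside, inside = "203.0.113.10", "10.0.0.5"  # constructed addresses
    packets = {
        # Legitimate session: inside client opens a connection to port 80.
        "outbound_syn": Packet(inside, 40000, outside, 80, frozenset({"SYN"})),
        "inbound_synack": Packet(outside, 80, inside, 40000, frozenset({"SYN", "ACK"})),
        # Unsolicited inbound packets with no matching outbound SYN.
        "unsolicited_ack": Packet(outside, 1234, inside, 22, frozenset({"ACK"})),
        "unsolicited_syn": Packet(outside, 1234, inside, 22, frozenset({"SYN"})),
    }
    stateful = StatefulFilter()
    # Dict order is insertion order, so the session table fills before the
    # reply and the unsolicited packets are evaluated.
    return {name: (stateless_filter(p), stateful.decide(p)) for name, p in packets.items()}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:16} stateless={stateless:6} stateful={stateful}")
```

Both filters agree on the legitimate session and on the bare inbound SYN; they differ only on the unsolicited ACK, which the flag-based filter lets through and the table-based filter drops. That gap is exactly why the reply says modern products keep per-session state rather than relying on SYN/ACK flags.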



