ABSTRACT

When looking beyond denial of service (DoS) attacks, the Internet attack vector has clearly moved to the application layer. This shift has required vendors of commoditized “stateful packet filter”-based products to reinvent themselves with some form of application-layer product offering. The long-running and often heated debate regarding firewall technologies — stateful filtering firewall versus application proxy firewall — is finally over, with application proxies emerging as the clear winner; however, stateful firewall vendors are not simply rolling over and admitting defeat. They are pushing their filtering technologies up the Open Systems Interconnection (OSI) model into the application layer, and a new debate has quickly emerged: application-layer filtering versus application proxies. Moore’s law has eliminated the historical trade-off between speed and security; current-technology application proxy firewalls running on the new AMD 64-bit platforms are achieving proxy throughputs well above wire-speed gigabit. The focus is now shifting from speed to granularity and application support. Enterprises are continuing to expand their use of the Internet and are adopting more Internet-based applications, with HTTP/S becoming the protocol of choice for encapsulating traffic for application deployment. Traditional gateway security technologies tend to cripple the functionality of these applications, and trade-offs between functionality and security are unfortunately becoming all too common for the security community at large. The issue is not confined to HTTP; it extends to many other business applications. Most application proxies are really not as “application” aware as vendors claim they are. Most are really only protocol aware and are based solely on protocol RFC guidelines; that is, a proxy for Simple Mail Transfer Protocol (SMTP) based on RFC guidelines may do a fair job of securing Sendmail while at the same time it cripples Microsoft Exchange.
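The SMTP case in the last sentence can be made concrete with a small command filter. The following is an added example, not code from the chapter or from any firewall product: a "protocol-aware" filter that admits only the command verbs defined in the SMTP base specification, beside an "application-aware" variant that also admits the extension keywords the protected server advertises in its EHLO reply. The EHLO reply and the client session are constructed for the example; `XEXCH50` is a vendor verb that older Exchange servers advertised and is used here only to show how a strict RFC-only verb list rejects traffic the real server is prepared to accept. Function and class names are the example's own.

```python
"""Added example: protocol-aware versus application-aware SMTP verb filtering."""
import re

# Command verbs defined by the SMTP base specification (RFC 5321, section 4.1).
# A purely protocol-aware proxy permits these and nothing else.
RFC_BASE_VERBS = frozenset({
    "HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET",
    "NOOP", "QUIT", "VRFY", "EXPN", "HELP",
})

# An SMTP command line starts with a verb: letters, digits and hyphens.
VERB_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)(?:\s|$)")


def parse_ehlo_extensions(server_reply):
    """Return the extension keywords a server advertises in its EHLO reply.

    The first 250 line carries the server's domain; every following
    '250-KEYWORD ...' or '250 KEYWORD ...' line names one extension.
    """
    keywords = set()
    for line in server_reply.splitlines()[1:]:
        m = re.match(r"^250[ -](\S+)", line)
        if m:
            keywords.add(m.group(1).upper())
    return keywords


class SmtpCommandFilter:
    """Allow-list filter for client command verbs.

    With no advertised extensions this behaves like an RFC-only proxy; with
    the keywords from the real server's EHLO reply it also admits the
    vendor verbs that server is prepared to handle.
    """

    def __init__(self, advertised_extensions=None):
        self.allowed = set(RFC_BASE_VERBS)
        if advertised_extensions:
            self.allowed |= set(advertised_extensions)

    def check(self, client_line):
        """Return (permitted, verb_or_reason) for one client command line."""
        m = VERB_RE.match(client_line)
        if not m:
            return (False, "malformed command line")
        verb = m.group(1).upper()
        if verb in self.allowed:
            return (True, verb)
        return (False, f"verb {verb} not permitted")


def rejected_verbs(session_lines, cmd_filter):
    """Run a whole client session through the filter; return rejected verbs."""
    rejected = []
    for line in session_lines:
        ok, detail = cmd_filter.check(line)
        if not ok:
            rejected.append(detail.split()[1] if detail.startswith("verb ") else detail)
    return rejected


# Constructed EHLO reply from the protected server, including a vendor verb.
EHLO_REPLY = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 10485760\r\n"
    "250-STARTTLS\r\n"
    "250-XEXCH50\r\n"
    "250 HELP"
)

# Constructed client session using that vendor verb mid-transaction.
SESSION = [
    "EHLO client.example.test",
    "MAIL FROM:<alice@example.test>",
    "RCPT TO:<bob@example.test>",
    "XEXCH50 1024 2",
    "DATA",
    "QUIT",
]

if __name__ == "__main__":
    strict = SmtpCommandFilter()                                   # RFC verbs only
    aware = SmtpCommandFilter(parse_ehlo_extensions(EHLO_REPLY))   # plus server's extensions
    print("protocol-aware filter rejects:", rejected_verbs(SESSION, strict))
    print("application-aware filter rejects:", rejected_verbs(SESSION, aware))
```

The strict filter drops the `XEXCH50` command, which is exactly the "secures Sendmail, cripples Exchange" outcome described above; the application-aware filter admits it because the server itself announced support. Deriving the allow-list from the protected server's own EHLO reply, rather than from a generic RFC table, is the minimal step from protocol awareness toward application awareness, and it still leaves every verb the server never advertised blocked.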