
I'm studying for the CCSP and my training material isn't very clear on the definition between "application-aware firewall" and "web application firewall".

The training material states:

Early on, these devices were limited to simply port blocking with no ability to see inside the packets traversing the interface. Then stateful packet inspection came into the picture, which allowed firewalls to prevent inbound traffic from entering unless the connection had been initiated from inside the network.

Today's application-aware firewalls are far superior to their predecessors of even a few years ago. However, the battle rages on with attackers and their wily ways, which leads us to the web application firewall (WAF).

The material then goes on to talk about how WAFs function (at layer 7 of the OSI model) but there's no more information about "application-aware firewalls".

What's the difference here? Is an "application-aware" firewall the same thing as a software firewall installed on the user workstation?

Mike B

1 Answer


An application-aware firewall understands not only ports, but that specific applications listen to specific ports. They are indeed host based (installed on a user workstation or a server) and prevent malware from listening on a port that would normally be used by a legitimate application.

For instance, you might open port 80 on a traditional firewall because you have IIS running, and want to allow web traffic. If malware were to kill IIS and start listening on port 80 instead, the traditional network firewall is going to happily deliver traffic to it, because all it knows is that it has a rule saying that it should allow traffic specified for port 80.

An application-aware firewall, on the other hand, has a rule allowing traffic to IIS specifically, and if malware shuts it down, then the firewall will start blocking traffic to the ports that IIS listened on, and in the absence of additional rules allowing that traffic, the malware is effectively blocked by default.

The inbound example is real, but slightly contrived. Where this becomes particularly useful is in situations where you have a very locked down host and a limited set of applications that need to be allowed to communicate outbound. You now no longer need to allow outbound traffic via open ports through the firewall at all, but can simply set application specific rules allowing only the set of applications that need to communicate outbound to do so. Done correctly, this can severely restrict the ability of malware then to communicate with command & control infrastructure, to exfiltrate data, or to be used for further lateral movement in a network.

A web application firewall, on the other hand, is application-aware in a different sense, in that while it is still just a network based firewall, it has a specific understanding of what HTTP traffic looks like, and can inspect the traffic and apply rules to identify and stop potentially malicious traffic before it gets to the HTTP application. So, it doesn't care if the web server application is IIS, Apache, or malware for that matter, but if it sees an inbound request that contains a common SQL injection pattern, for instance, it can refuse to forward the request on to the web server, protecting it from attacks that it may not be designed to protect itself from.

Xander
  • Sorry - I'm still a little confused... Is there a typo and you meant to reference "web application firewall" somewhere in your answer? – Mike B Apr 18 '18 at 17:48
  • @MikeB Nope, got carried away answering the last sentence of your question, and forgot about it. I'll add to it to cover a web application firewall. – Xander Apr 18 '18 at 18:17
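The two decision models that the answer above contrasts, as an added Python example (this is not part of the question or of Xander's answer). Part 1 models a traditional port rule beside a program-aware host-firewall rule, showing why a replacement listener on port 80, or an unapproved outbound process, is denied by the program-aware rule but not by the port rule. Part 2 is a minimal WAF-style inspector that decodes the query string and body of an HTTP request and checks the decoded values against a short list of SQL-injection indicators, including a double-encoded payload. The rule tables, executable paths, regular expressions and sample requests are all constructed for illustration; the IIS worker-process path and the backup-agent path are assumptions.

```python
"""Two firewall decision models side by side (constructed teaching example).

Part 1 contrasts a port-only rule with a program-aware host-firewall rule.
Part 2 is a minimal WAF-style inspector that looks inside an HTTP request
rather than at the port it arrives on.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# ---- Part 1: port rule versus program-aware rule -------------------------

# Constructed rule tables. A traditional firewall knows only (direction, port);
# a program-aware host firewall binds each rule to the executable that owns
# the socket. Both paths below are illustrative assumptions.
PORT_RULES = {("in", 80), ("out", 443)}
PROGRAM_RULES = {
    ("in", 80, r"C:\Windows\System32\inetsrv\w3wp.exe"),      # IIS worker process
    ("out", 443, r"C:\Program Files\BackupAgent\agent.exe"),  # hypothetical allowed outbound app
}

def port_only_decision(direction, port, program):
    """Traditional firewall: allow if the port is open, whoever is behind it."""
    return (direction, port) in PORT_RULES

def program_aware_decision(direction, port, program):
    """Program-aware host firewall: the executable must be named in a rule for
    that port and direction, so a replacement listener is denied by default."""
    return (direction, port, program) in PROGRAM_RULES

# ---- Part 2: WAF-style inspection of HTTP requests -----------------------

# A short, constructed list of SQL-injection indicators. Real WAF rule sets
# are far larger and are maintained as data rather than hard-coded.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+'?\w+'?\s*=\s*'?\w+'?", re.I),  # ' OR '1'='1
    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),           # UNION SELECT
    re.compile(r";\s*(drop|delete|insert|update)\s", re.I),     # stacked statement
]

def inspect_request(method, target, body=""):
    """Return ("ALLOW", reason) or ("BLOCK", reason) for one HTTP request.

    Each parameter is URL-decoded a second time after parsing so that a
    double-encoded payload (%2527 -> %27 -> ') is examined in its final
    form, which is the form the back-end application would see.
    """
    parts = urlsplit(target)
    fields = [("path", unquote(parts.path))]
    fields += [(f"query:{k}", v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    if method.upper() == "POST" and body:
        fields += [(f"body:{k}", v) for k, v in parse_qsl(body, keep_blank_values=True)]
    for location, value in fields:
        decoded = unquote(value)  # second decode; parse_qsl already did the first
        for pattern in SQLI_PATTERNS:
            if pattern.search(decoded):
                return ("BLOCK", f"{location} matched /{pattern.pattern}/")
    return ("ALLOW", "no rule matched")

if __name__ == "__main__":
    iis = r"C:\Windows\System32\inetsrv\w3wp.exe"
    malware = r"C:\Users\Public\evil.exe"  # constructed path of an unapproved listener
    print("port-only, malware on 80:    ", port_only_decision("in", 80, malware))
    print("program-aware, malware on 80:", program_aware_decision("in", 80, malware))
    print("program-aware, IIS on 80:    ", program_aware_decision("in", 80, iis))
    print("program-aware, malware out:  ", program_aware_decision("out", 443, malware))
    # Constructed requests: a benign lookup, an encoded injection, a
    # double-encoded injection, and a POST body carrying UNION SELECT.
    for req in [("GET", "/products?id=42"),
                ("GET", "/products?id=1%27%20OR%20%271%27%3D%271"),
                ("GET", "/products?id=1%2527%2520OR%25201%253D1"),
                ("POST", "/login", "user=x%27%20UNION%20SELECT%20pw%20FROM%20users--&pw=a")]:
        print(req[0], req[1], "->", inspect_request(*req))
```

The inspector never looks at which program answers on the port, which is the point of the answer's last paragraph: it protects IIS, Apache or anything else behind it equally, while the program-aware rule in Part 1 protects the host regardless of what the traffic contains. The three patterns are deliberately few and will both miss variants and flag some legitimate input containing quotes and keywords; a production WAF normalizes many more encodings and tunes its rules per application.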