8.6 Application Layer Filtering

At this point in our configuration, our stateful filtering firewall is fairly robust and may already meet the requirements of our security policy. As previously noted in this chapter, however, stateful packet filters still suffer from some significant weaknesses relative to the threats they face in normal operation. Each of these threats takes advantage of the fact that a stateful packet filter still makes its filtering decisions only on the information in the network or transport layer headers. To fully protect our information, we need something that can look deeper into the packet and judge the legitimacy of the packet itself. This, of course, is the domain of the application layer firewall.

Configuring a router to operate as an application layer firewall used to be unheard of. To some extent that is still true, in that the most complex application layer filtering is still the province of dedicated hardware and software, but a surprising amount of functionality can be found on most modern routers, functionality that is advanced enough to keep up with the emerging virus, worm, and Trojan threats.

Unlike the transition from a packet filter to a stateful packet filter, adding application layer filtering is not going to significantly change our existing packet filters. Instead, application layer filtering is going to complement our stateful packet filtering.

An example of the usefulness of an application layer filter would be in the detection of a Nimda, Code Red, or Klez infection. A router, sitting at the edge of the network, would be a logical place to drop HTTP or SMTP traffic whose headers carry information specific to the worm, preventing the attacks from reaching your network altogether. Of course, this may be a poor example, as these worms can only successfully attack unpatched systems, and everyone's systems have been patched long ago. Have they not?
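As an added illustration (not code from the book), the sketch below contrasts the two decision points described above: a layer 3/4 policy that a stateful packet filter can apply, and an application layer check that complements it by parsing the reassembled payload. Addresses, payloads and the SMTP "signature" are constructed placeholders; the HTTP request-line shape is the real protocol format and `default.ida` is Code Red's widely published request target.

```python
import re
from dataclasses import dataclass

@dataclass
class Packet:
    src: str          # constructed sample values are used below
    dst: str
    dport: int
    payload: bytes    # reassembled application data for this flow

# Layer 3/4 policy: inbound TCP to the public web and mail servers (constructed addresses).
# This is the only information a stateful packet filter can base its decision on.
ALLOWED = {("192.0.2.80", 80), ("192.0.2.25", 25)}

def stateful_decision(pkt):
    return "permit" if (pkt.dst, pkt.dport) in ALLOWED else "deny"

# Application layer checks. The request-line regex follows the HTTP/1.x format; the
# "default.ida" entry is the well-known Code Red request; the SMTP entry is a
# constructed placeholder, not a real worm indicator.
HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]{3,7} \S+ HTTP/1\.[01]\r\n")
SIGNATURES = {
    80: [("code-red", re.compile(rb"^GET /default\.ida\?", re.I))],
    25: [("constructed-mailer", re.compile(rb"^Subject:.*CONSTRUCTED-WORM-SUBJECT", re.I | re.M))],
}

def application_decision(pkt):
    """Complement, not replace, the stateful decision: header policy first, then payload."""
    if stateful_decision(pkt) == "deny":
        return "deny", "l3l4-policy"
    if pkt.dport == 80 and not HTTP_REQUEST_LINE.match(pkt.payload):
        return "deny", "malformed-http"       # protocol conformance check
    for name, pattern in SIGNATURES.get(pkt.dport, []):
        if pattern.search(pkt.payload):
            return "deny", name               # payload signature match
    return "permit", None

# Constructed sample traffic: clean HTTP, a Code Red style request, non-HTTP bytes on
# port 80, a mail with the placeholder subject, and a port the L3/4 policy never allows.
SAMPLES = [
    Packet("198.51.100.7", "192.0.2.80", 80, b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
    Packet("198.51.100.8", "192.0.2.80", 80, b"GET /default.ida?NNNNNNNN HTTP/1.0\r\n\r\n"),
    Packet("198.51.100.9", "192.0.2.80", 80, b"\x00\x01\x02 not http at all"),
    Packet("198.51.100.10", "192.0.2.25", 25, b"Subject: CONSTRUCTED-WORM-SUBJECT\r\n"),
    Packet("198.51.100.11", "192.0.2.80", 23, b"GET / HTTP/1.1\r\n\r\n"),
]

def run(samples=SAMPLES):
    return [(stateful_decision(p), application_decision(p)) for p in samples]

if __name__ == "__main__":
    for p, (l4, (verdict, why)) in zip(SAMPLES, run()):
        print(f"{p.src}->{p.dst}:{p.dport} stateful={l4} appfilter={verdict} ({why})")
```

Note that the stateful filter permits the Code Red request and the non-HTTP bytes on port 80, since both arrive on an allowed port; only the application layer check can tell them from legitimate web traffic.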

Network Perimeter Security: Building Defense In-Depth
ISBN: 0849316286
Year: 2004
Pages: 119
Authors: Cliff Riggs