Where Application Firewalls Fit in a Network


The closer you come to the resource that needs to be protected, the more intelligent and specific you can get in filtering traffic directed at that resource. Because application firewalls enable you to perform deep packet inspection and filter based on the raw application data, they are best suited for implementation close to the resources they protect. There are a couple of reasons for this.

First, many application firewalls cannot filter traffic for which a proxy does not exist. As a result, if an application firewall receives traffic that it cannot proxy, it is forced to drop the traffic. The closer the application firewall is implemented to the resources being protected, the less likely it is to have to deal with traffic other than traffic that is actually destined for the protected resource.

Second, because application firewalls typically perform a more detailed inspection of the data, they perform worse than a comparable stateful packet-filtering firewall. By placing the firewall closest to the resources being protected, you reduce the volume of extraneous traffic that the firewall must filter, thus preventing the firewall from becoming a performance bottleneck.

Application firewalls are most commonly implemented in a dual-firewall architecture as the interior firewall. This setup allows the firewall to perform the most in-depth inspection of the traffic that is actually destined for your internal network.




Firewall Fundamentals
ISBN: 1587052210
EAN: 2147483647
Year: 2006
Pages: 147
