Because a computer must keep several ports open at various times so that applications can bring data in to the user and send it out (web browsers using HTTP, the Hypertext Transfer Protocol; e-mail programs using SMTP, the Simple Mail Transfer Protocol; FTP programs using the File Transfer Protocol), a firewall that filters only on addresses and port numbers is necessarily unable to stop unwanted content arriving over the ports it has been configured to allow.
A hardware firewall is a separate device placed between the phone-line or cable modem and the computer (or the local network), so that all traffic passes through it in both directions. It can be configured so that only packets addressed to designated ports are forwarded to the computer, where the operating system hands them to whichever service is listening on that port. A port is an abstract 16-bit number carried in the TCP or UDP header, not a physical pathway; the true data path is the cable itself and the modem's jack, and the OS uses the port number only to decide which listening program receives the data. The hardware firewall's function is therefore to discard packets that come from restricted origins or are addressed to unpermitted ports before they reach the operating system's services. The net result is that only data bound for the ports the user has opened in the firewall's configuration is passed on to the OS services, and through them to the computer's resources; what that data contains is not examined.
An application layer firewall is firewall software operating at the application layer of a protocol stack. Generally it is a host that uses various forms of proxy server to relay traffic instead of routing it: the client connects to the proxy, and the proxy opens its own connection to the destination on the client's behalf. Because it works at the application layer, it can inspect the contents of the traffic and block what the firewall administrator regards as inappropriate, such as certain websites, viruses, attempts to exploit known logical flaws in client software, and so forth. An application layer firewall does not forward packets at the network layer; the data travels from the application, through the operating system, to the proxy process, which decides what goes back out.
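The contrast drawn in the three paragraphs above, as an added example (not code from the original article): a port-based filter and an application-layer inspector applied to the same constructed IPv4/TCP packets. The packet builder, the allowed-port set and the blocked-host list are assumptions made for the illustration; the point is that the port filter passes every packet addressed to port 80, while only the inspector, which parses the HTTP request, can refuse a banner server, a path-traversal attempt, or a non-HTTP stream on an HTTP port.

```python
"""Port-based packet filtering versus application-layer inspection.

Added example, not part of the original article. The packets are
constructed inline; the rules (ALLOWED_PORTS, BLOCKED_HOSTS) are assumed.
"""
import struct

ALLOWED_PORTS = {25, 80, 443}          # assumed firewall configuration
BLOCKED_HOSTS = {"ads.example"}        # assumed administrator denylist


def build_packet(src_port, dst_port, payload):
    """Construct a minimal IPv4 header (20 bytes) + TCP header (20 bytes)
    + payload. Checksums are left at zero; a real filter would verify them."""
    total_len = 40 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 5 << 4, 0x18,
                      65535, 0, 0)
    return ip + tcp + payload


def parse_packet(pkt):
    """Pull out the fields a packet filter looks at, plus the TCP payload."""
    ihl = (pkt[0] & 0x0F) * 4                 # IPv4 header length in bytes
    proto = pkt[9]
    dst_ip = ".".join(str(b) for b in pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    data_off = (pkt[ihl + 12] >> 4) * 4       # TCP header length in bytes
    return {"proto": proto, "dst_ip": dst_ip, "sport": sport,
            "dport": dport, "payload": pkt[ihl + data_off:]}


def port_filter(pkt):
    """What a hardware or packet-filtering firewall can decide: protocol and
    destination port only. The payload is never looked at."""
    p = parse_packet(pkt)
    return "ALLOW" if p["proto"] == 6 and p["dport"] in ALLOWED_PORTS else "DENY"


def app_filter(pkt):
    """What an application-layer proxy can decide on port 80: it parses the
    HTTP request before relaying it, and refuses anything it cannot parse."""
    if port_filter(pkt) == "DENY":
        return "DENY"
    p = parse_packet(pkt)
    if p["dport"] != 80:
        return "ALLOW"                        # not HTTP; nothing inspected here
    try:
        text = p["payload"].decode("ascii")
        request_line, *header_lines = text.split("\r\n")
        method, target, version = request_line.split(" ")
    except (UnicodeDecodeError, ValueError):
        return "DENY"                         # not well-formed HTTP on an HTTP port
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    if method not in {"GET", "POST", "HEAD"}:
        return "DENY"
    if headers.get("host", "").lower() in BLOCKED_HOSTS:
        return "DENY"                         # content-based policy
    if "../" in target:
        return "DENY"                         # exploit attempt against the server
    return "ALLOW"


if __name__ == "__main__":
    samples = [
        build_packet(40000, 80, b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"),
        build_packet(40001, 80, b"GET /banner.gif HTTP/1.1\r\nHost: ads.example\r\n\r\n"),
        build_packet(40002, 80, b"GET /../../boot.ini HTTP/1.0\r\n\r\n"),
        build_packet(40003, 23, b"login"),
    ]
    for pkt in samples:
        print(parse_packet(pkt)["dport"], port_filter(pkt), app_filter(pkt))
```

The banner request and the traversal request are both "ALLOW" to the port filter and "DENY" to the inspector, which is exactly the gap the first paragraph describes.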
In this context the layers are those of the host, not of the network model: the hardware resources are the bottom layer, the BIOS is the second, the operating system kernel and OS services are the third, and the application layer firewall runs as a fourth layer, at the same level as other applications such as word processors or web browsers. (In the TCP/IP model the application layer is the fourth and topmost layer; in the OSI model it is layer 7.)
Microsoft, the author of the Windows OS, has included in its latest service pack (SP2) for Windows XP a feature it calls Data Execution Prevention (DEP). Since injected data must be executed as instructions by the processor before it can do any harm, preventing its execution would seem to be the protection needed against exploit code. A processor capable of enforcing DEP (which at the time of writing, July 2005, mainly meant recent 64-bit-capable processors) can mark pages of RAM that hold only data as non-executable, a feature AMD calls NX ("No-Execute") and Intel calls XD ("Execute Disable"). Such a processor combined with SP2 therefore refuses to execute code that lives in regions of RAM intended for data only, such as the stack and the heap. Windows and other operating systems intend instruction code to run only from the code pages of a program's image. On processors without NX/XD, SP2 falls back to a much weaker "software-enforced" DEP that checks only exception-handler pointers and does not prevent execution from data pages.
DEP is a good start, but it addresses only buffer overflow exploits of the logical coding flaws we refer to as vulnerabilities. Such an exploit usually writes executable code into a data area of RAM and then overwrites the return address saved on the call stack, so that when the function returns, the processor is sent not to the next legitimate instruction but to the attacker's data, which is then run as code. Nor does DEP prevent an overflow from redirecting execution into code that is already legitimately executable (the return-into-libc technique), so it raises the bar rather than eliminating the class. Beyond that, the internet and computer arenas still hold other significant threats to data and to privacy, such as viruses, keystroke loggers, Trojan horses, spyware, adware and other forms of maliciously designed software, none of which DEP addresses.
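A practitioner-side check related to the DEP discussion above, as an added example (not code from the original article): whether a Windows executable declares itself compatible with DEP. Later Windows linkers record this in the PE optional header as IMAGE_DLLCHARACTERISTICS_NX_COMPAT (bit 0x0100, set with the /NXCOMPAT linker option); whether the operating system then actually enforces DEP for that process depends on the system's DEP policy and on NX/XD support in the processor, as the paragraphs above explain. The two images below are constructed in-memory minimal PE headers, an assumption for the illustration; to check a real file, pass its bytes to is_nx_compat.

```python
"""Read IMAGE_DLLCHARACTERISTICS_NX_COMPAT from a PE optional header.

Added example, not part of the original article. The headers are constructed
inline (DOS stub, PE signature, COFF header, optional header, no sections).
"""
import struct

IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def dll_characteristics(image):
    """Return (magic, DllCharacteristics) from a PE image, or raise ValueError.

    DllCharacteristics sits at offset 70 of the optional header in both the
    PE32 and PE32+ layouts, so one code path serves 32- and 64-bit images.
    """
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("no DOS header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    if len(image) < coff + 20:
        raise ValueError("truncated COFF header")
    _machine, _nsect, _ts, _symptr, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", image, coff)
    opt = coff + 20
    if opt_size < 72 or len(image) < opt + 72:
        raise ValueError("optional header too short")
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return magic, struct.unpack_from("<H", image, opt + 70)[0]


def is_nx_compat(image):
    """True if the image declares DEP compatibility (bit 0x0100 set)."""
    _magic, dllchars = dll_characteristics(image)
    return bool(dllchars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT)


def build_minimal_pe(magic, dllchars):
    """Construct a minimal PE header for the example (no sections, no data
    directories). e_lfanew points straight past a 64-byte DOS header."""
    opt_size = 96 if magic == PE32_MAGIC else 112
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    machine = 0x14C if magic == PE32_MAGIC else 0x8664
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dllchars)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for label, img in [("nx-compat", build_minimal_pe(PE32_MAGIC, 0x0140)),
                       ("no flag", build_minimal_pe(PE32PLUS_MAGIC, 0x0040))]:
        print(label, is_nx_compat(img))
```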
If the OS services could be given the discretion to refuse to run code that either originates from a buffer overflow in RAM or belongs to unwanted software that needs no vulnerability at all to do its damage or steal information, then perhaps the protection loophole would close, or at least close more tightly.
This is the purpose of an application firewall in this sense: to close the loophole around the OS more tightly and to make unwanted code execution much less likely. Windows users have one such product, OSsurance, developed in 2005 by OS Security, which functions much like DEP. In addition, it refuses to let the system services run executable files that the user did not deliberately add to an inventory of accepted programs when the software was installed; it refuses to load DLLs that have been substituted or altered; and it refuses to run a program that has changed in name or in content. This more comprehensive type of firewall has not yet been made available for the other major operating systems (see buffer overflow). Various other combinations, or omissions, of the components of this approach exist, with varying degrees of success: Anti-Execute, developed by Faronics, uses selected components of it, and Microsoft's DEP is another partial measure.
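The inventory-based refusal described above, as an added example (not the code of OSsurance, Anti-Execute or any other product named here): an allow-list keyed by path with a SHA-256 fingerprint of each accepted file, consulted before anything is executed or loaded. The file contents and paths are constructed byte strings, and the three refusal reasons (not inventoried, altered or substituted, known content under a new name) are this example's own rendering of the three rules the paragraph lists.

```python
"""Application allow-list: refuse anything not inventoried at install time,
anything whose content has changed, and anything that is a known program
under a different name.

Added example, not part of the original article or of any product it names.
SAMPLE_FILES is a constructed stand-in for files on disk.
"""
import hashlib

SAMPLE_FILES = {                                  # constructed, not real binaries
    "C:\\Windows\\System32\\notepad.exe": b"MZ...notepad-image",
    "C:\\Windows\\System32\\kernel32.dll": b"MZ...kernel32-image",
}


def fingerprint(data):
    """Content hash; a renamed copy keeps the same fingerprint, an altered
    or substituted file gets a different one."""
    return hashlib.sha256(data).hexdigest()


def build_inventory(files):
    """Snapshot taken once, when the user approves the set of programs.
    Paths are lower-cased because Windows paths are case-insensitive."""
    return {path.lower(): fingerprint(data) for path, data in files.items()}


INVENTORY = build_inventory(SAMPLE_FILES)


def check_execution(inventory, path, data):
    """Decide whether the system services may run/load `data` found at `path`.
    Returns (allowed, reason)."""
    key = path.lower()
    digest = fingerprint(data)
    expected = inventory.get(key)
    if expected is None:
        # Not inventoried. Distinguish a brand-new file from a known program
        # that has merely been renamed or copied elsewhere.
        known_as = [p for p, d in inventory.items() if d == digest]
        if known_as:
            return False, "refused: %s is %s under a different name" % (path, known_as[0])
        return False, "refused: %s is not in the accepted-program inventory" % path
    if digest != expected:
        return False, "refused: %s has been altered or substituted" % path
    return True, "allowed: %s" % path


if __name__ == "__main__":
    attempts = [
        ("C:\\Windows\\System32\\notepad.exe", b"MZ...notepad-image"),
        ("C:\\Windows\\System32\\kernel32.dll", b"MZ...kernel32-image-patched"),
        ("C:\\Temp\\dropper.exe", b"MZ...dropper-image"),
        ("C:\\Temp\\np.exe", b"MZ...notepad-image"),
    ]
    for path, data in attempts:
        print(check_execution(INVENTORY, path, data)[1])
```

The fingerprint check is what separates this from a plain path allow-list: a DLL replaced in place keeps its inventoried path but not its hash, so the second attempt above is refused even though the path is trusted.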
On Linux, a limited form of application filtering is also possible with iptables by matching outgoing packets on the user ID of the process that created them (the owner match, --uid-owner), so that only designated accounts may reach the network; this identifies the owning user rather than the program, so it is a per-user rather than a per-application control.