Application firewall

An application firewall (also called an application filtering firewall) limits the access that software applications have to the operating system services, and consequently to the internal hardware resources of a computer, much as a car's firewall limits the passage of heat, or even fire, to the passengers of the vehicle. Application firewalls are needed in today's internet and data-sharing world because the other types of firewall do not control the execution of data, only the flow of data to the computer's processor.

Hardware firewalls

The computer's hardware resources are essentially the processor, the RAM, and the hard disk. Virtual memory is content of RAM that is temporarily written to the hard disk in order to free the RAM chips to hold other content or to supply other data for processing. For this reason, virtual memory is open to internet attack just as the RAM is.

Since several ports of a computer need to be open at various times in order for applications to bring data in to the user and send it out from the user (applications such as internet browsers (http, hyper-text transfer protocol), e-mail programs (smtp, simple mail transfer protocol) and FTP programs (ftp, file transfer protocol)), most types of firewalls are necessarily unable to stop the flow of unwanted content via the ports that they have been configured to allow.

Hardware firewalls are connected to the computer where the phone-line modem or cable modem allows data into and out of the computer. They are external hardware. They can be configured such that only data bound for designated ports (virtual ways in and out of the computer) is routed to the OS services. A port is essentially only an abstract address, since the true data pathway is the cable itself and the modem's jack. Ports are authorizations (in the OS) of data flow to the OS. The hardware firewall's function is, therefore, to filter out data coming from restricted origins and thus keep it from reaching the operating system's services. The net result is that only data bound for ports which the user has set to be open (in the firewall's configuration) is passed on to the OS services, and thence to the computer's hardware resources.

Software firewalls

Let us now contrast software firewalls (personal firewalls). They attempt to perform the function of a hardware firewall, but as running software configured to filter out data traffic destined for restricted ports. Ideally, only the data bound for the desired ports would be passed on to the processor.

An application layer firewall is firewall software operating at the application layer of a protocol stack. Generally it is a host using various forms of proxy servers to proxy traffic instead of routing it. Because it works at the application layer, it can inspect the contents of the traffic, blocking what the firewall administrator views as inappropriate content, such as certain websites, viruses, attempts to exploit known logical flaws in client software, and so forth. An application layer firewall does not route traffic at the network layer, but between the application and the OS.

In this context, the hardware resources are the bottom layer, the BIOS is the 2nd layer, the operating system kernel and OS services are the 3rd layer, and the application layer firewall runs as a 4th layer, at the same level as other applications such as word processors or internet browsers. (This is layer 4 in the TCP/IP model; in the OSI model it would be layer 7.)

Firewall vulnerabilities

An application layer firewall is, then, a software firewall. Unfortunately, firewall applications developed for Microsoft Windows, Macintosh, or other operating systems may themselves contain the kind of logical flaws exploited by attackers. A vulnerability, or logical flaw, in the running firewall software might be exploited in the very same way that internet browser or e-mail software vulnerabilities often are. What this amounts to is that software firewalls of both descriptions, software and application layer, might be circumvented by malicious software through exploitation of the firewalls' own coding flaws. In that case, an attack written to exploit a software firewall's vulnerability could also include an attack on the internet browser and reach the browser despite the firewall, and there would normally be no protection against the attack on the browser.

Microsoft, the author of the Windows OS, has included in its latest service pack for Windows XP (SP2) a feature it calls Data Execution Prevention (DEP). Since new data must be executed as instruction code, using system services, in order to be harmful to existing data or to the virtual memory on a hard disk, preventing its execution would seem to be the protection needed against exploit code. A processor capable of enforcing DEP (as of the time of writing, July 2005, 64-bit processors only) treats the data portion of RAM as non-executable: NX (referred to as 'No-Execute' by AMD) or XD (referred to as eXecution Disable by Intel). Such a processor combined with SP2 therefore refuses to execute code originating in the area of RAM designated for data only. Windows and other operating systems intend instruction code to be run only from the instruction code area of RAM.

DEP is a good start, but it only addresses buffer overflow exploits of the logical coding flaws we refer to as vulnerabilities. Such an exploit usually writes executable code into the data area of RAM and then overwrites legitimate control data on the stack, such that when the system service returns to retrieve its next instruction, the substituted address tells the processor to look in the data area for the details -- and the details are malicious. However, there remain in the internet and computer arenas other significant threats to data and to privacy, such as viruses, keystroke loggers, Trojan horses, spyware, adware and other forms of maliciously designed code, which DEP will not address.

If the OS services could be given discretion to refuse to run code that either originates from a RAM buffer overflow, or originates from unwanted software that does not need to exploit vulnerabilities in order to do its damage or steal information, then perhaps the protection loophole would close -- or at least close more tightly.

This is the purpose of an application firewall -- to close the loophole around the OS more tightly and to make the chance of unwanted code execution extremely slim. Windows users have the benefit of one such application firewall, OSsurance, developed in 2005 by OS Security, which functions much like DEP. In addition, however, this software refuses to allow the system services to run executable files that the user did not deliberately add to an inventory of accepted programs when the software was installed; it refuses to run DLLs that have been substituted or altered; and it refuses to run a program that has changed itself in name or in content. This more comprehensive type of firewall has not yet been made available for the other major operating systems (see buffer overflow). Various other combinations, or omissions, of the components of this application firewall approach exist, with varying degrees of success. Anti-Execute, developed by Faronics, is one example of using selected components of an application firewall. DEP, by Microsoft, is another.
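The three refusals described above (program not in the inventory, program altered in content, approved program running under a different name) can be modelled with a digest-based inventory. The following is an added example, not OSsurance's code or any vendor's: it records a SHA-256 digest per approved path at install time and checks each launch against it. The file names and program images are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Digest a file in chunks so large program images are handled too."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_inventory(approved_paths):
    """Record path -> digest for every program the user approved at install time."""
    return {os.path.abspath(p): sha256_of(p) for p in approved_paths}


def check_launch(path, inventory):
    """Return 'allow', or the reason the launch is refused."""
    path = os.path.abspath(path)
    digest = sha256_of(path)
    if path in inventory:
        return "allow" if inventory[path] == digest else "refuse: content changed"
    if digest in inventory.values():
        return "refuse: approved program under a different name"
    return "refuse: not in inventory"


def demo():
    """Constructed scenario with hypothetical files in a temp dir; returns each verdict."""
    with tempfile.TemporaryDirectory() as d:
        editor = os.path.join(d, "editor.exe")
        renamed = os.path.join(d, "notepad.exe")
        unknown = os.path.join(d, "unknown.exe")
        image = b"MZ constructed program image"
        for p, data in ((editor, image), (renamed, image), (unknown, b"MZ other image")):
            with open(p, "wb") as f:
                f.write(data)
        inv = build_inventory([editor])  # only editor.exe was approved by the user
        verdicts = {
            "approved": check_launch(editor, inv),
            "renamed": check_launch(renamed, inv),   # same bytes, different name
            "unknown": check_launch(unknown, inv),   # never added to the inventory
        }
        with open(editor, "ab") as f:  # simulate the approved program altering itself
            f.write(b"\x00patched")
        verdicts["modified"] = check_launch(editor, inv)
        return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```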

The assessment of whether a user's data is safe from tampering must weigh the pros and cons of all of the following:

  1. Intrusion prevention approaches such as hardware and software firewalls (e.g. Linksys and ZoneAlarm, respectively) and application layer firewalls.
  2. Intrusion detection approaches such as selected software firewalls, application layer firewalls, antivirus and anti-spyware programs and other applications.
  3. Intrusion protection approaches such as DEP and the application firewall.

Application firewalls for Linux

This is a list of security software packages for Linux that allow filtering of application-to-OS communication, possibly on a per-user basis:

A limited form of application filtering is also possible by filtering by UID in iptables.
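The UID-based filtering mentioned above works by running each application under its own account and matching that account in the OUTPUT chain with the iptables owner module. The following is an added example, not code from the page: it builds the rule set for one UID so that only replies and the listed TCP ports are allowed and everything else that UID sends is dropped. The UID 1001 and the ports are constructed values.

```python
import subprocess


def uid_egress_rules(uid, allowed_tcp_ports):
    """Build iptables argv lists for one UID. Replies to existing connections
    and the listed TCP ports are accepted; the catch-all DROP goes last,
    because iptables evaluates the chain in order."""
    prefix = ["iptables", "-A", "OUTPUT", "-m", "owner", "--uid-owner", str(uid)]
    rules = [prefix + ["-m", "conntrack", "--ctstate", "ESTABLISHED,RELATED",
                       "-j", "ACCEPT"]]
    for port in allowed_tcp_ports:
        rules.append(prefix + ["-p", "tcp", "--dport", str(port), "-j", "ACCEPT"])
    rules.append(prefix + ["-j", "DROP"])
    return rules


def render(rules, apply=False):
    """Dry run by default: return the commands as shell lines. With apply=True
    the rules are loaded into the running kernel (needs root and the
    owner and conntrack match modules)."""
    if apply:
        for argv in rules:
            subprocess.run(argv, check=True)
    return [" ".join(argv) for argv in rules]


if __name__ == "__main__":
    # constructed policy: the account a browser runs under may only reach web ports
    for line in render(uid_egress_rules(1001, [80, 443])):
        print(line)
```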
