The Difference Between Application and Session Layer Firewalls
In today's application centric interconnected environments, the next generation of firewalls (application layer firewalls) are required to reduce the attack surface area.
The story so far, in a time long ago man first used trees and logs to protect their livestock within their village, many potential threats like lions and other external tribesmen were deterred, but not stopped. As technology improved the nomads become farmers and fences were developed that were made out of stone, these fences were not only superior to the wooden logs but were harder to circumvent. Eventually entire villages were at the centre of the fortress, the high fortress walls were able to keep the livestock and population safe.
In the beginning
The same is true for firewalls; in the beginning only routers with access lists were available because that is all that was required. Managing a network using only access control lists and some basic filtering was more than enough protection for deterring unauthorised users. This was the case because routers were at the heart of every network and more specifically these devices were used to route traffic to and from WAN connections like branch offices and the Internet.
The fact is, very little has changed with regards to routers other than some slight modifications to the way they filter traffic and the organisations that manufacture these devices have focused on increasing security up to the layer that these devices are capable of performing at. What am I saying? A fence built out of logs will always be a fence made of wood, not as good as stone.
Session layer firewalls are also known as Circuit level firewalls or circuit gateways. These session layer firewalls have the following features; they operate at the TCP layer of the OSI model. Typically these firewalls use NAT (Network Address Translation) to protect the internal network and these gateways have little or no connection to the application layer, thus cannot filter more complicated connections. These firewalls are only able to protect traffic on a basic rule base like source destination port.
As technology has developed, the need to govern access to the outbound networks was required. Users were able to browse the internet and take advantage of the log-built fence weakness because they could bypass the fence by just pretending to be sheep when in fact they were wolves in sheep's clothing.
This meant that the user could easily bypass the Layer 5 device's security by telneting to a port that was open outbound but was not a telnet port (from port 23 telnet to port 80). The Router with access lists would allow the user to connect to the port although the port was not the telnet port but was a port for another service. This meant that the router was not inspecting the packet (sheep) as it passed through the fence. The router was only doing a simple inspection, if it looks like a sheep and is leaving the barn to go out into the field then I will let it through. So the wolves could easily roam amongst the sheep. This technology was implemented in both directions and in the 90s was the state of most firewalls.
In the late 90s mainstream proxy servers came on the scene that incorporated basic firewalling technology. These "proxy firewalls" were able to intercept the traffic between the source and the destination, subject and object and because the "proxy firewall" is in the middle it has the ability to inspect the packets against predefined rule sets that have more restrictive components.
More about the technology
Session layer firewalls operate at Layer 5 of the OSI model. Previously this would be enough protection for a network in the 90s but as attacks developed into application level attacks and as the growth of the internet and sophistication of hosted code has developed, session layer firewalls are no longer adequate. The result is that a firewall without an application layer protection mechanism will result in any misconfiguration and operating system vulnerability being directly exposed to the Internet by virtue of the fact that all the session layer firewall is able to provide is a routing table and access control list as a basic level of protection.
Small advances in session layer firewalls enable the firewall to inspect traffic at a deeper level for common protocols, but these measures are easily bypassed with tools like metasploit and backtrack. In today's online environment the only option is to install an application layer firewall that does more than ACL and source destination port. Deeper packet inspection, stateful connection management and application layer filtering is a vital component that is necessary when interacting with modern applications. For this reason organisations that are serious about security would not consider session layer firewalls (routers with access lists) over application layer firewalls.
Third generation firewalls are known as an Application layer firewall or proxy firewall, this firewall has the capability to proxy in both directions thus protecting both the subject and the object from ever coming into direct contact with each other. The proxy mediates the connection and thus is able to filter and manage the access and content to and from the object or subject. This can be enabled in various ways with integration into already existing directories, like LDAP for user and user group access.
The application layer firewall is also able to emulate the server that it is exposing to the internet so that the visiting user experiences a faster more secured connection. The fact is that when the user visits the published server the user is actually visiting the Layer 7 firewall's published port and the request is inspected and then parsed through the rule base for processing. Once this passes the rule base and it matches the respective rule it is then passed on to the server, but the difference is that this connection can be served out of perfected cache thus improving performance and the security of the connection.
The above diagram depicts the OSI model, Layer 5 is the Session layer, and Layer 7 is the Application layer. The layer above the application layer is referred to as Layer 8 and this is typically the layer that houses the Users and Policies.
Put simply, the OSI model is a layered model of network architecture. This model governs how two systems that are interconnected communicate.
The top layer (application layer) is typically the layer at which the "proxy based firewalls" operate at. Application layer firewalls are third generation firewalls, these firewalls scan down to the layers below. When compared to a session layer or circuit layer firewall the application layer firewall incorporates the features of the session layer firewall and other more improved features like reverse proxy for secure website publishing.
For more detail please click here
In the future
Today attacks are already so advanced that most session layer firewalls do not even stop the most basic application attacks. For this reason older Layer 5 based firewalls need to be complimented or replaced with more secure "application layer firewalls" For this reason PCI DSS only allows these types of firewalls to be in place when protecting credit card information.
No matter how much we hang on to our old habits and old technology, newer improved methods of firewalling are here. The Internet is attempting to collapse into port 80 and 443 and security professionals are being challenged with the management of the users that learn how to encrypt their traffic to avoid management. The solution is to implement application layer firewalls that are able to scan within encrypted streams. On the outside more structured application level attacks are being crafted on a daily basis, the only way to deal with such threats is to use newer more sophisticated application layer firewalls.