Stateful Firewall - Application-level Filters

Application-level Filters

Packet filtering alone is not regarded as providing enough protection. In order to effectively block peer-to-peer-related network traffic, what is needed is a firewall that does application filtering, which can be regarded as an extension to stateful packet inspection. Stateful packet inspection can determine what type of protocol is being sent over each port, but application-level filters look at what a protocol is being used for. For example, an application-level filter might be able to tell the difference between HTTP traffic used to access a Web page and HTTP traffic used for file sharing, whereas a firewall that is only performing packet filtering would treat all HTTP traffic equally.

Even though application-layer firewalls are more secure than packet filtering, they are generally slower than stateful inspection. Application-layer firewalls are sometimes implemented using application proxies. Two TCP connections are established: one between the packet source and the firewall, another between the firewall and the packet destination. Application proxies intercept arriving packets on behalf of the destination, examine the application payload, and then relay permitted packets to the destination. Suspicious data is dropped, and the client and server never communicate directly with each other. Proxies necessarily involve more protocol stack overhead than inspecting packets at the network layer. Furthermore, because a unique proxy is required for each application, proxy firewalls can be less flexible and slower to upgrade than stateful inspection firewalls. Nevertheless, because application-level proxies are application-aware, the proxies can more easily handle complex protocols like H.323 or SIP, which are used for videoconferencing and VoIP (Voice over IP).
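The difference between the two decisions can be shown with a small added example (not from the original page) that compares a port-only verdict with the verdict an HTTP application proxy would reach before relaying a request. The function names, the sample requests and the policy of treating BitTorrent tracker announces (requests carrying `info_hash` and `peer_id` query parameters) as file sharing are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Illustrative policy (assumption, not from the page): an HTTP request whose
# query string carries both of these keys is a BitTorrent tracker announce.
P2P_QUERY_KEYS = {"info_hash", "peer_id"}
ALLOWED_METHODS = {"GET", "HEAD", "POST"}

def packet_filter_verdict(dst_port):
    """Port-only decision: every flow to TCP/80 looks the same."""
    return "allow" if dst_port == 80 else "drop"

def parse_request(raw):
    """Parse an HTTP/1.x request head; return (method, target, headers) or None."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        return None  # no complete request head
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            return None  # malformed header line
        headers[name.lower()] = value.strip()
    return parts[0], parts[1], headers

def proxy_verdict(dst_port, raw):
    """Application-level decision taken by the proxy before relaying."""
    if packet_filter_verdict(dst_port) == "drop":
        return "drop"
    req = parse_request(raw)
    if req is None:
        return "drop"  # fail closed: not valid HTTP on the HTTP port
    method, target, headers = req
    if method not in ALLOWED_METHODS or "host" not in headers:
        return "drop"
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if P2P_QUERY_KEYS.issubset(query):
        return "drop"  # HTTP used as a file-sharing transport
    return "allow"

# Constructed sample requests (not captured traffic).
WEB_PAGE = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
ANNOUNCE = (b"GET /announce?info_hash=%AA%BB&peer_id=-XX0001-abc&port=6881"
            b" HTTP/1.1\r\nHost: tracker.example.net\r\n\r\n")
NOT_HTTP = b"\x13BitTorrent protocol" + b"\x00" * 8
```

All three samples pass the port-only check on TCP/80; only the web page request passes the proxy's check.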
