Where Application Firewalls Fit in a Network
The closer you come to the resource that needs to be protected, the more intelligent and specific you can get in filtering traffic directed at that resource. Because application firewalls enable you to perform deep packet inspection and filter based on the raw application data, they are best suited for implementation close to the resources they protect. There are a couple of reasons for this.
First, many application firewalls cannot filter traffic for which a proxy does not exist. As a result, if an application firewall receives traffic that it cannot proxy, it is forced to drop the traffic. The closer the application firewall is implemented to the resources being protected, the less likely it is to have to deal with traffic other than traffic that is actually destined for the protected resource.
Second, because application firewalls typically perform a more detailed inspection of the data, they perform worse than a comparable stateful packet-filtering firewall. By placing the firewall closest to the resources being protected, you reduce the volume of extraneous traffic that the firewall must filter, thus preventing the firewall from becoming a performance bottleneck.
Application firewalls are most commonly implemented in a dual-firewall architecture as the interior firewall. This setup allows the firewall to perform the most in-depth inspection of the traffic that is actually destined for your internal network.
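The following model of the dual-firewall placement is an added example, not code from the original text. It shows how an exterior packet filter cuts the volume the interior application firewall must inspect, and how traffic without a proxy is dropped even when the exterior filter permits it. The addresses, ports, flows, and function names are all assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample flows: (destination IP, destination port, raw application data).
FLOWS = [
    ("10.0.1.10", 80, b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
    ("10.0.1.10", 80, b"TRACE / HTTP/1.1\r\nHost: www\r\n\r\n"),
    ("10.0.1.10", 25, b"EHLO mail.example\r\n"),
    ("10.0.2.20", 53, b"\x12\x34\x01\x00"),
    ("10.0.2.20", 123, b"\x1b" + b"\x00" * 47),
    ("10.0.1.10", 80, b"POST /login HTTP/1.1\r\nHost: www\r\n\r\n"),
]

# Assumed services behind the interior firewall that the exterior filter permits.
PROTECTED = {("10.0.1.10", 80), ("10.0.1.10", 25)}


def exterior_filter(flow):
    """Stand-in for the stateful packet filter: decides on address and port only."""
    dst, port, _payload = flow
    return (dst, port) in PROTECTED


def http_proxy(payload):
    """Inspects the raw application data: well-formed request line, allowed method."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    return (len(parts) == 3
            and parts[0] in {b"GET", b"POST", b"HEAD"}
            and parts[2].startswith(b"HTTP/1."))


# The only proxy this hypothetical application firewall ships with.
PROXIES = {80: http_proxy}


def application_firewall(flow):
    """Interior firewall: traffic with no matching proxy cannot be filtered, so drop it."""
    _dst, port, payload = flow
    proxy = PROXIES.get(port)
    if proxy is None:
        return "drop:no-proxy"
    return "forward" if proxy(payload) else "drop:inspection"


def run(flows, with_exterior):
    """Return (flows the application firewall had to inspect, verdict counts)."""
    inspected = [f for f in flows if exterior_filter(f)] if with_exterior else list(flows)
    return len(inspected), dict(Counter(application_firewall(f) for f in inspected))


if __name__ == "__main__":
    print("application firewall alone:   ", run(FLOWS, with_exterior=False))
    print("behind exterior packet filter:", run(FLOWS, with_exterior=True))
```

The SMTP flow on port 25 passes the exterior filter but is still dropped at the interior firewall, because no proxy exists for it.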