Application Layer Filtering - Firewall Advanced Security
What is Application Layer Filtering - Third Generation
From the traditional attacks such as scanning of open ports on network firewalls, hackers are now attacking applications directly. Packet filtering or stateful firewalls alone can not detect application layer attacks. This is because they analyse the ports, protocols and states of the packets but do not look deep inside the packet. In other words they do not completely disassemble a packet and its content and analyse the content including the payload. This has lead to the emergence of application layer defense mechanisms.
Application layer gateway firewalls also known as proxy based firewalls can monitor and filter on the application layer (Layer 7), as well as doing the traditional filtering such as packet filtering and stateful packet inspection. Application layer proxies are able to look deep within the packets (traffic) content, and look for inconsistencies, invalid or malicious commands, and executable programs.
Many of today's firewalls come with a package of application layer proxies. These proxies will be dedicated to a service or protocol, and understand the granular workings of the protocol. For example a dedicated proxy for the SMTP protocol can be used to detect for invalid commands and parameters used for potential attacks, though blocking these. HTTP and HTTPS application proxies can check for tampering of cookies and invalid character encoding and much more.
Filtering on the application layer offers the best level of security however it is slower and so require more processing power when inspecting each packet. It requires a powerful firewall, however this of course comes with a bigger cost. That said, today's hardware technology such as quad core CPU's have evolved rapidly and so are able to handle resource intensive applications.
For further reading, there's some excellent electronic ebooks available for download from eBooks.com