Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Thursday, July 3, 2008

Application Firewall: The Next Generation Proxy?

There's been a lot of talk lately around application firewalls. While the idea sounds intriguing, there are still a lot of issues to resolve before it can gain wide acceptance. The idea behind an application firewall is to marry the proxy and the firewall into a single device that has the application layer security and visibility of the proxy with the packet layer security and visibility of the firewall.

While this sounds great in theory, there are a lot of practical hurdles to overcome in implementation. First off, it marries two different groups in most IT organizations: the network layer group and the security group. That alone makes it a tough sell in many larger IT organizations.

The other big hurdle? Most organizations that would implement an application firewall already have both a firewall and a proxy, typically devices they have a considerable investment in, not only in hardware and software costs, but also in training, reporting, monitoring and other intangible investments.

Is the added benefit of a combined device enough to overcome the expense and create enough justification to remove the existing firewall and proxy? Some IT admins I've spoken to don't think so. They view the application firewall as just a fad, and expect that the proxy vendors and firewall vendors will add enough new features to their products to prevent the application firewall from getting a toehold, especially when there aren't enough compelling reasons to buy the application firewall. Yet.
