Sidewinder from Secure Computing is an excellent application-proxy firewall.

So is Borderware.

IPCOP has aspects that qualify.

No, the ASA is a packet filter only firewall. It's quite good at what it
does, but it does not handle the application layer. And no, deep packet
inspection does not qualify.

O'Reilly made an awesome firewall book that you should read. It's a
little dated, but the concepts are solid: Building Internet Firewalls.

For most of 'em, you'll need some coin. Neither Sidewinder nor Borderware
come cheap. IPCOP is ok for a SOHO setup, perhaps as many as 25
users...not sure beyond that. But it's not engineered to be an enterprise
solution...though I'm sure someone has created a flavor of it that is.

Application proxy firewalls do give you some additional protection over
straight packet filter firewalls. If you're talking a massive enterprise,
it takes more hardware to drive it as well, as there is some footprint
increase because of the proxies themselves. However, when a user goes out
through a proxy, a hardened IP stack protects them, as no direct
connections are made between client and remote end. With a packet filter,
the client talks directly to the remote end.

Hope that helps a bit.

Sincerely,

Bryan S. Sampsel
LibertyActivist.org

ams.sec (at) gmail (dot) com [email concealed] wrote:
> Hi everyone,
>
> Can anyone please list out some name of application level firewalls. Would
> Cisco ASA qualify as a application firewall? I have heard it needs certain
> addons to provide application screening functionality. Thanks a zillion.
>
> Ams
>

[ reply ]