Where Application Firewalls Fit in a Network
The closer you come to the resource that needs to be protected, the more intelligent and
specific you can get in filtering traffic directed at that resource. Because application
firewalls enable you to perform deep packet inspection and filter based on the raw
application data, they are best suited for implementation close to the resources they
protect. There are a couple of reasons for this.
First, many application firewalls cannot filter traffic for which a proxy does not exist. As
a result, if an application firewall receives traffic that it cannot proxy, it is forced to drop
that traffic. The closer to the protected resources the application firewall is implemented,
the less likely it is that it will have to deal with traffic other than traffic that is actually
destined for the protected resource.
Second, because application firewalls typically perform a more detailed inspection of the
data, they perform worse than a comparable stateful packet-filtering firewall. By placing
the firewall closest to the resources being protected, you reduce the volume of extraneous
traffic that the firewall must filter, thus preventing the firewall from becoming a
Application firewalls are most commonly implemented in a dual-firewall architecture as
the interior firewall. This setup allows the firewall to perform the most in-depth
inspection of the traffic that is actually destined for your internal network.
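The following toy model, added here and not taken from the book, makes the two placement arguments concrete: an exterior stateful packet filter passes only traffic addressed to a single protected web server, and an application firewall that proxies only HTTP/HTTPS is then run either at the perimeter or as the interior firewall. All addresses, ports and packets are constructed.

```python
# Added illustration (not the book's code): a toy model of the two placement
# arguments. Packets, protocols and addresses are constructed.
from dataclasses import dataclass

PROTECTED_WEB = "10.0.1.10"   # constructed address of the protected web server
PROXIES = {"http", "https"}   # application protocols the app firewall can proxy


@dataclass(frozen=True)
class Packet:
    dst: str
    dport: int
    proto: str    # application protocol carried in the payload
    payload: str


# Constructed traffic mix as it arrives at the perimeter.
TRAFFIC = [
    Packet(PROTECTED_WEB, 80, "http", "GET /index.html"),
    Packet(PROTECTED_WEB, 80, "http", "GET /../../etc/passwd"),  # policy violation
    Packet(PROTECTED_WEB, 443, "https", "ClientHello"),
    Packet(PROTECTED_WEB, 22, "ssh", "SSH-2.0-client"),
    Packet("10.0.2.5", 5060, "sip", "INVITE sip:alice@example"),
    Packet("10.0.3.7", 53, "dns", "A example"),
    Packet("10.0.3.8", 445, "smb", "NEGOTIATE"),
    Packet("10.0.2.5", 80, "http", "GET /status"),   # web traffic, but not to the protected host
]


def stateful_packet_filter(pkts):
    """Exterior firewall: cheap header-only check, passes only web traffic to the protected host."""
    allowed = {(PROTECTED_WEB, 80), (PROTECTED_WEB, 443)}
    return [p for p in pkts if (p.dst, p.dport) in allowed]


def application_firewall(pkts):
    """Application firewall: drops anything it has no proxy for, deep-inspects the rest."""
    stats = {"received": len(pkts), "inspected": 0, "no_proxy_dropped": 0,
             "policy_dropped": 0, "passed": 0}
    for p in pkts:
        if p.proto not in PROXIES:
            stats["no_proxy_dropped"] += 1     # reason 1: no proxy, forced drop
            continue
        stats["inspected"] += 1                # reason 2: costly payload inspection
        if p.proto == "http" and ".." in p.payload:
            stats["policy_dropped"] += 1
        else:
            stats["passed"] += 1
    return stats


def compare_placements(pkts):
    """Same app firewall at the perimeter vs. behind the packet filter (interior)."""
    return {"perimeter": application_firewall(pkts),
            "interior": application_firewall(stateful_packet_filter(pkts))}
```

In the interior placement the application firewall receives only the three packets that are really bound for the protected server, so it inspects less and never has to drop traffic for lack of a proxy.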