Know Your Firewall: Layer 3 vs. Layer 7
Discussing firewalls does not rank high on most folks’ lists of ways to have a good time. But if you want to secure modern, microservices-based applications, understanding how your firewall works under the hood is essential. To that end, this article explains one of the important technical nuances of firewalls: the differences between layer 3 and layer 7.
In a basic sense, understanding what a firewall does is pretty simple. It blocks certain types of network traffic and allows other types of traffic. In this way, firewalls help to prevent potential intruders from being able to talk to your applications and services, which does much to prevent security exploits (although a firewall is hardly the only security defense that you should include in your security toolset, of course).
But how does a firewall determine which traffic to let in, and which to block? Answering that question requires us to delve a bit deeper into the nuances of how firewalls work—and specifically, firewall layers.
When it comes time to tell your firewall which types of traffic are OK to admit and which ones it should block, there are multiple ways to categorize traffic into “OK” and “not OK” categories. Each approach corresponds to a different firewall “layer,” as defined by the OSI model.
Layer 3 Firewalls (Network Firewalls)
One way is to categorize traffic according to IP addresses, port numbers and service protocols. In other words, you could tell your firewall to accept traffic from certain IP addresses while blocking all other traffic (this would constitute a whitelisting strategy). Alternatively, you could blacklist IP addresses that you know to be sources of abuse.
You could make things more granular by configuring your firewall to accept traffic from certain IP addresses only on certain ports, or when the traffic uses a certain protocol.
If you categorize traffic in these ways, you’re operating on layer 3 of your firewall. This is also sometimes known as the network layer. Layer 3 firewalls filter traffic based on the TCP/IP stack. This approach is sometimes also referred to as packet filtering, because you’re essentially allowing and blocking individual network packets depending on where they originated and which ports they want to talk to.
Layer 7 Firewalls (Application Firewalls)
The other common approach to firewall configuration involves layer 7, which is also known as the application layer.
Layer 7 lets you sort traffic according to which application or application service the traffic is trying to reach, and what the specific contents of that traffic are. Rather than simply blocking all traffic on a certain port, you could use an application firewall to accept traffic on that port in general, but block any traffic that contains a known vulnerability (such as a SQL injection attack or a malicious telnet command).
Layer 3 vs. Layer 7
If layer 7 provides the greatest opportunity for advanced firewall configuration, why would we talk about layer 3 at all? The answer is that they’re different tools that mitigate different kinds of risks and it’s not an either/or question. In most cases, you’d use both a L3 and an L7 firewall and the two complement each other.
L3 firewalls make decisions based on a much more narrow set of variables (IPs and ports) than L7 firewalls, which look at a literally infinite amount of unique requests. Thus, L3 firewalls are generally able to have much greater throughput than L7 firewalls. Further, because they address a lower level of the stack, L3 firewalls cover a wider variety of scenarios than an L7 firewall, which has to have protocol-specific logic for handling each kind of traffic flow it protects. L3 firewalls, conversely, simply allow or deny based on source and destination ports, without awareness of the traffic within, and thus work universally across any IP based scenarios.
The lack of protocol awareness, though, is a significant blind spot the L7 firewalls address. Especially as HTTP has become the universal app protocol, attackers are more likely to probe and exploit weaknesses within the app layer. So, if you have just an L3 firewall that allows all traffic to port 80, you’re blind to those risks. An L7 firewall is able to look within the app layer and make decisions regarding whether to allow a request based on what it contains—not just the port it’s trying to reach. This is a more computationally costly operation, but one that provides significantly greater security.
Because of these trade-offs, the best model for most scenarios is to use multiple layers of defense in depth; specifically, have an L3 firewall at the edge that only allows inbound traffic on the specific ports your apps use. Those ports should then be routed to an L7 firewall for deep inspect at the app protocol level. This model leverages the strengths of each approach with the L3 firewall efficiently dropping all packets but those from allowed sources and destined to allowed ports, thus allowing the L7 firewall to focus exclusively on inspecting the content of the requests to those ports.