From Citrix Systems
Summary:
The threat profile facing enterprise organizations has undeniably shifted from network-layer exploits to more formidable attacks against applications, primarily Web and Web services applications. This radical change has been recognized by numerous IT security vendors, which have rushed to deliver products that shield Web applications from a new generation of attacks.
Protecting an application from attack requires a complete understanding of all application communications. Unless a device can “see” the same data as the application it is protecting, it will be unable to identify application-layer threats. This means that to secure any common Web-based application, a security device must perform a full deconstruction of the HTML data payload, as well as track the state of each application session.
It is technologically impossible for any device to understand application communications or analyze application behavior via the deep inspection of IP packets, either individually or reassembled into their original sequence. Network firewalls and intrusion prevention systems (IPS) are useful for validating the format of application header information to ensure standards compliance.
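An added illustration of the point above, not taken from the Citrix report: a constructed HTTP POST whose URL-encoded form field is split across two TCP segments. A per-packet byte scan, and even a scan of the reassembled stream, both miss the pattern; only parsing the request and decoding the field exposes it. The sample traffic, the signature and all function names are constructed for this example.

```python
import re
import urllib.parse

# Constructed capture of one request as two TCP segments (not real traffic).
# The form field "text" is URL-encoded and cut mid-token by the segment boundary.
SEGMENTS = [
    b"POST /comment HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 44\r\n"
    b"\r\n"
    b"user=alice&text=hello%20%3Cscr",
    b"ipt%3E%20world",
]

# Simple content signature a policy might forbid inside a free-text field.
SIGNATURE = re.compile(rb"<script", re.IGNORECASE)

def packet_level_hits(segments):
    """IPS-style check: scan each segment's raw bytes independently."""
    return sum(1 for s in segments if SIGNATURE.search(s))

def stream_level_hits(segments):
    """Reassembled but undecoded: the bytes are back in order, still encoded."""
    return 1 if SIGNATURE.search(b"".join(segments)) else 0

def parse_http_request(stream):
    """Application-layer view: split request line, headers and body,
    honour Content-Length, and decode the form body into fields."""
    head, _, body = stream.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    length = int(headers.get("content-length", "0"))
    fields = urllib.parse.parse_qs(body[:length].decode(), keep_blank_values=True)
    return method.decode(), path.decode(), fields

def application_level_hits(segments):
    """WAF-style check: reassemble, parse, decode, then inspect each field value."""
    _method, _path, fields = parse_http_request(b"".join(segments))
    return {name: value for name, values in fields.items()
            for value in values if SIGNATURE.search(value.encode())}
```

Running the three checks on the same constructed request gives 0, 0 and one flagged field respectively, which is the gap between packet inspection and application-layer inspection the summary describes.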
Complete Report: Protecting Web Applications from Attack and Misuse