A Case Against Layer 4 Security Tools

March 1, 2023

We often talk about how Layer 4 tooling such as VPNs are bad for security, so this post is going to dig into why. If you just want the conclusion, it's simple: Layer 4 tooling is fundamentally blind to its own traffic and Layer 7 tooling is not, which leads to different results for auditing, logging, and continuous verification.

This isn’t to say Layer 4 tools are all bad; it has its place in networking. But for the purpose of web applications and other Layer 7 traffic, organizations should understand the fundamental reasonings why Layer 4 security and access tools will cause security gaps and shift to Layer 7 tools when appropriate.

For those who don’t know, the Open Systems Interconnection (OSI) model is a conceptual framework that describes how data moves between devices on a network. It is divided into seven layers, each responsible for a specific set of functions. Layer 4 and Layer 7 are two of these layers, and this blog post will lay out their pros and cons.

Image source: BMC.com

Layer 4

Layer 4, also known as the Transport layer, is responsible for end-to-end communication between devices. It provides reliability and error-checking mechanisms to ensure that data is transmitted accurately and completely.

Pros of Layer 4:

  • Reliable transport: Layer 4 protocols, such as TCP (Transmission Control Protocol), provide reliable transport by establishing a connection between devices, ensuring that data is delivered in the correct order, and retransmitting lost or corrupted packets.

  • Efficiency: The transport layer is responsible for segmenting data into smaller units, known as segments, to optimize the use of network resources and improve efficiency. It also ensures that data is transmitted at a rate that the receiver can handle, by using flow control mechanisms such as sliding window protocols.

  • Fast: Layer 4 is typically faster than Layer 7, as it operates at a lower level of abstraction.

For communication tools or networking needs where these three things are high necessity, Layer 4 is the place to be.

And that’s good! Layer 4 is absolutely important for many things, like low-latency gaming, Zoom calls, and more. Anything that requires data to be delivered in a timely fashion without compromising too hard on quality. But our reasons for turning away from Layer 4 isn’t because it’s a bad layer, but because certain types of security tools simply should not run on this layer.

A determined individual can certainly eat soup with a fork, but spoons were invented for a reason. Let’s look at what Layer 4 is bad at.

Cons of Layer 4:

  • Less intelligent: Layer 4 is less intelligent than Layer 7, as it does not understand the content of the data being transmitted.

  • No content control: Layer 4 provides no control over the content of the data being transmitted. This means that it cannot differentiate between different types of traffic, such as HTTP or FTP.

While Layer 4 is a great place to run data, it’s a terrible place to run the basics of security: monitoring, auditing, and logging. Sure, a Layer 4 security tool can tell you when a user established a connection, when they terminated it, and even where they did it from, but that’s just not enough.

For example, if you installed a camera at your door and were alerted during a vacation that someone entered your house at 3 AM, left 30 minutes later, and drove off, what’s your next question?

I imagine it would be: What the heck did they actually do in my house?

Layer 4 tools (like corporate VPNs) has limited visibility into the data that runs through their pipes, and that’s why we say Layer 4 security tools are blind.

Layer 7

Layer 7, also known as the Application layer, is responsible for managing user applications and data. It provides access to network services for applications, including file sharing, message handling, and database access. The most common protocols at the application layer are HTTP, FTP, SMB/CIFS, TFTP, and SMTP. If that’s confusing, just know that this layer the one that most users interact with on the internet.

Pros of Layer 7:

  • Intelligent: Layer 7 is more intelligent than Layer 4, as it can understand the content of the data being transmitted and provide application-specific functionality.

  • Content control: The Application layer provides more control over the content of the data being transmitted. It can differentiate between different types of traffic and apply policies accordingly.

  • Security: Layer 7 provides more advanced security features, such as deep packet inspection and content filtering.

Cons of Layer 7:

  • Slower: Layer 7 is typically slower than Layer 4, as it operates at a higher level of abstraction and requires more processing power.

  • Less reliable: Layer 7 does not provide the same level of reliability as Layer 4, as it does not have the same error-checking mechanisms.

Well, let’s not be coy about this. Layer 7 trades speed and reliability (in the sense of checking the sent data for errors) for the ability to monitor everything in that data. While this does mean that tools running in this layer aren’t as fast and can have errors, it provides an important aspect of security: visibility.

Still using our analogy from earlier, would you rather have high definition video footage of someone entering your house then leaving thirty minutes later, or would you rather have gray footage of seeing everything they did and where they went inside your house?

In conclusion, Layer 4 protocols provide reliable transport, efficiency, and speed; while Layer 7 protocols provide intelligent content control and advanced security features. While Layer 4 is great for fast and reliable communication, Layer 7 security tools are better suited for advanced security features such as deep packet inspection and content filtering. Ultimately, this means that while Layer 4 tools can provide basic security, they are not sufficient for a comprehensive security solution.

This is the reason why we actively encourage pivoting away from company VPNs, or at least deprecating their use. Not only do VPNs disrupt productivity, their inability to monitor and reliance on an incomplete security model produces more workload for organizations that use them.

4 to 7 in 3 Easy Steps

Step 1: Determine if the organization can accept the security gap and lack of fine-grain auditing/logging

Step 2: Adopt Layer 7 tooling if the organization wants a better solution and results

Step 3: Stay productive and secure with better auditing capabilities and fine-grained access control for every single request

The good news is you can easily replace the VPN without disrupting productivity and company operations. In fact, that’s why we built Pomerium, an identity and context-aware access control gateway which runs on Layer 7 to utilize the advantages detailed above while avoiding the problems of Layer 4 tooling. Productivity does not need to be impacted and administration has never been easier.

Pomerium is the top choice for companies looking for an open-source context-aware access gateway to manage secure, identity-aware access to applications and services. Our customers depend on us to secure zero trust, clientless access to their web applications everyday.

Check out our open-source Github Repository or give Pomerium a try today!


More Blog Posts

See All Blog Posts
Introducing Pomerium Zero
Skip the SSO tax with Pomerium
Announcing Pomerium v0.26

Your Security

Embrace Seamless Resource Access, Robust Zero Trust Integration, and Streamlined Compliance with Our App.

Pomerium logo
© 2024 Pomerium. All rights reserved