There are three basic categories of firewalls: packet filtering firewalls, stateful inspection firewalls and application proxy firewalls. Often, people refer to packet filtering firewalls and stateful inspection firewalls using the term gateway server firewall. Each of these three approaches builds upon the previous one(s), offering greater protection to an enterprise network. Here's how they work:
- Packet filtering firewalls are the most basic firewall technology available. Each network packet reaching the firewall is evaluated based upon its source, destination IP address and port to determine whether it is allowed to pass through the firewall. The firewall does not have any information about active connections, so it makes this decision each time it receives a packet. Packet filter firewalls are not common and users of this technology are typically writing rules that run on their routers.
- Stateful inspection firewalls are the most commonly deployed firewalls in enterprises today. They build upon packet filters by having the firewall maintain information about the state of each active connection. When a new packet arrives at the firewall, the filtering mechanism first checks to determine whether the packet is part of a currently active (and previously authorized) connection. Only if it doesn't appear on the list of active connections does the firewall evaluate the packet against its rulebase. There's a reason stateful inspection firewalls are so common: They're the most efficient and cost-effective firewalls, and are generally suitable for protecting most network borders.
- Application proxy firewalls go a step beyond stateful inspection firewalls in that they don't actually allow any packets to directly pass between protected systems. Instead, the firewall creates a proxy connection on the destination network and then passes traffic through that proxied connection. Proxy firewalls often contain advanced application inspection capabilities, allowing them to detect sophisticated application-layer attacks, such as buffer overflow attempts and SQL injection attacks. They're much more expensive than stateful inspection firewalls, however, and are normally only used to protect data centers and other networks containing publicly accessible, high-value servers.
The choice of an appropriate firewall mix for your organization will depend upon budget, the types of systems on the network and the enterprise's risk tolerance. For more on this topic, read my tip How to choose a firewall.
For more information:
This was first published in May 2009