What is the difference between circuit-level gateways and application-level gateways relative to network firewalls?
Good question. First, let's clarify some terminology. Security professionals use a number of different terms that all mean the same thing. Circuit-level gateways are often referred to as stateful inspection firewalls. Application-level gateways are often referred to as proxy firewalls or application proxy firewalls.
There are three general classes of firewalls: packet filtering firewalls, stateful inspection firewalls and proxy firewalls. All three analyze inbound packets against a rule base and decide to block or allow the packet based upon those rules. Packet filtering firewalls don't do anything else. They analyze each packet in isolation and don't have any context (or "state") information to compare the current packet with previous packets.
Stateful inspection firewalls go a bit further. They monitor the connection setup and teardown process to keep tabs on connections at the TCP/IP level. This allows them to keep track of state information and determine which systems have open, authorized connections at any given point in time. They only reference the rule base when a new connection is requested. Packets belonging to existing connections are compared to the firewall's state table of open connections, saving time and providing added security.
Proxy firewalls are the most advanced. Like stateful inspection firewalls, they're connection-aware. But unlike the other two, they intercept all connections and perform an in-depth application layer analysis. Each time an external client requests a connection with an internal server (or vice versa), the client opens a connection with the firewall. If the connection meets the criteria in the firewall rule base, the proxy firewall will open a connection to the requested server. This places the firewall in the middle of the logical connection and allows it to watch the traffic for any signs of malicious activity at the application level.
For more on firewalls, read the Firewall Architecture Guide.
Dig deeper on Application Firewall Security
Related Q&A from Mike Chapple, Enterprise Compliance
Social media compliance is not typically considered a big issue for companies, but expert Mike Chapple explains why it should be.continue reading
Metadata tagging is not just for security. Expert Mike Chapple explains how tagging tools can be used to achieve PCI DSS compliance.continue reading
Before using the HIPAA-compliant cloud services from Google, there are some things companies need to know, according to expert Mike Chapple.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.