Firewall comparison: Packet-filtering firewalls versus proxy firewalls

Stateful packet-filtering firewalls account for more than 90% of the market, but the proxy firewall folks haven't rolled up their tents yet. In this firewall comparison, you will discover which is better for your enterprise.

The firewall industry split into two camps in the early '90s. On one side was the traditional proxy-based firewall gang; on the other were some upstarts, led by Check Point Software Technologies, looking for faster technology and greater flexibility with packet-filtering. The debates were furious, the mud-slinging intense, but the market eventually sided with Check Point. Today, stateful packet-filtering firewalls account for more than 90% of the market. The technology is so commonplace that packet filtering is built into $99 SOHO devices.

However, the proxy firewall folks haven't rolled up their tents yet. They continue to sell product because their basic argument holds true: Proxy firewalls, with two independent TCP connections for each application, can be more secure than packet filters. With no IP-layer packets passing directly between the inside and the outside, proxies are inherently immune to most kinds of reconnaissance and spoofing attacks. Proxy-based firewalls can easily do all kinds of application-layer validity checking, antivirus scanning and content filtering, as well as granular access control, because they are truly aware of the application data flow. This is particularly important given the rise in application attacks over port 80.
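The difference described above can be seen by running the same port-80 traffic through both decision models. This is an added example, not code from the article or from any firewall product; the addresses, policy values and function names are assumptions chosen for illustration.

```python
from dataclasses import dataclass

ALLOWED_METHODS = {"GET", "HEAD", "POST"}  # assumed site policy
MAX_URI_LEN = 2048                         # assumed site policy
SERVER = ("192.0.2.10", 80)                # constructed web server address

@dataclass
class Flow:
    dst_ip: str
    dst_port: int
    payload: bytes  # first client bytes seen on the connection

def packet_filter_allows(flow):
    """Packet-filter view: the decision uses address and port only."""
    return (flow.dst_ip, flow.dst_port) == SERVER

def proxy_allows(flow):
    """Proxy view: terminate the client connection, validate the HTTP
    request line, and only then open a second connection to the server."""
    if not packet_filter_allows(flow):
        return False, "address/port not permitted"
    head, sep, _ = flow.payload.partition(b"\r\n")
    if not sep:
        return False, "no complete request line"
    try:
        parts = head.decode("ascii").split(" ")
    except UnicodeDecodeError:
        return False, "non-ASCII request line"
    if len(parts) != 3:
        return False, "malformed request line"
    method, uri, version = parts
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not allowed"
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return False, "unsupported HTTP version"
    if not uri.startswith("/") or len(uri) > MAX_URI_LEN:
        return False, "invalid or overlong URI"
    return True, "ok"

# Constructed sample flows, all addressed to TCP port 80 on the same server.
SAMPLES = [
    Flow("192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Flow("192.0.2.10", 80, b"TRACE / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Flow("192.0.2.10", 80, b"GET /" + b"A" * 4096 + b" HTTP/1.1\r\n\r\n"),
    Flow("192.0.2.10", 80, b"\x00\x01binary-tunnel-data\r\n"),
]

def compare():
    """Return (packet_filter_verdict, proxy_verdict) for each sample flow."""
    return [(packet_filter_allows(f), proxy_allows(f)[0]) for f in SAMPLES]
```

Every sample passes the packet filter because it is addressed to the permitted port; only the proxy, which parses the application data, distinguishes the well-formed request from the other three.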

"For granular control, HTTP is the most important [protocol] to us due to application-level attacks," says Rob Leggett, senior security analyst for Chicago-based Clearing Corporation, which deploys CyberGuard firewalls to secure futures trading transactions by verifying matches between buyers and sellers. "Obviously, this becomes more and more important as our business grows, as the number of Web-based applications increase and as other attacks rise."

Proxy firewalls still have a loyal following

Packet filters excel at speed and scalability. It takes very little CPU power and not much memory for a packet-filtering firewall to run rings around a high-end, high-priced proxy firewall. While proxy-based firewalls were struggling to meet the needs of companies with their newfound Internet T1 lines, packet filters stepped up to the challenge and quickly dominated the market.

The trade-off between security and performance has been acceptable to many network managers. Nevertheless, proxy firewalls continue to have a following, especially in the most conservative and security-aware organizations: government, military, financial services and health care. Proxy firewall vendors, sensitive to their performance constraints, have added packet filtering where appropriate.

The sharp rise in application-layer security attacks has revived the debates. After years of considering simple access control "good enough," many security managers are demanding the granular and powerful application-layer controls found in proxy firewalls to compensate for poorly written applications.

So, it's no surprise that packet-filter firewall vendors are building application-layer controls into their products, as we found in our testing. Although the products will never look like each other on the inside, they are moving to meet a common standard of security.

This was last published in March 2004

Join the conversation

2 comments

What do you think is more secure -- a packet-filtering or a proxy firewall? Why?
This is an open-ended question, as it depends on the situation; mostly, a better way is to use a proxy firewall, but not to disregard the packet filters, as they do their job great. With time and new adaptability, an increase has been seen in the efficiency of packet filters, but they are still vulnerable to attacks; on the other hand, the proxy firewall has a tradeoff by having a higher horsepower to process requests and to allow data in the network with memory usage for a system.

It depends, but for me, the situations which I have implemented are mostly proxy firewalls. As the company pays for the system and wants their data to be safe and secure, let them incur the cost after all.