Mon. May 6th, 2024

How Do Firewall Types Differ?

Firewalls are a vital tool to protect your business systems. But not all firewalls are created equal.

Much like a metal detector at the entrance of a castle, firewalls check data packets for suspicious characteristics to prevent cyberattacks. They can allow or block incoming and outgoing data packets based on pre-established security rules.

Packet Filtering Firewalls

Packet filtering firewalls examine data packets at network interfaces and block or allow them based on predefined rules, IP addresses, ports, and protocols. They’re ideal for small applications and home/small-business networks. They work swiftly and are among the lightest, most affordable, easy-to-use firewall solutions.

While effective for basic filtering, they cannot protect against advanced or zero-day threats. For instance, they are vulnerable to IP address spoofing because they rely on header information alone rather than on the context of a connection.

Another drawback is that they operate like routers at the OSI model’s network layer (layer 3) and do not inspect the application layers. This makes them unsuitable for organizations that need granular control of application-layer traffic or that must secure web-based applications.

A stateless firewall, sometimes referred to as a reversible packet filtering firewall, monitors incoming and outgoing data packets without retaining any connection data. Stateless firewalls are a good option for businesses that want to avoid the extra capabilities of other firewalls, such as a firewall that monitors and records traffic or one with the same architecture as the network it secures. However, they need to be supplemented with sophisticated features such as TCP handshake checks and deep packet inspection, and they can increase network load and slow packet transfer. They also demand more security knowledge and are more vulnerable to attack. The following sections describe how the other firewall types differ.

Stateful Inspection Firewalls

Stateful inspection firewalls monitor active network connections and analyze the contents of each packet to decide whether to allow it through. They use IP addresses, protocols, and source/destination ports to identify network traffic, and they examine the information in each packet to see whether it matches existing security rules. As a result, they are much more effective than their predecessors and provide a higher level of protection against advanced threats.

This traffic analysis method is often used for TCP streams, UDP datagrams, and ICMP messages. Firewall vendors also apply state flags to each connection to mark it as listening, established, or closed. The firewall then keeps a table of these sessions and checks each subsequent related packet against it to ensure the packet is approved for communication under the configured security policy. This type of firewall can be slow and consume many CPU cycles, especially under heavy traffic.

Circuit-level gateways are another type of firewall; they work at the OSI session layer and look for TCP handshakes between local and remote systems. As a result, they are quick to approve or deny traffic and can work well for specific networks, but they should be used in conjunction with other network security measures.

Circuit-Level Gateways

Circuit-level gateway firewalls work at the session layer of the open systems interconnection (OSI) model and verify established transmission control protocol (TCP) connections while keeping track of active sessions. They are similar to packet filtering firewalls in that they perform only a single check and consume minimal resources. They help protect networks from unauthorized external access by keeping internal devices’ identities and IP addresses hidden when communicating with remote hosts.

These firewalls also do not inspect application data, so they only address threats at the start of a communication session rather than as it continues. They do this by monitoring the TCP handshake messages (SYN and ACK) exchanged as two endpoints begin communicating. This helps prevent spoofing attacks by verifying whether the remote system is genuine.

Once a connection is established, the circuit-level gateway creates a virtual circuit between the host networks and relays TCP segments across it. The firewall keeps a table of these connections and validates each packet by comparing it against the stored information to decide whether its data may pass. Once a TCP session is complete, the firewall removes the entry from this table and closes the virtual circuit between the hosts. Cable/DSL home routers typically use this method of firewalling in conjunction with Internet sharing.
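To make the contrast concrete, here is an added example in Python (not code from the article): a stateless filter that judges each packet on its header alone, as in the stateless paragraph above, beside a stateful firewall that keeps the session table described in the stateful-inspection and circuit-level sections and removes the entry when the session ends. The internal prefix 10.0.0., the port-443 policy, the state names and all packets are constructed for the illustration.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flag names, e.g. frozenset({"SYN"})

def is_internal(ip: str) -> bool:
    return ip.startswith("10.0.0.")  # constructed "inside" prefix

# Stateless filter: each packet is judged on its header alone. To let HTTPS replies
# back in, the rules must admit ANY external packet with source port 443.
def stateless_allow(pkt: Packet) -> bool:
    outbound_https = is_internal(pkt.src) and pkt.dport == 443
    inbound_reply = not is_internal(pkt.src) and is_internal(pkt.dst) and pkt.sport == 443
    return outbound_https or inbound_reply

class StatefulFirewall:
    def __init__(self) -> None:
        self.table: dict = {}  # (client, cport, server, sport) -> state

    def allow(self, pkt: Packet) -> bool:
        f, inbound = pkt.flags, not is_internal(pkt.src)
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport) if inbound else \
              (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if not inbound and pkt.dport == 443 and f == {"SYN"}:
            self.table[key] = "SYN_SENT"    # new outbound session recorded
            return True
        state = self.table.get(key)
        if state is None:
            return False                    # no session: unsolicited, dropped
        if state == "SYN_SENT" and {"SYN", "ACK"} <= f:
            self.table[key] = "ESTABLISHED" # handshake completed
        elif f & {"FIN", "RST"}:
            del self.table[key]             # session over: entry removed
        return True

def demo() -> dict:
    # Constructed flow: one legitimate HTTPS session plus one spoofed probe.
    c, s = "10.0.0.5", "203.0.113.7"
    flow = {
        "syn": Packet(c, 40000, s, 443, frozenset({"SYN"})),
        "synack": Packet(s, 443, c, 40000, frozenset({"SYN", "ACK"})),
        "probe": Packet("198.51.100.9", 443, c, 22, frozenset({"SYN"})),
        "fin": Packet(c, 40000, s, 443, frozenset({"FIN", "ACK"})),
        "late": Packet(s, 443, c, 40000, frozenset({"ACK"})),
    }
    fw = StatefulFirewall()
    return {n: (stateless_allow(p), fw.allow(p)) for n, p in flow.items()}
```

Calling demo() returns (stateless, stateful) decisions per packet: the probe with source port 443 passes the stateless rules but has no table entry and is dropped by the stateful firewall, and the packet arriving after FIN is dropped once its entry has been removed.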

Next-Generation Firewalls

NGFWs differ from other firewall types because they filter packets based on their content rather than on port or protocol alone. This granularity makes it harder for attackers to evade detection by changing their attack methods. NGFWs also support network micro-segmentation and application awareness, and they can identify malicious activity using reputation-based security intelligence.

This level of protection distinguishes legitimate use of an application from malicious use. For example, an NGFW can allow the remote desktop protocol (RDP) to be used by authorized personnel while blocking anyone else from accessing it. NGFWs can make this distinction because they use deep packet inspection and monitor the entire context of each packet, including its destination IP address and port.

The NGFW can then make a more informed decision about whether the connection should be allowed to continue and under what parameters. This helps organizations keep malware that could do extensive damage from entering the internal network.
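As an added example (not from the article), this Python snippet contrasts a port-based rule with a content-aware one for the RDP case above. It assumes an RDP connection request starts with a TPKT header (version byte 3) followed by an X.224 Connection Request TPDU (code 0xE0); the authorized hosts, the packets and the tiny classifier are constructed for the illustration.

```python
# Constructed signatures: first bytes on the wire for each application.
RDP_TPKT_VERSION = 0x03   # TPKT header version used by RDP
X224_CONNECT_REQ = 0xE0   # X.224 Connection Request TPDU code
TLS_HANDSHAKE = b"\x16\x03"

ADMIN_HOSTS = {"10.0.0.10", "10.0.0.11"}  # constructed "authorized personnel"

def app_of(payload: bytes) -> str:
    """Classify the application by content, whatever port it arrived on."""
    if (len(payload) > 5 and payload[0] == RDP_TPKT_VERSION
            and payload[1] == 0 and payload[5] == X224_CONNECT_REQ):
        return "rdp"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD"):
        return "http"
    if payload.startswith(TLS_HANDSHAKE):
        return "tls"
    return "unknown"

def port_rule(src: str, dport: int, payload: bytes) -> bool:
    """Legacy layer-3/4 rule: block RDP by its default port only."""
    return dport != 3389

def ngfw_rule(src: str, dport: int, payload: bytes) -> bool:
    """Content-aware rule: RDP only from authorized hosts, other known apps pass."""
    app = app_of(payload)
    if app == "rdp":
        return src in ADMIN_HOSTS
    return app in ("http", "tls")   # unknown traffic is not allowed through

def demo() -> dict:
    rdp_cr = bytes([3, 0, 0, 11, 6, 0xE0, 0, 0, 0, 0, 0])  # constructed RDP request
    cases = {
        "admin_rdp_3389": ("10.0.0.10", 3389, rdp_cr),
        "user_rdp_3389": ("10.0.0.55", 3389, rdp_cr),
        "user_rdp_8443": ("10.0.0.55", 8443, rdp_cr),   # RDP moved off its port
        "user_https": ("10.0.0.55", 443, b"\x16\x03\x01\x00\x05"),
    }
    return {n: (port_rule(*c), ngfw_rule(*c)) for n, c in cases.items()}
```

demo() returns (port-rule, NGFW-rule) decisions: the port rule misses RDP on 8443 entirely, while the content-aware rule recognizes it and admits RDP only from the authorized hosts.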

Choosing the right NGFW for your business will depend on how many devices you have and the security features you want to include. Regardless of the type of firewall you select, you must ensure you have the resources to manage it correctly. Many NGFWs have built-in or optional centralized management capabilities, which can reduce the staff required for monitoring and maintenance. For instance, a cloud-managed NGFW (also known as firewall-as-a-service or FWaaS) performs the same functions as an on-premises device but is managed remotely by the firewall vendor.