For more than 30 years, firewalls have been essential to network and data security. A firewall generally sits on the outer border of your network and acts as a security gateway for all incoming network traffic. It uses a variety of technologies and techniques to monitor and analyze data packets. Different types of firewall architectures inspect packets at different layers of the OSI (Open Systems Interconnection) model, as summarized in the table below:
| OSI Layer | What it Does | Example Protocols | Protected By |
|---|---|---|---|
| Layer 7 — Application | Receives data directly from users and displays incoming data to the user. | HTTP, Telnet, FTP | Application-Level Gateway, NGFW, Cloud-based Firewall |
| Layer 6 — Presentation | Translates data from the application layer into a format usable by the network layer, and vice versa; encrypts and decrypts data. | SSL, TLS | NGFW, Cloud-based Firewall |
| Layer 5 — Session | Creates, coordinates, and terminates network sessions between devices. | NetBIOS, SDP, SMB | Circuit-Level Gateway, NGFW, Cloud-based Firewall |
| Layer 4 — Transport | Coordinates data transfer between systems. Determines the size of a data packet, the sender and recipient, the transport speed, and other factors. | TCP, UDP | NGFW, Cloud-based Firewall, some Stateful Firewalls |
| Layer 3 — Network | Breaks up data into packets, determines the best path to the destination, and reassembles packets once they've reached their destination. | IP, ARP, NAT | Packet-Filtering Firewall, Stateful Firewall, NGFW, Cloud-based Firewall |
| Layer 2 — Data Link | Handles node-to-node data transfer and error correction within the internal network. | LLC, MAC | NGFW, Cloud-based Firewall |
| Layer 1 — Physical | Handles physical cable or wireless connections and transmits raw data in binary format. | USB, Ethernet, Wi-Fi | N/A |
Most firewall architectures have traditionally focused on analyzing traffic on one specific layer of the OSI model — packet filtering on layer 3, for example. However, advanced firewall technologies operate on multiple layers, providing more comprehensive protection.
While there are many different firewall technologies and architectures, this blog defines and compares six of the most common: packet filtering, stateful inspection, circuit-level gateway, application-level gateway, next-generation firewall, and cloud-based firewall. Together they illustrate why an advanced, multi-layer firewall architecture matters for protecting your network.
The oldest and simplest type of firewall architecture is packet filtering. A packet-filtering firewall monitors traffic on layer 3 (the network layer). Packet filtering inspects the outside of a data packet for information about the source and destination IP addresses, the type of data in the packet (text, photo, etc.), and the port number. Basic packet filtering does not look at any information contained within the data packet, which means it can’t detect viruses or other threats that are disguised as something else. However, packet filtering is fast and inexpensive, which is why smaller organizations may still use this firewall architecture. It’s not recommended as your only line of defense, but it’s often used in conjunction with other firewall technologies.
A stateful firewall performs stateful inspection, which is also known as dynamic packet filtering. Like a standard packet-filtering firewall, stateful inspection runs on layer 3 (though some stateful firewalls can also monitor layer 4) and looks at the outside of a data packet. A stateful firewall also tracks the state of active connections to determine whether or not a packet is part of a trusted, established session on your network. A stateful firewall architecture provides a higher degree of security than packet filtering, but it costs more in network speed and performance. Like a packet-filtering firewall, a stateful firewall cannot inspect the actual content of data packets, so it can still be spoofed by artful hackers.
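The difference between the two architectures described in the previous two paragraphs is easiest to see in code. The following simulation is an added example, not code from the original post: a stateless packet filter that can only match header fields against static rules, and a stateful firewall that additionally records which sessions were opened from inside. The internal prefix `10.0.0.`, the rule format, and the sample packets are all constructed for the example. The stateless rule set needs a rule that admits any inbound TCP packet with source port 443 so that replies to outbound HTTPS connections get through; that rule is exactly what lets an unrelated inbound packet with a spoofed source port through, while the stateful firewall drops it because no matching session exists.

```python
from dataclasses import dataclass, field

INTERNAL_PREFIX = "10.0.0."  # constructed: addresses with this prefix are "inside"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                       # "tcp" or "udp"
    src_port: int
    dst_port: int
    flags: frozenset = field(default_factory=frozenset)  # TCP flags, e.g. {"SYN"}


def direction(pkt):
    return "out" if pkt.src_ip.startswith(INTERNAL_PREFIX) else "in"


# Rule format (constructed): (direction, proto, src_port, dst_port, action).
# None in a field means "any". First match wins; no match means drop.
def stateless_filter(pkt, rules):
    for rule_dir, proto, sport, dport, action in rules:
        if (rule_dir == direction(pkt)
                and (proto is None or proto == pkt.proto)
                and (sport is None or sport == pkt.src_port)
                and (dport is None or dport == pkt.dst_port)):
            return action
    return "drop"


# A stateless filter has no memory, so to let HTTPS replies back in it must
# accept *every* inbound TCP packet whose source port is 443 (rule 3).
STATELESS_RULES = [
    ("out", "tcp", None, None, "allow"),   # 1: any outbound TCP
    ("in",  "tcp", None, 443,  "allow"),   # 2: inbound HTTPS to the web server
    ("in",  "tcp", 443,  None, "allow"),   # 3: "replies" from HTTPS servers
]

# The stateful firewall only consults rules for *new* sessions; replies are
# admitted because the session is already in the state table.
STATEFUL_NEW_SESSION_RULES = STATELESS_RULES[:2]


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.table = set()  # 5-tuples of sessions opened under policy

    @staticmethod
    def _flow(pkt):
        return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    @staticmethod
    def _reverse(pkt):
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)

    def process(self, pkt):
        # Packets in either direction of a known session pass without a rule lookup.
        if self._flow(pkt) in self.table or self._reverse(pkt) in self.table:
            return "allow"
        verdict = stateless_filter(pkt, self.rules)
        # Only a session-opening packet (TCP SYN without ACK, or any UDP) creates state.
        opens_session = pkt.proto != "tcp" or (
            "SYN" in pkt.flags and "ACK" not in pkt.flags)
        if verdict == "allow" and opens_session:
            self.table.add(self._flow(pkt))
        return verdict


def run_scenario():
    """Run four constructed packets through both architectures."""
    packets = [
        # 1: inside client opens HTTPS to an outside server
        Packet("10.0.0.7", "198.51.100.10", "tcp", 51000, 443, frozenset({"SYN"})),
        # 2: the server's SYN/ACK reply
        Packet("198.51.100.10", "10.0.0.7", "tcp", 443, 51000, frozenset({"SYN", "ACK"})),
        # 3: unrelated outside host using source port 443 to reach an inside RDP port
        Packet("203.0.113.5", "10.0.0.7", "tcp", 443, 3389, frozenset({"SYN"})),
        # 4: legitimate new HTTPS connection to the published web server
        Packet("203.0.113.5", "10.0.0.20", "tcp", 40000, 443, frozenset({"SYN"})),
    ]
    stateful = StatefulFirewall(STATEFUL_NEW_SESSION_RULES)
    return {
        "stateless": [stateless_filter(p, STATELESS_RULES) for p in packets],
        "stateful": [stateful.process(p) for p in packets],
    }


if __name__ == "__main__":
    for arch, verdicts in run_scenario().items():
        print(arch, verdicts)
```

Packet 3 is the one to watch: the stateless filter allows it because rule 3 only sees a source port of 443, while the stateful firewall drops it because nothing inside ever opened a session to that host and the new-session policy does not permit inbound port 3389. Neither architecture looks past the headers, which is the limitation the paragraph above ends on.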
A circuit-level gateway monitors network protocol session initiation messages, such as TCP handshakes, to determine whether the source can be trusted and whether the session is legitimate. A circuit-level gateway operates at layer 5 — the session layer — and acts as a proxy (or gateway) between the untrusted outside client and the internal recipient. It doesn’t inspect the packet itself, instead looking at things like the SYN flags, ACK flags, and sequence numbers in a TCP handshake to determine if a session is valid. When a circuit-level gateway is used in conjunction with a standard or stateful packet filter, the firewall has more information to determine the safety of a network connection. However, a circuit-level gateway does not provide adequate network security on its own.
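To make concrete what "looking at the SYN flags, ACK flags, and sequence numbers" means, here is an added example (not code from the original post) of the handshake check a circuit-level gateway performs. It tracks each pending TCP three-way handshake, requires the SYN/ACK to acknowledge the client's initial sequence number plus one and the final ACK to acknowledge the server's, and only then marks the session as established. Segment addresses, sequence numbers and the `Segment` type are constructed for the example; a real gateway would also age out pending entries and handle RST, which is omitted here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str          # "ip:port" of the sender (constructed format)
    dst: str          # "ip:port" of the receiver
    flags: frozenset  # TCP flags present, e.g. {"SYN", "ACK"}
    seq: int          # sequence number
    ack: int          # acknowledgement number (ignored when ACK flag is absent)


class HandshakeValidator:
    """Session-layer gate: a flow is trusted only after a consistent handshake."""

    def __init__(self):
        self.pending = {}       # (client, server) -> handshake progress
        self.established = set()  # (client, server) tuples that completed

    def observe(self, seg):
        fwd, rev = (seg.src, seg.dst), (seg.dst, seg.src)
        flags = set(seg.flags)

        if flags == {"SYN"}:
            # Step 1: client proposes a session; remember its initial sequence number.
            self.pending[fwd] = {"state": "SYN_SENT", "client_isn": seg.seq}
            return "pending"

        if flags == {"SYN", "ACK"}:
            # Step 2: must answer a pending SYN and acknowledge client_isn + 1.
            entry = self.pending.get(rev)
            if (entry and entry["state"] == "SYN_SENT"
                    and seg.ack == entry["client_isn"] + 1):
                entry.update(state="SYN_RECEIVED", server_isn=seg.seq)
                return "pending"
            self.pending.pop(rev, None)  # inconsistent reply: discard the attempt
            return "reject"

        if flags == {"ACK"}:
            # Step 3: completes a handshake if both numbers line up ...
            entry = self.pending.get(fwd)
            if (entry and entry["state"] == "SYN_RECEIVED"
                    and seg.seq == entry["client_isn"] + 1
                    and seg.ack == entry["server_isn"] + 1):
                del self.pending[fwd]
                self.established.add(fwd)
                return "established"
            # ... otherwise it is only acceptable inside an existing session.
            if fwd in self.established or rev in self.established:
                return "established"
            return "reject"

        # Any other flag combination outside an established session is refused.
        if fwd in self.established or rev in self.established:
            return "established"
        return "reject"


def run_scenario():
    """Constructed traffic: one valid handshake, one orphan ACK, one bad SYN/ACK."""
    gw = HandshakeValidator()
    client, server = "10.0.0.7:51000", "198.51.100.10:443"
    out = [
        gw.observe(Segment(client, server, frozenset({"SYN"}), seq=1000, ack=0)),
        gw.observe(Segment(server, client, frozenset({"SYN", "ACK"}), seq=5000, ack=1001)),
        gw.observe(Segment(client, server, frozenset({"ACK"}), seq=1001, ack=5001)),
        # An ACK for a session the gateway never saw open is not trusted.
        gw.observe(Segment("203.0.113.5:40000", "10.0.0.7:3389", frozenset({"ACK"}), seq=77, ack=88)),
        # A second client whose SYN/ACK carries the wrong acknowledgement number.
        gw.observe(Segment("10.0.0.8:52000", server, frozenset({"SYN"}), seq=2000, ack=0)),
        gw.observe(Segment(server, "10.0.0.8:52000", frozenset({"SYN", "ACK"}), seq=6000, ack=9999)),
    ]
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The validator never looks at a payload byte, which is why the paragraph above says a circuit-level gateway is not adequate on its own: it can confirm that a session was negotiated correctly, not that what flows over it is safe.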
An application-level gateway, like a circuit-level gateway, acts as a proxy firewall, intercepting all data packets coming into the network before sending them along to their final destination. An application-level gateway inspects traffic on layer 7 (the application layer) and uses an application protocol, such as HTTP-proxy or FTP-proxy, to relay data packets. It performs deep layer inspection to open and verify the contents of packets before repackaging and forwarding them to their intended recipient. This makes application-level gateways a highly secure firewall architecture, but it also makes them slow and resource-intensive.
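The "open, verify, repackage, forward" cycle of an application-level gateway can be shown with a minimal HTTP proxy policy. The code below is an added example, not code from the original post or from any particular product: it parses a raw HTTP/1.x request, checks it against a constructed policy (permitted methods, permitted hosts, a body size limit, and consistent body framing), and either rejects it or rebuilds a normalized request to relay. The allowed method and host sets, the size limit and the sample requests are all assumptions made for the example.

```python
# Constructed policy for the example gateway.
ALLOWED_METHODS = {"GET", "POST"}
ALLOWED_HOSTS = {"intranet.example.com"}
MAX_BODY_BYTES = 1024


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, version, headers, body).

    Raises ValueError on anything that does not look like a well-formed request,
    so the caller can treat every parse failure as a reject.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.decode("ascii").split("\r\n")   # non-ASCII raises UnicodeDecodeError
    method, target, version = lines[0].split(" ")  # wrong field count raises ValueError
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers, body


def inspect(raw: bytes):
    """Return ("forward", rebuilt_request_bytes) or ("reject", reason)."""
    try:
        method, target, version, headers, body = parse_request(raw)
    except (ValueError, UnicodeDecodeError) as exc:
        return ("reject", f"malformed request: {exc}")

    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return ("reject", f"unsupported version {version}")
    if method not in ALLOWED_METHODS:
        return ("reject", f"method {method} not permitted")
    if not target.startswith("/"):
        return ("reject", "request target must be an origin-form path")
    if headers.get("host") not in ALLOWED_HOSTS:
        return ("reject", f"host {headers.get('host')!r} not permitted")

    # Refuse requests whose body length is ambiguous: two framing mechanisms at once.
    if "transfer-encoding" in headers and "content-length" in headers:
        return ("reject", "ambiguous body framing")
    try:
        declared = int(headers.get("content-length", "0"))
    except ValueError:
        return ("reject", "non-numeric content-length")
    if declared != len(body):
        return ("reject", f"content-length {declared} does not match body of {len(body)} bytes")
    if len(body) > MAX_BODY_BYTES:
        return ("reject", "body exceeds size limit")

    # Repackage: the gateway emits its own canonical request, not the client's bytes.
    head = f"{method} {target} {version}\r\n" + "".join(
        f"{name}: {value}\r\n" for name, value in sorted(headers.items())) + "\r\n"
    return ("forward", head.encode("ascii") + body)


def run_scenario():
    """Constructed sample requests exercising each policy branch."""
    requests = [
        b"GET /status HTTP/1.1\r\nHost: intranet.example.com\r\nUser-Agent: demo\r\n\r\n",
        b"TRACE / HTTP/1.1\r\nHost: intranet.example.com\r\n\r\n",
        b"GET /status HTTP/1.1\r\nHost: other.example.net\r\n\r\n",
        b"POST /upload HTTP/1.1\r\nHost: intranet.example.com\r\nContent-Length: 50\r\n\r\nshort",
        b"POST /upload HTTP/1.1\r\nHost: intranet.example.com\r\nContent-Length: 5\r\n"
        b"Transfer-Encoding: chunked\r\n\r\nhello",
    ]
    return [inspect(r) for r in requests]


if __name__ == "__main__":
    for verdict, detail in run_scenario():
        print(verdict, detail if verdict == "reject" else detail[:40])
```

Only the first request is forwarded, and what is forwarded is the gateway's own reconstruction with lowercased, sorted headers rather than the client's original bytes. That reconstruction step is where the security benefit and the performance cost described above both come from: every request is fully parsed and re-serialized, so malformed or policy-violating traffic never reaches the server, but the gateway does far more work per connection than a header-only filter.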
A next-generation firewall (NGFW) rolls up multiple firewall architectures, as well as other network security functionalities, into one device. For example, an NGFW usually includes not just stateful packet inspection but also deep packet inspection (DPI), which examines the actual data within the packet to determine whether it’s safe. An NGFW can also inspect traffic on layers 2-7 of the OSI model, providing more comprehensive network security than other firewall architectures. Some NGFWs also include AI (artificial intelligence) traffic analysis, which is better at detecting subtle indicators of a threat than traditional signature-based firewalls. However, NGFWs are more expensive than traditional firewalls, which can be a barrier to smaller organizations.
Cloud-based firewall architectures are software firewalls that are designed and optimized to protect cloud, multi-cloud, and hybrid cloud environments. For example, firewall as a service (FWaaS) takes NGFW functionality and makes it available as a cloud-based service, giving your cloud and SaaS resources the same level of security as your on-premises resources. Cloud-based firewalls are hosted externally, which means you don’t need to support or maintain the hardware yourself. They’re also easily scalable as your business grows since you can simply add on new services at any time without needing to upgrade or replace any physical hardware.
Firewall technology is growing more advanced over time to keep up with the increased number and sophistication of network security threats. A single method of defense, like packet filtering, is no longer enough to protect you from modern attacks like advanced persistent threats. That’s why you need an advanced firewall architecture like NGFW that defends multiple layers and combines multiple security technologies like DPI, artificial intelligence, and more. In addition, if you’re seeking DevOps maturity and digital transformation by adopting cloud technology, you need a firewall architecture that offers the same degree of protection in the cloud, like FWaaS.