This article will dig deeper into the most common type of network firewalls. We will elaborate stateful firewalls, stateless or packet-filtering firewalls, application-level gateway firewalls, and next-generation firewalls. We are going to define them and describe the main differences, including both their advantages and disadvantages.
A firewall can be a software firewall, a hardware firewall, or a combination of both. Software firewalls are applications or programs installed on devices. Hardware firewalls, on the other hand, are physical devices.
Stateful Inspection Firewall
A stateful firewall is located at Layer 3 (source and destination IP addresses) and Layer 4 (Transmission Control Protocol/TCP and User Datagram Protocol/UDP) of the OSI model. It is a type of firewall that monitors the status of active network connections while analyzing incoming packets for potential threats.
Essential firewall functions include preventing malicious traffic from entering or leaving the private network. Monitoring the state and context of network communications is critical because this information can be used to identify threats based on where they come from, where they go, or the content of their data packets. Stateful firewalls can detect unauthorized network access attempts and analyze data within packets to see if it contains malicious code.
Advantages of Stateful Inspection Firewalls:
- Connection state-aware
- Does not open a large range of ports to permit traffic
- Extensive logging capabilities
- Robust attack prevention
Disadvantages of Stateful Firewalls:
- It can be complex to configure
- Cannot avoid application-level attacks
- Does not have user authentication capability
- Not all protocols have state information
- Additional overhead in maintaining state table
Stateless Firewall
We can also call it a packet-filtering firewall. We can also call it a packet-filtering firewall. It is the oldest and most basic type of firewalls. Stateless packet-filtering firewalls operate inline at the network’s perimeter. These firewalls, however, do not route packets; instead, they compare each packet received to a set of predefined criteria, such as the allowed IP addresses, packet type, port number, and other aspects of the packet protocol headers. Packet filters provide a basic level of security that can give protection against known threats. The packet filter does not maintain a connection state table.
Packet-filtering Firewall Advantages:
- A single device can filter traffic for an entire network
- Extremely fast processing of packets
- Inexpensive
Packet-filtering Firewall Disadvantages:
- It can be complex to configure and hard to manage
- Cannot avoid application-level attacks
- Does not have user authentication capability
- Limited logging capabilities
- Prone to certain types of TCP/IP protocol attacks
Application-Level Gateway Firewalls
Application-level gateway firewalls work on Layer 7, application layer, of the OSI reference model. They inspect and route internet traffic to and from the requested web address and the user. Moreover, they also address network security and privacy policies and support internet traffic regulation and usage. Proxy firewalls are the most common type of application-level gateway firewalls. The connections coming from outside the network are established through the proxy firewall.
Application-Level Gateway Firewalls Advantages:
- Content caching
- Increased network performance
- Easier to log traffic
- Prevents direct connections from outside the network
Application-Level Gateway Firewalls Disadvantages:
- Impact throughput capabilities
- Impact applications
Next-Generation Firewalls
The Next-Generation Firewall (NGFW) is a deep-packet inspection firewall that expands beyond port/protocol inspection and blocking to include application-level inspection (up to Layer 7 of the OSI), intrusion prevention, and intelligence from outside the firewall.
NGFW is a more advanced version of traditional firewalls that provides the same benefits. NGFW, like traditional firewalls, employ both static and dynamic packet filtering and VPN support to secure all connections between the network, internet, and firewall. Both types of firewalls should be able to do NAT and PAT.
There are also significant differences between traditional and next-generation firewalls. The ability of an NGFW to filter packets based on applications is the most apparent distinction between the two. These firewalls have a high level of control and visibility over the applications that they can identify through analysis and signature matching. They can use whitelists or a signature-based intrusion prevention system to distinguish between safe and malicious applications, which are then identified using SSL decryption. Unlike most traditional firewalls, NGFWs also include a path for receiving future updates.
Next-Generation Firewalls Advantages:
- More secure
- Supports application-level inspection up to Layer 7 of the OSI model
- Capable of user authentication
- Detailed logging
Next-Generation Firewalls Disadvantages:
- Take a lot more system resources
- Can be more expensive than some firewall options
- Requires more fine-tuning to limit false positives and false negatives
Download our Free CCNA Study Guide PDF for complete notes on all the CCNA 200-301 exam topics in one book.
We recommend the Cisco CCNA Gold Bootcamp as your main CCNA training course. It’s the highest rated Cisco course online with an average rating of 4.8 from over 30,000 public reviews and is the gold standard in CCNA training:
