Sergey Nivens - Fotolia

What are the 5 types of network firewalls and how are they different?

As they monitor and filter network traffic, some firewalls can provide some pretty advanced security controls. But added packet inspection can slow network performance.

For decades, firewalls have played an important role in protecting private networks from potentially harmful traffic from third-party networks and the public internet. Firewalls provide a line of defense by monitoring inbound and outbound traffic activity. The firewall can block traffic that does not adhere to policy or is otherwise known to be potentially damaging.

Today, five types of network firewalls differ in how they assess traffic and affect network performance. The different types of network firewalls are packet filtering firewalls, circuit-level gateways, stateful inspection firewalls, application or proxy firewalls, and next-generation firewalls.

A packet filtering firewall reflects the original approach to providing a perimeter security system for deflecting malicious traffic at the router or switch. By inspecting incoming and outgoing data packets at the switch or router, the firewall can get basic data on destination and origin IP address, port number and packet type. If the packet does not meet security policy, the firewall won't forward it to its destination.

Because packet filtering firewalls don't have to open the packet, they can process traffic information quickly. However, these are fairly basic systems that are relatively easy to circumvent.

Circuit-level gateways track the TCP handshake between packets to determine if it's a valid session. Traffic is allowed through or rejected based on session policies. These gateways don't reveal data about the network they are protecting, but they also don't inspect packets. They may easily miss malicious traffic.

A stateful inspection firewall examines each packet in the context of the TCP session in which it is engaged, tracking activity from the start of the session to the end. This type of firewall accepts or rejects traffic on the basis of both security policy and data collected from prior activity that was part of the same connection. Stateful inspection firewalls provide more advanced controls than packet filtering firewalls, but they are slower to process packets, which puts a drag on network performance.

In this video, see how firewalls filter packets and safeguard enterprise networks.

An application or proxy firewall filters incoming traffic at the application layer. The proxy firewall makes a connection at the traffic's point of origination, inspecting the packet for malicious content or policy violations, including known viruses, flagged websites and exploits. While application firewalls can be particularly effective, they can also slow network performance.

Next-generation firewalls represent the most modern and broadest class of security gateways. These firewalls blend traditional packet filtering and stateful inspection capabilities with more sophisticated features, such as deep packet inspection and encrypted traffic inspection. Next-generation firewalls might also add other functionalities outside the bounds of traditional gateway systems, such as quality of service, bandwidth management and identity management.

Dig Deeper on Network security

Unified Communications
Mobile Computing
Data Center