Ask the Expert

How do circuit-level gateways and application-level gateways differ?

What is the difference between circuit-level gateways and application-level gateways relative to network firewalls?

Good question. First, let's clarify some terminology. Security professionals use a number of different terms that all mean the same thing. Circuit-level gateways are often referred to as stateful inspection firewalls. Application-level gateways are often referred to as proxy firewalls or application proxy firewalls.

There are three general classes of firewalls: packet filtering firewalls, stateful inspection firewalls and proxy firewalls. All three analyze inbound packets against a rule base and decide to block or allow the packet based upon those rules. Packet filtering firewalls don't do anything else. They analyze each packet in isolation and don't have any context (or "state") information to compare the current packet with previous packets.

Stateful inspection firewalls go a bit further. They monitor the connection setup and teardown process to keep tabs on connections at the TCP/IP level. This allows them to keep track of state information and determine which systems have open, authorized connections at any given point in time. They only reference the rule base when a new connection is requested. Packets belonging to existing connections are compared to the firewall's state table of open connections, saving time and providing added security.

Proxy firewalls are the most advanced. Like stateful inspection firewalls, they're connection-aware. But unlike the other two, they intercept all connections and perform an in-depth application layer analysis. Each time an external client requests a connection with an internal server (or vice versa), the client opens a connection with the firewall. If the connection meets the criteria in the firewall rule base, the proxy firewall will open a connection to the requested server. This places the firewall in the middle of the logical connection and allows it to watch the traffic for any signs of malicious activity at the application level.
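As an added illustration of the three classes described above (this is example code, not part of the original article or any product), the following Python model runs one constructed packet trace through a stateless packet filter, a stateful inspection firewall with a connection table, and an application-level proxy that parses the payload as HTTP. The addresses, rule base, TCP flag handling and packet trace are all simplified and constructed for the example; the names `PacketFilter`, `StatefulFirewall`, `ProxyFirewall` and `run_trace` are this example's own.

```python
"""Toy models of the three firewall classes: stateless packet filter,
stateful inspection firewall, and application-level proxy. Packets,
addresses and the rule base are constructed for this example."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "SYN", "ACK" or "FIN" (simplified TCP)
    payload: str = ""   # application-layer data as text, if any


# Constructed rule base: only new connections to the internal web server
# on port 80 are permitted. All three models consult the same rules.
RULES = [{"dst": "10.0.0.5", "dport": 80, "action": "allow"}]


def rule_lookup(pkt):
    """Match a packet's header fields against the rule base; implicit deny."""
    for rule in RULES:
        if pkt.dst == rule["dst"] and pkt.dport == rule["dport"]:
            return rule["action"]
    return "deny"


class PacketFilter:
    """Stateless: every packet is judged alone, with no memory of earlier ones."""
    def handle(self, pkt):
        return rule_lookup(pkt)


class StatefulFirewall:
    """Keeps a state table of open connections. The rule base is consulted
    only at connection setup (SYN); every other packet must belong to a
    connection already in the table, in either direction."""
    def __init__(self):
        self.state = set()

    @staticmethod
    def _keys(pkt):
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return forward, reverse

    def handle(self, pkt):
        forward, reverse = self._keys(pkt)
        if pkt.flags == "SYN":
            action = rule_lookup(pkt)
            if action == "allow":
                self.state.add(forward)
            return action
        if forward in self.state or reverse in self.state:
            if pkt.flags == "FIN":           # teardown removes the entry
                self.state.discard(forward)
                self.state.discard(reverse)
            return "allow"
        return "deny"                        # no matching open connection


# A well-formed HTTP/1.x request line: method, absolute path, version.
HTTP_REQUEST = re.compile(r"^(GET|HEAD|POST) /\S* HTTP/1\.[01]$")


class ProxyFirewall(StatefulFirewall):
    """Application-level gateway: on top of connection tracking it parses
    the payload as the protocol expected on the port. Data on port 80 that
    is not a valid HTTP request line is refused, something neither of the
    other two models can see."""
    def handle(self, pkt):
        action = super().handle(pkt)
        if action == "allow" and pkt.payload and pkt.dport == 80:
            first_line = pkt.payload.split("\r\n", 1)[0]
            if not HTTP_REQUEST.match(first_line):
                return "deny"
        return action


# Constructed trace: a legitimate session, a non-HTTP payload on port 80,
# an ACK from a host that never completed a handshake, and a connection
# attempt to a port the rule base does not allow.
TRACE = [
    Packet("198.51.100.7", 40001, "10.0.0.5", 80, "SYN"),
    Packet("198.51.100.7", 40001, "10.0.0.5", 80, "ACK",
           "GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"),
    Packet("198.51.100.7", 40001, "10.0.0.5", 80, "ACK",
           "SSH-2.0-ConstructedBanner\r\n"),
    Packet("203.0.113.9", 40002, "10.0.0.5", 80, "ACK", "GET / HTTP/1.1\r\n\r\n"),
    Packet("198.51.100.7", 40003, "10.0.0.5", 22, "SYN"),
]


def run_trace(trace=TRACE):
    """Feed the trace through all three models; return each model's decisions."""
    firewalls = {"packet_filter": PacketFilter(),
                 "stateful": StatefulFirewall(),
                 "proxy": ProxyFirewall()}
    return {name: [fw.handle(p) for p in trace] for name, fw in firewalls.items()}


if __name__ == "__main__":
    for name, decisions in run_trace().items():
        print(f"{name:14s} {decisions}")
```

Running it shows the progression the answer describes: the packet filter allows the fourth packet because its header matches a rule, even though no handshake preceded it; the stateful firewall rejects it because there is no entry in its state table; and only the proxy rejects the third packet, whose port is permitted and whose connection is open but whose payload is not HTTP.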

For more on firewalls, read the Firewall Architecture Guide.

This was first published in July 2006