Gateways - Firewalls

First of all, you may have noticed that we avoid the term "firewall" throughout these web pages. Since everything from simple packet filters (ACLs), stateful and stateful inspection packet filters to proxies and hybrids is called a "firewall" by its vendor, we prefer the more neutral term "secure gateway". But let's have a closer look at the various "firewall" types:

Simple Packet Filter / Access Control Lists (ACLs)
Description
These filters look at the headers of each packet in isolation: source and destination IP address, protocol, source and destination port (for TCP/UDP) and the TCP flags. If the headers match an "allow" rule the packet is forwarded, otherwise it is dropped; nothing is remembered from one packet to the next.
Because of that, every connection needs two rules: one for the request (e.g. to TCP/80 for HTTP access) and one for the answer (for most TCP protocols, e.g. HTTP: from TCP/80 back to TCP/1024-65535 with the ACK flag set, the "reply bit", which is what the "established" keyword of Cisco ACLs matches).
Advantages
Easy to implement
Fastest of all filter types (read: cheaper, as a slower CPU will do).
Disadvantages
Does not protect against attacks with malformed packets.
Does not protect against protocol-based attacks (e.g. buffer overflows in the service behind the filter), as the payload is never looked at.
Usually allows arbitrary "answer" packets to be sent in from outside: any packet with source port 80 and the ACK flag set matches the answer rule whether or not an internal host ever sent a request, so an outsider can reach or probe internal services on ports above 1023. This is exploitable with specialized daemons like Reverse Pimpage or by mounting DoS attacks (e.g. SYN-flooding) against the internal network.
Examples
Software: Linux ipfwadm/ipchains (kernels before 2.4), Sinus Firewall (Linux), Drawbridge (*BSD)
"Appliances": normal routers (e.g. Cisco ACLs)

Stateful Packet Filters
Description
These filters check the same packet headers as simple packet filters (addresses, protocol, ports, flags), but additionally keep a table of the connections they have seen.
Usually (read: for TCP connections) only the allowed outgoing protocols are configured. When an outgoing packet passes the filter (opening a connection), the filter records the connection and opens exactly the one matching return path (reversed addresses and ports) for the duration of that connection. When the connection ends (FIN/RST or timeout) the entry is removed and the answer port is closed again. This behaviour (remembering the status or state of each connection) is where the name comes from.
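To make the difference between the two filter types concrete, here is an added illustration (not code from this page or from any of the products named on it): a stateless "request plus answer" rule pair beside a stateful filter with a connection table, both replayed over the same constructed packets. The internal network 10.0.0.0/8, the policy "inside hosts may open TCP/80 outwards", the addresses and the packet sequence are all assumptions made for the example; the stateful filter's teardown is simplified to "drop the entry once both sides have sent FIN".

```python
# Added illustration: a stateless ACL pair versus a stateful packet filter,
# replayed over constructed packets. No real network I/O; addresses are from
# RFC 1918 (inside) and the RFC 5737 documentation ranges (outside).
import ipaddress
from dataclasses import dataclass

INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed internal network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False


def is_inside(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INSIDE_NET


def is_outbound_http(p: Packet) -> bool:
    """The only policy in this example: inside hosts may talk to TCP/80 outside."""
    return is_inside(p.src) and not is_inside(p.dst) and p.dport == 80


def stateless_allows(p: Packet) -> bool:
    """Simple packet filter: the request rule plus the matching 'answer' rule.
    Each packet is judged on its own; nothing is remembered."""
    request = is_outbound_http(p)
    answer = (not is_inside(p.src) and is_inside(p.dst)
              and p.sport == 80 and 1024 <= p.dport <= 65535
              and p.ack)           # the "reply bit" (ACK) is the only proof of a reply
    return request or answer


class StatefulFilter:
    """Stateful packet filter: the answer path exists only while the connection
    it belongs to is in the table. Teardown is simplified: the entry is dropped
    once both sides have sent FIN (a real conntrack keeps a TIME_WAIT timer)."""

    def __init__(self) -> None:
        self.table: dict = {}     # outbound 4-tuple -> set of sides that sent FIN

    def _lookup(self, p: Packet):
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.table:
            return key, "client"
        rev = (p.dst, p.dport, p.src, p.sport)
        if rev in self.table:
            return rev, "server"
        return None, None

    def allows(self, p: Packet) -> bool:
        conn, side = self._lookup(p)
        if conn is None:
            if is_outbound_http(p) and p.syn and not p.ack:
                self.table[(p.src, p.sport, p.dst, p.dport)] = set()   # open state
                return True
            return False          # no matching state: dropped even if it looks like a reply
        if p.fin:
            self.table[conn].add(side)
            if self.table[conn] == {"client", "server"}:
                del self.table[conn]                                   # answer port closed again
        return True


CLIENT, SERVER, ATTACKER = "10.0.0.5", "203.0.113.10", "198.51.100.7"

# Constructed traffic, in order of arrival at the gateway.
TRAFFIC = [
    ("client SYN", Packet(CLIENT, 40000, SERVER, 80, syn=True)),
    ("server SYN/ACK", Packet(SERVER, 80, CLIENT, 40000, syn=True, ack=True)),
    ("forged reply to internal 3306", Packet(ATTACKER, 80, "10.0.0.9", 3306, ack=True)),
    ("outside SYN from port 80", Packet(ATTACKER, 80, "10.0.0.9", 3306, syn=True)),
    ("client FIN", Packet(CLIENT, 40000, SERVER, 80, fin=True, ack=True)),
    ("server FIN", Packet(SERVER, 80, CLIENT, 40000, fin=True, ack=True)),
    ("late packet after close", Packet(SERVER, 80, CLIENT, 40000, ack=True)),
]


def run_comparison() -> dict:
    """Replay TRAFFIC through both filters; returns name -> (stateless, stateful) verdict."""
    stateful = StatefulFilter()
    return {name: (stateless_allows(p), stateful.allows(p)) for name, p in TRAFFIC}


if __name__ == "__main__":
    for name, (sl, sf) in run_comparison().items():
        print(f"{name:32} stateless={'pass' if sl else 'drop'}  stateful={'pass' if sf else 'drop'}")
```

The forged packet (source port 80, ACK set, aimed at an internal port above 1023) passes the stateless filter and is dropped by the stateful one, and so is the server's late packet after both FINs. On a Linux 2.4 Netfilter box the stateful half is the usual `-m state --state ESTABLISHED,RELATED -j ACCEPT` rule, while the stateless answer rule corresponds to accepting inbound `-p tcp --sport 80 ! --syn`.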
Advantages
Comparatively easy to implement. Standard protocols are very easy to configure, as only the outgoing direction needs a rule.
Among the fastest filter types (read: cheaper, as a slower CPU will do).
Protects against "answer" packet exploits (an incoming packet that matches no recorded connection is dropped, however much it looks like a reply) and against some DoS attacks like SYN-flooding.
Disadvantages
Does not protect against attacks with malformed packets.
Does not protect against protocol-based attacks (e.g. buffer overflows in the service behind the filter), as the payload is still not looked at.
Examples
Software: Linux Netfilter/iptables (kernel 2.4), IPFilter (IPF, *BSD), OpenBSD PF
Appliances: Watchguard, Netscreen, Rapidstream

Stateful Inspection Packet Filters
Description
These are stateful packet filters with inspection modules. These modules (available for the most popular protocols) check whether the session that was opened really looks like the protocol that belongs to the port used. If not, the session is terminated.
For example, a normal HTTP inspection module checks whether the first line of a TCP request on port 80 starts with the characters PUT, POST or GET. If so, the session is assumed to be HTTP and thus valid; what follows that first line is not necessarily examined at all.
Advantages
As stateful packet filters, plus some guard against misuse of open ports for protocols other than the intended one.
In theory this technique is faster than proxies or hybrid firewalls.
Disadvantages
As stateful packet filters; and, depending on the quality of the inspection modules, only a minor guard against port misuse, as a check like the one above is satisfied by any tunnel that sends a plausible first line before its real traffic.
Examples
Software: Checkpoint Firewall-1, Linux (Kernel 2.6 L7-Filter)
Appliances: Sonicwall (inspection for HTTP only)

(Hardened) Proxies
Description
Specialized proxies / relay services are used, one for each protocol. In most cases these are standard proxies or servers with a more paranoid configuration (compared to their out-of-the-box configuration), but some specialized security-aware services are available, too.
Advantages
As a proxy terminates the client's connection and opens a fresh one to the server, every packet is rebuilt: malformed IP/TCP packets can only hit the gateway host itself, never the protected network.
Protection against most protocol-based attacks, as the proxy has to read (and "understand") the requests or commands in order to re-send them; what it cannot parse, it cannot forward.
Unwanted protocol options (or headers) can be blocked or anonymized, which makes the internal network harder to see from outside.
The effect of NAT (Network Address Translation) comes "for free", as servers only ever see the proxy's own address. It cannot be switched off, either.
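The contrast between the shallow first-line check of the stateful inspection section above and the "read, understand, re-send" behaviour of a proxy is easiest to see on the same input. Below is an added illustration (not code from this page or from any product named on it): a port-80 inspection check as described above, beside a minimal HTTP request proxy that parses the request into its parts and serializes a fresh copy from those parts, dropping headers that would reveal the internal network. The allowed methods, the list of headers to strip and the sample requests are assumptions made for the example; the body-length check treats the sample as one complete buffer, which a real proxy would assemble over time.

```python
# Added illustration: shallow port-80 inspection check beside a proxy that
# rebuilds the request from parsed fields. Samples below are constructed.
import re

ALLOWED_METHODS = {b"GET", b"POST", b"PUT", b"HEAD"}                      # assumed policy
ALLOWED_VERSIONS = {b"HTTP/1.0", b"HTTP/1.1"}
STRIP_HEADERS = {b"via", b"x-forwarded-for", b"forwarded", b"user-agent"}  # leak internals: drop
TOKEN = re.compile(rb"[A-Za-z0-9!#$%&'*+.^_`|~-]+")                       # RFC 7230 tchar


def inspection_module_accepts(stream: bytes) -> bool:
    """Inspection module as described on the page: look at the first bytes only."""
    return stream.startswith((b"GET ", b"POST ", b"PUT "))


class ProxyError(ValueError):
    """Anything the proxy cannot understand is never forwarded."""


def _printable(b: bytes) -> bool:
    return all(0x20 <= c < 0x7F or c == 0x09 for c in b)


def proxy_rewrite(raw: bytes) -> bytes:
    """Parse one HTTP request and return a freshly serialized copy.
    Nothing from the original byte stream is copied through verbatim: only
    fields the parser understood are re-emitted, in canonical form."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ProxyError("no end of headers")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise ProxyError("malformed request line")
    method, target, version = parts
    if method not in ALLOWED_METHODS:
        raise ProxyError("method not allowed")
    if version not in ALLOWED_VERSIONS:
        raise ProxyError("unknown HTTP version")
    if not target.startswith(b"/") or not _printable(target):
        raise ProxyError("bad request target")
    headers = []
    content_length = 0
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        name, value = name.strip(), value.strip()
        if not colon or not TOKEN.fullmatch(name) or not _printable(value):
            raise ProxyError("malformed header")
        lname = name.lower()
        if lname in STRIP_HEADERS:
            continue                                  # anonymized: never reaches the server
        if lname == b"content-length":
            if not value.isdigit():
                raise ProxyError("bad Content-Length")
            content_length = int(value)
        headers.append((name, value))
    if len(body) != content_length:
        raise ProxyError("body does not match Content-Length")   # a tunnel's raw bytes end here
    out = [b" ".join((method, target, version))]
    out += [name + b": " + value for name, value in headers]
    return b"\r\n".join(out) + b"\r\n\r\n" + body


def gateway_verdicts(raw: bytes) -> tuple:
    """(inspection module verdict, proxy verdict) for one request buffer."""
    try:
        proxy_rewrite(raw)
        proxied = True
    except ProxyError:
        proxied = False
    return inspection_module_accepts(raw), proxied


# Constructed samples.
LEGIT = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
         b"User-Agent: curl/8.0\r\nVia: 1.1 internal-lb\r\nAccept: */*\r\n\r\n")
POST = b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 7\r\n\r\na=1&b=2"
# A tunnel that sends a plausible first line and then its real (binary) protocol.
TUNNEL = b"GET / HTTP/1.1\r\n\r\n\x00\x00\x00\x1cSSH-2.0-OpenSSH_8.9\r\n"
RAW_SSH = b"SSH-2.0-OpenSSH_8.9\r\n"

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("post", POST), ("tunnel", TUNNEL), ("raw ssh", RAW_SSH)):
        print(f"{label:8} inspection/proxy = {gateway_verdicts(sample)}")
    print(proxy_rewrite(LEGIT))
```

The tunnel sample is accepted by the inspection check (it starts with "GET ") and rejected by the proxy, because the bytes after the empty line are a body that no Content-Length announced; the legitimate request is forwarded with its User-Agent and Via headers removed. This is the practical meaning of "the proxy has to understand the request in order to re-send it".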
Disadvantages
In theory this technique is slower than the packet filters.
One needs a specialized proxy for each and every protocol, which is a problem in most cases except HTTP, SMTP and DNS.
The address hiding (NAT) cannot be switched off.
Examples
Software: Obtuse smtpd/smtpfwdd, Tinyproxy;
any standard proxy (like Squid, Exim, Sendmail etc.) with a proper (!) configuration should be able to meet the requirements.
Appliances: AirGap, Gatekeeper. Most of these physically separate the networks involved: the data is transmitted over a non-network link between two independent proxies (one on each side).

Hybrid Firewalls
Description
Hybrid firewalls check the IP packet headers and the protocol payload before forwarding a request; in other words, a tightly coupled combination of stateful packet filtering and hardened proxies.
Advantages
Best control over the protocols allowed (very hard to tunnel anything else through an open port), including control of protocol options.
Combines the security of stateful inspection and proxies (in theory).
Disadvantages
In theory this technique is the slowest of all gateway types.
For the full benefit one needs a specialized proxy for each and every protocol, which is a problem in most cases except HTTP, SMTP and DNS. Generic "proxies" (read: forwarders) are available on all hybrids, but they do not offer the security options of a real proxy.
Examples
Software: Symantec/Axent/Eagle Raptor Firewall, TIS/Gauntlet/Sidewinder, Novell BorderManager
Appliances: Cisco Pix, Cobalt/Symantec Velociraptor, Symantec SGS-54xx, GenuaGate