Gateways - Firewalls
First of all, you might have noticed that we avoid the term
"Firewall" throughout these web pages. As anything from simple
packet filters (ACLs), stateful and stateful inspection packet filters to
proxies and hybrids is called a "firewall" by the vendors, we chose to
prefer the more neutral term "secure gateway". But let's have a closer look
at the various "Firewall" types:
- Simple Packet Filter / Access Control Lists (ACLs)
- Description
- These filters check only the source and target IP
addresses (and ports) of each packet. If a packet matches an
"allow" rule, it is forwarded, else it is dropped.
For every connection one has to implement rules both for
the request (e.g. TCP/80 for HTTP access) and for the answer
(which is TCP/1024-65535 with the reply (ACK) bit set for most TCP
protocols, e.g. HTTP).
- Advantages
- Easy to implement.
Fastest of all filter types (read: cheaper, as a slower CPU can
be used).
- Disadvantages
- Does not protect against attacks with malformed packets.
Does not protect against protocol-based attacks (i.e. most
probably buffer overflows).
Usually allows arbitrary "answer" sessions to be opened from
outside - exploitable with specialized daemons like
Reverse Pimpage or by issuing DoS attacks (e.g.
SYN flooding) against the internal network.
- Examples
- Software: Linux IPFW (Kernel < 2.4),
Sinus Firewall (Linux),
Drawbridge (*BSD)
- "Appliances": normal routers (e.g. Cisco ACLs)
- Stateful Packet Filters
- Description
- These filters, too, check only the source and target IP
addresses (and ports) of each packet. If a packet matches an
"allow" rule, it is forwarded, else it is dropped.
Usually (read: for TCP connections) only the allowed outgoing
protocols are configured. When an outgoing packet passes the
filter (opening a connection), the one matching port for the
answer is opened for the duration of the connection. After
that the answer port is closed again. This behaviour
(remembering the status or state of the connection) is where
the name comes from.
- Advantages
- Comparatively easy to implement. Standard protocols are very
easy to configure.
Among the fastest filter types (read: cheaper, as a slower CPU
can be used).
Protects against "answer" session exploits and some DoS attacks like
SYN flooding.
- Disadvantages
- Does not protect against attacks with malformed packets.
Does not protect against protocol-based attacks (i.e. most
probably buffer overflows).
- Examples
- Software: Linux NetFilter (Kernel 2.4),
*BSD IPF, OpenBSD PF
- Appliances: Watchguard, Netscreen, Rapidstream
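To make the difference between the two filter types above concrete, here is an added Python simulation (not code from this page or from any product named on it) of a simple ACL with a request rule and an answer rule next to a stateful filter that remembers outgoing connections; the internal network, addresses and ports are assumed sample values.

```python
from dataclasses import dataclass

# Added illustration, not code from the page or any product named there. It
# assumes internal net 10.0.0.0/8 and only outbound HTTP; values are constructed.
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool   # TCP ACK flag; clear only on the initial SYN of a connection

def inside(ip: str) -> bool:
    return ip.startswith("10.")

def acl_allow(p: Packet) -> bool:
    """Simple packet filter, as the page describes: a request rule (TCP/80
    outbound) plus an answer rule (TCP/1024-65535 inbound with ACK set)."""
    if inside(p.src) and p.dport == 80:
        return True
    return inside(p.dst) and 1024 <= p.dport <= 65535 and p.ack

class StatefulFilter:
    """Stateful packet filter: only the outgoing protocol is configured; the
    answer port is opened per connection and closed again when it ends."""
    def __init__(self) -> None:
        self.connections = set()   # (src, sport, dst, dport) of open sessions

    def allow(self, p: Packet) -> bool:
        flow = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if inside(p.src) and p.dport == 80 and not p.ack:
            self.connections.add(flow)   # outbound SYN: remember the session
            return True
        return flow in self.connections or reverse in self.connections

    def close(self, p: Packet) -> None:   # FIN/RST seen: answer port closes
        self.connections.discard((p.src, p.sport, p.dst, p.dport))
        self.connections.discard((p.dst, p.dport, p.src, p.sport))

def compare() -> dict:
    """Same three packets through both filters: name -> (acl, stateful)."""
    sf = StatefulFilter()
    packets = {
        "request": Packet("10.1.2.3", 40000, "203.0.113.10", 80, ack=False),
        "answer": Packet("203.0.113.10", 80, "10.1.2.3", 40000, ack=True),
        # unsolicited packet from outside that merely looks like an answer
        "unsolicited": Packet("198.51.100.7", 80, "10.1.2.9", 40001, ack=True),
    }
    return {name: (acl_allow(p), sf.allow(p)) for name, p in packets.items()}
```

The third packet is the "answer session" hole: the ACL's reply rule has to let it in, while the stateful filter has no matching entry and drops it.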
- Stateful Inspection Packet Filters
- Description
- These are Stateful Packet Filters with
Inspection Modules. These modules (available for
the most popular protocols) check whether the session opened
really seems to be the protocol which corresponds to the
port used. If not, the session is terminated.
For example, a typical HTTP inspection module checks whether the
first line of a TCP request on port 80 starts with the
characters PUT, POST or GET. If so, the session is assumed
to be HTTP and thus valid.
- Advantages
- As Stateful Packet Filters - plus some guard
against possible misuse of open ports for other protocols
than intended.
In principle this technique should be faster than proxies or
hybrid firewalls.
- Disadvantages
- As Stateful Packet Filters - and, depending on the
quality of the inspection modules, only minor guard against port
misuse.
- Examples
- Software: Checkpoint Firewall-1, Linux (Kernel 2.6 L7-Filter)
- Appliances: Sonicwall (inspection for HTTP only)
- (Hardened) Proxies
- Description
- Specialized proxies / relay services for each protocol are
used. In most cases these will be standard proxies or servers
with a more paranoid configuration (compared to the
out-of-the-box configurations), but there are some
specialized security-aware services available, too.
- Advantages
- As proxies re-pack all packets, protection against
malformed IP packets (which might affect the gateway server,
but not the protected network).
Protection against most protocol-based attacks, as the proxy
has to read (and "understand") the requests or commands in
order to re-send them.
Blocking and anonymizing unwanted protocol options (or
headers) is possible, thus enhancing invisibility of the
internal network.
NAT (Network Address Translation) comes "for free" - but
cannot be switched off, either.
- Disadvantages
- Theoretically this technique is slower than the packet
filters.
One needs a specialized proxy for each and every protocol -
which is a problem in most cases except HTTP, SMTP and DNS.
NAT cannot be switched off.
- Examples
- Software: Obtuse smtpd/smtpfwdd, Tinyproxy,
any standard proxy (like Squid, Exim, Sendmail etc.) with
proper (!) configuration should be able to meet the
requirements.
- Appliances: AirGap, Gatekeeper - most of these employ
a method of physically separating the networks
involved. The data is transmitted via a non-network
link between the two independent proxies (one on each
side).
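The HTTP inspection check described under Stateful Inspection and the read-and-re-send work of a hardened proxy, side by side, as an added Python illustration that is not code from this page or from any product named on it; the request-line grammar, the header allow list and the sample sessions are assumptions.

```python
import re

# Added illustration, not code from the page or any product named there.
# Assumption: the gateway sees the client's request as decoded text.
WEAK_METHODS = ("GET", "POST", "PUT")

def weak_inspect(first_line: str) -> bool:
    """Inspection rule as the page describes it: the TCP/80 session is taken
    to be HTTP if its first line starts with GET, POST or PUT."""
    return first_line.startswith(WEAK_METHODS)

# Request line per RFC 2616: Method SP Request-URI SP HTTP-Version
REQUEST_LINE = re.compile(
    r"^(GET|POST|PUT|HEAD) (/\S*|\*|https?://\S+) HTTP/1\.[01]$")

# Headers a hardened proxy passes through; everything else (User-Agent,
# Via, ...) is dropped so the internal client stays invisible.
HEADER_ALLOW = {"host", "accept", "content-type", "content-length"}

def proxy_parse(request: str):
    """What a proxy must do before re-sending: parse the whole request,
    reject anything malformed and strip headers not on the allow list.
    Returns None when the request is rejected."""
    lines = request.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if m is None:
        return None
    headers = {}
    for line in lines[1:]:
        if line == "":
            break                      # end of the header block
        if ":" not in line:
            return None                # malformed header line
        name, value = line.split(":", 1)
        if name.strip().lower() in HEADER_ALLOW:
            headers[name.strip().lower()] = value.strip()
    return {"method": m.group(1), "target": m.group(2), "headers": headers}

# Constructed sample sessions on TCP/80 (what the client sent first).
SAMPLES = {
    "http": ("GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n"
             "User-Agent: InternalBrowser/1.0\r\n\r\n"),
    "not_http": "SSH-2.0-OpenSSH\r\n",
    "looks_http": "GET hello, not a request line\r\n\r\n",
}

def classify(request: str) -> dict:
    return {"inspect": weak_inspect(request.split("\r\n")[0]),
            "proxy": proxy_parse(request) is not None}
```

The third sample shows the "depending on the quality of the inspection modules" caveat: a prefix check accepts it, while the proxy, which must parse the request to re-send it, rejects it and also drops the User-Agent header from the first sample.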
- Hybrid Firewalls
- Description
- Hybrid firewalls check IP packet headers and
protocol before forwarding the request. Or: a tightly coupled
combination of stateful packet filtering and hardened
proxies.
- Advantages
- Best control over protocols allowed (very hard to find IP
backdoors) including control of protocol options.
Combines security of Stateful Inspection and Proxies
(theoretically).
- Disadvantages
- Theoretically this technique is the slowest of all gateways.
For optimum performance one needs a specialized proxy for
each and every protocol - which is a problem in most cases
except HTTP, SMTP and DNS. Generic "proxies" (read:
forwarders) are available on all hybrids, but they do not
offer the security options of a proxy.
- Examples
- Software: Symantec/Axent/Eagle Raptor Firewall,
TIS/Gauntlet/Sidewinder, Novell BorderManager
- Appliances: Cisco Pix, Cobalt/Symantec Velociraptor,
Symantec SGS-54xx, GenuaGate