What Are the Three Types of Firewalls?


Disclosure: Our content is reader-supported, which means we earn commissions from links on Digital. Commissions do not affect our editorial evaluations or opinions.

Firewalls are an old network security technology. The first firewall was developed in 1989 by Jeff Modul of the Digital Equipment Corp. That means that some firewall technologies companies use today are more than 30 years old. While some may see this as outdated, firewalls are a timeless concept.

Key takeaways: 

  • Firewalls protect your network from attacks by hackers and malicious software.
  • The three main types of firewalls (packet-filtering, stateful inspection, and proxy) offer progressively more advanced protection levels.
  • Firewalls don’t inspect application-level traffic, which can lead to blocking safe traffic or websites such as YouTube under certain circumstances.

What Is a Firewall?

firewall is a sort of gatekeeper that logs, inspects, and sometimes blocks the traffic entering and sometimes leaving your network. The firewall is an old security technology that has evolved to include new capabilities and variations to meet the demands of networks. What started as a manually controlled gatekeeper has turned into a smart inspection tool that exists on local servers and in the cloud.

What Are the Capabilities and Limits of a Firewall?

A firewall is an exceptionally powerful tool for protecting your network but with a few caveats. Firewalls are meant to protect you at the packet level, meaning they handle protocol inspections.

Firewalls can:

  • Log and inspect traffic.
  • Restrict traffic types based on corporate policies.
  • Keep lists of allowed sources of traffic.
  • Block out malicious traffic types or sources.

Firewalls are necessary for protecting your network, but they’re not flawless. I’ll explain why.

Two types of traffic are sent over networks:

  1. User datagram protocol (UDP): A lightweight protocol that doesn’t require any “handshakes” between the device requesting the traffic and the source delivering the traffic. So UDP traffic can stream data like gaming, video, or streaming service sites to recipients. However, this content stream isn’t guaranteed, which occasionally leads to packet loss.
  2. Transmission control protocol (TCP): This protocol requires a handshake (this synchronizes the connection between two points and acknowledges the transfer of packets) between senders and receivers to ensure quality delivery with no packet loss.

The problem with firewalls is that most of them only evaluate traffic on these basic levels without any deeper inspection. This can lead to clumsy attempts at blocking certain actions by halting certain traffic, such as YouTube videos that use UDP. This can affect the delivery of other valid traffic that uses the same protocol. An example is Zoom, which also uses UDP.

Firewalls don’t inspect traffic at the application level, which is why other tools, such as secure web gateways (SWG) were created, which gives security professionals an added layer of control. Think of it this way: A firewall is a sledgehammer. In some cases, a sledgehammer is needed to fix a problem. But, in other cases, a more detailed solution is needed that a firewall can’t handle.

An Overview of the Three Main Firewall Types

Stateless packet-filtering firewall

A packet filtering firewall is the oldest form of firewall. These firewalls live on the edge of a perimeter security-based network and require manual inputs from a security professional to set the parameters for traffic without any learning capabilities. An administrator creates an access control list (ACL) to either allow or deny packets from certain internet protocol (IP) addresses. It’s essentially a “dumb” firewall.

Firewall diagram for a network perimeter.
This is a very basic layout of a network perimeter minus other key aspects, such as intrusion prevention systems (IPSs) and demilitarized zones (DMZs), which show the standard location of a firewall. Source: Created in Canva

What makes these firewalls “stateless” is the lack of any packet inspection, source logging, or validation capabilities. The problem with stateless packet-filter firewalls is the implied trust that’s given to IP addresses allowed by administrators. While these firewalls block traffic from denied sources, not all threats originate from malicious addresses.

In some cases, trusted addresses can be hijacked and used to pass along malicious traffic through your perimeter security — all under the nose of a stateless packet filter. Think of this like a trusted mail carrier passing along a package with a bomb in it without building security knowing.

Stateful inspection firewalls

If you’re looking for an upgrade from 1990s capabilities, that would be the stateful inspection firewall.

This firewall type is “stateful” because while it does use access control lists to regulate incoming and outgoing packets, the firewall also inspects packet traffic, logs the relevant data — originating address, packet type, destination, and so on — and compares future traffic against that log to validate it.

Here’s an illustration:

Firewall diagram for a stateful inspection firewall.
In this example, you see the firewall compares and allows traffic based on previous traffic from the originating address. Source: Created in Canva

This firewall operates under the concept of “this traffic was safe before, so if it’s the same, it’s safe now.” While this is an upgrade from using simple ACLs, this type of firewall is prone to two specific vulnerabilities.

The first issue is that stateful inspection firewalls are process-intensive and tend to bottleneck traffic due. This makes them potential targets for distributed denial-of-service (DDOS) attacks.

The second issue is that their inspection is still limited. This makes it possible for hijacked traffic through the firewall so long as the traffic type isn’t unexpected. This makes stateful firewalls vulnerable to “man-in-the-middle” (MITM) attacks where hackers intercept the connection and begin sending altered packets of the same type back through the firewall. Your firewall won’t know that the traffic is malicious since it’ll look like it’s coming from an expected source.

Proxy firewalls

Out of the three firewall types, a proxy firewall is the most secure. The concept works the same as using a middleman to receive sensitive materials, inspecting them at a secure location, then delivering them to you once they are declared “safe.”

Instead of allowing traffic to reach the network perimeter before it’s inspected, a proxy firewall filters packets through a server with a firewall installed:

Proxy firewall example diagram.
It’s always best to keep threats at a distance from your network and a proxy firewall acts as that distant go-between with your network and the Wild West of the internet. Source: Created in Canva

Most proxy firewalls employ security capabilities not shared by the last two, such as:

  • Deep packet inspection (DPI): DPI searches for signatures of malware, outgoing sensitive data, and monitors for restricted content, such as unmanaged virtual private network (VPN) traffic or inappropriate websites.
  • Sandboxing: The biggest benefit of a proxy firewall is the distance it creates between threats and your network. This creates a “sandboxing” capability that allows threats to play out in a safe environment that only harms the specific firewall it contacts. Most security infrastructures create redundant proxy firewalls that take over in case one is down.
  • Traffic validation: Like standard stateful firewalls, proxy firewalls also use administrative tools like ACLs and logging to validate traffic from recognized sources.

Firewalls Are Moving to the Cloud

As businesses rapidly shift to the cloud, the demands on the old network perimeter are too much for a standard firewall. Packet filters and stateful firewalls aren’t enough to protect networks, data, and devices from the long list of external and internal threats that exist today.

That’s why firewalls are becoming firewalls as a service (FWaaS). These new firewalls converge with other technologies, such as secure web gateways (SWG), zero-trust architectures, cloud access security brokers (CASB), and other security functions, into a new paradigm known as secure access service edge (SASE) architecture.

This convergence makes firewalls more effective at inspecting traffic and protecting your assets and data from new threats that would otherwise evade your standard packet-filtering firewall.

Frequently Asked Questions About Firewalls

Do I need a firewall?

While almost every computer today has basic built-in protections, your business is vulnerable without the advanced features of a dedicated firewall that covers your network.

What are the risks of not using a firewall?

You’re opening up your network, data, and devices to unnecessary risk if you don’t install a firewall. You have no way of knowing who’s connected to your servers. Someone could take remote control of them and steal vital data.

What are some of the major firewall brands?

Sophos, Check Point, pfSense, FortiGate, Plato Alto, Azure, SonicWall, Cisco, and Huawei are among the best-known firewall makers.

Nick Morpus Avatar
Scroll to Top