Firewall Types and Reference
Firewalls constitute a foundational layer of network security architecture, functioning as the primary control boundary between trusted internal networks and untrusted external environments. This page covers the major classifications of firewall technology, the mechanisms that distinguish each type, the deployment scenarios where each applies, and the decision criteria used by security professionals to select and configure them. The regulatory frameworks administered by agencies including CISA and the National Institute of Standards and Technology (NIST) directly reference firewall controls as baseline requirements across federal and private-sector security programs.
Definition and scope
A firewall is a network security device — implemented in hardware, software, or a combination of both — that monitors and controls incoming and outgoing network traffic based on a defined set of security rules. NIST SP 800-41 Rev 1, Guidelines on Firewalls and Firewall Policy, defines firewalls as devices that "examine network traffic and, based on policies, allow or deny the traffic to pass through." That publication remains the primary federal technical reference for firewall deployment guidance in civilian environments.
The scope of firewall technology spans five structurally distinct categories, each defined by the OSI layer at which inspection occurs and the depth of traffic analysis performed:
- Packet filtering firewalls — inspect individual packets at the network layer (Layer 3) using static rules based on source IP, destination IP, protocol, and port number. No session state is maintained.
- Stateful inspection firewalls — track the state of active connections at the transport layer (Layer 4), making decisions based on connection context rather than individual packets alone.
- Application layer firewalls (proxy firewalls) — operate at Layer 7 of the OSI model, analyzing the full content of application-level traffic such as HTTP, FTP, and DNS.
- Next-generation firewalls (NGFW) — integrate stateful inspection with deep packet inspection (DPI), intrusion prevention system (IPS) capabilities, and application-aware traffic classification. NIST categorizes NGFWs within its guidance on intrusion detection and prevention in NIST SP 800-94.
- Web application firewalls (WAF) — specialized appliances that protect HTTP/HTTPS applications by filtering and monitoring traffic against known attack signatures such as SQL injection and cross-site scripting (XSS), as documented in OWASP's Web Application Firewall guidance.
Federal information systems subject to the Federal Information Security Modernization Act (FISMA, 44 U.S.C. § 3551 et seq.) must meet firewall control baselines defined in NIST SP 800-53 Rev 5, specifically controls SC-7 (Boundary Protection) and AC-17 (Remote Access).
How it works
Firewall enforcement relies on rule sets — ordered lists of conditions and actions that the device evaluates against each traffic flow. The evaluation model and the scope of data examined differ substantially across firewall types.
Packet filtering applies rules at the interface level. Each packet is compared against an access control list (ACL); if no rule matches, a default-deny or default-permit policy applies. Because no connection context is retained, packet filtering cannot distinguish a legitimate response packet from a malicious one that mimics the same source/destination pair.
Stateful inspection maintains a connection state table. When a TCP handshake begins, the firewall records the session tuple (source IP, destination IP, source port, destination port, protocol). Return traffic is validated against this table rather than evaluated blindly as a new packet. This closes the gap that pure packet filtering leaves open to spoofed reply packets: a stateless filter can only admit replies by opening a port-based hole that any host can satisfy.
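The difference between the two models in the preceding paragraphs, as an added simulation that is not code from NIST SP 800-41 or from any firewall product: an ordered ACL evaluated first-match-wins with a default-deny policy, beside a 5-tuple connection table that only admits return traffic for a session it recorded at handshake time. The network ranges, rule set and packets are constructed for the illustration.

```python
"""Stateless ACL evaluation vs. stateful connection tracking (constructed simulation).

Added illustration, not code from any firewall product or from NIST SP 800-41.
Addresses, rules and packets are made up; the 5-tuple state table and the
first-match/default-deny rule evaluation follow the model described in the text.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    syn: bool = False  # TCP SYN flag: set on connection initiation
    ack: bool = False  # TCP ACK flag: set on every packet after the first SYN


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: Optional[str] = None   # CIDR network; None means any
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return ((self.src is None or ip_address(p.src) in ip_network(self.src)) and
                (self.dst is None or ip_address(p.dst) in ip_network(self.dst)) and
                (self.sport is None or p.sport == self.sport) and
                (self.dport is None or p.dport == self.dport) and
                (self.proto is None or p.proto == self.proto))


def evaluate_acl(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """Ordered rule set: the first matching rule decides; otherwise the default policy."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


class StatefulFirewall:
    """Stateful inspection: return traffic is validated against a session table."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.state = set()  # established sessions as (src, dst, sport, dport, proto)

    def filter(self, p: Packet) -> str:
        forward = (p.src, p.dst, p.sport, p.dport, p.proto)
        reverse = (p.dst, p.src, p.dport, p.sport, p.proto)
        if forward in self.state or reverse in self.state:
            return "allow"  # belongs to a tracked session, in either direction
        if p.proto == "tcp" and not (p.syn and not p.ack):
            return "deny"   # not a connection start and no session: unsolicited "reply"
        verdict = evaluate_acl(self.rules, p)
        if verdict == "allow":
            self.state.add(forward)  # record the session tuple when the handshake starts
        return verdict


# Constructed policy: hosts in 10.0.0.0/24 may reach any HTTPS server.
# A stateless filter can only admit replies by opening a hole for source port 443.
STATELESS_RULES = [
    Rule("allow", src="10.0.0.0/24", dport=443, proto="tcp"),  # outbound HTTPS
    Rule("allow", dst="10.0.0.0/24", sport=443, proto="tcp"),  # return-path hole
]
STATEFUL_RULES = [
    Rule("allow", src="10.0.0.0/24", dport=443, proto="tcp"),  # outbound HTTPS only
]

# Constructed traffic: a real handshake plus one unsolicited packet from a third
# host that copies the source port a legitimate reply would carry.
SAMPLE_PACKETS = [
    ("client_syn", Packet("10.0.0.5", "203.0.113.10", 51000, 443, "tcp", syn=True)),
    ("server_syn_ack", Packet("203.0.113.10", "10.0.0.5", 443, 51000, "tcp", syn=True, ack=True)),
    ("spoofed_reply", Packet("198.51.100.7", "10.0.0.5", 443, 5555, "tcp", ack=True)),
]


def run_stateless() -> dict:
    return {name: evaluate_acl(STATELESS_RULES, p) for name, p in SAMPLE_PACKETS}


def run_stateful() -> dict:
    fw = StatefulFirewall(STATEFUL_RULES)
    return {name: fw.filter(p) for name, p in SAMPLE_PACKETS}


if __name__ == "__main__":
    print("stateless:", run_stateless())
    print("stateful: ", run_stateful())
```

The stateless ACL admits all three packets, because the return-path rule cannot tell a server's SYN/ACK from an unrelated packet that merely uses source port 443. The stateful firewall admits the server's reply through the session table and drops the unsolicited packet, since it is neither a tracked session nor a new connection start, with a smaller rule set.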
Application layer firewalls act as proxies: the device terminates the client connection, inspects the full application-layer payload, and if acceptable, establishes a separate connection to the destination server. This allows detection of protocol violations, malicious payloads, and data exfiltration encoded inside permitted protocols (e.g., DNS tunneling or HTTP-wrapped command-and-control traffic).
NGFWs extend stateful inspection with three additional inspection engines running in parallel:
- Deep packet inspection (DPI) — reconstructs and analyzes application content regardless of port or protocol
- Intrusion Prevention System (IPS) — matches traffic against a continuously updated signature database
- Application identification — classifies traffic by application identity rather than port number, enabling policy enforcement based on application category
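The application-identification engine in the list above, as an added illustration that is not code from any NGFW vendor: a port-independent classifier built on simplified protocol prefixes (the SSH version banner, the TLS handshake record header, HTTP request methods), with policy keyed on application category rather than destination port. The byte signatures are simplified, and the flows and policy are constructed for the example.

```python
"""Port-independent application identification (constructed example).

Added illustration of the NGFW application-identification engine described on
the page; not code from any NGFW product. The signatures are simplified
versions of real protocol prefixes, and the sample flows and policy are made up.
"""
from typing import Dict, Tuple


def identify_app(payload: bytes) -> str:
    """Classify a flow by its first bytes, ignoring the port it arrived on."""
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"               # SSH protocol version exchange banner
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"               # TLS record: content type 0x16 (handshake), version 0x03xx
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE"):
        return "http"              # plaintext HTTP request line
    return "unknown"


# Constructed category map and policy: enforcement is by application category.
APP_CATEGORY = {"ssh": "remote-access", "tls": "web", "http": "web", "unknown": "unknown"}
POLICY = {"web": "allow", "remote-access": "deny", "unknown": "deny"}


def port_based_verdict(dport: int) -> str:
    """Stateful-firewall style decision: ports 80 and 443 are 'web', all else denied."""
    return "allow" if dport in (80, 443) else "deny"


def app_aware_verdict(payload: bytes) -> str:
    """NGFW style decision: classify the content, then apply the category policy."""
    return POLICY[APP_CATEGORY[identify_app(payload)]]


# Constructed flows: (name, destination port, first bytes of the client payload).
SAMPLE_FLOWS = [
    ("tls_on_443", 443, bytes([0x16, 0x03, 0x01, 0x00, 0xC8, 0x01])),
    ("ssh_on_443", 443, b"SSH-2.0-example_1.0\r\n"),
    ("http_on_8080", 8080, b"GET /status HTTP/1.1\r\nHost: internal\r\n\r\n"),
]


def compare() -> Dict[str, Tuple[str, str]]:
    """Return (port-based verdict, application-aware verdict) for each sample flow."""
    return {name: (port_based_verdict(port), app_aware_verdict(data))
            for name, port, data in SAMPLE_FLOWS}


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:14s} port-based={verdicts[0]:5s} app-aware={verdicts[1]}")
```

The comparison shows both directions of the gap a port-based policy leaves: remote-access traffic carried over a permitted port passes the port rule but is denied by category, while legitimate web traffic on a non-standard port is denied by the port rule but allowed by category. Production engines use far richer signatures and behavioural classification; the structure of the decision is what the example isolates.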
WAFs operate in a request/response inspection loop against a rule set aligned to the OWASP Top 10 vulnerability categories. WAFs are deployed inline (blocking mode) or out-of-band (detection mode), and are commonly required under the Payment Card Industry Data Security Standard (PCI DSS v4.0, Requirement 6.4) for any system that stores, processes, or transmits cardholder data.
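The request-inspection loop and the two deployment modes just described, as an added example that is not code from any WAF product or from the OWASP guidance: each request is normalized (URL-decoded) and matched against a small rule set, and the same match yields a block in inline mode or only a log entry in detection mode. The rule identifiers, the deliberately simple patterns and the sample requests are constructed for the example and are not a production rule set.

```python
"""WAF-style request inspection in blocking vs. detection mode (constructed example).

Added illustration, not the code of any WAF product or of OWASP guidance.
Rule identifiers, patterns and requests are made up; the patterns are
intentionally simple and are not a production rule set.
"""
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import unquote_plus


@dataclass(frozen=True)
class WafRule:
    rule_id: str        # constructed identifier
    category: str       # OWASP Top 10 category the rule is aligned to
    pattern: re.Pattern


RULES: List[WafRule] = [
    WafRule("R-SQLI-1", "A03:2021 Injection",
            re.compile(r"(?i)\bunion\s+select\b|'\s*or\s+'?1'?\s*=\s*'?1")),
    WafRule("R-XSS-1", "A03:2021 Injection (cross-site scripting)",
            re.compile(r"(?i)<script\b|\bon\w+\s*=")),
]


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    query: str = ""
    body: str = ""


def normalize(req: Request) -> str:
    """URL-decode the inspected surfaces so encoded payloads hit the same rules."""
    return unquote_plus(f"{req.path}?{req.query} {req.body}")


def inspect(req: Request, mode: str = "block") -> Dict[str, object]:
    """Return the verdict: pass, block (inline mode) or log (detection mode)."""
    surface = normalize(req)
    hits = [r.rule_id for r in RULES if r.pattern.search(surface)]
    if not hits:
        return {"action": "pass", "hits": []}
    action = "block" if mode == "block" else "log"
    return {"action": action, "hits": hits}


# Constructed sample requests: one benign, two carrying textbook payloads.
SAMPLE_REQUESTS: Dict[str, Request] = {
    "benign_search": Request("GET", "/search", "q=firewall+types"),
    "sql_injection": Request("GET", "/item", "id=1%27+OR+%271%27%3D%271"),
    "reflected_xss": Request("POST", "/comment",
                             body="text=%3Cscript%3Ex%3C%2Fscript%3E"),
}


def inspect_all(mode: str = "block") -> Dict[str, str]:
    """Run every sample request through the WAF in the given mode."""
    return {name: inspect(req, mode)["action"] for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    print("blocking mode: ", inspect_all("block"))
    print("detection mode:", inspect_all("detect"))
```

Detection mode produces the same rule hits without interrupting traffic, which is why a WAF is normally run out-of-band first: the logged hits on legitimate requests identify false positives to tune before the same rule set is switched to inline blocking.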
Common scenarios
Firewall deployment scenarios are structured by the trust boundary being enforced and the type of traffic requiring inspection.
Enterprise perimeter defense remains the canonical stateful firewall use case. A stateful inspection or NGFW device sits at the edge between the internal corporate network and the public internet, enforcing egress and ingress policy. NIST SP 800-41 Rev 1 identifies the internet-facing perimeter as the highest-priority firewall placement zone.
Data center segmentation uses internal firewalls to enforce east-west traffic controls between application tiers — separating database servers from web servers even within the same organization. This architecture directly supports the zero-trust network model described in NIST SP 800-207.
Cloud-native and hybrid environments increasingly rely on virtual firewall appliances and cloud provider-native security groups. CISA's Cloud Security Technical Reference Architecture identifies firewall policy consistency between on-premises and cloud workloads as a recurring gap in federal agency deployments.
Healthcare and financial sector compliance environments frequently require WAF deployment as a regulatory baseline. The HIPAA Security Rule (45 CFR Part 164.312) mandates technical safeguards for electronic protected health information (ePHI), and HHS guidance identifies network access controls — including firewalls — as addressable implementation specifications under § 164.312(a)(1).
Organizations navigating the broader landscape of qualified security service providers can reference the Digital Security Listings for categorized vendor entries across network security disciplines.
Decision boundaries
Selecting the appropriate firewall type depends on four structured criteria: inspection depth required, throughput constraints, regulatory mandate, and deployment environment.
| Criterion | Packet Filtering | Stateful Inspection | NGFW | WAF |
|---|---|---|---|---|
| OSI Layer | 3 | 3–4 | 3–7 | 7 (HTTP/S) |
| Connection awareness | No | Yes | Yes | Yes |
| Application visibility | No | Limited | Yes | Yes (web only) |
| IPS capability | No | No | Yes | Partial |
| Typical throughput impact | Minimal | Low | Moderate–High | Moderate |
| Primary compliance driver | General ACL policy | Perimeter baseline | FISMA, NIST 800-53 SC-7 | PCI DSS 6.4, OWASP |
Packet filtering vs. stateful inspection: Packet filtering is appropriate only where connection tracking overhead is prohibitive (e.g., embedded systems or legacy network hardware) or where the security policy is extremely simple. Stateful inspection supersedes packet filtering in virtually all modern enterprise perimeter deployments because it eliminates spoofed-response vulnerabilities at negligible performance cost.
Stateful inspection vs. NGFW: Organizations subject to FISMA or NIST 800-53 Rev 5 SC-7 controls, or those managing complex application portfolios, require NGFW capabilities. Stateful firewalls cannot identify application-layer threats that exploit permitted ports — a gap that NGFWs address through DPI and IPS integration.
NGFW vs. WAF: These are not mutually exclusive. An NGFW governs general network traffic policy; a WAF governs HTTP/HTTPS application traffic specifically. PCI DSS v4.0 Requirement 6.4 mandates WAF deployment as a distinct control from perimeter firewall coverage. Environments hosting public-facing web applications require both layers.
Host-based vs. network-based deployment: Host-based firewalls (software running on individual endpoints) enforce per-device policy independently of network infrastructure. NIST SP 800-41 Rev 1 recommends host-based firewalls as a supplementary control, not a replacement for network-layer enforcement. The purpose and scope of this directory provides additional context on how network security service categories are organized within this reference.
For security professionals evaluating managed firewall services or third-party security operations, the Digital Security Listings provide a structured entry point into categorized service provider segments.
References
- [NIST SP 800-41 Rev 1 — Guidelines on Firewalls and Firewall Policy](https://csrc.nist.gov/