A firewall can usually operate at every layer below the highest layer it supports. Linux Netfilter, for example, can operate at all 7 layers of the OSI model; the Windows Server 2008 firewall operates at layers 1 through 5, and the Windows XP firewall at layers 1 through 3.
| | Layer 3 Firewall (Network) | Layer 5 Firewall (Session) | Layer 7 Firewall (Application) |
|---|---|---|---|
| Called | Port-based firewall | Circuit-level gateway firewall; SPI firewall (stateful firewall) | Application-layer gateway firewall; proxy server/firewall |
| Examples | Windows XP Firewall | iptables, Windows Server 2008 | Netfilter (iptables with layer7 patch); very expensive proprietary systems |
| Action | Each packet is compared against a list of rules and filtered if necessary (source/destination address, source/destination port, protocol). | Monitors the TCP/IP handshake and the state of connections. Packets are allowed or denied based on the traffic rules and the state of the connection. | Unauthorized application activity is logged, prevented or terminated. |
| Filters | IP protocol information, IP addresses, and TCP or UDP port numbers. | Based on connection state. | Filters (inspects) actual application data. |
| Weaknesses | IP spoofing | Denial-of-service attacks in which the state table is filled with fake connections | Requires a large amount of system resources. High level of administrative difficulty. |
| Protects from | Access by unauthorized IP addresses, networks and ports. | Applications operating on non-standard ports. | |
| Deep Packet Inspection | No | No | Yes |
Shallow Packet Inspection (SPI) – The act, by a firewall, of inspecting the TCP and UDP headers of network packets. It monitors the establishment and the state of connections. Also called Stateful Packet Inspection.
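As an added illustration (not part of the original notes), a toy Python model of the Layer 3 and Layer 5 rows of the table above: a port-based filter judges every packet alone, so reply traffic is blocked unless a return rule exists, while a stateful filter tracks connections and passes replies on state alone, and a full state table refuses new connections, which is the denial-of-service weakness listed for it. All addresses, ports and flag labels are constructed.

```python
from collections import namedtuple

# One packet: src/dst IP, ports and a constructed flag label ("SYN", "SYN-ACK", "ACK", "DATA")
Packet = namedtuple("Packet", "src sport dst dport flags")

def port_filter(rules, p):
    """Layer 3 firewall: each packet is judged alone against rules of the form
    (source-address prefix, destination port or None, allow?). Default deny."""
    for prefix, dport, allow in rules:
        if p.src.startswith(prefix) and (dport is None or p.dport == dport):
            return allow
    return False

class StatefulFilter:
    """Layer 5 (SPI) firewall: only a new SYN consults the rules; later packets of a
    tracked connection, in either direction, pass on connection state alone."""
    def __init__(self, rules, max_entries):
        self.rules = rules
        self.max_entries = max_entries   # finite state table (the DoS weakness above)
        self.table = {}                  # (src, sport, dst, dport) -> state string
    def allow(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table:
            if p.flags == "ACK":
                self.table[fwd] = "ESTABLISHED"
            return True
        if rev in self.table:            # reply direction of a known connection
            return True
        if p.flags != "SYN":             # stray packet with no tracked state
            return False
        if len(self.table) >= self.max_entries:
            return False                 # table full: new connections are refused
        if port_filter(self.rules, p):
            self.table[fwd] = "SYN_SENT"
            return True
        return False

def demo():
    rules = [("10.0.0.", 80, True)]      # constructed: inside hosts may reach port 80
    l5 = StatefulFilter(rules, max_entries=2)
    syn = Packet("10.0.0.5", 40000, "203.0.113.7", 80, "SYN")
    synack = Packet("203.0.113.7", 80, "10.0.0.5", 40000, "SYN-ACK")
    stray = Packet("203.0.113.9", 80, "10.0.0.5", 40001, "DATA")   # unsolicited
    more = [Packet(f"10.0.0.{i}", 41000, "203.0.113.7", 80, "SYN") for i in (6, 7)]
    return {
        "l3": [port_filter(rules, q) for q in (syn, synack, stray)],
        "l5": [l5.allow(q) for q in (syn, synack, stray)],
        "l5_when_full": [l5.allow(q) for q in more],   # second SYN finds the table full
    }
```

`demo()` returns `[True, False, False]` for the port filter (the SYN-ACK reply is dropped), `[True, True, False]` for the stateful filter, and `[True, False]` once the two-entry state table is full.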
Deep Packet Inspection (DPI) – Combines the roles of a firewall and an intrusion detection system. Identifies and authenticates protocols, applications and sessions. Reasons for implementing deep packet inspection include per-service rates and copyright protection by service providers, quality of service, intrusion detection and intrusion prevention.