Which is better: A Packet Filter or Proxy Firewall?

In the world of firewalls, there are two main types to choose from: packet filter and proxy firewalls. Packet filters came into the ring in the early 1990s as a result of administrators wanting more performance and flexibility from firewall applications. The traditional proxy-based firewalls are far from becoming obsolete, however, and the debate rages on as to which firewall is the best.

A Look at the Packet Filter Method
In packet filtering, the basic idea is to quickly inspect each incoming packet against pre-set rules and decide whether or not it is going to be permitted. If a packet is deemed potentially dangerous or unwanted, it is simply discarded. With this method the client and server still talk over a direct connection, with the filter sitting in the path, so filtering based on where the incoming data comes from is also possible.

The packet filtering firewall has since received some extra work, however, and the stateful packet filtering method was released. This firewall is extremely similar to the earlier design of packet filters, with some extra functionality and protection included. One of the major flaws with simple packet filters was that attackers could use port 80, the web traffic port, to send disguised data. With stateful packet filtering such data is rejected, because the filter “remembers” which connections the host has initiated, and those are the ones likely to be legitimate. Connections the host hasn’t initiated are most likely attack attempts, and are likewise denied access.

Some versions of stateful packet filters even include the ability to inspect the contents of incoming data. This method becomes aware of the data that is coming in, rather than just matching headers against a set of rules and passing packets on. These are called stateful inspection packet filters, and they act much like a proxy firewall would. Stateful inspection packet filters still retain their low resource usage, and have thus become known as a hybrid between packet filtering and proxy firewalls.
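As an added illustration (not code from the article), here is a toy comparison of the two approaches described above: a stateless rule set that trusts anything arriving from source port 80, beside a stateful filter that only admits inbound packets answering a connection an inside host started. Addresses, ports and the internal-network convention are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # set on the first packet of a TCP connection
    ack: bool = False  # set on every packet after that first SYN

def is_internal(ip: str) -> bool:
    # Constructed convention for the toy: the protected network is 10.0.0.0/8.
    return ip.startswith("10.")

def stateless_allow(pkt: Packet) -> bool:
    """Static rules only. Rule 1: anything from inside may leave. Rule 2: anything
    arriving from source port 80 is assumed to be a web reply and let in.
    Rule 2 is the hole the article describes: an outside sender can simply
    choose source port 80 and reach any internal port."""
    return is_internal(pkt.src) or pkt.sport == 80

class StatefulFilter:
    """Remembers connections that inside hosts initiated (keyed by the 4-tuple)
    and admits inbound packets only when they answer a remembered connection."""
    def __init__(self) -> None:
        self.flows = set()

    def allow(self, pkt: Packet) -> bool:
        if is_internal(pkt.src):
            if pkt.syn and not pkt.ack:  # a new outbound connection
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: must be the reverse of a tracked flow and must carry ACK.
        reply_of = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return pkt.ack and reply_of in self.flows

def run_scenario() -> dict:
    """Constructed traffic: a browser session, its reply, and a packet
    'disguised' as web traffic by using source port 80 against an unrelated
    internal port. Returns {name: (stateless_verdict, stateful_verdict)}."""
    client, web, attacker = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    traffic = {
        "outbound_syn": Packet(client, 51000, web, 80, syn=True),
        "legit_reply":  Packet(web, 80, client, 51000, syn=True, ack=True),
        "disguised":    Packet(attacker, 80, client, 445, ack=True),
    }
    sf = StatefulFilter()  # packets are evaluated in the order listed above
    return {name: (stateless_allow(p), sf.allow(p)) for name, p in traffic.items()}
```

The stateless filter admits all three packets; the stateful filter admits the outbound connection and its reply but drops the disguised packet, since no inside host initiated a connection to it.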

A Look at the Proxy Firewall
The biggest advantage of proxy firewalls is that no direct connection is established between the server and client. The proxy acts as a buffer between the two, which renders many kinds of spoofing attacks useless. Packet filters are generally susceptible to spoofing attacks, which cover up the identity of attackers or even give them access to confidential material on your network.

Another big advantage of proxy firewalls is the ability to inspect traffic at the application layer of the OSI model. This means that a decent proxy firewall will theoretically be more secure than any packet filter firewall, because the proxy can act much like an anti-virus scanner if needed and will filter out “bad” traffic automatically. Of course, such scanning takes extra resources to run, which makes proxy firewalls a bad choice for those who can’t afford to spare any system resources.

So…Who Wins?
The best firewall to date is the one that is best configured to withstand an attack. If we assume that a proxy firewall and a packet filter are configured equally well, the better firewall becomes a matter of opinion. Those looking for performance will inevitably choose the packet filtering method. For extra tight security the proxy firewall will do a better job, but at a cost in performance.

There are also critics who say that proxy firewalls aren’t as secure as they claim, and that a hybrid of both will be the best fit in most applications. Other critics say that as technology advances, the extra resources that proxy firewalls take will become a nonissue.

Security analysts have estimated that application-layer attacks will continue to increase. This would obviously give the upper hand to proxy firewalls, which can scan the data before deciding what to do with it. Packet filters, on the other hand, would likely miss most application-layer attacks. As these attacks increase, the firewall industry may need to invest in a hybrid of proxy and packet filter technologies.

Closing Comments
The real decision ultimately comes down to the buyer and what they need. The majority of firewall users rely on the packet filtering method, since it is generally secure enough for most applications. For situations that demand tighter security, exploring the proxy firewall is a better idea.

The real excitement will come when we see the two technologies combine to form a well-suited hybrid. Until then there is more than one way to skin a cat; the only problem is deciding which.

