What is a firewall?
A firewall is a security device or program that monitors network traffic and detects potential threats. Acting as a protective barrier, it allows only non-threatening traffic and blocks dangerous traffic. Firewalls are a fundamental element of network security in client-server models, but they are vulnerable to attacks such as:
- Social engineering attacks, for example, stolen credentials used for fraud.
- Insider threats, for example, someone inside the network intentionally changing firewall settings.
- Human error, for example, staff forgetting to enable the firewall or ignoring update notifications.

How do firewalls work?
Enterprises place inline firewalls at the boundary between external sources and protected systems. Administrators create inspection points where the firewall examines all packets entering and leaving the network, including:
- Payload (the actual content).
- Headers (information about the data, such as sender and recipient).
The firewall analyzes packets against predefined rules to distinguish benign from malicious traffic. Rule sets define how the firewall checks items such as:
- Source and destination IP addresses.
- Content within the payload.
- Packet protocols (for example, whether the connection uses TCP/IP).
- Application protocols (HTTP, Telnet, FTP, DNS, SSH, etc.).
- Data patterns indicative of specific network attacks.
The firewall blocks any packets that do not match the rules and routes safe packets to their intended recipients. When a firewall blocks traffic, it can either silently drop the request or send an error message to the sender. Silently dropping requests is often preferred to limit information that an attacker could use to probe firewall behavior.
Firewall types by deployment
Based on deployment method, firewalls can be classified as hardware firewalls, software (host) firewalls, or cloud-based firewalls.

Software (host) firewall
A software firewall is installed directly on a host device. This type protects a single machine (endpoints, desktops, laptops, servers, etc.), so an administrator must install and configure it on every device to be protected. Because the software firewall runs on the host, it consumes some system RAM and CPU, which can be an issue in resource-constrained environments.
Advantages:
- Provides strong protection for the specific device.
- Isolates individual network endpoints from each other.
- High precision security: administrators can control exactly which programs are allowed.
- Readily available.
Disadvantages:
- Consumes host CPU, RAM, and storage.
- Requires configuration on every host device.
- Daily maintenance can be difficult and time-consuming.
- Not all devices are compatible with every firewall, so different solutions may be needed on the same network.
Hardware firewall
A hardware firewall is a standalone device that filters traffic entering and leaving a network. Unlike software firewalls, these devices have their own resources and do not use host CPU or RAM. Hardware firewalls are often suitable for large organizations with multiple subnets and many hosts. Small and medium businesses may prefer deploying host firewalls on each machine.
Advantages:
- Protects many devices using a single solution.
- Provides strong perimeter security since malicious traffic is stopped before reaching hosts.
- Does not consume host resources.
- Administrators manage one firewall for the entire network.
Disadvantages:
- Higher cost than software firewalls.
- Insider threats remain a significant weakness.
- Configuration and management require more specialized skills than software-based firewalls.
Cloud-based firewall
Cloud-based firewalls are delivered over the Internet on demand. Also called Firewall-as-a-Service (FaaS), they may run as IaaS or PaaS offerings. Cloud firewalls are well suited for:
- Highly distributed organizations.
- Teams with gaps in security resources.
- Companies lacking internal expertise.
Like hardware solutions, cloud firewalls can provide strong perimeter security and can also be configured on a per-host basis.
Advantages:
- The provider handles management tasks such as installation, deployment, patching, and troubleshooting.
- Users can scale cloud resources to meet traffic demands.
- No internal hardware required.
- High availability.
Disadvantages:
- Lack of transparency about how the provider runs the firewall.
- Like other cloud services, migration to a different provider can be difficult.
- Routing traffic through a third party may increase latency and raise privacy concerns.
- High ongoing operational costs can make it expensive over time.
Firewall types by operation
Below are five firewall types based on functionality and the OSI model.

Packet-filtering firewall
Packet-filtering firewalls function at the network layer, comparing header information from each packet against a set of predefined criteria. These firewalls check header-based information such as:
- Destination and source IP addresses.
- Packet type.
- Port numbers.
- Network protocol.
Packet-filtering firewalls analyze surface-level details without opening packets to inspect payloads. They examine each packet independently of existing traffic flows, making them suitable for small organizations that need basic protection against known threats.
Advantages:
- Low cost.
- Fast packet filtering and processing.
- Good at filtering traffic between internal departments.
- Low resource consumption.
- Minimal impact on network speed and user experience.
- Effective as a first line of defense in multi-layered strategies.
Disadvantages:
- Do not inspect packet payloads.
- Relatively easy to bypass for experienced attackers.
- Cannot filter at the application layer.
- Vulnerable to IP spoofing because they treat each packet independently.
- Lack user authentication and logging features.
- Setting and managing access control lists can be challenging.
Circuit-level gateway
Circuit-level gateways operate at the OSI session layer and monitor the TCP handshake between local and remote hosts. They can quickly approve or deny traffic without heavy resource use. However, these systems do not inspect packets, so if the TCP handshake succeeds, a malicious request may still gain access.
Advantages:
- Handle only the transactions they are asked to handle and deny all other traffic.
- Easy to set up and manage.
- Resource and cost efficient.
- Provide strong protection against address exposure, since internal hosts are not directly reachable.
- Minimal impact on user experience.
Disadvantages:
- Not a standalone solution because they do not filter content.
- Often require adjustments to software and network protocols.
Stateful inspection firewall
Stateful inspection firewalls, also called dynamic packet-filtering firewalls, monitor incoming and outgoing packets at the network and transport layers. These firewalls combine packet inspection with TCP handshake validation.
Stateful firewalls maintain a state table (a database of all open connections), allowing the system to inspect existing traffic flows rather than isolated packets. For each connection the table stores information from the key packets, including:
- Source IP.
- Source port.
- Destination IP.
- Destination port for each connection.
When a new packet arrives, the firewall checks the established connection table. Packets that match known connections are allowed through without further inspection, while unmatched traffic is evaluated against the rule set.
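The following is an added illustration, not code from the original article: a minimal Python packet filter that combines the header-based rule matching described under packet-filtering firewalls with the connection table described here. Rules, addresses and packets are constructed for the example; a first-match rule set with a silent default drop stands in for the predefined criteria, and only a TCP SYN may create a new table entry.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Header fields the firewall examines; all values are constructed for this example.
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "tcp", "udp" or "icmp"
    flags: str = ""     # TCP flags as text, e.g. "SYN", "SYN-ACK", "ACK"

@dataclass
class Rule:
    action: str                 # "allow", "drop" (silent) or "reject" (error back to sender)
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))

class StatefulFirewall:
    """First matching rule wins; anything that matches no rule is silently dropped."""
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.table: Set[Tuple[str, int, str, int, str]] = set()  # open connections

    def filter(self, p: Packet) -> str:
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        reply = (p.dst, p.dport, p.src, p.sport, p.proto)
        # Fast path: packets on a tracked connection (either direction) skip the rule set.
        if key in self.table or reply in self.table:
            return "allow"
        # A TCP packet that is not a SYN cannot open a connection; dropping it here is what
        # blocks stray ACK packets that a stateless filter would evaluate on headers alone.
        if p.proto == "tcp" and p.flags != "SYN":
            return "drop"
        for r in self.rules:
            if r.matches(p):
                if r.action == "allow" and p.proto == "tcp":
                    self.table.add(key)   # remember the connection so its replies are allowed
                return r.action
        return "drop"
```

Because rules are matched in order, a "reject" rule placed before a broad "allow" sends an error to the sender, while the implicit final "drop" reveals nothing, matching the silent-drop preference described earlier.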
Advantages:
- Automatically allows packets that belong to previously inspected connections.
- Effective at blocking attacks that exploit protocol weaknesses.
- Reduces the need to open many ports for traffic, narrowing the attack surface.
- Detailed logging supports digital forensics.
- Reduces exposure to port scanners.
Disadvantages:
- More expensive than packet-filtering firewalls.
- Require high skill levels for proper configuration.
- Can impact performance and introduce network latency.
- Do not verify the identity of spoofed traffic sources.
- Vulnerable to TCP flood attacks that exploit pre-established connections.
Proxy firewall
Proxy firewalls, or application-level gateways, act as intermediaries between internal and external systems. They screen client requests before they reach the host, protecting the network. Running at the application layer, proxy firewalls perform deep packet inspection (DPI) and can inspect both payload and header information.
When a client requests network access, the message first reaches the proxy server. The firewall checks:
- Any prior communications between the client and devices behind the firewall.
- Header information.
- The content itself.
The proxy then masks the request and forwards it to the web server, hiding the client's identity. The server response goes to the proxy, which then passes the data back to the original client. Proxy firewalls are commonly used to protect web applications from malicious users.
Advantages:
- DPI inspects both headers and payloads.
- Adds an isolation layer between clients and the network.
- Hides internal IP addresses from potential threat actors.
- Detects and blocks attacks invisible at the network layer.
- Enables fine-grained control over network traffic.
- Can bypass geographic restrictions.
Disadvantages:
- Increased latency due to thorough packet inspection and extra communication steps.
- Higher processing overhead makes them more costly than other types.
- Setup and management are challenging.
- Not compatible with all network protocols.
Next-generation firewall (NGFW)
Next-generation firewalls integrate multiple functions from other firewall types into a single device or program. These systems typically provide:
- Deep packet inspection (DPI) that analyzes content.
- TCP handshake checks.
- Layered packet inspection.
NGFWs also include additional network security measures such as:
- IDS and IPS.
- Malware scanning and filtering.
- Advanced threat intelligence (pattern matching, protocol-based detection, anomaly detection, etc.).
- Antivirus integration.
- Network address translation (NAT).
- Quality of Service (QoS) features.
- SSH inspection.
NGFWs are common in regulated industries such as healthcare and finance.
Advantages:
- Combine traditional firewall functions with advanced network security features.
- Inspect traffic from the data link layer up to the application layer.
- Provide extensive logging.
Disadvantages:
- More expensive than other firewall types.
- Introduce a single point of failure.
- Deployment can be slow.
- Require significant expertise to configure and operate.
- Can impact network performance.
Conclusion
No single protection layer is sufficient to fully protect an organization. Enterprises often deploy multiple firewall types within the same network. Choosing the right firewall starts with understanding the network architecture and operational needs to determine which firewall types and policies are most appropriate. In most cases, a layered firewall strategy that protects the perimeter and segments different assets within the network makes it more difficult for attackers to penetrate.