A wide range of firewall options is available for applications ranging from a single PC with a broadband Internet connection to a large corporate network. Firewalls can be software that runs on a PC or a separate hardware device that has built-in firewall software.
Packet filtering or network layer (Layer 3) firewalls make decisions based on the source and destination addresses and ports in IP packets. This fastest and simplest form of firewall protection is really no more than a simple sorting algorithm. Generally, they enable you to have some control through the use of access lists. Packet filtering can also often be performed by other network devices such as routers and is generally what you get when you download free firewall software.
Packet filtering works well for small networks but when applied to larger networks can quickly become very complex and difficult to configure. Packet filtering also cannot be used for content-based filtering and cannot, for instance, remove e-mail attachments. This type of firewall has little or no logging capability, making it difficult to determine if it's been attacked.
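An added example, not code from the original article or any Black Box product, showing what a packet filter's access list actually evaluates. Packets are reduced to the header fields a Layer 3/4 filter sees (addresses, protocol, ports); rules are tried top to bottom, the first match decides, and an unmatched packet falls through to an implicit deny. All addresses and the rule set are constructed for the example. The last test packet carries a Windows executable signature in its payload and is still permitted, because the filter never looks at the data portion, which is the content-filtering limitation described above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """The header fields a Layer 3/4 filter looks at, plus the payload it does not inspect."""
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    sport: int
    dport: int
    payload: bytes = b""  # carried through untouched; a packet filter never examines it


@dataclass(frozen=True)
class Rule:
    """One access-list entry: a permit/deny action and the header fields it matches on."""
    action: str                   # "permit" or "deny"
    src: str = "0.0.0.0/0"        # source network (any by default)
    dst: str = "0.0.0.0/0"        # destination network (any by default)
    proto: Optional[str] = None   # None means any protocol
    dport: Optional[int] = None   # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def filter_packet(acl: List[Rule], pkt: Packet) -> str:
    """Evaluate the access list top to bottom; the first matching rule decides.

    Nothing matched means an implicit deny, the usual router convention.
    """
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed access list. Order matters: the deny for a blocked network comes first
# so it is matched before the broader permits below it.
ACL = [
    Rule("deny", src="198.51.100.0/24"),                            # blocked source network
    Rule("permit", dst="203.0.113.10/32", proto="tcp", dport=80),   # web server, HTTP
    Rule("permit", dst="203.0.113.10/32", proto="tcp", dport=443),  # web server, HTTPS
    Rule("permit", dst="203.0.113.53/32", proto="udp", dport=53),   # DNS server
]


def demo() -> dict:
    """Run a few constructed packets through the list and collect the verdicts."""
    web = Packet("192.0.2.5", "203.0.113.10", "tcp", 40000, 80)
    blocked = Packet("198.51.100.7", "203.0.113.10", "tcp", 40000, 80)
    telnet = Packet("192.0.2.5", "203.0.113.10", "tcp", 40000, 23)
    # Same headers as `web`, but the payload begins with the "MZ" signature of a Windows
    # executable. The filter permits it anyway: it decides on headers only.
    exe_over_http = Packet("192.0.2.5", "203.0.113.10", "tcp", 40000, 80,
                           payload=b"MZ\x90\x00")
    return {
        "web": filter_packet(ACL, web),
        "blocked_source": filter_packet(ACL, blocked),
        "telnet": filter_packet(ACL, telnet),
        "exe_over_http": filter_packet(ACL, exe_over_http),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>15}: {verdict}")
```

The verdict for a packet depends on rule order as much as on rule content: swapping the deny below the permits would let the blocked network reach the web server, which is one reason large access lists become hard to maintain.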
The more sophisticated proxy or application layer firewalls deal with network traffic by passing all packets through a separate "proxy" application that examines data at an application level.
A proxy firewall doesn't allow a direct connection between your network and the Internet. Instead, it accepts requests and executes them on behalf of the user. For instance, if you're behind a proxy firewall and type http://www.blackbox.com, the request goes to the firewall, which gets the page on your behalf and passes it to you. This process is transparent to users.
This proxy system enables you to set a firewall to accept or reject packets based not only on addresses and port information but also on application information. For instance, you can set the firewall to filter out all incoming packets belonging to EXE files, which are often infected with viruses and worms. Proxy firewalls generally keep very detailed logs, including information on the data portions of packets.
Proxy firewalls are slower and require more hardware than packet filtering; however, their greater versatility enables you to enforce tighter security policies.
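An added example, not code from the original article, of the proxy behaviour described above: the client hands its request to the proxy, the proxy fetches the object itself, inspects the whole reassembled content, and keeps a detailed log entry including a sample of the data portion. The "Internet" here is a constructed lookup table (the example.com URLs and their content are made up for the example), and the policy in inspect() is an assumed one: it rejects anything that starts with the "MZ" signature of a Windows executable, or that is named .exe, which catches an executable even when it has been renamed to .txt, a decision no header-only filter can make.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the Internet: what an origin server would return for each URL.
# The client never talks to these servers; only the proxy does.
ORIGIN: Dict[str, Tuple[str, bytes]] = {
    "http://www.example.com/index.html": ("text/html", b"<html><body>Welcome</body></html>"),
    "http://www.example.com/setup.exe": ("application/octet-stream", b"MZ\x90\x00\x03\x00\x00\x00"),
    "http://www.example.com/readme.txt": ("text/plain", b"MZ\x90\x00\x03\x00\x00\x00"),  # EXE renamed .txt
    "http://www.example.com/notes.txt": ("text/plain", b"Nothing to see here."),
}


def inspect(url: str, content_type: str, body: bytes) -> str:
    """Application-level policy (assumed for this example): "accept" or a reject reason.

    These checks need the reassembled object, which is why a packet filter cannot make them.
    """
    if body[:2] == b"MZ":                      # DOS/PE executable signature, whatever the name
        return "reject: executable content (MZ signature)"
    if url.lower().endswith(".exe"):
        return "reject: .exe file by name"
    if content_type == "application/x-msdownload":
        return "reject: executable content type"
    return "accept"


@dataclass
class ProxyFirewall:
    """Fetches on the client's behalf, inspects the whole object, logs the data portion."""
    log: List[dict] = field(default_factory=list)

    def _fetch(self, url: str) -> Optional[Tuple[str, bytes]]:
        # The proxy makes the outbound request itself; here that is a table lookup.
        return ORIGIN.get(url)

    def request(self, client: str, url: str) -> Tuple[int, Optional[bytes]]:
        fetched = self._fetch(url)
        if fetched is None:
            self.log.append({"client": client, "url": url, "verdict": "origin returned nothing"})
            return 404, None
        content_type, body = fetched
        verdict = inspect(url, content_type, body)
        # Detailed log entry, including a sample of the data, as proxy firewalls keep.
        self.log.append({
            "client": client,
            "url": url,
            "content_type": content_type,
            "bytes": len(body),
            "data_sample": body[:16],
            "verdict": verdict,
        })
        if verdict != "accept":
            return 403, None
        return 200, body


def demo() -> Dict[str, int]:
    """Request each constructed URL through the proxy and collect the HTTP status returned."""
    fw = ProxyFirewall()
    results = {}
    for path in ("index.html", "setup.exe", "readme.txt", "notes.txt", "missing.html"):
        status, _ = fw.request("10.0.0.5", "http://www.example.com/" + path)
        results[path] = status
    return results


if __name__ == "__main__":
    print(demo())
```

The cost the article mentions is visible in the structure: every object is fetched in full and examined before a single byte reaches the client, so the proxy needs memory for the object and CPU for the inspection, in exchange for a log that records what was actually transferred.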
When a firewall is described as a stateful inspection firewall, it examines packets at the network layer just as packet filtering does, but rather than simply applying filtering rules to that information, it uses it in an intelligent way to block unauthorized traffic. It analyzes the data to make sure connection requests occur in the proper sequence. This firewall tracks each communications session from start to end and enforces the set rules based on protocol, port, and source and destination addresses.
By maintaining all session data, the firewall can quickly verify that new incoming packets meet the criteria for authorized traffic. Packets that aren't part of an authorized session are rejected.
Stateful inspection firewalls have the advantage of being both smart and fast.
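An added example, not code from the original article, of the session tracking described above. The firewall keeps a table keyed by the two endpoints of each TCP connection and walks each session through the handshake states in order: only a host on the inside network (assumed here to be 192.168.1.0/24, a constructed value) may open a session with a bare SYN, the outside side must answer with SYN/ACK before anything else is accepted, data flows only once the session is established, and the entry is dropped when the close sequence completes. Packets that are not part of an authorized session, or that arrive out of sequence, are rejected even though a plain access list permitting port 80 would have let them through.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Tuple

INSIDE = ip_network("192.168.1.0/24")  # constructed "trusted" side of the firewall


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: FrozenSet[str]  # subset of {"SYN", "ACK", "FIN", "RST"}


def tcp(src: str, dst: str, sport: int, dport: int, *flags: str) -> Packet:
    """Convenience constructor for the constructed packets below."""
    return Packet(src, dst, sport, dport, frozenset(flags))


class StatefulFirewall:
    def __init__(self) -> None:
        # (inside_ip, inside_port, outside_ip, outside_port) -> handshake state
        self.sessions: Dict[Tuple[str, int, str, int], str] = {}

    @staticmethod
    def _key(pkt: Packet) -> Tuple[Tuple[str, int, str, int], str]:
        """Normalize so both directions of a session map to the same table entry."""
        if ip_address(pkt.src) in INSIDE:
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport), "out"
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport), "in"

    def process(self, pkt: Packet) -> str:
        key, direction = self._key(pkt)
        state = self.sessions.get(key)
        f = pkt.flags
        if state is None:
            # Only an inside host may open a session, and only with a bare SYN.
            if direction == "out" and f == {"SYN"}:
                self.sessions[key] = "SYN_SENT"
                return "permit"
            return "reject: not part of an authorized session"
        if "RST" in f:
            # A reset from either side tears the session down.
            del self.sessions[key]
            return "permit"
        if state == "SYN_SENT":
            if direction == "in" and f == {"SYN", "ACK"}:
                self.sessions[key] = "SYN_RECEIVED"
                return "permit"
            return "reject: out of sequence (expected SYN/ACK from outside)"
        if state == "SYN_RECEIVED":
            if direction == "out" and f == {"ACK"}:
                self.sessions[key] = "ESTABLISHED"
                return "permit"
            return "reject: out of sequence (expected ACK from inside)"
        if state == "ESTABLISHED":
            if "SYN" in f:
                return "reject: SYN inside an established session"
            if "FIN" in f:
                self.sessions[key] = "FIN_WAIT"   # first side has finished sending
            return "permit"
        if state == "FIN_WAIT":
            if "FIN" in f:
                self.sessions[key] = "LAST_ACK"   # second side has finished too
            return "permit"
        if state == "LAST_ACK":
            if "ACK" in f:
                del self.sessions[key]            # close complete; forget the session
                return "permit"
            return "reject: out of sequence (expected final ACK)"
        return "reject: unknown state"


if __name__ == "__main__":
    fw = StatefulFirewall()
    client, server = "192.168.1.10", "203.0.113.80"
    print(fw.process(tcp(server, client, 80, 5555, "SYN")))         # unsolicited inbound: reject
    print(fw.process(tcp(client, server, 5555, 80, "SYN")))         # inside opens: permit
    print(fw.process(tcp(server, client, 80, 5555, "SYN", "ACK")))  # proper reply: permit
    print(fw.process(tcp(client, server, 5555, 80, "ACK")))         # established: permit
```

Because the table holds every live session, the check for a new packet is a single lookup plus a state comparison, which is why the article can call this approach both smart and fast: the intelligence is in the state machine, not in any per-packet parsing of content.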
Packet-based, proxy, and stateful inspection used to be distinctly different types of firewalls, but today nearly all modern firewall appliances are hybrids that provide packet-based, proxy, and stateful inspection firewalling.