Firewall Types and Selection Guide
Firewalls represent the foundational control layer in network security architecture, governing which traffic is permitted to cross network boundaries based on defined rule sets, protocol inspection, or behavioral analysis. This page covers the principal firewall classifications, the mechanisms that distinguish them, the deployment scenarios each addresses, and the decision criteria used by security architects to match firewall type to operational requirements. The frameworks referenced include standards from NIST and regulatory mandates from bodies such as CISA and the Payment Card Industry Security Standards Council.
Definition and scope
A firewall is a network security device — hardware, software, or a combination of both — that monitors and controls incoming and outgoing network traffic according to predetermined security rules (NIST SP 800-41 Rev. 1). The boundary a firewall enforces may exist between an internal network and the public internet, between two internal network segments, or at the host level on an individual endpoint.
Firewalls are classified by the OSI layer at which they operate, the depth of inspection they perform, and the form factor in which they are deployed. The five primary classifications recognized in NIST SP 800-41 Rev. 1 are:
- Packet-filtering firewalls — inspect individual packets at the network layer (Layer 3) using source/destination IP addresses, ports, and protocols.
- Stateful inspection firewalls — track the state of active connections and make decisions based on connection context, not individual packets alone.
- Application-layer (proxy) firewalls — operate at Layer 7, proxying connections and inspecting application-specific protocol content such as HTTP, FTP, or DNS.
- Next-generation firewalls (NGFWs) — combine stateful inspection with deep packet inspection, intrusion prevention, TLS decryption, and application-layer awareness in a single platform.
- Web application firewalls (WAFs) — purpose-built Layer 7 controls specifically targeting HTTP/S traffic to protect web-facing applications from threats classified in the OWASP Top 10.
Within regulated industries, firewall deployment is not discretionary. PCI DSS Requirement 1 mandates firewall installation and maintenance for all entities that store, process, or transmit cardholder data. HIPAA's Security Rule under 45 CFR §164.312(e)(1) requires technical security measures to guard against unauthorized access to ePHI transmitted over electronic communications networks, a requirement commonly fulfilled in part through firewall controls.
The Network Security Providers directory on this reference site indexes service providers organized by these technical categories.
How it works
Each firewall classification operates through a distinct inspection mechanism.
Packet-filtering applies access control lists (ACLs) to each packet in isolation. A rule permitting TCP traffic on port 443 from any source to a specific destination IP passes matching packets without evaluating whether the traffic belongs to an established session. This creates exposure to IP spoofing and fragmentation attacks because no session context is retained.
Stateful inspection, introduced commercially in the early 1990s, maintains a state table of active TCP and UDP connections. When a new packet arrives, the firewall checks whether it belongs to an existing, established session. Packets that do not correspond to any known session state are dropped by default. This mechanism closes the spoofing gap inherent in pure packet-filtering but still operates below the application layer.
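As an added illustration (not code from this page), the following Python simulation contrasts the two mechanisms just described: a stateless ACL that must approximate "established" traffic by source port and ACK flag, and a stateful firewall that consults a session table. All addresses, ports and packets are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags, e.g. frozenset({"SYN"}) or frozenset({"ACK"})

# Constructed ACL for an internal client network: allow HTTPS out and allow
# replies back in. A stateless filter has no session context, so it can only
# approximate "reply traffic" as "source port 443 with the ACK flag set".
def stateless_allows(pkt: Packet, outbound: bool) -> bool:
    if outbound:
        return pkt.dport == 443
    return pkt.sport == 443 and "ACK" in pkt.flags

class StatefulFirewall:
    def __init__(self):
        self.table = set()  # (client, cport, server, sport) of open sessions

    def allows(self, pkt: Packet, outbound: bool) -> bool:
        if outbound:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == frozenset({"SYN"}) and pkt.dport == 443:
                self.table.add(key)   # new HTTPS session: record it
                return True
            return key in self.table  # later packets must match a session
        # inbound: the reversed 4-tuple must already be in the state table
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table

def run_scenario() -> dict:
    """Verdicts of each filter on a legitimate exchange and on a stray packet."""
    fw = StatefulFirewall()
    syn = Packet("10.0.0.7", 51000, "203.0.113.10", 443, frozenset({"SYN"}))
    synack = Packet("203.0.113.10", 443, "10.0.0.7", 51000, frozenset({"SYN", "ACK"}))
    # Packet that matches the stateless reply rule but belongs to no session
    stray = Packet("198.51.100.9", 443, "10.0.0.7", 3389, frozenset({"ACK"}))
    return {
        "stateless": [stateless_allows(syn, True), stateless_allows(synack, False),
                      stateless_allows(stray, False)],
        "stateful": [fw.allows(syn, True), fw.allows(synack, False),
                     fw.allows(stray, False)],
    }
```

The stateless filter passes all three packets; the stateful firewall drops the third because no matching entry exists in its table.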
Application-layer (proxy) firewalls terminate both ends of a connection. The firewall acts as the endpoint for the client, establishes a separate connection to the destination server, and inspects the full application-layer payload in between. This allows inspection of HTTP methods, DNS query content, or FTP command sequences, but introduces latency and requires a dedicated proxy engine for each supported protocol.
Next-generation firewalls integrate deep packet inspection (DPI), application identification by signature or behavioral pattern, intrusion prevention system (IPS) engines, and — in most enterprise implementations — TLS inspection via certificate interception. According to NIST SP 800-41 Rev. 1, NGFW platforms are expected to enforce policies based on application identity rather than port and protocol alone, addressing the widespread use of non-standard ports by modern applications.
WAFs apply signature-based and behavioral rule sets specifically targeting web application attacks: SQL injection, cross-site scripting (XSS), path traversal, and the other categories enumerated in the OWASP Top 10. WAFs may be deployed inline in hardware form, as reverse-proxy software, or as cloud-based services. CISA's Known Exploited Vulnerabilities Catalog consistently lists web application vulnerabilities as high-frequency targets, reinforcing WAF deployment at public-facing application boundaries.
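As an added example (not from this page or any vendor product), the following Python code sketches the signature-based part of a WAF rule set for the three attack classes named above. The request samples and signatures are constructed; note that the decoder normalizes percent-encoding before matching, since encoded payloads would otherwise bypass literal patterns.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# Constructed signature set for the attack classes the page names. Patterns are
# kept narrow (e.g. specific event handlers) to limit false positives on
# ordinary words such as "online".
SIGNATURES = {
    "sqli": re.compile(r"(?i)(\bunion\b\s+\bselect\b|'\s*or\s+\d+\s*=\s*\d+|--\s*$)"),
    "xss": re.compile(r"(?i)(<script\b|javascript:|\bon(load|error|click|mouse\w*)\s*=)"),
    "path_traversal": re.compile(r"(\.\./|\.\.\\)"),
}

def normalize(value: str) -> str:
    """Decode percent-encoding twice so double-encoded input is inspected in the clear."""
    return unquote_plus(unquote_plus(value))

def inspect_request(method: str, target: str, body: str = "") -> list:
    """Return the names of signatures matched in the path, query or form body."""
    parts = urlsplit(target)
    fields = [normalize(parts.path)]
    fields += [normalize(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    if method == "POST":
        fields += [normalize(v) for _, v in parse_qsl(body, keep_blank_values=True)]
    return [name for name, pat in SIGNATURES.items()
            if any(pat.search(f) for f in fields)]

def waf_decision(method: str, target: str, body: str = "") -> tuple:
    """Block on any signature hit; report which rules fired for logging."""
    hits = inspect_request(method, target, body)
    return ("block" if hits else "allow", hits)
```

Signature matching of this kind is only the baseline; production WAFs pair it with the behavioral rule sets and rate-based controls mentioned above.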
Common scenarios
Perimeter defense for enterprise networks — Stateful inspection or NGFW appliances deployed at the network edge, separating internal LAN segments from internet-facing DMZ zones. NIST SP 800-41 Rev. 1 recommends a minimum two-firewall DMZ architecture for organizations hosting public-facing services, placing web and mail servers in a segment separated from both the internet and the internal trusted network.
Segmentation inside the network perimeter — Internal firewalls or micro-segmentation policies enforced by host-based firewall rules limit lateral movement following a perimeter breach. The NIST Cybersecurity Framework (Function: Protect, Category: PR.AC) identifies network segmentation as a core protective control.
Cloud and hybrid environments — Virtual firewall appliances or cloud-native security groups fulfill stateful packet-filtering roles within AWS VPCs, Azure Virtual Networks, or Google Cloud VPC configurations. Each major cloud provider publishes reference architectures aligning with CIS Benchmarks for their respective platforms.
Payment card processing environments — PCI DSS Requirement 1 specifies firewall rule sets must restrict inbound and outbound traffic to only that which is necessary for the cardholder data environment, with a formal change-management process for rule modifications.
Web application protection — Organizations subject to FTC Act Section 5 enforcement related to unfair or deceptive data security practices, or subject to state data protection statutes in California (CCPA) or Virginia (VCDPA), deploy WAFs as a technical safeguard for consumer-facing web applications.
Those researching vendor and service provider options can consult the Network Security Providers listing, organized by deployment type and capability tier.
Decision boundaries
Selecting a firewall type involves matching technical capability to the specific threat model, compliance obligation, and operational context. The following criteria define the primary decision boundaries:
OSI layer of required inspection — If threat vectors are limited to network-layer attacks and port-based access control is sufficient, stateful inspection provides adequate coverage at lower processing overhead. If application-layer threats — including encrypted malicious payloads — are present in the threat model, NGFW or WAF deployment is required.
Packet-filtering vs. stateful inspection — Packet-filtering is appropriate only in environments with strict bandwidth constraints and well-controlled point-to-point topologies, such as industrial control system (ICS) segments where NIST SP 800-82 Rev. 3 governs OT network security. For general enterprise traffic, stateful inspection is the minimum accepted baseline.
NGFW vs. dedicated WAF — These are not mutually exclusive. NGFWs provide broad north-south and east-west traffic control but are not optimized for deep HTTP/S application protocol analysis at web-application layer granularity. WAFs are purpose-built for that layer and are recommended as a distinct, additive control for public-facing web applications, not a replacement for network-layer firewalls.
Hardware vs. software vs. cloud-native — Hardware appliances provide deterministic throughput and are preferred in high-volume on-premises environments. Software-defined virtual firewalls suit data center virtualization and hybrid cloud topologies. Cloud-native security groups and WAF services reduce management overhead but require alignment with the shared responsibility model documented by cloud service providers.
Throughput and latency requirements — Application-proxy firewalls introduce measurable latency because every connection is terminated and re-established. In latency-sensitive environments — financial trading infrastructure, real-time communications — the inspection depth of a full application proxy may be architecturally incompatible with service-level requirements.
For the broader regulatory and standards landscape governing firewall selection, the Network Security Authority purpose and scope page provides the framework context within which these controls are evaluated. Professionals assessing how this reference is structured and organized can consult the How to Use This Network Security Resource page.