Chapter 66 Β· Concepts

Firewall Types β€” Concept Reference

Firewall type comparison, OSI layer mapping, UTM feature inventory, NGFW vs. traditional firewall, WAF deployment model, and use-case selection guide.

Firewall Type Comparison β€” At a Glance

Firewall TypeOSI LayerFiltering BasisKey CapabilitiesPrimary Use CaseKey Limitation
Traditional Network FirewallLayer 3–4IP address, port number, protocolNAT, VPN, routing, packet filtering by port/IPNetwork boundary; ingress/egress controlCannot identify application β€” any traffic on an allowed port passes through
UTM (Unified Threat Management)Primarily Layer 4 (some Layer 7)Port/protocol + limited application detectionFirewall, IDS/IPS, URL filter, malware scan, spam filter, VPN, bandwidth shaping β€” all in oneSMB environments needing multi-function security in one boxPerformance degrades with multiple features enabled; typically Layer 4 not Layer 7
NGFW (Next-Generation Firewall)Layer 7 (all layers)Application identity, user identity, contentDPI, app control (regardless of port), integrated IPS, URL categorization, full packet decodeEnterprise network boundary; application-aware policy enforcementHigher processing demand than traditional; requires more resources per-packet
WAF (Web Application Firewall)Layer 7 β€” HTTP/HTTPS onlyHTTP input validation (URL, parameters, headers, body)SQL injection/XSS/path traversal blocking; input sanitization; application behavior validationProtecting web-facing applications; PCI DSS compliance for e-commerceOnly protects HTTP/HTTPS β€” not a general-purpose network firewall; must be paired with NGFW

OSI Layer Decision Map β€” Which Firewall Sees What

OSI LayerData at This LayerTraditional FirewallUTMNGFWWAF
Layer 3 β€” NetworkSource/destination IP addressβœ“ Yesβœ“ Yesβœ“ YesPartial (sees IP in HTTP headers)
Layer 4 β€” TransportTCP/UDP port number, protocolβœ“ Yesβœ“ Yesβœ“ YesPort (HTTP=80, HTTPS=443)
Layer 7 β€” ApplicationApplication identity, user data, protocol contentβœ— NoLimitedβœ“ Full decodeβœ“ HTTP/HTTPS only
HTTP InputURL, query parameters, POST body, cookies, headersβœ— Noβœ— NoPartial (app ID)βœ“ Full validation

UTM Feature Inventory

UTM FeatureWhat It DoesOSI Layer
FirewallPort and protocol-based traffic filtering; allow/deny by IP and portLayer 3–4
URL Filtering / Content InspectionBlock access to websites by category or URL; enforce acceptable use policyLayer 7
Malware InspectionScan file transfers and downloads against malware signaturesLayer 7
Spam FilterBlock unwanted email at the network perimeter before delivery to mail serversLayer 7
IDS/IPSDetect and block known attack signatures in trafficLayer 4–7
VPN EndpointTerminate site-to-site and remote-access VPN tunnelsLayer 3–4
Bandwidth Shaping / QoSPrioritize critical business traffic over recreational trafficLayer 4–7
Routing / SwitchingAct as the gateway router; some models include switch portsLayer 2–3
CSU/DSUWAN interface hardware for connecting to carrier circuits (T1, DS3)Layer 1

Performance caveat: Enabling more UTM features simultaneously increases processing load. A UTM running all features at once will have significantly lower throughput than the same device running only firewall functions. Size the UTM to handle peak load with all required features enabled.

Traditional Firewall vs. NGFW β€” Application Identification

Scenario: Organization uses port 443 (HTTPS). Three different applications all use port 443.

ApplicationPort UsedWhat Traditional Firewall SeesWhat NGFW SeesNGFW Policy Applied
YouTube (viewing)443HTTPS β€” allowed (port 443 open)YouTube video streaming β€” identified by DPIAllow viewing; block uploading
Twitter (posting)443HTTPS β€” allowed (same rule)Twitter API β€” identified by DPIAllow reading; block posting
Microsoft SQL Server (via SSL)443 (non-standard)HTTPS β€” allowed (same rule)SQL Server TDS protocol β€” identified by DPIAllow from authorized DB server IPs only
Peer-to-peer (tunneled through HTTPS)443HTTPS β€” allowed (same rule)BitTorrent over HTTPS β€” identified by DPIBlock β€” P2P policy

The traditional firewall sees four identical entries: "TCP 443 inbound β€” allow." The NGFW sees four different applications and applies four different policies.

WAF Deployment Architecture

Internet traffic
    β†“
[NGFW / Perimeter Firewall]
    Function: Network-level filtering
    Blocks: Bad source IPs, non-HTTP protocols, unauthorized ports
    Sees: IP addresses, ports, application type (HTTPS)
    β†“
[WAF β€” deployed as Reverse Proxy]
    Function: HTTP/HTTPS input validation
    Blocks: SQL injection, XSS, path traversal, HTTP anomalies
    Sees: Full HTTP request β€” URL, parameters, headers, POST body, cookies
    β†“
[Web Application Server]
    Receives only clean, validated HTTP requests
    Never sees blocked attack traffic β€” WAF absorbed it upstream
    β†“
[Database Server]
    No SQL injection reaches here β€” WAF blocked it at the HTTP layer

Firewall Selection Guide β€” Matching Requirements to Type

RequirementBest Firewall TypeWhy
Block access to social media for all employeesNGFW (or UTM)Requires application identification β€” social media uses HTTPS; a traditional firewall cannot distinguish it from other HTTPS traffic
Protect a payment processing web application from SQL injectionWAFSQL injection is HTTP input-level β€” requires HTTP payload inspection, not network-level filtering
PCI DSS compliance for e-commerce siteWAF (mandatory)PCI DSS explicitly requires WAF for cardholder data environment web applications
Small business needs firewall + IPS + VPN + spam filter in one boxUTMUTM bundles all of these in a single device; cost-effective for SMB scale
Allow SQL Server traffic only from authorized internal servers, any portNGFWRequires application identification (SQL Server protocol) regardless of port β€” only NGFW DPI can do this
Block all outbound traffic to "gambling" category websitesNGFW (or UTM)URL categorization is a feature of NGFW and UTM, not traditional firewalls
Simple port-based filtering at network edge with NAT and site-to-site VPNTraditional firewallLayer 4 rules, NAT, and VPN are traditional firewall capabilities; no need for NGFW overhead if application identification is not required

NGFW Alternative Names β€” Same Technology, Different Labels

TermWhat It EmphasizesMeaning
Next-Generation Firewall (NGFW)Evolution beyond traditional firewallsLayer 7 application-aware firewall with DPI, IPS integration, and URL categorization
Application Layer GatewayWhich OSI layer it operates atFirewall that understands and makes decisions based on Layer 7 application protocols
Stateful Multilayer InspectionHow it inspects traffic (state + multiple layers)Combines stateful connection tracking with inspection across Layers 3–7
Deep Packet Inspection (DPI)The inspection technique usedFull payload decode of every packet β€” identifies application, content, and behavior

On the exam, any question describing a firewall that operates at Layer 7, identifies specific applications, or performs deep packet inspection is asking about an NGFW β€” regardless of which term is used.