Type of Firewall and Placement

CISSPGOALCISSPGOAL Posts: 27Member ■□□□□□□□□□
I have compiled the following for sharing. If it is incorrect, please do let me know.

Firewall Generation

Firewall Type


OSI Layer

Generation 1 Firewall

Packet Filtering

Examines both the source and destination addresses of the incoming data packet and applies ACL’s to them.

Layer 3 (Network Layer) or Layer 4 Transport Layer

Generation 2 Firewall

Application and Circuit FW are the only types of proxy based firewall

Proxy Server

2 types of proxy firewall

1) circuit level proxy

-Often called a Proxy Server. It works by transferring a copy of each accepted data packet from one network to another.

-Looks only at the header packet information/make decision based on header information and not the protocol structure e.g Socks firewall

Layer 5 (Session Layer)

2) Application Proxy

Look deeps into packets and make granular access control decision. It required one proxy per protocol

Layer 7 (Application Layer)

Generation 3 Firewall

Stateful inspection

Packets are captured by the inspection engine operating at the network layer and then analyzed at all layers

Layer 3 (Network Layer)

Generation 4 Firewall

Dynamic packet filtering

Makes informed decisions on the ACL’s to apply

Layer 3 (Network Layer)

Generation 5 Firewall

Kernel Proxy

- Very specialized architecture that provides modular kernel-based, multi-layer evaluation and runs in the NT executive space
- Faster because processing is done at the kernel.
- One network stake is created for each packet

Layer 7 (Application Layer)

Notes :
1) Application and Circuit are only types of proxy based firewall
2) Packet and stateful firewall do not use proxy





Client Server Model

Peer to Peer model

Client Server Model

Client Server Model





Combine Authentication, Authorization and accounting service

Authentication & Authorization not done by DIAMETER BASE protocol but by diameter application

Separates authentication, authorization, and accounting services

Separates authentication, authorization, and accounting services

User Name is not encrypted

-Only encrypt password between RADIUS client and RADIUS server.

RADIUS support 28 attribute-value pairs

DIAMETER is peer to peer

RADIUS and TACACS+ are client to server

DIAMETER support 232 attribute-value pairs

Users send an ID and a static (reusable) password for authentication (Used fixed password for authentication

Entire TACAC+ Packet is encrypted

Can use multiple authentication type (PAP, CHAP, EAP)

Remote Authentication Dial-in User Service (RADIUS) is an authentication protocol that allows users to dial into an environment and authenticate over a PPP or SLIP connection


PPP, AppleTalk, NetBIOS, IPX, and others

PPP, AppleTalk, NetBIOS, IPX, and others

Uses UDP port 1812 (Authentication), and auditing 1813 (Accounting)

TACACS+ uses TCP port 49

Used by ISP

Mobile IP (Wireless Device Technology)

Diameter Advantage over RADIUS
- Diameter use more reliable TCP protocol instead of UDP
- A Diameter session can be encrypted with SSL (TLS)


  • Spin LockSpin Lock Posts: 142Member
    Thanks for taking the time to put this together and sharing it.

    I've got two comments about the AAA chart:

    1. TACACS, I believe, supports both TCP and UDP.

    2. You chart describes DIAMETER as a peer to peer protocol, which I've seen it referred to as well. However, DIAMETER still defines systems as clients and servers. So when a user authenticates, it will be with a DIAMETER client which then sends that information to a DIAMETER server. The point I'm trying to make is, not to get confused and assume "peer to peer" means any DIAMETER node can perform client and server duties simultaneously.

    RFC 3588 defines DIAMETER, and this is what it says about DIAMETER being a peer to peer implementation:

    Any node can initiate a request. In that sense, Diameter is a peer- to-peer protocol.... ...A Diameter client generates Diameter messages to request authentication, authorization, and accounting services for the user. A Diameter agent is a node that does not authenticate and/or authorize messages locally; agents include proxies, redirects and relay agents. ...A Diameter server performs authentication and/or authorization of the user. A Diameter node MAY act as an agent for certain requests while acting as a server for others.
  • SirkassadSirkassad Posts: 32Member ■■□□□□□□□□
    I realize I'm a little late to the 'firewall' party but you did say if we have any corrections to let you know. In your 2nd generation firewall you have proxy server and you say:
    Generation 2 Firewall
    Application and Circuit FW are the only types of proxy based firewall

    Which is wrong because the 5th generation 'Kernel Proxy' firewall (you even call Kernel a proxy firewall so you should have caught it yourself) is also a proxy based firewall, meaning that the Application Proxy , Circuit level Proxy, and Kernel proxy firewalls all break the connection between sender and receiver and act as the middleman. The main difference is that the Kernel builds a 'virtual' protocol stack based on the type of application packet it receives.
  • OliLueOliLue Posts: 3Registered Users ■□□□□□□□□□
    Great work. Thanks for this help and the discussion.
Sign In or Register to comment.