Firewalls and their generations

Hello everyone,

I came accross with a question regarding firewall generations and by looking at different sources I am unable to reach to a conclusion

This question is from Sybex CISSP: Certified Information Systems Security Professional Study Guide, Sixth Edition

If you look at the chapter contents it does not mention anything about generations but the question claims that Stateful Inspection Firewalls are 3rd generation.

When I go to chapter contents the order the firewalls are listed is:

Static packet filtering
Application level gateway
Circuit Level Gateway
Stateful inspection

When I read the same chapter from CISSP All-in-One Exam Guide, Sixth Edition by Shon Harris the list looks like

Packet filtering
Stateful
Proxy
Dynamic packet filtering
Kernel proxy

Could you please help me understand which order is correct?

Find more posts tagged with

Comments

Mjoshi

Hi Hunter85.

Please find the below understanding of the correct order for firewall generations:

Packet filters - 1st generation.
Application Proxy / Circuit level proxy - 2nd generation
Stateful - 3rd generation .
Dynamic Packet filtering - 4th generation.
Kernel Proxy - 5th generation

Hunter85

Thank you for the response,

Could you also explain how dynamic packet filtering and kernel proxy firewalls work according to CISSP standards

There are different descriptions even between CISSP study books. (Some books use different naming conventions)

Mjoshi

Hi,

1. Dynamic packet filtering works as the name states " dynamic" i.e. you do not configure any firewall rules and firewall has the capability to create the rules on the fly as per the application demand. Also referred as "pin hole" and sometimes.
Eg. There are applications like SIP, FTP which are very dynamic in nature and requires negotiating of multiple sessions from the originated session on random ports which are usually blocked on the firewall. Hence firewall inspects these sessions& protocols and dynamically creates a specific rule to allow these traffic till the session lifetime.

2. Kernel proxies: To be very honest I am not sure how it works but read that these are some specialized kernel level firewalls introduced in windows.

Thanks,