Firewalls and their generations

Hunter85Hunter85 Member Posts: 60 ■■■□□□□□□□
Hello everyone,

I came accross with a question regarding firewall generations and by looking at different sources I am unable to reach to a conclusion

This question is from Sybex CISSP: Certified Information Systems Security Professional Study Guide, Sixth Edition

If you look at the chapter contents it does not mention anything about generations but the question claims that Stateful Inspection Firewalls are 3rd generation.

When I go to chapter contents the order the firewalls are listed is:

Static packet filtering
Application level gateway
Circuit Level Gateway
Stateful inspection

When I read the same chapter from CISSP All-in-One Exam Guide, Sixth Edition by Shon Harris the list looks like
  • Packet filtering
  • Stateful
  • Proxy
  • Dynamic packet filtering
  • Kernel proxy

Could you please help me understand which order is correct?


  • MjoshiMjoshi Member Posts: 17 ■□□□□□□□□□
    Hi Hunter85.

    Please find the below understanding of the correct order for firewall generations:

    Packet filters - 1st generation.
    Application Proxy / Circuit level proxy - 2nd generation
    Stateful - 3rd generation .
    Dynamic Packet filtering - 4th generation.
    Kernel Proxy - 5th generation
  • Hunter85Hunter85 Member Posts: 60 ■■■□□□□□□□
    Thank you for the response,

    Could you also explain how dynamic packet filtering and kernel proxy firewalls work according to CISSP standards

    There are different descriptions even between CISSP study books. (Some books use different naming conventions)
  • MjoshiMjoshi Member Posts: 17 ■□□□□□□□□□

    1. Dynamic packet filtering works as the name states " dynamic" i.e. you do not configure any firewall rules and firewall has the capability to create the rules on the fly as per the application demand. Also referred as "pin hole" and sometimes.
    Eg. There are applications like SIP, FTP which are very dynamic in nature and requires negotiating of multiple sessions from the originated session on random ports which are usually blocked on the firewall. Hence firewall inspects these sessions& protocols and dynamically creates a specific rule to allow these traffic till the session lifetime.

    2. Kernel proxies: To be very honest I am not sure how it works but read that these are some specialized kernel level firewalls introduced in windows.

Sign In or Register to comment.