Firewall Technologies


Firewalls are devices or programs that control network traffic flow between networks or hosts in different security zones using various technologies such as packet filtering, stateful inspection, proxy, stateful protocol analysis, etc.

Firewall Interfaces and Zones (figure)

Stateless Packet Filtering and Stateful Connection Inspection

The most basic firewall feature is packet filtering at the network or transport layer without maintaining any context or monitoring the state of communications. In other words, every packet is evaluated on its own, with no memory of the packets that came before it.

A firewall capable of stateful inspection improves the functions of packet filters by tracking the state of connections and blocking packets that deviate from the expected state; this is accomplished by incorporating greater awareness of the transport layer.
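To make the difference concrete, here is an added Python illustration (not code from the page or from NIST SP 800-41): a stateless packet filter that has to guess "return traffic" from the ACK flag alone, beside a minimal stateful connection tracker that admits packets only when they fit the expected state of a tracked flow. The addresses, ports and rule base are constructed assumptions.

```python
from collections import namedtuple
# TCP header fields a packet filter sees; flags is a frozenset of flag names
Packet = namedtuple("Packet", "src sport dst dport flags")
INTERNAL = "10.0.0."  # constructed: prefix of the protected client network
def stateless_allow(pkt):
    # Packet filter: judges each packet by its own header fields only. Permits
    # outbound web requests, and guesses "return traffic" from the ACK flag alone.
    if pkt.src.startswith(INTERNAL) and pkt.dport == 80:
        return True
    return pkt.dst.startswith(INTERNAL) and pkt.sport == 80 and "ACK" in pkt.flags

class StatefulFirewall:
    # Stateful inspection: a table keyed on the 4-tuple (client side first);
    # a packet is admitted only if it fits the expected state of a tracked flow.
    def __init__(self):
        self.table = {}  # (client, cport, server, sport) -> "SYN_SENT" | "ESTABLISHED"
    def allow(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)  # client -> server
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # server -> client
        if fwd not in self.table and rev not in self.table:
            # Unknown flow: only a bare SYN that the rule base permits opens an entry
            if pkt.flags == {"SYN"} and stateless_allow(pkt):
                self.table[fwd] = "SYN_SENT"
                return True
            return False
        key = fwd if fwd in self.table else rev
        if self.table[key] == "SYN_SENT" and key == rev and pkt.flags == {"SYN", "ACK"}:
            self.table[key] = "ESTABLISHED"  # server answered the handshake
            return True
        if self.table[key] == "ESTABLISHED" and "SYN" not in pkt.flags:
            if pkt.flags & {"FIN", "RST"}:
                del self.table[key]  # connection torn down
            return True
        return False  # packet deviates from the expected state

def demo():
    # Constructed traffic: a legitimate handshake, then a stray ACK for a connection never opened
    client, server, outsider = "10.0.0.7", "198.51.100.10", "203.0.113.9"
    fw = StatefulFirewall()
    syn = Packet(client, 40000, server, 80, frozenset({"SYN"}))
    synack = Packet(server, 80, client, 40000, frozenset({"SYN", "ACK"}))
    data = Packet(server, 80, client, 40000, frozenset({"ACK"}))
    stray = Packet(outsider, 80, client, 4444, frozenset({"ACK"}))
    return {
        "handshake_stateless": [stateless_allow(p) for p in (syn, synack, data)],
        "handshake_stateful": [fw.allow(p) for p in (syn, synack, data)],
        "stray_stateless": stateless_allow(stray),  # passes: ACK looks "established"
        "stray_stateful": fw.allow(stray),          # dropped: no tracked connection
    }
```

Both firewalls pass the genuine handshake, but only the stateful one rejects the stray packet, because it has never seen the connection the packet claims to belong to.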

Proxy

A proxy is an agent “that acts as an intermediary between two hosts that wish to communicate with each other, and never allows a direct connection between them. Each successful connection attempt actually results in the creation of two separate connections—one between the client and the proxy server, and another between the proxy server and the true destination.” (NIST SP 800-41 R1)

Proxies commonly work at the session or application layer. Session-level proxies are also known as circuit-level gateways or circuit proxies. Application-level proxies can be implemented as a firewall feature called an application-proxy gateway or deployed as a dedicated proxy server.

Circuit-Level Gateways/Circuit Proxies

“Circuit-level gateways work at the session layer of the OSI model, or as a ‘shim-layer’ between the application layer and the transport layer of the TCP/IP stack. They monitor TCP handshaking between packets to determine whether a requested session is legitimate. Information passed to a remote computer through a circuit-level gateway appears to have originated from the gateway.” (Wikipedia)

Circuit-level gateways are typically implemented as a proxy that does not filter individual packets. “SOCKS is a de facto standard for circuit-level gateways (level 5 gateways).” (Wikipedia)

Application-Level Proxies

In addition to circuit-level gateways (aka circuit proxies) working at the session layer, most proxies are application-specific. An application-proxy gateway is an application-level proxy implemented as a firewall feature and acting as a gateway; as a result, it can also inspect the actual content of the traffic. A dedicated proxy server, by contrast, typically provides much more limited firewall capabilities, so it is commonly deployed alongside a firewall, as the following diagram depicts:

Application Proxy Configuration (figure; source: NIST SP 800-41 R1)

Application Firewalls

Application firewalls perform stateful protocol analysis (aka deep packet inspection), an advanced form of stateful inspection that examines application-layer content, so traffic can be filtered on its content rather than on headers and connection state alone.
