Firewall: 101

How well do you know your firewall?

Do you know how your firewall works? Firewalls are an essential part of your infrastructure’s defense. It decides which network traffic to reach your computer. The two layers that are involved from the OSI model are 3; Network layer, and 7; Application Layer. Layer 7 interacts directly with the software applications, while layer 3 transfers data.

Firewall Layers

When it comes time to tell your firewall which types of traffic are OK to admit and which ones it should block, there are multiple ways to categorize traffic into “OK” and “not OK” categories. Each approach corresponds to a different firewall “layer,” as defined by the OSI model.

Layer 3 Firewalls (Network Firewalls)

One way is to categorize traffic according to IP addresses. You could tell your firewall to accept traffic from certain IP addresses while blocking all other traffic. Alternatively, you could blacklist IP addresses that you know to be sources of abuse.

If you categorize traffic in these ways, you’re operating on layer 3 of your firewall. You’re essentially allowing and blocking individual network packets depending on where they originated and which ports they want to talk to.

Layer 7 Firewalls (Application Firewalls)

The other common approach to firewall configuration involves layer 7, which is also known as the application layer.

Layer 7 lets you sort traffic according to which application or application service the traffic is trying to reach, and what the specific contents of that traffic are. Rather than simply blocking all traffic on a certain port, you could use an application firewall to accept traffic on that port in general, but block any traffic that contains a known vulnerability.

Layer 3 vs. Layer 7

If layer 7 provides the greatest opportunity for advanced firewall configuration, why would we talk about layer 3 at all? The answer is that they’re different tools that mitigate different kinds of risks and it’s not an either/or question. In most cases, you’d use both a L3 and an L7 firewall and the two complement each other.

L3 firewalls make decisions based on a much more narrow set of variables (IPs and ports) than L7 firewalls, which look at a literally infinite amount of unique requests. Thus, L3 firewalls are generally able to have much greater throughput than L7 firewalls. Further, because they address a lower level of the stack, L3 firewalls cover a wider variety of scenarios than an L7 firewall.

The lack of protocol awareness, though, is a significant blind spot the L7 firewalls address. Especially as HTTP has become the universal app protocol, attackers are more likely to probe and exploit weaknesses within the app layer. So, if you have just an L3 firewall that allows all traffic to port 80, you’re blind to those risks. An L7 firewall is able to look within the app layer and make decisions regarding whether to allow a request based on what it contains—not just the port it’s trying to reach.

Because of these trade-offs, the best model for most scenarios is to use multiple layers of defense in depth; specifically, have an L3 firewall at the edge that only allows inbound traffic on the specific ports your apps use.


Ideally, then, you’ll have the ability to use both layer 3 firewall filtering and layer 7 filtering as needed. By being able to filter both at the network level and the application level, you have maximum ability to protect your infrastructure and services against intruders.

Article written by John Morello at Security Boulevard.


Here at CITON, we believe knowledge is power. We hope this article provides you some insight as to how important our firewall software is to your business. Call us for more information (218) 720-4435.