What is the difference between a SPI Firewall and an Application Layer Firewall? In what circumstances would I prefer one over the other?
I don't know about 'gen2' vs 'gen3', but what I can tell you is this:
SPI firewalls filter on Session 'States'
This firewall keeps track of the State of a TCP or UDP session. This provides an advantage over simpler firewalls for example
This can happen even after the session has supposedly ended by crafting packets with the same details as the session. Stateful firewalls depend on the Three Way Handshake between the two nodes for TCP connections, and will not let traffic through if the handshake hasn't taken place (except, of course, the handshake packets themselves). For UDP traffic, a technique called UDP Hole Punching is used, and the sessions usually get the ESTABLISHED state right away. While nothing is foolproof, SPI firewalls have certainly proved their worth.
Application layer firewalls filter on 'Protocol Signatures'
Now, what does this mean? Consider the following:
Well, we know that doesn't really do much: I run my ssh server on port 443, since most networks allow 443 for general https web traffic. This would be allowed by SPI firewalls because the session state is typically independent of the protocol.
Application layer firewalls, on the other hand, look at the traffic and say "Hey, this looks more like SSH traffic and not https traffic, I'm stopping this conversation because we don't allow ssh traffic."
In short, each protocol has its own signature, if you will. App layer firewalls look at the signatures and 'try' to determine the applications using it, and filter from there.
I know you didn't ask this, but it all depends on your needs. You may need one, the other, or both.
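The following is an added illustration of the two approaches described in the answer above; it is not code from the original post. It models a toy stateful filter that follows the TCP three-way handshake and a toy application-layer filter that matches payload bytes against protocol signatures. The packets, the "only port 443 outbound" policy, the signature rules and the hosts/ports are all constructed for the example, and the state machine is simplified (no timeouts, no TIME_WAIT handling).

```python
"""Toy stateful packet filter next to a toy application-layer filter.

Added illustration for the answer above, not code from the original page.
Packets, signatures and policy are all constructed for the example.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset          # subset of {"SYN", "ACK", "FIN", "RST"}
    payload: bytes = b""

ALLOWED_DPORTS = {443}        # port-based rule: only "https" may be opened outbound

class StatefulFilter:
    """Follows the TCP three-way handshake; data passes only on ESTABLISHED flows."""

    def __init__(self):
        self.table = {}       # (client, cport, server, sport) -> state

    def check(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        f = p.flags
        if "RST" in f:
            # tear down whichever direction is tracked and let the reset through
            self.table.pop(fwd, None); self.table.pop(rev, None)
            return "ACCEPT"
        if "SYN" in f and "ACK" not in f:
            if p.dport not in ALLOWED_DPORTS:
                return "DROP"
            self.table[fwd] = "SYN_SENT"
            return "ACCEPT"
        if "SYN" in f and "ACK" in f:
            if self.table.get(rev) == "SYN_SENT":
                self.table[rev] = "SYN_RECV"
                return "ACCEPT"
            return "DROP"
        # plain ACK / data / FIN: must belong to a tracked flow in either direction
        key = fwd if fwd in self.table else rev if rev in self.table else None
        if key is None:
            return "DROP"     # no handshake seen: a crafted packet is rejected
        state = self.table[key]
        if state == "SYN_RECV" and key == fwd:
            self.table[key] = "ESTABLISHED"   # third handshake packet from the client
        elif state != "ESTABLISHED":
            return "DROP"
        if "FIN" in f:
            del self.table[key]   # simplified close: the same tuple is no longer trusted
        return "ACCEPT"

def classify(payload):
    """Match the first bytes of a payload against constructed protocol signatures."""
    if payload.startswith(b"SSH-"):
        return "ssh"                     # SSH identification string
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"                     # TLS record header, handshake content type
    if payload.split(b" ", 1)[0] in {b"GET", b"POST", b"HEAD"}:
        return "http"
    return "unknown"

PORT_POLICY = {443: {"tls"}}             # application protocols each allowed port may carry

class ApplicationFilter:
    """Ignores port numbers and decides on what the payload looks like."""

    def check(self, p):
        if not p.payload:
            return "ACCEPT"              # handshake/control packets carry no protocol data
        allowed = PORT_POLICY.get(p.dport, set()) | PORT_POLICY.get(p.sport, set())
        return "ACCEPT" if classify(p.payload) in allowed else "DROP"

def session(client, server, port, client_data):
    """Constructed packets for one TCP session: handshake, one data packet, FIN."""
    c = (client, 51000, server, port)
    s = (server, port, client, 51000)
    return [
        Packet(*c, frozenset({"SYN"})),
        Packet(*s, frozenset({"SYN", "ACK"})),
        Packet(*c, frozenset({"ACK"})),
        Packet(*c, frozenset({"ACK"}), client_data),
        Packet(*c, frozenset({"FIN", "ACK"})),
    ]

SSH_BANNER = b"SSH-2.0-OpenSSH_9.6\r\n"                            # constructed sample
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"      # truncated, constructed

def run(packets):
    """Return (spi_verdicts, app_verdicts, combined) for a packet sequence."""
    spi, app = StatefulFilter(), ApplicationFilter()
    spi_v = [spi.check(p) for p in packets]
    app_v = [app.check(p) for p in packets]
    combined = ["ACCEPT" if a == b == "ACCEPT" else "DROP" for a, b in zip(spi_v, app_v)]
    return spi_v, app_v, combined

def ssh_over_443():      # the answer's case: SSH hidden on the https port
    return run(session("10.0.0.5", "203.0.113.7", 443, SSH_BANNER))

def tls_over_443():      # genuine https
    return run(session("10.0.0.5", "203.0.113.7", 443, TLS_CLIENT_HELLO))

def ssh_on_22():         # blocked by the port rule before any state exists
    return run(session("10.0.0.5", "203.0.113.7", 22, SSH_BANNER))

def replay_after_close():  # crafted packet reusing the tuple after the FIN
    pkts = session("10.0.0.5", "203.0.113.7", 443, TLS_CLIENT_HELLO)
    pkts.append(Packet("10.0.0.5", 51000, "203.0.113.7", 443, frozenset({"ACK"}), TLS_CLIENT_HELLO))
    return run(pkts)

if __name__ == "__main__":
    for name, fn in [("ssh over 443", ssh_over_443), ("tls over 443", tls_over_443),
                     ("ssh on 22", ssh_on_22), ("replay after close", replay_after_close)]:
        spi_v, app_v, comb = fn()
        print(f"{name:20} SPI={spi_v} APP={app_v} combined={comb}")
```

Running it shows the split the answer describes: the SSH-on-443 session passes the stateful filter on every packet (the handshake is valid and the port is allowed) but the application-layer filter drops the data packet because the payload carries an SSH signature on a port where only TLS is permitted; conversely, the replayed packet after the FIN is dropped only by the stateful filter, since its payload looks like perfectly valid TLS.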