What Is a Packet-Filtering Firewall? Is It Right For You?


A packet-filtering firewall is a firewall that controls data flow into and out of a network. It’s a solution that allows packets to travel between networks while controlling their flow through the use of user-defined IP addresses, protocols, ports, and rules. Routing of packets is only successful when they have satisfied the predetermined filtering rules.

How Packet Filtering Works

Packet filtering determines whether to grant or deny packet access based on source and destination IP addresses, protocols, ports, flags, and whether the packets are incoming or outgoing.

Most computer networks today are packet-switched networks (PSNs), which break communication down into packets before transferring them across the network. After these packets have passed through a firewall, they are reordered at their destination so that the information is presented correctly.

Each packet contains two key components: a header and a payload.

  • Headers ensure that data is routed to the correct destination.
  • Payloads contain the data seeking to be delivered.

Packet-filtering firewalls read the IP, TCP, and UDP headers of each packet and check that information against the network’s access control lists to decide whether to block or allow the packet. If the packet passes these checks, the firewall lets it through to its destination, where the payload is extracted.

Permission to pass through the firewall is completely dependent on the firewall’s predetermined filtering rules. This allows administrators to configure packet filtering rules that reject all packet transmission except for packets from specific IP addresses and ports.
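To make the matching concrete, here is an added example (it is not code from the original article or from any product the article mentions) of a minimal stateless filter written in Python. It assumes a simplified header model with direction, protocol, source and destination address, and destination port; evaluates the access control list in order with first-match semantics and a default-deny policy, which is exactly the "reject everything except specific addresses and ports" configuration described above; and includes a check for rules that an earlier, broader rule prevents from ever firing, the ordering mistake that makes large rule sets hard to maintain. All addresses, ports, and rules are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """Simplified header fields a stateless filter inspects (constructed model)."""
    direction: str   # "in" = arriving from outside, "out" = leaving the network
    proto: str       # "tcp", "udp" or "icmp"
    src: str         # source IP address
    dst: str         # destination IP address
    sport: int = 0   # source port (0 for protocols without ports)
    dport: int = 0   # destination port


@dataclass(frozen=True)
class Rule:
    """One access control list entry; a None field means 'any'."""
    action: str                       # "allow" or "deny"
    direction: Optional[str] = None
    proto: Optional[str] = None
    src: str = "0.0.0.0/0"            # CIDR the source address must fall in
    dst: str = "0.0.0.0/0"            # CIDR the destination address must fall in
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (
            (self.direction is None or self.direction == pkt.direction)
            and (self.proto is None or self.proto == pkt.proto)
            and ip_address(pkt.src) in ip_network(self.src)
            and ip_address(pkt.dst) in ip_network(self.dst)
            and (self.dport is None or self.dport == pkt.dport)
        )

    def covers(self, other: "Rule") -> bool:
        """True if every packet 'other' could match would already match self."""
        return (
            (self.direction is None or self.direction == other.direction)
            and (self.proto is None or self.proto == other.proto)
            and ip_network(other.src).subnet_of(ip_network(self.src))
            and ip_network(other.dst).subnet_of(ip_network(self.dst))
            and (self.dport is None or self.dport == other.dport)
        )


def filter_packet(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """Sequential first-match evaluation; the default policy applies if nothing matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [
        j for j, later in enumerate(rules)
        if any(earlier.covers(later) for earlier in rules[:j])
    ]


# Constructed policy: reject everything inbound except HTTPS to one server and
# SSH to that server from one management subnet; let all outbound traffic through.
POLICY = [
    Rule("allow", direction="in", proto="tcp", dst="203.0.113.10/32", dport=443),
    Rule("allow", direction="in", proto="tcp", src="198.51.100.0/24",
         dst="203.0.113.10/32", dport=22),
    Rule("allow", direction="out"),
]

# The same intent with a broad deny placed first: the HTTPS allow is unreachable.
MISORDERED = [
    Rule("deny", direction="in", proto="tcp"),
    Rule("allow", direction="in", proto="tcp", dst="203.0.113.10/32", dport=443),
]

# Constructed sample packets.
HTTPS_IN = Packet("in", "tcp", "192.0.2.5", "203.0.113.10", 51000, 443)
SSH_IN_UNKNOWN = Packet("in", "tcp", "192.0.2.5", "203.0.113.10", 51001, 22)
SSH_IN_MGMT = Packet("in", "tcp", "198.51.100.7", "203.0.113.10", 51002, 22)
DNS_OUT = Packet("out", "udp", "10.0.0.5", "192.0.2.53", 40000, 53)

if __name__ == "__main__":
    for pkt in (HTTPS_IN, SSH_IN_UNKNOWN, SSH_IN_MGMT, DNS_OUT):
        print(pkt.direction, pkt.proto, pkt.src, "->", pkt.dst, pkt.dport,
              filter_packet(POLICY, pkt))
    print("shadowed rules in MISORDERED:", shadowed_rules(MISORDERED))
```

Running the module prints the decision for each sample packet under `POLICY` and reports that rule 1 of `MISORDERED` is shadowed: the HTTPS packet that `POLICY` admits is denied there, even though an allow rule for it exists, because the broad deny is evaluated first. A `shadowed_rules` style check is the kind of review worth running before a large rule set goes live.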

Top 4 Advantages of Packet-Filtering Firewalls

Packet-filtering firewalls offer several advantages over later and more complex stateful firewalls, including speed, cost-effectiveness, ease of use, and transparency.

Speed

The decisions made by packet-filtering firewalls are based on simple, predetermined formulas that don’t require deep packet inspection (DPI). As a result, they are typically able to accept or reject packets relatively quickly.

Cost-effectiveness

Since packet-filtering firewalls only need one filtering router to provide security to the internal network, they are quite cost-effective. Additionally, packet filtering functionality is built into most popular software and hardware routing devices, and most sites already have such functionality in their routers, so they don’t need to purchase additional solutions to function effectively.

Ease of use

Packet-filtering firewalls are among the most basic firewalls and, once implemented, do not require much additional training to use effectively. And since only one router is required to secure a network, users don’t have multiple routers to manage simultaneously.

Transparency

In most cases, packet filtering is carried out autonomously by these firewalls, meaning that human awareness and intervention are not required until a packet has been rejected. And because the rules are preset by the user, there is always a clear reason for the firewall’s decision.

Top 4 Disadvantages of Packet-Filtering Firewalls

Although packet-filtering firewalls have their place, there are some concerns that users should be aware of. They are less secure than newer firewalls, lack logging capabilities, can be challenging to set up, and are incompatible with some protocols and policies.

Less secure

The most important thing to be aware of regarding packet-filtering firewalls is that they are less secure than their more modern counterparts. Since packet-filtering firewalls favor IP addresses and port information instead of context or application information, they lack the context that other types of firewalls have. And since they only check packet headers and not payloads, they are vulnerable to spoofing.

Lack of logging capabilities

Packet-filtering firewalls don’t retain data about how packets move around the network. The absence of any sort of logging functionality may interfere with some organizations’ compliance requirements.

Challenging setup

While packet-filtering firewalls are easy to use once they’ve been established, it can be challenging and time-consuming to build the initial required filters. Users also have to be careful when entering rules, as they are checked in sequential order, and mistakes in ordering can create a tangle of errors that is hard to read in larger installations.

Protocol incompatibilities and policy enforcement difficulties

Some protocols, such as remote procedure call (RPC)-based protocols, prove to be unsuitable for packet-filtering security. Additionally, some policies may prove difficult to enforce using basic packet-filtering firewalls as the firewalls make it difficult to impose limitations on specific users and may render higher-level protocols ineffective.

Types of Packet-Filtering Firewalls

There are two main types of packet-filtering firewalls: stateless, or static packet-filtering, and stateful, or dynamic packet-filtering. Stateful firewalls are undeniably the more advanced of the two, but there are still qualified uses for stateless firewalls as well.

Stateless firewalls, aka static packet filtering

A static packet-filtering firewall is the most basic type of packet-filtering firewall: its rules are established manually, and the connection state between the external and internal networks stays either open or closed until it is changed by hand.

As these firewalls require human intervention, administrators must regularly check, configure, and manage access control lists, rules, IP addresses, and ports.

Though stateless firewalls remain the most common type, they are becoming less widespread today. However, they’re still useful to service providers who offer low-power customer premises equipment. Their set-it-and-forget-it practicality makes them suitable for simple home or small business networks.

Stateful firewalls, aka dynamic packet filtering

A dynamic packet-filtering firewall is a firewall whose rules can be adjusted based on the context and whose ports remain open for a limited period before closing. 

These firewalls operate at the network, transport, and session layers and can track not only individual packets but all ongoing network activity, following TCP and UDP streams as a whole. Stateful firewalls distinguish harmless from harmful traffic by examining the full context of incoming packets, not only their headers.

Dynamic packet-filtering firewalls are more flexible than static firewalls since they enable administrators to put customizable parameters and automatable procedures in place. These firewalls are effective for protocols such as the File Transfer Protocol (FTP) that allocate ports dynamically.
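The difference between the two types, as an added example that is not from the article or from any vendor it mentions: a small connection-tracking filter in Python. It assumes the protected network is on the "out" side, opens a table entry when an internal host starts a flow (a TCP SYN or any UDP datagram), admits inbound packets only when they answer a tracked flow, and expires idle entries after a timeout, which is the "open for a limited period" behaviour described above. For comparison it also includes a stateless rule that keys only on the ACK flag, a simplification added here to show what a header-only rule cannot distinguish. Hosts, ports, and timestamps are constructed, and time is passed in explicitly so the scenario is reproducible.

```python
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Header fields the tracker needs (constructed model, TCP flags included)."""
    direction: str    # "out" = sent by a protected host, "in" = arriving from outside
    proto: str        # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


# A flow is keyed from the protected host's point of view:
# (proto, inside_ip, outside_ip, inside_port, outside_port)
FlowKey = Tuple[str, str, str, int, int]


class StatefulFilter:
    """Dynamic packet filtering: outbound traffic opens a flow, replies are
    admitted only while that flow is tracked, and idle flows expire."""

    def __init__(self, idle_timeout: float = 300.0) -> None:
        self.idle_timeout = idle_timeout
        self.table: Dict[FlowKey, float] = {}   # flow -> last-seen timestamp

    def _expire(self, now: float) -> None:
        stale = [k for k, seen in self.table.items() if now - seen > self.idle_timeout]
        for key in stale:
            del self.table[key]

    def decide(self, pkt: Packet, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        self._expire(now)
        if pkt.direction == "out":
            key = (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
            # A new flow is opened by a TCP SYN or any UDP datagram; an existing
            # flow is refreshed. A mid-stream TCP segment with no tracked flow is dropped.
            if key in self.table or pkt.syn or pkt.proto == "udp":
                self.table[key] = now
                return "allow"
            return "deny"
        # Inbound: only the reverse of a tracked flow is a legitimate reply.
        key = (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if key in self.table:
            self.table[key] = now
            return "allow"
        return "deny"


def stateless_return_rule(pkt: Packet) -> str:
    """Static approximation of 'allow replies': a header-only rule that admits any
    inbound TCP segment carrying the ACK flag, because it has no flow table."""
    if pkt.direction == "out":
        return "allow"
    return "allow" if pkt.proto == "tcp" and pkt.ack else "deny"


# Constructed scenario: inside host 10.0.0.5, web server 203.0.113.10, resolver 192.0.2.53.
SCENARIO: List[Tuple[float, Packet]] = [
    (0.0,   Packet("out", "tcp", "10.0.0.5", "203.0.113.10", 51000, 443, syn=True)),
    (1.0,   Packet("in",  "tcp", "203.0.113.10", "10.0.0.5", 443, 51000, syn=True, ack=True)),
    (2.0,   Packet("in",  "tcp", "203.0.113.10", "10.0.0.5", 443, 50000, ack=True)),  # unsolicited
    (3.0,   Packet("out", "udp", "10.0.0.5", "192.0.2.53", 40000, 53)),
    (3.5,   Packet("in",  "udp", "192.0.2.53", "10.0.0.5", 53, 40000)),
    (400.0, Packet("in",  "tcp", "203.0.113.10", "10.0.0.5", 443, 51000, ack=True)),  # flow idle too long
]


def run_scenario(idle_timeout: float = 300.0) -> List[Tuple[str, str]]:
    """Return (stateful decision, stateless decision) for each packet in SCENARIO."""
    fw = StatefulFilter(idle_timeout)
    return [(fw.decide(pkt, now), stateless_return_rule(pkt)) for now, pkt in SCENARIO]


if __name__ == "__main__":
    for (now, pkt), (stateful, stateless) in zip(SCENARIO, run_scenario()):
        print(f"t={now:5.1f} {pkt.direction:3} {pkt.proto} {pkt.src}:{pkt.sport} -> "
              f"{pkt.dst}:{pkt.dport}  stateful={stateful} stateless={stateless}")
```

The two columns diverge at the interesting packets: the unsolicited inbound segment to port 50000 is dropped by the tracker but admitted by the ACK-only rule, the UDP reply to the resolver query is admitted by the tracker but has no stateless equivalent short of opening the port permanently, and the late reply at t=400 is dropped because the flow has been idle longer than the timeout. Raising `idle_timeout` past that gap (for example `run_scenario(1000.0)`) makes the tracker admit it again, which is the trade-off administrators tune when choosing how long a dynamically opened port stays open.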

Best 3 Packet-Filtering Firewalls

Due to the evolution of the networking and security landscape, it’s common to find packet-filtering features within a much more comprehensive firewall solution to cater for the shortcomings of standalone packet-filtering solutions. Below are three firewall solutions that exemplify this.

Cisco ASA firewall

Cisco ASA delivers a firewall and network security platform that offers its users highly secure data and resource access. Cisco ASA offers a network firewall that implements stateful packet inspection to block unauthorized traffic. The firewall checks access control lists to determine whether to grant or deny access. Its packet-filtering features enable users to create rules of greater complexity and block traffic based on the protocols in use.

Key features:

  • Integrated intrusion prevention system (IPS), virtual private network (VPN), and unified communications capabilities
  • Cisco TrustSec for software-defined segmentation and context awareness

Pros

  • Offers high availability for high-resiliency applications
  • Uses identity-based firewall technology to provide context awareness
  • Uses high-performance, multisite, and multinode clustering to enable enterprises to raise capacity and performance
  • Provides support for next-generation encryption standards

Cons

  • Its GUI has room for improvement.
  • Users may find ASA to be complex in configuration and troubleshooting.

Pricing

Cisco doesn’t list pricing for its ASA firewall, but it provides multiple avenues for contacting the company to discuss options, either by live chat, phone, or sales form to request a direct call in 15 minutes or less.

FortiGate NGFW

FortiGate NGFWs offer enterprise security for the campus edge to deliver full visibility into applications and users. Although this is an NGFW, one of its tools is packet capture, which enables users to manually look inside the headers of packets. Users can record the packets seen by a network interface, trace connection states to their points of failure, and more, while leveraging Fortinet’s state-of-the-art NGFW features.

Key features

  • FortiGuard services provide comprehensive controls and threat intelligence
  • FortiOS enables automated workflows and network convergence on a single operating system

Pros

  • A suite of firewall solutions to select from
  • Threat protection against advanced threats
  • Multilayered protection as NGFWs are not limited to upper inspection layers
  • AI-powered security

Cons

  • Upfront costs may be higher than those of standalone firewall solutions.
  • A greater impact on network performance as compared to standalone firewall solutions.

Pricing

You can contact Fortinet for pricing information on their NGFWs, or request a free product demo to explore features up close.

Check Point Quantum firewall

Check Point Quantum firewalls offer modern features that cover security functionality as well as mature, cloud-based, centralized management. Check Point’s advanced threat detection across its security portfolio makes it an extensive security platform solution. The firewall has features like Packet Flow, which checks the source IP address and port, destination IP address and port, as well as the protocol to determine whether to allow or discard packets.

Key features

  • SandBlast Threat Prevention
  • Maestro Hyper-scale Networking for scalable, high-speed protection against Gen V cyberattacks
  • Secure remote access with VPN and multifactor authentication (MFA)

Pros

  • Highly customizable to enable customers to tailor the firewall to their needs
  • Integrability with other security products
  • Autonomous threat prevention

Cons

  • May be complex to manage and require more technical knowledge compared to standalone firewall products.
  • Technical support has room for improvement.

Pricing

Check Point invites prospective customers to either request a free demo or contact their sales team to discuss pricing.

Who Should and Shouldn’t Use Packet-Filtering Firewalls?

The short answer is, everyone should be using a packet-filtering firewall. Although these firewalls may be unable to deliver the level of security required for every use case, they provide an effective, inexpensive base level of security for organizations of any size.

Any organization that wants to implement the first step in securing its internal users from external threats should consider a packet-filtering firewall. This category might include small businesses or those with a limited budget that are seeking a basic level of security against known threats.

For environments with reporting and compliance requirements, packet-filtering firewalls may be a poor choice due to their lack of logging capabilities. Furthermore, considering today’s ever-evolving threat landscape, it’s a risk to wholly depend on packet-filtering firewalls as your only defense from external threats. Larger organizations should especially avoid dependence on packet-filtering firewalls as their only firewall option. However, they can and should incorporate them as part of a layered defense for monitoring traffic between various internal departments.

Bottom Line: Packet-Filtering Firewalls Are a Foundation of Network Security

Packet-filtering firewalls provide a fast, cost-effective, transparent, and easy-to-use firewall for users to secure their internal networks against known threats.

However, as today’s threats become more and more sophisticated, it would be beneficial to consider combining these firewalls with other firewall solutions and overall security solutions applicable to your networks to ensure that your networks are fully protected and compliant and to get the best out of your packet-filtering firewall.

If you’re looking for a more comprehensive security package, here are the best network security companies to trust with your organization’s data.

Collins Ayuya
Collins Ayuya is a contributing writer for Enterprise Networking Planet with over seven years of industry and writing experience. He is currently pursuing his Masters in Computer Science, carrying out academic research in Natural Language Processing. He is a startup founder and writes about startups, innovation, new technology, and developing new products. His work also regularly appears in TechRepublic, ServerWatch, Channel Insider, and Section.io. In his downtime, Collins enjoys doing pencil and graphite art and is also a sportsman and gamer.
