Know Your Firewall: Layer 3 vs. Layer 7

Discussing firewalls does not rank high on most folks’ lists of ways to have a good time. But if you want to secure modern, microservices-based applications, understanding how your firewall works under the hood is essential. To that end, this article explains one of the important technical nuances of firewalls: the differences between layer 3 and layer 7.

Firewall Basics

In a basic sense, understanding what a firewall does is pretty simple. It blocks certain types of network traffic and allows other types of traffic. In this way, firewalls help to prevent potential intruders from being able to talk to your applications and services, which does much to prevent security exploits (although a firewall is hardly the only security defense that you should include in your security toolset, of course).

But how does a firewall determine which traffic to let in, and which to block? Answering that question requires us to delve a bit deeper into the nuances of how firewalls work—and specifically, firewall layers.

Firewall Layers

When it comes time to tell your firewall which types of traffic are OK to admit and which ones it should block, there are multiple ways to categorize traffic into “OK” and “not OK” categories. Each approach corresponds to a different firewall “layer,” as defined by the OSI model.

Layer 3 Firewalls (Network Firewalls)

One way is to categorize traffic according to IP addresses, port numbers and service protocols. In other words, you could tell your firewall to accept traffic from certain IP addresses while blocking all other traffic (this would constitute a whitelisting strategy). Alternatively, you could blacklist IP addresses that you know to be sources of abuse.

You could make things more granular by configuring your firewall to accept traffic from certain IP addresses only on certain ports, or when the traffic uses a certain protocol.

If you categorize traffic in these ways, you’re operating on layer 3 of your firewall. This is also sometimes known as the network layer. Layer 3 firewalls filter traffic based on the TCP/IP stack. This approach is sometimes also referred to as packet filtering, because you’re essentially allowing and blocking individual network packets depending on where they originated and which ports they want to talk to.

Layer 7 Firewalls (Application Firewalls)

The other common approach to firewall configuration involves layer 7, which is also known as the application layer.

Layer 7 lets you sort traffic according to which application or application service the traffic is trying to reach, and what the specific contents of that traffic are. Rather than simply blocking all traffic on a certain port, you could use an application firewall to accept traffic on that port in general, but block any traffic that contains a known vulnerability (such as a SQL injection attack or a malicious telnet command).

Layer 3 vs. Layer 7

If layer 7 provides the greatest opportunity for advanced firewall configuration, why would we talk about layer 3 at all? The answer is that they’re different tools that mitigate different kinds of risks and it’s not an either/or question. In most cases, you’d use both a L3 and an L7 firewall and the two complement each other.

L3 firewalls make decisions based on a much more narrow set of variables (IPs and ports) than L7 firewalls, which look at a literally infinite amount of unique requests. Thus, L3 firewalls are generally able to have much greater throughput than L7 firewalls. Further, because they address a lower level of the stack, L3 firewalls cover a wider variety of scenarios than an L7 firewall, which has to have protocol-specific logic for handling each kind of traffic flow it protects. L3 firewalls, conversely, simply allow or deny based on source and destination ports, without awareness of the traffic within, and thus work universally across any IP based scenarios.

The lack of protocol awareness, though, is a significant blind spot the L7 firewalls address. Especially as HTTP has become the universal app protocol, attackers are more likely to probe and exploit weaknesses within the app layer. So, if you have just an L3 firewall that allows all traffic to port 80, you’re blind to those risks. An L7 firewall is able to look within the app layer and make decisions regarding whether to allow a request based on what it contains—not just the port it’s trying to reach. This is a more computationally costly operation, but one that provides significantly greater security.

Because of these trade-offs, the best model for most scenarios is to use multiple layers of defense in depth; specifically, have an L3 firewall at the edge that only allows inbound traffic on the specific ports your apps use. Those ports should then be routed to an L7 firewall for deep inspect at the app protocol level. This model leverages the strengths of each approach with the L3 firewall efficiently dropping all packets but those from allowed sources and destined to allowed ports, thus allowing the L7 firewall to focus exclusively on inspecting the content of the requests to those ports.

Conclusion

Ideally, then, you’ll have the ability to use both layer 3 firewall filtering and layer 7 filtering as needed. By being able to filter both at the network level and the application level, you have maximum ability to protect your infrastructure and services against intruders.

John Morello

Avatar photo

John Morello

John Morello is the Co-Founder and CTO of Gutsy. Previously, he was the CTO of Twistlock and helped take the company to over 400 customers, including 45% of the Fortune 100, and a $.5B exit to Palo Alto Networks where he served as VP of Product for Prisma Cloud. John holds multiple cybersecurity patents and is an author of NIST SP 800-190, the Container Security Guide. Prior to Twistlock, he was the CISO of an S&P 500 global chemical company. Before that, he spent 14 years at Microsoft where he worked on security technologies in Windows and Azure and consulted on security projects across the DoD, intelligence community, and at the White House. John graduated summa cum laude from LSU and lives in Baton Rouge with his wife and two sons. A lifelong outdoorsman and NAUI Master Diver and Rescue Diver, he's the former board chair of the Coalition to Restore Coastal Louisiana and current board member of the Coastal Conservation Association.

john-morello has 4 posts and counting.See all posts by john-morello