Circuit-level gateway firewalls provide protection for User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) connections, acting as a handshaking device between trusted clients or servers and untrusted hosts.
Enterprise organizations often use circuit-level gateways within their comprehensive security approaches, which likely include a wide range of protections. On their own, circuit-level gateways are insufficient to adequately protect sprawling enterprise networks consisting of hundreds or thousands of endpoints. Their capabilities are more narrow in scope but nonetheless serve an important role.
Table of Contents
- How Circuit-Level Gateways Work
- Circuit-Level Gateways Features
- Benefits of Circuit-Level Gateways
- Disadvantages of Circuit-Level Gateways
- How Much Do Circuit-Level Gateways Cost?
- When Should You Use a Circuit-Level Gateway?
- Top 8 Circuit-Level Gateway Providers
- Bottom Line: Circuit-Level Gateways
How Circuit-Level Gateways Work
In simple terms, a circuit-level gateway verifies the TCP handshake to check incoming traffic without consuming a great deal of time and resources. This means the circuit-level gateway is one of the most efficient types of firewalls because it impacts network performance less than other firewall types.
Working at the session layer, circuit-level gateways verify established TCP connections and track active sessions. Similar to packet-filtering firewalls, they perform a single check and use minimal resources. When an internal device initiates a remote host connection, circuit-level gateways establish a virtual connection on behalf of the internal device, keeping the identity and IP address of internal users hidden.
Circuit-level gateways work at the session layer of the open systems interconnection (OSI) model, which is a conceptual framework used to describe a network’s system functions. With OSI, there is a universal set of rules and requirements used to establish interoperability between different software and products.
To determine whether a session request should be confirmed or not, a circuit-level gateway examines the TCP “handshake” exchanged between the hosts. Next, information about the handshake is passed to a remote computer. This information appears to originate from the gateway, which keeps details of the protected network hidden.
A valid session established by a circuit-level gateway contains four components:
- The destination addresses, source addresses, and ports.
- The time of delay.
- The protocol being used.
- The user ID and password.
A circuit-level gateway setup is often composed of two TCP connections: one between the gateway and a TCP user on an inner host, and one between the gateway and a TCP user on an outer host. Once both connections are ready, the gateway passes TCP segments from one to the other without regard for the contents.
The gateway maintains a table that is used to validate connections. Network packets carrying data are allowed to pass whenever the packet information matches an entry in the table. Should the firewall terminate the connection, it tries to remove the corresponding entry in the table, and the circuit between the nodes is closed.
Once a session is permitted, no further checks at the individual packet level are executed.
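The table-driven behavior described above can be modeled in a few lines. This is an added example, not code from any vendor product; the Segment and CircuitGateway names, the simplified one-step teardown, and the sample addresses and payloads are assumptions constructed for illustration. It shows that data is relayed only after a valid handshake, and that the payload is never examined once the session is permitted.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:                      # constructed, simplified TCP segment
    src: tuple                      # (ip, port) of sender
    dst: tuple                      # (ip, port) of receiver
    flags: frozenset                # TCP flags, e.g. {"SYN"}
    payload: bytes = b""

class CircuitGateway:
    def __init__(self, allowed_ports):
        self.allowed_ports = set(allowed_ports)
        self.table = {}             # circuit key -> (state, initiator)

    def handle(self, seg):
        key = frozenset({seg.src, seg.dst})   # same key for both directions
        state, initiator = self.table.get(key, (None, None))
        if seg.flags & {"FIN", "RST"}:
            # Teardown (simplified to one step): remove the entry, close the circuit.
            return "closed" if self.table.pop(key, None) else "dropped"
        if seg.flags == {"SYN"} and state is None:
            if seg.dst[1] not in self.allowed_ports:
                return "dropped"
            self.table[key] = ("SYN_SEEN", seg.src)
            return "handshake"
        if seg.flags == {"SYN", "ACK"} and state == "SYN_SEEN" and seg.dst == initiator:
            self.table[key] = ("SYNACK_SEEN", initiator)
            return "handshake"
        if seg.flags == {"ACK"} and state == "SYNACK_SEEN" and seg.src == initiator:
            self.table[key] = ("ESTABLISHED", initiator)
            return "handshake"
        if state == "ESTABLISHED":
            # Session already permitted: relay without examining seg.payload.
            return "relayed"
        return "dropped"

def demo():
    gw = CircuitGateway(allowed_ports={443})
    inner, outer = ("10.0.0.5", 50000), ("203.0.113.9", 443)   # constructed addresses
    traffic = [
        Segment(inner, outer, frozenset({"ACK"}), b"data before any handshake"),
        Segment(inner, outer, frozenset({"SYN"})),
        Segment(outer, inner, frozenset({"SYN", "ACK"})),
        Segment(inner, outer, frozenset({"ACK"})),
        Segment(outer, inner, frozenset({"PSH", "ACK"}), b"MALWARE-TEST-MARKER"),
        Segment(inner, outer, frozenset({"FIN", "ACK"})),
        Segment(outer, inner, frozenset({"PSH", "ACK"}), b"data after teardown"),
    ]
    return [gw.handle(s) for s in traffic], len(gw.table)
```

Calling demo() returns the verdict for each segment plus the number of table entries left; the segment carrying the test marker is relayed like any other, which is why content inspection has to come from a separate control.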
Circuit-Level Gateways Features
Circuit-level gateways typically include a few key features:
- Works at the session layer of the OSI model or in between the application and transport layer of TCP/IP.
- Keeps information about the protected network private.
- Operates as a stand-alone system.
- Often includes reporting information that can be reviewed to fine-tune security approaches.
Benefits of Circuit-Level Gateways
There are several key benefits of selecting a circuit-level gateway over other firewall types. Ideally, circuit-level gateways are used alongside other network security tools to achieve these and other optimal benefits.
Circuit-Level Gateways Protect Privacy
A circuit-level gateway serves as a proxy for hiding the internal host from the serving host. This can be a significant advantage for organizations that protect sensitive data, especially personally identifiable information (PII), medical records, and financial data. Including a circuit-level gateway under an overarching security umbrella can help organizations fulfill requirements laid out in regulatory compliance guidelines related to data privacy.
Individual Packets Do Not Need to Be Filtered
Because individual packets do not need to be filtered for this type of firewall to work, overall system performance is usually not impacted. The speed and efficiency of circuit-level gateways are significant benefits for many users.
Circuit-Level Gateways Are Inexpensive
Circuit-level gateways are among the most cost-effective approaches to handling security measures around TCP handshakes, in particular.
Circuit-Level Gateways Are Straightforward to Understand and Implement
Security operations teams can turn over circuit-level gateway management and oversight to less experienced team members. This allows department resources to be better allocated; more expensive, experienced analysts can concentrate on higher-level tasks. This technology is also relatively easy to explain to non-technical members of an organization, including financial decision-makers.
Each Application Does Not Require a Separate Proxy Server
Unlike with some other firewall types, applications protected by circuit-level gateways do not require individual proxy servers. This keeps this part of network security streamlined and more manageable.
Disadvantages of Circuit-Level Gateways
Despite their many advantages, circuit-level gateways are not meant to provide stand-alone network protection. Here are a few potential disadvantages of circuit-level gateways to bear in mind.
Circuit-Level Gateways Do Not Filter Individual Packets
The inability to inspect data packet content means circuit-level gateways are not sufficient to act as complete security solutions on their own. If a data packet contains malware, for example, it can easily bypass a circuit-level gateway as long as it has a legitimate TCP handshake.
Circuit-Level Gateways Require Frequent Updates
Like many other security products, circuit-level gateways must be updated frequently — and often manually — in order to remain effective against network infiltration. These updates can be done at the vendor level or through a third-party managed service provider, but they often take up the time of onsite security teams.
Circuit-Level Gateways Don’t Protect Against Data Leakage
These devices don’t provide protection against the kind of data leakage that can indicate a significant breach or vulnerability, even when managing the TCP/IP handshake. It is critical to include supplemental tools that offer this kind of protection.
Circuit-Level Gateways Do Not Monitor Network Traffic
While these firewalls add benefits to other security solutions, they are limited in scope. For example, they are not capable of monitoring for suspicious behavior outside of questionable security handshakes.
TCP/IP Stacks Must Be Modified by the Vendor
End users typically cannot modify TCP/IP stacks. Instead, security teams have to rely on vendors to make these important updates in a timely manner.
How Much Do Circuit-Level Gateways Cost?
Stand-alone circuit-level gateway firewalls range in price from around $100 to around $1,000 per unit. However, circuit-level gateway technology is often packaged as part of a managed security solution or a suite of security tools.
When Should You Use a Circuit-Level Gateway?
When a simple, affordable security solution is needed, a circuit-level gateway firewall may be the ideal choice. These products are also helpful for connecting the devices of two disparate networks that each have a distinct structure. Circuit-level gateways do not look at traffic flow between networks, however, so they are not the best choice for stand-alone protection. They are almost always used in tandem with other security solutions.
Top 8 Circuit-Level Gateway Providers
These eight circuit-level gateway firewall providers are among the most popular and well-rated options on the market:
- Perimeter 81
- Zscaler
- Gen Digital Inc
- Forcepoint
- Fortinet
- Barracuda Networks
- McAfee
- Sophos
Bottom Line: Circuit-Level Gateways
Circuit-level gateways (or “firewalls” for the purposes of this analysis) are simple to use, integrate well within larger network security approaches, and are affordable when compared to other firewalls. Still, these products do not provide full-coverage network security; in particular, they do not examine network traffic behavior. Instead, they focus on protocols like TCP, adding assurance that connection “handshakes” are legitimate.
When shopping for a circuit-level gateway firewall, it’s important to be mindful of how a given product will work within a broader network of security tools. Not all firewalls interoperate with other security solutions sold by different vendors; that is why these tools are often one part of a multifaceted suite of tools.