What Is a Circuit-Level Gateway? Ultimate Guide


Circuit-level gateway firewalls provide protection for User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) connections, acting as a handshaking device between trusted clients or servers and untrusted hosts.

Enterprise organizations often use circuit-level gateways within their comprehensive security approaches, which likely include a wide range of protections. On their own, circuit-level gateways are insufficient to adequately protect sprawling enterprise networks consisting of hundreds or thousands of endpoints. Their capabilities are narrower in scope but nonetheless serve an important role.


How Circuit-Level Gateways Work

In simple terms, a circuit-level gateway verifies the TCP handshake to check incoming traffic without consuming a great deal of time and resources. This means the circuit-level gateway is one of the most efficient types of firewalls because it impacts network performance less than other firewall types.

Working at the session layer, circuit-level gateways verify established TCP connections and track active sessions. Similar to packet-filtering firewalls, they perform a single check and use minimal resources. When an internal device initiates a remote host connection, circuit-level gateways establish a virtual connection on behalf of the internal device, keeping the identity and IP address of internal users hidden.

Circuit-level gateways work at the session layer of the open systems interconnection (OSI) model, which is a conceptual framework used to describe a network’s system functions. With OSI, there is a universal set of rules and requirements used to establish interoperability between different software and products.

To determine whether a session request should be confirmed or not, a circuit-level gateway examines the “handshake” between packets. Next, information about the handshake is passed to a remote computer. This information appears as though it is being initiated from the gateway, keeping information hidden within protected networks.

A valid session established by a circuit-level gateway contains four components:

  1. The destination addresses, source addresses, and ports.
  2. The time of delay.
  3. The protocol being used.
  4. The user ID and password.

A circuit-level gateway setup is often composed of two TCP connections: one between the gateway and a TCP user on an inner host, and one between the gateway and a TCP user on an outer host. Once the connections are ready, the gateway passes TCP segments from one to the other without regard for the contents.

The gateway maintains a table that is used to validate connections. It allows network packets containing data to pass whenever the network packet information matches an entry in the table. Should the firewall terminate the connection, it tries to remove the corresponding entry in the table, and the circuit between the nodes is closed.

Once a session is permitted, no further checks at the individual packet level are executed.
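
The session table described above, modeled as an added example (not code from the original article or from any vendor's product). The `Segment` and `CircuitGateway` names, the state labels, the port allow-list and the addresses are constructed for illustration, and the model covers only the table checks, not the gateway's two relayed TCP connections.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:              # constructed stand-in for a TCP segment
    src: tuple              # (ip, port)
    dst: tuple
    flags: frozenset        # e.g. frozenset({"SYN", "ACK"})
    payload: bytes = b""    # carried along but never read by the gateway

class CircuitGateway:
    def __init__(self, allowed_dst_ports):
        self.allowed = set(allowed_dst_ports)
        self.table = {}     # (client, server) -> handshake state

    def handle(self, seg):
        """Return True to relay the segment, False to drop it."""
        f, fwd, rev = seg.flags, (seg.src, seg.dst), (seg.dst, seg.src)
        if f == {"SYN"}:                          # new session request
            if seg.dst[1] not in self.allowed:
                return False
            self.table[fwd] = "SYN_SENT"
            return True
        if f == {"SYN", "ACK"}:                   # must answer a tracked SYN
            if self.table.get(rev) != "SYN_SENT":
                return False
            self.table[rev] = "SYN_ACKED"
            return True
        key = fwd if fwd in self.table else rev if rev in self.table else None
        if key is None:                           # no table entry: drop
            return False
        if f & {"FIN", "RST"}:                    # simplification: first FIN/RST closes the circuit
            del self.table[key]
            return True
        if self.table[key] == "SYN_ACKED":        # only the client's final ACK completes it
            if key != fwd or f != {"ACK"}:
                return False
            self.table[key] = "ESTABLISHED"
            return True
        return self.table[key] == "ESTABLISHED"   # relayed with no look at payload

def run_trace():
    gw = CircuitGateway(allowed_dst_ports={443})
    c, s = ("10.0.0.5", 51000), ("203.0.113.7", 443)   # constructed addresses
    F = lambda *names: frozenset(names)
    trace = [Segment(s, c, F("ACK"), b"unsolicited"),   # no session yet
             Segment(c, s, F("SYN")), Segment(s, c, F("SYN", "ACK")),
             Segment(c, s, F("ACK")),                   # handshake complete
             Segment(s, c, F("PSH", "ACK"), b"arbitrary bytes"),
             Segment(c, s, F("FIN", "ACK")),            # entry removed
             Segment(s, c, F("ACK"), b"late data")]     # circuit already closed
    return [gw.handle(seg) for seg in trace], gw.table
```

The fifth segment is relayed purely because its session is in the table, so whatever it carries has to be caught by a content-inspecting control deployed alongside the gateway.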


Circuit-Level Gateway Features

Circuit-level gateways typically include a few key features:

  • Works at the session layer of the OSI model or in between the application and transport layers of TCP/IP.
  • Keeps information about the protected network private.
  • Operates as a stand-alone system.
  • Often includes reporting information that can be reviewed to fine-tune security approaches.

Benefits of Circuit-Level Gateways

There are several key benefits of selecting a circuit-level gateway over other firewall types. Ideally, circuit-level gateways are used alongside other network security tools to achieve these and other optimal benefits.

Circuit-Level Gateways Protect Privacy

A circuit-level gateway serves as a proxy for hiding the internal host from the serving host. This can be a significant advantage for organizations that protect sensitive data, especially personally identifiable information (PII), medical records, and financial data. Including a circuit-level gateway under an overarching security umbrella can help organizations fulfill requirements laid out in regulatory compliance guidelines related to data privacy.

Individual Packets Do Not Need to Be Filtered

Because individual packets do not need to be filtered for this type of firewall to work, overall system performance is usually not impacted. The speed and efficiency of circuit-level gateways are significant benefits for many users.

Circuit-Level Gateways Are Inexpensive

Circuit-level gateways are among the most cost-effective approaches to handling security measures around TCP handshakes, in particular.

Circuit-Level Gateways Are Straightforward to Understand and Implement

Security operations teams can turn over circuit-level gateway management and oversight to less experienced team members. This allows department resources to be better allocated; more expensive, experienced analysts can concentrate on higher-level tasks. This technology is also relatively easy to explain to non-technical members of an organization, including financial decision-makers.

Each Application Does Not Require a Separate Proxy Server

Unlike with some other firewall types, applications protected by circuit-level gateways do not require individual proxy servers. This keeps this part of network security streamlined and more manageable.

Disadvantages of Circuit-Level Gateways

Despite their many advantages, circuit-level gateways are not meant to provide stand-alone network protection. Here are a few potential disadvantages of circuit-level gateways to bear in mind.

Circuit-Level Gateways Do Not Filter Individual Packets

The inability to inspect data packet content means circuit-level gateways are not sufficient to act as complete security solutions on their own. If a data packet contains malware, for example, it can easily bypass a circuit-level gateway as long as it has a legitimate TCP handshake.

Circuit-Level Gateways Require Frequent Updates

Like many other security products, circuit-level gateways must be updated frequently — and often manually — in order to remain effective against network infiltration. These updates can be done at the vendor level or through a third-party managed service provider, but they often take up the time of onsite security teams.

Circuit-Level Gateways Don’t Protect Against Data Leakage

These devices don’t provide protection against the kind of data leakage that can indicate a significant breach or vulnerability, even when managing the TCP/IP handshake. It is critical to include supplemental tools that offer this kind of protection.

Circuit-Level Gateways Do Not Monitor Network Traffic

While these firewalls add benefits to other security solutions, they are limited in scope. For example, they are not capable of monitoring for suspicious behavior outside of questionable security handshakes.

TCP/IP Stacks Must Be Modified by the Vendor

End users typically cannot modify TCP/IP stacks. Instead, security teams have to rely on vendors to make these important updates in a timely manner.

How Much Do Circuit-Level Gateways Cost?

Stand-alone circuit-level gateway firewalls range in price from around $100 to around $1,000 per unit. However, circuit-level gateway technology is often packaged as part of a managed security solution or a suite of security tools.

When Should You Use a Circuit-Level Gateway?

When a simple, affordable security solution is needed, a circuit-level gateway firewall may be the ideal choice. These products are also helpful for connecting the devices of two disparate networks that each have a distinct structure. Circuit-level gateways do not look at traffic flow between networks, however, so they are not the best choice for stand-alone protection. They are almost always used in tandem with other security solutions.

Top 8 Circuit-Level Gateway Providers

These eight circuit-level gateway firewall providers are among the most popular and well-rated options on the market:

  1. Perimeter 81
  2. Zscaler
  3. Gen Digital Inc
  4. Forcepoint
  5. Fortinet
  6. Barracuda Networks
  7. McAfee
  8. Sophos

Bottom Line: Circuit-Level Gateways

Circuit-level gateways (or “firewalls” for the purposes of this analysis) are simple to use, integrate well within larger network security approaches, and are affordable when compared to other firewalls. Still, these products do not provide full coverage network security — in particular, they do not examine network traffic behavior. Instead, they focus on protocols like TCP, adding assurance that these security “handshakes” are secure.

When shopping for a circuit-level gateway firewall, it’s important to be mindful of how a given product will work within a broader network of security tools. Not all firewalls interoperate with other security solutions sold by different vendors; that is why these tools are often one part of a multifaceted suite of tools.


Sarah Hunt
Sarah Bricker Hunt covers wide-ranging topics for various audiences, including tech-focused features on data privacy, telecom, corporate and consumer technology trends, and more. Hunt's work is frequently featured in print publications, B2B and B2C trade journals, and numerous high-profile websites.
