Systems Security Certified Practitioner – SSCP – Question0894

A variation of the application layer firewall is called a:

A. Current Level Firewall.
B. Cache Level Firewall.
C. Session Level Firewall.
D. Circuit Level Firewall.

Correct Answer: D

Explanation:

Terminology can be confusing between the different sources, as both CBK and AIO3 call an application layer firewall a proxy, and proxy servers are generally classified as either circuit-level proxies or application-level proxies.
The distinction is that a circuit level proxy creates a conduit through which a trusted host can communicate with an untrusted one and doesn’t really look at the application contents of the packet (as an application level proxy does). SOCKS is one of the better known circuit-level proxies.
Firewalls

Packet Filtering Firewall – First Generation
- Screening Router
- Operates at Network and Transport level
- Examines Source and Destination IP Address
- Can deny based on ACLs
- Can specify Port

Application Level Firewall – Second Generation
- Proxy Server
- Copies each packet from one network to the other
- Masks the origin of the data
- Operates at layer 7 (Application Layer)
- Reduces Network performance since it has to analyze each packet and decide what to do with it.
- Also Called Application Layer Gateway

Stateful Inspection Firewalls – Third Generation
- Packets Analyzed at all OSI layers
- Queued at the network level
- Faster than Application level Gateway

Dynamic Packet Filtering Firewalls – Fourth Generation
- Allows modification of security rules
- Mostly used for UDP
- Remembers all of the UDP packets that have crossed the network’s perimeter, and it decides whether to enable packets to pass through the firewall.

Kernel Proxy – Fifth Generation
- Runs in NT Kernel
- Uses dynamic and custom TCP/IP-based stacks to inspect the network packets and to enforce security policies.

“Current level firewall” is incorrect. This is an almost-right-sounding distractor to confuse the unwary.
“Cache level firewall” is incorrect. This too is a distractor.
“Session level firewall” is incorrect. This too is a distractor.

References
CBK, pp. 466-467
AIO3, pp. 486-490
CISSP Study Notes from Exam Prep Guide