As an example of how circuit level gateways work, say computer A is in a network protected by a circuit level gateway firewall, and wants to view a web page on computer B which is outside the firewall. Computer A sends the request for the web page to computer B; the firewall intercepts it, records which inside host asked for what, and passes it on. Computer B receives the request, which as far as it is concerned came from the address of the firewall, and starts sending the web page data back across the Internet. When that data reaches the firewall, it is compared against the record of computer A's request: if the source address and port match the host and service that A contacted, the data is passed to A, otherwise it is dropped.
A major advantage of this method is that non-requested data from outside the firewall is not allowed in, period. All ports are closed until the firewall opens them for a connection that originated inside. The main disadvantage is that unless it is combined with some other form of filtering, any type of data requested from inside the firewall will be allowed through, whether that is a web page, a file a user should not be downloading, or the replies to a program that is already on the inside and calling out.
Software or hardware firewalls that use the circuit level gateway method will also include some method of Internet sharing, since this is part of the function of this type of firewall. As you can probably guess, cable/DSL home routers use this method primarily. More specifically, they use Network Address Translation (NAT): the router rewrites the source address of every outbound packet to its own single public address, keeps a table of which inside host and port each translation belongs to, and uses that table to send replies back to the right machine. An inbound packet that matches no table entry has nowhere to go and is dropped, so the circuit level filtering and the Internet sharing come from the same mechanism. The usual caveat is that port forwarding rules and UPnP requests deliberately add table entries for connections that start on the outside, and every such entry is a port that is open again.
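To make the mechanism concrete, here is a toy circuit level gateway with NAT-style connection tracking. It is an added example, not code from the article or from any router firmware; the gateway address, inside hosts and remote hosts are constructed from the IPv4 documentation ranges, and the port allocation and the table layout are simplifications of what a real stateful NAT does (a real one also tracks TCP state and times entries out).

```python
"""Added example (not from the original article): a toy circuit level
gateway. Outbound packets create a translation entry; inbound packets are
admitted only when they match an entry, and only from the host and port
that the inside machine actually contacted. All addresses are constructed
from the IPv4 documentation ranges (RFC 5737)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


class CircuitGateway:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = first_port
        # public port -> (inside ip, inside port, remote ip, remote port)
        self.table: Dict[int, Tuple[str, int, str, int]] = {}
        self._by_inside: Dict[Tuple[str, int, str, int], int] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Record the connection and rewrite the source so the remote host
        only ever sees the gateway's address. Any request from inside is
        allowed, whatever it is: that is the method's weak point."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self._by_inside.get(key)
        if port is None:
            port = self._next_port
            self._next_port += 1
            self.table[port] = key
            self._by_inside[key] = port
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet rewritten for the inside host, or None to drop it."""
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            return None  # nobody inside asked for this: the port is closed
        in_ip, in_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None  # right port, wrong peer: not the circuit A opened
        return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port, pkt.payload)


def demo() -> List[str]:
    """Walk through the article's scenario with constructed addresses:
    A = 192.168.1.10 inside, gateway = 198.51.100.1, B = 203.0.113.5."""
    gw = CircuitGateway("198.51.100.1")
    out: List[str] = []

    sent = gw.outbound(Packet("192.168.1.10", 51234, "203.0.113.5", 80, b"GET / HTTP/1.1"))
    out.append("B sees the request from %s:%d" % (sent.src_ip, sent.src_port))

    reply = gw.inbound(Packet("203.0.113.5", 80, "198.51.100.1", sent.src_port, b"HTTP/1.1 200 OK"))
    out.append("reply delivered to %s:%d" % (reply.dst_ip, reply.dst_port) if reply else "reply dropped")

    unsolicited = gw.inbound(Packet("203.0.113.9", 4444, "198.51.100.1", 22, b"SSH-2.0-probe"))
    out.append("unsolicited SSH probe: %s" % ("delivered" if unsolicited else "dropped"))

    spoofed = gw.inbound(Packet("203.0.113.9", 80, "198.51.100.1", sent.src_port, b"fake reply"))
    out.append("reply on A's port from the wrong host: %s" % ("delivered" if spoofed else "dropped"))

    # The disadvantage: an inside host calling out to anything is let through.
    beacon = gw.outbound(Packet("192.168.1.10", 51300, "203.0.113.66", 6667, b"NICK bot"))
    cmd = gw.inbound(Packet("203.0.113.66", 6667, "198.51.100.1", beacon.src_port, b"PRIVMSG run"))
    out.append("inside host phoning out to 203.0.113.66:6667: %s" % ("allowed" if cmd else "dropped"))
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The last two lines of the demo are the point of the article's two paragraphs: nothing gets in without an entry, and an entry is created by any inside host for any destination, so the gateway cannot tell a web request from malware phoning home.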
Application level gateways
Application level gateways, also known as proxies, are outwardly similar in operation to circuit level gateways in that they act as the only entrance into or out of a protected network and deny all non-requested data from outside. The major difference is in the way they handle information.
While a circuit level gateway only examines the address and port information contained in the data it receives, not the content, an application level gateway looks deeper. A firewall using this method runs a proxy application for each protocol it supports (HTTP for web pages, FTP for file transfer, SMTP and POP3 for email, and so on) and passes traffic through that proxy before it is allowed through the firewall. Because the proxy understands the protocol, it can also reject traffic that is not really that protocol at all, such as something other than HTTP arriving on the web port; a protocol the gateway has no proxy for cannot pass through it at all.
This has two major advantages. Firstly, no direct communication is allowed between outside sources and computers behind the firewall, since everything must first pass through a proxy, and secondly, filtering can now be done using the actual content of the data, as opposed to just where it came from and where it's going.
For example, using an application level gateway firewall, you can not only control which computers inside your network can access internet web pages, but also specify which web pages they are allowed to view, since the proxy for HTTP can read the contents of the data sent from a web server and check for restricted websites.
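The following is an added example, not code from the article or from any proxy product, of the decisions an HTTP proxy in an application level gateway makes that a circuit level gateway cannot. The policy (which inside hosts may browse, which sites are restricted, which page content is refused) and the sample request and response bytes are constructed for the illustration; the parser handles only the request line and headers of HTTP/1.x and is not a full implementation.

```python
"""Added example (not from the original article): policy checks for a toy
HTTP application level gateway. Policy values and sample messages below
are constructed for illustration."""
import re
from typing import Dict, Optional, Tuple

# Constructed policy (assumption for the example, not from the article).
ALLOWED_CLIENTS = {"192.168.1.10", "192.168.1.11"}   # inside hosts that may browse
BLOCKED_HOSTS = {"blocked.example", "games.example"}  # sites nobody may view
BLOCKED_TERMS = [b"casino"]                           # page content the proxy will not relay


def parse_request(raw: bytes) -> Optional[Dict[str, str]]:
    """Parse the request line and headers of an HTTP/1.x request.
    Returns None when the bytes are not a well-formed request, a judgement
    only a proxy that understands the protocol can make."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return None
    method, target, _version = parts
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return None
        headers[name.strip().lower()] = value.strip()
    # Browsers talking to a proxy send the absolute URL; fall back to Host.
    m = re.match(r"https?://([^/:]+)", target)
    host = m.group(1) if m else headers.get("host", "")
    if not host:
        return None
    return {"method": method, "target": target, "host": host.lower()}


def decide_request(client_ip: str, raw: bytes) -> Tuple[str, str]:
    """Return ("allow", host) or ("deny", reason) for a client's request."""
    if client_ip not in ALLOWED_CLIENTS:
        return ("deny", "client %s is not permitted to browse" % client_ip)
    req = parse_request(raw)
    if req is None:
        return ("deny", "not a well-formed HTTP request")
    if req["method"] not in ("GET", "HEAD", "POST"):
        return ("deny", "method %s not permitted" % req["method"])
    if req["host"] in BLOCKED_HOSTS:
        return ("deny", "site %s is restricted" % req["host"])
    return ("allow", req["host"])


def forbidden(reason: str) -> bytes:
    """Build the 403 the proxy hands the client instead of the real page."""
    body = ("Blocked by proxy: %s\r\n" % reason).encode()
    return (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body)) + body


def filter_response(raw: bytes) -> Tuple[str, bytes]:
    """Inspect a server's reply before relaying it. Returns ("pass", raw) or
    ("block", replacement), where replacement is what the client gets."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"HTTP/1."):
        return ("block", forbidden("malformed response from server"))
    lowered = body.lower()
    for term in BLOCKED_TERMS:
        if term in lowered:
            return ("block", forbidden("page content is restricted"))
    return ("pass", raw)


def demo() -> Dict[str, str]:
    """Run constructed messages through the policy and summarise the outcomes."""
    req_ok = b"GET http://www.example.com/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    req_blocked = b"GET http://blocked.example/ HTTP/1.1\r\nHost: blocked.example\r\n\r\n"
    resp_ok = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>hello</html>"
    resp_bad = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>Online CASINO</html>"
    return {
        "allowed client, allowed site": decide_request("192.168.1.10", req_ok)[0],
        "allowed client, restricted site": decide_request("192.168.1.10", req_blocked)[0],
        "unknown client": decide_request("192.168.1.99", req_ok)[0],
        "non-HTTP bytes on the web port": decide_request("192.168.1.10", b"SSH-2.0-OpenSSH\r\n")[0],
        "clean page from server": filter_response(resp_ok)[0],
        "restricted content from server": filter_response(resp_bad)[0],
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print("%-34s %s" % (label, outcome))
```

Two things are worth noticing. The request is judged per client and per site, and the response is judged on its body, which is exactly the control the paragraph above describes; and the check on the response only works because the page arrives in clear text. Traffic inside TLS (HTTPS) is opaque to a proxy unless the gateway terminates the TLS session itself, which is a separate, heavier piece of configuration.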
Application level gateways are considered very secure because of the level of control they offer, but they can require significant configuration to get the most out of them: each protocol needs its own proxy, and content that is encrypted end to end (HTTPS, for instance) cannot be inspected unless the gateway is set up to terminate the encryption itself. They are also slower at passing information than other firewalls, because every connection is handled by a proxy application. Client computers on a network with an application level gateway firewall need to be configured to use the proxies in order to reach resources outside the network.
Application level gateway firewalls will have integrated Internet sharing, since this is necessary to their function. They are generally intended for business use, protecting large networks. A good example of an application level gateway software package is Microsoft's Internet Security and Acceleration (ISA) Server, since discontinued, though it had several features beyond the firewall service.