  1. Question #1

whitewinterwolf's answer says

the circuit-level gateway CHANGES the source IP address of the outgoing packet (from the internal network's point of view).

Two different TCP connections are formed, inbound and outbound.

  2. Question #2

I didn't get what Adi was trying to say. The example was cool but it didn't make any sense later on to me.

Yuri says:

the application-level gateway can look at all layers of the OSI model, whereas the circuit-level gateway only looks up to the network layer.

Makes sense indeed, but I've seen people saying the circuit-level gateway is more powerful than the application-level gateway. Plus the order in which they are taught would also imply that the circuit-level gateway is better than the application-level gateway.

So I have confusion (and what I have learnt):

  1. The application gateway opens 2 TCP connections, inbound and outbound, and so does the circuit gateway.

  2. The application gateway just authenticates with username and password, but the circuit-level gateway does not authenticate (then how does it trust the incoming and outgoing users?); it is confusing (or does it authenticate?). Many books are signalling that it doesn't.

  3. The application gateway doesn't examine the content (like packet filtering) and neither does the circuit-level gateway, AFAIK.

  4. The only difference that I have found is that the application gateway doesn't change the source IP address of the packet but the circuit-level gateway does, so somehow the circuit-level gateway is transparent (plus the ones I mentioned above).

el_waleou

1 Answer

You can read this for more information!

The basic stuff is:

  • An application-level gateway firewall is application specific, i.e. to filter HTTP traffic you need an HTTP proxy; to filter FTP traffic you need an FTP proxy; to filter email traffic you need SMTP, POP and IMAP proxies, and so on!

  • An application-level gateway firewall scans the whole OSI stack from top to bottom. I don't need to tell you about this :)

  • That's why an application firewall requires more time and more resources; it's also called a deep-inspection firewall.

  • An application-level gateway firewall scans application data, but a circuit-level gateway doesn't do it directly, i.e.

Here, as you see in the figure, the circuit-level gateway can't read application data directly. Instead it's encapsulated and encrypted (if VPN/IPsec is used in some mode, AH or ESP), so security would not be greater. Imagine someone encrypted a virus in application data where you click the link and it eats your PC! You won't find that with a circuit-level gateway.

You can look at the figure below for a better comparison of whatever I've said above.

It's taken from this link. More information

Team B.I
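The distinction the answer draws (an application-level gateway must understand the protocol and can inspect content; a circuit-level gateway decides on the TCP session and then relays bytes it never looks at), as an added example that is not part of the original question or answer. Both gateways are modelled as pure Python functions over constructed sample sessions. The addresses, port numbers, policy sets and the `CONTENT_SIGNATURE` stand-in are assumptions for illustration only. In this model both gateways terminate the client's connection and open a second one from their own address, which is the source-address change the question asks about; the difference is that only the application-level gateway parses what the client sent before deciding whether to open that second connection.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed addresses (not from the original post): the internal client and
# the address the gateway uses for its own outbound TCP connection.
CLIENT_IP = "10.0.0.5"
GATEWAY_EXTERNAL_IP = "203.0.113.10"

# Illustrative policy values, constructed for this example.
RELAY_ALLOWED_PORTS = {80, 443}
HTTP_ALLOWED_METHODS = {"GET", "HEAD", "POST"}
HTTP_BLOCKED_HOSTS = {"bad.example"}
CONTENT_SIGNATURE = b"MALICIOUS-TEST-PAYLOAD"   # stand-in for an AV/content signature


@dataclass
class Connection:
    """One client->server TCP session plus the first bytes the client sent."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


@dataclass
class Decision:
    allowed: bool
    reason: str
    forwarded: Optional[Connection] = None   # the gateway's own outbound session


def circuit_level_gateway(conn: Connection) -> Decision:
    """Circuit-level gateway: permits or denies the session on address/port
    information only, then relays the bytes unchanged. The server sees a
    connection from the gateway's address, never the client's."""
    if conn.dst_port not in RELAY_ALLOWED_PORTS:
        return Decision(False, f"tcp/{conn.dst_port} not permitted for relay")
    outbound = Connection(GATEWAY_EXTERNAL_IP, 40000, conn.dst_ip, conn.dst_port, conn.payload)
    return Decision(True, "session relayed, payload not inspected", outbound)


def parse_http_request(payload: bytes) -> Optional[Tuple[str, str, Dict[str, str], bytes]]:
    """Minimal HTTP/1.x request parser: (method, target, headers, body),
    or None when the bytes are not a well-formed request."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    try:
        lines = head.decode("ascii").split("\r\n")
        method, target, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return None
    if not version.startswith("HTTP/1."):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            return None
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def application_level_gateway(conn: Connection) -> Decision:
    """Application-level gateway for HTTP only: because it parses the protocol
    it can reject malformed requests, forbidden methods and hosts, and
    known-bad content before it opens its own outbound session."""
    if conn.dst_port != 80:
        return Decision(False, "this proxy only understands HTTP on tcp/80")
    parsed = parse_http_request(conn.payload)
    if parsed is None:
        return Decision(False, "payload is not a valid HTTP request")
    method, target, headers, body = parsed
    if method not in HTTP_ALLOWED_METHODS:
        return Decision(False, f"method {method} not allowed")
    if headers.get("host", "") in HTTP_BLOCKED_HOSTS:
        return Decision(False, f"host {headers['host']} is blocked")
    try:
        declared = int(headers.get("content-length", "0"))
    except ValueError:
        return Decision(False, "Content-Length is not numeric")
    if declared != len(body):
        return Decision(False, "Content-Length does not match body")
    if CONTENT_SIGNATURE in body:
        return Decision(False, "body matches a content signature")
    outbound = Connection(GATEWAY_EXTERNAL_IP, 40001, conn.dst_ip, conn.dst_port, conn.payload)
    return Decision(True, f"{method} {target} forwarded after inspection", outbound)


# Constructed sample sessions (not captured from any real network).
BENIGN_GET = Connection(CLIENT_IP, 51000, "198.51.100.7", 80,
                        b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
INFECTED_UPLOAD = Connection(CLIENT_IP, 51001, "198.51.100.7", 80,
                             b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
                             b"Content-Length: 22\r\n\r\n" + CONTENT_SIGNATURE)
SSH_ATTEMPT = Connection(CLIENT_IP, 51002, "198.51.100.7", 22, b"SSH-2.0-client\r\n")
NOT_HTTP_ON_80 = Connection(CLIENT_IP, 51003, "198.51.100.7", 80, b"\x16\x03\x01\x00\x05hello")


def compare(conn: Connection) -> Tuple[bool, bool]:
    """(circuit_allowed, application_allowed) for one session."""
    return circuit_level_gateway(conn).allowed, application_level_gateway(conn).allowed


if __name__ == "__main__":
    for name, conn in [("benign GET", BENIGN_GET), ("infected upload", INFECTED_UPLOAD),
                       ("ssh attempt", SSH_ATTEMPT), ("non-HTTP on 80", NOT_HTTP_ON_80)]:
        circuit_ok, app_ok = compare(conn)
        print(f"{name:16} circuit={circuit_ok!s:5} application={app_ok!s:5}")
```

The infected upload is the case the answer describes: the circuit-level gateway relays it because tcp/80 is permitted, and the server sees the bytes unchanged from the gateway's own address; the application-level gateway parses the POST and refuses it. The price of that inspection is that the application-level gateway is useless for anything that is not HTTP, which is the "one proxy per protocol" point in the answer's first bullet.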