Good question. Let's think about it this way:
You're going to take a basic maths exam and the sign on the door says
"No Masters-level students. No calculators allowed."
A normal inspector (firewall) would ask you for a student ID to make sure you're not a Masters student, then they'd let you in. If a Masters student who looks just like you comes to the door, the firewall would remember that it checked him a couple of minutes ago and would let him in, therefore breaking the exam's security.
After checking your identity, a circuit-level gateway would've given you a watermarked paper that says you've been checked, so your doppelgänger has to show the watermarked paper, or else he'd have to go through an ID check, and his true identity as a Masters student would be revealed.
An application-level gateway, however, would've frisked you (DPI) looking for a calculator. A calculator (application-specific command) isn't part of your identity, so it's something that sits on a higher level that the circuit-level gateway doesn't understand.
An application-level gateway understands all the protocols it supports; it doesn't care if your IP is whitelisted at the circuit level. It can read your FTP traffic, figure out when you use the delete command, and drop that exact packet. It can dissect your HTTP traffic and stop you from sending POST requests.
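To make the layering in this answer concrete, here is an added toy example in Python (written for this page, not the answer author's code). It assumes a constructed client allowlist for the circuit-level decision, treats one packet as one FTP control line or one HTTP request line (a real gateway reassembles the TCP stream first), and only understands FTP on port 21 and HTTP on port 80. The point it demonstrates is that the same packet from a trusted address passes the circuit-level check and is still dropped by the application-level check once the protocol is parsed.

```python
"""Toy layer-4 vs layer-7 gateway (constructed example, not a real product).

circuit_level_verdict() decides on connection identity only (who is talking).
application_level_verdict() parses the protocol and can drop a single FTP DELE
command or HTTP POST from an otherwise trusted client.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed policy: clients trusted at the circuit level (assumed address).
ALLOWED_CLIENTS = {"10.0.0.5"}
# Constructed application-level policy: verbs/methods that must never pass.
BLOCKED_FTP_VERBS = {"DELE", "RMD"}
BLOCKED_HTTP_METHODS = {"POST", "PUT", "DELETE"}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_port: int
    payload: bytes


def circuit_level_verdict(pkt: Packet) -> str:
    """Layer-4 decision: only the connection identity is checked."""
    return "allow" if pkt.src_ip in ALLOWED_CLIENTS else "drop"


def ftp_verb(payload: bytes) -> Optional[str]:
    """Return the FTP command verb from a control line such as b'DELE x\\r\\n'."""
    try:
        line = payload.decode("ascii").strip()
    except UnicodeDecodeError:
        return None
    if not line:
        return None
    return line.split(None, 1)[0].upper()


def http_method(payload: bytes) -> Optional[str]:
    """Return the method from an HTTP/1.x request line such as b'POST / HTTP/1.1'."""
    try:
        request_line = payload.split(b"\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[0].upper()


def application_level_verdict(pkt: Packet) -> str:
    """Layer-7 decision: identity first, then protocol-aware inspection (DPI).

    Anything the gateway cannot parse as the expected protocol is dropped
    (fail closed), as is any protocol it does not understand at all.
    """
    if circuit_level_verdict(pkt) == "drop":
        return "drop"
    if pkt.dst_port == 21:
        verb = ftp_verb(pkt.payload)
        if verb is None:
            return "drop"
        return "drop" if verb in BLOCKED_FTP_VERBS else "allow"
    if pkt.dst_port == 80:
        method = http_method(pkt.payload)
        if method is None:
            return "drop"
        return "drop" if method in BLOCKED_HTTP_METHODS else "allow"
    return "drop"


# Constructed sample traffic: all from the trusted client except the last one.
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", 21, b"RETR report.pdf\r\n"),
    Packet("10.0.0.5", 21, b"DELE secret.txt\r\n"),
    Packet("10.0.0.5", 80, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
    Packet("10.0.0.5", 80, b"POST /upload HTTP/1.1\r\nHost: example\r\n\r\n"),
    Packet("10.0.0.5", 80, b"\xff\xfe not a request line"),
    Packet("192.0.2.9", 21, b"RETR report.pdf\r\n"),
]


def compare(traffic: List[Packet]) -> List[Tuple[str, str]]:
    """Pair each packet's circuit-level verdict with its application-level verdict."""
    return [(circuit_level_verdict(p), application_level_verdict(p)) for p in traffic]


if __name__ == "__main__":
    for pkt, (l4, l7) in zip(SAMPLE_TRAFFIC, compare(SAMPLE_TRAFFIC)):
        print(f"{pkt.src_ip}:{pkt.dst_port:<3} {pkt.payload[:22]!r:30} "
              f"circuit={l4:<5} application={l7}")
```

Running it prints one line per packet; the DELE and POST packets show `circuit=allow application=drop`, which is exactly the gap between the two gateway types that the answer describes.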