Firewalls: Keeping Things Contained
In More Depth
There are three main types of firewall: screening router, proxy gateway, and guard.
A screening router is the simplest form of firewall, and is usually very effective. The router examines each packet and screens it on a number of configurable factors, such as type (FTP, mail, etc.), source, destination, and size. An example of where this is effective is the case of forged source addresses in packet headers: because the router sits on the border between the interior and exterior of the network, it can be set to ignore any packet arriving from outside that falsely claims to come from inside the network.
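The screening described above, written out as an added example (not code from the original page): a small Python packet filter that applies an anti-spoofing rule on the outside interface, a size limit, and a per-service allow list. The internal prefix, permitted services, size limit and sample packets are all assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Assumed (constructed) site policy: the internal network prefix, the inbound
# services the router permits, and a maximum packet size.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")
ALLOWED_INBOUND = {("tcp", 25), ("tcp", 21)}   # mail and FTP control
MAX_SIZE = 1500                                 # bytes

@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrived on: "ext" (outside) or "int" (inside)
    proto: str    # "tcp", "udp" or "icmp"
    src: str      # source address as written in the header
    dst: str
    dport: int    # destination port (0 for icmp)
    size: int     # total length in bytes

def screen(pkt):
    """Return ("accept"|"drop", reason) for one packet, as a screening router would."""
    src = ipaddress.ip_address(pkt.src)
    # Anti-spoofing: a packet on the outside interface cannot carry an inside source address.
    if pkt.iface == "ext" and src in INTERNAL_NET:
        return "drop", "forged internal source on external interface"
    # The mirror rule: nothing leaving the inside should carry a foreign source.
    if pkt.iface == "int" and src not in INTERNAL_NET:
        return "drop", "non-internal source leaving the network"
    if pkt.size > MAX_SIZE:
        return "drop", "oversized packet"
    # Service screening applies to inbound traffic only; outbound is unrestricted here.
    if pkt.iface == "ext" and (pkt.proto, pkt.dport) not in ALLOWED_INBOUND:
        return "drop", f"{pkt.proto}/{pkt.dport} not permitted inbound"
    return "accept", "matches policy"

# Constructed sample traffic exercising each rule.
SAMPLE = [
    Packet("ext", "tcp", "198.51.100.7", "192.0.2.10", 25, 600),   # inbound mail
    Packet("ext", "tcp", "192.0.2.5", "192.0.2.10", 25, 600),      # spoofed inside source
    Packet("ext", "tcp", "198.51.100.7", "192.0.2.10", 23, 120),   # telnet, not allowed
    Packet("int", "tcp", "192.0.2.5", "198.51.100.7", 80, 300),    # outbound web
    Packet("ext", "udp", "198.51.100.7", "192.0.2.10", 53, 9000),  # oversized
]

def screen_all(packets):
    return [screen(p)[0] for p in packets]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.iface, p.proto, p.src, "->", p.dst, *screen(p))
```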
A proxy gateway is a firewall that presents the outside world to the inside network, and appears as the inside network to the outside. The proxy interposes itself in the connection between sender and destination, acting as the destination to the original sender and as the sender to the original destination. This gives the firewall the opportunity to screen the information and requests passed through it, denying anything that seems improper or does not fit the configured filters. A proxy firewall is typically a machine with very limited capability, having only the bare minimum of programs installed. It is useful for limiting what can be seen of the inside of a network: only the information and applications you wish to expose can be accessed. The chief distinction of a proxy over a screening router is that the proxy interprets the data stream itself rather than just the packet's external header.
A guard is a more sophisticated version of a proxy gateway. A guard interprets the protocol exchanges sent to it, determines whether the action is allowable, and passes through the same or a modified exchange. It decides what services to perform based on the information available to it, and the only limit on that control is what is computable. An example would be a company that wants its employees to be able to fetch files using FTP, but wants every such file passed through a virus scanner first. The drawback of extensive customization of control is the resource demand, which can slow transfer speeds. There is no clear-cut line where a proxy becomes sophisticated enough to be considered a guard. A guard makes its decisions based on characteristics of the data being sent, and must be more complex because of this. Added complexity means more opportunities for failure and exploitation, so a guard has more ways to be subverted or fail than a simpler firewall.
There may be variations on these types that I have not listed here. Feel free to contact me with any information you think should be added.