What Does a Layer 3,4 Firewall do that a Layer 7 Does Not?

It sounds like you're getting a bit of misleading jargon. The technical definitions for these types of firewalls are:

  • Layer 3 firewalls (i.e. packet filtering firewalls) filter traffic based solely on source/destination IP, port, and protocol.
  • Layer 4 firewalls do the above, plus add the ability to track active network connections, and allow/deny traffic based on the state of those sessions (i.e. stateful packet inspection).
  • Layer 7 firewalls (i.e. application gateways) can do all of the above, plus include the ability to intelligently inspect the contents of those network packets. For instance, a Layer 7 firewall could deny all HTTP POST requests from Chinese IP addresses. This level of granularity comes at a performance cost, though.

Since the proper definitions don't line up with their pricing scheme, I think they're using Layer 7 as a (technically incorrect) reference to a software firewall running on your VPS. Think along the lines of iptables or Windows Firewall. Should you pony up the extra fees, they'll put your VPS behind a proper network firewall. Maybe.

If they can't be bothered to use proper terminology when describing their VPS solution to potential customers, I'd question their competence in other areas as well.


The first is an application layer firewall. It probably works as an HTTP(s) proxy where the requests are made to the proxy, that filters all the request and than send them to your server. If the company you're going to buy use an http proxy, your server IP will be totally hidden from the web, whats really good. If you just need to protect your websites this is the most simple solution you can have and "just works". This is the method that CloudFlare use, for example.

The second is a network layer firewall. It's a more advanced firewall, that filter all trafic before reaching your server. This one is by far the most effective an efficient, as you can protect any kind of aplication, but you'd need a really big setup with BGP announces, filtered IPs blocks, tunnels and so on. This is commonly used with services that receive big DDoS attacks and host critical aplications, ecommerce and games.

Keeping it shot: If you just need to secure your websites use the Layer 7 solution. If you need an advanced firewall that filter any kind of application, protection against DDoS attacks and so on, use the Layer 3-4 solution.

Here you can read more about CloudFlare, that I think it's the right solution to you: https://www.quora.com/How-does-CloudFlare-work