• Susceptible to implementation flaws or configuration errors
• More expensive; one may compromise the others.
• Difficult to configure correctly
• Must consider rule set in its entirety
• Difficult to test completely
• Performance penalty for complex rule sets
• Stateful packet filtering much more expensive
• Enforces ACLs at layer 3 + 4, without knowing any application details.
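
The point about considering the rule set in its entirety, as an added example that is not from the original slides: a checker that finds rules an earlier rule makes unreachable in a layer 3 + 4 ACL. It assumes first-match evaluation (the slides do not state the matching order); the `Rule` fields, function names and addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:                      # hypothetical L3/L4 rule model
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    dports: tuple                # inclusive (low, high) destination ports

def covers(a, b):
    """True if every packet matched by rule b is also matched by rule a."""
    net = ipaddress.ip_network
    return (a.proto in ("any", b.proto)
            and net(b.src).subnet_of(net(a.src))
            and net(b.dst).subnet_of(net(a.dst))
            and a.dports[0] <= b.dports[0] and b.dports[1] <= a.dports[1])

def find_shadowed(rules):
    """List (earlier, later, conflict): the later rule can never match.
    conflict=True means the two actions differ, so intent is silently lost."""
    findings = []
    for j, later in enumerate(rules):
        for i in range(j):
            if covers(rules[i], later):
                findings.append((i, j, rules[i].action != later.action))
                break
    return findings

def decide(rules, proto, src, dst, dport, default="deny"):
    """First-match evaluation (assumed semantics) of one packet header."""
    addr = ipaddress.ip_address
    for r in rules:
        if (r.proto in ("any", proto)
                and addr(src) in ipaddress.ip_network(r.src)
                and addr(dst) in ipaddress.ip_network(r.dst)
                and r.dports[0] <= dport <= r.dports[1]):
            return r.action
    return default

# Constructed rule set: rule 2 is meant to block SSH from 10.9.0.0/16.
RULES = [
    Rule("permit", "tcp", "0.0.0.0/0",   "10.0.1.0/24", (443, 443)),
    Rule("permit", "any", "10.0.0.0/8",  "10.0.1.0/24", (0, 65535)),
    Rule("deny",   "tcp", "10.9.0.0/16", "10.0.1.5/32", (22, 22)),
    Rule("permit", "tcp", "10.0.0.0/8",  "10.0.1.0/24", (443, 443)),
    Rule("deny",   "any", "0.0.0.0/0",   "0.0.0.0/0",   (0, 65535)),
]
```

Rule 2 reads correctly in isolation, yet rule 1 matches the same traffic first, so the SSH block never takes effect; rule 3 is merely redundant. Only full containment is detected here, so partially overlapping rules still need manual review.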