Systems, devices, and methods relating to network firewalls and VPN
gateways for controlling and securing access to networks. An integrated
VPN/firewall system comprises at least one policy engine module, a switch
module, a cryptographic engine module, and at least one flow engine
module. Each flow engine module receives DTUs from either side of the
integrated VPN/firewall system. The DTUs are then compared to entries in
a listening table and entries in a flow table. The entries in these
tables consist of characteristics of DTUs expected to arrive for specific
flows. Entries in both the listening tables and the flow tables are made
by the policy engine. Listening table entries generally denote flows that
policy may allow to be established between computers on opposite sides of
the system; flow table entries, on the other hand, correspond to flows
already allowed to be established between computers on opposite sides of
the firewall system.
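The two-table lookup described above, modelled as an added Python example (not the patent's implementation). The `Dtu` record, its 5-tuple key, the `ListeningEntry` shape, the arrival-side binding on flow-table entries, and all sample traffic are constructed assumptions; the abstract does not specify them. The model keeps the abstract's division of labour: only the policy engine writes to either table, and the flow engine consults the flow table first (established flows), then the listening table (flows policy may allow), and drops anything matching neither.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Flow key assumed here: (src_ip, dst_ip, src_port, dst_port, proto).
FlowKey = Tuple[str, str, int, int, str]

INSIDE, OUTSIDE = "inside", "outside"


def other_side(side: str) -> str:
    """The opposite side of the gateway from the one given."""
    return INSIDE if side == OUTSIDE else OUTSIDE


@dataclass(frozen=True)
class Dtu:
    """Constructed stand-in for a DTU: only the header fields a flow lookup keys on."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    side: str  # interface the DTU arrived on: INSIDE or OUTSIDE

    def key(self) -> FlowKey:
        return (self.src_ip, self.dst_ip, self.src_port, self.dst_port, self.proto)

    def reverse_key(self) -> FlowKey:
        # Key of the DTUs travelling the other way in the same flow.
        return (self.dst_ip, self.src_ip, self.dst_port, self.src_port, self.proto)


@dataclass(frozen=True)
class ListeningEntry:
    """Characteristics of a DTU allowed to open a new flow (assumed shape)."""
    dst_ip: str
    dst_port: int
    proto: str
    from_side: str  # side the opening DTU must arrive from

    def matches(self, dtu: Dtu) -> bool:
        return (dtu.side == self.from_side and dtu.dst_ip == self.dst_ip
                and dtu.dst_port == self.dst_port and dtu.proto == self.proto)


class PolicyEngine:
    """Owns both tables; it is the only component that writes to them."""

    def __init__(self) -> None:
        self.listening: List[ListeningEntry] = []
        # Established flows: key -> side a DTU with that key must arrive on.
        self.flows: Dict[FlowKey, str] = {}

    def permit_listener(self, entry: ListeningEntry) -> None:
        self.listening.append(entry)

    def open_flow(self, dtu: Dtu) -> None:
        # Install both directions, each bound to the side it must arrive on,
        # so a DTU claiming to be a reply cannot be injected from the wrong side.
        self.flows[dtu.key()] = dtu.side
        self.flows[dtu.reverse_key()] = other_side(dtu.side)


class FlowEngine:
    def __init__(self, policy: PolicyEngine) -> None:
        self.policy = policy

    def process(self, dtu: Dtu) -> str:
        expected_side = self.policy.flows.get(dtu.key())
        if expected_side is not None:
            # Flow-table hit: forward only if it arrived on the bound side.
            return "forward" if dtu.side == expected_side else "drop"
        for entry in self.policy.listening:
            if entry.matches(dtu):
                # Listening-table hit: policy promotes it to an established flow.
                self.policy.open_flow(dtu)
                return "forward"
        return "drop"


def run_demo() -> List[str]:
    """Constructed traffic: a permitted HTTPS flow, an unlisted port, a spoofed reply."""
    policy = PolicyEngine()
    policy.permit_listener(ListeningEntry("10.0.0.5", 443, "tcp", OUTSIDE))
    engine = FlowEngine(policy)
    traffic = [
        Dtu("203.0.113.7", "10.0.0.5", 51514, 443, "tcp", OUTSIDE),  # opens HTTPS flow
        Dtu("10.0.0.5", "203.0.113.7", 443, 51514, "tcp", INSIDE),   # server reply
        Dtu("203.0.113.7", "10.0.0.5", 51514, 443, "tcp", OUTSIDE),  # more client data
        Dtu("203.0.113.7", "10.0.0.5", 40000, 22, "tcp", OUTSIDE),   # port 22: no listener
        Dtu("10.0.0.5", "203.0.113.7", 443, 51514, "tcp", OUTSIDE),  # reply key, wrong side
    ]
    return [engine.process(d) for d in traffic]


if __name__ == "__main__":
    print(run_demo())
```

The last two sample DTUs show why the flow table is checked with the arrival side attached: a DTU whose 5-tuple matches an established flow is still dropped when it appears on the side the flow's other half never uses, and a DTU for a port with no listening entry never reaches the flow table at all.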