Stateful firewalls play an essential role in state machine theory, and state machines are widely used across many disciplines. Stateful firewalls have much more functionality than stateless counterparts. Still, they are only one part of a network security system that should include intrusion detection systems (IDS) or intrusion prevention systems (IPS), among other technologies.
What Is A Stateful Firewall?
A stateful firewall is a network security system that controls and restricts traffic flow between networks, typically in response to the state of existing connections.
A Stateful firewall inspects every packet passing through it for more than just port number or IP address. Stateful firewalls can track information about sessions by keeping state tables of past communications within those sessions.
Stateful firewalls can keep state records of how each packet relates to a session created by the first packet and allow packets that belong to an authorized session while blocking those that do not.
The state table is used as a reference for what information should be included in future communications within the same session, defining the allowable state of the session and what Stateful firewall rules should be applied to it. It is important as it can help protect against most types of attacks and block traffic.
Stateful Vs. Stateless Firewall
| Stateful FirewallStateless FirewallStateful firewalls inspect additional information in each data packet to determine whether or not it matches an existing connection, such as Transmission Control Protocol (TCP) sequence numbers. If a match is found, the stateful firewall allows the packet to pass; if no match is found, the stateful firewall discards the packet. | A stateless firewall filters packets based on the packet’s network address and port number. |
| You can think of a stateless firewall like your home alarm system: it will detect and report when an intruder enters or leaves your property. | A stateful security system can tell you exactly which door the intruder entered or whether your valuables are still in place. |
| In contrast, a stateful firewall looks at all these details and TCP sequencing information (sequence number) and Transmission Control Block (TCB) to determine if a packet belongs or doesn’t belong to an existing connection state. | To determine if it should allow traffic through, a stateless firewall will only look at the source and destination IP, port numbers, packet type (TCP/UDP), protocol number, flags, etc. For example, if someone sends a TCP packet with Flag ACK set to your server, the stateless firewall will not understand that this packet is part of an existing connection, and it should allow the traffic. |
List of Stateful Firewall Examples
- Cisco ASA Firewall is a stateful firewall that continuously monitors network connections and dynamically creates state entries to facilitate communication between trusted hosts.
- Check Point Security Gateway is a stateful firewall, which allows state tracking of connections between trusted hosts.
- Juniper Networks SRX Series services gateways are stateful firewalls, which allow state tracking of traffic flows between trusted hosts using session keys.
- SonicWall Next-Generation Firewall is a stateful firewall that provides methods for collecting and analyzing state information from network traffic flows.
- Palo Alto Networks Next-Gen Firewall (NGFW) is a stateful firewall that allows state tracking of connections between trusted hosts.
- F-Secure ProShield is a stateful firewall, which monitors network traffic and dynamically creates state entries to facilitate communication between trusted hosts.
- NetScaler ADC is a stateful firewall, which protects against all types of DDoS attacks by automatically detecting and mitigating malicious activity without requiring additional configuration.
- Fortinet Fortigate is a stateful firewall, which protects against all types of DDoS attacks by automatically detecting and mitigating malicious activity without requiring additional configuration.
- Barrier Reef Systems M-Series Advanced Firewall Management Appliance (AFMA) uses a stateful firewall to monitor network traffic and dynamically create state entries to facilitate communication between trusted hosts. Etc.
State Firewall OSI Layer
OSI Layers are a way to group network hardware and protocols into a conceptual model for computer networks. The stateful firewall is a layer of the Open Systems Interconnect (OSI) model between Layer Four, known as the Transport Layer, and Layer Three, known as Internet Protocol.
When discussing stateful firewalls, it is helpful to learn about the OSI model. The stateful firewall sits at the top of the OSI stack and analyzes each packet to determine if it is part of an existing connection or a new request for a connection.
Connection-State Database
When data packets enter stateful firewalls, they are compared against information in a connection state database (CSD). This state information is critical for allowing/blocking traffic based on existing connections.
What’s in a Connection?
Each connection state entry contains the following data:
- Source IP address and source TCP or UDP port number of the sender, as well as destination IP address and destination TCP or UDP ports
- Protocol type (TCP, UDP, or ICMP)
- The state of the connection according to RFC 1700
- Timers for how long each state will be used before expiring and being deleted from the state table. This is important because expired connections are removed so that new ones can use that port number/address combination again. If this were not done, stateful firewalls would be very easy to attack.
Connection-State Database Example
If we have a stateful firewall that has two ports open for traffic, both of those connections are related and share an IP address and protocol type (TCP). The first port state has an established state, while the other is in a new request/response state. To put it simply, this stateful firewall will allow traffic to enter the port because two states match these criteria.
Blocked Packets
Even though connections look good when they arrive at the stateful firewall, they may pose security risks if they are not authenticated or encrypted. A stateful firewall would block this traffic because it does not meet the requirements of an existing connection state in its CSD.
Conclusion
In conclusion, stateful firewalls are essential to include in your network security architecture. They control stateless traffic and monitor state, and block unwanted outbound packets that may be trying to escape the firewall ruleset.
Stateful firewalls are vital to ensuring network security, so be sure you deploy the proper stateful firewall for your organization.
