What is the difference between static packet filtering and stateful packet filtering?

Last Updated on Wed, 05 Oct 2022 | SCND

This topic explains how dynamic or stateful inspection packet filtering provides improved network security and performance.

Stateful packet filters, or stateful firewalls, are the most versatile and therefore the most common firewall technology in use. Stateful filtering adds dynamic packet filtering to a firewall: it is a firewall architecture that works at the network layer and above. Unlike static packet filtering, which judges each packet in isolation on the information in its header, stateful inspection tracks every connection traversing any interface of the firewall and confirms that each packet belongs to a valid one. To do this the firewall maintains a state table as part of its internal structure. The table records every session, and every packet passing through the firewall is inspected against it: a packet that has the properties the state table predicts for its session is allowed through, and the table changes dynamically as traffic flows.

Stateful firewalls keep track of the actual communication process by using that state table, and they operate at Layers 3, 4 and 5. The firewall examines the headers of Layer 3 packets and Layer 4 segments; for example, it reads the SYN, ACK, FIN, RST and other control bits in the TCP header to determine the state of the connection. In this view the session layer is what those flags establish and tear down: the connection itself.

When an inside host accesses an outside service, the stateful packet filter "remembers" details of the request by saving its state in the state table. Each time a TCP or UDP connection is established, inbound or outbound, the firewall logs the flow in a stateful session flow table. When the outside system responds, the firewall compares the returning packets with the saved state and allows or denies them accordingly.

Figure: OSI Model (the layers at which a stateful firewall operates)

Source: Securing Cisco Network Devices (SND) v2.0, p. 4-18, © 2006 Cisco Systems, Inc.

The stateful session flow table records, for each TCP or UDP connection, the source and destination addresses, the port numbers, TCP sequencing information and additional flags. Together these form a connection object against which the firewall compares every inbound and outbound packet. The firewall permits data only if a matching connection exists to validate its passage.

More advanced stateful firewalls can also parse FTP PORT commands (and PASV replies) on the control channel and update the state table so that the separate FTP data connection works transparently through the firewall. TCP sequence-number tracking and DNS query-and-response matching ensure that the firewall only admits packets that are genuine replies to requests originating inside the network. These features reduce the threat of TCP RST flood attacks, because a forged RST is accepted only if it falls in the sequence window the firewall expects, and of DNS cache poisoning, because a reply is forwarded only if it matches an outstanding query.
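The FTP handling just described, as an added worked example (this code is not from the Cisco course or any product): a small application-layer gateway that reads PORT commands and PASV replies off the control channel and opens a one-shot pinhole in the state table for the announced data connection, refusing any endpoint that is not the peer that announced it. The hosts, ports, control-channel transcript and all class and function names are constructed assumptions for the example.

```python
"""
Added example, not from the Cisco course text: an FTP application-layer gateway
(ALG) of the kind the paragraph describes. It watches the control channel, and
when the client sends PORT or the server answers PASV it records the announced
data connection as a one-off pinhole. Addresses, ports and control-channel lines
are constructed; class and function names are assumptions, not a vendor API.
"""
import re
from dataclasses import dataclass, field

# RFC 959 encodes the data endpoint as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_endpoint(groups):
    """Turn the six decimal fields into (ip, port); reject malformed values."""
    vals = [int(g) for g in groups]
    if any(v > 255 for v in vals):
        raise ValueError("FTP endpoint field out of range")
    h1, h2, h3, h4, p1, p2 = vals
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass
class FtpAlg:
    client_ip: str                  # inside host that opened the control connection
    server_ip: str                  # outside FTP server
    # pinholes: (src_ip, dst_ip, dst_port) for which the firewall will accept one
    # new TCP connection, in addition to the control channel itself
    pinholes: set = field(default_factory=set)

    def on_client_line(self, line: str):
        """Client -> server. PORT asks the server to connect back to the client."""
        m = PORT_RE.match(line)
        if not m:
            return None                      # not a PORT command: nothing to do
        ip, port = decode_endpoint(m.groups())
        # Security check: accept only the address of the client that sent the
        # command, and only an unprivileged port. Otherwise a client could make
        # the firewall open a hole toward any other inside host (FTP bounce).
        if ip != self.client_ip or port < 1024:
            return None
        hole = (self.server_ip, ip, port)    # inbound: server -> client:port
        self.pinholes.add(hole)
        return hole

    def on_server_line(self, line: str):
        """Server -> client. A 227 reply tells the client where to connect for data."""
        m = PASV_RE.match(line)
        if not m:
            return None
        ip, port = decode_endpoint(m.groups())
        # Same caution in the other direction: the server may only direct the
        # client to itself, not to a third host, and not to a privileged port.
        if ip != self.server_ip or port < 1024:
            return None
        hole = (self.client_ip, ip, port)    # outbound: client -> server:port
        self.pinholes.add(hole)
        return hole

    def permits_new_connection(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        """Consulted by the packet filter for a SYN that matches no existing session.
        A pinhole is consumed by the one connection it was opened for."""
        hole = (src_ip, dst_ip, dst_port)
        if hole in self.pinholes:
            self.pinholes.discard(hole)
            return True
        return False


# Constructed control-channel transcript ("C" = client line, "S" = server line).
TRANSCRIPT = [
    ("S", "220 ftp.example.test ready"),
    ("C", "USER anonymous"),
    ("S", "230 Login successful"),
    ("C", "PORT 10,0,0,5,4,1"),            # honest active-mode request: 10.0.0.5:1025
    ("S", "200 PORT command successful"),
    ("C", "PORT 10,0,0,9,4,1"),            # bounce attempt toward another inside host
    ("S", "200 PORT command successful"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (203,0,113,7,195,80)"),   # server data port 50000
]


def opened_pinholes(transcript=TRANSCRIPT):
    """Run the transcript through the ALG; return the ALG and the holes it opened."""
    alg = FtpAlg(client_ip="10.0.0.5", server_ip="203.0.113.7")
    opened = []
    for direction, line in transcript:
        hole = alg.on_client_line(line) if direction == "C" else alg.on_server_line(line)
        if hole is not None:
            opened.append(hole)
    return alg, opened


if __name__ == "__main__":
    _, holes = opened_pinholes()
    for h in holes:
        print("pinhole opened:", h)
```

The ALG only ever opens the data connection that the control channel announced, and only toward the peer that announced it; the bounce attempt in the transcript is parsed but never becomes a pinhole. Firewalls that also perform NAT must additionally rewrite the address in the PORT line or the 227 reply, which is omitted here.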



What is stateful inspection in networking?

Stateful inspection, also known as dynamic packet filtering, is a firewall technology that monitors the state of active connections and uses this information to determine which network packets to allow through the firewall. Stateful inspection is commonly used in place of stateless inspection, or static packet filtering, and is well suited to Transmission Control Protocol (TCP) and similar protocols, although it can also support protocols such as User Datagram Protocol (UDP).

Stateful inspection is a network firewall technology used to filter data packets based on state and context. Check Point Software Technologies developed the technique in the early 1990s to address the limitations of stateless inspection. Stateful inspection has since emerged as an industry standard and is now one of the most common firewall technologies in use today.


Stateful inspection operates primarily at the transport and network layers of the Open Systems Interconnection (OSI) model for how applications communicate over a network, although it can also examine application layer traffic, if only to a limited degree. Packet filtering is based on the state and context information that the firewall derives from a session's packets:

  • State. The state of the connection, as it's specified in the session packets. In TCP, for example, the state is reflected in specific flags, such as SYN, ACK and FIN. The firewall stores state information in a table and updates the information regularly.
  • Context. Information such as source and destination Internet Protocol (IP) addresses and ports, sequence numbers and other types of metadata. The firewall also stores context information and updates it regularly.

By tracking both state and context information, stateful inspection can provide a greater degree of security than with earlier approaches to firewall protection. The stateful firewall inspects incoming traffic at multiple layers in the network stack, while providing more granular control over how traffic is filtered. The firewall can also compare inbound and outbound packets against the stored session data to assess communication attempts.

What are stateful and stateless inspection?

Stateful inspection has largely replaced stateless inspection, an older technology that checks only the packet headers. The stateless firewall uses predefined rules to determine whether a packet should be permitted or denied. It relies on only the most basic information, such as source and destination IP addresses and port numbers, and never looks past the packet's header, making it easier for attackers to penetrate the perimeter.

For example, such a firewall typically admits any inbound TCP packet whose ACK flag is set, on the assumption that it must be a reply to a connection opened from inside; an attacker can therefore pass packets through simply by setting that "reply" bit in the header.


Stateful inspection can monitor much more information about network packets, making it possible to detect threats that a stateless firewall would miss. A stateful firewall maintains context across all its current sessions, rather than treating each packet as an isolated entity, as a stateless firewall does. However, a stateful firewall requires more processing and memory to maintain the session data, and the state table itself becomes a target: certain denial-of-service attacks, such as SYN floods that fill it with half-open entries, aim to exhaust it.

With stateless inspection, lookup operations have much less impact on processor and memory resources, so performance stays high even under heavy traffic. That said, a stateless firewall classifies packets rather than inspects them, treating each in isolation without the session context that stateful inspection provides. The result is weaker filtering and greater exposure to other kinds of network attack.


How does stateful inspection work?

Stateful inspection monitors communications packets over a period of time and examines both incoming and outgoing packets. The firewall tracks outgoing packets that request specific types of incoming packets and allows incoming packets to pass through only if they constitute a proper response.

A stateful firewall monitors all sessions and verifies all packets, although the process it uses can vary depending on the firewall technology and the communication protocol being used.

For example, when the protocol is TCP, the firewall captures a packet's state and context information and compares it to the existing session data. If a matching entry already exists, the packet is allowed to pass through the firewall. If no match is found, the packet must then undergo specific policy checks. At that point, if the packet meets the policy requirements, the firewall assumes that it's for a new connection and stores the session data in the appropriate tables. It then permits the packet to pass. If the packet doesn't meet the policy requirements, the packet is rejected.

The process works a little differently for UDP and similar protocols. UDP is connectionless, so the firewall cannot rely on the kind of state flags that TCP carries. Instead it must use context information, such as IP addresses and port numbers, along with other data: when an inside host sends a UDP datagram, the firewall creates an entry for that address and port pair, admits replies that match it, and expires the entry after a short idle timeout. In effect, the firewall takes a pseudo-stateful approach to approximate what it achieves with TCP.
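The decision procedure above, as an added worked example that is not taken from the article: a toy state table that admits a packet matching an existing session, consults policy for a packet that matches none, tracks TCP state from the SYN/ACK/FIN/RST bits, and keeps pseudo-state for UDP with an idle timeout. Beside it is the stateless "established"-style rule it replaces, so the forged-reply case from the previous section can be seen passing one and not the other. All addresses, ports, timings and names are constructed assumptions for the example, not any vendor's API.

```python
"""
Added example, not from the article: a minimal stateful firewall implementing
match-existing-session / policy-check-new / pseudo-stateful UDP, next to the
stateless rule that admits anything carrying an ACK or RST flag. Every address,
port, packet and name below is constructed for the example.
"""
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."            # constructed: the protected network


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP control bits, e.g. {"SYN", "ACK"}
    t: float = 0.0                   # arrival time in seconds


def inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def stateless_permit(p: Packet) -> bool:
    """Stateless rule set: any outbound packet; inbound TCP only if it looks like a
    reply, i.e. ACK or RST set. Each packet is judged alone, so a forged ACK passes."""
    if inside(p.src):
        return True
    return p.proto == "tcp" and bool(p.flags & {"ACK", "RST"})


class StatefulFirewall:
    TCP_IDLE, UDP_IDLE, CLOSING_IDLE = 3600.0, 30.0, 10.0

    def __init__(self):
        self.table = {}              # canonical 5-tuple -> {"state": str, "expires": float}

    @staticmethod
    def key(p: Packet):
        # Inside endpoint first, so both directions of a flow map to one entry.
        if inside(p.src):
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    @staticmethod
    def policy_allows_new(p: Packet) -> bool:
        # Only inside hosts may open sessions, and a TCP session must start with a bare SYN.
        if not inside(p.src):
            return False
        return p.proto != "tcp" or p.flags == {"SYN"}

    def _idle(self, state: str) -> float:
        return {"UDP": self.UDP_IDLE, "CLOSING": self.CLOSING_IDLE}.get(state, self.TCP_IDLE)

    @staticmethod
    def _tcp_next(state: str, p: Packet):
        """Next state for a packet on a tracked TCP session, or None if it does not fit."""
        out = inside(p.src)
        if "RST" in p.flags:
            return "CLOSED"
        if state == "SYN_SENT":
            if out and p.flags == {"SYN"}:
                return "SYN_SENT"                       # retransmitted SYN
            return "SYN_RECV" if (not out and p.flags == {"SYN", "ACK"}) else None
        if state == "SYN_RECV":
            return "ESTABLISHED" if (out and "ACK" in p.flags) else None
        if state in ("ESTABLISHED", "CLOSING"):
            return "CLOSING" if "FIN" in p.flags else state
        return None

    def process(self, p: Packet) -> str:
        key = self.key(p)
        entry = self.table.get(key)
        if entry is not None and entry["expires"] < p.t:
            del self.table[key]                         # idle timeout: session forgotten
            entry = None
        if entry is None:
            if not self.policy_allows_new(p):
                return "DROP"                           # no session, policy forbids creating one
            state = "SYN_SENT" if p.proto == "tcp" else "UDP"
            self.table[key] = {"state": state, "expires": p.t + self._idle(state)}
            return "ALLOW"
        if p.proto == "tcp":
            nxt = self._tcp_next(entry["state"], p)
            if nxt is None:
                return "DROP"                           # does not fit the tracked state
            if nxt == "CLOSED":
                del self.table[key]
                return "ALLOW"
            entry["state"] = nxt
        entry["expires"] = p.t + self._idle(entry["state"])
        return "ALLOW"


IN, OUT = "10.0.0.5", "198.51.100.20"                   # constructed hosts


def tcp(src, sport, dst, dport, flags, t):
    return Packet("tcp", src, sport, dst, dport, frozenset(flags), t)


def udp(src, sport, dst, dport, t):
    return Packet("udp", src, sport, dst, dport, frozenset(), t)


# Constructed packet trace: a normal HTTPS session, two unsolicited inbound
# packets (one wearing the "reply" ACK bit), and a DNS exchange over UDP.
TRACE = [
    ("syn_out",        tcp(IN, 40000, OUT, 443, {"SYN"}, 0.0)),
    ("synack_in",      tcp(OUT, 443, IN, 40000, {"SYN", "ACK"}, 0.1)),
    ("ack_out",        tcp(IN, 40000, OUT, 443, {"ACK"}, 0.2)),
    ("data_in",        tcp(OUT, 443, IN, 40000, {"ACK", "PSH"}, 1.0)),
    ("forged_ack_in",  tcp("203.0.113.9", 4444, IN, 22, {"ACK"}, 2.0)),
    ("bare_syn_in",    tcp("203.0.113.9", 4444, IN, 22, {"SYN"}, 2.1)),
    ("dns_query_out",  udp(IN, 53000, "198.51.100.53", 53, 3.0)),
    ("dns_reply_in",   udp("198.51.100.53", 53, IN, 53000, 3.05)),
    ("dns_reply_late", udp("198.51.100.53", 53, IN, 53000, 90.0)),
]


def evaluate(trace=TRACE):
    """Return {name: (stateless verdict, stateful verdict)} for each packet in order."""
    fw = StatefulFirewall()
    return {name: ("ALLOW" if stateless_permit(p) else "DROP", fw.process(p))
            for name, p in trace}


if __name__ == "__main__":
    for name, (sl, sf) in evaluate().items():
        print(f"{name:15s} stateless={sl:5s} stateful={sf}")
```

The two verdicts differ in exactly the cases the article discusses: the forged ACK to port 22 passes the stateless rule and is dropped by the state table, and the DNS reply is dropped by the stateless rule (which would need a blanket permit for UDP/53 from anywhere to let it through) but admitted by the pseudo-state entry the query created, until that entry idles out.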

In a firewall that uses stateful inspection, the network administrator can set the parameters to meet specific needs. For example, an administrator might enable logging, block specific types of IP traffic or limit the number of connections to or from a single computer.

Behind a stateful firewall, an inbound port is effectively closed unless an inside host has opened a session that expects return traffic on it, and then only for that session's endpoints. Unsolicited inbound probes are dropped, which blunts port scanning, a well-known reconnaissance technique, because the scanner gets no responses to work from.

This was last updated in August 2021


What is the difference between packet filtering and stateful inspection?

While a packet filtering firewall only examines an individual packet out of context, a stateful firewall is able to watch the traffic over a given connection, generally defined by the source and destination IP addresses, the ports being used, and the already existing network traffic.

What is the main difference between stateful and stateless packet filtering methods?

Stateful firewalls are capable of monitoring and detecting states of all traffic on a network to track and defend based on traffic patterns and flows. Stateless firewalls, however, only focus on individual packets, using preset rules to filter traffic.

What is a stateful packet filtering?

Stateful inspection, also known as dynamic packet filtering, is a firewall technology that monitors the state of active connections and uses this information to determine which network packets to allow through the firewall.

What are the two differences between stateful and deep packet inspection?

Whereas conventional stateful packet inspection evaluates only packet header information, such as source IP address, destination IP address and port number, deep packet inspection looks at a fuller range of data and metadata associated with individual packets, including the payload.
