How a Stateful Firewall Works | Inside Network Perimeter Security (2nd Edition)

The stateful firewall spends most of its cycles examining packet information in Layer 4 (transport) and lower. However, it also offers more advanced inspection capabilities by targeting vital packets for Layer 7 (application) examination, such as the packet that initializes a connection. If the inspected packet matches an existing firewall rule that permits it, the packet is passed and an entry is added to the state table. From that point forward, because the packets in that particular communication session match an existing state table entry, they are allowed access without call for further application layer inspection. Those packets only need to have their Layer 3 and 4 information (IP address and TCP/UDP port number) verified against the information stored in the state table to confirm that they are indeed part of the current exchange. This method increases overall firewall performance (versus proxy-type systems, which examine all packets) because only initiating packets need to be unencapsulated the whole way to the application layer.

Conversely, because these firewalls use such filtering techniques, they don't consider the application layer commands for the entire communications session, as a proxy firewall would. This equates to an inability to really control sessions based on application-level traffic, making it a less secure alternative to a proxy. However, because of the stateful firewall's speed advantage and its ability to handle just about any traffic flow (as opposed to the limited number of protocols supported by an application-level proxy), it can be an excellent choice as the only perimeter protection device for a site or as a role player in a more complex network environment.

Note

Using a single perimeter protection device is often a financial necessity for smaller sites. However, despite the fact that only a single firewall is being implemented, other defense-in-depth options such as intrusion detection systems (IDSs), logging and monitoring servers, and host-level protection should also be used for a more secure network implementation.

Now that we have discussed the stateful firewall, for a better understanding of its function, let's discuss the meaning of state and how it is tracked in network communications.

Using a Firewall as a Means of Control

An important point that should be considered when discussing perimeter security is the concept of a firewall as a network chokepoint. A chokepoint is a controllable, single entry point where something is funneled for greater security. However, as the name implies, this area of limited entry also can be a place where bandwidth is restricted. A good example of a chokepoint in the real world is a metal detector at an airport. Imagine if the metal detector was the size of an entire hallway in the airport, and 20 or more people could walk through a single gate at one time. If the detector goes off, it would be difficult for the inspectors to determine which party had triggered it and to be able to stop that person to examine him or her further. More fine-grained traffic control is needed in such a situation. That is why the concept of a chokepoint is necessary in such a case; it allows one inspector to watch one party go through one metal detector at a time. The chokepoint offers additional control of the parties entering the airport. Like other chokepoints, this channeling of people for additional control can also lead to slowdowns in the process; therefore, lines often form at airport metal detectors.

Similar to an airport metal detector, a firewall offers a chokepoint for your network segment. All traffic that enters or leaves your network needs to pass through it for inspection. This additional control not only helps protect inbound and outbound traffic flows but also allows a single point for examining and logging such traffic, verifying that if a breach exists, it is recorded.