Summary | Inside Network Perimeter Security (2nd Edition)

The firewall provides a secured method of controlling what information moves in to or out of a defined ingress/egress point of your network. This concept of a network "chokepoint" allows increased control and a single target for the monitoring and logging of network traffic. This extra control does come at a price: an overall cost in performance.

The stateful firewall adds intelligence to the packet-filtering method of network communication control. Stateful filtering has been popularly used to define the filtering of the state of packet flows based on information from Layers 4 and below. This definition is ambiguous because the amount of protocol information that is considered in the filtering can deviate among vendor implementations. Items such as source and destination IP addresses and port numbers, sequence and acknowledgment numbers, as well as flags and other Layer 4 information can all be considered.

Stateful inspection also monitors Layer 4 information (just like stateful filtering) and adds application-level examination to provide insight into the communication session. This offers a secure means to handle nonstandard TCP/IP traffic flows. Stateful inspection offers a much more secure environment than a "dumb" packet filter as well as performance advantages over a proxy firewall, making it an excellent compromise between the two technologies. However, the same features that give stateful application inspection a performance advantage over a proxy firewall also make it less secure in environments where all aspects of application-level communication must be considered.

In any case, the stateful firewall is an excellent fit as a single perimeter security solution for smaller environments. It performs well as a role player in larger or more complex environments where multiple firewall technologies are implemented. Clearly, the stateful firewall is a solid choice and a strong performer in the current network landscape. In the next chapter, we examine a way to filter network traffic by taking advantage of application-level restraints that can be implemented using proxy firewalls.