In computing, a stateful firewall is a
network-based firewall that individually tracks sessions of network connections traversing it. Stateful packet inspection, also referred to as dynamic packet filtering, is a security feature often used in non-commercial and business networks.
Description
A stateful firewall keeps track of the state of network connections, such as
TCP streams,
UDP datagrams, and
ICMP messages, and can apply labels such as ''LISTEN'', ''ESTABLISHED'', or ''CLOSING''. State table entries are created for TCP streams or UDP datagrams that are allowed to communicate through the firewall in accordance with the configured security policy. Once in the table, all ''RELATED'' packets of a stored session are streamlined allowed, taking fewer
CPU cycles than standard inspection. Related packets are also permitted to return through the firewall even if no rule is configured to allow communications from that host. If no traffic is seen for a specified time (implementation dependent), the connection is removed from the state table. Applications can send
keepalive
A keepalive (KA) is a message sent by one device to another to check that the link between the two is operating, or to prevent the link from being broken.
Description
Once a TCP connection has been established, that connection is defined to be v ...
messages periodically to prevent a firewall from dropping the connection during periods of no activity or for applications which by design have long periods of silence.
The method of maintaining a session's state depends on the
transport
Transport (in British English), or transportation (in American English), is the intentional movement of humans, animals, and goods from one location to another. Modes of transport include air, land (rail and road), water, cable, pipeline, an ...
protocol being used. TCP is a connection oriented protocol
and sessions are established with a
three-way handshake
The Transmission Control Protocol (TCP) is one of the main protocols of the Internet protocol suite. It originated in the initial network implementation in which it complemented the Internet Protocol (IP). Therefore, the entire suite is commonly ...
using ''SYN'' packets and ended by sending a ''FIN'' notification. The firewall can use these unique connection identifiers to know when to remove a session from the state table without waiting for a timeout. UDP is a connectionless protocol,
which means it does not send unique connection related identifiers while communicating. Because of that, a session will only be removed from the state table after the configured time-out.
UDP hole punching
UDP hole punching is a commonly used technique employed in network address translation (NAT) applications for maintaining User Datagram Protocol (UDP) packet streams that traverse the NAT. NAT traversal techniques are typically required for clie ...
is a technology that leverages this trait to allow for dynamically setting up data tunnels over the internet. ICMP messages are distinct from TCP and UDP and communicate control information of the network itself. A well known example of this is the
ping
Ping may refer to:
Arts and entertainment Fictional characters
* Ping, a domesticated Chinese duck in the illustrated book '' The Story about Ping'', first published in 1933
* Ping, a minor character in ''Seinfeld'', an NBC sitcom
* Ping, a c ...
utility.
ICMP responses will be allowed back through the firewall. In some scenarios, UDP communication can use ICMP to provide information about the state of the session so ICMP responses related to a UDP session will also be allowed back through.
Stateful inspection firewall advantages
* Monitors the entire session for the state of the connection, while also checking IP addresses and payloads for more thorough security
* Offers a high degree of control over what content is let in or out of the network
* Does not need to open numerous ports to allow traffic in or out
* Delivers substantive logging capabilities
Stateful inspection firewall disadvantages
* Resource-intensive and interferes with the speed of network communications
* More expensive than other firewall options
* Doesn't provide authentication capabilities to validate traffic sources aren't spoofed
See also
*
Computer security
Computer security, cybersecurity (cyber security), or information technology security (IT security) is the protection of computer systems and networks from attack by malicious actors that may result in unauthorized information disclosure, the ...
*
Netfilter
Netfilter is a framework provided by the Linux kernel that allows various networking-related operations to be implemented in the form of customized handlers. Netfilter offers various functions and operations for packet filtering, network addre ...
References
{{DEFAULTSORT:Stateful Firewall
Computer network security
Packets (information technology)
Data security
Cyberwarfare