What does a stateful firewall do that a packet filtering firewall does not?

Continue Reading This Article

Enjoy this article as well as all of our content, including E-Guides, news, tips and more.

Step 2 of 2:

• You forgot to provide an Email Address.

  This email address doesn’t appear to be valid.

  This email address is already registered. Please log in.

  You have exceeded the maximum character limit.

  Please provide a Corporate Email Address.

• • I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.

  Please check the box if you want to proceed.

• • I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.

  Please check the box if you want to proceed.

By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

Stateful firewalls

Stateful inspection systems have a constant view of all network connections and maintain a state table based on decisions made, while stateless firewalls do not. A state table enables a stateful firewall to keep track of all open connections, including context of the traffic, such as source and destination IP addresses, packet length, protocol states and port information. When traffic arrives, the system compares the traffic to the state table to determine whether it is part of an established connection.

This means a state table is made up of the sum total of connections established or blocked by the stateful firewall. Future filtering decisions take this history into account when determining if new traffic might be malicious. This also means stateful firewalls can block much larger attacks that may be happening across individual packets.

The deeper packet inspection performed by a stateful firewall can also monitor a TCP handshake between devices and recognize packets as part of existing connections.

However, all this monitoring comes at a higher cost in terms of processing power and speed. The increased processing requirements make stateful firewalls susceptible to distributed denial-of-service attacks and man-in-the-middle attacks, and the higher complexity of the internal code can result in vulnerabilities that can be attacked if software isn't up to date.

Stateless firewalls

Stateless firewalls rely on predetermined rules in access control lists (ACLs) to make decisions on individual packets. They inspect the packet header for information, including source and destination IP addresses, port number and static traffic type (TCP vs. User Datagram Protocol).

As a result, stateless firewalls are more limited in their ability to filter traffic, and because they rely on ACLs, the filtering is only as good as the rules defined by the user. Stateless firewalls are more prone to user error if ACLs aren't managed properly and cannot adapt over time.

While this relative simplicity makes stateless firewalls less resource-intensive, faster and able to handle heavy traffic, the limitations mean they can only be deployed in specific scenarios within an enterprise.

The most common implementation of a stateless firewall today is at an internet-facing router. These devices often implement a basic packet-filtering rule set to weed out obviously unwanted traffic and reduce the load on a stateful inspection firewall immediately behind the router.

Choosing between stateful and stateless firewalls

Stateless firewalls are commonly used by consumers but can also be an option for small businesses with limited budgets and less traffic. Less traffic generally means fewer threats to consider, which would make setting the rules for a stateless firewall a manageable task. Stateless firewalls may also be useful in limited scenarios on internal networks, such as between virtual LANs.

For larger enterprises with more traffic that face more threats, stateful firewalls offer more security features and capabilities. However, if an enterprise uses more modern applications that use more than one port for different services or change ports, it may be necessary to look beyond stateful firewalls to next-generation firewalls, which inspect applications rather than just network connections.