Stateful Firewall

A stateful firewall was invented to resolve the shortcomings of packet filtering. Originally called a circuit level firewall, the stateful firewall is considered a second-generation technology. As its name implies, this firewall technology is aware of the state of the ongoing communications. This firewall technology is the most commonly deployed today in firewall products.

The ability to maintain state is crucial for almost all security deployments. Stateful firewall technology is based upon a few important concepts. In contrast to packet filters, stateful firewalls watch and maintain the entire state of a connection. A connection is made up of two separate flows. A client system initiates a connection to a remote server. This flow starts the session setup. At this point, the firewall must determine the beginning state of the communication. The determination is based upon the type of protocol being used.

We first look at the truly stateful transport protocol TCP (Transmission Control Protocol). TCP has a clear beginning, middle, and end to each of its network conversations. When a TCP connection begins, it marks the initial packet coming from the client with a SYN flag. This flag tells the remote host that the client system wants to initialize a connection. The server sends a SYN/ACK packet and acknowledges the original SYN packet. To confirm that this packet was received, the client system sends an ACK back to the server. This process is called a three-way handshake. During the conversation, each packet is flagged with a SYN/ACK. Figure 5-1 shows an example of a three-way handshake.


To close the conversation gracefully, the closing host sends a FIN packet and the receiving host sends an ACK packet back. The receiving host sends a FIN packet and the initial closing host sends an ACK packet. This process is called a four-way handshake. A four-way handshake is done to ensure that no data is lost, with both sides acknowledging the close. A host also can abruptly close a session by sending just an RST or reset packet. Figure 5-2 shows an example of the four-way connection close.


Now you can see that identifying the entire state of the communication for a TCP session is possible and allows a stateful firewall to keep track of the state of the session. When creating policies on a stateful firewall, you typically need to match only three components: the source IP, the destination IP, and the service you want to allow or deny. In contrast to a packet filter firewall, the return packets are automatically allowed if they are consistent with the state of the communications. After the session is closed, the return path that was dynamically created through the firewall is closed. This process is much more secure than leaving the return path open via a static ACL such as a packet filter.
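The state tracking described above can be modeled in a few lines. The following Python sketch is an added example, not code from the original text or from any firewall product; the class name, state names, and addresses are assumptions, and the model ignores sequence numbers and timeouts.

```python
# Added example: toy model of TCP state tracking in a stateful firewall.
class StatefulFirewall:
    def __init__(self, policy):
        self.policy = set(policy)  # allowed (src_ip, dst_ip, dst_port) for new sessions
        self.sessions = {}         # (client_ip, cport, server_ip, sport) -> [state, closer]

    def handle(self, src, sport, dst, dport, flags):
        """Return True to forward the packet, False to drop it."""
        flags = set(flags)
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if fwd not in self.sessions and rev not in self.sessions:
            # Only a bare SYN that matches policy may create a session.
            if flags == {"SYN"} and (src, dst, dport) in self.policy:
                self.sessions[fwd] = ["SYN_SENT", None]
                return True
            return False
        key, sender = (fwd, "client") if fwd in self.sessions else (rev, "server")
        sess = self.sessions[key]
        state, closer = sess
        if "RST" in flags:                   # abrupt close removes the return path
            del self.sessions[key]
            return True
        fin = "FIN" in flags and "SYN" not in flags
        if state == "SYN_SENT" and sender == "server" and flags == {"SYN", "ACK"}:
            sess[0] = "SYN_RCVD"
        elif state == "SYN_RCVD" and sender == "client" and flags == {"ACK"}:
            sess[0] = "ESTABLISHED"
        elif state == "ESTABLISHED" and flags == {"ACK"}:
            pass                             # traffic in either direction
        elif state == "ESTABLISHED" and fin:
            sess[0], sess[1] = "FIN_WAIT", sender
        elif state == "FIN_WAIT" and sender != closer and flags == {"ACK"}:
            sess[0] = "CLOSE_WAIT"
        elif state == "CLOSE_WAIT" and sender != closer and fin:
            sess[0] = "LAST_ACK"
        elif state == "LAST_ACK" and sender == closer and flags == {"ACK"}:
            del self.sessions[key]           # four-way close complete
        else:
            return False                     # inconsistent with the tracked state
        return True

def demo():
    # Constructed addresses: one policy entry allowing the client to reach port 443.
    fw = StatefulFirewall({("10.0.0.5", "203.0.113.10", 443)})
    c, s = ("10.0.0.5", 40000), ("203.0.113.10", 443)
    packets = [(s, c, {"SYN", "ACK"}),       # unsolicited reply, no session yet
               (c, s, {"SYN"}), (s, c, {"SYN", "ACK"}), (c, s, {"ACK"}),
               (s, c, {"ACK"}),              # return traffic, no explicit rule
               (c, s, {"FIN"}), (s, c, {"ACK"}), (s, c, {"FIN"}), (c, s, {"ACK"}),
               (s, c, {"ACK"})]              # after close, the return path is gone
    return [fw.handle(*a, *b, f) for a, b, f in packets]
```

Only the first and last packets in `demo()` are dropped: one arrives before any session exists, the other after the four-way close has removed it.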

UDP and Internet Control Message Protocol (ICMP) are different beasts to deal with, however. Neither of these protocols is truly stateful. Each firewall vendor uses different mechanisms to determine the state of the protocol. Vendors typically create short-lived sessions for these protocols, assuming that they will be short lived. However, the length of the session varies based upon the UDP or ICMP implementation.

Some applications do not act in a way that is firewall friendly, which typically means that the application uses another mechanism to communicate the change of state besides the underlying transport protocol. An example is the File Transfer Protocol (FTP). This protocol negotiates a port on which the client will connect to the server. This new port is random and unpredictable from just looking at the transport protocol. The firewall must look inside the application layer to determine this information. To do this, vendors implement what is known as an Application Layer Gateway (ALG). An ALG looks at specific protocols at the application layer, thereby allowing the firewall to monitor for changes that are not done at the transport layer. The firewall can then open a pinhole to allow the communication to continue.
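The FTP case can be made concrete with the passive-mode reply, in which the server announces the negotiated port on the control channel. The following Python sketch is an added example, not code from the original text or from any vendor's ALG; the class and method names, the 30-second lifetime, and the rule of rejecting ports below 1024 are assumptions.

```python
# Added example: toy FTP ALG that opens a one-shot pinhole from a 227 reply.
import re
import time

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": address octets, then port bytes.
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

class FtpAlg:
    def __init__(self, ttl=30):
        self.ttl = ttl          # seconds a pinhole stays open (assumed value)
        self.pinholes = {}      # (client_ip, server_ip, server_port) -> expiry time

    def inspect_reply(self, client_ip, server_ip, line, now=None):
        """Inspect one server-to-client control line; return the opened port or None."""
        now = time.monotonic() if now is None else now
        m = PASV_RE.match(line)
        if not m:
            return None
        nums = [int(x) for x in m.groups()]
        if any(n > 255 for n in nums):
            return None
        ip = ".".join(str(n) for n in nums[:4])
        port = nums[4] * 256 + nums[5]
        # Only open a pinhole toward the server that owns the control session,
        # and never toward a well-known port (assumed policy choice).
        if ip != server_ip or port < 1024:
            return None
        self.pinholes[(client_ip, server_ip, port)] = now + self.ttl
        return port

    def allow_data_syn(self, client_ip, server_ip, dport, now=None):
        """Permit the data connection once, and only before the pinhole expires."""
        now = time.monotonic() if now is None else now
        expiry = self.pinholes.pop((client_ip, server_ip, dport), None)
        return expiry is not None and now <= expiry
```

The pinhole is scoped to one client, one server address, and one port, and it is consumed by the first matching connection, so the dynamically opened path is no wider than the negotiated data channel.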

Although stateful firewalls are the most popular firewalls and are considered the mainstream technology, they are not without their downside. The biggest challenge is maintaining the sessions. Each session takes up a specific amount of resources on the firewall. A network attack can attempt to overwhelm the firewall by taking up all the available sessions. Doing so can easily crash the firewall and create a service loss on the network. To fight against such an attack, a vendor uses both its hardware and software to mitigate the risk of this occurring.

The second drawback of a stateful firewall is that it is not the most secure type of firewall. A stateful firewall does not do a full protocol decode and typically operates only at the network and transport layers (TCP/UDP/IP). However, stateful firewalls implement several different technologies to overcome this limitation. A stateful firewall provides secure transport between two networks by securing the traffic and allowing the minimal number of ports to be open at any given time. This technology balances speed and security to create the most viable firewall for organizations.

You can find additional information covering the concept of stateful firewalls at www.answers.com/topic/stateful-inspection.

An application proxy is considered the most secure firewall type.