Network Security 102: Stateful Firewalls

Session-based firewalls are probably the most popular type of firewall today.  But how do they work to protect your network?  In this article we will discuss stateful firewalls and the strengths and weaknesses of this type of firewall.

Stateful Firewalls

Stateful firewalls, also known as session-based firewalls, work by grouping packet flows into sessions and filtering traffic on a per-session basis.  The firewall keeps track of the sessions by maintaining a session table against which it matches future packet flows belonging to those sessions.  For more about the difference between flows and sessions, take a look at my previous article, Network Security 101.

Flows and Sessions

Unlike the stateless firewall in the previous article, which just checked whether the single flow was allowed through, the stateful firewall puts each packet flow through a series of checks before it decides what to do with it:

These are the steps the firewall must perform before allowing a packet flow to go through it.

The reason for ordering the rules this way is to save the firewall's hardware resources.  Rule 1, for example, lets us save resources by skipping the unnecessary checks for routing, rules, and actions when a packet flow already belongs to a known session.  It also allows us to eventually close the session and remove it from the table, further saving resources.  Rule 2 saves resources by dropping all traffic that the firewall would not be able to forward to its destination anyway.  Why waste the firewall's CPU on a rulebase lookup when the firewall can never reach the destination?

The PC and Company.com – now with Stateful Inspection

Using the same example from the last article, we have a client PC wanting to access the website www.company.com.  When the PC makes a request from its browser to access the site, the request stops first at the firewall:

The PC is attempting to access the website www.company.com, but first it must go through the firewall

Here we see the firewall has performed the session check, the route check, and the policy checks.  Now it can forward the packet flow to the remote server.  Take note though: the firewall in this instance is not performing something called Network Address Translation (NAT).  In this instance both the PC and Server are reachable directly through routing in the firewall.  I will be discussing NAT in a future article as well.  Moving on:

Now that the server has sent its response back to the firewall, the packet flow gets forwarded without going through all the security checks as it is part of the existing session.

The server has now sent its response back to the PC.  The firewall is able to determine that this second packet flow is part of the existing session and simply forwards it toward the PC.  With the session now completed, the user sees their webpage from www.company.com.  All that is left is for the firewall to remove the completed session from its session table, and the firewall has done its job.
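As an added example (not code from the article), here is a small Python model of the decision path just described: the session-table lookup first, then the route check, then the policy check, with a session created on the first packet flow and removed when the exchange completes. The IP addresses, port numbers and rulebase are constructed for the illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing (not from the article): the client PC sits on an
# inside LAN, www.company.com's server on a directly routed server subnet.
ROUTES = [ip_network("192.168.1.0/24"), ip_network("203.0.113.0/24")]
# Constructed rulebase: inside clients may open TCP/80 to the server subnet.
POLICY = [(ip_network("192.168.1.0/24"), ip_network("203.0.113.0/24"), 80)]

class StatefulFirewall:
    def __init__(self):
        self.sessions = set()  # the session table, keyed by 5-tuple

    @staticmethod
    def key(src, sport, dst, dport):
        return (src, sport, dst, dport, "tcp")

    def check(self, src, sport, dst, dport, last=False):
        """Return (action, deciding_step) for one packet flow."""
        fwd = self.key(src, sport, dst, dport)
        rev = self.key(dst, dport, src, sport)
        # Step 1: session check. A reply matches the reverse key, so it skips
        # the route and policy checks entirely (the article's "rule 1").
        if fwd in self.sessions or rev in self.sessions:
            if last:  # session completed: drop it from the table
                self.sessions.discard(fwd)
                self.sessions.discard(rev)
            return "forward", "session"
        # Step 2: route check. Unreachable destinations are dropped before any
        # CPU is spent on the rulebase (the article's "rule 2").
        if not any(ip_address(dst) in net for net in ROUTES):
            return "drop", "route"
        # Step 3: policy check. On a match, create the session, then forward.
        for src_net, dst_net, port in POLICY:
            if ip_address(src) in src_net and ip_address(dst) in dst_net and dport == port:
                self.sessions.add(fwd)
                return "forward", "policy"
        return "drop", "policy"

def walk_through():
    """The PC <-> www.company.com exchange, plus two flows that get dropped."""
    fw = StatefulFirewall()
    steps = [
        fw.check("192.168.1.10", 51000, "203.0.113.80", 80),   # PC request: full checks
        fw.check("203.0.113.80", 80, "192.168.1.10", 51000),   # server reply: session hit
        fw.check("192.168.1.10", 51001, "10.99.0.1", 80),      # no route: dropped early
        fw.check("203.0.113.80", 80, "192.168.1.10", 52000),   # unsolicited inbound: policy drop
        fw.check("192.168.1.10", 51000, "203.0.113.80", 80, last=True),  # closes session
    ]
    return steps, len(fw.sessions)  # session table is empty again
```

Note that the unsolicited inbound flow passes the route check but fails the policy check, which is exactly the kind of unexpected traffic a session table makes visible.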

Advantages to Stateful Firewalls

Stateful firewalls can provide much more granularity in securing a network.  Just by performing a few simple sanity checks up front, we can skip a great deal of unnecessary work that a flow-based firewall would have had to do on every packet.  In addition, the ability to track sessions lets us spot unusual activity, such as a system unexpectedly opening hundreds of connections.  This is useful for detecting things such as virus outbreaks or unauthorized access attempts against a system.

Disadvantages to Stateful Firewalls

Stateful firewalls are considerably more expensive to implement, because they require very powerful hardware to perform high-speed filtering.  Because of the cost of that hardware, the firewall has finite resources with which to filter traffic, so it can enter states where it cannot forward traffic because it has exceeded the capacity of its session table or its throughput.  As always, network administrators should stay mindful of these facts when choosing a firewall that suits their home or business needs.

– Clay (dark_15 on the forums)

Discussion
  1. VinnyTAMU
    Looks good, however I would argue that stateful firewalls are not grossly more expensive than stateless firewalls.

    Also an article on transparent vs NATing/routing firewalls would help as well.


    I would agree with you on the lower-end firewalls, but I am talking about firewalls that have a firewall throughput of over 1Gbps - those are easily $10k or more for session-based filtering, when I can purchase a server for less than half that cost and still achieve the same throughput on flow-based filtering.

    Are you talking about the differences between a layer-2 (transparent) and layer-3 (routing) modes? Or simply just NAT? I do have an article on NAT in the works, but I can definitely add layer-2 (transparent mode) firewalls to the list.

    Thanks everyone for the comments and suggestions! If you have additional articles you would like to see, please feel free to PM me or IM me.