Firewalls serve as the gatekeepers to the Internet for many networks in businesses and individuals alike. But how do they work?
This article is a part of a series of articles to explain how modern firewalls work.
When your PC requests a web page from a web server it makes a one-way connection to the server – this is called a flow. The remote web server will then create a connection back to the host in another flow, as shown in the example below:
When those two flows are grouped together it then makes something we call a session:
Major Firewall Types
While we will be discussing the major types of firewalls in detail in later articles, the two major types of firewalls available today are called Stateless Firewalls and Stateful Firewalls.
Stateless firewalls filter traffic by matching individual flows. Stateful Firewalls filter traffic by monitoring and tracking sessions in a session table and determining whether the individual flows it receives are part of an existing session.
Stateless Firewalls in Detail
Stateless Firewalls, also known as flow-based firewalls, work by matching individual flows of traffic to rules to permit and deny traffic. They lack the ability to track full sessions to and from the original host.
In the following example, we have a Client PC wanting to access the website www.website.com. When the PC makes a request from its browser to access the site, it will stop first at the firewall. The firewall will then take that flow and look at the source address, the destination address, and the port of the traffic to see if it matches a rule in the firewall’s rule base. If the traffic matches a rule, then it will perform an action – usually to either allow or deny the traffic. In our example, the firewall allows a flow from the Client PC to the Server over port 80 (which is usually reserved for HTTP/Web traffic):
The web request is permitted through the firewall and the flow is completed. Any response from the remote Server will come from a new flow. Because of this we will need to create a new rule to permit traffic from the Server back to the Client PC, as shown below:
With both flows permitted, the user now sees their webpage from www.website.com and the firewall has done its job.
Stateless Firewalls have one major advantage: cost.
Since the firewall does not need to track sessions, it does not need as much CPU or memory to match traffic to policies. As such, Stateless Firewalls can produce as much throughput as a Stateful Firewall using much cheaper commodity hardware.
To uninitiated network administrators, Stateless Firewalls can appear less secure than a Stateful Firewall. Using our previous example, the Stateless Firewall has no way to tell which host started the communication. While we want to allow the Client PC to access the Remote Server, we may not always want the Remote Server to be able to access the Client PC. Unfortunately, the Stateless Firewall has no way to control this, since it allows flows in both directions. Network administrators will need to use other methods of locking down access from hosts on the Internet to hosts on the LAN.
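The two filtering models described above, as an added Python simulation that is not part of this article or of any firewall product: a stateless rule base that needs a second, any-port rule for the Server's return flow (and so also admits a connection the Server starts on its own), beside a stateful filter whose session table admits only the reply to a session the Client opened. The hosts, ports and rules are constructed for the example.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    src: str               # IP address or "any"
    dst: str               # IP address or "any"
    dport: "int | None"    # None matches any destination port
    action: str            # "allow" or "deny"

def stateless_decide(rules, f, default="deny"):
    """Stateless filter: the first rule matching the flow's own header fields wins."""
    for r in rules:
        if (r.src in (f.src, "any") and r.dst in (f.dst, "any")
                and r.dport in (f.dport, None)):
            return r.action
    return default

class StatefulFilter:
    """Keeps a session table; a reply flow is admitted only for a session already seen."""
    def __init__(self, rules):
        self.rules, self.sessions = rules, set()
    def decide(self, f, default="deny"):
        # Reverse direction of a session that an inside host already opened?
        if (f.dst, f.dport, f.src, f.sport) in self.sessions:
            return "allow"
        action = stateless_decide(self.rules, f, default)
        if action == "allow":
            self.sessions.add((f.src, f.sport, f.dst, f.dport))
        return action

# Constructed sample addresses (documentation ranges), not taken from the article.
CLIENT, SERVER = "10.0.0.5", "203.0.113.10"
REQUEST = Flow(CLIENT, 51234, SERVER, 80)         # Client PC -> web server, port 80
REPLY = Flow(SERVER, 80, CLIENT, 51234)           # the server's response flow
UNSOLICITED = Flow(SERVER, 40000, CLIENT, 8080)   # server opening its own connection
def demo():
    # Stateless: the return flow needs its own rule; the client's port is unknown in
    # advance, so that rule must allow any port from the Server to the Client.
    stateless_rules = [Rule(CLIENT, SERVER, 80, "allow"), Rule(SERVER, CLIENT, None, "allow")]
    stateless = {f: stateless_decide(stateless_rules, f) for f in (REQUEST, REPLY, UNSOLICITED)}
    # Stateful: only the outbound rule is needed; the session table admits the reply.
    sf = StatefulFilter([Rule(CLIENT, SERVER, 80, "allow")])
    stateful = {f: sf.decide(f) for f in (REQUEST, REPLY, UNSOLICITED)}
    return {"stateless": stateless, "stateful": stateful}
```

Running `demo()` shows the stateless rule base allowing all three flows, including the unsolicited one, while the stateful filter allows the request and its reply but denies the server-initiated flow.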
This is not to say Stateless Firewalls don’t have their place in the world – especially when high throughput is needed; rather network administrators should keep in mind the advantages and disadvantages when choosing a firewall.
This article is part of a series of articles in Network Security 101. Please stay tuned for more updates!