Stateful (session-based) firewalls are probably the most common type of firewall in use today. But how do they protect your network? In this article we will look at how stateful firewalls work, and at the strengths and weaknesses of this type of firewall.
Stateful firewalls, also known as session-based firewalls, work by grouping packet flows into sessions and filtering traffic on a per-session basis. The firewall keeps track of those sessions in a session table, so that later packet flows belonging to an existing session can be matched against the table instead of being evaluated from scratch. For more on the difference between flows and sessions, take a look at my previous article, Network Security 101.
Flows and Sessions
Unlike the stateless firewall in the previous article, which only checked whether a single flow was allowed through, a stateful firewall runs each packet flow through a series of checks, in order, before deciding what to do with it:
1. Session check: is this flow part of a session already in the session table? If so, forward it and skip the remaining checks.
2. Route check: does the firewall have a route to the destination? If not, drop the flow.
3. Policy check: does a firewall rule allow the flow?
4. Action: carry out the matching rule, creating a session table entry for an allowed flow.
The checks are ordered this way to conserve the firewall's hardware resources. A hit on the session check (check 1) lets the firewall forward the flow without performing the routing, rule and action lookups at all, and because the firewall tracks the session it can eventually close it and remove it from the table, freeing those resources again. The route check (check 2) saves resources by dropping any traffic the firewall could never deliver to its destination anyway. Why waste the firewall's CPU on rule lookups when the firewall can never reach the destination?
The PC and Company.com – now with Stateful Inspection
Using the same example as in the last article, we have a client PC that wants to access the website www.company.com. When the PC's browser sends its request to the site, the first stop is the firewall:
Here we see the firewall has performed the session check, the route check and the policy checks, and can now forward the packet flow to the remote server. Take note, though: the firewall in this example is not performing Network Address Translation (NAT). Both the PC and the server are directly reachable through the firewall's routing table. I will be discussing NAT in a future article as well. Moving on:
The server has now sent its response back to the PC. The firewall determines that this second packet flow belongs to the existing session and simply forwards it toward the PC, with no further route or policy lookups. With the session complete, the user sees their web page from www.company.com. All that is left is for the firewall to remove the completed session from its session table, and the firewall has done its job.
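The check order and the PC / www.company.com exchange above, as an added illustration that is not the article's own code. The addresses (192.168.1.10 for the PC, 203.0.113.10 for the server), interface names, rules, the session-table size and the API are assumptions; the table cap is there to show the finite-resource point made under the disadvantages below.

```python
"""Toy stateful firewall: session check -> route check -> policy check -> action,
with a finite session table.  Added illustration, not the article's own code;
the addresses, interface names, rules and the API are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    flags: frozenset = frozenset()      # TCP flags, e.g. {"SYN"} or {"FIN", "ACK"}


@dataclass
class Session:
    key: tuple                          # 5-tuple of the packet that opened the session
    fin_seen: set = field(default_factory=set)   # directions that have sent FIN


class StatefulFirewall:
    def __init__(self, routes, rules, max_sessions=1000):
        # routes: [(network, interface)]; rules: [(src_net, dst_net, dport|None, action)]
        self.routes = [(ip_network(net), ifc) for net, ifc in routes]
        self.rules = [(ip_network(s), ip_network(d), port, act) for s, d, port, act in rules]
        self.max_sessions = max_sessions
        self.table = {}                 # 5-tuple -> Session, one entry per direction
        self.session_count = 0

    @staticmethod
    def _key(p):
        return (p.src, p.sport, p.dst, p.dport, p.proto)

    @staticmethod
    def _reverse(key):
        src, sport, dst, dport, proto = key
        return (dst, dport, src, sport, proto)

    def _route(self, dst):
        addr = ip_address(dst)
        return next((ifc for net, ifc in self.routes if addr in net), None)

    def _policy(self, p):
        src, dst = ip_address(p.src), ip_address(p.dst)
        for src_net, dst_net, port, action in self.rules:
            if src in src_net and dst in dst_net and port in (None, p.dport):
                return action           # first matching rule wins
        return "deny"                   # no matching rule: default deny

    def _close(self, sess):
        del self.table[sess.key]
        del self.table[self._reverse(sess.key)]
        self.session_count -= 1

    def process(self, p):
        """Return (action, reason) for one packet of a flow."""
        key = self._key(p)
        # 1. Session check: a hit skips the route, policy and action lookups.
        sess = self.table.get(key)
        if sess is not None:
            # Simplified teardown: RST, or FIN from both sides, ends the session
            # (a real firewall also ages out idle sessions and validates flags).
            if "FIN" in p.flags:
                sess.fin_seen.add(key)
            if "RST" in p.flags or len(sess.fin_seen) == 2:
                self._close(sess)
            return ("forward", "session")
        # 2. Route check: drop what could never be delivered anyway.
        if self._route(p.dst) is None:
            return ("drop", "no-route")
        # 3. Policy check.
        if self._policy(p) != "allow":
            return ("drop", "policy")
        # 4. Action: admit the flow and create a session, if the finite table has room.
        if self.session_count >= self.max_sessions:
            return ("drop", "table-full")
        sess = Session(key)
        self.table[key] = self.table[self._reverse(key)] = sess
        self.session_count += 1
        return ("forward", "new-session")


def walkthrough():
    """The PC / www.company.com exchange from the article, plus two rejected flows."""
    fw = StatefulFirewall(
        routes=[("192.168.1.0/24", "lan"), ("203.0.113.0/24", "wan")],
        rules=[("192.168.1.0/24", "0.0.0.0/0", 80, "allow")],   # LAN may browse the web
        max_sessions=100,
    )
    pc, web = "192.168.1.10", "203.0.113.10"    # assumed addresses for the PC and server
    syn, synack, fin = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"FIN", "ACK"})
    exchange = [
        fw.process(Packet(pc, 51234, web, 80, flags=syn)),      # new session created
        fw.process(Packet(web, 80, pc, 51234, flags=synack)),   # reply matches the session
        fw.process(Packet(pc, 51234, web, 80, flags=fin)),      # PC closes
        fw.process(Packet(web, 80, pc, 51234, flags=fin)),      # server closes: session removed
    ]
    return {
        "exchange": exchange,
        "sessions_after_close": fw.session_count,
        "unroutable": fw.process(Packet(pc, 51235, "10.99.0.1", 80, flags=syn)),  # no route
        "unsolicited": fw.process(Packet(web, 4444, pc, 22, flags=syn)),         # no rule
    }


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(f"{name}: {value}")
```

Running it shows the first packet going through all four checks and creating the session, the three following packets being forwarded on the session check alone, the table being empty once both sides have sent FIN, the unroutable destination being dropped before any rule is consulted, and the server-initiated connection being dropped by policy even though it is routable.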
Advantages to Stateful Firewalls
Stateful firewalls provide much more granularity in securing a network. A few simple sanity checks, applied in order, avoid a great deal of the work that a stateless, flow-based firewall would have to repeat for every flow. In addition, the ability to track sessions lets us spot unusual activity, such as a system unexpectedly opening hundreds of connections. This is useful for detecting things such as virus or worm outbreaks and unauthorized access attempts against a system.
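The "hundreds of connections" point above, as an added example that is not from the article: a small detector run over session-creation log lines, flagging any source that opens more new sessions in a short window than a threshold allows. The log line format, the window, the threshold and the sample log are all assumptions; the sample is constructed inline.

```python
"""Flag hosts that open an unusual number of new sessions in a short window,
from session-creation log lines.  Added example, not the article's code; the
log format, window, threshold and sample log are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import NamedTuple

# Assumed line format: "<iso-timestamp> NEW <proto> <src>:<sport> -> <dst>:<dport>"
LINE = re.compile(
    r"^(?P<ts>\S+) NEW (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


class NewSession(NamedTuple):
    ts: datetime
    proto: str
    src: str
    dst: str
    dport: int


def parse(line):
    """Parse one NEW-session line; return None for other events and malformed lines."""
    m = LINE.match(line.strip())
    if not m:
        return None
    return NewSession(datetime.fromisoformat(m["ts"]), m["proto"], m["src"], m["dst"], int(m["dport"]))


def find_bursts(lines, threshold=50, window=timedelta(seconds=60)):
    """Return {src: alert} for sources that open >= threshold sessions within window."""
    recent = defaultdict(deque)     # src -> timestamps of its recent new sessions
    targets = defaultdict(set)      # src -> distinct destinations contacted
    alerts = {}
    for rec in filter(None, map(parse, lines)):
        q = recent[rec.src]
        q.append(rec.ts)
        while rec.ts - q[0] > window:   # slide the window forward
            q.popleft()
        targets[rec.src].add(rec.dst)
        if len(q) >= threshold:
            alert = alerts.setdefault(rec.src, {"first_flagged": rec.ts, "peak": 0})
            alert["peak"] = max(alert["peak"], len(q))
            alert["distinct_dst"] = len(targets[rec.src])
    return alerts


def sample_log():
    """Constructed sample: one PC browsing normally, one host sweeping port 445."""
    base = datetime(2024, 1, 15, 9, 0, 0)
    lines = []
    for i, (dst, port) in enumerate([("203.0.113.10", 443), ("203.0.113.10", 80), ("198.51.100.7", 443)]):
        t = base + timedelta(minutes=3 * i)
        lines.append(f"{t.isoformat()} NEW tcp 192.168.1.10:{50000 + i} -> {dst}:{port}")
    for i in range(60):                 # 60 new sessions to 60 hosts within 60 seconds
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} NEW tcp 192.168.1.50:{40000 + i} -> 10.0.0.{i + 1}:445")
    lines.sort()                        # ISO timestamps sort chronologically
    # a non-NEW event, as real firewall logs mix in; parse() skips it
    lines.append(f"{(base + timedelta(minutes=7)).isoformat()} DROP tcp 192.168.1.50:41000 -> 10.0.0.61:445")
    return lines


if __name__ == "__main__":
    for src, alert in find_bursts(sample_log()).items():
        print(f"{src}: {alert['peak']} new sessions within 60s, "
              f"{alert['distinct_dst']} distinct destinations, first flagged {alert['first_flagged']}")
```

The sliding window is what makes this a rate check rather than a lifetime count: a busy but legitimate server can open thousands of sessions over a day without ever tripping it, while a host that sweeps sixty neighbours in a minute is flagged on its fiftieth attempt. The distinct-destination count is the extra signal that separates a scan or worm from a single noisy download.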
Disadvantages to Stateful Firewalls
Stateful firewalls are considerably more expensive to implement, because they require powerful hardware to filter at high speed. Even with that hardware the firewall has finite resources: it can reach a state where it cannot forward new traffic because its session table is full or its throughput has been exceeded, for example under a flood of new connection attempts. As always, network administrators should keep these facts in mind when choosing a firewall that suits their home or business needs.
– Clay (dark_15 on the forums)