Stateless vs Stateful Packet Filtering Firewalls
Packet filtering firewalls check the source and destination IP addresses, the protocol (User Datagram Protocol (UDP) or Transmission Control Protocol (TCP)), and the port numbers. If both IP addresses match, the packet is considered secure and verified.
Packet filtering firewalls are divided into two categories:
- Stateless packet filtering firewalls
- Stateful packet filtering firewalls
Before getting into stateless and stateful firewalls, let’s define two terms, state and context:
1. State –
In simple words, state means the last known or current status of a process, and managing state refers to keeping track of the process. Let’s take TCP-based communication as an example. In TCP, four bits out of the nine assignable control bits are used to control the state of the connection. The four control bits are SYN, ACK, FIN, and RST.
- At first, a client initiates a connection using a three-way handshake. The TCP stack sets the SYN flag to indicate the start of a new connection.
- Then the server replies with SYN+ACK. At that point the firewall has seen packets from both sides, and it promotes its internal connection state to ESTABLISHED. However, when the firewall sees an RST or FIN+ACK packet, it marks the connection state for deletion. Any future packets for this connection will be rejected.
2. Context –
The context of a connection consists of the metadata related to the packets. It includes the IP addresses and the port numbers of the source and the destination. It also includes packet length, layer 3 information related to reassembly and fragmentation, layer 4 TCP sequence numbers, flags, etc.
Stateful firewalls:
This firewall is situated at Layers 3 and 4 of the Open Systems Interconnection (OSI) model. As the name suggests, a stateful firewall always keeps track of the state of network connections. Once a particular kind of traffic has been approved by a stateful firewall, it is added to a state table. The state table entries are created for TCP (Transmission Control Protocol) streams or UDP (User Datagram Protocol) datagrams that are allowed to communicate through the firewall in accordance with the configured security policy. If no traffic is seen for a specified time (implementation dependent), the connection is removed from the state table.
- Stateful firewalls are highly skilled at detecting forged messaging or unauthorized access.
- These firewalls have a powerful memory to retain key aspects of network connections.
- They are intelligent systems. They make future filtering decisions based on past and present results. This means that they can automatically stop a specific cyber attack in the future once they have encountered it, without the need for updates.
- These firewalls do not need many ports open for proper communication.
- Stateful firewalls offer extensive logging capabilities and stronger attack mitigation.
- Stateful firewalls can be vulnerable to distributed denial-of-service (DDoS) attacks.
- These firewalls have to be kept updated with the latest software releases; otherwise, vulnerabilities may allow hackers to take control of the firewall.
- They can be fooled into allowing a harmful connection to the network, and this can happen with a simple action like viewing a webpage.
- These firewalls may be more sensitive to man-in-the-middle (MITM) attacks, which involve an attacker intercepting communication between two people to either spy on the traffic or make changes to it.
Stateless firewalls:
A stateless firewall, also known as an access control list (ACL), does not store information on the connection state. Stateless ACLs are applicable to the network and physical layers, and sometimes the transport layer to find out the source and destination port numbers. When a sender’s packet is filtered through the firewall, the device checks for matches to any of the ACL rules that are configured in the firewall and then drops or rejects the packet accordingly.
- Stateless firewalls do not take as much into account as stateful firewalls, so they’re generally considered to be less rigorous. That is why they are fast.
- As they don’t go into that much detail, they perform quite well in heavy traffic.
- They are generally cheaper than stateful firewalls.
- A stateless firewall cannot analyze all network traffic (or packets), making it unable to identify traffic type. This results in making it less secure compared to stateful firewalls.
- These firewalls, in many instances, may need to be carefully configured by someone familiar with the kinds of traffic and attacks that impact the network. This may require extra time and energy to perform.
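The state tracking described above, run next to a stateless ACL over the same packets, as an added example (not code from the original article). The addresses, ports, HTTPS-only policy and 60-second idle timeout are assumptions, and connection teardown follows this page's simplified model.

```python
from collections import namedtuple
Packet = namedtuple("Packet", "src sport dst dport flags t")
INSIDE, IDLE_TIMEOUT = "10.0.0.", 60.0   # assumed prefix and idle timeout (added example)

def stateless_allow(p):
    """Static ACL: every packet is judged alone, on header fields only."""
    if p.src.startswith(INSIDE) and p.dport == 443:
        return True                                   # outbound HTTPS
    return p.dst.startswith(INSIDE) and p.sport == 443 and p.dport >= 1024

def stateful_allow(table, p):
    """table maps (client, cport, server, sport) -> [state, last_seen]."""
    outbound = p.src.startswith(INSIDE)
    key = (p.src, p.sport, p.dst, p.dport) if outbound else (p.dst, p.dport, p.src, p.sport)
    entry = table.get(key)
    if entry and p.t - entry[1] > IDLE_TIMEOUT:       # idle entry has expired
        del table[key]
        entry = None
    if entry is None:                                 # only an outbound SYN creates state
        if outbound and p.dport == 443 and p.flags == {"SYN"}:
            table[key] = ["SYN_SENT", p.t]
            return True
        return False
    if entry[0] == "CLOSING":                         # marked for deletion: reject
        return False
    if entry[0] == "SYN_SENT" and not outbound:
        if p.flags != {"SYN", "ACK"}:
            return False
        entry[0] = "ESTABLISHED"                      # packets seen from both sides
    elif "RST" in p.flags or p.flags >= {"FIN", "ACK"}:
        entry[0] = "CLOSING"                          # this packet passes, later ones do not
    entry[1] = p.t
    return True

def compare(packets):
    table = {}
    return [(stateless_allow(p), stateful_allow(table, p)) for p in packets]

C, S = "10.0.0.5", "203.0.113.10"                     # constructed sample traffic
FLOW = [
    Packet(C, 50000, S, 443, {"SYN"}, 0.0),
    Packet(S, 443, C, 50000, {"SYN", "ACK"}, 0.1),
    Packet(C, 50000, S, 443, {"ACK"}, 0.2),
    Packet(S, 443, C, 50001, {"ACK"}, 1.0),           # matches no tracked connection
    Packet(S, 443, C, 50000, {"FIN", "ACK"}, 2.0),
    Packet(S, 443, C, 50000, {"ACK"}, 3.0),           # arrives after the close
    Packet(C, 50002, S, 443, {"SYN"}, 10.0),
    Packet(S, 443, C, 50002, {"SYN", "ACK"}, 100.0),  # reply after the idle timeout
]
```

`compare(FLOW)` returns one `(stateless, stateful)` verdict per packet: the ACL passes all eight, while the state table rejects the fourth, sixth and eighth.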
Differences between Stateless and Stateful firewalls:

| No. | Stateless Packet Filtering Firewalls | Stateful Packet Filtering Firewalls |
|---|---|---|
| 1. | The stateless firewalls are designed to protect networks based on static information such as source and destination. | Stateful firewalls filter packets based on the full context of the connection. |
| 2. | It uses some predefined packet filtering rules, and the packets are judged based on them. If a packet conforms to the predefined rules, it is considered to be “safe” and allowed to pass through. If the conditions are not met, the packet is considered to be “unidentified” or “malicious” and it will be blocked. | It uses the concept of a state table where it stores the state of legitimate connections. Stateless firewall filters are only based on header information in a packet, but a stateful firewall filter inspects everything inside data packets, the characteristics of the data, and its channels of communication. |
| 3. | Less secure than stateful firewalls. | Stateful firewalls are more secure. |
| 4. | Cheaper or cost-efficient. | Expensive as compared to a stateless firewall. |
| 5. | Faster than a stateful packet filtering firewall. | Slower in speed when compared to a stateless firewall. |
| 6. | For small businesses, a stateless firewall could be a better option, as they face fewer threats and also have a limited budget in hand. | For larger enterprises, a stateful firewall would be a smarter option, as they have larger outgoing traffic that needs monitoring and enough money to afford it. Stateful firewalls offer dynamic packet filtering, so they can provide a thick security layer to mitigate attacks. |
Note: A firewall can be either stateful or stateless but never both.