Stateful vs. Stateless Firewalls: A Comprehensive Comparison

Ehsan Ghasisin
10 minute read

This article will discuss the differences between stateful vs. stateless firewalls, highlighting their unique roles and mechanisms within network security. Specifically, we will delve into the analysis of state tables, packet filtering processes, and attack mitigation techniques to provide a comprehensive understanding of how these firewalls function to secure network environments.

In increasingly complex networks, security is crucial. Stateful and stateless firewalls play an important role in protecting digital infrastructure from a wide range of cyber threats. With the expansion and complexity of networks, these firewalls are becoming increasingly vital in maintaining the confidentiality, integrity, and availability of networked resources.

What is the state of a connection?

The state of a connection refers to the current condition of a link established between two network endpoints. In networking, particularly in firewalls and packet filtering, understanding the state of connections is crucial for managing network traffic. The state of a connection is described by a set of parameters, which may include:

1. Source and Destination Addresses

2. Port Numbers

3. Protocol (TCP/UDP)

4. Connection Establishment Phase

5. Connection Termination

6. Sequence Numbers (TCP only)

For example, a stateful firewall maintains a table of active network connections, tracking the stateful information associated with each connection. By analyzing this information, the firewall can enforce security policies based on the context of the traffic flow. It can identify authorized traffic from established connections and differentiate these from unauthorized attempts.

Exploring the capabilities of stateful vs. stateless firewalls further, let’s examine how stateless firewalls operate within network security frameworks.

Stateless Firewalls

Not all firewalls are designed to handle complex security functions; stateless models, for example, lack the advanced features found in their stateful counterparts.

A stateless firewall is a network security device or software that filters and controls network traffic based on predetermined rules without keeping any information about the state or context of active connections. Essentially, it evaluates each packet without considering its relationship to previous or subsequent packets.

Here are the key characteristics and features of stateless firewalls:

1. Packet Filtering:

· Stateless firewalls filter packets of data as they pass through the firewall based on predefined criteria such as source and destination IP addresses, port numbers, and protocols. Stateless firewalls operate at layers 3 and 4 (network and transport) of the OSI model.

· They decide whether to permit or deny packets based only on these static rules without considering the packet's position within a broader communication session.

2. Simplicity and Speed:

· Because stateless firewalls do not track or maintain connection state information, they are simpler and faster than their stateful counterparts. They also do not track the state of active sessions or provide the additional security features that stateful firewalls offer.

· Stateless firewalls filter incoming and outgoing traffic on a packet-by-packet basis. Therefore, they can process network traffic quickly and efficiently, making them suitable for environments where high throughput and minimal latency are priorities.

3. Lack of Context Awareness:

· One limitation of stateless firewalls is their lack of context awareness. Because they do not keep state information about active connections, they cannot differentiate between legitimate packets belonging to established connections and potentially malicious traffic attempting to initiate unauthorized connections.

Stateless firewalls offer simple and efficient packet filtering based on static rules, but they lack the context awareness and robust attack prevention of stateful firewalls.
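The limitation described above is easiest to see in code. The following is an added example, not code from the original article: a minimal first-match packet filter that, like a stateless firewall, sees only the layer 3/4 header fields of one packet at a time. The rule set, the internal host 172.16.10.200 and the web server 212.82.116.204 are taken from the sample table later in the article; the address 203.0.113.9 and the port numbers are constructed for the demonstration. To let the internal host browse the web, the filter has to accept return packets from source port 80 with a second static rule, and that same rule also accepts an unsolicited packet that merely carries source port 80.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """Header fields a stateless filter looks at (layers 3 and 4 only)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str          # "tcp" or "udp"
    flags: str = ""     # TCP flags such as "S", "SA", "A"; the static rules ignore them


@dataclass(frozen=True)
class Rule:
    """One static rule. A field left as None matches any value."""
    action: str                     # "allow" or "deny"
    proto: Optional[str] = None
    src_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return all(
            want is None or want == got
            for want, got in (
                (self.proto, pkt.proto),
                (self.src_ip, pkt.src_ip),
                (self.src_port, pkt.src_port),
                (self.dst_ip, pkt.dst_ip),
                (self.dst_port, pkt.dst_port),
            )
        )


def stateless_decide(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; implicit deny when nothing matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed rule set: let the internal host reach web servers on port 80.
# With no state table, the replies must be admitted by a second static rule
# that accepts anything arriving from source port 80.
WEB_RULES = [
    Rule("allow", proto="tcp", src_ip="172.16.10.200", dst_port=80),
    Rule("allow", proto="tcp", dst_ip="172.16.10.200", src_port=80),
]


def demo() -> dict:
    outbound = Packet("172.16.10.200", 51514, "212.82.116.204", 80, "tcp", "S")
    reply = Packet("212.82.116.204", 80, "172.16.10.200", 51514, "tcp", "SA")
    # Constructed unsolicited inbound packet to port 22 that only sets source port 80.
    unsolicited = Packet("203.0.113.9", 80, "172.16.10.200", 22, "tcp", "S")
    return {
        "outbound": stateless_decide(WEB_RULES, outbound),
        "reply": stateless_decide(WEB_RULES, reply),
        "unsolicited": stateless_decide(WEB_RULES, unsolicited),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} -> {verdict}")
```

The third verdict is the point: the filter cannot tell a reply to a connection the inside host opened from a packet nobody asked for, because it never recorded that the outbound SYN happened. A stateful firewall closes this gap by creating a table entry on the SYN and admitting only packets that match it.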

Stateful Firewalls

Let’s dive deeper into the stateful vs. stateless firewall comparison. A stateful firewall is a network security device or software that monitors and controls network traffic by maintaining awareness of the state or context of active connections. In addition to monitoring network flows, stateful firewalls also inspect traffic dynamically, allowing for real-time threat detection and mitigation. Unlike stateless firewalls, which evaluate each packet in isolation, stateful firewalls track the state of connections and use this information to make more informed decisions about allowing or denying traffic.

Here are the key characteristics and features of stateful firewalls:

1. Connection Tracking:

· Stateful firewalls keep a state table or connection table that records information about active connections passing through the firewall. This includes source and destination endpoints, port numbers, protocol types, connection states (e.g., NEW, ESTABLISHED, RELATED), and timestamps.

· By tracking the state of connections, stateful firewalls can distinguish between legitimate packets belonging to established connections and new connection attempts, thereby enhancing security and reducing the risk of unauthorized access.

2. Stateful Packet Inspection (SPI):

· Stateful firewalls perform stateful packet inspection, which involves analyzing network packets' headers and payloads to determine their relationship to active connections.

· Stateful firewalls use the information stored in the connection table to determine whether a packet belongs to an established connection or is part of a new connection attempt.

3. Granular Access Control:

· Stateful firewalls enable administrators to define granular access control policies based on various network traffic attributes. These policies might include rules to allow or block traffic based on source locations, port numbers, protocols, and connection status.

4. Dynamic Filtering Rules:

· Stateful firewalls dynamically adjust their filtering rules based on changes in active connections and network traffic patterns. For example, as new connections are established or terminated, the firewall updates its connection table and adjusts its filtering rules accordingly.

5. Advanced Security Features:

· Many stateful firewalls incorporate advanced security features such as intrusion detection and prevention, application-layer filtering, virtual private network (VPN) support, and malware detection and prevention.

6. Session Establishment and Teardown:

· Stateful firewalls monitor the establishment and teardown of network sessions, such as TCP connections, UDP sessions, and ICMP exchanges. By tracking session establishment and teardown, firewalls can enforce security policies and prevent unauthorized access to network resources.

· When a connection is initiated and allowed through the firewall, the firewall creates a state table entry to track the connection's state. When the connection is no longer needed or reaches its natural conclusion, such as when the session is terminated by one of the parties involved, the firewall tears down or removes the corresponding entry from its state table.

7. Protocol Analysis:

· Stateful firewalls analyze the headers and payloads of packets to identify the protocols and applications they belong to. By understanding the protocols used in network communication, firewalls can enforce protocol-specific security policies and detect anomalous behavior or protocol violations.

8. Behavioral Analysis:

· Stateful firewalls may employ behavioral analysis techniques to detect suspicious or malicious behavior within network traffic. Behavioral analysis involves monitoring network activity patterns, such as traffic volume, frequency of connections, and communication patterns, to identify potential threats or anomalies.
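As an added example of the behavioral analysis just described (not code from the original article), the following routine scans a constructed log of NEW-connection events, the kind of record a stateful firewall's connection table produces, and flags any source that opens more than a threshold number of new connections inside a sliding time window. The log lines, hosts, timestamps, window length and threshold are all constructed for the demonstration; the detection logic is a generic sliding-window rate check rather than any particular vendor's implementation.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, Iterator, Tuple

# Constructed sample of NEW-connection events taken from a connection table:
# timestamp, source IP, destination IP, destination port.
# 172.16.10.200 opens six connections to one host within four seconds.
NEW_CONNECTION_EVENTS = """\
2024-05-01T10:00:00 172.16.10.200 212.82.116.204 80
2024-05-01T10:00:02 172.16.10.201 212.82.116.204 443
2024-05-01T10:00:05 172.16.10.200 212.82.116.204 443
2024-05-01T10:00:20 172.16.10.200 203.0.113.10 22
2024-05-01T10:00:21 172.16.10.200 203.0.113.10 23
2024-05-01T10:00:21 172.16.10.200 203.0.113.10 25
2024-05-01T10:00:22 172.16.10.200 203.0.113.10 80
2024-05-01T10:00:22 172.16.10.200 203.0.113.10 135
2024-05-01T10:00:23 172.16.10.200 203.0.113.10 445
2024-05-01T10:00:40 172.16.10.201 212.82.116.204 80
"""

Event = Tuple[datetime, str, str, int]


def parse_events(text: str) -> Iterator[Event]:
    """Parse one whitespace-separated event per line; blank lines are skipped."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port)


def connection_rate_alerts(
    events: Iterable[Event],
    window: timedelta = timedelta(seconds=10),
    threshold: int = 5,
) -> Dict[str, Tuple[datetime, int]]:
    """Flag each source the first time it opens more than `threshold` new
    connections within any `window`-long sliding interval.
    Returns {source_ip: (time of alert, connections in window at that moment)}."""
    recent: Dict[str, deque] = defaultdict(deque)   # per-source timestamps inside the window
    alerts: Dict[str, Tuple[datetime, int]] = {}
    for ts, src, _dst, _port in sorted(events):      # process in time order
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:              # evict timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold and src not in alerts:
            alerts[src] = (ts, len(q))
    return alerts


if __name__ == "__main__":
    for src, (when, count) in connection_rate_alerts(parse_events(NEW_CONNECTION_EVENTS)).items():
        print(f"{when.isoformat()} {src}: {count} new connections within 10s")
```

The window and threshold are the tunable part: they should be set from a baseline of normal connection frequency for the network segment, since a busy server or a monitoring host will legitimately exceed a threshold chosen for end-user workstations.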

Stateful vs. Stateless Firewalls: How TCP and UDP Connections Are Handled Differently

1. TCP Connection Establishment (Three-Way Handshake):

When a stateful firewall encounters the initial SYN packet of a TCP connection, it creates a state table entry to track the connection. It allows the SYN packet to pass through based on its filtering or policy rules.

Upon receiving the SYN-ACK response from the destination, the firewall updates the state table with the connection's state. Once the firewall receives the final ACK packet, it considers the TCP connection established and updates the state table accordingly.

Throughout this process, the stateful firewall inspects each packet to ensure it conforms to the expected sequence of the three-way handshake. Any deviation may trigger security rules or alerts.

2. UDP Packet Filtering:

UDP is a connectionless protocol, meaning there's no handshake like TCP's three-way handshake. When a UDP packet arrives at the firewall, it examines the packet header and payload to determine its source, destination, and whether it matches any filtering rules.

Unlike TCP, UDP does not have a concept of connection tracking. Each packet is treated independently. The firewall may apply filtering rules based on criteria such as source IP addresses, destination ports, and payload contents. Filtering decisions for UDP packets are typically based on more straightforward criteria than those for TCP, as there is no need to track stateful information or session establishment.
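The connection-tracking, session-teardown and handshake behaviour described in the stateful firewall section and in the two items above can be put together in one small model. The following is an added example, not code from the original article and not any vendor's implementation: a state table keyed by the 5-tuple of the side that opened the connection, which admits a new TCP flow only for a bare SYN permitted by the static policy, advances the entry through SYN-ACK and ACK, drops packets that deviate from that sequence or match no entry, removes the entry on RST or after an orderly FIN exchange, and passes UDP straight to the static rules as the text describes. The policy, the hosts (172.16.10.200 and 212.82.116.204 from the sample table, 203.0.113.9 and 172.16.10.1 constructed) and the port numbers are all assumptions made for the demonstration; the state names mirror the TCP ones loosely and a real firewall also ages entries out by timestamp, which is omitted here.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str                        # "tcp" or "udp"
    flags: frozenset = frozenset()    # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}


Key = Tuple[str, int, str, int, str]  # 5-tuple of the side that opened the connection

# Three-way handshake as the firewall expects to see it:
# state before -> (flags the next packet must carry, direction it must travel, state after)
HANDSHAKE = {
    "SYN_SENT":     ({"SYN", "ACK"}, "reply",   "SYN_RECEIVED"),  # server answers the SYN
    "SYN_RECEIVED": ({"ACK"},        "forward", "ESTABLISHED"),   # client completes the handshake
}


class StatefulFirewall:
    """Minimal state table; `allow_new` is the static policy consulted for new flows."""

    def __init__(self, allow_new: Callable[[Packet], bool]):
        self.allow_new = allow_new
        self.table: Dict[Key, str] = {}   # 5-tuple -> connection state

    @staticmethod
    def _key(p: Packet) -> Key:
        return (p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto)

    @staticmethod
    def _reply_key(p: Packet) -> Key:
        return (p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto)

    def process(self, p: Packet) -> str:
        if p.proto == "udp":
            # No handshake to track: UDP is decided by the static rules alone.
            return "allow" if self.allow_new(p) else "drop"
        fwd, rev = self._key(p), self._reply_key(p)
        if fwd in self.table:
            return self._advance(fwd, p, "forward")
        if rev in self.table:
            return self._advance(rev, p, "reply")
        # No entry yet: only a bare SYN that the policy permits may create one.
        if p.flags == {"SYN"} and self.allow_new(p):
            self.table[fwd] = "SYN_SENT"
            return "allow"
        return "drop"   # unsolicited packet (lone ACK, SYN-ACK, ...) with no matching entry

    def _advance(self, key: Key, p: Packet, direction: str) -> str:
        state = self.table[key]
        if "RST" in p.flags:                # abortive teardown: entry removed at once
            del self.table[key]
            return "allow"
        if state in HANDSHAKE:
            need_flags, need_dir, next_state = HANDSHAKE[state]
            if p.flags == need_flags and direction == need_dir:
                self.table[key] = next_state
                return "allow"
            return "drop"                   # deviation from the expected handshake sequence
        # ESTABLISHED / FIN_WAIT / LAST_ACK: data flows both ways; a fresh SYN does not belong
        if "SYN" in p.flags:
            return "drop"
        if "FIN" in p.flags:                # orderly close: first FIN, then the peer's FIN
            self.table[key] = "FIN_WAIT" if state == "ESTABLISHED" else "LAST_ACK"
        elif state == "LAST_ACK":           # the ACK answering the second FIN ends the session
            del self.table[key]
        return "allow"


# Constructed policy: only the internal host 172.16.10.200 may open flows, and only
# to TCP port 80 or UDP port 53.
def policy(p: Packet) -> bool:
    return p.src_ip == "172.16.10.200" and (p.proto, p.dst_port) in {("tcp", 80), ("udp", 53)}


def run_demo() -> Tuple[List[Tuple[str, str]], Dict[Key, str]]:
    fw = StatefulFirewall(policy)
    client, server = ("172.16.10.200", 51514), ("212.82.116.204", 80)

    def tcp(a, b, *flags):
        return Packet(a[0], a[1], b[0], b[1], "tcp", frozenset(flags))

    trace = [
        ("client SYN",      fw.process(tcp(client, server, "SYN"))),
        ("server SYN-ACK",  fw.process(tcp(server, client, "SYN", "ACK"))),
        ("client ACK",      fw.process(tcp(client, server, "ACK"))),
        ("server data",     fw.process(tcp(server, client, "ACK"))),
        ("stray SYN-ACK",   fw.process(tcp(("203.0.113.9", 80), client, "SYN", "ACK"))),
        ("stray ACK to 22", fw.process(tcp(("203.0.113.9", 4444), ("172.16.10.200", 22), "ACK"))),
        ("DNS query (udp)", fw.process(Packet("172.16.10.200", 40000, "172.16.10.1", 53, "udp"))),
        ("client FIN",      fw.process(tcp(client, server, "FIN", "ACK"))),
        ("server FIN",      fw.process(tcp(server, client, "FIN", "ACK"))),
        ("client last ACK", fw.process(tcp(client, server, "ACK"))),
    ]
    return trace, dict(fw.table)


if __name__ == "__main__":
    trace, table = run_demo()
    for name, verdict in trace:
        print(f"{name:16s} -> {verdict}")
    print("state table after close:", table)
```

Two things the trace makes visible that the prose only states: the two stray packets are dropped even though a static rule admitting "replies from port 80" would have passed the first of them, and after the FIN exchange the table is empty again, which is the teardown step from the session establishment and teardown item above.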

Here is a sample of a stateful firewall table:

Source IP        Source Port   Destination IP    Destination Port   Connection State
172.16.10.200    any           212.82.116.204    80                 SYN

Stateful Firewall Hardware

Stateful firewalls typically use specialized processors and coprocessors that are optimized for network packet processing and security tasks. The choice of processor and coprocessor depends on factors such as performance requirements, scalability, power efficiency, throughput, delay, and cost considerations. Here are some common types of processors and coprocessors used in stateful firewalls:

1. General-Purpose Processors (CPUs): Stateful firewalls utilize general-purpose CPUs, such as x86 or ARM processors, for their flexibility and programmability. CPUs handle packet parsing, protocol analysis, security policy enforcement, and management functions. They work on the hardware control plane. Multi-core CPUs are often employed to handle concurrent processing of multiple packets and tasks, improving overall throughput and performance.

2. Network Processors: Network processors are specialized chips explicitly designed for packet processing and networking tasks. These processors often feature multiple processing cores optimized for packet forwarding, routing, and protocol handling. Network processors can offload packet processing tasks from the main CPU, improving overall performance and efficiency. Examples of network processor architectures include Intel's IXP and Cavium's OCTEON.

3. ASICs (Application-Specific Integrated Circuits): ASICs are custom-designed integrated circuits tailored for specific applications, such as packet processing and security. Stateful firewalls may incorporate ASICs to accelerate critical functions like packet filtering, encryption/decryption, and hashing. ASICs offer high performance and low latency but lack the flexibility of general-purpose processors. Some ASIC-based firewalls combine ASICs with general-purpose CPUs to balance performance and flexibility.

4. FPGAs (Field-Programmable Gate Arrays): FPGAs are programmable integrated circuits that can be configured to perform custom logic functions. Stateful firewalls may leverage FPGAs to implement specialized packet processing and security algorithms. FPGAs offer flexibility and reconfigurability, allowing hardware acceleration of specific tasks without needing custom ASIC development. FPGAs can be used with CPUs or ASICs to offload particular processing tasks.

5. Security Coprocessors: Some stateful firewalls incorporate dedicated security coprocessors or security processing units (SPUs) to accelerate cryptographic operations, such as encryption, decryption, and authentication. These coprocessors are optimized for security algorithms and cryptographic protocols, improving performance and reducing CPU and NPU overhead. Security coprocessors enhance the firewall's ability to handle encrypted traffic and enforce security policies without sacrificing performance.

Key Takeaways to Consider When Selecting a Firewall

In the framework of stateful vs. stateless firewalls, stateful firewalls provide advanced security capabilities by maintaining awareness of connection states and using this information to enforce access control policies and analyze network traffic. They offer granular control over network communication, enhance security posture, and mitigate risks associated with unauthorized access and cyber threats.

On the other hand, stateless firewalls are commonly used in environments where simple packet filtering based on predefined rules is sufficient for network security.

They operate at the network and transport layers, examining each data packet without maintaining session state. Typical uses include filtering traffic between network segments or VLANs based on simple criteria such as source and destination IP addresses, simple ACLs on routers and switches that deny access to those devices, and perimeter defenses that block well-known ports such as TCP/UDP 135 or the SQL port.

If you want to consider other features after making this initial decision, read our article "Top Features to Consider When Buying an NGFW Firewall".
