Stateful firewalls intercept packets at the network layer and then derive and analyze data from all communication layers to improve security. Information about connection state and other contextual data is stored and dynamically updated. This provides valuable context when evaluating future communication attempts.
Computers use well-defined protocols to communicate over local networks and the Internet. These include lower-layer transport protocols, such as TCP and UDP, and higher, application-layer protocols, such as HTTP and FTP.
Stateful firewalls inspect network packets and track the state of each connection using what is known about the protocols in use on that connection. For instance, TCP is a connection-oriented protocol that uses acknowledgements and error checking to ensure packet delivery.
A TCP connection between a client and a server starts with a three-way handshake. The client sends a packet with the SYN (synchronize) flag set. The server, receiving this packet, understands it as an attempt to establish a connection and replies with a packet that has both the SYN and ACK (acknowledge) flags set. When the client receives this packet, it replies with an ACK, and communication over the connection can begin.
This handshake is the start of a connection that higher-layer protocols then use to exchange data. For instance, the client's browser may use the established TCP connection to carry an HTTP GET request for the content of a web page.
Once the handshake completes, the connection is said to be established. At the end of the connection, the client and server tear it down using protocol flags such as FIN (finish). As the connection moves from opening to established to closed, a stateful firewall stores the state and context information in tables and updates it dynamically as the communication progresses. The information stored in the state tables provides cumulative data that can be used to evaluate future packets and connection attempts.
For stateless protocols such as UDP, a stateful firewall creates and stores context data that does not exist within the protocol itself. This allows the firewall to track a virtual connection on top of the UDP traffic, rather than treating each request and response packet between a client and server application as an individual, unrelated communication.
FTP sessions use more than one connection: one is a command connection, and the other is a data connection over which the file data passes.
Stateful firewalls examine the FTP command connection for requests from the client to the server. For instance, the client may create a data connection using an FTP PORT command. This packet contains the port number of the data connection, which a stateful firewall will extract and save in a table along with the client and server IP addresses and server port.
When the data connection is established, it should use the IP addresses and ports contained in this connection table. A stateful firewall will use this data to verify that any FTP data connection attempt is in response to a valid request. Once the connection is closed, the record is removed from the table and the ports are blocked, preventing unauthorized traffic.
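As an added example, not code from the page or from Check Point, the following Python sketch of an FTP helper shows the bookkeeping the paragraphs above describe: it decodes a PORT command seen on the command connection, records the client address and port together with the server's address and command port, checks a later data-connection attempt against that record, and removes the record when the data connection closes. The addresses and port numbers, the use of server port 20 as the source of an active-mode data connection, and the rejection of a PORT command that announces an address other than the client's own are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional, Tuple, Union

# Active-mode FTP: the client sends "PORT h1,h2,h3,h4,p1,p2" on the command connection and
# the server then connects from its data port (assumed to be 20) to the announced address.
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")
FTP_DATA_PORT = 20

def parse_port(line: str) -> Optional[Tuple[str, int]]:
    """Decode a PORT command into (ip, port); None if it is malformed."""
    m = PORT_RE.match(line.strip())
    if m is None:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    port = nums[4] * 256 + nums[5]
    return (".".join(map(str, nums[:4])), port) if port > 0 else None

class FtpHelper:
    def __init__(self) -> None:
        # (server_ip, client_ip, client_data_port) -> server command port the PORT was seen on
        self.expected: Dict[Tuple[str, str, int], int] = {}

    def observe_command(self, client_ip: str, server_ip: str, server_port: int, line: str) -> bool:
        """Feed one client->server line from the command connection; True if a PORT
        command was accepted and a data-connection record created."""
        parsed = parse_port(line)
        if parsed is None:
            return False
        ip, port = parsed
        if ip != client_ip:              # assumed hardening: only the client's own address is honoured
            return False
        self.expected[(server_ip, client_ip, port)] = server_port
        return True

    def check_data_connection(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> str:
        """Verdict for a new connection attempt that is not on the command connection."""
        if src_port == FTP_DATA_PORT and (src_ip, dst_ip, dst_port) in self.expected:
            return "ACCEPT"
        return "DROP"

    def data_connection_closed(self, server_ip: str, client_ip: str, client_port: int) -> None:
        """Drop the record once the transfer ends so the port is blocked again."""
        self.expected.pop((server_ip, client_ip, client_port), None)

def demo() -> List[Union[bool, str]]:
    h = FtpHelper()
    C, S = "10.0.0.5", "203.0.113.21"          # constructed client and server addresses
    out: List[Union[bool, str]] = []
    out.append(h.observe_command(C, S, 21, "PORT 10,0,0,5,156,64\r\n"))   # client announces 10.0.0.5:40000
    out.append(h.check_data_connection(S, 20, C, 40000))                  # server opens the data connection
    h.data_connection_closed(S, C, 40000)
    out.append(h.check_data_connection(S, 20, C, 40000))                  # after close: blocked again
    out.append(h.observe_command(C, S, 21, "PORT 192,0,2,9,0,80\r\n"))    # address is not the client's
    out.append(h.check_data_connection(S, 20, "192.0.2.9", 80))           # no record was created
    out.append(h.check_data_connection("198.51.100.7", 20, C, 40000))     # different server, no record
    return out
```

The verdict list from `demo()` shows the record being honoured once, the same attempt blocked after the close, and no record at all for the PORT command whose address did not match the client. In a real product this helper sits beside the generic TCP state table, which still has to see the data connection's own handshake before any packets flow on it.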
A stateless firewall evaluates each packet on an individual basis. It can inspect the source and destination IP addresses and ports of a packet and filter it based on simple access control lists (ACLs). For example, a stateless firewall can implement a "default deny" policy for most inbound traffic, only allowing connections to particular systems, such as web and email servers: for instance, allowing connections to specific IP addresses on TCP ports 80 (HTTP) and 443 (HTTPS) for web and on TCP port 25 (SMTP) for email.
Stateful firewalls, on the other hand, track and examine a connection as a whole. They follow the current state of stateful protocols such as TCP and create a virtual connection overlay for stateless protocols such as UDP.
Stateful firewalls have the same capabilities as stateless ones but can also dynamically detect and allow application traffic, such as FTP data connections, that stateless ones could not safely permit. Stateless firewalls are not application aware: they cannot understand the context of a given communication.
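As an added example, not code from the page or from Check Point, the following Python models the TCP handshake and teardown tracking and the UDP virtual connection described earlier on this page, and puts a stateless ACL beside the stateful table so the difference drawn in the comparison above is visible on one and the same packet trace. The packet trace, the addresses, the 30-second UDP idle timeout, the internal network and the inbound policy are all constructed for the example; a real stateful firewall also checks sequence numbers and tracks many more states than this sketch.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

@dataclass
class Packet:
    proto: str                              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str] = frozenset()     # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}
    ts: float = 0.0                         # arrival time in seconds (drives UDP timeouts)

@dataclass
class Entry:
    state: str                              # SYN_SENT, SYN_RECV, ESTABLISHED, FIN_WAIT or UDP
    initiator: str                          # IP of the host that opened the connection
    last_seen: float

INTERNAL = {"10.0.0.5"}                     # assumed: hosts behind the firewall
INBOUND_SERVICES = {("10.0.0.5", 443)}      # assumed: the only service reachable from outside
UDP_TIMEOUT = 30.0                          # assumed: idle seconds after which a UDP flow expires

def policy_allows_new(p: Packet) -> bool:
    """Who may open a connection: internal hosts outbound, anyone inbound to listed services."""
    return p.src in INTERNAL or (p.dst, p.dport) in INBOUND_SERVICES

def stateless_acl(p: Packet) -> str:
    # No memory: replies can only be admitted by "from a service port, to an internal host".
    looks_like_reply = p.dst in INTERNAL and p.sport in (53, 80, 443)
    return "ACCEPT" if policy_allows_new(p) or looks_like_reply else "DROP"

class StatefulFirewall:
    def __init__(self) -> None:
        self.table: Dict[tuple, Entry] = {}

    @staticmethod
    def key(p: Packet) -> tuple:
        ends = sorted([(p.src, p.sport), (p.dst, p.dport)])   # same key for both directions
        return (p.proto, ends[0], ends[1])

    def process(self, p: Packet) -> str:
        k = self.key(p)
        e = self.table.get(k)
        return self._tcp(p, k, e) if p.proto == "tcp" else self._udp(p, k, e)

    def _tcp(self, p: Packet, k: tuple, e: Optional[Entry]) -> str:
        f = p.flags
        if e is None:
            # Only a bare SYN permitted by policy creates an entry; anything else with no entry is dropped.
            if f == {"SYN"} and policy_allows_new(p):
                self.table[k] = Entry("SYN_SENT", p.src, p.ts)
                return "ACCEPT"
            return "DROP"
        from_initiator = p.src == e.initiator
        e.last_seen = p.ts
        if "RST" in f or (e.state == "FIN_WAIT" and "FIN" in f):
            del self.table[k]                   # reset, or second FIN: connection torn down
        elif e.state == "SYN_SENT" and from_initiator and f == {"SYN"}:
            pass                                # retransmitted SYN
        elif e.state == "SYN_SENT" and not from_initiator and f == {"SYN", "ACK"}:
            e.state = "SYN_RECV"
        elif e.state == "SYN_RECV" and from_initiator and "ACK" in f:
            e.state = "ESTABLISHED"
        elif e.state == "ESTABLISHED" and "FIN" in f:
            e.state = "FIN_WAIT"                # first FIN seen
        elif e.state in ("ESTABLISHED", "FIN_WAIT"):
            pass                                # ordinary data or ACK inside the connection
        else:
            return "DROP"                       # flags inconsistent with the tracked state
        return "ACCEPT"

    def _udp(self, p: Packet, k: tuple, e: Optional[Entry]) -> str:
        # No handshake to follow: a virtual connection stays alive for UDP_TIMEOUT idle seconds.
        if e is not None and p.ts - e.last_seen <= UDP_TIMEOUT:
            e.last_seen = p.ts
            return "ACCEPT"
        self.table.pop(k, None)                 # discard an expired entry, if any
        if policy_allows_new(p):
            self.table[k] = Entry("UDP", p.src, p.ts)
            return "ACCEPT"
        return "DROP"

def demo() -> Tuple[List[str], List[str], int]:
    # Returns (stateful verdicts, stateless verdicts, entries left in the stateful table).
    sf = StatefulFirewall()
    C, S, DNS, X = "10.0.0.5", "203.0.113.10", "203.0.113.53", "198.51.100.7"
    trace = [
        Packet("tcp", C, 40000, S, 80, frozenset({"SYN"}), 1.0),          # three-way handshake
        Packet("tcp", S, 80, C, 40000, frozenset({"SYN", "ACK"}), 1.1),
        Packet("tcp", C, 40000, S, 80, frozenset({"ACK"}), 1.2),
        Packet("tcp", C, 40000, S, 80, frozenset({"PSH", "ACK"}), 1.3),   # HTTP GET
        Packet("tcp", C, 40000, S, 80, frozenset({"FIN", "ACK"}), 2.0),   # teardown
        Packet("tcp", S, 80, C, 40000, frozenset({"FIN", "ACK"}), 2.1),
        Packet("tcp", X, 80, C, 40001, frozenset({"ACK"}), 3.0),          # unsolicited "reply"
        Packet("udp", C, 5353, DNS, 53, ts=10.0),                         # DNS query
        Packet("udp", DNS, 53, C, 5353, ts=10.1),                         # DNS reply
        Packet("udp", DNS, 53, C, 5353, ts=100.0),                        # same tuple, 90 s later
    ]
    return [sf.process(p) for p in trace], [stateless_acl(p) for p in trace], len(sf.table)
```

Running `demo()` makes the comparison concrete: the stateless ACL has to admit anything that looks like a reply from a service port to an internal host, so the unsolicited ACK from 198.51.100.7 gets through, whereas the stateful table drops it because no entry exists and the packet is not a SYN. The same table accepts the DNS reply that arrives within the timeout and drops the one that arrives 90 seconds later, because the virtual UDP connection has expired, and after the two FINs the TCP entry is gone, so the table is empty at the end of the trace.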
The Check Point stateful firewall is integrated into the networking stack of the operating system kernel. It sits at the lowest software layer between the physical network interface card (Layer 2) and the lowest layer of the network protocol stack, typically IP.
By inserting itself between the physical and software components of a system’s networking stack, the Check Point stateful firewall ensures that it has full visibility into all traffic entering and leaving the system. No packet is processed by any of the higher protocol stack layers until the firewall first verifies that the packet complies with the network security access control policy.
The Check Point stateful firewall provides a number of valuable benefits, including:
Check Point's next-generation firewalls (NGFWs) integrate the features of a stateful firewall with other essential network security functionality. To learn more about what to look for in an NGFW, check out this buyer's guide. You're also welcome to request a free demo to see Check Point's NGFWs in action.