What is a Stateless Firewall?

A stateless firewall is one that doesn’t store information about the current state of a network connection. Instead, it evaluates each packet individually and attempts to determine whether it is authorized or unauthorized based on the data that it contains.


How a Stateless Firewall Works

The goal of a firewall is to limit access to a protected network. A firewall is installed in line with traffic entering and leaving the protected network, allowing it to inspect each inbound or outbound packet. The firewall makes the decision of whether to allow or drop a packet based on its built-in ruleset.

While there are a few different types of firewalls, a stateless firewall is one that evaluates each packet solely based on the data that it contains, normally the packet header. The packet header contains IP addresses, port numbers, and other information that the firewall can use to determine whether or not the packet is authorized.

A firewall may be configured with rules that limit the set of IP addresses permitted to access the protected network or that only permits certain network protocols to enter or leave the network. For example, a stateless firewall may be set up to allow inbound HTTPS connections but block inbound SSH. Similarly, a firewall may be configured to block traffic from certain geographic regions or from known-bad IP addresses.

Stateful vs. Stateless Firewalls

Stateless firewalls are commonly defined in contrast to stateful firewalls. The main difference between these is that stateful firewalls track some information about the current state of an active network connection, while stateless ones do not.

This is significant because it enables stateful firewalls to identify and block seemingly legitimate but malicious traffic. For example, the TCP handshake involves a SYN packet from the client, followed by a SYN/ACK packet from the server, followed by an ACK packet from the client. If an attacker sent an ACK packet to a corporate server that wasn’t in response to a SYN/ACK, a stateful firewall would block it, but a stateless one would not. This means that stateless firewalls will overlook certain types of network scans and other attacks that stateful ones would catch and block.

Pros and Cons of Stateless Firewalls

A stateless firewall is designed to process only packet headers and doesn’t store any state. This provides a few advantages, including the following:

  • Speed: A stateless firewall performs relatively little analysis of network traffic when compared to other types of firewalls. As a result, it might offer lower latency than stateful firewalls.
  • Scalability: Stateless firewalls’ limited processing also improves their scalability. The same hardware may be able to process more connections with a stateless firewall because each packet requires less processing and no per-connection state has to be stored.
  • Cost: Stateless firewalls are less complex than other types of firewalls. As a result, they may be available at a lower price point than more sophisticated firewalls.

However, while a stateless firewall has its advantages, these are balanced by significant disadvantages. Stateless firewalls are unable to detect many common types of attacks, including the following:

  • Out-of-Sequence Packets: Stateless firewalls lack visibility into the current state of a network connection and can’t detect legitimate-looking packets sent deliberately out of sequence. For example, a stateless firewall would be unable to detect many types of TCP scans (ACK, FIN, etc.) or identify a DNS response sent without a corresponding request.
  • Embedded Malware: Stateless firewalls inspect only the headers of network packets, not their contents. This makes it impossible for them to identify if malicious content, such as malware, is contained within a packet’s payload.
  • Application-Layer Attacks: Stateless firewalls’ focus on packet headers also makes them blind to attacks performed at the application layer. For example, the exploitation of web application vulnerabilities or attacks against cloud infrastructure would be invisible to these firewalls.
  • Distributed Denial of Service (DDoS) Attacks: A DDoS attack commonly involves sending a massive volume of spam packets to a target. Since these packets look legitimate and a stateless firewall examines each packet individually, it would miss this type of attack.
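The following simulation is an added example, not code from the original article or from Check Point. It models the two policies described above in a few dozen lines of Python: a header-only rule set (allow inbound HTTPS, block inbound SSH, drop a known-bad source, admit DNS replies) and the same rule set combined with a connection table that only accepts the expected next step of a TCP handshake or a UDP reply that matches an earlier request. Fed a constructed packet trace, it shows why the unsolicited ACK from the handshake example, an ACK or FIN scan and a forged DNS reply all pass the stateless policy but are dropped by the stateful one. All addresses, ports and the packet trace are constructed (RFC 5737 documentation ranges), and `Packet`, `stateless_decision`, `StatefulFirewall` and `compare` are names chosen for this example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed addresses from the RFC 5737 documentation ranges.
PROTECTED_SERVER = "192.0.2.10"   # web server inside the protected network
BLOCKLIST = {"203.0.113.9"}       # stands in for a "known-bad IP" list entry


@dataclass(frozen=True)
class Packet:
    """Only the header fields a firewall can see; no payload is modelled."""
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool                   # True if entering the protected network
    flags: FrozenSet[str] = frozenset()   # TCP flags set, e.g. {"SYN"}


def stateless_decision(pkt: Packet) -> str:
    """Header-only rules with no memory of earlier packets: drop known-bad
    sources, allow inbound HTTPS and DNS replies, drop other inbound traffic
    (which blocks SSH), allow everything outbound."""
    if pkt.src in BLOCKLIST:
        return "drop"
    if not pkt.inbound:
        return "allow"
    if pkt.proto == "tcp" and pkt.dport == 443:
        return "allow"
    if pkt.proto == "udp" and pkt.sport == 53:
        return "allow"              # needed so the server's own lookups get answers
    return "drop"


Key = Tuple[str, int, str, int]


def _initiator_key(pkt: Packet, reply: bool) -> Key:
    """Normalise a packet to the 4-tuple as seen from the connection initiator."""
    if reply:
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)
    return (pkt.src, pkt.sport, pkt.dst, pkt.dport)


class StatefulFirewall:
    """Same static policy as stateless_decision, plus a connection table.
    Only inbound-initiated TCP and outbound-initiated UDP are modelled."""

    def __init__(self) -> None:
        self.tcp: Dict[Key, str] = {}        # inbound TCP connections -> state
        self.udp_pending: Set[Key] = set()   # outbound UDP requests awaiting a reply

    def decide(self, pkt: Packet) -> str:
        if stateless_decision(pkt) == "drop":
            return "drop"                    # the static rules still apply first
        return self._tcp(pkt) if pkt.proto == "tcp" else self._udp(pkt)

    def _tcp(self, pkt: Packet) -> str:
        f = pkt.flags
        if pkt.inbound:
            key = _initiator_key(pkt, reply=False)
            state = self.tcp.get(key)
            if f == {"SYN"} and state is None:
                self.tcp[key] = "SYN_RECEIVED"          # handshake step 1
                return "allow"
            if f == {"ACK"} and state == "SYN_ACK_SENT":
                self.tcp[key] = "ESTABLISHED"           # handshake step 3
                return "allow"
            if state == "ESTABLISHED" and "SYN" not in f:
                return "allow"                          # data/FIN/RST on a live connection
            return "drop"            # unsolicited ACK, FIN, RST: no connection to belong to
        key = _initiator_key(pkt, reply=True)
        if f == {"SYN", "ACK"} and self.tcp.get(key) == "SYN_RECEIVED":
            self.tcp[key] = "SYN_ACK_SENT"              # handshake step 2
        return "allow"                                  # outbound is allowed by policy

    def _udp(self, pkt: Packet) -> str:
        if not pkt.inbound:
            self.udp_pending.add(_initiator_key(pkt, reply=False))   # remember the query
            return "allow"
        key = _initiator_key(pkt, reply=True)
        if key in self.udp_pending:
            self.udp_pending.discard(key)                # one reply per request
            return "allow"
        return "drop"                                    # reply with no matching query


CLIENT, SCANNER = "198.51.100.7", "198.51.100.66"
RESOLVER, SPOOFER = "198.51.100.53", "198.51.100.99"
S = PROTECTED_SERVER

# Constructed trace: a normal HTTPS handshake, the probes described in the
# article, a blocked SSH attempt, then a DNS lookup and a forged answer.
TRACE: List[Tuple[str, Packet]] = [
    ("https SYN",        Packet("tcp", CLIENT, 50001, S, 443, True, frozenset({"SYN"}))),
    ("https SYN/ACK",    Packet("tcp", S, 443, CLIENT, 50001, False, frozenset({"SYN", "ACK"}))),
    ("https ACK",        Packet("tcp", CLIENT, 50001, S, 443, True, frozenset({"ACK"}))),
    ("ACK scan",         Packet("tcp", SCANNER, 40000, S, 443, True, frozenset({"ACK"}))),
    ("FIN scan",         Packet("tcp", SCANNER, 40001, S, 443, True, frozenset({"FIN"}))),
    ("ssh SYN",          Packet("tcp", CLIENT, 50002, S, 22, True, frozenset({"SYN"}))),
    ("blocklisted SYN",  Packet("tcp", "203.0.113.9", 50003, S, 443, True, frozenset({"SYN"}))),
    ("dns query",        Packet("udp", S, 33333, RESOLVER, 53, False)),
    ("dns reply",        Packet("udp", RESOLVER, 53, S, 33333, True)),
    ("forged dns reply", Packet("udp", SPOOFER, 53, S, 33333, True)),
]


def compare(trace: List[Tuple[str, Packet]] = TRACE) -> Dict[str, Tuple[str, str]]:
    """Return {label: (stateless verdict, stateful verdict)} for each packet."""
    fw = StatefulFirewall()
    return {label: (stateless_decision(p), fw.decide(p)) for label, p in trace}


if __name__ == "__main__":
    for label, (sl, sf) in compare().items():
        print(f"{label:17} stateless={sl:5} stateful={sf}")
```

Running the trace, both firewalls agree on the genuine handshake, the SSH attempt and the blocklisted source; the stateless policy has to admit every inbound packet addressed to port 443 and every inbound packet with a source port of 53, so the ACK scan, the FIN scan and the forged DNS reply all pass it, while the stateful table drops each of them because no earlier packet makes them an expected next step.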

Stateless firewalls may be more efficient than stateful firewalls. However, they are completely blind to most modern attacks and provide limited value to an organization.

Firewall Security with Check Point

Choosing the right firewall is essential to the success of an organization’s cybersecurity program. For protection against modern threats, the only option is a next-generation firewall (NGFW) that integrates multiple security capabilities for in-depth security visibility and effective threat prevention. Learn more about what to look for in a firewall in this buyer’s guide to NGFWs.

Check Point offers a range of NGFWs designed to suit the unique needs of any organization. To learn more about the capabilities of Check Point NGFWs and identify the right choice for your organization, sign up for a free demo today.
