A stateless firewall is one that doesn’t store information about the current state of a network connection. Instead, it evaluates each packet individually and attempts to determine whether it is authorized or unauthorized based on the data that it contains.
The goal of a firewall is to limit access to a protected network. A firewall is installed in line with traffic entering and leaving the protected network, allowing it to inspect each inbound or outbound packet. The firewall makes the decision of whether to allow or drop a packet based on its built-in ruleset.
While there are a few different types of firewalls, a stateless firewall is one that evaluates each packet solely based on the data that it contains, normally the packet header. The packet header contains IP addresses, port numbers, and other information that the firewall can use to determine whether or not the packet is authorized.
A firewall may be configured with rules that limit the set of IP addresses permitted to access the protected network or that only permits certain network protocols to enter or leave the network. For example, a stateless firewall may be set up to allow inbound HTTPS connections but block inbound SSH. Similarly, a firewall may be configured to block traffic from certain geographic regions or from known-bad IP addresses.
Stateless firewalls are commonly defined in contrast to stateful firewalls. The main difference between these is that stateful firewalls track some information about the current state of an active network connection, while stateless ones do not.
This is significant because it enables stateful firewalls to identify and block seemingly legitimate but malicious traffic. For example, the TCP handshake involves a SYN packet from the client followed by an SYN/ACK packet from the server followed by an ACK packet from the client. If an attacker sent an ACK packet to a corporate server that wasn’t in response to a SYN/ACK, a stateful firewall would block it, but a stateless one would not. This means that stateless firewalls will overlook certain types of network scans and other attacks that stateful ones would catch and block.
A stateless firewall is designed to process only packet headers and doesn’t store any state. This provides a few advantages, including the following:
However, while a stateless firewall has its advantages, these are balanced by significant disadvantages. Stateless firewalls are unable to detect many common types of attacks, including the following:
Stateless firewalls may be more efficient than stateful firewalls. However, they are completely blind to most modern attacks and provide limited value to an organization.
Choosing the right firewall is essential to the success of an organization’s cybersecurity program. For protection against modern threats, the only option is a next-generation firewall (NGFW) that integrates multiple security capabilities for in-depth security visibility and effective threat prevention. Learn more about what to look for in a firewall in this buyer’s guide to NGFWs.
Check Point offers a range of NGFWs designed to suit the unique needs of any organization. To learn more about the capabilities of Check Point NGFWs and identify the right choice for your organization, sign up for a free demo today.
Check Point Next-Gen Firewalls
Hyper-fast Firewall Comparison