Stateful Firewall Fundamentals: A Better, Easier, More Secure Firewall

A stateful firewall is a firewall that monitors the full state of active network connections. This means that stateful firewalls are constantly analyzing the complete context of traffic and data packets, seeking entry to a network rather than discrete traffic and data packets in isolation.

One of the most basic firewall types used in modern networks is the stateful inspection firewall. This type of firewall has long been a standard method used by firewalls to offer a more in-depth inspection method over the previous packet inspection firewall methods (think ACL's). This article takes a look at what a stateful firewall is and how it is used to secure a network while also offering better network usability and easier network firewall configuration.

 

Previous Firewall Methods

To get a better idea of how a stateful firewall works, it is best to take a quick look at how previous firewall methods operated. For many people this previous firewall method is familiar because it can be implemented with common basic Access Control Lists (ACL). When using this method individual holes must be punched through the firewall in each direction to allow traffic to be allowed to pass. Now imagine that there are several services that are used from inside a firewall and on top of that multiple hosts inside the firewall; the configuration can quickly become very complicated and very long.

 

How Stateful Firewall Works

With a stateful firewall these long lines of configuration can be replaced by a firewall that is able to maintain the state of every connection coming through the firewall. Operationally, traffic that needs to go through a firewall is first matched against a firewall rules list (is the packet allowed in the first place?). If the packet type is allowed through the firewall then the stateful part of the process begins.

The easiest example of a stateful firewall utilizes traffic that is using the Transport Control Protocol (TCP). This is because TCP is stateful to begin with. TCP keeps track of its connections through the use of source and destination address, port number and IP flags. A connection will begin with a three way handshake (SYN, SYN-ACK, ACK) and typically end with a two way exchange (FIN, ACK). For a stateful firewall this makes keeping track of the state of a connection rather simple. An initial request for a connection comes in from an inside host (SYN). This will initiate an entry in the firewall's state table. If the destination host returns a packet to set up the connection (SYN, ACK) then the state table reflects this. Finally, the initial host will send the final packet in the connection setup (ACK). This will finalize the state to established. Once a connection is maintained as established communication is freely able to occur between hosts. With TCP, this state entry in the table is maintained as long as the connection remains established (no FIN, ACK exchange) or until a timeout occurs.

The harder part of the operation of a stateful firewall is how it deals with User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP). This is because neither of these protocols is connection-based like TCP. With UDP, the firewall must track state by only using the source and destination address and source and destination port numbers. Of course this is not quite as secure as the state tracking that is possible with TCP but does offer a mechanism that is easier to use and maintain than with ACLs. UDP and ICMP also brings some additional state tracking complications. This is because UDP utilizes ICMP for connection assistance (error handling) and ICMP is inherently one way with many of its operations. ICMP itself can only be truly tracked within a state table for a couple of operations. These operations have built in reply packets, for example, echo and echo-reply. For its other one way operations the firewall must maintain a state of related. This state is used when an ICMP packet is returned in response to an existing UDP state table entry.

 

Summary

The operation of a stateful firewall can be very complex but this internal complexity is what can also make the implementation of a stateful firewall inherently easier. Since the firewall maintains a state table through its operation, the individual configuration entries are not required as would be with an ACL configuration. For main firewalls the only thing that needs to be configured is an internal and external interface; this is commonly used by most people without even noticing it. This is because most home Internet routers implement a stateful firewall by using the internal LAN port as the internal firewall interface and the WAN port as the external firewall interface. This allows traffic to freely flow from the internal interface to the Internet without allowing externally initiated traffic to flow into the internal network. Hopefully, the information discussed here gives a better understanding of how a stateful firewall operates and how it can be used to secure internal networks.

If you're looking to further your skills in this area, check out TrainSignal's training on Cisco CCNA Security.