A stateful packet inspection (SPI) firewall internally tracks the state of current network connections. This enables it to identify anomalous traffic that a firewall without this state-tracking capability would miss.
The original firewalls were stateless systems that decided whether or not to allow an incoming packet to pass based solely on the packet’s headers. They could block traffic to or from certain IP addresses, or traffic using certain network protocols, from entering or leaving the network.
However, these early firewalls lacked the ability to determine whether a packet was valid in the context of an existing, active connection. For example, distributed denial of service (DDoS) amplification attacks send a request with a spoofed source IP address to a legitimate service, which sends its response to the spoofed address, flooding the victim with unwanted incoming traffic. While the contents of this response are valid and may not violate any firewall rule, it is a response without a corresponding request, and that can only be determined with knowledge of past packets.
SPI firewalls internally track the state of network connections based on the source and destination IP addresses and port numbers. This information uniquely identifies a connection and enables the firewall to record its current state.
When the firewall sees a new packet, it looks up the current state of the network connection and determines whether or not the packet is valid in the context of that connection. This additional check — above and beyond the firewall rules used by stateless firewalls — enables it to identify and block different types of attacks such as DDoS amplification attacks, ACK scans, and other malicious traffic that is not valid in context.
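The connection tracking described above, as an added illustration that is not part of the original article and not Check Point product code: a small Python model of an SPI firewall that keys its state table on the source and destination IP addresses and ports, applies a stateless-style rule base only to packets that open a new connection, and drops anything that is not valid in the context of existing state. The protected network (10.0.0.0/8), the packet trace and all addresses in it are constructed for the example; two of the packets are exactly the cases the text names, a reflected UDP response with no matching request and a bare TCP ACK with no connection (an ACK scan).

```python
from ipaddress import ip_address, ip_network

# Assumption for this example: the firewall protects 10.0.0.0/8.
INSIDE = ip_network("10.0.0.0/8")


def pkt(proto, src, sport, dst, dport, flags=""):
    """Build a constructed packet header as a plain dict (flags are TCP only)."""
    return {"proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "flags": flags}


def _is_outbound(p):
    return ip_address(p["src"]) in INSIDE


def _conn_key(p):
    """Map both directions of one flow to the same key:
    (proto, inside_ip, inside_port, outside_ip, outside_port)."""
    if _is_outbound(p):
        return (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])
    return (p["proto"], p["dst"], p["dport"], p["src"], p["sport"])


class StatefulFirewall:
    def __init__(self, inbound_services=()):
        # Rule base a stateless firewall would also have: (proto, port) pairs
        # that outside hosts are permitted to open new connections to.
        self.inbound_services = set(inbound_services)
        # Connection table: key -> {"state": ..., "init_out": initiator was inside}
        self.table = {}

    def _new_allowed(self, p, outbound):
        return outbound or (p["proto"], p["dport"]) in self.inbound_services

    def handle(self, p):
        outbound = _is_outbound(p)
        key = _conn_key(p)
        entry = self.table.get(key)

        if p["proto"] == "udp":
            if entry is None:
                # No request was seen: an unsolicited inbound UDP packet such as
                # a reflected DNS/NTP reply is dropped unless the rule base permits it.
                if not self._new_allowed(p, outbound):
                    return "DROP"
                self.table[key] = {"state": "UDP_OPEN", "init_out": outbound}
            return "ALLOW"

        flags = p["flags"]
        if entry is None:
            # Only a SYN may create TCP state. A bare ACK with no connection
            # (ACK scan) or a stray SYN/ACK never matches and is dropped.
            if flags == "S" and self._new_allowed(p, outbound):
                self.table[key] = {"state": "SYN_SENT", "init_out": outbound}
                return "ALLOW"
            return "DROP"
        if "R" in flags:
            del self.table[key]          # reset tears the connection down
            return "ALLOW"
        if entry["state"] == "SYN_SENT":
            # The SYN/ACK must come from the responder, i.e. the opposite
            # direction from the initiator recorded when the SYN was seen.
            if flags == "SA" and outbound != entry["init_out"]:
                entry["state"] = "ESTABLISHED"
                return "ALLOW"
            return "DROP"
        return "ALLOW"                   # ESTABLISHED: both directions pass


# Constructed trace using documentation address ranges.
TRACE = [
    pkt("udp", "10.0.0.5", 51000, "203.0.113.53", 53),         # outbound DNS query
    pkt("udp", "203.0.113.53", 53, "10.0.0.5", 51000),         # matching reply
    pkt("udp", "203.0.113.80", 53, "10.0.0.9", 40000),         # reflected reply, no query
    pkt("tcp", "198.51.100.2", 45000, "10.0.0.5", 443, "A"),   # ACK scan, no connection
    pkt("tcp", "10.0.0.5", 52000, "192.0.2.10", 443, "S"),     # outbound SYN
    pkt("tcp", "192.0.2.10", 443, "10.0.0.5", 52000, "SA"),    # SYN/ACK from responder
    pkt("tcp", "10.0.0.5", 52000, "192.0.2.10", 443, "A"),     # handshake completes
    pkt("tcp", "198.51.100.2", 45000, "10.0.0.10", 443, "S"),  # inbound SYN to a published service
]


def run_trace(fw, packets):
    """Return the firewall verdict for each packet in order."""
    return [fw.handle(p) for p in packets]


if __name__ == "__main__":
    fw = StatefulFirewall(inbound_services={("tcp", 443)})
    for p, verdict in zip(TRACE, run_trace(fw, TRACE)):
        print(f"{verdict:5} {p['proto']} {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} {p['flags']}")
```

The two DROP verdicts are the ones a stateless filter could not produce: the reflected UDP reply and the ACK-scan probe both have headers that a port-based rule base might permit, and only the absence of a matching table entry exposes them.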
The growth of SaaS applications means that a significant percentage of applications communicate over HTTPS, limiting the effectiveness of port and protocol-based traffic filtering.
SPI firewalls offer certain crucial features and functions to an organization, including:
Firewalls are commonly deployed at the perimeter of the corporate network, dividing internal corporate environments from the public Internet. In some cases, an SPI firewall may incorporate routing functionality and act as a multi-function solution.
When selecting and deploying network firewalls, it’s important to consider your organization’s business needs and required features. Some things to consider include:
Check Point Quantum Force NGFWs offer AI-powered threat prevention capabilities to more quickly and accurately identify and block attempted attacks against an organization’s IT assets. Learn more about what to look for in an NGFW by downloading this buyer’s guide.
With AI-enhanced security and integrated threat intelligence, Quantum Force offers industry-leading threat prevention for data centers, enterprise core, perimeter and branches. To explore Quantum Force’s benefits for your organization’s cybersecurity, request a free demo today.
For securing your Cloud network environments, request a demo of Check Point CloudGuard Network firewall.