Stateful vs. Stateless Firewall

The purpose of a firewall is to manage the types of traffic that can enter and leave a protected network. The firewall sits on the network boundary and inspects all traffic attempting to cross that boundary, both inbound and outbound. Based on its defined ruleset, the firewall will allow or block traffic crossing that boundary.

Firewalls come in a variety of forms and can be classified in a few different ways. Knowing the difference between a small business firewall and an enterprise firewall matters, but there are more fundamental distinctions, such as whether a firewall is stateful or stateless.


What is a Stateful Firewall?

A stateful firewall is a firewall that maintains a “state” or stores information about active network connections. When a connection is opened, the firewall begins tracking it and updates its internal state as new packets are inspected and processed by the firewall.

The ability to maintain state lets the firewall reject packets that look legitimate on their own but do not belong to any connection it knows about. DNS is the classic example. Hosts inside the organization need to resolve names, so outbound DNS queries (UDP to port 53) are allowed, and the answers have to be let back in. A firewall that looks only at the header of an inbound DNS answer sees a UDP packet from the outside with source port 53 addressed to the port the client used, which is exactly what a legitimate answer looks like and also exactly what an attacker can forge.

A DNS answer is only valid if it responds to a query that is still outstanding. A stateful firewall records each outbound query (source and destination address and port) and matches inbound answers against those records. An answer with no corresponding query is unsolicited, and the stateful firewall drops it; a stateless firewall that must admit answers at all has no way to tell the two apart. Because DNS normally runs over UDP, which has no connection handshake, this "state" is a pseudo-connection entry that the firewall expires after a timeout.

What is a Stateless Firewall?

A stateless firewall differs from a stateful one in that it keeps no memory from one packet to the next. Each packet is evaluated on its own, using only the fields in its header: source and destination address, protocol, port numbers and, for TCP, the flags.

This is enough for basic filtering of inbound and outbound traffic. Inspecting a packet's addresses and ports determines whether policy allows it, and packets using protocols that are not permitted to enter or leave the protected network are blocked. The limitation is that the firewall cannot know whether a packet is a reply to something sent earlier: any return traffic it must admit needs its own inbound rule, and any packet an attacker crafts to fit that rule is admitted as well.

The Difference Between Stateful and Stateless Firewalls

Stateful and stateless firewalls differ mainly in that one type tracks state between packets while the other does not. Otherwise, both operate in the same way, inspecting packet headers and using the information they contain to decide whether traffic is permitted by predefined rules. The state maintained by stateful firewalls enables them to identify threats that stateless firewalls cannot.

Some types of attacks use and abuse legitimate packets to achieve their goals, including the following:

  • TCP Scans: Some scans send a TCP packet whose flags only make sense in the middle of an established connection, without the SYN that would start one, and observe the response. ACK and FIN scans are the usual examples.
  • Distributed Denial of Service (DDoS) Attacks: DDoS attacks commonly use well-formed packets. The attack arises from the fact that they are sent in large volumes to overwhelm the target application or system.

In both cases each individual packet is well-formed, so a stateless firewall whose rules admit return traffic will pass it. Recognizing that an ACK or FIN packet belongs to no connection, or that a flood of packets never completes a handshake, requires context that only a stateful firewall has. DDoS is nevertheless a partial exception: the connection table of a stateful firewall is itself a finite resource, and floods such as SYN floods specifically aim to exhaust it, so state tracking helps against volumetric attacks only when it is paired with rate limiting and protection against state-table exhaustion.
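The cases above, worked through as an added example (not Check Point code): a tiny stateless filter and a tiny stateful filter, both applied to the same constructed packet sequence. The DNS answer, the forged answer, the ACK and FIN probes and the SYN flood are all constructed here; the addresses, the two rule sets and the four-entry state table are assumptions chosen to keep the run small.

```python
"""Stateless vs. stateful filtering on a constructed packet sequence.

Added illustration, not Check Point code: packets are plain objects and the
stateful filter keeps a connection table keyed on the 5-tuple, the way Linux
conntrack does (nftables' `ct state established,related accept`).
"""
from dataclasses import dataclass
from typing import Optional


def inside(ip: str) -> bool:
    return ip.startswith("10.")  # assumption: 10.0.0.0/8 is the protected network


@dataclass(frozen=True)
class Packet:
    proto: str                      # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"}, {"ACK"}
    @property
    def direction(self) -> str:
        return "in" if inside(self.dst) and not inside(self.src) else "out"
    @property
    def key(self):        # flow key as seen from the sender
        return (self.proto, self.src, self.sport, self.dst, self.dport)
    @property
    def reply_key(self):  # key a packet of the opposite direction would create
        return (self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class Rule:
    """Matches on header fields only; None means 'any'."""
    direction: str
    proto: str
    dport: Optional[int] = None
    sport: Optional[int] = None
    def matches(self, p: Packet) -> bool:
        return (p.direction == self.direction and p.proto == self.proto
                and self.dport in (None, p.dport) and self.sport in (None, p.sport))


class StatelessFirewall:
    """Every packet judged on its own header; default deny."""
    def __init__(self, rules): self.rules = list(rules)
    def filter(self, p: Packet) -> str:
        return "ACCEPT" if any(r.matches(p) for r in self.rules) else "DROP"


class StatefulFirewall:
    """Rules decide which NEW flows may start; replies are matched to state."""
    def __init__(self, rules, max_entries=4):
        self.rules, self.table, self.max_entries = list(rules), set(), max_entries
    def filter(self, p: Packet) -> str:
        if p.key in self.table or p.reply_key in self.table:
            return "ACCEPT"                      # belongs to a tracked flow
        if p.proto == "tcp" and p.flags != frozenset({"SYN"}):
            return "DROP"                        # ACK/FIN probe: no flow, not a SYN
        if not any(r.matches(p) for r in self.rules):
            return "DROP"
        if len(self.table) >= self.max_entries:
            return "DROP"                        # state table full (see syn_flood)
        self.table.add(p.key)
        return "ACCEPT"


# Stateless: return traffic needs its own inbound rules, which an attacker can
# satisfy by picking the right source port.  Stateful: only the initiating
# direction is listed (plus a published web server); replies ride on state.
STATELESS_RULES = [Rule("out", "udp", dport=53), Rule("in", "udp", sport=53),
                   Rule("out", "tcp", dport=443), Rule("in", "tcp", sport=443)]
STATEFUL_RULES = [Rule("out", "udp", dport=53), Rule("out", "tcp", dport=443),
                  Rule("in", "tcp", dport=80)]


def run_scenario():
    """Returns {label: (stateless verdict, stateful verdict)} for constructed packets."""
    syn, ack, fin = frozenset({"SYN"}), frozenset({"ACK"}), frozenset({"FIN"})
    packets = [
        ("dns query", Packet("udp", "10.0.0.5", 51234, "8.8.8.8", 53)),
        ("dns answer", Packet("udp", "8.8.8.8", 53, "10.0.0.5", 51234)),
        ("spoofed dns answer", Packet("udp", "198.51.100.7", 53, "10.0.0.5", 51234)),
        ("ack scan", Packet("tcp", "198.51.100.7", 443, "10.0.0.5", 1025, ack)),
        ("fin scan", Packet("tcp", "198.51.100.7", 443, "10.0.0.5", 1025, fin)),
        ("outbound syn", Packet("tcp", "10.0.0.5", 40000, "203.0.113.10", 443, syn)),
        ("syn-ack reply", Packet("tcp", "203.0.113.10", 443, "10.0.0.5", 40000, syn | ack)),
    ]
    sl, sf = StatelessFirewall(STATELESS_RULES), StatefulFirewall(STATEFUL_RULES)
    return {label: (sl.filter(p), sf.filter(p)) for label, p in packets}


def syn_flood() -> str:
    """Caveat: spoofed SYNs to the web server fill the connection table, after
    which the stateful device drops even a legitimate new DNS query."""
    fw = StatefulFirewall(STATEFUL_RULES, max_entries=4)
    for i in range(4):  # each SYN is, on its own, a perfectly valid packet
        fw.filter(Packet("tcp", f"198.51.100.{i + 1}", 40000, "10.0.0.80", 80, frozenset({"SYN"})))
    return fw.filter(Packet("udp", "10.0.0.5", 51234, "8.8.8.8", 53))


if __name__ == "__main__":
    for label, (stateless, stateful) in run_scenario().items():
        print(f"{label:20s} stateless={stateless:6s} stateful={stateful}")
    print("after SYN flood, new DNS query:", syn_flood())
```

Running it shows the two filters agreeing on the real query, the real answer and the outbound TLS handshake, and disagreeing on exactly the three packets the text describes: the forged DNS answer, the ACK probe and the FIN probe all pass the stateless rule set because an inbound rule had to be written for return traffic, while the stateful filter drops them as belonging to no tracked flow. The last line is the caveat: once four spoofed SYNs have occupied the (deliberately tiny) table, a legitimate new flow is refused, which is the resource a SYN flood targets.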

How to Choose a Firewall

A stateful firewall can do everything that a stateless one can, but the opposite is not true. Certain attacks can only be detected with the context that state tracking provides, so a stateful firewall should be the default choice for a network boundary. Stateless filtering still has a role as a cheap first pass, for example router ACLs that discard spoofed or obviously unwanted traffic before it reaches the stateful device, but not as the sole boundary control.

However, when selecting a firewall, it's also important to consider other factors. Both stateful and stateless firewalls typically inspect only packet headers when making their decisions, so they are blind to attacks in which the malicious content is carried in the packet payload. In the modern threat landscape a large share of attacks, including malware delivery and application-layer exploits, fall into this category.

As a result, a next-generation firewall (NGFW) — which has the ability to inspect packets’ contents and integrates other security functions such as an intrusion prevention system (IPS) — is the right choice for organizations looking to protect themselves against modern cyber threats.

NGFW with Quantum

Firewalls come in a few different types, and choosing the right one for your organization is essential to effective cybersecurity. While an NGFW is essential to protect against modern threats, it’s important to know what to look for and how to evaluate your options. Learn more in this buyer’s guide to NGFWs.

Check Point’s range of NGFWs includes a solution for every organization. To learn more about how a Check Point NGFW can enhance your organization’s cybersecurity and get help in choosing the right one for your use cases, sign up for a free demo today.
