What Is a Stateful Packet Inspection Firewall?

A stateful packet inspection (SPI) firewall internally tracks the state of current network connections. This enables it to identify anomalous traffic that a firewall without this state-tracking capability would miss.


How Stateful Packet Inspection Firewalls Work

The original firewalls were stateless systems that decided whether to allow an incoming packet through based solely on the packet’s headers. They could block traffic to or from certain IP addresses, or prevent traffic using certain network protocols from entering or leaving the network.
However, these early firewalls lacked the ability to determine whether a packet was valid in the context of an existing, active connection. For example, distributed denial of service (DDoS) amplification attacks send a request with a spoofed source IP address to a legitimate service, which sends the response to the indicated address, flooding it with unwanted incoming traffic. While the contents of this response are valid and may not violate any firewall rules, it’s a response without a corresponding request.
Recognizing that mismatch is only possible with knowledge of past packets.
SPI firewalls internally track the state of network connections based on the source and destination IP addresses and port numbers. This information uniquely identifies a connection and enables the firewall to record its current state.
When the firewall sees a new packet, it looks up the current state of the network connection and determines whether or not the packet is valid in the context of that connection. This additional check — above and beyond the firewall rules used by stateless firewalls — enables it to identify and block different types of attacks such as DDoS amplification attacks, ACK scans, and other malicious traffic that is not valid in context.
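The lookup described above can be modeled in a few lines of Python. This is an added example, not Check Point code: the names Packet, StatefulFilter and run and the sample addresses are assumptions, only connections opened from inside the protected network are tracked, and entry timeouts and TCP teardown are left out.

```python
from collections import namedtuple

SYN, ACK = 0x02, 0x10  # TCP flag bits
# outbound=True means the packet is leaving the protected network.
Packet = namedtuple("Packet", "proto src sport dst dport flags outbound")

class StatefulFilter:
    """Connection table keyed on protocol, addresses and ports."""
    def __init__(self):
        self.table = {}  # (proto, inside endpoint, outside endpoint) -> state

    @staticmethod
    def _key(p):
        # Both directions of one connection map to the same table entry.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (p.proto, a, b) if p.outbound else (p.proto, b, a)

    def check(self, p):
        key = self._key(p)
        state = self.table.get(key)
        if p.proto == "udp":
            if p.outbound:
                self.table[key] = "REQUESTED"
                return "ALLOW"
            # An inbound reply is valid only if a request was recorded.
            return "ALLOW" if state == "REQUESTED" else "DROP"
        if p.outbound and p.flags == SYN:
            self.table[key] = "SYN_SENT"
            return "ALLOW"
        if state is None:
            return "DROP"  # no connection on record, e.g. an ACK-scan probe
        if state == "SYN_SENT":
            if not p.outbound and p.flags == SYN | ACK:
                self.table[key] = "SYN_RCVD"
                return "ALLOW"
            return "DROP"
        if state == "SYN_RCVD" and p.outbound and p.flags == ACK:
            self.table[key] = "ESTABLISHED"
            return "ALLOW"
        return "ALLOW" if state == "ESTABLISHED" else "DROP"

def run(packets):
    fw = StatefulFilter()
    return [fw.check(p) for p in packets]

# Constructed sample traffic using documentation address ranges.
SAMPLE = [
    Packet("udp", "192.0.2.10", 40000, "198.51.100.53", 53, 0, True),    # DNS query
    Packet("udp", "198.51.100.53", 53, "192.0.2.10", 40000, 0, False),   # its reply
    Packet("udp", "203.0.113.7", 53, "192.0.2.10", 40001, 0, False),     # reply, no request
    Packet("tcp", "203.0.113.9", 443, "192.0.2.10", 50000, ACK, False),  # bare ACK
]
```

Running `run(SAMPLE)` allows the query and its matching reply and drops the last two packets, which a header-only rule permitting DNS replies and ACK segments would have passed.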

Key Features of an SPI Firewall

The growth of SaaS applications means that a significant percentage of applications communicate over HTTPS, limiting the effectiveness of port and protocol-based traffic filtering.
SPI firewalls offer certain crucial features and functions to an organization, including:
Dynamic Packet Filtering: The main differentiating feature between stateless and stateful firewalls is dynamic packet filtering. The ability to track the state of a network connection and permit or block packets based on it enables these firewalls to identify malicious traffic that a stateless firewall would miss.
Application-Layer Inspection: Some SPI firewalls have the ability to perform a limited inspection of traffic at the application layer (OSI Layer 7) to bolster their state-tracking abilities. This enables them to determine whether a packet is legitimate in the context of an HTTP, DNS, or other application-layer session.
Scalability and Performance: Performing stateful inspection of network traffic requires more resources than a stateless firewall. SPI firewalls should have the resources required to analyze and secure corporate network traffic at scale while minimizing latency and performance impacts.
Logging and Monitoring: Firewalls have vital visibility into the traffic attempting to enter or leave an organization’s network. SPI firewalls should provide logging and monitoring capabilities to enable security teams to detect attempted intrusions.
Security Integration: Firewalls are one component of a corporate security architecture. They should integrate with other security solutions to enhance threat prevention capabilities and simplify security management.

Implementing SPI Firewalls in Network Infrastructure

Firewalls are commonly deployed at the perimeter of the corporate network, dividing internal corporate environments from the public Internet. In some cases, an SPI firewall may incorporate routing functionality and act as a multi-function solution.
When selecting and deploying network firewalls, it’s important to consider your organization’s business needs and required features. Some things to consider include:
Next-Generation Firewalls (NGFWs): All NGFWs offer stateful inspection capabilities, but not all SPI firewalls have the functionality of an NGFW. NGFWs’ greater range of integrated security capabilities makes them better suited to identifying more modern and sophisticated cyber threats.
AI-Powered Firewalls: Artificial intelligence and machine learning (AI/ML) are well suited to parsing through reams of network and security data to identify likely threats to the network. As the technology matures, NGFWs incorporating AI and ML will outstrip their peers in terms of threat prevention and response capabilities and efficiency.
Cloud Capabilities: As corporate clouds expand, companies need firewalls capable of scaling to meet the needs of these rapidly changing environments. Additionally, cloud-native firewalls can leverage cloud scalability to minimize the performance and latency impacts of security inspection for both on-prem and cloud-based solutions.

Quantum Force - AI-Powered Firewalls and Security Gateways

Check Point Quantum Force NGFWs offer AI-powered threat prevention capabilities to more quickly and accurately identify and block attempted attacks against an organization’s IT assets. Learn more about what to look for in an NGFW by downloading this buyer’s guide.
With AI-enhanced security and integrated threat intelligence, Quantum Force offers industry-leading threat prevention for data centers, enterprise core, perimeter and branches. To explore Quantum Force’s benefits for your organization’s cybersecurity, request a free demo today.
For securing your Cloud network environments, request a demo of Check Point CloudGuard Network firewall.
