Firewalls have been a foundational component of enterprise cybersecurity strategy for a very long time. They have gone through massive feature additions and enhancements over the years. One particular feature, dating back to 1994, is stateful inspection.

What is a stateful inspection?

Stateful inspection, aka dynamic packet filtering, is when a firewall filters data packets based on the STATE and CONTEXT of network connections. Let’s explore what “state” and “context” mean for a network connection.

State

Let's use TCP-based communication between two endpoints as a way to understand the state of a connection. In TCP, four bits (SYN, ACK, RST, FIN) out of the nine assignable control bits are used to control the state of the connection. Firewalls can apply policy based on that connection state; however, they also have to account for leftover, retransmitted, or delayed packets that arrive after the connection has been terminated. Let’s look at a simplistic example of state tracking in firewalls:
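As an added illustration (not the post's own example), here is a minimal connection tracker in Python: it derives TCP state from the control bits, keeps a short grace period so the final ACK of a close still passes while a long-delayed leftover packet is dropped, and keeps a timed pseudo state for UDP flows. The timeout values, the addresses in the usage, and the absence of a policy lookup for new flows are assumptions made for the example.

```python
# Added example (not from the original post): a minimal connection tracker that derives
# TCP state from the control bits and keeps a timed "pseudo state" for UDP.
SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04   # TCP control bit masks
UDP_TIMEOUT = 30.0    # assumed idle timeout (seconds) for a UDP pseudo-state entry
TCP_TIME_WAIT = 2.0   # assumed grace (seconds) for late packets after both FINs

class ConnTracker:
    def __init__(self):
        self.table = {}   # 5-tuple of the opening packet -> {"state", "last", "fins"}

    def packet(self, proto, src, sport, dst, dport, flags=0, now=0.0):
        """Return 'ALLOW'/'DROP'; the policy lookup for new flows is omitted (all pass)."""
        key = (proto, src, sport, dst, dport)
        rev = (proto, dst, dport, src, sport)          # the return direction
        stored, direction = ((key, "orig") if key in self.table else
                             (rev, "reply") if rev in self.table else (None, None))
        if proto == "udp":                             # stateless protocol: pseudo state
            if stored is None:
                self.table[key] = {"state": "PSEUDO", "last": now}
                return "ALLOW"
            if now - self.table[stored]["last"] > UDP_TIMEOUT:
                del self.table[stored]                 # aged out: reply no longer expected
                return "DROP"
            self.table[stored]["last"] = now
            return "ALLOW"
        if stored is None:                             # TCP: only a bare SYN opens an entry
            if flags & SYN and not flags & ACK:
                self.table[key] = {"state": "SYN_SENT", "last": now, "fins": set()}
                return "ALLOW"
            return "DROP"                              # stray packet, no tracked connection
        entry = self.table[stored]
        if flags & RST:
            del self.table[stored]                     # abortive close: forget the connection
            return "ALLOW"
        if entry["state"] == "TIME_WAIT":              # both FINs seen: brief grace only
            if now - entry["last"] <= TCP_TIME_WAIT:
                return "ALLOW"
            del self.table[stored]
            return "DROP"
        if entry["state"] == "SYN_SENT":
            if direction == "reply" and flags & SYN and flags & ACK:
                entry["state"] = "ESTABLISHED"
            elif not (direction == "orig" and flags & SYN):
                return "DROP"                          # only SYN retransmit or SYN-ACK fits
        if flags & FIN:
            entry["fins"].add(direction)
            if len(entry["fins"]) == 2:
                entry["state"] = "TIME_WAIT"
        entry["last"] = now
        return "ALLOW"
```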
Pseudo state

Not all networking protocols have a state like TCP. UDP, for example, is a very commonly used protocol that is stateless in nature. Applications using this protocol either maintain the state using application logic or work without it. A few popular applications using UDP are DNS, TFTP, SNMP, RIP, DHCP, etc. Today's stateful firewall creates a “pseudo state” for these protocols. For example, when a firewall sees an outgoing packet such as a DNS request, it creates an entry using the IP address and port of the source and destination. It then uses this connection data, along with a connection timeout, to allow the incoming reply, such as the DNS response.

Context

The context of a connection includes the metadata associated with packets such as:
Stateful vs. stateless inspection

The main difference between a stateful firewall and a stateless firewall is that a stateful firewall analyzes the complete context of traffic and data packets, constantly keeping track of the state of network connections (hence “stateful”). A stateless firewall instead analyzes traffic and data packets without requiring the full context of the connection. Now let's take a closer look at stateful vs. stateless inspection firewalls.

Stateless firewalls

How does a stateless firewall work?

Using Figure 1, we can understand the inner workings of a stateless firewall. A stateless firewall applies the security policy to inbound or outbound traffic (1) by inspecting the protocol headers of the packet. It examines OSI layers 2 to 4. After inspecting, a stateless firewall compares this information with the policy table (2). From there, it decides the policy action (4.a & 4.b): to ALLOW, DENY, or RESET the packet.

Figure 1: Flow diagram showing policy decisions for a stateless firewall

What are the pros of a stateless firewall?
What are the cons of a stateless firewall?
Let me explain the challenges of configuring and managing ACLs at small and large scale. First, let's take the case of small-scale deployment.
Let's move on to the large-scale problem now.
Reflexive firewalls AKA reflexive ACLs

A reflexive ACL, aka IP-Session-Filtering ACL, is a mechanism to whitelist return traffic dynamically. Most of the policy-decision workflow is similar to a stateless firewall, except for the mechanism that identifies a new connection and adds an automated, dynamic stateless ACL entry. Let's see the life of a packet using the workflow diagram below.

Figure 2: Flow diagram showing policy decisions for a reflexive ACL

When a reflexive ACL detects a new outbound IP connection (6 in Fig. 2), it adds a dynamic ACL entry (7) by reversing the source and destination IP address and port. The new dynamic ACL entry enables the return traffic to be validated against it. Similarly, the reflexive firewall removes the dynamic ACL entry when it detects FIN packets from both sides, an RST packet, or an eventual timeout.

What are the benefits of a reflexive firewall?

The one and only benefit of a reflexive firewall over a stateless firewall is its ability to automatically whitelist return traffic. This avoids writing the reverse ACL rule manually.

What are the cons of a reflexive firewall?

Reflexive ACLs still act entirely on static information within the packet. The reason to bring this up is that although they are a step up from standard ACLs in terms of writing the rules for reverse traffic, it is straightforward to circumvent a reflexive ACL. A reflexive firewall suffers from the same deficiencies as a stateless firewall. One way to test that would be to fragment the packet so that the information the reflexive ACL acts on gets split across multiple packets; the reflexive ACL then cannot decide whether to allow or drop the individual packet. A stateful firewall, on the other hand, is capable of reassembling the fragments split across multiple packets and then basing its decision on STATE + CONTEXT + packet data for the whole session. The other drawback of reflexive ACLs is that they work with only certain kinds of applications.
For example, FTP, a very common application used to transfer files over the network, works by dynamically negotiating the data ports to be used for the transfer over a separate control connection. Since reflexive ACLs are static, they can whitelist only bidirectional connections between two hosts using the same five-tuple. Therefore, they cannot support applications like FTP.

Stateful firewalls

A stateful firewall acts on the STATE and CONTEXT of a connection when applying the firewall policy. To understand the inner workings of a stateful firewall, let’s refer to the flow diagram below.

Figure 3: Flow diagram showing policy decisions for a stateful firewall

How does a stateful firewall work?
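An added example (not code from the original post) contrasting the two behaviours on the FTP case described above: the reflexive ACL only ever reverses the outbound 5-tuple, so the server's separately negotiated data connection never matches, while a tracker that also reads the PORT command on the control channel can expect that connection. The addresses, ports and the PORT parsing are constructed assumptions, and the full TCP state machine of a stateful firewall is left out to keep the contrast short.

```python
# Added example (not from the original post): a reflexive ACL only reverses the 5-tuple,
# so FTP's negotiated data connection never matches; a tracker that also reads the
# control-channel payload can add an expectation for that connection.
class ReflexiveACL:
    """Whitelists return traffic by reversing the 5-tuple of each outbound flow."""
    def __init__(self):
        self.dynamic = set()          # reversed 5-tuples that return traffic may match

    def outbound(self, src, sport, dst, dport, payload=b""):
        self.dynamic.add(("tcp", dst, dport, src, sport))   # payload is never inspected

    def inbound(self, src, sport, dst, dport):
        return "ALLOW" if ("tcp", src, sport, dst, dport) in self.dynamic else "DROP"

class FtpAwareTracker(ReflexiveACL):
    """Stateful-style variant: learns the data connection from the FTP PORT command."""
    def __init__(self):
        super().__init__()
        self.expected = set()         # data connections announced on the control channel

    def outbound(self, src, sport, dst, dport, payload=b""):
        super().outbound(src, sport, dst, dport)
        if dport == 21 and payload.startswith(b"PORT "):
            # PORT h1,h2,h3,h4,p1,p2: client will listen on h1.h2.h3.h4 port p1*256+p2
            parts = payload[5:].strip().split(b",")
            host = ".".join(p.decode() for p in parts[:4]) if len(parts) == 6 else None
            if host == src:           # only trust a PORT that names the control-channel client
                port = int(parts[4]) * 256 + int(parts[5])
                self.expected.add(("tcp", dst, 20, host, port))   # active mode: server port 20

    def inbound(self, src, sport, dst, dport):
        flow = ("tcp", src, sport, dst, dport)
        if flow in self.expected:
            self.expected.discard(flow)   # one-shot: consumed when the data connection arrives
            return "ALLOW"
        return super().inbound(src, sport, dst, dport)

CLIENT, SERVER = "10.0.0.5", "203.0.113.10"   # constructed addresses

def ftp_session(fw):
    """Client opens the control channel and sends PORT; server replies, then connects for data."""
    fw.outbound(CLIENT, 40000, SERVER, 21, payload=b"PORT 10,0,0,5,160,10\r\n")
    control_reply = fw.inbound(SERVER, 21, CLIENT, 40000)
    data_connect = fw.inbound(SERVER, 20, CLIENT, 160 * 256 + 10)
    return control_reply, data_connect
```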
What are the pros of a stateful firewall?
What are the cons of a stateful firewall?
Conclusion

There is no one perfect firewall. Each type of firewall has a place in a defense-in-depth strategy. A stateless firewall can help in places where coarse-grained policing is adequate, and a stateful firewall is useful where finer and deeper policy controls and network segmentation or micro-segmentation are required. Today there are even various flavors of traffic inspection firewalls between stateless and stateful protocol inspection. These are important to be aware of when selecting a firewall for your environment. Now that you’re equipped with the technical understanding of statefulness, my next blog post will discuss why stateful firewalling is important for micro-segmentation and why you should make sure your segmentation vendor does it.

Learn more

For more information on firewalls and other critical business decisions regarding your company’s security strategy, contact us.