Jump to content

Main menu Navigation ●Main page ●Contents ●Current events ●Random article ●About Wikipedia ●Contact us ●Donate Contribute ●Help ●Learn to edit ●Community portal ●Recent changes ●Upload file

●Create account ●Log in ●Create account ● Log in Pages for logged out editors learn more ●Contributions ●Talk

(Top) 1 Description 1.1 Stateful inspection firewall advantages 1.2 Stateful inspection firewall disadvantages 2 See also 3 References

Stateful firewall

●Čeština ●Deutsch ●Español ●فارسی ●Français ●Italiano ●עברית ●Piemontèis ●Polski ●Português ●Русский ●Suomi ●中文 Edit links ●Article ●Talk ●Read ●Edit ●View history Tools Actions ●Read ●Edit ●View history General ●What links here ●Related changes ●Upload file ●Special pages ●Permanent link ●Page information ●Cite this page ●Get shortened URL ●Download QR code ●Wikidata item Print/export ●Download as PDF ●Printable version Appearance From Wikipedia, the free encyclopedia

In computing, a stateful firewall is a network-based firewall that individually tracks sessions of network connections traversing it. Stateful packet inspection, also referred to as dynamic packet filtering,^[1] is a security feature often used in non-commercial and business networks.

Description[edit]

A stateful firewall keeps track of the state of network connections, such as TCP streams, UDP datagrams, and ICMP messages, and can apply labels such as LISTEN, ESTABLISHED, or CLOSING.^[2] State table entries are created for TCP streams or UDP datagrams that are allowed to communicate through the firewall in accordance with the configured security policy. Once in the table, all RELATED packets of a stored session are streamlined, taking fewer CPU cycles than standard inspection. Related packets are also permitted to return through the firewall even if no rule is configured to allow communications from that host. If no traffic is seen for a specified time (time-out implementation dependent), the connection is removed from the state table. This can lead to applications experiencing unexpected disconnects or half-open TCP connections. Applications can be written to send keepalive messages^[3] periodically to prevent a firewall from dropping the connection during periods of no activity or for applications which by design have long periods of silence.

The method of maintaining a session's state depends on the transport protocol being used. TCP is a connection-oriented protocol^[4] and sessions are established with a three-way handshake using SYN packets and ended by sending a FIN notification.^[5] The firewall can use these unique connection identifiers to know when to remove a session from the state table without waiting for a timeout. UDP is a connectionless protocol,^[4] which means it does not send unique connection-related identifiers while communicating. Because of that, a session will only be removed from the state table after the configured time-out. UDP hole punching is a technology that leverages this trait to allow for dynamically setting up data tunnels over the internet.^[6] ICMP messages are distinct from TCP and UDP and communicate control information of the network itself. A well-known example of this is the ping utility.^[7] ICMP responses will be allowed back through the firewall. In some scenarios, UDP communication can use ICMP to provide information about the state of the session so ICMP responses related to a UDP session will also be allowed back through.

Stateful inspection firewall advantages[edit]

Monitors the entire session for the state of the connection, while also checking IP addresses and payloads for more thorough security
Offers a high degree of control over what content is let in or out of the network
Does not need to open numerous ports to allow traffic in or out
Delivers substantive logging capabilities

Stateful inspection firewall disadvantages[edit]

Resource-intensive and interferes with the speed of network communications
More expensive than other firewall options
Doesn't provide authentication capabilities to validate traffic sources are not spoofed
Doesn't work with asymmetric routing (opposite directions use different paths)
Can lead to unexpected disconnections or half-open connections if connections are idle for longer than the time-out

References[edit]

^ Goralski, Walter (12 May 2017). The illustrated network: How TCP/IP works in a modern network. Elsevier Science. ISBN 978-0-12-811027-0. OCLC 986540207.

^ "TCP connection status". IBM Knowledge Center. 12 February 2015. Retrieved Sep 6, 2020.

^ "TCP Keepalive HOWTO". The Linux Documentation Project. Retrieved Sep 6, 2020.

^ ^a ^b Mitchell, Bradley (Apr 1, 2020). "TCP vs UDP". Lifewire. Retrieved Sep 6, 2020.

^ "TCP three-way handshake". Study-CCNA. 6 September 2018. Retrieved Sep 6, 2020.

^ "Automatic NAT Traversal for Auto VPN Tunneling between Cisco Meraki Peers". Meraki. Retrieved Sep 6, 2020.

^ Mitchell, Bradley (Dec 3, 2018). "Guide to Internet Control Message Protocol (ICMP)". Lifewire. Retrieved Sep 6, 2020.

Information security

Related security categories

Defenses

Apps

Apps

Distros

macOS

Windows

Commercial

Freemium

Open-source

Retrieved from "https://en.wikipedia.org/w/index.php?title=Stateful_firewall&oldid=1218744104" Categories: ●Computer network security ●Packets (information technology) ●Data security ●Cyberwarfare Hidden categories: ●Articles with short description ●Short description matches Wikidata ●This page was last edited on 13 April 2024, at 15:30 (UTC). ●Text is available under the Creative Commons Attribution-ShareAlike License 4.0; additional terms may apply. By using this site, you agree to the Terms of Use and Privacy Policy. Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc., a non-profit organization. ●Privacy policy ●About Wikipedia ●Disclaimers ●Contact Wikipedia ●Code of Conduct ●Developers ●Statistics ●Cookie statement ●Mobile view