Stateful firewall: Difference between revisions

Content deleted Content added

Inline

Latest revision as of 15:30, 13 April 2024

In computing, a stateful firewall is a network-based firewall that individually tracks sessions of network connections traversing it. Stateful packet inspection, also referred to as dynamic packet filtering,^[1] is a security feature often used in non-commercial and business networks.

Description

A stateful firewall keeps track of the state of network connections, such as TCP streams, UDP datagrams, and ICMP messages, and can apply labels such as LISTEN, ESTABLISHED, or CLOSING.^[2] State table entries are created for TCP streams or UDP datagrams that are allowed to communicate through the firewall in accordance with the configured security policy. Once in the table, all RELATED packets of a stored session are streamlined, taking fewer CPU cycles than standard inspection. Related packets are also permitted to return through the firewall even if no rule is configured to allow communications from that host. If no traffic is seen for a specified time (time-out implementation dependent), the connection is removed from the state table. This can lead to applications experiencing unexpected disconnects or half-open TCP connections. Applications can be written to send keepalive messages^[3] periodically to prevent a firewall from dropping the connection during periods of no activity or for applications which by design have long periods of silence.

The method of maintaining a session's state depends on the transport protocol being used. TCP is a connection-oriented protocol^[4] and sessions are established with a three-way handshake using SYN packets and ended by sending a FIN notification.^[5] The firewall can use these unique connection identifiers to know when to remove a session from the state table without waiting for a timeout. UDP is a connectionless protocol,^[4] which means it does not send unique connection-related identifiers while communicating. Because of that, a session will only be removed from the state table after the configured time-out. UDP hole punching is a technology that leverages this trait to allow for dynamically setting up data tunnels over the internet.^[6] ICMP messages are distinct from TCP and UDP and communicate control information of the network itself. A well-known example of this is the ping utility.^[7] ICMP responses will be allowed back through the firewall. In some scenarios, UDP communication can use ICMP to provide information about the state of the session so ICMP responses related to a UDP session will also be allowed back through.

Stateful inspection firewall advantages

Monitors the entire session for the state of the connection, while also checking IP addresses and payloads for more thorough security
Offers a high degree of control over what content is let in or out of the network
Does not need to open numerous ports to allow traffic in or out
Delivers substantive logging capabilities

Stateful inspection firewall disadvantages

Resource-intensive and interferes with the speed of network communications
More expensive than other firewall options
Doesn't provide authentication capabilities to validate traffic sources are not spoofed
Doesn't work with asymmetric routing (opposite directions use different paths)
Can lead to unexpected disconnections or half-open connections if connections are idle for longer than the time-out

References

^ Goralski, Walter (12 May 2017). The illustrated network: How TCP/IP works in a modern network. Elsevier Science. ISBN 978-0-12-811027-0. OCLC 986540207.
^ "TCP connection status". IBM Knowledge Center. 12 February 2015. Retrieved Sep 6, 2020.
^ "TCP Keepalive HOWTO". The Linux Documentation Project. Retrieved Sep 6, 2020.
^ ^a ^b Mitchell, Bradley (Apr 1, 2020). "TCP vs UDP". Lifewire. Retrieved Sep 6, 2020.
^ "TCP three-way handshake". Study-CCNA. 6 September 2018. Retrieved Sep 6, 2020.
^ "Automatic NAT Traversal for Auto VPN Tunneling between Cisco Meraki Peers". Meraki. Retrieved Sep 6, 2020.
^ Mitchell, Bradley (Dec 3, 2018). "Guide to Internet Control Message Protocol (ICMP)". Lifewire. Retrieved Sep 6, 2020.

[1] Goralski, Walter (12 May 2017). The illustrated network: How TCP/IP works in a modern network. Elsevier Science. ISBN 978-0-12-811027-0. OCLC 986540207.

[2] "TCP connection status". IBM Knowledge Center. 12 February 2015. Retrieved Sep 6, 2020.

[3] "TCP Keepalive HOWTO". The Linux Documentation Project. Retrieved Sep 6, 2020.

[TvU-4] Mitchell, Bradley (Apr 1, 2020). "TCP vs UDP". Lifewire. Retrieved Sep 6, 2020.

[5] "TCP three-way handshake". Study-CCNA. 6 September 2018. Retrieved Sep 6, 2020.

[6] "Automatic NAT Traversal for Auto VPN Tunneling between Cisco Meraki Peers". Meraki. Retrieved Sep 6, 2020.

[7] Mitchell, Bradley (Dec 3, 2018). "Guide to Internet Control Message Protocol (ICMP)". Lifewire. Retrieved Sep 6, 2020.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

@@ Line 1: / Line 1: @@
-<!-- READ BEFORE EDITING!
-before editing this page, please make sure the information being added explicitly relates to the unique qualities of stateful firewalls. Also, check to see another article does not exist that covers the content being added. also, try to cite as much as possible as this information can be easily incorrectly explained.
--->
-{{about|a subtype of network firewall|the primary article on firewalls|Firewall (computing)}}
 {{short description|Connection tracking network security system}}
-{{Computer security}}
-{{More citations needed|date=September 2020}}
-In computing, a '''stateful firewall''' is a [[Firewall (computing)| network-based firewall]] that individually tracks sessions of network connections traversing it. '''Stateful packet inspection''', also referred to as dynamic packet filtering,<ref>{{Cite book|last=Goralski, Walter, author.|url=http://worldcat.org/oclc/986540207|title=The illustrated network : how TCP/IP works in a modern network|isbn=978-0-12-811027-0|oclc=986540207}}</ref> is a security feature often used in non-commercial and business networks.
+<!--READ BEFORE EDITING!
+before editing this page, please make sure the information being added explicitly relates to the unique qualities of stateful firewalls. Also, check to see if another article does not already exist that covers the content being added. Try to cite as much as possible as this information can be easily incorrectly explained, and the network security articles seem to follow a trend of not citing information.-->
+In computing, a '''stateful firewall''' is a [[Firewall (computing)|network-based firewall]] that individually tracks sessions of network connections traversing it. '''Stateful packet inspection''', also referred to as dynamic packet filtering,<ref>{{cite book|last=Goralski|first=Walter|url=http://worldcat.org/oclc/986540207|title=The illustrated network: How TCP/IP works in a modern network|date=12 May 2017|publisher=Elsevier Science |isbn=978-0-12-811027-0|oclc=986540207}}</ref> is a security feature often used in non-commercial and business networks.
 ==Description==
-A stateful firewall keeps track of the state of network connections, such as [[Transmission Control Protocol| TCP]] streams or [[User Datagram Protocol| UDP]] datagrams, and can apply labels such as ''LISTEN'', ''ESTABLISHED'', or ''CLOSING''.<ref>{{Cite web|last=|first=|date=|title=TCP connection status|url=https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.halu101/constatus.htm|url-status=live|archive-url=|archive-date=|access-date=9/6/2020|website=IBM Knowledge Center}}</ref> State table entries are created for TCP streams or UDP datagrams that are allowed to communicate through the firewall in accordance with the configured security policy. Once in the table, all ''RELATED'' packets to a session are fast-track allowed, taking less CPU cycles than standard inspection. Packets related to a stored session are permitted to return back through the firewall even if no rule is configured to allow communications from that host. If no traffic is seen for a specified time (depending on the implementation), the connection is removed from the state table. Applications can send [[keepalive]] messages periodically to prevent a firewall from dropping the connection during periods of no activity or for applications which by design have long periods of silence.
+A stateful firewall keeps track of the state of network connections, such as [[Transmission Control Protocol|TCP]] streams, [[User Datagram Protocol|UDP]] datagrams, and [[Internet Control Message Protocol|ICMP]] messages, and can apply labels such as ''LISTEN'', ''ESTABLISHED'', or ''CLOSING''.<ref>{{Cite web|title=TCP connection status|url=https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.halu101/constatus.htm|access-date=Sep 6, 2020|website=IBM Knowledge Center|date=12 February 2015}}</ref> State table entries are created for TCP streams or UDP datagrams that are allowed to communicate through the firewall in accordance with the configured security policy. Once in the table, all ''RELATED'' packets of a stored session are streamlined, taking fewer [[CPU]] cycles than standard inspection. Related packets are also permitted to return through the firewall even if no rule is configured to allow communications from that host. If no traffic is seen for a specified time (time-out implementation dependent), the connection is removed from the state table. This can lead to applications experiencing unexpected disconnects or [[TCP half-open|half-open TCP connections]]. Applications can be written to send [[keepalive]] messages<ref>{{Cite web|title=TCP Keepalive HOWTO|url=https://tldp.org/HOWTO/TCP-Keepalive-HOWTO/overview.html|access-date=Sep 6, 2020|website=The Linux Documentation Project}}</ref> periodically to prevent a firewall from dropping the connection during periods of no activity or for applications which by design have long periods of silence.
-Depending on the protocol, maintaining a connection's state can vary. TCP is a connection oriented protocol and sessions are established with a [[three-way handshake]] using ''SYN'' packets and ended with a by sending a ''FIN'' notification. The firewall can use these unique connection identifiers to know when to remove a session from the state table without waiting for a timeout. UDP and [[Internet Control Message Protocol|ICMP]] are connectionless protocols, which means they do not send unique connection related identifiers while communicating. Because of that, a session will only be removed from the state table after the configured time-out. [[UDP hole punching]] is a technology that abuses this trait to allow for dynamically setting up data tunnels over the internet.
+The method of maintaining a session's state depends on the [[Transport layer|transport]] protocol being used. TCP is a connection-oriented protocol<ref name="TvU">{{Cite web|last=Mitchell|first=Bradley|date=Apr 1, 2020|title=TCP vs UDP|url=https://www.lifewire.com/tcp-headers-and-udp-headers-explained-817970|access-date=Sep 6, 2020|website=Lifewire}}</ref> and sessions are established with a [[three-way handshake]] using ''SYN'' packets and ended by sending a ''FIN'' notification.<ref>{{Cite web|title=TCP three-way handshake|url=https://study-ccna.com/tcp-three-way-handshake|access-date=Sep 6, 2020|website=Study-CCNA|date=6 September 2018}}</ref> The firewall can use these unique connection identifiers to know when to remove a session from the state table without waiting for a timeout. UDP is a connectionless protocol,<ref name="TvU"/> which means it does not send unique connection-related identifiers while communicating. Because of that, a session will only be removed from the state table after the configured time-out. [[UDP hole punching]] is a technology that leverages this trait to allow for dynamically setting up data tunnels over the internet.<ref>{{Cite web|title=Automatic NAT Traversal for Auto VPN Tunneling between Cisco Meraki Peers|url=https://documentation.meraki.com/MX/Site-to-site_VPN/Automatic_NAT_Traversal_for_Auto_VPN_Tunneling_between_Cisco_Meraki_Peers|access-date=Sep 6, 2020|website=Meraki}}</ref> ICMP messages are distinct from TCP and UDP and communicate control information of the network itself. A well-known example of this is the [[Ping (networking utility)|ping]] utility.<ref>{{Cite web|last=Mitchell|first=Bradley|date=Dec 3, 2018|title=Guide to Internet Control Message Protocol (ICMP)|url=https://www.lifewire.com/icmp-and-icmpv6-ip-networking-818135|access-date=Sep 6, 2020|website=Lifewire}}</ref> ICMP responses will be allowed back through the firewall. In some scenarios, UDP communication can use ICMP to provide information about the state of the session so ICMP responses related to a UDP session will also be allowed back through.
+=== Stateful inspection firewall advantages ===
-==See also==
-* [[Computer security]]
+* Monitors the entire session for the state of the connection, while also checking IP addresses and payloads for more thorough security
-* [[Netfilter]]
+* Offers a high degree of control over what content is let in or out of the network
+* Does not need to open numerous ports to allow traffic in or out
+* Delivers substantive logging capabilities
+=== Stateful inspection firewall disadvantages ===
+* Resource-intensive and interferes with the speed of network communications
+* More expensive than other firewall options
+* Doesn't provide authentication capabilities to validate traffic sources are not spoofed
+* Doesn't work with asymmetric routing (opposite directions use different paths)
+* Can lead to unexpected disconnections or [[TCP half-open|half-open connections]] if connections are idle for longer than the time-out
+== See also ==
+*[[Computer security]]
+*[[Netfilter]]
 ==References==
 {{Reflist}}
+{{Computer security}}
 {{Firewall software}}

v t e Information security
Related security categories	Computer security Automotive security Cybercrime Cybersex trafficking Computer fraud Cybergeddon Cyberterrorism Cyberwarfare Electromagnetic warfare Information warfare Internet security Mobile security Network security Copy protection Digital rights management	vectorial version
Threats	Adware Advanced persistent threat Arbitrary code execution Backdoors Bombs Fork Logic Time Zip Hardware backdoors Code injection Crimeware Cross-site scripting Cross-site leaks DOM clobbering History sniffing Cryptojacking Botnets Data breach Drive-by download Browser Helper Objects Viruses Data scraping Denial-of-service attack Eavesdropping Email fraud Email spoofing Exploits Fraudulent dialers Hacktivism Infostealer Insecure direct object reference Keystroke loggers Malware Payload Phishing Voice Polymorphic engine Privilege escalation Ransomware Rootkits Scareware Shellcode Spamming Social engineering Spyware Software bugs Trojan horses Hardware Trojans Remote access trojans Vulnerability Web shells Wiper Worms SQL injection Rogue security software Zombie
Defenses	Application security Secure coding Secure by default Secure by design Misuse case Computer access control Authentication Multi-factor authentication Authorization Computer security software Antivirus software Security-focused operating system Data-centric security Obfuscation (software) Data masking Encryption Firewall Intrusion detection system Host-based intrusion detection system (HIDS) Anomaly detection Information security management Information risk management Security information and event management (SIEM) Runtime application self-protection Site isolation