Stateful vs. stateless firewalls: Understanding the differences

What are stateless firewalls?

Stateless firewalls are one of the oldest and most basic firewall architectures. They were the standard at the advent of firewall technology. They were originally described as packet-filtering firewalls, but this name is misleading because both stateless firewalls and stateful firewalls perform packet filtering, just in different ways and levels of complexity.

Stateless firewalls rely on predetermined rules in access control lists (ACLs) to make decisions on individual packets. They make filtering decisions based only on the information present in each packet and do not store any information about the state or context of a connection. They inspect the source and destination IP addresses, port number and traffic type in the packet header to determine if they match a permit rule.

As a result, stateless firewalls are limited in their ability to filter traffic, and because they rely on ACLs, the filtering is only as good as the rules defined by the user. Stateless firewalls are more prone to user error if ACLs aren't managed properly.

A stateless firewall has the following characteristics:

• Provides network security by scanning static packet information.
• Acts as an ACL.
• Examines header information in each packet -- source and destination IP addresses, port number and protocol.
• Applies rules to the network (Layer 3) and transport (Layer 4) layers of the Open Systems Interconnection model.
• Does not filter packets by analyzing the content or behavior but by comparing their attributes against predefined rules of an ACL.
• Cannot store information on the connection state.
• Cannot detect many common types of attacks, including DDoS, application-layer attacks, malicious payloads and out-of-sequence packets.
• Consumes minimal system resources even as it delivers high performance and reduced latency.
• Costs less than more complex stateful firewalls.

The relative simplicity of stateless firewalls makes them less resource-intensive, faster and able to manage heavy traffic. But their limitations mean they can only be deployed in specific scenarios within an enterprise.

Today, most stateless firewalls are implemented at an internet-facing router. A basic packet-filtering rule set can reject obviously unwanted traffic and reduce the load on a stateful inspection firewall immediately behind the router.

For example, a rule can define a set of IP addresses either be permitted to access the network or be blocked if they are generated in certain geographic regions or via known bad IP addresses. It can also only allow certain network protocols to enter or leave a network. Although this is a crude approach to filtering traffic, it's a fast and non-resource-intensive tactic, enabling it to handle heavy traffic loads.

Because stateless firewalls rely on ACLs, the filtering is only as good as the rules defined by network managers. This opens the door to user error because this approach usually requires more rules than stateful firewalls. For example, in a stateless firewall, static packet-filtering rules have to be established across an entire range of ports to comb through services such as FTP and SMTP. The rules have to cover both incoming and outgoing packets. In a stateful firewall, the only rules required are those governing connections. In addition, ACLs can't automatically adapt. As the network and users evolve, ACLs have to be manually updated.

Stateless firewalls face other constraints as well. Because they treat each packet in isolation and don't have the ability to check if a packet is part of an established connection or fits within an expected state of communication, they can't identify attacks that rely on out-of-sequence packets, such as ACK flood attacks.

Furthermore, since they only inspect network packet headers and not their contents, stateless firewalls cannot identify malicious content within a packet's payload. As long as a malicious packet matches a forwarding rule, a stateless firewall forwards it. This means they are not best suited for technologies that rely on tracking connection states, such as network address translation or load balancing.

Regardless of these limitations, stateless firewalls can still play a key role when performance and scalability are critical factors -- for example, at the network perimeter to block obviously unwanted traffic from overloading other security controls.

What are stateful firewalls?

Stateful firewalls monitor data packets and the context of traffic on all network connections. One of the primary advantages of stateful firewalls is their ability to understand the context of network connections and thus make more intelligent decisions about which packets to allow and which to block. Stateful inspection firewalls, often referred to as dynamic packet-filtering or in-depth packet inspection firewalls, also work with Layer 3 and Layer 4, but they scan the contents of data packets and monitor the states of network connections. They can track the context of traffic, such as source and destination IP addresses, packet length, protocol states and port information.

Scanning the contents of data packets and keeping track of open connections enable stateful firewalls to oversee the movement of data and traffic communication requests made by users and devices throughout the network -- something stateless firewalls cannot do.

They do this by maintaining a state table made up of the sum total of connections established or blocked by the stateful firewall. When traffic arrives, stateful firewalls compare the traffic to the state table to determine whether it is part of an established connection and to ensure that packets pass through in sequence as authorized by the filter policies. Future filtering decisions take this history into account when determining if new traffic might be malicious. This also means stateful firewalls can block larger attacks, such as IP spoofing, port scanning and connection hijacking, that may be happening across individual packets.

All this monitoring comes at a higher cost in terms of processing power and speed. Stateful firewalls can thus be vulnerable to DDoS and man-in-the-middle attacks and can be subject to other attacks if their complex internal code isn't kept up to date.

A stateful firewall has the following characteristics:

• Examines packet header information and additional payload information to keep track of each incoming and outgoing connection.
• Stores information on the connection state and context to track active network connections to determine whether packets in a session are appropriate -- for example, in TCP, the state is reflected in the SYN, ACK and FIN flags.
• Catalogs patterns of behavior to learn to differentiate between safe and malicious traffic.
• Monitors multiple stages of a connection to filter out nonlogical network traffic even though it might appear legitimate.
• Drops packets if they do not fit the expected state or the payload doesn't correspond to the header.
• Slows traffic throughput rates when under heavy load.
• Does not detect and block certain application-level threats or attacks that require more granular inspection.

Stateful vs. stateless firewalls: Which to choose?

The choice between a stateful and stateless firewall depends on the organization's specific security requirements, network environment and performance considerations.

While both approaches can play a role protecting a network, next-generation firewalls (NGFWs) provide far greater protection. These firewalls combine multiple security technologies -- among them intrusion prevention, application visibility and web security -- and exploit threat intelligence information to identify and block unknown malware. As most modern applications use more than one port -- a configuration that can change during a session -- NGFWs offer far more protection than stateful firewalls that are limited to just connection-based traffic inspection.

Regardless of the type of firewall an enterprise deploys, it's important to ensure its rules are functioning as intended. At the same time, regular penetration tests and vulnerability assessments can identify weaknesses that require a review and update to firewall policies or signal configuration changes needed to adapt to evolving threats and business requirements. Centralized management capabilities, along with reporting and monitoring tools, make ongoing management and maintenance a lot easier. Finally, as with any device, update firewalls whenever new releases or patches are announced.

Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 20 years of experience in the IT industry.