Stateful vs. Stateless Firewalls

What is a Firewall?

Simply, a firewall is a network device used to scan and filter incoming and outgoing network traffic and allow or block packets based on a set of predefined rules. The main duty of a firewall is to isolate internal networks from outside networks (such as the internet) to prevent outside attackers and malware from entering secure networks.

Firewalls come in two forms, software or hardware. Interestingly, most organizations' networks use the two types simultaneously. Additionally, firewalls can be broadly classified into two categories: stateful and stateless.

STATELESS Firewalls

Stateless firewalls (see Figure 1) monitor network traffic and restrict or block packets based on source and destination IP addresses or other static values. They are not 'aware' of traffic patterns or data flows. A stateless firewall uses Access Control Lists (ACLs), which are network traffic filters used to control incoming or outgoing network traffic. A stateless firewall filter does not statefully inspect traffic. Instead, it uses packet filtering rules that define certain match conditions. If the match conditions are met, the stateless firewall allows the packet to enter the network; otherwise, the packet is blocked and access is denied.

Different criteria can be used to define the ACL rules, such as source and/or destination IP address, specific protocol carried in the packet, the source and/or destination port, or a combination of these parameters.

Figure 1: Stateless firewall (image: https://images.ctfassets.net/kvf8rpi09wgk/5ho76u8jTVS0L3dD9vDJwe/21613c3244f3b922692c5a7032b34df2/Screenshot__68_.png)

Purpose of Stateless Firewall Filters

The basic purpose of a stateless firewall filter is to enhance security through the use of packet filtering. Packet filtering enables inspection of the components of incoming or outgoing packets and then performs the actions specified on packets that match the criteria. A stateless firewall filter's typical use is to protect the Routing Engine processes and resources from malicious or untrusted packets.

Advantages of Stateless Firewalls

Here are some benefits of using a stateless firewall:

The main disadvantage of a stateless firewall is that it cannot analyze all network traffic (or packets), so it is unable to identify the traffic type. This makes it less secure than a stateful firewall.

STATEFUL Firewalls

Stateful firewalls (see Figure 2) monitor all traffic streams that pass through the network. They are aware of communication paths and can implement various IP Security (IPsec) functions such as tunnels and encryption. In technical terms, this means that stateful firewalls can tell what stage a TCP connection is in (open, open sent, synchronized, synchronization acknowledged, or established). They can tell if the Maximum Transmission Unit (MTU) has changed and whether packets have been fragmented, for example.
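The following is an added example, not code from the original article or from any firewall product, illustrating both the ACL match-condition evaluation described under stateless firewalls and the connection tracking described here. It simulates an inbound packet filter in two forms: a stateless ACL, which has to admit any ACK-bearing TCP packet so that replies to outbound connections get through, and a stateful filter, which records each outbound connection in a table and admits only packets that are replies to a tracked flow. The addresses, ports, rules and packets are all constructed for illustration; the state names and the "established" keyword are simplifications of what real firewalls do.

```python
"""Added example (not from the original article): a toy packet filter that
contrasts stateless ACL matching with stateful connection tracking.
All addresses, ports, rules and packets below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp" or "udp"
    sport: int
    dport: int
    flags: frozenset = frozenset()  # TCP flags present, e.g. {"SYN"} or {"SYN", "ACK"}


@dataclass(frozen=True)
class Rule:
    """One ACL entry. Unset fields match anything; 'established' mimics the
    classic ACL keyword that matches any TCP packet with the ACK flag set."""
    action: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None
    established: bool = False

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport)
                and (not self.established or "ACK" in pkt.flags))


def stateless_filter(acl: List[Rule], pkt: Packet) -> str:
    """Evaluate an ACL against one packet: first match wins, implicit deny at the end."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


class StatefulFilter:
    """Tracks connections opened from the internal network and admits inbound
    packets that are replies to them; anything else must be a new connection
    explicitly permitted by the inbound rules."""

    def __init__(self, inbound_rules: List[Rule], internal: str):
        self.rules = inbound_rules
        self.internal = ip_network(internal)
        self.table: Dict[Tuple, str] = {}   # client-side 5-tuple -> connection state

    @staticmethod
    def _key(pkt: Packet, reply: bool = False) -> Tuple:
        if reply:   # normalise an inbound reply to the client-side 5-tuple
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)

    def process(self, pkt: Packet) -> str:
        if ip_address(pkt.src) in self.internal:          # outbound: track it and allow
            key = self._key(pkt)
            if pkt.proto != "tcp":
                self.table[key] = "ESTABLISHED"            # UDP has no handshake to follow
            elif "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.table[key] = "SYN_SENT"
            elif self.table.get(key) == "SYN_ACK_SEEN" and "ACK" in pkt.flags:
                self.table[key] = "ESTABLISHED"
            return "allow"
        state = self.table.get(self._key(pkt, reply=True))  # inbound: reply to a tracked flow?
        if state is not None:
            if pkt.proto == "tcp" and state == "SYN_SENT" and {"SYN", "ACK"} <= pkt.flags:
                self.table[self._key(pkt, reply=True)] = "SYN_ACK_SEEN"
            return "allow"
        # Not a reply: a new TCP connection can only begin with a bare SYN.
        if pkt.proto == "tcp" and ("SYN" not in pkt.flags or "ACK" in pkt.flags):
            return "deny"
        return stateless_filter(self.rules, pkt)


INTERNAL = "10.0.0.0/8"
WEB_SERVER = "10.0.0.5/32"

# Stateless inbound ACL: must leave a hole for replies (any ACK-bearing TCP packet).
STATELESS_ACL = [
    Rule("allow", dst=WEB_SERVER, proto="tcp", dport=80),
    Rule("allow", dst=INTERNAL, proto="tcp", established=True),
    Rule("deny"),
]
# Stateful inbound rules: replies come from the connection table, so no such hole.
STATEFUL_RULES = [Rule("allow", dst=WEB_SERVER, proto="tcp", dport=80), Rule("deny")]

# Constructed traffic: an internal client opens an HTTPS connection; later two
# unsolicited inbound packets arrive at that client's SSH port.
SYN_OUT = Packet("10.0.0.7", "203.0.113.10", "tcp", 51000, 443, frozenset({"SYN"}))
SYN_ACK_IN = Packet("203.0.113.10", "10.0.0.7", "tcp", 443, 51000, frozenset({"SYN", "ACK"}))
ACK_OUT = Packet("10.0.0.7", "203.0.113.10", "tcp", 51000, 443, frozenset({"ACK"}))
STRAY_ACK_IN = Packet("198.51.100.9", "10.0.0.7", "tcp", 40000, 22, frozenset({"ACK"}))
NEW_SYN_IN = Packet("198.51.100.9", "10.0.0.7", "tcp", 40000, 22, frozenset({"SYN"}))
WEB_SYN_IN = Packet("198.51.100.9", "10.0.0.5", "tcp", 40001, 80, frozenset({"SYN"}))


def compare() -> Dict[str, Dict[str, str]]:
    """Run the inbound packets through both filters and return the verdicts."""
    inbound = {"syn_ack_reply": SYN_ACK_IN, "stray_ack": STRAY_ACK_IN,
               "new_syn_to_ssh": NEW_SYN_IN, "new_syn_to_web": WEB_SYN_IN}
    stateless = {name: stateless_filter(STATELESS_ACL, p) for name, p in inbound.items()}
    fw = StatefulFilter(STATEFUL_RULES, INTERNAL)
    fw.process(SYN_OUT)                                   # outbound SYN creates the table entry
    stateful = {"syn_ack_reply": fw.process(SYN_ACK_IN)}
    fw.process(ACK_OUT)                                   # handshake completes
    stateful["connection_state"] = fw.table[StatefulFilter._key(SYN_OUT)]
    for name in ("stray_ack", "new_syn_to_ssh", "new_syn_to_web"):
        stateful[name] = fw.process(inbound[name])
    return {"stateless": stateless, "stateful": stateful}


if __name__ == "__main__":
    for kind, verdicts in compare().items():
        print(kind, verdicts)
```

Running `compare()` shows the difference the text describes: both filters admit the legitimate SYN-ACK reply and the new web connection, and both block the new SYN to the client's SSH port, but the stateless ACL also admits the stray ACK-only packet, because its "established" rule can only look at flag bits and has no record of whether a connection exists. The stateful filter denies it, since nothing in its connection table matches and a new TCP connection cannot begin with an ACK.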