December 17, 2022

Stateful versus Stateless Firewalls

Firewalls are a tool used to provide critical protection for systems and information. Operating according to a set of configured security rules, firewalls monitor and manage the traffic flowing into and out of your network. It is important to understand the differences between stateful and stateless firewall technology to ensure that those systems and that information are protected.

There are different ways of implementing firewalls. Firewalls can be either network firewalls running on network hardware (a dedicated appliance or integrated into a switch or router), or host-based firewalls that inspect traffic on one or more interfaces of a host computer. When researching firewall types you likely encountered stateful and stateless firewalls. There is also a third firewall type, next-generation firewalls, which have become the most common type of commercially available product.

Stateful firewalls track the state of every connection passing through them, so they can permit or block traffic based on connection patterns and flows. Stateless firewalls look only at individual packets, applying a preset rule set to each one in isolation.


November 12, 2022

Firewall State Tables

A firewall state table builds and stores information about active connections that have been permitted by firewall rules. Entries in the table define each connection based on:

  • IP addresses - The addresses of the connection's endpoints.
  • Protocol - TCP, UDP, or ICMP.
  • Port numbers - The numbered ports of the services involved. Port numbers range from 0 to 65535.
  • Process ID (PID) - Unique identifier of the host process associated with each connection's traffic.
  • Timestamp - The time of the last incoming or outgoing packet associated with the connection.
  • Timeout - The time limit (in seconds) after which the entry is removed from the table if no packet matching the connection is received. The timeout for TCP connections is enforced only when the connection is not established.
  • Direction - The direction (incoming or outgoing) of the traffic that triggered the entry. After a connection is established, bidirectional traffic is allowed even with unidirectional rules, provided the entry matches the connection's parameters in the state table.

How are firewalls the same as all other network devices?

Each host connected to each network attached to the firewall is assumed to have been assigned a unique IP address. 

Firewall state tables support both IPv4 and IPv6.  IPv4 addresses are 32 bits long while IPv6 permits addresses 128 bits long. 

When a process ends, all state table entries associated with that process are deleted.

How do state tables differ based on the open source project or manufacturer? 

If firewall rules change, all active connections are checked against the new rule set. If no matching rule is found, the connection entry is discarded from the state table.

If a network adapter obtains a new IP address, the firewall recognizes the new configuration and drops all state table entries with invalid local IP addresses.
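As an added illustration (not code from the original post), here is a small Python model of the state table behaviour described in this post: rules are unidirectional, a permitted packet creates an entry, reply packets match that entry regardless of direction, idle entries expire unless the TCP connection is established, and a rule change or a local address change purges entries that no longer fit. The packet fields, the rule tuple format and the timeout values are my own assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass

# direction is "in" or "out" relative to the protected host; proto is "tcp", "udp" or "icmp"
Packet = namedtuple("Packet", "direction proto src sport dst dport")

@dataclass
class Entry:
    rule: tuple          # (direction, proto, dport) that permitted the connection
    local_ip: str        # this host's own address for the connection
    last_seen: float     # timestamp of the last packet matching the entry
    timeout: float       # idle seconds before removal (TCP: enforced only while not established)
    established: bool = False

class StateTable:
    def __init__(self, rules):
        self.rules = set(rules)   # allowed (direction, proto, dport) tuples; anything else is denied
        self.entries = {}

    @staticmethod
    def key(p):
        # Sort the two endpoints so that a reply maps onto the same entry as the request
        return (p.proto,) + tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def allow(self, p, now):
        self.expire(now)
        e = self.entries.get(self.key(p))
        if e is not None:         # known connection: both directions pass
            e.last_seen = now
            return True
        rule = (p.direction, p.proto, p.dport)
        if rule not in self.rules:
            return False          # implicit deny
        timeout = 60.0 if p.proto == "tcp" else 20.0    # constructed example timeouts
        local_ip = p.src if p.direction == "out" else p.dst
        self.entries[self.key(p)] = Entry(rule, local_ip, now, timeout)
        return True

    def mark_established(self, p):   # call once the TCP handshake has completed
        self.entries[self.key(p)].established = True
    def expire(self, now):
        for k, e in list(self.entries.items()):
            if not e.established and now - e.last_seen > e.timeout:
                del self.entries[k]
    def set_rules(self, rules):      # rule change: every active entry is re-checked
        self.rules = set(rules)
        self.entries = {k: e for k, e in self.entries.items() if e.rule in self.rules}
    def set_local_ips(self, ips):    # address change: drop entries with a stale local IP
        self.entries = {k: e for k, e in self.entries.items() if e.local_ip in set(ips)}
```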

A TCP connection progresses through a series of states during its lifetime. The states are:

  • LISTEN (An open port on a host waiting for a connection.)
  • SYN-SENT (A host is actively attempting to establish a connection.)
  • SYN-RECEIVED (The server received a TCP SYN, responded with a SYN/ACK, and is now waiting for the remote host to send an ACK to finally establish the connection.)
  • ESTABLISHED (There is a connection between a host and the remote IP and port that is able to exchange traffic.)
  • FIN-WAIT-1 (The first step of a four-way handshake was performed.)
  • FIN-WAIT-2 (Occurs when the server has an active connection with a client and wants to shut down the TCP connection.)
  • CLOSE-WAIT (The server has received the first FIN signal from the client and the connection is in the process of being closed.)
  • CLOSING (Host is waiting for an acknowledgement for a connection termination request before going to the TIME-WAIT state.)
  • LAST-ACK (The local end-point has performed a passive close and has initiated an active close by sending a connection termination request to the remote end-point.)
  • TIME-WAIT (The local end-point waits for twice the maximum segment lifetime (MSL) to pass before going to CLOSED, to be sure that the remote end-point received the acknowledgement.)
  • CLOSED (A fictional state, explained below.)

CLOSED is considered a fictional state because, in the standard where it is defined (RFC 9040), it represents the situation in which no transmission control block (TCB) exists, and a TCB is required to define a connection.
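To make the state list concrete, the following is an added example (my own, not from this post or either reference) that encodes the transitions between these states as a table and walks a client and a server through a complete open and close. The event names are labels I chose; the states and the segments sent on each transition follow the TCP specification.

```python
TRANSITIONS = {   # (state, event) -> (next state, segment sent to the peer)
    ("CLOSED", "passive_open"):    ("LISTEN", None),
    ("CLOSED", "active_open"):     ("SYN-SENT", "SYN"),
    ("LISTEN", "rcv_syn"):         ("SYN-RECEIVED", "SYN+ACK"),
    ("SYN-SENT", "rcv_syn_ack"):   ("ESTABLISHED", "ACK"),
    ("SYN-SENT", "rcv_syn"):       ("SYN-RECEIVED", "ACK"),   # simultaneous open
    ("SYN-RECEIVED", "rcv_ack"):   ("ESTABLISHED", None),
    ("ESTABLISHED", "close"):      ("FIN-WAIT-1", "FIN"),     # active close
    ("ESTABLISHED", "rcv_fin"):    ("CLOSE-WAIT", "ACK"),     # passive close
    ("FIN-WAIT-1", "rcv_ack"):     ("FIN-WAIT-2", None),
    ("FIN-WAIT-1", "rcv_fin"):     ("CLOSING", "ACK"),        # simultaneous close
    ("FIN-WAIT-2", "rcv_fin"):     ("TIME-WAIT", "ACK"),
    ("CLOSING", "rcv_ack"):        ("TIME-WAIT", None),
    ("CLOSE-WAIT", "close"):       ("LAST-ACK", "FIN"),
    ("LAST-ACK", "rcv_ack"):       ("CLOSED", None),
    ("TIME-WAIT", "timeout_2msl"): ("CLOSED", None),          # 2*MSL timer expired
}
SEGMENT_EVENT = {"SYN": "rcv_syn", "SYN+ACK": "rcv_syn_ack", "ACK": "rcv_ack", "FIN": "rcv_fin"}

class TcpEndpoint:
    """One end of a connection. CLOSED is the 'no TCB' state: nothing is being tracked."""
    def __init__(self):
        self.state = "CLOSED"
        self.history = ["CLOSED"]
    def handle(self, event):
        if (self.state, event) not in TRANSITIONS:
            raise ValueError(f"{event} is not valid in state {self.state}")
        self.state, segment = TRANSITIONS[(self.state, event)]
        self.history.append(self.state)
        return segment          # segment to send to the peer, or None

def drive(actor, peer, event):
    """Apply event at actor and bounce the resulting segments between the two sides until quiet."""
    pending = [(actor, peer, event)]
    while pending:
        src, dst, ev = pending.pop(0)
        segment = src.handle(ev)
        if segment:
            pending.append((dst, src, SEGMENT_EVENT[segment]))

def lifecycle():
    """Full open and close between a client and a server; returns both state histories."""
    client, server = TcpEndpoint(), TcpEndpoint()
    server.handle("passive_open")
    drive(client, server, "active_open")   # three-way handshake
    drive(client, server, "close")         # client closes first (active close)
    drive(server, client, "close")         # server closes its side
    client.handle("timeout_2msl")          # TIME-WAIT ends after 2*MSL
    return client.history, server.history
```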

References:

TCP states - explained

TCP/IP State Transition Diagram (RFC793)


October 22, 2022

Why deploy a stateless firewall?

In many security courses that cover firewalls, the concept of a stateless firewall is barely discussed. Most open source and commercially available firewalls are stateful, and many add features beyond the firewall itself, leading them to be called 'next generation' firewalls. Stateless firewalls cannot determine the complete pattern of incoming data packets, but they do inspect each packet.

Stateless firewalls perform better than stateful firewalls during heavy network traffic. Since each packet is inspected individually, there are no tables to maintain. They are very easy to configure, as the configuration simply lists which types of packets to allow, with an implicit deny for everything else. They are also faster, less complex, and less expensive than stateful firewalls.
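As an added example, not from the original post, the following Python stateless filter evaluates each packet on its own against an ordered rule list with an implicit deny. It also shows the trade-off of having no state table: return traffic needs its own rule, and that rule cannot tell a genuine reply from any other packet carrying the same header fields. The packet and rule layouts and the sample addresses are my own assumptions.

```python
from collections import namedtuple

# Header fields a stateless filter looks at; flags is a frozenset such as {"SYN"} or {"ACK"}
Packet = namedtuple("Packet", "direction proto src sport dst dport flags")
# A rule field set to ANY matches every value; flags named in a rule must all be set in the packet
Rule = namedtuple("Rule", "direction proto sport dport flags action")
ANY = None

def matches(rule, p):
    return (rule.direction == p.direction and rule.proto == p.proto
            and rule.sport in (ANY, p.sport) and rule.dport in (ANY, p.dport)
            and (rule.flags is ANY or rule.flags <= p.flags))

def filter_packet(rules, p):
    """First matching rule wins; a packet matching no rule is dropped (implicit deny all)."""
    for r in rules:
        if matches(r, p):
            return r.action
    return "deny"

# Constructed rule set for a host that browses HTTPS and accepts SSH
RULES = [
    Rule("out", "tcp", ANY, 443, ANY, "allow"),                 # host may open HTTPS connections
    Rule("in",  "tcp", 443, ANY, frozenset({"ACK"}), "allow"),  # only way to let replies back in
    Rule("in",  "tcp", ANY, 22, ANY, "allow"),                  # inbound SSH
]

def decisions():
    """Evaluate four constructed packets; returns a dict of name -> decision."""
    host, peer = "10.0.0.5", "203.0.113.7"
    packets = {
        "outbound_syn": Packet("out", "tcp", host, 51000, peer, 443, frozenset({"SYN"})),
        "genuine_reply": Packet("in", "tcp", peer, 443, host, 51000, frozenset({"SYN", "ACK"})),
        # no connection exists for this one, yet its header fields satisfy the reply rule
        "unsolicited_ack": Packet("in", "tcp", "198.51.100.9", 443, host, 51000, frozenset({"ACK"})),
        "unknown_service": Packet("in", "tcp", "198.51.100.9", 40000, host, 8080, frozenset({"SYN"})),
    }
    return {name: filter_packet(RULES, p) for name, p in packets.items()}
```

The "unsolicited_ack" result is the limitation a stateful table removes: without a record of the outbound request, the filter has nothing but header fields to decide on.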

Another use case for per-packet inspection is rerouting packets. A firewall that can identify and reroute packets is especially useful as a defense against denial of service attacks.

Many of the use cases for stateless firewalls involve deep packet inspection (DPI). Stateful packet inspection typically evaluates packet header information, such as source IP address, destination IP address, and port number, whereas deep packet inspection looks at a more comprehensive range of data and metadata associated with individual packets.

Deep packet inspection, also known as information extraction (IX) or complete packet inspection, is a type of network packet filtering. It evaluates both the data part and the header of a packet as it passes through an inspection point, weeding out protocol non-compliance, spam, viruses, intrusions, and any other defined criteria, and blocks the packet from passing through the inspection point when they are found.