Network traffic at layer 4 and above is vital. What does a stateful inspection firewall do with these layers?
What Does a Stateful Inspection Firewall Do?
A stateful inspection firewall is an excellent security solution for small, medium, and large businesses alike. It inspects network traffic and opens a connection only if that connection is known to be legitimate; all traffic that does not look legitimate is blocked.
To make this determination, the firewall compares the current network traffic with its state table, which holds information on every active connection and session. A stateful inspection firewall ensures that traffic belonging to a single session or connection is not spread over multiple packets or connections.
Spreading a session in this way is known as “tunneling”, and it can be done with protocols such as “HTTP Tunneling”. A stateful inspection firewall tracks every TCP session initiated from within the organization and keeps a record of its state.
It identifies the source port and destination port of each session, so if a new connection to an external resource is made from inside the network without a new session being opened first, stateful inspection detects and blocks it as possible attack or worm activity.
Packet Monitoring and Filtering
A stateful inspection firewall also checks every packet against its policy database, to ensure that the packet complies with the organization’s security policy before it is allowed to enter or exit the network. It works in conjunction with packet filtering when enforcing policy on a per-packet basis.
Stateful inspection allows packets to be checked individually against the active TCP sessions, whereas packet filtering checks packets only in bulk, based on IP address or protocol type. Stateful inspection can also filter based on application-layer protocol data.
Packet filtering, by contrast, cannot filter on application-layer data unless it is part of an IP payload’s content (e.g., FTP or Telnet). A stateful inspection firewall can work on IPv4 and IPv6 networks simultaneously, without any modifications or additional hardware or software.
UDP Traffic Inspection
UDP traffic is also inspected by a stateful inspection firewall. For UDP, the state table does not hold a state for each packet; instead, it keeps track of the state of all sessions in which UDP sessions are involved.
This is why a UDP session is called a “multisession” when compared with TCP: only one session is involved in a UDP communication. Stateful inspection works by inspecting the application-layer data of TCP and UDP traffic.
It inspects only payloads that exceed a preset length threshold (64 bytes by default). The threshold can be configured to match network and security requirements, either globally or on a per-rule basis.
The performance impact of setting this value higher than 64 bytes is low, and doing so is recommended only in high-speed networks with large payloads, where performance degradation is more likely to occur. This ensures that no truncated packets pass through the network and that no application-level protocols are used on top of TCP/IP or UDP/IP protocols.
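As an added illustration (not code from the original article), the following Python sketch models the state table described in the TCP session tracking and UDP traffic inspection sections above: sessions opened from inside are recorded by their 5-tuple, replies are matched against them, unsolicited inbound packets and outbound TCP traffic with no handshake are dropped, and UDP pseudo-sessions expire after an idle timeout. The internal address prefix, the timeout, and all addresses are constructed values.

```python
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."  # constructed: addresses on the "inside" of the network


@dataclass(frozen=True)
class Packet:
    proto: str          # "TCP" or "UDP"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag set (a connection-open attempt)


class StatefulFirewall:
    """Toy stateful inspection: the state table maps the 5-tuple of a session
    opened from inside to (state, last_seen); a packet passes only if it belongs
    to a tracked session in either direction or legitimately opens a new one."""

    def __init__(self, idle_timeout=30.0):
        self.state_table = {}
        self.idle_timeout = idle_timeout

    def _expire(self, now):
        # Drop entries idle longer than the timeout (this is how UDP
        # pseudo-sessions end, since UDP has no FIN/RST to close them)
        for k in [k for k, (_, seen) in self.state_table.items()
                  if now - seen > self.idle_timeout]:
            del self.state_table[k]

    def inspect(self, p, now):
        """Return 'ALLOW' or 'DROP' for packet p seen at time `now` (seconds)."""
        self._expire(now)
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.state_table:             # more traffic in an open session
            self.state_table[fwd] = (self.state_table[fwd][0], now)
            return "ALLOW"
        if rev in self.state_table:             # reply to a session opened inside
            self.state_table[rev] = ("ESTABLISHED", now)
            return "ALLOW"
        if not p.src.startswith(INTERNAL_PREFIX):
            return "DROP"                        # unsolicited inbound packet
        if p.proto == "TCP" and not p.syn:
            return "DROP"                        # TCP outside any session without SYN
        # New session from inside: TCP starts as NEW, UDP gets a pseudo-session
        self.state_table[fwd] = ("NEW" if p.proto == "TCP" else "UDP", now)
        return "ALLOW"
```

A real firewall also tracks TCP flags and sequence numbers to close sessions on FIN/RST and reject out-of-window segments; this sketch reduces TCP state to NEW and ESTABLISHED to keep the state-table logic visible.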