How a Stateful Firewall Works
A stateful firewall collects data regarding every connection made through it. All of these data points form profiles of “safe” connections. When a subsequent connection is attempted, it is checked against the list of attributes collected by the stateful firewall. If it has the qualities of a safe connection, it is allowed to occur. If not, the data packets are discarded. Data packets contain information about the data within them. A stateful firewall performs packet inspection, which checks the contents of packets to see if they pose threats.
Stateful firewalls can also integrate additional services, such as encryption or tunnels. These boost performance because they block malicious actors from reading the contents of communications, thereby making the connection safer through access control.
Stateful packet inspection
Stateful packet inspection is a technology used by stateful firewalls to determine which packets to allow through the firewall. It works by examining the contents of a data packet and then comparing them against data pertaining to packets that have previously passed through the firewall.
Stateful packet filtering keeps track of all connections on the network, making sure they are all legitimate. Network-based static packet filtering also examines network connections, but only as they come in, focusing on the data in the packets’ headers. This data provides less information to the firewall, limiting it to where it came from and where it is going.
Transport Control Protocol (TCP)
TCP is one of the primary protocols the internet uses to send and receive data, allowing data to be sent and received at the same time. In addition to helping transmit information, TCP contains data that can result in a reset (RST) of the connection, stopping it completely. TCP also dictates when the transmission should end with a FIN (finish) command. It groups data into packets, and when they arrive at the destination, the packets are reassembled into data the receiver can understand.
Stateful firewalls use TCP traffic to keep track of connections by examining the contents of the packets created in the TCP process. The three stages of a TCP connection—synchronize (SYN), synchronize-acknowledge (SYN-ACK), and acknowledge (ACK)—are used by a stateful inspection firewall to identify the parties involved in order to spot a potential threat. If signs of a bad actor are revealed as the TCP handshake takes place, the stateful firewall can discard the data.
Three-way handshake
The three-way handshake involves both sides of the data transmission process synchronizing to initiate a connection, then acknowledging each other. In this process, each side transmits information to the other side, and these are examined to see if anything is missing or not in the proper order.
As the handshake occurs, a stateful firewall can examine the data being sent and use it to glean information regarding the source, destination, how the packets are sequenced, and the data within the packet itself. If threats are detected, the firewall can reject the data packets.