Stateful vs. Stateless Firewalls
Protecting an organization's network is a top priority in today's information age. As more organizations shift their operations to become completely digital, the cost of a data breach can have tremendous effects on any business. According to Statista, the number of data breaches in the United States amounted to 1,473 in the first half of 2020, with over 164.68 million sensitive records exposed. The commercial impact of such breaches can be devastating: for example, IBM's report on the cost of a data breach predicts that the average cost of a breach in 2020 will reach $3.86 million. All these facts make organizations willing to deploy many types of security defenses to protect their sensitive data. Arguably, firewall solutions remain at the front line of network defense.
This article covers a little bit about firewalls and differentiates between the two types: stateful and stateless firewalls.
What is a Firewall?
Simply, a firewall is a network device used to scan and filter incoming and outgoing network traffic and allow or block packets based on a set of predefined rules. The main duty of a firewall is to isolate internal networks from outside networks (such as the internet) to prevent outside attackers and malware from entering secure networks.
Firewalls come in two forms, software and hardware, and most organizations' networks use both at the same time. Additionally, firewalls can be broadly classified into two categories: stateful and stateless.
Stateless firewalls (see Figure 1) monitor network traffic and restrict or block packets based on source and destination IP addresses or other static values. They are not 'aware' of traffic patterns or data flows. A stateless firewall uses Access Control Lists (ACLs), which are network traffic filters used to control incoming or outgoing traffic. A stateless firewall filter does not inspect traffic statefully. Instead, it uses packet filtering rules that define certain match conditions. If the match conditions are met, the stateless firewall allows the packet to enter the network; otherwise, the packet is blocked and access is denied.
Different criteria can be used to define the ACL rules, such as the source and/or destination IP address, the protocol carried in the packet, the source and/or destination port, or a combination of these parameters.
Purpose of Stateless Firewall Filters
The basic purpose of a stateless firewall filter is to enhance security through the use of packet filtering. Packet filtering enables inspection of the components of incoming or outgoing packets and then performs the actions specified on packets that match the criteria. A stateless firewall filter's typical use is to protect the Routing Engine processes and resources from malicious or untrusted packets.
Advantages of Stateless Firewalls
Here are some benefits of using a stateless firewall:
- They are fast.
- They perform well under heavy traffic load.
- They are cost-effective compared with stateful firewalls. A stateless firewall does not need to track connection sessions, so it consumes less memory and CPU power when matching network packets against the ACL rules defined by the network administrator.
The main disadvantage of a stateless firewall is that it judges each packet on its own rather than analyzing the traffic as a whole, which makes it unable to identify the traffic type. As a result, it is less secure than a stateful firewall.
Stateful firewalls (see Figure 2) monitor all traffic streams that pass through the network. They are aware of communication paths and can implement various IP Security (IPsec) functions such as tunnels and encryption. In technical terms, this means that a stateful firewall can tell what stage a TCP connection is in (open, open sent, synchronized, synchronization acknowledged, or established). It can also tell, for example, whether the Maximum Transmission Unit (MTU) has changed and whether packets have been fragmented.
Stateful firewalls filter network traffic based on connection state. When a connection is approved to access the network, it is added to the state table; traffic that does not meet the specified criteria is blocked.
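As an added example (not code from the original article), here is a small Python model of both filter types: the stateless ACL described above, matched on the static fields the article lists, beside a stateful filter that admits a reply packet only when the connection it belongs to is already in the state table. The host 10.0.0.5, the server addresses and the ports are constructed values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    syn: bool = False  # TCP SYN without ACK: the packet that opens a connection

def rule(action, **conditions):
    """One ACL entry: an action plus the packet fields it must match (unlisted = any)."""
    return {"action": action, **conditions}

def stateless_filter(rules, pkt, default="deny"):
    """Stateless ACL: first matching rule decides; each packet is judged on its own."""
    for r in rules:
        if all(getattr(pkt, k) == v for k, v in r.items() if k != "action"):
            return r["action"]
    return default

# Constructed host 10.0.0.5 browsing to an HTTPS server. The stateless ACL needs a
# static rule to let replies back in, and that rule also admits any unsolicited
# packet that merely carries source port 443.
STATELESS_RULES = [rule("allow", src_ip="10.0.0.5", proto="tcp", dst_port=443),
                   rule("allow", dst_ip="10.0.0.5", proto="tcp", src_port=443)]
STATEFUL_RULES = [rule("allow", src_ip="10.0.0.5", proto="tcp", dst_port=443)]

def _flow(p):
    return (p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto)

class StatefulFilter:
    """Rules are consulted only for connection-opening packets; every later packet of
    an approved flow, in either direction, is matched against the state table."""
    def __init__(self, rules):
        self.rules, self.table = rules, set()

    def process(self, p):
        reverse = (p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto)
        if _flow(p) in self.table or reverse in self.table:
            return "allow"            # part of a connection already approved
        if p.proto == "tcp" and p.syn and stateless_filter(self.rules, p) == "allow":
            self.table.add(_flow(p))  # approved: remember the connection
            return "allow"
        return "deny"                 # unsolicited, or not permitted by any rule
```

Feeding the same three packets (the outbound SYN, the server's reply, and an unsolicited packet with source port 443) through both filters shows the difference: the stateless ACL passes all three, while the stateful filter passes the reply only after seeing the SYN and drops the unsolicited packet.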
Compared with stateless firewalls, the stateful type is more intelligent, as it can detect future threats based on present and past observations. However, the main disadvantage of a stateful firewall is its consumption of CPU and memory. Additionally, stateful firewalls are susceptible to DDoS attacks because of their dependence on software-network relationships to manage their operations.
Neither type is superior; there are good arguments and valid use cases for both. Stateless firewalls are typically faster and perform better under heavy traffic loads. On the other hand, stateful firewalls are better at identifying unauthorized and forged communications. The choice comes down to the firewall's key requirements and its intent, aligned with the organization's risk strategy and other defensive layers.