Where do stateful inspection firewalls keep track of known connection sessions?

A stateful firewall collects data regarding every connection made through it. All of these data points form profiles of “safe” connections. When a subsequent connection is attempted, it is checked against the list of attributes collected by the stateful firewall. If it has the qualities of a safe connection, it is allowed to occur. If not, the data packets are discarded. Data packets contain information about the data within them. A stateful firewall performs packet inspection, which checks the contents of packets to see if they pose threats.

Stateful firewalls can also integrate additional services, such as encryption or tunnels. These boost performance because they block malicious actors from reading the contents of communications, thereby making the connection safer through access control.

TCP is one of the primary protocols the internet uses to send and receive data, allowing data to be sent and received at the same time. In addition to helping transmit information, TCP contains data that can result in a reset (RST) of the connection, stopping it completely. TCP also dictates when the transmission should end with a FIN (finish) command. It groups data into packets, and when they arrive at the destination, the packets are reassembled into data the receiver can understand. 

Stateful firewalls use TCP traffic to keep track of connections by examining the contents of the packets created in the TCP process. The three stages of a TCP connection—synchronize (SYN), synchronize-acknowledge (SYN-ACK), and acknowledge (ACK)—are used by a stateful inspection firewall to identify the parties involved in order to spot a potential threat. If signs of a bad actor are revealed as the TCP handshake takes place, the stateful firewall can discard the data.

In short, firewalls are network functions specifically tailored to inspect network traffic. Upon inspection, the firewall will decide to carry out specific actions, such as forwarding or blocking it according to some criteria. In such a way, we can see firewalls as security network entities and we have a number of different firewall types. The different firewall types will be used in different network locations in your infrastructure, such as distributed firewalls situated at a hypervisor layer. You may have a stateful firewall close to workloads while a packet-filtering firewall is at the network’s edge. As identity is now the new perimeter, many opt to have a stateful inspection firewall nearer to the workloads. Now with virtualization, you can have a stateful firewall per workload, commonly known as virtual firewalls. This post will focus on the stateful firewall and stateful inspection firewall. We will briefly touch on basic packet filtering, firewall traffic flow, reflexive access list and where they fit in the world of the stateful firewall. Firstly, what is a stateful firewall?


Stateful Inspection Firewall

Requirements to note:

  • Also known as dynamic packet filtering.

  • Monitors the state of active connections.

  • Filters based on state and context.

  • Primarily used at the Transport and Network layers of the OSI model.

  • Better security than a stateless firewall.


What Is a Stateful Firewall?

The stateful firewall examines Layer 4 headers and above, analyzing firewall traffic flow and enabling support for application-aware inspections. Stateful inspection keeps track of every connection passing through the firewall's interfaces by analyzing packet headers and additional payload information.


  • A key point: State and Context.

The two important terms to understand are state and context. Filtering is based on the state and context information that the firewall derives from a session's packets. The firewall stores state information in its state table, which is updated continually. In TCP, for example, the state is reflected in specific flags such as SYN, ACK and FIN. Then we have the context: source and destination ports, IP addresses, sequence numbers and other metadata. The firewall stores this information as well and updates it based on the traffic flowing through it.


  • A key point: Stateful Firewall and interface configuration

When considering a stateful inspection firewall, you should consider the interfaces in firewall terms. For example, some interfaces are connected to protected networks, where data or services must be secured. Others connect to public or unprotected networks, where untrusted users and resources are located.

The top portion of the diagram below shows a stateful firewall with only two interfaces, which connect to the inside (more secure) and outside (less secure) networks. The bottom portion of the figure shows the stateful inspection firewall with three interfaces connected to the inside (most secure), DMZ (less secure), and outside (least secure) networks. The firewall has no concept of these interface designations or security levels; these concepts are put into play by the inspection processes and policies configured.

So you need to tell the firewall which interface is at what security level, and this will affect the firewall traffic flow. Some traffic is denied by default between interfaces with certain default security levels.


Interface configuration specific to ASA

Since version 7.0 of the ASA code, configuring interfaces in the firewall appliance is very similar to configuring interfaces in IOS-based platforms. If the firewall connection to the switch is an 802.1q trunk (the ASA supports 802.1q only, not ISL), you can create sub-interfaces corresponding to the VLANs carried over the trunk. Do not forget to assign a VLAN number to the sub-interface. The native (untagged) VLAN of the trunk connection maps to the physical interface and cannot be assigned to a sub-interface.


Stateful Inspection and full state of active network connections

So we know that the stateful firewall monitors the full state of active network connections and constantly analyses the complete context of traffic and data packets. Then we have the payload to consider. The payload is the part of the transmitted data that is the intended message; the headers and metadata sent along with it exist only to enable payload delivery. Payloads offer information about transactions, which can protect against some of the most advanced network attacks. For example, with deep packet inspection the stateful firewall can be configured to deny specific Hypertext Transfer Protocol (HTTP) content types or specific File Transfer Protocol (FTP) commands, which may be used to penetrate networks.

Stateful inspection and Deep Packet Inspection (DPI)

The following diagram shows the OSI layers and which layers are involved in stateful inspection. As you can see, stateful inspection operates primarily at the transport and network layers of the Open Systems Interconnection (OSI) model, which describes how applications communicate over a network. However, it can also examine application layer traffic, if only to a limited degree. Inspection higher up in the OSI layers is called Deep Packet Inspection (DPI). DPI is considered more advanced than stateful packet filtering: it is a form of packet filtering that locates, identifies, classifies and reroutes or blocks packets with specific data or code payloads that conventional packet filtering, which examines only packet headers, cannot detect. Many firewall vendors offer stateful inspection and DPI on the same appliance. However, a design may require a separate appliance for compliance or performance reasons.

Diagram: Stateful inspection firewall.


Stateful Inspection Firewall

What is a stateful firewall?

A stateful firewall keeps track of and monitors the state of active network connections while analyzing incoming traffic and looking for potential traffic and data risks. The state is a process or application’s most recent or immediate status. In a firewall, the state of connections is stored, providing a list of connections against which to compare the connection a user is attempting to make. Stateful packet inspection is a technology used by stateful firewalls to determine which packets to allow through the firewall. It works by examining the contents of a data packet and then comparing them against data about packets that have previously passed through the firewall.


Stateful Firewall Feature (as listed in the original table, against the Stateful Firewall column)

  • Better logging than standard packet filters

  • Protocols with dynamic ports

  • TCP SYN cookies

  • TCP session validation

  • No TCP fingerprinting: Not present

Stateful firewall and packet filters

The stateful firewall is in contrast to packet filters, which match individual packets based on their source/destination network addresses and transport-layer port numbers. Packet filters hold no state and do not check the validity of transport layer sessions: sequence numbers, Transmission Control Protocol (TCP) control flags, TCP acknowledgements, or fragmented packets. The key advantage of packet filters is that they are fast and processed in hardware. Reflexive access lists are closer to a stateful tool than packet filters: whenever a TCP or User Datagram Protocol (UDP) session is permitted, a matching entry for the return traffic is automatically added.

The disadvantage of reflexive access lists is that they cannot detect or drop malicious fragments or overlapping TCP segments. Transport layer session inspection goes beyond reflexive access lists and addresses fragment reassembly and transport-layer validation. Application-level gateways (ALG) add further awareness: they can deal with FTP or Session Initiation Protocol (SIP) applications that exchange IP addresses and port numbers in the application payload. These protocols operate by opening additional data sessions on multiple ports.


  • Simple packet filters for a perfect world

In a perfect world, where most traffic exits the data center, servers are patched regularly and listen on standard TCP or UDP ports, designers could get away with simple packet filters. In the real world, each server is a distinct client with multiple traffic flows to and from the data center and back-end systems, and unpredictable source TCP or UDP port numbers make packet filters impractical. Instead, add control with deep packet inspection for unpredictable scenarios and poorly managed servers. Stateful firewalls keep connection state and allow return traffic dynamically: return traffic is permitted only if state for that flow already exists in the connection table. The traffic must be part of a return flow; if not, it is dropped.
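As an added illustration (not code from the original post), the following Python models the state and context tracking described under "state and context" and the rule just above that return traffic is permitted only when a flow already exists in the connection table: a state table keyed by addresses and ports, driven by the TCP SYN, SYN-ACK, ACK, FIN and RST flags, and consulted before any access list. The interface names and sample addresses are constructed.

```python
from collections import namedtuple

# Constructed packet shape; flags is a frozenset drawn from {"SYN","ACK","FIN","RST"}
Packet = namedtuple("Packet", "iface src sport dst dport flags")
INSIDE, OUTSIDE = "inside", "outside"   # assumed interface names (protected / unprotected)


class StatefulFirewall:
    """State table keyed by the context (addresses and ports); TCP flags drive the state."""

    def __init__(self):
        self.table = {}   # initiator's (src, sport, dst, dport) -> connection state

    def process(self, p) -> str:
        """Return 'permit' or 'drop' for one packet and update the state table."""
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        key = fwd if fwd in self.table else rev if rev in self.table else None
        # 1. Existing session: the state table is consulted before any access list.
        if key is not None:
            state, from_initiator = self.table[key], key == fwd
            if "RST" in p.flags:                       # reset tears the session down
                del self.table[key]
                return "permit"
            if state == "SYN_SENT":                    # waiting for the SYN-ACK
                if not from_initiator and {"SYN", "ACK"} <= p.flags:
                    self.table[key] = "SYN_RECEIVED"
                    return "permit"
                return "permit" if from_initiator and p.flags == {"SYN"} else "drop"
            if state == "SYN_RECEIVED":                # waiting for the final ACK
                if from_initiator and p.flags == {"ACK"}:
                    self.table[key] = "ESTABLISHED"
                    return "permit"
                return "drop"
            if "FIN" in p.flags:                       # orderly close in progress
                self.table[key] = "CLOSING"
            return "permit"
        # 2. No session: only a new SYN arriving on the protected side opens one.
        if p.iface == INSIDE and p.flags == {"SYN"}:
            self.table[fwd] = "SYN_SENT"
            return "permit"
        # 3. Anything else (unsolicited SYN or bare ACK from outside) has no state.
        return "drop"


def handshake_demo() -> list:
    """Constructed scenario: inside host opens HTTPS; outside host probes SSH."""
    fw = StatefulFirewall()
    a, b, s = ("10.0.0.5", 40000), ("203.0.113.10", 443), ("198.51.100.9", 5555)
    pkts = [Packet(INSIDE, *a, *b, frozenset({"SYN"})),
            Packet(OUTSIDE, *b, *a, frozenset({"SYN", "ACK"})),
            Packet(INSIDE, *a, *b, frozenset({"ACK"})),
            Packet(OUTSIDE, *s, "10.0.0.5", 22, frozenset({"SYN"})),   # unsolicited
            Packet(OUTSIDE, *b, *a, frozenset({"RST"}))]
    return [fw.process(p) for p in pkts]
```

The demo returns the decision per packet; the unsolicited SYN is the only one dropped, and the RST removes the session from the table.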


  • A stateless firewall – predefined rule sets

A stateless firewall uses a predefined set of rules. If the arriving data packet conforms to the rules, it is considered “safe.” The data packet is allowed to pass through. With this approach to firewalling, traffic is classified instead of inspected. The process is less rigorous compared to what a stateful firewall does. Remember that a stateless firewall does not differentiate between certain kinds of traffic, such as Secure shell (SSH) versus File Transfer Protocol (FTP). A stateless firewall may classify these as “safe” and allow them to pass through, which can result in potential vulnerabilities.

A stateful firewall holds context across all its current sessions rather than treating each packet as an isolated entity, as with a stateless firewall. With stateless inspection, lookup functions have much less impact on processor and memory resources, resulting in faster performance even if traffic is heavy.


The Stateful Firewall and Security Levels

Regardless of the firewall mode, or whether it runs single or multiple contexts, the Adaptive Security Appliance (ASA) permits traffic based on a concept of security levels configured per interface. This is an important point for ASA failover and how you design your failover firewall strategy. The configurable range is from level 0 to 100, and every interface on the ASA must have a security level. The security level expresses how trusted the interface is, from 0 (lowest) to 100 (highest), and gives a way to control traffic flow based on the security level numbering. The default security level is 0; if you name an interface "inside" without explicitly entering a security level, the ASA automatically sets its security level to 100 (highest).

By default, based on the configured nameif, ASA assigns the following implicit security levels to interfaces:

  • 100 to a nameif of inside.
  • 0 to a nameif of outside.
  • 0 to all other nameifs.


Without any configured access lists, ASA implicitly allows or restricts traffic flows based on the security levels:

Security Levels and Traffic Flows

  • Traffic from high-security level to low-security level is allowed by default (for example, from 100 to 0, or in our case, from 60 to 10)

  • Traffic from low-security level to the high-security level is denied by default; to allow traffic in this direction, an ACL must be configured and applied (at the interface level or global level)

  • Traffic between interfaces with an identical security level is denied by default (for example, from 20 to 20, or in our case, from 0 to 0); to allow traffic in this direction, the command same-security-traffic permit inter-interface must be configured


Firewall traffic flow between security levels

By default, traffic can flow from the highest security level to the lowest without any explicit configuration. Interfaces on the same security level cannot communicate directly, and packets cannot enter and exit the same interface. To override these defaults (which permit only high-to-low traffic), explicitly configure ACLs on the interface or, in newer versions, use a global ACL. A global ACL affects all interfaces in all directions.


Firewall traffic flows

Inter-interface communication (routed mode only): enter the command "same-security-traffic permit inter-interface" or permit the traffic explicitly with an ACL. This gives design granularity and allows more interfaces at the same security level to communicate with each other. Intra-interface communication is configured for traffic hairpinning (traffic arrives on the outside interface and goes back out the outside interface). This is useful for hub-and-spoke VPN deployments, where traffic enters an interface and routes back out the same interface for spoke-to-spoke communication. To enable intra-interface communication, enter the command "same-security-traffic permit intra-interface."


Default inspection and Modular Policy Framework ( MPF )

ASA implements what is known as Modular Policy Framework ( MPF ). MPF controls WHAT traffic is inspected, which could be Layer 3 or Layer 4 inspection of TCP, UDP, ICMP, an application-aware inspection of HTTP, or DNS. It also controls HOW traffic is inspected based on connection limits and QoS parameters.

The ASA inspects TCP and UDP from the inside (higher security level) to the outside (lower security level); this cannot be disabled. There is no traffic inspection from outside to inside unless the traffic belongs to an original flow. An entry is created in the state table as traffic leaves, so when the return flow comes back the ASA checks the state table before reaching the implicit deny ACL and validates the specific connection and application data. This goes beyond Layer 3 or 4 inspection and depends on the application.

By default, the ASA does not inspect ICMP traffic. Enable ICMP inspection in the global inspection policy, or explicitly allow ICMP with interface or global ACLs. The ASA global policy affects all interfaces in all directions. The state table is checked before any ACL. Packet Tracer is a good troubleshooting tool: it steps through all the inspections and displays the order in which the ASA processes a packet.
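As an added example (not Cisco's or the post's own code), this Python model encodes the default security-level rules from the section above, the two same-security-traffic commands, and the state-table-before-ACL order from the inspection notes. The ACL representation, the demo interface names and the level values are constructed for the model.

```python
from dataclasses import dataclass, field


def default_security_level(nameif: str) -> int:
    """Implicit level assigned from the nameif: inside -> 100, anything else -> 0."""
    return 100 if nameif == "inside" else 0


@dataclass
class AsaPolicy:
    levels: dict                                   # nameif -> configured security level
    acl_permits: set = field(default_factory=set)  # constructed ACL shape: (ingress, egress, dst port)
    inter_interface: bool = False                  # same-security-traffic permit inter-interface
    intra_interface: bool = False                  # same-security-traffic permit intra-interface

    def level(self, nameif: str) -> int:
        return self.levels.get(nameif, default_security_level(nameif))

    def decide(self, ingress: str, egress: str, dst_port=None, returning=False) -> str:
        """Decision for a flow entering on `ingress` and leaving on `egress`."""
        # Return traffic of a known session is matched in the state table before any ACL.
        if returning:
            return "permit (state table)"
        # An explicit ACL permit opens low-to-high or same-level traffic.
        if (ingress, egress, dst_port) in self.acl_permits:
            return "permit (acl)"
        # Hairpin: in and out of the same interface needs the intra-interface permit.
        if ingress == egress:
            return "permit (intra-interface)" if self.intra_interface else "deny (hairpin)"
        src, dst = self.level(ingress), self.level(egress)
        if src > dst:
            return "permit (high to low)"          # allowed without any configuration
        if src == dst:
            return "permit (inter-interface)" if self.inter_interface else "deny (same level)"
        return "deny (low to high)"                # needs an interface or global ACL


def three_arm_demo() -> dict:
    """Constructed inside (100) / DMZ (50) / outside (0) firewall with one ACL entry."""
    asa = AsaPolicy(levels={"inside": 100, "dmz": 50, "outside": 0},
                    acl_permits={("outside", "dmz", 443)})    # allow HTTPS into the DMZ
    return {
        "inside->outside": asa.decide("inside", "outside"),
        "dmz->outside": asa.decide("dmz", "outside"),
        "outside->dmz:443": asa.decide("outside", "dmz", dst_port=443),
        "outside->dmz:22": asa.decide("outside", "dmz", dst_port=22),
        "outside->inside": asa.decide("outside", "inside"),
    }
```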



Matt Conran

Public Speaker, Author and Consultant at Conran Insight

Matt Conran has more than 24 years in the networking and security industry, working with entrepreneurial start-ups, government organizations, and others. He now focuses on public speaking, authoring content, consulting, and creating e-learning courses.

Which firewall keeps track of the connection state?

Stateful inspection firewalls keep track of connection status.

What does stateful firewall type maintain to know the state of each connection?

A stateful firewall keeps track of the state of network connections, such as TCP streams, UDP datagrams, and ICMP messages, and can apply labels such as LISTEN, ESTABLISHED, or CLOSING.

How does stateful inspection firewall work?

Stateful inspection monitors communication packets over a period of time and examines both incoming and outgoing packets. The firewall follows outgoing packets that request specific types of incoming packets and authorizes those incoming packets to pass through as long as they constitute a valid response.

What is stateful inspection How is state information maintained during a network connection or transaction?

Stateful inspection keeps track of each network connection between internal and external systems using a state table. The state table tracks the context and state of each packet in the conversation by recording which station sent the packet and when it was sent.