Perimeter 3min de Leitura - 26 de August de 2020

Firewall: stateless and stateful filtering mechanisms

Homem parado em frente a servidor proxy

This post is also available in: Português English Español

Two of the first and main filtering mechanisms, present in firewalls, were created between 1989 and 1994, initially by Digital Equipments and later by the AT&T Bell Labs.

In spite of the advanced age, when dealing with technological aspects, stateless and stateful filtering respectively formed the basis for the construction and evolution of firewall solutions used nowadays.

Understanding the functioning of these mechanisms facilitates the understanding of new technologies, besides helping in a substantial way in defining the best application, according to the needs of the environment.

Even with the complexity behind security and firewall solutions, stateful filters are often used nowadays, however, usually in a transparent way, not being manageable or visible by administrators and security analysts.

We will cover the topic in an introductory way to ensure that you can benefit from understanding both the concepts that were (and are) so important to firewalls.

Packet filtering

All communication in a computer network is segmented into small packets according to the maximum transfer unit between the networks (MTU), usually 1500 bytes. In every layer, there is header information useful for processing, besides the data part (payload) where information is actually transported.

Packet filtering is nothing more than a mechanism capable of parsing headers in certain layers of the TCP/IP suite and, based on a pre-set rule pattern, forward the packet to the next step, or disregard it.

This is the basic concept of understanding a packet-control structure, and it is only possible because firewalls are strategically placed in a network topology where inter-network traffic is tapered or strangled.

Once the packet passes through the firewall (and only in this way can it reach the final destination), it has the power to define whether or not this should be forwarded. Packet forwarding is the fundamental routing feature, a function also performed by a firewall.

Stateless filtering

Stateless filtering provides an independent packet evaluation feature, where the connection is unknown. This means that each packet passing through the firewall, regardless of whether it is a new or existing connection, is evaluated by rules set by the administrator.

It is common in these architectures to create a rule for each traffic direction, predicting both the output (sending) and the input (receiving) it, which commonly occurs in different network interfaces. Since there is no knowledge of the connections, it is not possible to predict the return of the connection.

The environments with this filtering mechanism have the common tendency to have a greater number of rules, due to the need to predict the two directions of a communication (input and output).

Stateless firewalls are less and less used, yet it is still present in network devices whose focus is not security, ensuring that basic access rules can be created, avoiding unnecessary exposures.

The most important concept to be recorded about stateless firewalls is that they do not have knowledge about connections, and so they enforce their rules on all packets passing through the device.

Stateful firewall

Stateful firewalls were later designed to address security issues that emerged with the first generation, such as the case of forging connection information (spoof).

The fundamental importance was to guide the filtering to connection, allowing the filtering mechanism to know the connections and based on this it would legitimize a packet or not. This auxiliary feature is known as connection table or status table.

With the status table, every connection start is properly registered (a new status is created). When the packet returns, before starting the process of evaluating the access rules, the stateful firewall checks the status table, validating if there is any associated connection and, if it does, accepts the connection without processing the rules. Otherwise, discard the package.

The security of the environment is substantially increased by using of a stateful firewall, considering that there is traceability of parameters used to validate an active connection in the structure. The level and complexity of tracking depends on the manufacturer. Some use only address parameters as well as source and destination port, while others use sequence and acknowledgment number, window size, and so on, in the case of TCP.

As the connection evolves in terms of packet exchanges, the status table is always updated with the information, in order to ensure continuity of security and integrity. This process also guarantees the validity of the connection, without it being necessary to evaluate the access rules defined by the administrator.

In a stateful firewall, there is important savings in computing resources, since there is an initial effort to create new connections, which is offset to closure by not having to process the access rules. It is very common to find this filtering mechanism in the most modern solutions, which remains a fundamental element in the defense strategy in depth.

This post is also available in: Português English Español