In computing, a stateful firewall is a firewall that keeps track of the state of network connections (such as TCP streams) travelling across it. The firewall is programmed to know what legitimate packets look like for each type of connection. Only packets which match a known connection state are allowed through; others are rejected.
Early attempts at producing firewalls operated at the application layer of the seven-layer OSI model, but this required too much CPU time. Packet filters operate at the network and transport layers (layers 3 and 4) and can examine TCP/IP packets more efficiently. However, pure packet filters have no concept of state in the sense computer science gives the term (a finite state machine), and are therefore subject to spoofing attacks and other exploits. For example, a rule that admits any inbound packet with the ACK flag set, intended to let replies to outbound connections through, also admits a forged ACK packet sent from anywhere.
A stateful firewall significantly improves on the security of a packet filter because it holds in memory the significant attributes of each connection. It is called "stateful" because it keeps information about the state of each connection from start to finish and performs most of the CPU-intensive checking when the connection is set up. All subsequent packets for that session are processed rapidly, because it is simple and fast to determine whether a packet belongs to an existing, pre-screened session. Once the session has ended, its entry in the state table is discarded.
To prevent the state table from filling up, a session times out if no traffic has passed for a certain period, and the stale entry is removed from the state table. Half-open connections that never complete the handshake are normally given a much shorter timeout than established ones, because an attacker who can create state entries at will could otherwise exhaust the table. Many applications therefore send keepalive messages periodically to stop a firewall from dropping the connection during periods of no user activity.
Today, firewalls are again using application-layer filters, called proxies or application-level proxies, because machines with modern CPU speeds can perform deep inspection in reasonable time. These proxies parse the data within a protocol in order to make informed decisions about the connection. For example, HTTP can be used to tunnel IRC or peer-to-peer file-sharing protocols. A traditional stateful firewall cannot detect this, since all it sees is an established TCP connection to port 80, whereas an application-level firewall can parse the HTTP exchange and selectively block connections according to their content.
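The following is an added example, not code from the original article: a minimal application-layer check of the kind a security proxy applies to the first bytes a client sends on a port-80 connection. A port-based stateful filter sees only "established TCP to port 80" and passes every one of the sample payloads; the proxy parses the HTTP request line and headers, refuses data that is not HTTP at all (an IRC client's NICK/USER commands), and refuses a CONNECT tunnel to anything but port 443. The policy (permitted methods, CONNECT only to 443) and all sample payloads are assumptions constructed for illustration.

```python
"""Added example: application-layer inspection of a port-80 payload.
Policy and sample payloads are constructed for illustration."""
import re
from typing import Dict, Tuple

# Request line per RFC 7230: method SP request-target SP HTTP/1.x CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.([01])\r\n")
# Assumed policy: the methods this proxy is willing to relay.
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT"}


def _headers(rest: bytes) -> Dict[bytes, bytes]:
    """Parse the header block that follows the request line (up to the blank line)."""
    head, _, _ = rest.partition(b"\r\n\r\n")
    out: Dict[bytes, bytes] = {}
    for line in head.split(b"\r\n"):
        if line:
            name, _, value = line.partition(b":")
            out[name.strip().lower()] = value.strip()
    return out


def proxy_verdict(payload: bytes) -> Tuple[str, str]:
    """Judge the first segment a client sent on a port-80 connection.
    Returns ("ACCEPT" or "DROP", reason)."""
    m = REQUEST_LINE.match(payload)
    if not m:
        # Not a syntactically valid HTTP request line, e.g. an IRC client's
        # "NICK"/"USER" commands: refused regardless of the destination port.
        return "DROP", "payload is not an HTTP request"
    method, target, minor = m.group(1), m.group(2), m.group(3)
    if method not in ALLOWED_METHODS:
        return "DROP", "method %s not permitted" % method.decode("ascii", "replace")
    headers = _headers(payload[m.end():])
    if minor == b"1" and b"host" not in headers:
        return "DROP", "HTTP/1.1 request without Host header"
    if method == b"CONNECT":
        # CONNECT turns the proxy into a blind TCP relay, which is exactly how
        # arbitrary protocols get tunnelled; assumed policy allows it only to 443.
        _, _, port = target.rpartition(b":")
        if port != b"443":
            return "DROP", "CONNECT tunnel to port %s refused" % port.decode("ascii", "replace")
    return "ACCEPT", "valid HTTP request"


# Constructed sample payloads, each the first segment of a connection to port 80.
SAMPLES: Dict[str, bytes] = {
    "web_page": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "irc_over_80": b"NICK alice\r\nUSER alice 0 * :Alice\r\nJOIN #chat\r\n",
    "connect_irc": b"CONNECT irc.example.net:6667 HTTP/1.1\r\nHost: irc.example.net:6667\r\n\r\n",
    "connect_https": b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n",
    "no_host": b"GET / HTTP/1.1\r\nUser-Agent: x\r\n\r\n",
}


def classify_samples() -> Dict[str, str]:
    """Verdict per sample; a port-based stateful filter would accept all of them."""
    return {name: proxy_verdict(data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print("%-14s %s (%s)" % (name, *proxy_verdict(data)))
```

A real proxy would go on to parse the response as well and enforce limits on header sizes and chunked encodings; the point here is only that the decision is made on parsed protocol content rather than on addresses, ports and TCP flags.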
Modern computers exchange data by breaking it up into discrete units; in TCP/IP, the most commonly used protocol suite, these are called packets. A firewall inspects each packet and decides whether it should be allowed to pass and continue travelling towards its destination, or be discarded. Common ways of filtering packets are by source/destination address or by source/destination port.
But in most cases this information is not enough. The administrator of the firewall might want to allow packets to pass according to the context of the connection, and not just the characteristics of the individual packet. For example, a packet belonging to an existing connection to port 22 (the Secure Shell port) should be allowed through, but a packet aimed at the same port that does not belong to any existing connection, and is not a valid attempt to open a new one, must be dropped.
With traditional stateless firewalls this was a problem, since the firewall had no way of knowing which packets belonged to existing connections and which did not. Stateful firewalls solve this problem by monitoring network connections and matching every packet they inspect to an existing or new connection, and therefore offer more fine-grained control over network traffic.
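The following is an added example, not code from the original article: a toy stateful packet filter that implements the state table described above, placed next to the stateless "pass anything with ACK set" rule it replaced. A bare SYN to a permitted port creates an entry (this is where the policy check happens); later packets in either direction are admitted only if they match an entry; an RST, or a FIN from each side, tears the entry down; and an idle timeout removes stale entries so the table cannot fill up. The packet fields, the policy (inbound port 22 only, 300 s idle timeout) and all traffic are constructed for illustration.

```python
"""Added example: a toy stateful packet filter with a connection table,
beside the stateless ACK-flag rule. Policy and traffic are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Connection key: (initiator ip, initiator port, responder ip, responder port)
ConnKey = Tuple[str, int, str, int]


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]   # subset of {"SYN", "ACK", "FIN", "RST"}
    ts: float               # arrival time in seconds


@dataclass
class ConnEntry:
    state: str              # "SYN_SENT" -> "ESTABLISHED" -> "CLOSING"
    last_seen: float


class StatefulFilter:
    def __init__(self, allowed_ports, idle_timeout: float = 300.0):
        self.allowed_ports = set(allowed_ports)   # ports new inbound connections may open
        self.idle_timeout = idle_timeout
        self.table: Dict[ConnKey, ConnEntry] = {}

    def _expire(self, now: float) -> None:
        # Sessions with no traffic for idle_timeout are dropped so the table cannot fill up.
        for key in [k for k, e in self.table.items() if now - e.last_seen > self.idle_timeout]:
            del self.table[key]

    def _lookup(self, p: Packet) -> Tuple[Optional[ConnKey], bool]:
        # Try the packet as initiator->responder, then as the reply direction.
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table:
            return fwd, True
        if rev in self.table:
            return rev, False
        return None, False

    def verdict(self, p: Packet) -> str:
        self._expire(p.ts)
        key, from_initiator = self._lookup(p)
        if key is None:
            # No state: the only acceptable packet is a bare SYN to a permitted port.
            # The policy check happens here; later packets only need the table lookup.
            if p.flags == frozenset({"SYN"}) and p.dport in self.allowed_ports:
                self.table[(p.src, p.sport, p.dst, p.dport)] = ConnEntry("SYN_SENT", p.ts)
                return "ACCEPT"
            return "DROP"
        entry = self.table[key]
        entry.last_seen = p.ts
        if "RST" in p.flags:
            del self.table[key]                  # reset ends the session at once
            return "ACCEPT"
        if entry.state == "SYN_SENT":
            if not from_initiator and {"SYN", "ACK"} <= p.flags:
                entry.state = "ESTABLISHED"      # responder completed the handshake
                return "ACCEPT"
            if from_initiator and p.flags == frozenset({"SYN"}):
                return "ACCEPT"                  # retransmitted SYN
            return "DROP"                        # anything else mid-handshake is a violation
        if "FIN" in p.flags:
            if entry.state == "CLOSING":
                del self.table[key]              # both sides have closed: discard the entry
            else:
                entry.state = "CLOSING"
        return "ACCEPT"


def stateless_verdict(p: Packet, allowed_ports) -> str:
    """Pre-stateful approximation of 'established' traffic: pass any packet with
    ACK set. A forged ACK from anywhere walks straight through."""
    if "ACK" in p.flags or (p.flags == frozenset({"SYN"}) and p.dport in allowed_ports):
        return "ACCEPT"
    return "DROP"


def run_scenario() -> Dict[str, List[str]]:
    """Constructed traffic: an SSH session, two forged ACK probes, then a packet
    on the same session after it has sat idle longer than the timeout."""
    F = frozenset
    client, server, attacker = "10.0.0.5", "192.0.2.10", "203.0.113.7"
    packets = [
        Packet(client, 40000, server, 22, F({"SYN"}), 0.0),         # opens the SSH connection
        Packet(server, 22, client, 40000, F({"SYN", "ACK"}), 0.1),  # server's reply
        Packet(client, 40000, server, 22, F({"ACK"}), 0.2),         # handshake complete
        Packet(server, 22, client, 40000, F({"ACK"}), 1.0),         # data from the server
        Packet(attacker, 443, client, 40000, F({"ACK"}), 2.0),      # forged "established" packet
        Packet(attacker, 5555, server, 22, F({"ACK"}), 2.5),        # ACK scan of the SSH port
        Packet(client, 40000, server, 22, F({"ACK"}), 400.0),       # session idle for > 300 s
    ]
    sf = StatefulFilter(allowed_ports={22}, idle_timeout=300.0)
    return {
        "stateful": [sf.verdict(p) for p in packets],
        "stateless": [stateless_verdict(p, {22}) for p in packets],
    }


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(name, verdicts)
```

Running the scenario, the stateless rule accepts all seven packets, including the two forged ACKs, while the stateful filter accepts the four packets of the real session, drops both forgeries because no table entry matches them, and drops the last packet because its session has been expired from the table. Real implementations additionally track sequence-number windows and keep separate, shorter timeouts for half-open connections; both are omitted here to keep the state machine readable.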
Examples of stateful firewalls: Linux netfilter (iptables and nftables with connection tracking), OpenBSD pf, and Check Point FireWall-1, the product that introduced the term "stateful inspection".
Examples of application level proxy firewalls: the TIS Firewall Toolkit and its commercial successor Gauntlet, and Zorp.
Squid is an example of a caching proxy rather than a security proxy: its main purpose is to store local copies of popular web pages and so save bandwidth.
See also: firewall, stateless firewall, application level firewall, Proxy server