
Stateful Firewalls Holding Their Own After More Than Two Decades (NSS Labs Blog)


First patented in 1994 by Check Point Software, stateful firewalls are an evolution of the packet filtering firewall. Stateful firewalls were a game changer because they introduced state tables, which let a firewall store the status (or state) of each network connection. This information enables stateful firewalls to examine session information (layer 4) as well as inspect each packet's source and destination information. The session information is compared against the existing connections recorded in the state table. If a matching established connection exists, traffic is allowed to pass through unimpeded; if not, the firewall performs inspection at both layer 3 and layer 4 before deciding to allow or deny. This process drastically increases the efficiency with which these second-generation firewalls handle traffic.
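As an added illustration (not code from the NSS Labs post), the toy stateful firewall below models the behaviour just described: packets that match an entry in the state table take the fast path, and only packets with no matching connection go through the full layer 3/4 rule check. The addresses, ports, rule set and packet sequence are constructed sample values.

```python
from dataclasses import dataclass
from typing import Set, Tuple

# A simplified packet: 5-tuple plus the two TCP flags the toy needs (constructed data).
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    syn: bool = False
    ack: bool = False

ConnKey = Tuple[str, int, str, int, str]

class StatefulFirewall:
    """State table of established connections plus L3/L4 allow rules that are
    consulted only when a packet matches no existing connection."""

    def __init__(self, allow_rules: Set[Tuple[str, int, str]]):
        self.allow_rules = allow_rules      # (dst, dport, proto) permitted to open connections
        self.state: Set[ConnKey] = set()    # the state table
        self.inspections = 0                # packets that needed the full L3/L4 check

    def _key(self, p: Packet) -> ConnKey:
        return (p.src, p.sport, p.dst, p.dport, p.proto)

    def _reverse(self, p: Packet) -> ConnKey:
        return (p.dst, p.dport, p.src, p.sport, p.proto)

    def process(self, p: Packet) -> str:
        # Fast path: either direction of a known connection passes without rule inspection.
        if self._key(p) in self.state or self._reverse(p) in self.state:
            return "ALLOW(state)"
        # Slow path: full L3/L4 inspection. Only a connection-opening SYN may create state;
        # a mid-stream or reply packet with no entry is dropped (the doorman never saw its ID).
        self.inspections += 1
        if p.proto == "tcp" and not (p.syn and not p.ack):
            return "DENY(no-state)"
        if (p.dst, p.dport, p.proto) in self.allow_rules:
            self.state.add(self._key(p))
            return "ALLOW(new)"
        return "DENY(rule)"

def demo() -> Tuple[list, int]:
    """Run a constructed packet sequence and return (verdicts, rule inspections performed)."""
    fw = StatefulFirewall({("10.0.0.5", 443, "tcp")})
    pkts = [
        Packet("192.0.2.10", 50000, "10.0.0.5", 443, "tcp", syn=True),            # client opens HTTPS
        Packet("10.0.0.5", 443, "192.0.2.10", 50000, "tcp", syn=True, ack=True),  # server reply
        Packet("192.0.2.10", 50000, "10.0.0.5", 443, "tcp", ack=True),            # client data
        Packet("198.51.100.7", 4444, "10.0.0.5", 443, "tcp", ack=True),           # stray ACK, no state
        Packet("192.0.2.10", 50001, "10.0.0.5", 22, "tcp", syn=True),             # SSH not permitted
    ]
    return [fw.process(p) for p in pkts], fw.inspections

if __name__ == "__main__":
    print(demo())
```

Of the five packets only three reach the rule check; the server reply and the client's data packet are matched against the state table alone.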

Stateful firewalls are a bit like the doorman at a club. To get into the club you’re required to show him your ID; after he inspects your ID and verifies that you are of legal age to enter, he lets you in. If you need to go out to your car and grab something, he remembers who you are and lets you back in without a hassle.

Much of the data in our 2017 US Enterprise Architecture study has been eye-opening, but the data from our stateful firewall study has been particularly interesting.