When considering stateful vs. stateless firewalls, the distinction between the two approaches may sound minor, but it is actually quite significant.
Stateless firewalls, one of the oldest and most basic firewall architectures, were the standard at the advent of the firewall. They were originally described as packet-filtering firewalls, but that name is misleading because both stateless and stateful firewalls filter packets, just in different ways and at different levels of complexity. A stateful firewall tracks each connection across packets, so it knows, for example, whether a TCP handshake ever took place, while a stateless firewall judges every packet on its protocol header alone. Neither inspects the packet payload as a rule; that is deep packet inspection, the province of next-generation firewalls and intrusion detection systems.
Additionally, a stateful firewall continuously monitors the packets on every connection together with the context of that connection, whereas a stateless firewall examines each packet in isolation and decides whether to pass it purely from predetermined rules on header fields such as traffic type, port number or destination address.
Stateful inspection became the norm in most environments years ago, and the majority of modern firewall systems take advantage of it.
Let's investigate the differences and how to choose which is best for your business.
Stateful inspection systems keep a constant view of all network connections and maintain a state table recording the decisions they have made, while stateless firewalls do not. The state table lets a stateful firewall track every open connection and its context: source and destination IP addresses, ports, protocol and, for TCP, the stage the connection has reached (for example, handshake in progress or established). When a packet arrives, the firewall looks it up in the state table to determine whether it belongs to an established connection.
The state table is therefore the running record of the connections the firewall has permitted and the stage each has reached; packets it rejects create no entry. Later filtering decisions take this history into account, so an inbound packet that claims to belong to a connection the firewall never saw opened is dropped even if its header flags look legitimate. This is also what lets a stateful firewall block attacks that are only visible across several packets rather than in any single one.
However, all this monitoring comes at a higher cost in processing power, memory and speed. The state table is a finite resource, so a flood of connection attempts (a TCP SYN flood, for instance) can fill it and cause the firewall to refuse legitimate new connections, which is why stateful firewalls rely on timeouts for half-open entries and similar protections. The greater complexity of the code is also a larger attack surface, and vulnerabilities in it can be exploited if the software isn't kept up to date.
Stateless firewalls rely on predetermined rules in access control lists (ACLs) to decide on each packet individually. They inspect header fields including source and destination IP addresses, port numbers and the transport protocol (TCP vs. User Datagram Protocol).
As a result, stateless firewalls are more limited in their ability to filter traffic, and because they rely on ACLs, the filtering is only as good as the rules the administrator writes. They are more prone to error if ACLs aren't managed properly, cannot adapt over time and, having no memory of earlier packets, cannot tell a genuine reply from a forged packet that merely carries the right header flags.
While this relative simplicity makes stateless firewalls less resource-intensive, faster and able to handle heavy traffic, the limitations mean they can only be deployed in specific scenarios within an enterprise.
The most common implementation of a stateless firewall today is at an internet-facing router. These devices often implement a basic packet-filtering rule set to weed out obviously unwanted traffic and reduce the load on a stateful inspection firewall immediately behind the router.
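As an added illustration (example code written for this page, not from the article), the following Python model puts the two designs described above side by side: a router-style ACL whose "established" rule can only match on the ACK bit, and a stateful filter that admits a packet only if its state table saw the SYN that opened the flow. It also shows the state-table exhaustion caveat noted earlier by capping the table and flooding it with spoofed SYNs. The addresses, ports, rule set and packet stream are constructed assumptions.

```python
"""Toy stateless vs. stateful packet filter. Added illustration, not from the article.
Constructed assumptions: the protected network is 10.0.0.0/24, the only service
exposed to the internet is a web server on TCP/443, and a packet is a 4-tuple
plus TCP flags. Payloads, sequence numbers, UDP and entry timeouts are omitted."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags present, e.g. frozenset({"SYN", "ACK"})

def direction(pkt: Packet) -> str:
    return "out" if pkt.src.startswith("10.0.0.") else "in"  # assumed inside net

# Stateless: a router-style ACL, top-down, first match wins. Rule fields are
# (direction, destination port or None for any, ACK bit required, action). The
# third rule is the classic "established" trick: without a state table, the only
# way to let replies back in is to match packets that carry the ACK bit.
STATELESS_ACL = [
    ("out", None, False, "permit"),  # inside hosts may open anything
    ("in", 443, False, "permit"),    # the internet may reach the web server
    ("in", None, True, "permit"),    # "established": any inbound packet with ACK set
]                                    # implicit deny follows

def stateless_filter(pkt: Packet) -> str:
    d = direction(pkt)
    for rule_dir, dport, ack_required, action in STATELESS_ACL:
        if rule_dir != d or (dport is not None and pkt.dport != dport):
            continue
        if ack_required and "ACK" not in pkt.flags:
            continue
        return action
    return "deny"

# Stateful: same policy intent, but a state table decides what "established" means.
class StatefulFilter:
    def __init__(self, max_entries: int = 1000):
        self.table = {}                 # flow key -> connection state
        self.max_entries = max_entries  # finite memory: the DoS exposure the text notes

    @staticmethod
    def key(pkt: Packet) -> tuple:
        a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        return (a, b) if a < b else (b, a)  # both directions map to one entry

    def allows_new(self, pkt: Packet) -> bool:
        # Only a genuine SYN (no ACK) may create state, and only where policy permits.
        if "SYN" not in pkt.flags or "ACK" in pkt.flags:
            return False
        return direction(pkt) == "out" or pkt.dport == 443

    def filter(self, pkt: Packet) -> str:
        k = self.key(pkt)
        state = self.table.get(k)
        if state is None:
            if not self.allows_new(pkt):
                return "deny"   # no handshake seen: a bare ACK belongs to nothing
            if len(self.table) >= self.max_entries:
                return "deny"   # table full: new connections are refused
            self.table[k] = "SYN_SENT"
            return "permit"
        if state == "SYN_SENT" and {"SYN", "ACK"} <= pkt.flags:
            self.table[k] = "ESTABLISHED"
        if "RST" in pkt.flags:
            self.table.pop(k, None)  # connection torn down, drop its state
        return "permit"

def forged_ack_demo() -> dict:
    """Outsider sends an ACK-only packet at an inside host's SMB port, no prior SYN."""
    forged = Packet("203.0.113.9", 40000, "10.0.0.5", 445, frozenset({"ACK"}))
    handshake = [  # a genuine outbound HTTPS connection, three packets
        Packet("10.0.0.5", 50000, "198.51.100.7", 443, frozenset({"SYN"})),
        Packet("198.51.100.7", 443, "10.0.0.5", 50000, frozenset({"SYN", "ACK"})),
        Packet("10.0.0.5", 50000, "198.51.100.7", 443, frozenset({"ACK"})),
    ]
    sf = StatefulFilter()
    return {
        "stateless_forged": stateless_filter(forged),  # "permit": the ACK bit matched
        "stateful_forged": sf.filter(forged),          # "deny": nothing in the table
        "stateless_handshake": [stateless_filter(p) for p in handshake],
        "stateful_handshake": [sf.filter(p) for p in handshake],
    }

def syn_flood_demo(table_size: int = 3) -> tuple:
    """Spoofed SYNs fill a small state table; a legitimate inside user is then refused."""
    sf = StatefulFilter(max_entries=table_size)
    flood = [Packet(f"203.0.113.{i}", 1000 + i, "10.0.0.80", 443, frozenset({"SYN"}))
             for i in range(table_size + 1)]
    accepted = sum(sf.filter(p) == "permit" for p in flood)
    inside = sf.filter(Packet("10.0.0.5", 50001, "198.51.100.7", 443, frozenset({"SYN"})))
    return accepted, inside

if __name__ == "__main__":
    print(forged_ack_demo())
    print(syn_flood_demo())
```

Running it shows the stateless ACL permitting the forged ACK aimed at port 445 (the "established" rule sees only the flag bit) while the stateful filter denies it, with both passing the genuine three-packet handshake. The flood run shows three spoofed SYNs filling a three-entry table so that a legitimate inside connection is refused; real stateful firewalls counter this with half-open timeouts and SYN cookies, which this model deliberately leaves out to make the exposure visible.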
Choosing between stateful and stateless firewalls
Stateless firewalls are commonly used by consumers but can also be an option for small businesses with limited budgets and less traffic. Less traffic generally means fewer threats to consider, which would make setting the rules for a stateless firewall a manageable task. Stateless firewalls may also be useful in limited scenarios on internal networks, such as between virtual LANs.
For larger enterprises with more traffic that face more threats, stateful firewalls offer more security features and capabilities. However, if an enterprise runs modern applications that spread services across several ports or change ports dynamically, it may be necessary to look beyond stateful firewalls to next-generation firewalls, which identify and inspect applications rather than just network connections.