What’s Stateful Inspection?

Stateful inspection is a firewall technique that inspects entire data packets before they enter a network. It checks the status of established connections and stores information in a table to make security decisions. This method was first developed by Check Point® software in the mid-1990s and addresses denial of service attacks and other vulnerabilities.

Stateful inspection is a technique used in computer network firewalls to protect a network from unauthorized access. Sometimes also known as dynamic filtering, the method is capable of inspecting an entire data packet before it enters the network. This way, every packet that enters any interface on the firewall is thoroughly checked for validity against the types of connections that can go through to the other side. The process gets its name because it not only inspects data packets, but also checks the status of a connection that has been established and allowed through the firewall.

The idea of stateful inspection was first conceived by Check Point® software in the mid-1990s. Before the Check Point® Firewall-1 INSPECT engine software, firewalls monitored the application layer, at the top of the open systems interconnection (OSI) model. This tended to be very taxing on a computer’s processor, so packet inspection moved down the OSI model to the third layer, the network layer. Packet inspection at that layer only checked the header, addressing, and protocol information of the packets and had no way of distinguishing the state of the packet, such as whether it was a new connection request.

In a stateful inspection firewall, the fast and resource-friendly packet filtering method is combined with the more detailed information available at the application level. This gives the packet some context, and therefore more information on which to base security decisions. To store all this information, the firewall must maintain a table that defines the state of each connection. The details of each connection, including address, port and protocol information, as well as packet sequence information, are stored in this table. The only time resources are strained is when the initial entry is created in the state table; after that, every subsequent packet matched against that state entry uses very little processing.

The stateful inspection process begins when the first packet requesting a connection is captured and inspected. The packet is checked against the firewall rules, a set of authorization parameters that can be customized without limit to support previously unknown or yet to be developed software, services and protocols. The captured packet initiates the handshake, and the firewall sends a response to the requesting user confirming the connection. Now that the table has been populated with connection state information, each following packet from the client is compared with that state. This continues until the connection times out or is terminated, at which point the state information for that connection is cleared from the table.

This leads to one of the problems a stateful inspection firewall has to address: the denial of service attack. In this type of attack, security is not compromised, but the firewall is bombarded with numerous initial packets requesting a connection, forcing the state table to fill up with requests. Once full, the state table can no longer accept any entries, and therefore all further connection requests are blocked. Another method of attacking a stateful firewall leverages rules that block incoming traffic but allow outgoing traffic. An attacker can trick a host on the secure side of the firewall into requesting connections from the outside, effectively opening up all services on the host for the attacker’s use.
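The state-table mechanism of the previous paragraphs (rules consulted only for a new connection, cheap lookups for every later packet, entries cleared on teardown or timeout) and the table-exhaustion problem just described can be shown in a small constructed model. The code below is an added illustration written for this page, not Check Point's or any other vendor's implementation; the `Packet` fields, the `max_states` limit, the idle timeout and all addresses are assumptions chosen for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple
# Constructed, simplified model of the state table described above; not any vendor's code.
FlowKey = Tuple[str, str, int, int, str]  # (src, dst, sport, dport, proto)

@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"
    syn: bool = False   # first packet of a new connection request
    fin: bool = False   # teardown: the entry is cleared from the table
    ts: float = 0.0     # arrival time in seconds (constructed clock)

class StatefulFirewall:
    def __init__(self, allowed_ports: Set[int], max_states: int, idle_timeout: float):
        self.allowed_ports = allowed_ports    # rule set, consulted only for new connections
        self.max_states = max_states          # the table is finite: this is the DoS weak point
        self.idle_timeout = idle_timeout      # idle entries are cleared (connection times out)
        self.table: Dict[FlowKey, float] = {}  # flow key -> last-seen timestamp

    def filter(self, pkt: Packet) -> str:
        """Return 'allow' or 'drop' for one packet and update the state table."""
        for k in [k for k, seen in self.table.items() if pkt.ts - seen > self.idle_timeout]:
            del self.table[k]                 # expire idle connections
        key: FlowKey = (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)
        reverse: FlowKey = (pkt.dst, pkt.src, pkt.dport, pkt.sport, pkt.proto)
        for k in (key, reverse):              # established flow in either direction:
            if k in self.table:               # a cheap lookup, no rule evaluation at all
                if pkt.fin:
                    del self.table[k]
                else:
                    self.table[k] = pkt.ts
                return "allow"
        if not pkt.syn:
            return "drop"                     # mid-stream packet with no matching state
        if pkt.dport not in self.allowed_ports:
            return "drop"                     # new connection rejected by the rules
        if len(self.table) >= self.max_states:
            return "drop"                     # table full: further new connections are refused
        self.table[key] = pkt.ts              # the one costly step: creating the entry
        return "allow"

def table_exhaustion(fw: StatefulFirewall, n: int) -> str:
    """Open n allowed connections from one constructed source; verdict for a later legitimate request."""
    for i in range(n):
        fw.filter(Packet("198.51.100.9", "10.0.0.5", 1024 + i, 80, syn=True, ts=1.0))
    return fw.filter(Packet("192.0.2.7", "10.0.0.5", 50000, 80, syn=True, ts=1.0))
```

Once `n` reaches `max_states`, the legitimate request is dropped although it matches the rules, which is why a real firewall bounds the table and relies on timeouts to reclaim entries.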



