Paubox blog: HIPAA compliant email made easy

What is a stateful firewall?

Written by Kirsten Peremore | January 11, 2024

Unlike other firewalls that simply block or allow traffic based on static rules, a stateful firewall examines both the header information and the state of the packets. This means it understands and keeps track of the context of a network session, such as whether a connection is starting, ongoing, or ending. Its functions include:

  • Inspecting the source and destination of packets.
  • Assessing their content for potential threats.
  • Ensuring that they are part of a legitimate and recognized session.

How does a stateful firewall work?

Connection state tracking: Stateful firewalls monitor the state of active connections. They track each session from its initiation to its active phase until it closes. This tracking includes monitoring the sequence and acknowledgment numbers in TCP connections, ensuring that packets are part of an established session.

Dynamic packet filtering: Unlike static filtering that only examines packet headers, stateful firewalls inspect the contents of data packets. They use dynamic filtering rules that can adapt based on the context of the traffic, allowing or blocking packets based on the current state of the network connection.

Protocol awareness: Stateful firewalls understand different network protocols and can interpret protocol-specific characteristics and states. For example, they recognize the different stages of a TCP connection (SYN, SYN-ACK, ACK) and can differentiate between a new connection request and an existing connection.

Table of known connections: Stateful firewalls maintain a table that records all currently established connections and their states. This table, often called the "state table," includes information like source and destination IP addresses, port numbers, and the connection's current state. The firewall consults this table for every incoming packet to decide whether it's part of an existing connection.

Traffic inspection and analysis: The firewall inspects and analyzes traffic patterns. If a packet doesn't match an existing, known connection (for instance, if it's an unsolicited incoming packet), the firewall can block it or apply specific rules, enhancing security against unauthorized access and attacks.

Timeouts and session management: Stateful firewalls manage session timeouts, automatically closing connections that have been idle for too long. This prevents resources from being tied up indefinitely and offers protection against certain types of attacks, like denial-of-service (DoS).

See also: HIPAA Compliant Email: The Definitive Guide

 

Where is a stateful firewall deployed in a healthcare network?

A healthcare network infrastructure typically incorporates a stateful firewall at the network's edge, where the internal network connects with the external internet or other untrusted networks. This strategic location allows the firewall to act as a gatekeeper by thoroughly examining incoming and outgoing traffic. By being placed at this critical juncture, the firewall monitors all data exchanges and ensures that only legitimate traffic, based on established connections and defined security policies, is allowed to enter or leave the healthcare network. This not only enhances the network's security against external threats such as cyberattacks and unauthorized access, but also assists in managing network traffic. The firewall's capability to recognize and remember the state of network connections enables it to efficiently manage bandwidth and prioritize healthcare services.

 

How does a stateful firewall handle different types of traffic?

TCP (Transmission Control Protocol) management

  • Connection tracking: TCP is a connection-oriented protocol. A stateful firewall tracks the entire lifecycle of a TCP connection, starting from the initial handshake (SYN, SYN-ACK, ACK) to the termination sequences. It ensures that packets are part of an established and ongoing session.
  • Sequence number analysis: The firewall analyzes TCP sequence numbers to prevent session hijacking and replay attacks, ensuring that packets follow the expected sequence within a session.

UDP (User Datagram Protocol) management

  • Session initiation and timeout: Unlike TCP, UDP is connectionless. The firewall manages UDP traffic by defining a session based on the source and destination IP addresses and port numbers. Since there's no formal session initiation or termination, the firewall imposes timeouts to close idle UDP connections.
  • Validation of traffic patterns: The firewall validates UDP traffic patterns and frequency to identify and mitigate risks like flooding attacks.

ICMP (Internet Control Message Protocol) management

  • Type and code inspection: ICMP is used for network diagnostics. The firewall inspects ICMP message types and codes to differentiate between benign network operational traffic (like ping requests) and potentially malicious traffic (like network scanning).
  • Contextual analysis: It analyzes the context of ICMP messages, ensuring they are appropriate responses to network conditions, and not part of an attack like ICMP tunneling or ping of death.

See also: What is a firewall and does your healthcare business need one?

 

What are the advantages of using a stateful firewall?

Employing a stateful firewall in a network boosts security by actively monitoring and tracking the state of each network connection. This approach allows the firewall to identify and block unauthorized access attempts and potentially malicious traffic that a basic firewall might overlook. By understanding the context of each connection, a stateful firewall ensures that only legitimate traffic, which is part of recognized and safe sessions, can pass through. This heightened security protects against complex cyber threats like hacking attempts and malware infections. 

Additionally, a stateful firewall enhances network performance and management. It efficiently manages network bandwidth by prioritizing legitimate and traffic, ensuring optimal network usage. The firewall's filtering capabilities adapt to changing network conditions, providing a balance between security and performance. This results in a smoother network operation, with reduced risks of congestion and improved overall network efficiency. 

See also: Choosing a firewall for a healthcare organization