Stateful inspection is “[a] firewall inspection technique that examines the claimed purpose of a communication for validity. For example, a communication claiming to respond to a request is compared to a table of outstanding requests.”
Stateful inspection evolved from the need to accommodate certain features of the TCP/IP protocol suite. When an application uses TCP (a connection-oriented transport) to create a session with a remote host system, a port is also created on the source system. This port receives network traffic from the destination system. For connection-oriented transport to occur, packet filters must permit inbound network traffic on all return packets from the destination system. Opening this many ports creates an immense risk of intrusion by unauthorized users, who may employ a variety of techniques to abuse the expected conventions.
Stateful inspection firewalls solve this problem by creating a directory of outbound TCP connections, along with each session’s corresponding client port. This “state table” is then used to validate any inbound traffic. The stateful inspection solution is more secure because the firewall tracks client ports individually rather than opening all inbound ports for external access.
Stateful inspection firewalls share the strengths and weaknesses of packet filters, but because of the state table implementation, stateful inspection firewalls are generally considered to be more secure than packet filters. Stateful inspection firewalls can accommodate other network protocols in the same manner as packet filters, but the actual stateful inspection technology is relevant only to TCP/IP.
- NIST Special Publication 800-36, at 26.
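The state-table mechanism described above, as an added worked example (this is not code from NIST SP 800-36 or from any real firewall product): a toy stateful inspector in Python that records each outbound TCP connection together with its client port and admits inbound packets only when they match an outstanding entry, shown beside a stateless packet filter that has to accept every inbound packet bound for an ephemeral port. The addresses, ports, the "inside" prefix and the idle timeout are all constructed for the example; a real implementation would also track the TCP close handshake, which this toy leaves to the idle timeout.

```python
"""Toy stateful inspection firewall (added example, not from NIST SP 800-36)."""
from dataclasses import dataclass
import time

# Constructed values: hosts under this prefix are the protected network.
INSIDE_NET = "10.0.0."
EPHEMERAL_MIN = 1024  # lowest client (ephemeral) port in this toy model


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_NET)


def stateless_allow(pkt: Packet) -> bool:
    """Plain packet filter. To let TCP replies back in, it must accept any
    inbound packet aimed at an ephemeral port, whether or not a host inside
    ever opened a connection to the sender. This is the 'opening this many
    ports' problem the text describes."""
    if is_inside(pkt.src_ip):
        return True  # outbound traffic is permitted
    return pkt.dst_port >= EPHEMERAL_MIN


class StatefulFirewall:
    """Keeps a state table of outbound TCP connections keyed by the four-tuple
    (client_ip, client_port, server_ip, server_port) and the time last seen."""

    def __init__(self, idle_timeout: float = 300.0, clock=time.monotonic):
        self.idle_timeout = idle_timeout
        self.clock = clock  # injectable so the timeout can be exercised in tests
        self.state_table: dict = {}

    def _expire(self) -> None:
        now = self.clock()
        stale = [k for k, t in self.state_table.items() if now - t > self.idle_timeout]
        for k in stale:
            del self.state_table[k]

    def allow(self, pkt: Packet) -> bool:
        self._expire()
        now = self.clock()
        if is_inside(pkt.src_ip):
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.state_table[key] = now  # new outstanding request
                return True
            if key in self.state_table:
                if "RST" in pkt.flags:
                    del self.state_table[key]  # connection aborted
                else:
                    self.state_table[key] = now  # refresh idle timer
                return True
            return False  # outbound mid-stream traffic with no known connection
        # Inbound: the reply swaps endpoints, so the inside client is the destination.
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key not in self.state_table:
            return False  # claims to be a reply but matches no outstanding request
        if "RST" in pkt.flags:
            del self.state_table[key]
        else:
            self.state_table[key] = now
        return True


def demo() -> dict:
    """Walk one connection plus an unsolicited probe through both filters."""
    fw = StatefulFirewall()
    # Constructed traffic: documentation address ranges, arbitrary client ports.
    client_syn = Packet("10.0.0.5", 40001, "203.0.113.9", 443, frozenset({"SYN"}))
    server_reply = Packet("203.0.113.9", 443, "10.0.0.5", 40001, frozenset({"SYN", "ACK"}))
    probe = Packet("198.51.100.7", 443, "10.0.0.5", 40002, frozenset({"SYN", "ACK"}))
    return {
        "outbound_syn": fw.allow(client_syn),            # True: entry created
        "matching_reply": fw.allow(server_reply),        # True: found in table
        "probe_stateful": fw.allow(probe),               # False: no such request
        "probe_stateless": stateless_allow(probe),       # True: port >= 1024
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'ALLOW' if verdict else 'DROP'}")
```

The contrast is the point of the text: the stateless filter and the stateful one agree on the legitimate reply, but only the stateful one drops the packet that merely claims to be a reply, because its claimed purpose is checked against the table of outstanding requests rather than against a port range.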