Stateful and stateless firewall

Aug 3rd, 2007

The ASA5505 has a "Stateless Active/standby" HA feature? What is meant by stateless? And what is meant by "stateful firewall"? Thanks

Cisco Endorsed by Ravi Singh
Jon Marshall Fri, 08/03/2007 - 07:41

Hi Eric

To answer the 2nd part of your question.

A stateful firewall keeps track of the "state" of connections based on source/destination IP, source/destination port and connection flags. It can really only keep state for TCP connections because TCP uses flags in the packet headers, e.g.

When a client telnets to a server:

Client address = 192.168.5.1
Server address = 172.16.5.2

The client picks a random port, e.g. 33212, and sends a packet to the server:

source IP = 192.168.5.1
source port = 33212
destination IP = 172.16.5.2
destination port = 23 (23 is the telnet port)
TCP Flag = SYN

Server responds:

source IP = 172.16.5.1
source port = 23
destination IP = 192.168.5.1
destination port = 33212
TCP Flag = SYN/ACK

Client responds:

Same as original client packet except
TCP Flag = ACK

The above is called the TCP 3-way handshake.

Now let's say there is a stateful firewall in between the client and the server.

When the firewall sees the initial packet from the client it records all the info above.

When the server responds the firewall looks up its state table to see if it has a matching entry for the connection and finds it does. What's more, the firewall expects to see a SYN/ACK from the server because it recorded a SYN from the client. So the packet is allowed.

Now let's say the client hasn't sent an initial packet and the server sent a packet with the same info as above. The TCP flags are SYN/ACK but the firewall has no record of a SYN packet sent from the client. So the packet is dropped.

In essence this is how stateful firewalls work. They keep track of each connection and allow the traffic to flow through only if there are corresponding entries in its state table.

For non-TCP protocols, e.g. UDP, there are no flags, so the stateful firewall sets a timer, i.e. if it sees a DNS query go out it records the IP source/destination and the port source/destination. If within a certain amount of time a packet is received back with the same IPs and port numbers, although obviously the source and destination are flipped, the packet is allowed through.

Hope this makes sense

Jon

Overall Rating: 5 (3 ratings)

srue Fri, 08/03/2007 - 06:19
User Badges:
  • Blue, 1500 points or more

With stateful failover, the state table from the active firewall is replicated to the standby firewall in case of a failover event.

With stateless failover, the state table is not replicated to the standby firewall, so in the event of a failover, all connections have to be re-initiated.

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html#wp1051178

leon.mflai Fri, 08/10/2007 - 09:11

Hi Jon,

Further to your reply.

If the TCP three-way handshake has already completed, does it mean that the FW will pass through all TCP packets with TCP flags like PUSH or RESET related to this session?

Thanks

Leon

srue Fri, 08/10/2007 - 09:16
User Badges:
  • Blue, 1500 points or more

...as long as it matches an entry in the session table, yes.
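The following is an added example, not code from this thread or from Cisco: a toy stateful firewall in Python that walks through Jon's telnet handshake and UDP-timer explanation, srue's stateful vs stateless failover point, and srue's answer to Leon (once the handshake is done, PSH, ACK and RST segments pass as long as they match a session entry). It uses the client/server addresses and port 33212 from Jon's example; the rule that only the inside network 192.168.5.0/24 may open connections, the 30-second UDP idle timeout, the `Packet` type and the demo functions are all assumptions of this example and are not how the ASA implements its connection table.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags present, e.g. {"SYN", "ACK"}
    t: float = 0.0                   # arrival time in seconds, used by the UDP timer


class StatefulFirewall:
    UDP_IDLE = 30.0  # assumed UDP idle timeout for this toy; not an ASA default

    def __init__(self, inside="192.168.5.0/24"):
        self.inside = ipaddress.ip_network(inside)  # assumption: only inside hosts initiate
        self.table = {}  # (proto, initiator, iport, responder, rport) -> {"state", "last"}

    def process(self, p):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)   # initiator -> responder
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)   # responder -> initiator
        return self._tcp(p, fwd, rev) if p.proto == "tcp" else self._udp(p, fwd, rev)

    def _tcp(self, p, fwd, rev):
        f = p.flags
        if fwd in self.table or rev in self.table:
            key = fwd if fwd in self.table else rev
            from_initiator = key == fwd
            st = self.table[key]["state"]
            if st == "SYN_SENT" and from_initiator and f == {"SYN"}:
                return "allow"                          # SYN retransmit
            if st == "SYN_SENT" and not from_initiator and f == {"SYN", "ACK"}:
                self.table[key]["state"] = "SYN_RECEIVED"
                return "allow"                          # the SYN/ACK we expected
            if st == "SYN_RECEIVED" and from_initiator and f == {"ACK"}:
                self.table[key]["state"] = "ESTABLISHED"
                return "allow"                          # handshake complete
            if st == "ESTABLISHED":
                if "RST" in f:
                    del self.table[key]                 # tear down (FIN tracking omitted)
                return "allow"                          # PSH, ACK, RST... match the entry
            return "drop"                               # flags out of sequence
        if f == {"SYN"} and ipaddress.ip_address(p.src) in self.inside:
            self.table[fwd] = {"state": "SYN_SENT", "last": p.t}
            return "allow"                              # new connection from inside
        return "drop"                  # unsolicited SYN/ACK, ACK, PSH... no table entry

    def _udp(self, p, fwd, rev):
        key = fwd if fwd in self.table else rev
        entry = self.table.get(key)
        if entry is not None and p.t - entry["last"] <= self.UDP_IDLE:
            entry["last"] = p.t                         # refresh the idle timer
            return "allow"
        if entry is not None:
            del self.table[key]                         # timer expired: forget the flow
        if ipaddress.ip_address(p.src) in self.inside:
            self.table[fwd] = {"state": "UDP", "last": p.t}
            return "allow"                              # new query from inside
        return "drop"                                   # reply with no live query entry

    def replicate_to(self, standby):
        """Stateful failover: copy the state table to the standby unit."""
        standby.table = {k: dict(v) for k, v in self.table.items()}


CLIENT, SERVER = "192.168.5.1", "172.16.5.2"   # addresses from Jon's example
HANDSHAKE = [   # client port 33212 -> telnet (23): SYN, SYN/ACK, ACK
    Packet("tcp", CLIENT, 33212, SERVER, 23, frozenset({"SYN"})),
    Packet("tcp", SERVER, 23, CLIENT, 33212, frozenset({"SYN", "ACK"})),
    Packet("tcp", CLIENT, 33212, SERVER, 23, frozenset({"ACK"})),
]
DATA = Packet("tcp", CLIENT, 33212, SERVER, 23, frozenset({"PSH", "ACK"}))
RST = Packet("tcp", SERVER, 23, CLIENT, 33212, frozenset({"RST"}))


def tcp_handshake_demo(fw):
    """Verdicts for the handshake, then a data segment and a RST on the same session."""
    return [fw.process(p) for p in HANDSHAKE + [DATA, RST]]


def udp_dns_demo():
    """DNS query out, a prompt reply back, then a reply after the idle timer expired."""
    fw = StatefulFirewall()
    query = Packet("udp", CLIENT, 40000, SERVER, 53, t=0.0)
    reply = Packet("udp", SERVER, 53, CLIENT, 40000, t=1.0)
    late = Packet("udp", SERVER, 53, CLIENT, 40000, t=100.0)
    return [fw.process(query), fw.process(reply), fw.process(late)]


def failover_demo(stateful):
    """Establish on the active unit, fail over, then push data through the standby."""
    active, standby = StatefulFirewall(), StatefulFirewall()
    for p in HANDSHAKE:
        active.process(p)
    if stateful:
        active.replicate_to(standby)
    return standby.process(DATA)   # "allow" only if the state table was replicated
```

`tcp_handshake_demo(StatefulFirewall())` allows all five packets; feeding `HANDSHAKE[1]` (the SYN/ACK) to a fresh firewall is dropped because no SYN was recorded, and after the RST the same `DATA` segment is dropped because the entry is gone. `udp_dns_demo()` allows the query and the prompt reply but drops the reply that arrives after the idle timer. `failover_demo(True)` allows the mid-session data on the standby, `failover_demo(False)` drops it; with the stateless standby the client's next SYN is allowed and creates fresh state, which is the "connections have to be re-initiated" behaviour srue describes.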

jaimecalzada Tue, 12/06/2016 - 09:20

Sorry for reviving this thread once again. Is there any benefit to having a stateless firewall? It seems like in terms of failover, a stateful firewall is the way to go.
