Firewall Stateful Packet Filtering Tutorial



Third-generation hardware firewalls keep a record of every connection passing through them, a technique known as stateful packet inspection (or stateful packet filtering). Using that record, the firewall can classify each packet as the start of a new connection, part of an existing connection, or an invalid packet that fits neither.

In practice this means that when a host on the internal network opens a connection to the internet, the replies coming back are allowed through, because the firewall has seen them being requested. Traffic initiated from the outside world, on the other hand, is dropped unless an internal host has requested it or a firewall rule has been set up specifically to permit it.

To do this the firewall maintains a state table (connection table) with an entry for every connection it has permitted. For TCP, an inbound packet from the outside world is only passed if it belongs to a connection an internal host opened, for example the SYN/ACK that answers an outgoing SYN. When a packet arrives the firewall first looks it up in the state table; if it matches an existing connection and its flags fit that connection's current state it is forwarded to its destination, otherwise the packet is checked against the access control list (ACL) to decide whether it may start a new connection. The information recorded for each entry comes from the network and transport layers: the source and destination IP addresses, the protocol, the source and destination ports, and the connection's current state (for TCP typically the handshake stage and the expected sequence numbers).

Because third-generation hardware firewalls keep the ability to filter on static packet attributes and add the more sophisticated job of building and updating a dynamic connection table, they provide a higher level of security than plain packet filters. The trade-off is that maintaining the table costs memory and processing power, which also raises the cost of the product, and the table itself is a finite resource: entries must be aged out, and the firewall has to cope with floods of half-open connections that try to fill it.

The only packets allowed from the internet into the LAN as the start of a new connection are those explicitly permitted by a firewall rule. This is usually needed when a company hosts a web server, FTP server or similar service. Such rules should be kept as tight as possible: permit only the one destination IP address and the one port the service actually listens on, rather than opening the whole host or a range of ports.
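The following Python is an added example, not code from the original tutorial or from any firewall vendor. It models the behaviour described in the last two paragraphs in a few dozen lines: a state table keyed on the TCP 5-tuple, a small handshake state machine that decides whether a packet is new, part of an existing connection, or invalid, and a static rule that publishes exactly one IP address and port for inbound connections. The LAN range, the web server at 192.168.1.80, the internet hosts and every packet in the trace are constructed for illustration.

```python
"""Toy stateful packet filter (TCP only).

Added example, not code from the original tutorial. The LAN range, the
published web server, and every packet in run_demo() are constructed for
illustration and are not taken from the page.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")        # constructed: the protected network
PUBLISHED = {("192.168.1.80", 80)}        # constructed: the one (IP, port) a rule opens


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}


class StatefulFirewall:
    """State table keyed by the initiator's 5-tuple, plus a static ACL for inbound NEW."""

    def __init__(self):
        self.table = {}  # 5-tuple -> "SYN_SENT" | "SYN_RECV" | "ESTABLISHED"

    @staticmethod
    def key(src, sport, dst, dport):
        return ("tcp", src, sport, dst, dport)

    def filter(self, p):
        fwd = self.key(p.src, p.sport, p.dst, p.dport)  # same direction as the initiator
        rev = self.key(p.dst, p.dport, p.src, p.sport)  # reply direction

        # 1. Packet belongs to a tracked connection: verify flags against its state.
        if fwd in self.table:
            return self._tracked(fwd, p.flags, from_initiator=True)
        if rev in self.table:
            return self._tracked(rev, p.flags, from_initiator=False)

        # 2. No state: only a bare SYN may open a connection. A stray ACK, FIN or
        #    RST with no matching entry (e.g. an ACK-scan probe) is invalid.
        if p.flags != {"SYN"}:
            return "DROP:invalid"

        # 3. New connection: LAN-initiated is always allowed; internet-initiated
        #    only if the ACL publishes exactly this destination IP and port.
        inbound = ip_address(p.src) not in LAN
        if inbound and (p.dst, p.dport) not in PUBLISHED:
            return "DROP:unsolicited"
        self.table[fwd] = "SYN_SENT"
        return "ALLOW:new"

    def _tracked(self, key, f, from_initiator):
        state = self.table[key]
        if "RST" in f:                                   # either side may tear down
            del self.table[key]
            return "ALLOW:teardown"
        if state == "SYN_SENT":
            if from_initiator and f == {"SYN"}:          # retransmitted SYN
                return "ALLOW:new"
            if not from_initiator and f == {"SYN", "ACK"}:  # responder's SYN/ACK
                self.table[key] = "SYN_RECV"
                return "ALLOW:reply"
        elif state == "SYN_RECV":
            if from_initiator and f == {"ACK"}:          # handshake completes
                self.table[key] = "ESTABLISHED"
                return "ALLOW:established"
        elif state == "ESTABLISHED":
            if "SYN" not in f:                           # data, ACKs, FIN
                return "ALLOW:established"
        return "DROP:invalid"                            # flags do not fit the state


def run_demo():
    """Constructed packet trace; returns the firewall's verdicts in order."""
    fw = StatefulFirewall()
    S = frozenset
    trace = [
        # LAN client opens HTTPS to an internet host: handshake, then server data.
        Packet("192.168.1.10", 51000, "203.0.113.5", 443, S({"SYN"})),
        Packet("203.0.113.5", 443, "192.168.1.10", 51000, S({"SYN", "ACK"})),
        Packet("192.168.1.10", 51000, "203.0.113.5", 443, S({"ACK"})),
        Packet("203.0.113.5", 443, "192.168.1.10", 51000, S({"ACK"})),
        # Unsolicited inbound SYN to SSH on a LAN host: no state, no rule.
        Packet("198.51.100.7", 40000, "192.168.1.10", 22, S({"SYN"})),
        # Inbound SYN to the published web server on port 80: explicit rule.
        Packet("198.51.100.7", 40001, "192.168.1.80", 80, S({"SYN"})),
        # Same server, port 443: the rule is per port, so still blocked.
        Packet("198.51.100.7", 40002, "192.168.1.80", 443, S({"SYN"})),
        # Bare ACK with no matching state (classic ACK-scan probe).
        Packet("198.51.100.7", 40003, "192.168.1.10", 51000, S({"ACK"})),
        # Server resets the HTTPS connection, then sends again: the entry is gone.
        Packet("203.0.113.5", 443, "192.168.1.10", 51000, S({"RST"})),
        Packet("203.0.113.5", 443, "192.168.1.10", 51000, S({"ACK"})),
    ]
    return [fw.filter(p) for p in trace]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The trace shows the three classifications from the text: the LAN-initiated handshake is allowed step by step, the unsolicited SYNs to the LAN are dropped except for the one (IP, port) the rule publishes, and packets whose flags do not fit any table entry are dropped as invalid. A production implementation would additionally age entries out with per-state timers, track sequence numbers and half-closed (FIN) connections, and handle UDP and ICMP pseudo-connections; those are omitted here to keep the state machine readable.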

Stateful packet inspection has proved to be an excellent security feature: effective, scalable and transparent to end users, who simply see their own connections work while unsolicited inbound traffic is dropped.
