Re: Stateful Inspection

From: James Grant (
Date: 05/16/02

From: James Grant <>
Date: Thu, 16 May 2002 16:13:27 GMT

Wolfgang Kueter wrote:
> James Grant wrote:
> > A stateful firewall can inspect the contents of the packets as well.
> Even the marketing buzzwords on your company's website show that you
> are wrong.

Not true.
Explained below.
> Cut & Paste quoting
> <quote>
> Stateful Packet Inspection
> VisNetic Firewall falls into a class of firewalls called Stateful
> Inspection Firewalls. Stateful inspection firewalls overcome the
> limitations of packet filter firewalls and applicationproxy servers.
> They examine more than just the "to" and "from" addresses in the data
> packets, and do not require a proxy for every application being
> accessed. Stateful inspection firewalls determine whether packets can
> get through the firewall based on the protocol, port, and source and
> destination addresses.
> </quote>
> But that is just "To" and "From". What information do you find in the
> header of an packet? Source and destination address, protocol, source
> port, detination, maybe TCP Flags. Stateful filtering just looks at the
> headers.

The original poster asked:

>>> Can a firewall performing stateful inspection actually inspect
>>> the contents of the packet at the application layer and not just
>>> the headers? I thought it could only inspect the headers. Am I
>>> wrong?

To which I correctly answered:

>>A stateful firewall can inspect the contents of the packets as well.

He asked if it can and yes, it can.
I didn't say stateful inspection involved looking at the contents, etc.
I just said a stateful firewall could, it could inspect more than the
> <quote>
> For every request that is allowed by this strategy, stateful inspection
> firewalls open up a limited time window to allow response packets, but
> ONLY from the same host.
> </quote>
> This is still layer 3. Nothing about content, just a mechanism to save
> information about contacted external hosts and opening a time window
> for reply packets. Nothing about content.

You're not making a point here that isn't addressed above.
> <quote>
> Also, by maintaining information about previous packets, stateful
> inspection firewalls can quickly verify that packets meet the criteria
> for authorized traffic, making them inherently fast.
> </quote>
> Simply wrong, stateful packet filters are slower than non stateful
> ones, because the rules change dynamically. Therefore they consume more
> memory and CPU time than non stateful packet filters.

The web page could be worded better, but strictly it's not "simply
as you claim. The website doesn't say "faster", it says "fast".

James Grant
8Signs Ltd.