What is the difference between stateless and stateful firewalls?

Suliman alibrahim
4 min read · Sep 13, 2019


Hey guys, today I am going to talk about firewalls and the main difference between a stateful firewall and a stateless firewall. This article is written for those who are unsure what exactly differs between the two.

A stateless firewall, also called a packet filtering firewall, is usually a router. It works on the network layer (L3) and the transport layer (L4) only, and it operates on a list of rules, called an access list, that match on IP addresses and port numbers. Based on the rules configured by the firewall admin, traffic is either permitted or denied.

A stateful firewall, also called a circuit level firewall, has the same capabilities as a stateless firewall and goes one layer up, to the session layer (L5). This gives it more flexibility and stronger security rules, since the admin is no longer required to open the unregistered (ephemeral) ports for responses coming back to the connection initiator.

Let's configure both firewalls and generate the same traffic twice, once through the stateless firewall and once through the stateful firewall, to make the difference clearer.

We are going to use GNS3 to demonstrate our examples.

stateless firewall (ROUTER)

Computer: Windows 7 PC
Statless_firewall: Router used as firewall
Router_1: Router the computer connects to through telnet

Now let's try to telnet Router_1 from the computer:

As you can see, access is granted since no access list is applied yet. Now we are going to create two access lists on the Statless_firewall router:

Applying access list 100 inbound on fastethernet 0/0 will permit only port 23 (telnet) traffic to come in to the interface, and applying access list 101 outbound on the same interface will deny any traffic from going out of it.

Now let's try to telnet again after applying the access lists.

As you can see, the connection was not established because the traffic was denied by the firewall when it came back from the router. The reason is that access list 101 denies any traffic going out of fastethernet 0/0. As we said, the stateless firewall does not keep connection state, so the interface denies the return traffic with no exceptions. To work around this problem we could permit all unregistered ports (>1023) in access list 101 so the return traffic passes, but that creates another problem: leaving every port above 1023 open is not secure at all. This problem is solved by the stateful firewall.

stateful firewall (FIREWALL)

Computer: Windows 7 PC
Stateful_firewall: a firewall
Router_1: Router the computer connects to through telnet

Now let's try the same thing, telnet Router_1 from the computer:

After doing all the network configuration, as you can see, we are able to telnet the remote router (Router_1) from cmd on the computer, since there are no access list restrictions.

Now let's do the same access list configuration as in the previous example (stateless firewall).

Here we apply the access lists on the gigabitethernet 0 interface, like in the previous example.

Now notice the difference in the following images: we can telnet Router_1 even though there is an access list denying any connection going out of the gigabitethernet 0 interface.

A stateful firewall maintains the state of every allowed connection, and when the allowed traffic returns to the connection initiator the firewall lets it pass. In other words, a stateful firewall first checks whether there is an existing session that allows the traffic to pass, and only otherwise applies the access list rules to the traffic.
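To make the two behaviours concrete, here is a small Python model (an added example, not part of the original article or any GNS3 configuration) of the same telnet exchange passing through a stateless filter and a stateful filter with the article's two access lists. The IP addresses and ephemeral ports are made up for the demonstration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in": PC -> Router_1 into fa0/0; "out": Router_1 -> PC out of fa0/0

# Access list 100 (inbound on fa0/0): permit only TCP port 23 (telnet).
def acl_100_in(p):
    return p.dport == 23

# Access list 101 (outbound on fa0/0): deny everything.
def acl_101_out(p):
    return False

def stateless_filter(packets):
    """Stateless router: every packet is judged only by the ACL on its interface."""
    return [acl_100_in(p) if p.direction == "in" else acl_101_out(p) for p in packets]

def stateful_filter(packets):
    """Stateful firewall: permitted inbound connections are recorded, and replies matching a recorded session bypass the outbound ACL."""
    sessions = set()
    verdicts = []
    for p in packets:
        if p.direction == "in":
            ok = acl_100_in(p)
            if ok:
                sessions.add((p.src, p.sport, p.dst, p.dport))
        else:
            # Reverse the 4-tuple: does this reply belong to a session we allowed?
            ok = (p.dst, p.dport, p.src, p.sport) in sessions or acl_101_out(p)
        verdicts.append(ok)
    return verdicts

# Constructed sample traffic (addresses and ephemeral ports are made up):
PC, ROUTER_1 = "192.168.1.10", "10.0.0.1"
TELNET_FLOW = [
    Packet(PC, 50123, ROUTER_1, 23, "in"),      # telnet SYN from the PC
    Packet(ROUTER_1, 23, PC, 50123, "out"),     # SYN-ACK back to the PC
    Packet(ROUTER_1, 23, PC, 50124, "out"),     # unsolicited packet, no session
    Packet(PC, 50125, ROUTER_1, 80, "in"),      # HTTP attempt, not permitted by ACL 100
]

if __name__ == "__main__":
    print("stateless:", stateless_filter(TELNET_FLOW))  # [True, False, False, False]
    print("stateful: ", stateful_filter(TELNET_FLOW))   # [True, True, False, False]
```

The stateless filter drops the router's reply exactly as in the first experiment, while the stateful filter lets it through because it belongs to a session that access list 100 already permitted; the unsolicited outbound packet is still denied by both.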

I hope this article demonstrates the difference between the two firewalls well.

Thank you

