
Every secure facility depends on one specific entity to keep it guarded, but also allow passage in and out: a gate. Similarly, every secure network relies on one specific entity to allow good traffic in and keep bad traffic out: a firewall.
Cool. What does that mean?
As you use the internet, send emails, and communicate with business partners, you are sending and receiving traffic, all of which passes through one (or a few) network devices whose job is to decide what is allowed to reach you and what is allowed to leave.
On the surface, that sounds pretty straightforward, and a lot of people might default to accepting it at that level. In reality, it ends up being substantially more convoluted, with a variety of network devices that do a mix of different things. You have firewalls, network intrusion detection and prevention systems, host intrusion detection and prevention systems, demilitarized zones (DMZ), and several other things which I plan to talk about in the future. For this article, however, I will focus solely on firewalls, and specifically on the difference between the two primary types: stateless and stateful firewalls.
Stateless Firewalls
I’ll start with stateless firewalls. These are the most basic: they judge each packet on its own, using only the fields in that packet’s header (source and destination address, port, protocol), with no memory of any packet that came before it. That is to say, your security team may have discovered that you get a lot of bad traffic from some IP, 86.75.30.9. So they configure the firewall to block all traffic from 86.75.30.9. Problem solved. No more bad traffic from this IP. Unfortunately, your security team also finds that somehow, a lot of data has been moving from inside your network back to IP 86.75.30.9. The security team takes a look at it, and that data turns out to be sensitive and not supposed to go outside of your internal network. So the firewall is then configured to block all traffic going to 86.75.30.9. Now the firewall has a set of rules that block all traffic going to and from that IP, solving the basic problem of bad traffic and data exfiltration. The limitation is that, because the firewall remembers nothing, it cannot tell a reply to a connection your users opened from an unsolicited packet that merely looks like one; replies have to be admitted by a rule that describes their header shape (say, source port 443 with the ACK flag set), and anyone can send a packet of that shape.
To get a better understanding of this, consider the TSA (Transportation Security Administration). The TSA is responsible for securing U.S. “transportation systems to ensure freedom of movement for people and commerce,”^1 which most people usually observe via the security personnel who work in airports, processing travelers via luggage and personnel inspections. One component of their job is ensuring that a dangerous individual doesn’t get on a plane with other travelers, endangering them. This individual may be blacklisted^2 and not allowed to fly, so the TSA bars their entry past the checkpoint (like the firewall blocks incoming traffic). On the other end, if you’ve ever traveled internationally, there are some locations where you may not be able to leave the terminal due to one reason or another^3, and so you will be barred from entry into the country (like the firewall blocking outgoing traffic).
Stateful Firewalls
On the other end, stateful firewalls take a different approach to traffic. These firewalls observe the overall context of the traffic that is coming in and going out: they keep a table of the connections they have seen opened, and judge each packet against that table as well as against the rules. That is to say, if a machine inside your network initiates a connection to a website, a stateful firewall records that connection, admits the inbound packets that belong to it (which, taken on their own, might not be permitted), and drops inbound packets that belong to no known connection, even if they look like replies.
To get a better understanding of this, consider a theme park or club that requires some sort of cover fee. To get in, you pay some fee and they give you something (a stamp, bracelet, etc.: a token) to indicate that you are permitted to come and go for some duration of time. If you’re visiting a fair and realize you forgot something in your car, leave, and come back, whoever is working at the entrance will see your token and allow you to pass through without any hassle. Similarly, the stateful firewall may observe something it would normally block (data arriving from an outside server) but permit it because the action was initiated on the user end (that is, you clicked on the download, your computer opened the connection, and the file being transferred back is part of that connection).
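To make the difference between the two sections above concrete, here is a small simulation I have added for this post (it is not code from the original article or from any firewall product). It runs the same sequence of constructed packets through a stateless rule list and through a stateful filter with a connection table. The addresses are assumptions: 86.75.30.9 is the post’s example bad address, 10.0.0.0/8 stands in for the internal network, and 203.0.113.7 and 198.51.100.9 (documentation ranges) play an external web server and a host that forges a reply.

```python
"""Stateless vs. stateful packet filtering, simulated on the same traffic.

Added example for this post, not code from the original. Addresses, ports and
rules are constructed: 86.75.30.9 is the post's example bad address; 10.0.0.0/8
stands in for the internal network; 203.0.113.7 and 198.51.100.9 are
documentation ranges used for an external server and a spoofing host.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional

INTERNAL = "10.0.0.0/8"
BAD_HOST = "86.75.30.9/32"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False  # TCP SYN flag: set on a new connection attempt
    ack: bool = False  # TCP ACK flag: set on every packet after the first SYN


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: Optional[int] = None   # None means "any"
    dport: Optional[int] = None
    ack: Optional[bool] = None    # None means "don't care"

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.sport is None or pkt.sport == self.sport)
                and (self.dport is None or pkt.dport == self.dport)
                and (self.ack is None or pkt.ack == self.ack))


def stateless_decide(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; each packet is judged on its own header only."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Stateless ruleset. Because the filter has no memory, it must let the server's
# replies in by their header shape alone: source port 443 with ACK set. Any host
# can forge a packet of that shape.
STATELESS_RULES = [
    Rule("deny", src=BAD_HOST),                        # block inbound from bad IP
    Rule("deny", dst=BAD_HOST),                        # block exfil to bad IP
    Rule("allow", src=INTERNAL, dport=443),            # outbound HTTPS
    Rule("allow", dst=INTERNAL, sport=443, ack=True),  # "replies" to HTTPS
]

# Stateful ruleset: only governs NEW connections; replies are handled by state.
STATEFUL_RULES = STATELESS_RULES[:3]


class StatefulFilter:
    """Tracks flows that an allowed SYN opened; admits later packets only if
    they belong to one of those flows, regardless of what the header looks like."""

    def __init__(self, new_conn_rules: List[Rule]):
        self.rules = new_conn_rules
        self.table: set = set()  # (src, sport, dst, dport) of permitted flows

    def decide(self, pkt: Packet) -> str:
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.table or reverse in self.table:
            return "allow"                       # part of an established flow
        if not pkt.syn or pkt.ack:
            return "deny"                        # not a connection attempt, no state
        action = stateless_decide(self.rules, pkt)
        if action == "allow":
            self.table.add(forward)              # remember the flow we admitted
        return action


def run_scenario(decide: Callable[[Packet], str]) -> Dict[str, str]:
    """Feed one constructed packet sequence through a filter, in order."""
    client, server, spoofer, bad = "10.0.0.5", "203.0.113.7", "198.51.100.9", "86.75.30.9"
    sequence = [
        ("open",          Packet(client, server, 51000, 443, syn=True)),
        ("reply",         Packet(server, client, 443, 51000, syn=True, ack=True)),
        ("spoofed_reply", Packet(spoofer, client, 443, 51000, ack=True)),
        ("to_bad",        Packet(client, bad, 51001, 443, syn=True)),
        ("from_bad",      Packet(bad, client, 40000, 22, syn=True)),
        ("ssh_probe",     Packet(spoofer, client, 40001, 22, syn=True)),
    ]
    return {name: decide(pkt) for name, pkt in sequence}


if __name__ == "__main__":
    stateless = run_scenario(lambda p: stateless_decide(STATELESS_RULES, p))
    stateful = run_scenario(StatefulFilter(STATEFUL_RULES).decide)
    for name in stateless:
        print(f"{name:14} stateless={stateless[name]:5} stateful={stateful[name]}")
```

Both filters block traffic to and from 86.75.30.9 and both drop the unsolicited SSH probe, so for the post’s original scenario they behave the same. The packet that separates them is the forged reply: it carries source port 443 and the ACK flag, which is exactly what the stateless rule for replies has to accept, so it gets through, while the stateful filter drops it because no connection to 198.51.100.9 was ever opened from inside. A real stateful firewall also ages entries out and removes them on FIN or RST, which this simulation leaves out.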
You Need a Wall…
Firewalls are an important part of your network, whether at home or in the office. They serve as a virtual gatekeeper, preventing bad traffic from entering (or leaving) your network while allowing the good traffic freedom of movement. I hope that this article has helped provide some clarity on the general concept of network firewalls, distilling yet another security-related topic for your consumption.
Until next time, cheers!
References:
[1] TSA Mission: https://www.tsa.gov/about/tsa-mission
[2] Disclaimer: I do not know all the details behind who gets blacklisted by the TSA, and why. I don’t mean to start political debate — merely utilize this example to explain a technical security concept. Don’t dig into it any deeper than that.
[3] This is probably more common in a present-day environment where restrictions due to COVID-19 significantly limit any sort of travel.
Author’s Note
Original securitydistilled.com post, December 7, 2020