What is Stateful Inspection?

Stateful Inspection: What It Is and How It Works

Stateful inspection, also referred to as dynamic packet filtering, is a technology used in Next-Generation Firewalls (NGFWs) that monitors the state of active connections and uses this information to determine which network packets to allow through. This process makes it possible to detect and block unauthorized traffic, ensuring that only legitimate traffic is allowed into a network.

How Stateful Inspection Works

In a stateful inspection firewall, each incoming packet is first compared to a set of predefined rules. If the packet matches a rule, it is allowed through. If it doesn't, the firewall checks whether the packet is part of an existing connection: if it is, the packet is allowed through; if it isn't, the packet is discarded.

Stateful inspection firewalls keep track of the state of active connections by maintaining a state table. This table contains information about each active connection, including the source and destination IP addresses, port numbers, and other data that can be used to identify the connection. When a new packet arrives, the firewall compares the packet to the state table to determine whether it is part of an existing connection.

Stateful Inspection and DDoS Attacks

While stateful inspection firewalls are effective at detecting and blocking unauthorized traffic, they are not optimized for defending against Distributed Denial of Service (DDoS) attacks. State-exhaustion DDoS attacks are specifically crafted to defeat firewalls and other state-dependent devices. These attacks overwhelm a firewall by flooding it with more TCP connection requests than its state table can hold, preventing it from accepting any new connections.
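The procedure described under "How Stateful Inspection Works" and the state-exhaustion failure described above, as an added Python example that is neither the page's nor NETSCOUT's code: a toy firewall with a bounded state table keyed by the connection 5-tuple, consulted in the order the page gives (predefined rules first, then the state table, then drop). The allow rule, the 10.0.0.5:443 service, the client and flood addresses, and the table size are constructed values; real products have far larger tables and additional per-connection fields.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example, not NETSCOUT code. Connections are identified by their 5-tuple
# (protocol, source IP, source port, destination IP, destination port).
FiveTuple = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag: a new connection attempt
    ack: bool = False   # TCP ACK flag


@dataclass
class Rule:
    """A predefined rule; a None field matches anything."""
    action: str                   # "allow" or "deny"
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.dst is None or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport))


class StatefulFirewall:
    def __init__(self, rules: List[Rule], max_states: int):
        self.rules = rules
        self.max_states = max_states            # memory limit on tracked connections
        self.state: Dict[FiveTuple, str] = {}   # 5-tuple -> "SYN_SENT" or "ESTABLISHED"

    @staticmethod
    def key(p: Packet) -> FiveTuple:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def reverse_key(p: Packet) -> FiveTuple:
        # The same connection as seen in the reply direction.
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> str:
        """Return "allow" or "drop" for one packet and update the state table."""
        k, rk = self.key(p), self.reverse_key(p)
        # Step 1: compare the packet with the predefined rules.
        for r in self.rules:
            if r.matches(p):
                if r.action != "allow":
                    return "drop"
                if k in self.state:
                    return "allow"              # already tracked, nothing new to record
                if p.proto == "tcp" and not p.syn:
                    return "drop"               # only a SYN may open a TCP entry
                if len(self.state) >= self.max_states:
                    return "drop"               # table full: no new connection can be accepted
                self.state[k] = "SYN_SENT" if p.proto == "tcp" else "ESTABLISHED"
                return "allow"
        # Step 2: no rule matched; is the packet a reply on an existing connection?
        if rk in self.state:
            if p.proto == "tcp" and p.syn and p.ack and self.state[rk] == "SYN_SENT":
                self.state[rk] = "ESTABLISHED"  # server SYN/ACK completes the entry
            return "allow"
        # Step 3: unknown to both rules and state table.
        return "drop"


def demo_handshake() -> List[str]:
    """Constructed traffic: a TCP handshake to 10.0.0.5:443 plus one unsolicited SYN/ACK."""
    fw = StatefulFirewall([Rule("allow", proto="tcp", dst="10.0.0.5", dport=443)], max_states=1000)
    client_syn = Packet("tcp", "192.0.2.10", 40000, "10.0.0.5", 443, syn=True)
    server_synack = Packet("tcp", "10.0.0.5", 443, "192.0.2.10", 40000, syn=True, ack=True)
    client_ack = Packet("tcp", "192.0.2.10", 40000, "10.0.0.5", 443, ack=True)
    stray_synack = Packet("tcp", "10.0.0.5", 443, "192.0.2.99", 40000, syn=True, ack=True)
    return [fw.filter(x) for x in (client_syn, server_synack, client_ack, stray_synack)]


def demo_state_exhaustion(max_states: int, flood_size: int) -> Tuple[int, str]:
    """Constructed flood of SYNs that never complete the handshake, then one legitimate SYN.
    Returns (half-open entries created, verdict for the legitimate client)."""
    fw = StatefulFirewall([Rule("allow", proto="tcp", dst="10.0.0.5", dport=443)], max_states=max_states)
    created = 0
    for i in range(flood_size):
        half_open = Packet("tcp", "203.0.113.7", 1024 + i, "10.0.0.5", 443, syn=True)
        if fw.filter(half_open) == "allow":
            created += 1
    legit = Packet("tcp", "192.0.2.10", 40000, "10.0.0.5", 443, syn=True)
    return created, fw.filter(legit)


if __name__ == "__main__":
    print(demo_handshake())                 # ['allow', 'allow', 'allow', 'drop']
    print(demo_state_exhaustion(100, 500))  # (100, 'drop')
```

The second demo is the outage the page describes: once the half-open entries fill the table, the firewall drops a legitimate client's SYN even though an allow rule covers it. Real firewalls age out half-open entries after a timeout, which slows the fill but does not prevent it when requests arrive faster than entries expire, which is why the page points to a dedicated mitigation system in front of the stateful device.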

State-dependent devices such as network firewalls can be easily overwhelmed by DDoS attacks, leading to a complete outage of the assets they protect. For DDoS protection, intelligent DDoS mitigation systems (IDMS) such as Arbor TMS and AED are optimized for DDoS defense and can, where needed, defend stateful devices against such attacks.

Stateful inspection is an essential technology used in NGFWs to detect and block unauthorized traffic. It works by monitoring the state of active connections and using this information to determine which network packets to allow through. However, it is important to note that state-dependent devices such as network firewalls are vulnerable to state-exhaustion DDoS attacks. To defend against DDoS attacks, it is recommended to use intelligent DDoS mitigation systems (IDMS) such as NETSCOUT TMS and AED/APS.