A stateful inspection firewall combines aspects of a packet-filtering firewall, a circuit-level gateway, and an application-level gateway. Like a packet-filtering firewall, a stateful inspection firewall operates at the network layer of the OSI model, filtering all incoming and outgoing packets based on source and destination IP addresses and port numbers.

A stateful inspection firewall also functions as a circuit-level gateway, determining whether the packets in a session are appropriate. For example, a stateful inspection firewall verifies that SYN and ACK flags and sequence numbers are logical.

Finally, a stateful inspection firewall mimics an application-level gateway: The firewall evaluates the contents of each packet up through the application layer and ensures that these contents match the rules in your company's network security policy.

Better Performance, Same Level of Security? Like an application-level gateway, a stateful inspection firewall can be configured to drop packets that contain specific commands. For example, you could configure a stateful inspection firewall to drop FTP packets containing a Put or Get command.

Unlike an application-level gateway, however, a stateful inspection firewall does not break the client-server model to analyze application-layer data. An application-level gateway requires two connections: one connection between the trusted client and the gateway and another connection between the gateway and the untrusted host. The gateway then relays information between the two connections. Although some people insist that this configuration ensures the highest degree of security, other people argue that this configuration slows performance unnecessarily.

A stateful inspection firewall, on the other hand, does not require two connections, allowing a direct connection between a trusted client and an untrusted host. To provide a secure connection, a stateful inspection firewall intercepts and examines each packet up through the application layer of the OSI model.

Rather than relying on application-specific proxies (and thus limiting users to the services for which you are running a proxy), a stateful inspection firewall relies on algorithms to recognize and process application-layer data. These algorithms compare packets against known bit patterns of authorized packets and are theoretically able to filter packets more efficiently than application-specific proxies.

Because a stateful inspection firewall allows a direct connection between a trusted client and an untrusted host, some people believe this firewall is less secure than an application-level gateway. However, other people argue that using a direct connection makes a stateful inspection firewall perform better than an application-level gateway at no cost to security.

What's Out There?
A stateful inspection firewall is a popular solution for securing Internet and intranet connections because this firewall is transparent to users, scrutinizes data at the highest OSI layer, and does not require you to modify clients or run a separate proxy for each service that runs over the firewall. In fact, Check Point Software Technologies, Ltd.'s FireWall-1, which is one of the most popular commercial firewalls, is a stateful inspection firewall. Credited with coining the term stateful inspection, Check Point began selling FireWall-1 in 1993 and now owns 44 percent of the firewall market.Don't be Careless. Stateful inspection firewalls are among the most secure firewalls available today and "fooling them can be a lot of work," according to Jon McCown, a network security analyst for the U.S. National Compter Security Agency (NCSA).

Nevertheless, stateful inspection firewalls, like all firewalls are not 100 percent effective. So why bother implementing a firewall at all? You should implement a firewall for the same reason you protect your home by locking your doors, despite the fact that this safey measure does not guarntee that an intruder cannot enter your house. Leaving an Internet or intranet connection without a firewall is a careless, open invitation to would-be intruder.