A firewall is a system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in hardware, software, or a combination of both. There are several types of firewalls, and one of them is the firewall “stateful” o with status tracking.
At the end of the article you will find a small test that will allow you assess the knowledge acquired in this reading
The state inspection, also known as “status monitoring” o “stateful inspection” in English, it is an advanced technique used in network security to improve the efficiency and effectiveness of firewalls.
Stateful inspection
Stateful firewalls not only examine each individual data packet, but also keep a record of the state of active network connections.
This log can include details such as source and destination IP addresses, port numbers, packet sequence numbers, timestamps, and more.
Unlike firewalls without state tracking (stateless), which treat each data packet as a separate transaction, stateful firewalls understand that data packets are sent as part of network connections.
These firewalls can remember that a specific incoming data packet is the response to an outgoing request that was made previously.
How the State Inspection works
Here are some additional details on how health inspection works:
1. Connection establishment
When a network connection is initiated (for example, when a user within the network requests a web page), the firewall records details of the connection in its state table.
This information includes things like the IP address of the computer that is making the request, the IP address of the web page that is being requested, and the port numbers that are being used.
2. Connection monitoring
As data packets continue to flow through the connection, the firewall continues to record and update the details in its state table.
This may include, for example, tracking the sequence numbers of packages to ensure they are arriving in the correct order.
3. Connection termination
When the network connection is closed (for example, when the user closes the web page they requested), the firewall notices that the connection has been terminated and removes it from its state table.
La condition inspection provides a number of advantages for network security. First, it allows firewalls to more effectively block unwanted or suspicious traffic because they can recognize when an incoming data packet is not associated with a valid network connection.
It can also help detect and prevent certain types of attacks, such as IP spoofing attacks or SYN flood attacks, which attempt to exploit the way network connections are established.
At a more technical level, a stateful firewall maintains a status table to track all existing communication sessions. Each session is logged with details such as source and destination IP addresses, port numbers, packet sequence numbers, and timestamps.
Connection status records (status tables)
“Active network connection status logs,” also known as the state table of a firewall, is a data structure used in stateful firewalls to track the details of all network connections that are passing through the firewall.
The exact details that are tracked can vary by system, but often include the following items:
1. Source IP address
This is the IP address of the machine that initiated the connection. In a typical web connection, this would be the IP address of the user requesting to view a web page.
2. Destination IP address
This is the IP address that the connection is being sent to. In a typical web connection, this would be the IP address of the server hosting the requested web page.
3. Ports of origin and destination
Ports are numbers that identify the specific processes that are communicating within the source and destination machine. The source port is randomly assigned by the system initiating the connection, while the destination port is generally a standard number that corresponds to a particular network service (for example, port 80 for HTTP traffic).
4. Sequence number and acknowledgment number
These are values used in the TCP protocol to ensure that data packets arrive in the correct order and to confirm receipt of the packets.
5. TCP Flags
TCP flags are part of the header of TCP packets and provide information about the status of the connection. Common flags include SYN (synchronize, for establishing connections), ACK (acknowledge, for confirming receipt of packets), FIN (finish, for closing connections), and RST (reset, for aborting connections).
6. Connection status
This is a value that indicates whether the connection is being established, active, closing, etc.
7. Timestamp
This is a timestamp that indicates when the activity was last seen on the connection. This can be useful for clearing idle connections from the status table.
By maintaining this status table, stateful firewalls can monitor and control network traffic more effectively than stateless firewalls.
This is particularly useful for blocking unsolicited traffic from outside the network, allowing responses to requests initiated from within the network, and detecting and preventing certain types of attacks.
Health tracking provides a greater security than a stateless firewall because it has a more complete view of network activity. However, it can also consume more computing resources, because it has to constantly maintain and update its state table.
Deep Packet Inspection
An additional aspect that could be considered in a stateful firewall is deep packet inspection (DPI), which allows the content of the data packet itself to be examined.
This can help detect certain types of attacks that would not be visible by monitoring connection status alone, such as viruses that spread via email attachments.
In short, a stateful firewall is a critical component in cybersecurity, providing advanced defense by being able to track the full state of network connections and make decisions based on that context.
Is MikroTik a stateful firewall?
Yes, MikroTik routers, which use the RouterOS operating system, are capable of functioning as stateful firewalls.
MikroTik implements status tracking functionality through its “Connection Tracking” (Connection Tracking).
El connection tracking It allows the firewall to track the state of network connections through the router and make filtering decisions based on the state of a connection. This includes details such as source and destination IP addresses, ports used, connection status (for example, whether a new connection is being established or whether these are packets associated with an existing connection), and more.
How does MikroTik implement the stateful firewall?
Here is an example of how you can configure a stateful firewall on a MikroTik router:
1. Enable connection tracking.
Connection tracing is enabled by default in RouterOS, but you can check it and enable it if necessary with the following command:
/ip firewall connection tracking set enabled=yes
2. Configure firewall rules
To allow established and related connections, and to block new ones that were not initiated from within the network. This can be done with commands like the following:
/ip firewall filter add chain=forward connection-state=established action=accept
/ip firewall filter add chain=forward connection-state=related action=accept
/ip firewall filter add chain=forward connection-state=new action=drop in-interface=wan
In these examples, the first two rules allow packets associated with already established connections or related connections (for example, responses to requests that originated from within the network), while the last rule blocks attempts at new connections from outside of the network.
This is just an example of how a stateful firewall can be configured in MikroTik. Actual configuration may vary depending on specific network needs.
It is worth noting that firewall rules must be carefully planned and tested, as incorrect configuration can leave the network vulnerable or disrupt legitimate traffic.