
What is Stateful Inspection?

By S.A. Keel
Updated: May 16, 2024

Stateful inspection is a technique used in computer network firewalls for protecting a network from unauthorized access. Also sometimes known as dynamic filtering, the method is capable of inspecting an entire data packet before it enters the network. In this way, every packet entering any interface on the firewall is checked completely for validity against the types of connections that are allowed to pass through to the other side. The process gets its name because it not only inspects the data packets, but also monitors the state of a connection that has been established and allowed through the firewall.

The idea for stateful inspection was first devised by Check Point® software in the mid-1990s. Prior to Check Point's® Firewall-1 INSPECT™ engine software, firewalls monitored the application layer, at the top of the open systems interconnection (OSI) model. This tended to be very taxing on a computer's processor, so packet inspection moved down the OSI model's layers to the third layer, the network layer. Early packet inspection only checked the header information of packets (the addressing and protocol information) and had no way of distinguishing the state of the packet, such as whether it was a new connection request.

In a stateful inspection firewall, the resource-friendly and speedy packet filtering method is merged somewhat with the more detailed application information. This gives some context to the packet, thereby providing more information on which to base security decisions. To store all of this information, the firewall needs to establish a table, which then defines the state of the connection. The details of every connection, including the address information, ports and protocols, as well as the sequencing information for the packets, are then stored in the table. The only time resources are strained at all is during the initial entry into the state table; after that, every other packet matched against that state uses hardly any computing resources.

The stateful inspection process begins when the first packet requesting a connection is captured and inspected. The packet is matched against the firewall's rules, where it is checked against an array of possible authorization parameters which are endlessly customizable in order to support previously unknown, or as yet to be developed, software, services and protocols. The captured packet initializes the handshake, and the firewall sends a response back to the requesting user acknowledging a connection. Now that the table has been populated with state information for the connection, the next packet from the client is matched against the connection state. This continues until the connection either times out or is terminated, and the table is cleared of the state information for that connection.

This brings about one of the issues faced by the stateful inspection firewall: the denial of service attack. With this type of attack, security isn't compromised so much as the firewall is bombarded with numerous initial packets requesting a connection, forcing the state table to fill up with requests. Once full, the state table can no longer accept any requests, and so all other connection requests are blocked. Another attack method against a stateful firewall takes advantage of firewall rules that block incoming traffic but allow any outgoing traffic. An attacker can trick a host on the secure side of the firewall into asking for connections from the outside, effectively opening up any services on the host for the attacker to use.
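The state table lifecycle and the table-full condition described above can be modeled in a few lines of Python. This is an added example, not code from the article or from any firewall product; it shows why a shorter timeout for half-open entries lets a full table recover. The class and function names, the port 443 rule, the timeout values and the addresses are all assumptions made for the sketch, and only the client-to-server direction is modeled.

```python
from dataclasses import dataclass
ALLOWED_DST_PORTS = {443}   # assumed rule set: only inbound TCP/443 may open state
HALF_OPEN_TIMEOUT = 5       # assumed: seconds a SYN-only entry may live
ESTABLISHED_TIMEOUT = 300   # assumed: idle seconds for an established flow

@dataclass
class Entry:
    state: str        # "SYN_SEEN" or "ESTABLISHED"
    last_seen: float

class StateTable:
    def __init__(self, max_entries):
        self.max_entries = max_entries
        self.table = {}   # (src, sport, dst, dport) -> Entry

    def expire(self, now):
        for key, e in list(self.table.items()):
            limit = HALF_OPEN_TIMEOUT if e.state == "SYN_SEEN" else ESTABLISHED_TIMEOUT
            if now - e.last_seen > limit:
                del self.table[key]   # timed out: clear the state

    def inspect(self, src, sport, dst, dport, flags, now):
        """Return 'ACCEPT' or 'DROP' for one client-to-server TCP packet."""
        self.expire(now)
        key = (src, sport, dst, dport)
        entry = self.table.get(key)
        if entry is None:   # only a rule-permitted bare SYN may create state
            if flags != {"SYN"} or dport not in ALLOWED_DST_PORTS:
                return "DROP"
            if len(self.table) >= self.max_entries:
                return "DROP"   # table full: new connections are refused
            self.table[key] = Entry("SYN_SEEN", now)
            return "ACCEPT"
        entry.last_seen = now   # cheap path: packet matches existing state
        if "RST" in flags or "FIN" in flags:
            del self.table[key]   # connection terminated: clear the state
        elif "ACK" in flags:
            entry.state = "ESTABLISHED"
        return "ACCEPT"

def demo():
    # Constructed traffic using documentation address ranges; table capped at 3.
    fw, srv = StateTable(max_entries=3), ("10.0.0.5", 443)
    out = [fw.inspect("198.51.100.7", 40000, *srv, {"SYN"}, 0),   # new, allowed
           fw.inspect("198.51.100.7", 40000, *srv, {"ACK"}, 1),   # matches state
           fw.inspect("198.51.100.9", 40001, *srv, {"ACK"}, 1)]   # no state: dropped
    for i in range(2):   # unanswered SYNs occupy the remaining slots
        fw.inspect(f"203.0.113.{i}", 50000, *srv, {"SYN"}, 2)
    return out + [fw.inspect("198.51.100.8", 40002, *srv, {"SYN"}, 2),    # table full
                  fw.inspect("198.51.100.8", 40002, *srv, {"SYN"}, 10)]   # half-open aged out
```

The legitimate client is refused while the table is full and accepted again once the half-open entries expire, while the established flow survives throughout.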
