Stateful Firewall vs. ACLs on router

  • This may sound like an easy one… but getting specific facts is not as simple…

    Can someone provide some factual evidence on why a Stateful Firewall is much more effective when compared to an ACL based security solution (IP filter).

    • What specific technical risks/weaknesses will be involved if router-based packet filter/Access Control List approach is used?
      -  Are there any OFFICIALLY published certifications/best practices that cover the use of stateful firewalls vs. ACLs and why one is better than the other? Any research papers on this topic?

    Thank you for any feedback!

  • Router ACLs are more easily spoofed (since they are not stateful).

    On the other hand router ACLs are much faster than a stateful firewall and might make sense where the session ramp-up could be faster than a firewall can handle (like the Olympics or a Victoria’s Secret show).

  • Well, since stateful firewalls have been on the market for quite a few years now and in many cases have evolved with enhanced new security features, I’m sure the web is full of “stateful vs. stateless” documents. But with regards to security, the obvious advantages of a stateful firewall in general would be:

    • The firewall keeps state on ALL communication passing through the firewall. This means that every single packet traversing the firewall is treated without regard to previous/future packets in a stateless/static firewall (router). An obvious drawback is that you need permanently open holes in your firewall to allow the traffic you need, rather than opening and closing holes/ports in your firewall depending on the state of the session. Another typical drawback that is common with most static/stateless firewalls is that they are vulnerable to spoofing and flooding.

    Now I also mentioned that stateful firewalls have evolved quite a bit over the last couple of years. Many stateful firewalls can inspect packets at higher levels (application layer) and protect specific applications from known/unknown threats. They can also reassemble fragmented packets to find hidden attacks. Yes, of course, deeper inspection and more functions can cost performance. But I’m sure there is a stateful firewall out there that will suit your needs.
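As an added illustration (not code from any poster in this thread), a small Python simulation of the difference described in the answer above: a router-style ACL judges each packet on its own header and so must keep a permanent “established” hole open for replies, while a stateful filter admits inbound packets only when they match a session it has recorded. The 10.0.0.0/8 inside network, the addresses, ports and rules are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False

def is_inside(ip: str) -> bool:
    """Constructed topology: the protected network is 10.0.0.0/8."""
    return ip.startswith("10.")

def stateless_acl(pkt: Packet) -> str:
    """Router ACL: judge each packet on its own header only. Rule 2 is the
    permanent 'established' hole (inbound with ACK set) that a stateless
    filter needs so replies to inside-initiated sessions can return."""
    if is_inside(pkt.src) and not is_inside(pkt.dst):
        return "permit"                      # rule 1: outbound traffic
    if not is_inside(pkt.src) and pkt.ack:
        return "permit"                      # rule 2: looks like a reply
    return "deny"                            # rule 3: everything else

class StatefulFirewall:
    """Inbound packets pass only if they match a session opened from inside."""
    def __init__(self) -> None:
        self.sessions: set[tuple] = set()

    def filter(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # reply direction
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            if pkt.syn and not pkt.ack:      # first packet opens the session
                self.sessions.add(fwd)
            return "permit" if fwd in self.sessions else "deny"
        return "permit" if rev in self.sessions else "deny"

def compare(packets):
    """Return (acl_verdict, firewall_verdict) for each packet, in order."""
    fw = StatefulFirewall()
    return [(stateless_acl(p), fw.filter(p)) for p in packets]

# Constructed traffic: outbound HTTPS session, its reply, and an unsolicited inbound packet with ACK set.
TRAFFIC = [
    Packet("10.1.1.5", "203.0.113.10", 40000, 443, syn=True),
    Packet("203.0.113.10", "10.1.1.5", 443, 40000, syn=True, ack=True),
    Packet("198.51.100.7", "10.1.1.9", 1234, 22, ack=True),
]
```

Running `compare(TRAFFIC)` shows both filters accepting the session and its reply, but only the stateful firewall rejecting the third packet, which the ACL’s permanent “established” rule lets through.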