Taking a Stateful Approach to Firewall Design
Traditionally, designers have turned to packet classification, also called stateless classification, to reach higher levels of performance in a firewall architecture. While it handles an individual packet well, the packet classification approach falls short: because it does not relate an individual packet to the flow it belongs to, a stateless classification engine can leave large holes in the firewall architecture, and closing them requires application-level proxying, which adds cost and degrades firewall performance.
What is needed is a stateful approach to classification. Rather than judging each packet in isolation, designers need to implement stateful classification techniques that classify the header properties of a packet and also track how that packet fits into an overall communication flow.
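The hole the article describes can be shown with a small, added example (written here, not taken from the original article): a stateless ACL that admits any inbound TCP segment with ACK set, the usual way a stateless filter approximates "established" traffic, accepts an unsolicited ACK-only segment aimed at an internal host, whereas a connection-tracking classifier drops it because no flow was ever opened from the inside. The protected range, the addresses, the ports and the simplified TCP state machine are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]   # subset of {"SYN", "ACK", "FIN", "RST"}

def is_inside(ip: str) -> bool:
    """Assumed trust boundary: 10.0.0.0/8 is the protected network."""
    return ip.startswith("10.")

def stateless_filter(pkt: Packet) -> str:
    """Stateless ACL: each packet is judged on its own header fields only."""
    if is_inside(pkt.src) and not is_inside(pkt.dst):
        return "ACCEPT"          # outbound traffic is always allowed
    if "ACK" in pkt.flags and "SYN" not in pkt.flags:
        return "ACCEPT"          # "established" rule: any ACK looks like a reply
    return "DROP"

FlowKey = Tuple[str, int, str, int]

class StatefulFilter:
    """Connection tracking: a packet is accepted only if it fits a known flow."""

    def __init__(self) -> None:
        self.flows: Dict[FlowKey, str] = {}   # originator 4-tuple -> state

    def process(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)   # originator -> responder
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # responder -> originator
        if "RST" in pkt.flags:
            # Tear down on RST from either side; an RST for an unknown flow is dropped
            for key in (fwd, rev):
                if key in self.flows:
                    del self.flows[key]
                    return "ACCEPT"
            return "DROP"
        if fwd in self.flows:
            state = self.flows[fwd]
            if state == "SYN_SENT" and pkt.flags == frozenset({"SYN"}):
                return "ACCEPT"                            # SYN retransmit
            if state == "SYN_RECV" and pkt.flags == frozenset({"ACK"}):
                self.flows[fwd] = "ESTABLISHED"           # handshake completes
                return "ACCEPT"
            if state == "ESTABLISHED" and "ACK" in pkt.flags:
                return "ACCEPT"
            return "DROP"
        if rev in self.flows:
            state = self.flows[rev]
            if state == "SYN_SENT" and pkt.flags == frozenset({"SYN", "ACK"}):
                self.flows[rev] = "SYN_RECV"
                return "ACCEPT"
            if state == "ESTABLISHED" and "ACK" in pkt.flags:
                return "ACCEPT"
            return "DROP"
        # No flow yet: only a pure SYN leaving the protected network may open one.
        # FIN teardown and idle timeouts are omitted to keep the state machine short.
        if pkt.flags == frozenset({"SYN"}) and is_inside(pkt.src) and not is_inside(pkt.dst):
            self.flows[fwd] = "SYN_SENT"
            return "ACCEPT"
        return "DROP"

def demo() -> dict:
    """Constructed traffic: one spoofed inbound ACK, then a legitimate outbound handshake."""
    spoofed = Packet("198.51.100.7", 443, "10.0.0.5", 445, frozenset({"ACK"}))
    handshake = [
        Packet("10.0.0.5", 40000, "198.51.100.7", 443, frozenset({"SYN"})),
        Packet("198.51.100.7", 443, "10.0.0.5", 40000, frozenset({"SYN", "ACK"})),
        Packet("10.0.0.5", 40000, "198.51.100.7", 443, frozenset({"ACK"})),
        Packet("198.51.100.7", 443, "10.0.0.5", 40000, frozenset({"ACK"})),  # server data
    ]
    fw = StatefulFilter()
    return {
        "stateless_spoofed": stateless_filter(spoofed),
        "stateful_spoofed": fw.process(spoofed),
        "stateful_handshake": [fw.process(p) for p in handshake],
    }

if __name__ == "__main__":
    print(demo())
```

The stateless verdict on the spoofed segment is ACCEPT, the stateful verdict is DROP, and the genuine handshake passes all four packets; the only difference is that the second classifier remembers which side sent the SYN.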
The link for this article located at CommsDesign is no longer available.