Stateful Packet Inspection
Stateful packet inspection, also called stateful packet filtering, provides the best combination
of security and performance because connections are not only checked against an ACL but also
recorded in a small database known as the state table. After a connection is established, all
session data is compared to the state table. If the session data does not match the state table
information for that connection, the packet is dropped.
Figure 2-3 depicts, using the OSI reference model, how traffic passes through a stateful
packet inspection firewall from the source to the destination. Note that the traffic enters
between the network and transport layers, and is verified against the state table and the rule
set, while basic protocol compliance is checked at the upper layers.
[Figure 2-3: OSI reference model stacks (Application, Presentation, Session, Transport, Network, Data Link, Physical) for the Source, the firewall (labeled "Proxy Firewall" in the figure), and the Destination]
Cisco PIX Firewall 31
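The behaviour described above (an ACL consulted only for new connections, a state table consulted for everything else, and out-of-state packets dropped) can be modelled in a few dozen lines. The following is an added, simplified Python model written for this discussion; it is not PIX code and does not reproduce the PIX state machine. The addresses, ports, rule set and packet trace are constructed for the example, and the state names and decision strings are arbitrary choices of the model.

```python
"""Toy stateful packet filter: ACL for new connections, state table for the rest.

Constructed teaching model, not the Cisco PIX implementation.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: FrozenSet[str]  # subset of {"SYN", "ACK", "FIN", "RST"}


@dataclass
class AclRule:
    src_net: str
    dst_net: str
    dport: Optional[int]  # None means any destination port
    action: str           # "permit" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and (self.dport is None or self.dport == pkt.dport))


# State-table key: (initiator addr, initiator port, responder addr, responder port)
ConnKey = Tuple[str, int, str, int]


@dataclass
class StatefulFirewall:
    acl: List[AclRule]
    # Connection key -> handshake state ("SYN_SENT", "SYN_RECV", "ESTABLISHED", "CLOSING")
    state_table: Dict[ConnKey, str] = field(default_factory=dict)

    def _lookup(self, pkt: Packet) -> Optional[Tuple[ConnKey, bool]]:
        """Find the state entry for a packet in either direction."""
        fwd: ConnKey = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if fwd in self.state_table:
            return fwd, True
        rev: ConnKey = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if rev in self.state_table:
            return rev, False
        return None

    def acl_permits(self, pkt: Packet) -> bool:
        """First matching rule wins; no match is an implicit deny."""
        for rule in self.acl:
            if rule.matches(pkt):
                return rule.action == "permit"
        return False

    def process(self, pkt: Packet) -> str:
        hit = self._lookup(pkt)
        if hit is None:
            # No state exists: only a bare SYN may open a connection, and only via the ACL.
            if pkt.flags != {"SYN"}:
                return "drop (no state)"
            if not self.acl_permits(pkt):
                return "drop (acl)"
            self.state_table[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = "SYN_SENT"
            return "permit (new)"
        key, from_initiator = hit
        state = self.state_table[key]
        if "RST" in pkt.flags:          # reset tears the entry down
            del self.state_table[key]
            return "permit (reset)"
        # Basic protocol compliance: the handshake must progress in order.
        if state == "SYN_SENT":
            if not from_initiator and pkt.flags == {"SYN", "ACK"}:
                self.state_table[key] = "SYN_RECV"
                return "permit (syn-ack)"
            return "drop (out of state)"
        if state == "SYN_RECV":
            if from_initiator and pkt.flags == {"ACK"}:
                self.state_table[key] = "ESTABLISHED"
                return "permit (established)"
            return "drop (out of state)"
        if state == "ESTABLISHED":
            if "SYN" in pkt.flags:      # a new SYN inside a live session is not compliant
                return "drop (out of state)"
            if "FIN" in pkt.flags:
                self.state_table[key] = "CLOSING"
            return "permit"
        # CLOSING: allow the second FIN and the final ACKs, then forget the connection.
        if "FIN" in pkt.flags:
            del self.state_table[key]
        return "permit"


def demo() -> List[str]:
    """Run a constructed trace through the model and return the per-packet decisions."""
    fw = StatefulFirewall(acl=[AclRule("10.0.0.0/8", "203.0.113.0/24", 80, "permit")])
    trace = [
        Packet("10.1.1.5", "203.0.113.10", 40000, 80, frozenset({"SYN"})),        # new, ACL permits
        Packet("203.0.113.10", "10.1.1.5", 80, 40000, frozenset({"SYN", "ACK"})), # reply matches state
        Packet("10.1.1.5", "203.0.113.10", 40000, 80, frozenset({"ACK"})),        # handshake completes
        Packet("203.0.113.10", "10.1.1.5", 80, 40001, frozenset({"ACK"})),        # unsolicited, no entry
        Packet("10.1.1.5", "203.0.113.10", 40000, 23, frozenset({"SYN"})),        # new, ACL denies
        Packet("10.1.1.5", "203.0.113.10", 40000, 80, frozenset({"SYN"})),        # SYN on live session
    ]
    return [fw.process(p) for p in trace]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The trace makes the two-stage decision visible: the fourth packet is dropped because no state entry exists for it even though it comes from a permitted network, and the last packet is dropped because it violates the handshake order for an entry that does exist. A real firewall also tracks sequence numbers, timeouts and UDP/ICMP pseudo-state, which the model omits.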