Published by Lester Chapman. Modified over 9 years ago.
Stateful Filtering and Stateful Inspection
Stateful filtering has been used to define the stateful tracking of protocol information at Layer 4 and lower. Stateful filtering products exhibit no knowledge of application layer protocols. At the most basic level, such products use the tracking of the IP addresses and port numbers of the connecting parties to track state. More advanced forms of stateful filtering can also track sequence and acknowledgment numbers and the TCP packet flags. With the addition of these criteria, we can get truly stateful connection tracking for TCP, although we still lack the ability to differentiate traffic flows at the application level.
Stateful inspection, in contrast, has come to be used as a description of the devices that track state using all the Layer 4-type information listed previously, as well as the tracking of application-level commands. All this information can be combined to offer a relatively strong definition of the individual connection's state. Also, because Layer 7 information is being examined, extra insight into nonstandard protocol behaviors is available. This allows normally troublesome protocols such as FTP and H.323 to be securely passed by the device without complication. Stateful inspection is a term originally coined by the security product manufacturer Check Point, the maker of FireWall-1, for the way FireWall-1 handles the tracking of state information.
It comprises both the tracking of state using Layer 4 protocol information and the tracking of application-level traffic commands. In both stateful filtering and stateful inspection, the tracked state information is most often recorded into a state table that tracks the information until a connection is torn down (as with TCP) or until a preconfigured timeout is reached (TCP, UDP, and ICMP). Every vendor has its own implementation of these methods.
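The state table described above, as an added sketch that is not from the original presentation or any vendor's implementation. It tracks Layer 4 state only (stateful filtering, no application-layer awareness); the `Packet` model, the timeout values, the addresses and the policy that only inside hosts may open flows are assumptions.

```python
from collections import namedtuple
Packet = namedtuple("Packet", "proto src sport dst dport flags outbound")  # constructed
IDLE_TIMEOUT = {"tcp": 3600, "udp": 30}  # seconds; assumed values

class StateTable:
    def __init__(self):
        self.entries = {}  # flow key -> {"last_seen": time, "fins": directions}
    @staticmethod
    def _key(p):  # both directions map to one entry, inside endpoint first
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (p.proto, a, b) if p.outbound else (p.proto, b, a)

    def process(self, p, now):
        key = self._key(p)
        entry = self.entries.get(key)
        if entry and now - entry["last_seen"] > IDLE_TIMEOUT[p.proto]:
            del self.entries[key]  # preconfigured timeout reached
            entry = None
        if entry is None:
            # Only inside hosts open flows; a new TCP flow must be a bare SYN.
            if not p.outbound or (p.proto == "tcp" and p.flags != {"SYN"}):
                return "drop"
            self.entries[key] = {"last_seen": now, "fins": set()}
            return "allow"
        entry["last_seen"] = now
        if p.proto == "tcp" and "RST" in p.flags:
            del self.entries[key]  # reset tears the connection down
        elif p.proto == "tcp" and "FIN" in p.flags:
            entry["fins"].add(p.outbound)
            if len(entry["fins"]) == 2:  # both sides closed (simplified: a real
                del self.entries[key]    # tracker lingers for the final ACK)
        return "allow"

def pkt(proto, flags, outbound):  # constructed flow: inside host <-> outside server
    inside, outside = ("10.0.0.5", 40000), ("192.0.2.10", 53 if proto == "udp" else 80)
    src, dst = (inside, outside) if outbound else (outside, inside)
    return Packet(proto, *src, *dst, frozenset(flags), outbound)

def demo():
    t = StateTable()
    return [
        t.process(pkt("tcp", ["SYN", "ACK"], False), 0),  # unsolicited inbound: drop
        t.process(pkt("tcp", ["SYN"], True), 1),          # inside opens: allow
        t.process(pkt("tcp", ["SYN", "ACK"], False), 2),  # reply matches state: allow
        t.process(pkt("tcp", ["RST"], False), 3),         # teardown: allow, entry removed
        t.process(pkt("tcp", ["ACK"], False), 4),         # no state left: drop
        t.process(pkt("udp", [], True), 5),               # UDP query creates entry
        t.process(pkt("udp", [], False), 40),             # reply after 30 s timeout: drop
    ]
```

Nothing here reads the payload, so a protocol such as FTP that negotiates a second connection inside its control channel would have that connection dropped; closing that gap is what the Layer 7 tracking of stateful inspection adds.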