Stateful vs Stateless Firewalls - You NEED to know the difference
Ғылым және технология
In this video Adrian explains the difference between stateful vs stateless firewalls. He covers REQUEST and RESPONSE parts of a TCP connection as well as ephemeral ports
▶ Check out Adrian's full range of content at learn.cantrill.io
▶ Join the best online technical study community techstudyslack.com
FOLLOW ME 😺
▶ Twitter: / adriancantrill
▶ KZread: / learncantrill
OTHER VIDEOS AND PLAYLISTS 🎞
▶ Network Fundamentals • Networking Fundamentals
▶ Technical Fundamentals • Technical Fundamentals
▶ AWS Fundamentals • AWS Fundamentals
▶ Course Intros • learn.cantrill.io - Co...
▶ Exam Question Practice • AWS Exam Question Walk...
▶ MINI PROJECT - Hybrid DNS • Mini Project - Hybrid ...
▶ MINI PROJECT - Advanced VPN • Mini-project - Advance...
▶ MINI PROJECT - Pet Cuddle O Tron • Mini-project - Pet-Cud...
▶ MINI PROJECT - Web Identity Federation • Mini-project - Simple ...
▶ MINI PROJECT - Architecture Evolution • Mini-project - Applica...
▶ MINI PROJECT - Cat Pipeline • Mini Project - CatPipe...
▶ Best Videos • Best Videos
All rights reserved © 2022 Adrian Cantrill
Пікірлер: 90
I've looked up this stateless vs stateful subject many times before and nowhere has it been explained better than in this video! Brilliant job, thank you!
@LearnCantrill
Жыл бұрын
Glad it was helpful!
@blackie5566
Жыл бұрын
I second that, one of the best explanations!!! Thank you so much
As a Networks instructor, I see that this video is helpful and professional. 20/20
@LearnCantrill
Жыл бұрын
thanks !! glad you like it.
I've been in network security for sometime now, and this is one of the best ways I've seen this explained. Great work!
Brilliant video, broken down each and every part very detailed and straight to the point.
@LearnCantrill
Жыл бұрын
Glad you liked it.
- When you make a connection using TCP each side is sending IP packets to each other. TCP is layer 4 protocol which runs on top of IP and adds error correction and ports. - Each connection by a user via client to an application on a server consists of two parts- the request (initiation) and the response which are two parts of the same interaction - client picks a temporary (ephemeral) port as its source which has a value between 1024 and 65536. Then the client initiates a connection to the server using a well known destination port 443 - https. Well known ports are associated with popular applications. This is the request part. The client asking for something from the server. - Next the server responds with some type of data. The server connects to the source IPof the request which is the clien. It connects to the client's port which is an ephemeral port. This is the response part. It is from the server on that well known port 443 to the client on the ephemeral port chosen by the client - It is is this values that uniquely identify a connection - source Ip and source port, and destination IP and destination port. - Each interaction/connection comprises of a request part and response component. The directionality of the transmission depends on the node's perspective. The direction of a request or response isnt always outbound or inbound. There are outgoing requests, outgoing responses, incoming requests and incoming responses. Some servers can have all, like web servers, where the both initiate and accept connections. For every connection start with the request and the response will be the inverse - When the client initiates a request, packets are sent to the server with a source IP and source port of the client and destination IP and destination port of the server. This request is an outbound request from the client perspective and an inbound request from the server perspective - Firewalls require consideration of perspective - directionality when defining rules for connections. The response is always inverse direction to the request - source IP, source port and destination IP and destination port switch. - Stateless firewalls see the request and response as separate activities. Allowing or denying them is done individually so there are two separate rules required one for the request and another for the response. Therefore more management overhead with more rules required per connection - The request component is always going to be to a well know port. The response is always going to be from a server to a client going to a random ephemeral port chosen by the client's OS. And because the firewall is stateless it has no way of knowing which specific port the response is destined for. Therefore in the firewall rules traffic in the full range of ephemeral ports must be allowed which isn't ideal for security engineers. - Stateful firewalls are intelligent enough to identify the response component from it's request component. By comparing the ports and IP of the request and response and if they're the same it can link them to each other. Therefore, for a specific request the stateful firewall automatically knows which data is the response and automatically allows it. Therefore only one rule required for stateful firewalls which is for allowing/denying the request and the response is automatically allowed/denied significantly reducing admin overhead. In addition there's no need to allow traffic for the entire ephemeral port range as the firewall knows the specific ephemeral port for the connection
Thanks for the amazing work you're putting in !
@LearnCantrill
2 жыл бұрын
Glad you enjoy it!
Well articulately explained. Also quickly refreshed some of the Network layer concepts before diving into the topic, this is something I always wanted.
Best explanation ever. Clarity pro max!
Excellent Explanation, I'm still learning a lot but this is spot on and really breaks it down for me to understand. Thank you.
Literally, brilliant way to teach. Thanks ❤
Excellent video and explanation. You have cleared up so many topics for me.
@LearnCantrill
Жыл бұрын
Glad it was helpful!
What a great explanation! Great job!!
@LearnCantrill
2 жыл бұрын
Thanks Danilo :) please like, share and subscribe (*shudders at sounding like a youtuber*)
Good slides, good explanations, good video. Thanks for making me smarter.
@LearnCantrill
Жыл бұрын
glad it helps :)
what a fantastic explanation along with slides. Thank u very much
well explained..thanks a lot!
Oh this explaination is excellent and helps a lot
Fantastic explanation!
Great job, very educational!
@LearnCantrill
Жыл бұрын
Thanks !!! glad you find it valuable.
Very simple explanation. Thank you!
@LearnCantrill
Жыл бұрын
Glad it was helpful!
Great Video understandable.You are doing well at teaching
Very clear explanation and incredibly helpful. One thing that still confuses me is the ‘overhead’ part which you say is lower on stateful firewalls. Since they record the state of a connection whereas a stateless firewall doesn’t; it’s more intuitive for me to say that a stateless firewall therefore needs less memory and has less overhead as a consequence. But I’m probably mistaken one concept for the other.
@LearnCantrill
Жыл бұрын
no you are correct.
Very good explanation
This is video is 10/10 🎉🎉 appreciate the effort ❤ U got a new sub
Great animation and explanation. Thanks!
@LearnCantrill
Жыл бұрын
Glad it was helpful!
@LearnCantrill
Жыл бұрын
Thanks :) glad it helped.
Excellent! Would you be able to point me to the "next video" that helps explain AWS State/Stateless that you mentioned?
Thanks again for the great video 😀😀😀
@LearnCantrill
2 жыл бұрын
Thanks for watching!
video starts at 8:20 if you already know the basics of what a firewall is.
Great video, subscribed and liked. Just curious wouldn't modern systems only use the ranges of 49152 to 65535 as their ephemeral ports?
Great video! I am looking to block inbound SMB port 445 across Windows workstations in my environment. If I leave workstations with the ability to make an outbound SMB connection to a printer server and allow the print/file server inbound SMB allow access, will the computers still be able to communicate with the server back and forth (outbound + inbound) even though there is a deny rule on incoming SMB connections? How will the Firewall know which to choose since the rules are almost conflicting, is it going to choose the automatic deny?
Wow, super explained recommended
@LearnCantrill
Жыл бұрын
Glad you liked it
holy hell!! this ws explained very well. subbed!!
@LearnCantrill
Жыл бұрын
thanks, glad you like it.
Excellent, thank you
@LearnCantrill
Жыл бұрын
Glad it helped
Very well explained video and excellently well illustrated to boot - I would say one thing and thats the use of the ephemeral port numbers which are the same as the IP of the target which threw me for a second as confusing but maybe might mislead others into thinking the port number somehow defaults to the IP of the target which it wouldnt i suspect? Loved the video as my go to explainer for people and myself when i have to jog the grey matter.
@LearnCantrill
Жыл бұрын
that's not a bad idea actually.. i might tweak that in the next version. Thanks.
one of the best. thanks
@LearnCantrill
11 ай бұрын
Glad you like it!
Nice articulated 😊
@LearnCantrill
Жыл бұрын
Thanks! 🙂
Amazing explanation. Just amazing
super helpful. Thanks for this. What do you use to create these diagrams? If you don't mind sharing.
@LearnCantrill
Жыл бұрын
it's not one single tool ... it would be a whole set of videos itself to show how to create them.
@ggin2008
Жыл бұрын
@@LearnCantrill I can imagine. they are very good and it would awesome if you could demonstrate it some day. thank you so much for all the work you do. really helpful and high quality content.
Hey There. Im taking your AWS Solutions Architect - Professional course. It has been a great experience. I am stuck on one demo because I need to increase my vCPU limit to create an EC2. Currently my vCPU limit is 8. How do I increase it and how much should i increase it
great video!
@LearnCantrill
2 жыл бұрын
Thanks!
great, thanks
@LearnCantrill
10 ай бұрын
Glad you liked it!
Satisfactory ❤
I think AWS security group acts like a Stateful firewall? Am I correct?
@LearnCantrill
2 жыл бұрын
correct !! , with some additional enhancements ... since security groups can reference other security groups and themselves :)
It’d be a crime to follow, like and comment. Thank you for a Job well done!
Super presentation
@LearnCantrill
Жыл бұрын
Thank you
Thanks
@LearnCantrill
Жыл бұрын
thank you !! :)
Thank you
@LearnCantrill
Жыл бұрын
Glad you like.
you are the man baruch hashem
@LearnCantrill
Жыл бұрын
glad you like :)
Legend!
@LearnCantrill
Жыл бұрын
thanks, glad you like.
Then why would people opt to use stateless firewalls instead of stateful firewalls?
@LearnCantrill
2 жыл бұрын
in most cases you wouldn't - it's an older tech. it gives you a little more control .. you can control both sides of traffic flow.
@mdgm88
2 жыл бұрын
With AWS security groups (stateful) apply to things like instances (e.g. EC2, RDS) and ELB. NACL (stateless) apply at the subnet level. You’d probably always use security groups where you can, and use NACL in addition if you need a bit of extra control e.g. to block all pings to a subnet.
❤❤❤
Nobody does it better...
waiting for layer 6 and 7
@LearnCantrill
2 жыл бұрын
Stay tuned.
good video, but to put it clearer , if the packet go to the router, INBOUND, if they leave OUTBOUND. it is the perspective of the router.
@LearnCantrill
10 ай бұрын
how is that clearer? you've just used a router vs a client/server ?
WTF 😳 my brain exploded , couldn’t understand anything. Pls simplify next time.
@LearnCantrill
Жыл бұрын
This is the simplified version. But there is other stuff you need to understand first. Maybe check out my networking fundamentals series.
@c.s1055
2 ай бұрын
Me too