Stateful vs Stateless Access Control Lists: What’s the Difference

Systems and network administrators must be fully conversant with Access Control Lists (ACL). That is so they are proficient in setting up and managing the user privileges that control who gets access, and to what, on their servers and networks. All operating systems have access control list functions. You will find them in Windows, Unix, MacOS, and of course in all Linux variants. You will also see ACLs at work in Amazon Web Services (AWS) and other cloud services.

Candidates for CompTIA Linux+ certification are tested on a full range of ACL functions and settings. For example, in the Security section of the certification exam, candidates are expected to identify the different use cases between stateful and stateless ACLs in relation to implementing and configuring Linux firewalls.

What is an Access Control List?

Access control lists first in Unix, and later in Linux, were designed to protect files systems. In this context, ACLs are used to define which users and groups of users can access folders and files, and the rights or permissions that they have to use or modify them. The file system ACL specifies the rights that permit users to create/update a file or folder, or to run a program file.

When you issue the Linux 'ls -l' command, you see the files and folder listing with the permissions in the familiar '-rwxrwxrwx' format. The 'r' means read, the 'w' means write, and 'x' means execute. The first set of 'rwx' settings is for the owner of the file or folder, the second set is for the user group associated with them, and the third set is for all other users. Admins use the 'getfacl' and 'setfacl' Linux commands to view and set or modify permissions on files and directories.

What is a Network Access Control List?

In the same way that ACLs control access to filesystem resources, Network Access Control Lists control the incoming and outgoing flow of network traffic, securely routing authorized packets to their intended destinations and blocking unauthorized traffic. Network Access Control Lists are what the CompTIA Linux+ certification exam is referencing relative implementing and configuring Linux firewalls.

Firewall functionality can be implemented either in networking hardware or in a host server (Linux or Windows) based on business and/or technical considerations. If you are running a small-scale networked environment, a Linux-based firewall may fit your budget better than a standalone firewall. Wherever it is implemented, your firewall follows your defined security rules, to monitor and control traffic flow into and out of your network.

Within Linux, network ACL functionality is executed in the Netfilter framework, which is part of the Linux kernel. Netfilter allows for packet filtering and logging, network address and port translation, and other network traffic filtering functions. The firewall filtering rules are set up for Netfilter through a user-space command-line utility called iptables. Now iptables syntax can be complicated, so system and network admins will typically use a user-friendly front-end like UFW (for Ubuntu), or firewalld (for Red Hat, CentOS, SUSE, and other distros).

Stateless and Stateful Network ACLs

What are stateful and stateless firewalls? The difference is in how they handle the individual packets. A stateless firewall looks at each individual packet, filtering it and processing it per the rules specified in the network access control list. It does not look at, or care about, other packets in the network session.

Stateless firewalls look only at the packet header information and are not able to detect if traffic is authorized or not. On the other hand, a stateful firewall knows about the status of every packet in a session and exercises defined rulesets to detect and reject unauthorized traffic.

Your Linux-based firewall will allow for both stateful and stateless connections, depending on the type of applications you are planning to run. For example, shopping cart and database applications will require stateful connections, whereas stateless connections are fine for web servers. If a web search is interrupted, the end user can simply reenter it. Netfilter supports both stateless and stateful access control lists for both IPv4 and IPv6 protocols.

Why a Stateless Firewall?

Because a stateless firewall does not need to process and store data related to each connection, it will require less memory and will be much faster than a stateful firewall. However, this performance comes with the downside that if they are not well administered, stateless firewalls may be easier for hackers to penetrate. Because of the simplicity and speed of operation, stateless firewalls are a frequent choice to protect small networks.

Why a Stateful Firewall?

Stateful firewalls are less efficient at handling traffic, but they offer much more robust detection of — and protection against — unauthorized access. They also need fewer ports than an equivalent stateless firewall. Using iptables commands, Linux admins can implement a rigorous security regime for incoming and outgoing traffic.

For example, you can direct Netfilter to block traffic to or from specific IP addresses or ports, block floods of website requests, disable outgoing emails, and limit the number of concurrent connections from specific IP addresses. For audit and forensic purposes, you can also keep a log of dropped network packets.

Stateful firewalls are not invincible! Like any system, they can be vulnerable to hackers if they are not administered and updated conscientiously.

Final Thoughts

Network security is a top job priority for systems administrators, who are expected to be proficient at setting up Linux firewall configurations. If you are thinking of becoming CompTIA Linux+ certified, then make CBT Nuggets' CompTIA Linux+ (XK0-004) online training an integral part of your study plan! Learn from Shawn Powers as he introduces you to Netfilter and iptables, and then explains in detail how to manipulate Linux firewalls on Ubuntu and CentOS Linux distributions.