Which of the following statements is true regarding a stateless packet-filtering firewall? (Select the best answer.)
- It can operate at Layer 4 of the OSI model.
- It is more secure than a stateful packet-filtering firewall.
- It tracks packets as a part of a stream.
- It is not susceptible to IP spoofing attacks.
A stateless packet-filtering firewall can operate at Layer 4 of the Open Systems Interconnection (OSI) model.
A stateless packet-filtering firewall, which is also referred to as a static packet-filtering firewall, evaluates each packet on its own and either blocks or allows it based on the Layer 3 and Layer 4 information in the packet header. Specifically, stateless packet-filtering firewalls match on the source and destination IP addresses, the source and destination port numbers, and the protocol type listed in the packet header; these five values are commonly known as the 5-tuple. Because a stateless packet-filtering firewall trusts the source IP address written in the header and has no way to verify that the packet really came from that host, it is susceptible to IP spoofing attacks. In an IP spoofing attack, an attacker sends packets carrying the source IP address of a trusted host so that they appear to come from a legitimate host on the network and match an allow rule written for that host. The problem is compounded by the fact that a stateless filter needs a separate, typically broad rule to admit return traffic (for example, anything from a server's port 443 back to the internal network), and that rule is satisfied by any packet that merely claims to be a reply. In addition, because a stateless packet-filtering firewall evaluates packets individually, it cannot evaluate data streams or track connections, so it cannot tell whether a packet belongs to a session that was actually established. A common partial mitigation is ingress filtering: dropping packets that arrive on the external interface with an internal source address.
By contrast, stateful packet-filtering firewalls traditionally operate at Layers 3, 4, and 5 of the OSI model. Stateful packet-filtering firewalls are more secure than stateless packet-filtering firewalls and are commonly used because of their versatility and their ability to dynamically monitor and filter packets. A stateful packet-filtering firewall maintains and tracks session information in a state table and uses it to determine whether packets should be permitted or blocked. For example, when monitoring Transmission Control Protocol (TCP) traffic, the stateful packet filter consults its rule base only for the packet that opens a new session (the initial SYN) and, if that packet is permitted, adds an entry to the state table. Subsequent packets in either direction are verified against the state table to ensure that they belong to a tracked session and are in the expected sequence; return traffic no longer needs its own broad allow rule. If a packet matches no state-table entry, or its TCP sequence number is not in the expected range, the packet is dropped. Note that this does not prevent an attacker from spoofing the initial SYN of a new connection, but it does stop spoofed packets from being injected into an existing session or from being accepted as replies to a session that was never opened.
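The following simulation, added here as an illustration and not taken from the original explanation, puts the two designs side by side: a stateless filter that judges every packet on its 5-tuple, and a stateful filter that keeps a state table keyed by the initiating 5-tuple and checks each later packet against the expected sequence number for its direction. The hosts, ports, rules and packets are constructed for the example; the sequence-window logic is a deliberate simplification of what a real firewall does.

```python
"""Stateless (5-tuple) vs. stateful (state-table) packet filtering, simulated.

Constructed example: all addresses, ports, rules and packets are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str                       # "tcp" or "udp"
    flags: frozenset = frozenset()   # TCP control flags, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}
    seq: int = 0                     # TCP sequence number of this segment
    length: int = 0                  # payload bytes (0 for pure control segments)

    def five_tuple(self):
        return (self.src_ip, self.dst_ip, self.src_port, self.dst_port, self.proto)

    def reverse_tuple(self):
        return (self.dst_ip, self.src_ip, self.dst_port, self.src_port, self.proto)


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src_ip: str = "*"
    dst_ip: str = "*"
    src_port: object = "*"   # int or "*" wildcard
    dst_port: object = "*"
    proto: str = "*"

    def matches(self, pkt):
        wanted = (self.src_ip, self.dst_ip, self.src_port, self.dst_port, self.proto)
        return all(w == "*" or w == v for w, v in zip(wanted, pkt.five_tuple()))


class StatelessFilter:
    """Static packet filter: each packet is judged on its own 5-tuple, first match wins."""

    def __init__(self, rules, default="deny"):
        self.rules, self.default = list(rules), default

    def decide(self, pkt):
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default


class StatefulFilter:
    """Stateful filter: the rule base is consulted only for a new TCP connection (a bare
    SYN). Every later TCP packet must match a state-table entry, in either direction,
    and carry a sequence number near the one expected for that direction."""

    WINDOW = 65535   # simplified fixed window for the sequence-number range check

    def __init__(self, rules, default="deny"):
        self.rules_filter = StatelessFilter(rules, default)
        self.table = {}   # initiator 5-tuple -> {"i_next": int, "r_next": int | None}

    def _in_window(self, seq, expected):
        return expected is not None and expected - self.WINDOW <= seq < expected + self.WINDOW

    def decide(self, pkt):
        if pkt.proto != "tcp":                      # non-TCP: plain rule lookup here
            return self.rules_filter.decide(pkt)
        fwd, rev = pkt.five_tuple(), pkt.reverse_tuple()
        advance = pkt.length + ("SYN" in pkt.flags) + ("FIN" in pkt.flags)

        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            # New connection attempt: rules decide, and an allow opens a state entry.
            if fwd in self.table or self.rules_filter.decide(pkt) != "allow":
                return "deny"
            self.table[fwd] = {"i_next": pkt.seq + 1, "r_next": None}
            return "allow"

        if fwd in self.table:                       # initiator -> responder
            entry, key = self.table[fwd], "i_next"
        elif rev in self.table:                     # responder -> initiator
            entry, key = self.table[rev], "r_next"
            if "SYN" in pkt.flags and entry["r_next"] is None:
                entry["r_next"] = pkt.seq + 1       # SYN/ACK fixes the responder's ISN
                return "allow"
        else:
            return "deny"                           # no session: dropped regardless of source IP

        if not self._in_window(pkt.seq, entry[key]):
            return "deny"                           # sequence number outside expected range
        entry[key] = max(entry[key], pkt.seq + advance)
        return "allow"


def run_scenario():
    """Constructed traffic: admin host 192.168.1.10 opens SSH to 10.0.0.5, then an attacker
    sends packets that spoof the admin host's address. Returns {name: (stateless, stateful)}."""
    rules = [
        Rule("allow", src_ip="192.168.1.10", dst_ip="10.0.0.5", dst_port=22, proto="tcp"),
        # The stateless filter needs this broad return rule; the stateful one ignores it.
        Rule("allow", src_ip="10.0.0.5", src_port=22, dst_ip="192.168.1.10", proto="tcp"),
    ]
    stateless, stateful = StatelessFilter(rules), StatefulFilter(rules)
    flow = [
        ("syn", Packet("192.168.1.10", "10.0.0.5", 40000, 22, "tcp", frozenset({"SYN"}), seq=1_000_000)),
        ("synack", Packet("10.0.0.5", "192.168.1.10", 22, 40000, "tcp", frozenset({"SYN", "ACK"}), seq=5_000_000)),
        ("ack", Packet("192.168.1.10", "10.0.0.5", 40000, 22, "tcp", frozenset({"ACK"}), seq=1_000_001)),
        ("data", Packet("192.168.1.10", "10.0.0.5", 40000, 22, "tcp", frozenset({"ACK"}), seq=1_000_001, length=64)),
        # Spoofed: trusted source IP, but no tracked session for this 5-tuple.
        ("spoof_new", Packet("192.168.1.10", "10.0.0.5", 41111, 22, "tcp", frozenset({"ACK"}), seq=7, length=32)),
        # Spoofed: right 5-tuple, but a sequence number nowhere near the expected one.
        ("spoof_inject", Packet("192.168.1.10", "10.0.0.5", 40000, 22, "tcp", frozenset({"ACK"}), seq=7, length=32)),
    ]
    return {name: (stateless.decide(pkt), stateful.decide(pkt)) for name, pkt in flow}


if __name__ == "__main__":
    for name, (a, b) in run_scenario().items():
        print(f"{name:13s} stateless={a:5s} stateful={b}")
```

Both filters pass the legitimate handshake and data. The stateless filter also passes both spoofed packets, because each one matches the allow rule for the trusted address on its own; the stateful filter drops the first for having no state-table entry and the second for an out-of-range sequence number. A spoofed bare SYN would still get through the stateful filter, which is why ingress filtering of impossible source addresses remains a separate control.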