Does IPsec Do ‘Stateful’ Filtering?

====================== DISCLAIMER ====================
This posting is provided "AS IS" with no warranties, and confers no rights.
====================================================

What Is ‘Stateful’ Filtering?
Stateful filtering is the type of packet filtering that firewalls do, where the firewall records certain details from packets leaving the protected network and then compares them against any returning packets destined for the original sender. The firewall makes sure that the details of the packets coming in are the same as the details it recorded from the packets going out. If they match, the packets are forwarded; if not, the packets are dropped and an event is raised.

Does IPsec Do This?
The simple answer is ‘No’. IPsec filters packets based upon a previously agreed-upon ‘contract’ called a ‘Security Association’ or SA. Packets are accepted or dropped based upon the rules in an SA (the process is a bit more complex than this, but this is the observed outcome).

This filtering is very similar in its end result (packets are accepted or dropped based upon information in the packets), but it differs in where and when it happens. With IPsec, the packets are dropped by the IPsec peer itself when they reach the peer, not by a firewall on behalf of the peer.
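
The contrast above, as an added example that is not part of the original posting: a simplified model in which the firewall keeps per-flow memory while the IPsec peer only checks fixed, pre-agreed rules. The class names, selector layout and addresses are hypothetical, and real SA processing is more involved than this.

```python
from collections import namedtuple

# Constructed packet model; all addresses and ports are sample values.
Packet = namedtuple("Packet", "src sport dst dport proto")
CLIENT, SERVER, OTHER = "10.0.0.5", "192.0.2.10", "198.51.100.7"


class StatefulFilter:
    """Firewall-style: remembers outbound flows and admits only their replies."""

    def __init__(self):
        self.flows = set()   # details recorded from packets leaving the network
        self.events = []     # every dropped packet raises an event

    def outbound(self, p):
        self.flows.add((p.src, p.sport, p.dst, p.dport, p.proto))
        return "forward"

    def inbound(self, p):
        # A valid reply is a recorded flow with source and destination swapped.
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.flows:
            return "forward"
        self.events.append(p)
        return "drop"


class SaFilter:
    """IPsec-peer-style (assumed model): fixed agreed rules, no per-flow memory."""

    def __init__(self, selectors):
        # Hypothetical selector: (remote addr, local addr, local port, protocol)
        self.selectors = set(selectors)

    def inbound(self, p):
        rule = (p.src, p.dst, p.dport, p.proto)
        return "accept" if rule in self.selectors else "drop"


def demo():
    fw = StatefulFilter()                      # firewall in front of CLIENT
    fw.outbound(Packet(CLIENT, 40000, SERVER, 443, "tcp"))
    sa = SaFilter({(CLIENT, SERVER, 443, "tcp")})   # filtering done on SERVER
    return {
        "fw_reply": fw.inbound(Packet(SERVER, 443, CLIENT, 40000, "tcp")),
        "fw_unsolicited": fw.inbound(Packet(OTHER, 443, CLIENT, 40000, "tcp")),
        "fw_events": len(fw.events),
        # The peer accepts on the agreed rule alone; it never sent anything first.
        "sa_agreed_peer": sa.inbound(Packet(CLIENT, 40000, SERVER, 443, "tcp")),
        "sa_other_host": sa.inbound(Packet(OTHER, 40000, SERVER, 443, "tcp")),
    }
```
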

Can I Use Both For More Security?
Absolutely ‘Yes’! IPsec and firewalls of all types can work together to provide better security than either alone.

How Do I Enable IPsec Traffic Through A Firewall?
For information about enabling IPsec through a firewall, see the Microsoft Knowledge Base article 233256 (https://support.microsoft.com/default.aspx?scid=kb;en-us;233256).