Re: Stateful Packet Inspection Firewall

From: "SysAdm" <wjones@sitesmith.com>
Date: Wed, 12 Feb 2003 22:58:12 +0000 (UTC)

> <snip>
> which again broadly says that SPI maintains a table for all
> connections, and inspects packet contents for legality. My question
> again is how "legality" is defined; whether anything that the client
> computer initiates is treated as legitimate. My previous experience is
> only with software firewalls i.e. ZoneAlarm, which blocks off incoming
> ports but also controls which applications can access the net / listen
> to ports. Presumably SPI does not place any restrictions on client
> actions.
>
> This is a bit worrying, because it seems to me that SPI places no
> barriers in the path of a trojan that I might accidentally install
> (from an email attachment say) on my computer. If EvilTrojan installs
> and listens on port 400 for portscans, how is the firewall to
> differentiate between it and a legitimately written user application
> which may also wish to listen on port 400? Linksys techsupport tried
> to tell me SPI would prevent trojans, but they couldn't explain the
> above point, and I think they're wrong.

In a nutshell, stateful packet inspection simply means packets (incoming
and outgoing) are inspected and placed into a state table before they are
routed on to their destination. The stateful inspection checks to see
whether a packet is part of an established connection within the state
table. If it isn't (e.g. out-of-state, such as a TCP ACK without a
corresponding SYN already existing), and it doesn't correspond to any
explicit or implicit rule within the rulebase, it will be dropped.
Connections are only allowed if they are part of an explicit/implicit rule
contained within the firewall's rulebase.

Traditionally most firewalls would have an explicit drop rule as their last
rule. This effectively means that all traffic is allowed that you have
implicitly made rules for; however, the explicit drop rule is there to deny
any other (non-rule-related) traffic (e.g. your example).

So, in respect of trojans, one of the most important rules you must add to
your rulebase is to implicitly define which ports you allow outbound. If you
allow "any" outbound, the explicit drop rule will not help stop trojans.

SysAdm
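The decision logic SysAdm describes (state table keyed on the connection, new connections judged by the rulebase, out-of-state packets and everything else caught by the final explicit drop) and the outbound-port point at the end of the post, as an added example that is not part of the original thread. It is a toy model written for this page, not the code of any router or firewall: addresses, ports and rules are made up, and it ignores sequence numbers, timeouts and UDP so the two points stay visible.

```python
"""Toy stateful packet inspection (SPI) firewall.

Added example for this thread, not the original poster's code.  All
addresses, ports and rules below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

LAN = ip_network("192.168.1.0/24")  # assumed "inside" network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags present, e.g. frozenset({"SYN"})


@dataclass(frozen=True)
class Rule:
    direction: str        # "in" (Internet -> LAN) or "out" (LAN -> Internet)
    dport: Optional[int]  # None matches any destination port
    action: str           # "accept" or "drop"


ConnKey = Tuple[str, int, str, int]  # (src, sport, dst, dport) of the first SYN


class StatefulFirewall:
    def __init__(self, rules: List[Rule]):
        # Explicit drop as the last rule, as the post describes.
        self.rules = list(rules) + [Rule("in", None, "drop"), Rule("out", None, "drop")]
        self.state: Dict[ConnKey, str] = {}

    @staticmethod
    def direction(p: Packet) -> str:
        return "out" if ip_address(p.src) in LAN else "in"

    def process(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        key = fwd if fwd in self.state else rev if rev in self.state else None
        if key is not None:
            # Part of a connection already in the state table: allowed in
            # either direction without consulting the rulebase.
            if p.flags & {"FIN", "RST"}:
                del self.state[key]
            return "accept"
        if "SYN" in p.flags and "ACK" not in p.flags:
            # New connection attempt: the first matching rule decides, and
            # an accept creates the state-table entry.
            d = self.direction(p)
            for r in self.rules:
                if r.direction == d and r.dport in (None, p.dport):
                    if r.action == "accept":
                        self.state[fwd] = "SYN_SENT"
                    return r.action
        # Out-of-state (e.g. a bare ACK with no SYN on record): dropped.
        return "drop"


def run_scenario(allow_any_outbound: bool) -> Dict[str, str]:
    """Replay constructed packets; returns the verdict for each scenario."""
    if allow_any_outbound:
        rules = [Rule("out", None, "accept")]  # "any" outbound, as warned against
    else:
        rules = [Rule("out", 80, "accept"), Rule("out", 443, "accept")]  # web only
    fw = StatefulFirewall(rules)
    syn, synack, ack = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    return {
        # Browser opens a web connection: allowed by rule, entered in the table.
        "browser_syn": fw.process(Packet("192.168.1.10", 40000, "198.51.100.7", 80, syn)),
        # Server's SYN-ACK: no inbound rule, but it matches the state table.
        "server_synack": fw.process(Packet("198.51.100.7", 80, "192.168.1.10", 40000, synack)),
        # Scanner probes EvilTrojan's listener on port 400: no state, no rule.
        "scan_syn_400": fw.process(Packet("203.0.113.9", 55555, "192.168.1.10", 400, syn)),
        # Bare ACK with no SYN on record (out-of-state, e.g. an ACK scan).
        "stray_ack": fw.process(Packet("203.0.113.9", 55556, "192.168.1.10", 400, ack)),
        # EvilTrojan phones home outbound on a non-web port.
        "trojan_beacon": fw.process(Packet("192.168.1.10", 40001, "203.0.113.9", 6667, syn)),
    }


if __name__ == "__main__":
    for any_out in (False, True):
        print("any outbound" if any_out else "web-only outbound", run_scenario(any_out))
```

In both configurations the inbound probe of port 400 and the stray ACK are dropped, which is the protection Linksys support was describing. The difference is the last line of each run: with "any" outbound the trojan's beacon is accepted and creates a state entry that then lets the reply traffic back in, so the explicit drop rule never sees it; with only ports 80 and 443 allowed outbound it is dropped.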
