Re: Stateful Packet Inspection Firewall

From: MeanChildJ (MeanChildJ@Mean's.net)
Date: 02/13/03


On Wed, 12 Feb 2003 21:15:56 +0000, greenNOSPAMaviator@bigfoot.com
wrote:

>I just got a DSL Router which includes an SPI firewall. The
>manufacturer (Linksys) doesn't have very good technical support, so
>I'm not much wiser as to how it works. The firewall screen has no
>configuration options which worried me first time I saw it.
>
>In a previous message a few weeks ago someone said;
>
>>To over simplify it, SPI allows all of your
>>external ports to be closed until an internal request is made, then a port
>>is temporarily opened for the response to that request only. This is
>>accomplished by using a state table.
>>If the firewall product you are using does not have stateful packet
>>inspection, then you are in the dark ages.
>
>Is this synopsis approximately correct, that connections are
>disallowed until the client initiates an outbound connection, or a
>"listen" on a port?
>
>Someone mentioned the following webpage;
>
>http://www.sans.org/rr/firewall/anatomy.php
>
>which again broadly says that SPI maintains a table for all
>connections, and inspects packet contents for legality. My question
>again is how "legality" is defined; whether anything that the client
>computer initiates is treated as legitimate. My previous experience is
>only with software firewalls i.e. ZoneAlarm, which blocks off incoming
>ports but also controls which applications can access the net / listen
>to ports. Presumably SPI does not place any restrictions on client
>actions.
>
>This is a bit worrying, because it seems to me that SPI places no
>barriers in the path of a trojan that I might accidentally install
>(from an email attachment say) on my computer. If EvilTrojan installs
>and listens on port 400 for portscans, how is the firewall to
>differentiate between it and a legitimately written user application
>which may also wish to listen on port 400? Linksys techsupport tried
>to tell me SPI would prevent trojans, but they couldn't explain the
>above point, and I think they're wrong.

 You should check to see if your model of Linksys router supports SPI.
Linksys has eliminated the SPI feature in certain models due to
problems. You can surf to Linksys site and check for sure.

MeanChildJ
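The state-table behaviour the quoted poster describes (inbound traffic is dropped unless it is the reply to a connection the LAN side initiated, and nothing the client initiates is restricted) can be shown with a small simulation. The code below is an added example written for this thread; it is not Linksys firmware or code from any poster. The packet model, the LAN prefix and the policy rules are assumptions chosen to illustrate the point, and the addresses are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed packet model: just the TCP 4-tuple plus the two flags we need.
@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False


FlowKey = Tuple[str, int, str, int]


class StatefulFilter:
    """Toy stateful packet inspection (assumed policy, not any vendor's):

    - Outbound packets from the LAN are always allowed; a SYN creates a
      state-table entry, later packets on that flow mark it ESTABLISHED.
    - Inbound packets are allowed only if they are the reverse of a flow in
      the table. Anything else is dropped, no matter what program on the
      LAN happens to be listening on the destination port.
    """

    def __init__(self, lan_prefix: str):
        self.lan_prefix = lan_prefix
        self.table: Dict[FlowKey, str] = {}

    def _is_lan(self, ip: str) -> bool:
        return ip.startswith(self.lan_prefix)

    def process(self, pkt: Packet) -> str:
        key: FlowKey = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse: FlowKey = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

        if self._is_lan(pkt.src_ip) and not self._is_lan(pkt.dst_ip):
            # Outbound: SPI is port/flow based, so it does not ask which
            # application sent this. It simply records the flow.
            if pkt.syn and not pkt.ack:
                self.table[key] = "SYN_SENT"
            elif key in self.table:
                self.table[key] = "ESTABLISHED"
            return "ALLOW"

        if not self._is_lan(pkt.src_ip) and self._is_lan(pkt.dst_ip):
            # Inbound: pass only replies to a flow the LAN side opened.
            if reverse in self.table:
                self.table[reverse] = "ESTABLISHED"
                return "ALLOW"
            return "DROP"

        # LAN-to-LAN or WAN-to-WAN traffic never reaches this filter.
        return "DROP"


def demo() -> Dict[str, str]:
    """Walk through the three cases raised in the thread."""
    fw = StatefulFilter("192.168.1.")
    results: Dict[str, str] = {}

    # 1. The client opens a web connection; the server's SYN/ACK is allowed.
    fw.process(Packet("192.168.1.10", 40000, "203.0.113.5", 80, syn=True))
    results["reply_to_client"] = fw.process(
        Packet("203.0.113.5", 80, "192.168.1.10", 40000, syn=True, ack=True))

    # 2. An unsolicited inbound SYN to port 400. It is dropped whether a
    #    legitimate application or something unwanted is listening there:
    #    the filter never consults the listener, only the state table.
    results["unsolicited_400"] = fw.process(
        Packet("198.51.100.7", 55555, "192.168.1.10", 400, syn=True))

    # 3. Any LAN program opening its own outbound connection is allowed,
    #    which is the poster's point: SPI restricts nothing the client
    #    initiates. Controlling which application may do this is the job of
    #    a host firewall such as the ZoneAlarm the poster mentions.
    results["client_initiated_outbound"] = fw.process(
        Packet("192.168.1.10", 40001, "198.51.100.7", 6667, syn=True))

    results["table_size"] = str(len(fw.table))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running the script prints ALLOW for the web reply, DROP for the unsolicited packet to port 400, and ALLOW for the second outbound connection, with two flows left in the state table. A real product would also expire entries and check TCP sequence numbers, but the verdicts in these three cases are exactly what a port-based state table gives you, and why the thread's distinction between "port based" and "application based" filtering matters.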


