Re: Duane Arnold re: SPI

From: Duane Arnold (
Date: 03/11/03

From: "Duane Arnold" <>
Date: Tue, 11 Mar 2003 04:27:50 GMT

> and my LAN is not accessible to outside initiated packets via the
> router's NAT, which has the ability to drop them.

That's not to my understanding. The NAT takes the packet that was sent to
the public IP of the router and sends them to the private IP's/machines of
the router the packet belongs too. From my understanding, NAT may have
some ability to drop some packets. Some routers only have NAT. And the
there are other routers that have NAT and SPI. Stateful Packet Inspection.
Once again, meaning for *every* inbound packet sent to the router, there
was a corresponding packet sent by the router, otherwise, the packet is
dropped --- statefullness.

Case in point, the Linksys router firmware for the router I use, use to
have SPI that didn't work and has been completely removed from the firmware.
The router with NAT alone cannot pass the Pcflank Stealth test and the
router couldn't pass the test with the defective SPI. The test sends
unsolicited inbound packets to the machine. I'll *almost* guarantee that
any router that has viable SPI on it will pass the test. Any router that
doesn't have SPI on it will not pass the test.

Now, with BI setting on the machine that initiated the test with BlackIce
being at the *Paranoid* level - Block all unsolicited inbound traffic, the
router with BlackIce is able to pass the test. BI is performing the role of
SPI that is not there. On one test, the packets came right to the router to
the machine, but BI stopped it.

SPI is different than NAT. It is a feature that is not present in all NAT

 Duane )

The protection of the machine is a process and is not a given!