Re: Duane Arnold re: SPI

From: Duane Arnold (notme@notme.com)
Date: 03/11/03


From: "Duane Arnold" <notme@notme.com>
Date: Tue, 11 Mar 2003 04:27:50 GMT


> and my LAN is not accessible to outside initiated packets via the
> router's NAT, which has the ability to drop them.

That's not to my understanding. The NAT takes the packet that was sent to
the public IP of the router and sends them to the private IPs/machines of
the router the packet belongs to. From my understanding, NAT may have
some ability to drop some packets. Some routers only have NAT. And then
there are other routers that have NAT and SPI, Stateful Packet Inspection.
Once again, meaning for *every* inbound packet sent to the router, there
was a corresponding packet sent by the router, otherwise, the packet is
dropped --- statefulness.

Case in point, the Linksys router firmware for the router I use used to
have SPI that didn't work and has been completely removed from the firmware.
The router with NAT alone cannot pass the Pcflank Stealth test and the
router couldn't pass the test with the defective SPI. The test sends
unsolicited inbound packets to the machine. I'll *almost* guarantee that
any router that has viable SPI on it will pass the test. Any router that
doesn't have SPI on it will not pass the test.

Now, with BI setting on the machine that initiated the test with BlackIce
being at the *Paranoid* level - Block all unsolicited inbound traffic, the
router with BlackIce is able to pass the test. BI is performing the role of
SPI that is not there. On one test, the packets came right through the router to
the machine, but BI stopped them.

SPI is different than NAT. It is a feature that is not present in all NAT
routers.

http://www.homenethelp.com/web/explain/about-NAT.asp

 Duane )

--
The protection of the machine is a process and is not a given!
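The statefulness rule Duane describes (an inbound packet is forwarded only if the router already saw a matching outbound packet, otherwise it is dropped) can be modelled in a few dozen lines. The example below is added here and is not code from the post or from any router vendor; the addresses are constructed from the RFC 5737 documentation ranges, and the port allocation (starting at 40000) and 60-second idle timeout are assumptions chosen for the illustration. It models a NAT table that is also the connection-tracking state, and a `stealth_test` helper that replays the kind of unsolicited inbound probe the post mentions and reports whether every probe was dropped.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed public address (RFC 5737 documentation range), not from the post.
PUBLIC_IP = "203.0.113.10"


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = LAN -> WAN, "in" = WAN -> LAN
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    t: float = 0.0   # arrival time in seconds, used for idle expiry


class StatefulNatRouter:
    """Toy NAT with stateful inspection: an inbound packet is forwarded only
    when it matches state created by an earlier outbound packet from the LAN."""

    def __init__(self, public_ip: str = PUBLIC_IP, idle_timeout: float = 60.0):
        self.public_ip = public_ip
        self.idle_timeout = idle_timeout   # assumed value for the illustration
        self._next_port = 40000            # assumed first translated port
        # (proto, lan_ip, lan_port, wan_ip, wan_port) -> public port
        self._out: Dict[Tuple[str, str, int, str, int], int] = {}
        # (proto, wan_ip, wan_port, public_port) -> (lan_ip, lan_port, last_seen)
        self._in: Dict[Tuple[str, str, int, int], Tuple[str, int, float]] = {}

    def _expire(self, now: float) -> None:
        """Forget state that has been idle longer than the timeout."""
        stale = [k for k, (_, _, seen) in self._in.items()
                 if now - seen > self.idle_timeout]
        for k in stale:
            lan_ip, lan_port, _ = self._in.pop(k)
            proto, wan_ip, wan_port, _ = k
            self._out.pop((proto, lan_ip, lan_port, wan_ip, wan_port), None)

    def process(self, p: Packet) -> Tuple[str, Optional[Tuple[str, int]]]:
        """Return ("FORWARD", translated (ip, port)) or ("DROP", None)."""
        self._expire(p.t)
        if p.direction == "out":
            okey = (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)
            port = self._out.get(okey)
            if port is None:                      # first packet of this flow
                port = self._next_port
                self._next_port += 1
                self._out[okey] = port
            # Outbound traffic creates (or refreshes) the inbound state entry.
            self._in[(p.proto, p.dst_ip, p.dst_port, port)] = (p.src_ip, p.src_port, p.t)
            return "FORWARD", (self.public_ip, port)
        # Inbound: only forward if the 4-tuple matches a live entry.
        ikey = (p.proto, p.src_ip, p.src_port, p.dst_port)
        entry = self._in.get(ikey) if p.dst_ip == self.public_ip else None
        if entry is None:
            return "DROP", None                    # unsolicited: no matching state
        lan_ip, lan_port, _ = entry
        self._in[ikey] = (lan_ip, lan_port, p.t)   # refresh last-seen time
        return "FORWARD", (lan_ip, lan_port)


def stealth_test(router: StatefulNatRouter,
                 probe_ports: Tuple[int, ...] = (21, 23, 80, 139, 445),
                 t: float = 0.0) -> bool:
    """Replay unsolicited inbound TCP packets (a constructed stand-in for the
    probe described in the post) and report whether every one was dropped."""
    prober = "198.51.100.200"   # constructed external address
    return all(
        router.process(Packet("in", "tcp", prober, 50000 + i, router.public_ip, port, t))[0] == "DROP"
        for i, port in enumerate(probe_ports)
    )


def demo() -> List[str]:
    """Constructed trace: one solicited reply passes, two unsolicited packets drop."""
    r = StatefulNatRouter()
    trace = [
        Packet("out", "tcp", "192.168.1.20", 51000, "198.51.100.5", 80, 0.0),   # LAN host opens a web connection
        Packet("in",  "tcp", "198.51.100.5", 80, PUBLIC_IP, 40000, 1.0),         # the server's reply matches state
        Packet("in",  "tcp", "198.51.100.9", 1234, PUBLIC_IP, 40000, 2.0),       # different source, same public port
        Packet("in",  "tcp", "198.51.100.5", 80, PUBLIC_IP, 40000, 100.0),       # reply after the entry went idle
    ]
    return [r.process(p)[0] for p in trace]


if __name__ == "__main__":
    print(demo())                                   # ['FORWARD', 'FORWARD', 'DROP', 'DROP']
    print("stealth:", stealth_test(StatefulNatRouter()))
```

The third and fourth packets in `demo` are the interesting ones: the same public port is in the table, but a different source, or a source whose entry has timed out, no longer corresponds to anything the router sent, so the packet is dropped. That is the distinction the post draws between mere address translation and stateful inspection.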

