What Is an SPI Firewall?
A firewall prevents unauthorized access to an enterprise's network. A stateful packet inspection (SPI) firewall goes beyond a stateless packet filter, which judges each packet in isolation on header fields such as source and destination address, protocol and destination port. An SPI firewall also keeps a table of the connections passing through it and checks each packet against that table, so it can tell whether the packet belongs to a connection a host on the inside opened or is an unsolicited attempt from outside. Examining the full payload is the job of deep packet inspection, covered below. This greater level of scrutiny provides more robust security and more useful information about network traffic than a stateless filter can.
Weaknesses of Stateless Packet Inspection
In a February 2002 article for Security Pro News, author Jay Fougere notes that while stateless IP filters can route traffic efficiently and place little demand on computing resources, they have serious security deficiencies. Stateless filters cannot verify that an inbound packet is part of a legitimate exchange, cannot be programmed to open and close connections in response to specified events, and offer easy network access to attackers using IP spoofing, in which incoming packets carry a forged source address that the filter matches to a trusted host.
How an SPI Firewall Regulates Network Access
An SPI firewall records the state of each connection that passes through it, typically the addresses and ports at both ends, the protocol and, for TCP, where the handshake stands. When an inbound packet arrives, the firewall can therefore determine whether it is a reply to traffic a host on its network sent or whether it is unsolicited. An SPI firewall can also employ an access control list (ACL), an ordered set of rules naming which sources, destinations, protocols and ports are permitted. The firewall consults the ACL when a packet matches no existing connection, to decide whether the packet may open a new one and, if so, where it may be routed within the network.
Responding to Suspicious Traffic
The SPI firewall can be configured to drop any packet that neither belongs to an existing connection nor is permitted by the ACL. That limits the effect of a denial-of-service attack, in which an attacker floods the network with traffic to exhaust its resources and leave it unable to answer legitimate requests, because unsolicited packets are discarded at the perimeter instead of being passed to the hosts behind it; the firewall itself still spends resources examining them, so it does not make the network immune. Netgear's "Security: Comparing NAT, Static Content Filtering, SPI, and Firewalls" article notes that SPI firewalls can also examine packets for the characteristics of known attacks, such as DoS floods and IP spoofing, and drop any packet recognized as potentially malicious.
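The difference between the header-only filter described in the previous sections and a stateful one, as an added example (this is illustration code, not code from the article or from any vendor it cites): a small Python simulation that runs a stateless trusted-source rule and a stateful connection table side by side over a constructed TCP exchange. The inside network 10.0.0.0/24, the hosts, ports and the trusted-host list are assumptions for the demonstration, and the state machine tracks only the TCP handshake, the established state and reset, not the full state table a real firewall keeps.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Header fields a packet filter can see (constructed, no real capture)."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: str      # TCP flags as text: "S", "SA", "A", "R"
    direction: str  # "out" = leaving the protected network, "in" = entering it


# Hypothetical trusted-host list. A stateless filter can only consult header
# fields, so it has to trust the source address a packet claims.
TRUSTED_SOURCES = {"203.0.113.10"}


def stateless_decision(pkt: Packet) -> str:
    """Header-only filter: outbound always allowed, inbound by source address."""
    if pkt.direction == "out":
        return "allow"
    return "allow" if pkt.src in TRUSTED_SOURCES else "drop"


class SPIFirewall:
    """Tracks TCP connections that a host on the protected network initiated."""

    def __init__(self) -> None:
        self.table: dict = {}  # connection key -> "SYN_SENT" | "SYN_RECV" | "ESTABLISHED"

    @staticmethod
    def key(pkt: Packet) -> tuple:
        # One key per connection regardless of direction:
        # (inside host, inside port, outside host, outside port)
        if pkt.direction == "out":
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def decide(self, pkt: Packet) -> str:
        k = self.key(pkt)
        state = self.table.get(k)
        if pkt.flags == "R" and state is not None:
            del self.table[k]          # a reset tears the connection entry down
            return "allow"
        if state is None:
            # Only an outbound SYN may create state; every unsolicited inbound
            # packet is dropped, whatever source address it claims to have.
            if pkt.direction == "out" and pkt.flags == "S":
                self.table[k] = "SYN_SENT"
                return "allow"
            return "drop"
        if state == "SYN_SENT" and pkt.direction == "in" and pkt.flags == "SA":
            self.table[k] = "SYN_RECV"
            return "allow"
        if state == "SYN_RECV" and pkt.direction == "out" and pkt.flags == "A":
            self.table[k] = "ESTABLISHED"
            return "allow"
        if state == "ESTABLISHED":
            return "allow"
        return "drop"  # packet does not fit the connection's current state


def run(packets, fw=None):
    """Return (stateless, stateful) verdicts for each packet, in order."""
    if fw is None:
        fw = SPIFirewall()
    return [(stateless_decision(p), fw.decide(p)) for p in packets]


# Constructed sample traffic. 10.0.0.5 is inside; 203.0.113.10 is the trusted
# web server; 198.51.100.7 is an arbitrary outside host.
SAMPLE = [
    Packet("10.0.0.5", "203.0.113.10", 40000, 443, "S", "out"),   # handshake
    Packet("203.0.113.10", "10.0.0.5", 443, 40000, "SA", "in"),
    Packet("10.0.0.5", "203.0.113.10", 40000, 443, "A", "out"),
    Packet("203.0.113.10", "10.0.0.5", 443, 40000, "A", "in"),    # reply data
    # Spoofed: claims the trusted address, but no inside host asked for it.
    Packet("203.0.113.10", "10.0.0.5", 5555, 22, "S", "in"),
    # Stray ACK from the trusted host to a port with no connection.
    Packet("203.0.113.10", "10.0.0.5", 443, 40001, "A", "in"),
    # Unsolicited SYN from an unknown host.
    Packet("198.51.100.7", "10.0.0.5", 1234, 80, "S", "in"),
]

if __name__ == "__main__":
    for pkt, (stateless, spi) in zip(SAMPLE, run(SAMPLE)):
        print(f"{pkt.direction:3} {pkt.flags:2} {pkt.src}:{pkt.sport} -> "
              f"{pkt.dst}:{pkt.dport}  stateless={stateless:5} spi={spi}")
```

The two spoofed packets (a SYN to port 22 and a stray ACK, both with the trusted source address) pass the stateless filter and are dropped by the stateful one, because nothing in the connection table solicited them; the genuine reply traffic on the connection 10.0.0.5 opened passes both.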
Deep Packet Inspection
Deep packet inspection (DPI) extends SPI by examining packet payloads in real time, going deep enough to recover application data such as the full text of an email. Routers equipped with DPI can focus on traffic from specific sources or to specific destinations and can be programmed to take an action, such as logging or dropping packets, when a packet meets a source or destination criterion. DPI-enabled routers can also be programmed to examine particular types of traffic, such as VoIP or streaming media. DPI can only read what is sent in the clear; payloads carried inside TLS or another encrypted tunnel are opaque to it unless the device terminates the encrypted session itself.
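What "looking into the payload" means in practice, as an added example (illustration code, not from the article or any product it mentions): a small Python DPI inspector that reassembles each TCP flow's payload, applies rules that combine a source/destination criterion with a content signature, and logs or drops accordingly. The rules, the network ranges and the sample segments (a SIP INVITE, an outbound SMTP message, and an HTTP upload whose method is split across two segments) are constructed for the demonstration; a real engine would also handle sequence-number ordering and retransmissions, which this one ignores.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Segment:
    """One TCP segment: header addressing plus the payload bytes DPI reads."""
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # CIDR the source must fall in; "0.0.0.0/0" means any
    dst: str        # CIDR the destination must fall in
    pattern: bytes  # regex run over the reassembled payload stream
    action: str     # "log" or "drop"


# Hypothetical rule set: classify VoIP signalling, record outbound mail
# subjects, and block uploads from the inside network to one outside range.
RULES = [
    Rule("voip-sip-invite", "0.0.0.0/0", "0.0.0.0/0", rb"^INVITE sip:", "log"),
    Rule("outbound-mail-subject", "10.0.0.0/24", "0.0.0.0/0",
         rb"\r\nSubject: ([^\r\n]+)\r\n", "log"),
    Rule("block-upload-to-exfil-net", "10.0.0.0/24", "198.51.100.0/24",
         rb"\bPOST /upload\b", "drop"),
]


class DPIInspector:
    def __init__(self, rules):
        self.rules = rules
        self.streams = {}    # flow key -> payload seen so far (bounded window)
        self.reported = set()  # (flow key, rule name) already matched once
        self.blocked = set()   # flows a "drop" rule has already hit

    def inspect(self, seg: Segment):
        """Return (verdict, hits); each hit is (rule name, action, matched bytes)."""
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        if key in self.blocked:
            return "drop", []
        # Reassemble: a signature split across segments must still be seen.
        data = self.streams.get(key, b"") + seg.payload
        self.streams[key] = data[-4096:]
        hits = []
        for rule in self.rules:
            if (key, rule.name) in self.reported:
                continue
            if ip_address(seg.src) not in ip_network(rule.src):
                continue
            if ip_address(seg.dst) not in ip_network(rule.dst):
                continue
            m = re.search(rule.pattern, data)
            if m:
                self.reported.add((key, rule.name))
                # Report the capture group when the rule has one (the
                # recovered field), otherwise the whole signature match.
                hits.append((rule.name, rule.action, m.group(m.lastindex or 0)))
        verdict = "drop" if any(h[1] == "drop" for h in hits) else "allow"
        if verdict == "drop":
            self.blocked.add(key)
        return verdict, hits


# Constructed sample segments from inside host 10.0.0.5.
SAMPLE = [
    Segment("10.0.0.5", "203.0.113.20", 5060, 5060,
            b"INVITE sip:bob@example.com SIP/2.0\r\n"),
    Segment("10.0.0.5", "203.0.113.25", 52000, 25,
            b"MAIL FROM:<alice@example.com>\r\nRCPT TO:<bob@example.net>\r\nDATA\r\n"),
    Segment("10.0.0.5", "203.0.113.25", 52000, 25,
            b"From: alice\r\nSubject: Quarterly numbers\r\n\r\nBody text\r\n.\r\n"),
    Segment("10.0.0.5", "198.51.100.7", 53000, 80, b"POS"),  # method split here
    Segment("10.0.0.5", "198.51.100.7", 53000, 80,
            b"T /upload HTTP/1.1\r\nHost: drop.example\r\n"),
]


def run(segments, rules=RULES):
    dpi = DPIInspector(rules)
    return [dpi.inspect(s) for s in segments]


if __name__ == "__main__":
    for seg, (verdict, hits) in zip(SAMPLE, run(SAMPLE)):
        print(f"{seg.src}:{seg.sport} -> {seg.dst}:{seg.dport} {verdict} {hits}")
```

Neither "POS" nor "T /upload ..." matches the upload signature on its own; only the reassembled stream does, which is why the drop verdict lands on the second segment and every later segment of that flow. The mail rule shows the recovery the section describes, returning the Subject header value rather than just a match flag.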
References & Resources
- E. A. Mathys: Business Continuity Management
- Microsoft Windows Dev Center (Desktop): Access Control Lists
- Microsoft Windows Dev Center (Desktop): Trustees
- Netgear: Denial of Service Attacks and Stateful Packet Inspection
- US-CERT National Cyber Alert System: Understanding Denial-of-Service Attacks
- Netgear: Security: Comparing NAT, Static Content Filtering, SPI, and Firewalls
- Ars Technica (Hardware): Deep Packet Inspection Meets "Net Neutrality, CALEA"
- Security Pro News: Stateful vs. Stateless IP Filtering (Jay Fougere)
- Symantec: IP Spoofing: An Introduction
- PC World: What You Should Know About Firewalls (Michael Desmond)