Do You Need Stateful Packet Inspection if You Use a Firewall?
If you've gone to the lengths of purchasing a firewall to protect your network, employing stateful packet inspection technology is a logical decision. SPI provides more comprehensive packet inspection than standard packet filtering, giving you an additional layer of security that can prevent network downtime or data loss. An SPI-enabled firewall can also protect you from potential downstream liability claims, in which an attacker hijacks your network to attack a third party, possibly resulting in a claim of negligence against you for improperly securing your network.
SPI vs. Packet Filtering
Packet filtering applications select individual packets from a data stream for examination, then determine whether or not each packet will be allowed to pass through the firewall. Packet examination often consists solely of checking the header's source and destination information; the application will also check the sending and receiving ports, along with the protocol the packet uses. SPI instead uses a state table to determine whether a transmission is expected or unsolicited, dropping unknown packets according to the network administrator's filtering rules. The state table also records when one side has terminated a connection, so any additional packets that arrive on that connection are marked as suspect. SPI can also thwart Internet Protocol spoofing, in which an attacker makes a packet appear as though it comes from a trusted source, through its capability of examining the packet's full contents.
SPI and Access Restrictions
Network administrators using an SPI-enabled firewall can express address restrictions in access control lists (ACLs), which define which external sites can freely access the network and which are blocked. The network administrator reserves a certain number of ports to leave open to accept unsolicited packets from addresses on the ACL. Working in conjunction with the state table, the firewall can determine whether an incoming packet is a response to a request from within the network and, if not, whether it comes from an approved address.
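As an added illustration, not code from the original article, the following toy Python stateful firewall keeps the state table and ACL described in the two sections above: outbound requests open a flow, replies on an open flow are expected, packets arriving after one side terminates are treated as suspect, unsolicited inbound traffic is admitted only from ACL-approved addresses on reserved ports, and an outside packet claiming an inside source address is rejected as spoofed. The network ranges, interface names and ACL contents are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed: hosts behind "lan" are the protected network; "wan" is outside.
INSIDE = ip_network("10.0.0.0/8")
# Constructed ACL: external address -> inside ports reserved for its unsolicited packets.
ACL = {"203.0.113.5": {443}}


class SPIFirewall:
    def __init__(self):
        self.state = {}  # (inside_ip, inside_port, outside_ip, outside_port) -> status

    def inspect(self, pkt):
        inbound = pkt["iface"] == "wan"
        if inbound and ip_address(pkt["src"]) in INSIDE:
            return "DROP", "spoofed: inside source address arriving from outside"
        key = ((pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]) if inbound
               else (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
        status = self.state.get(key)
        if status == "closed":
            return "DROP", "suspect: packet on a terminated connection"
        if status is None:
            if not inbound:
                reason = "new outbound connection"  # opens a flow in the state table
            elif pkt["dport"] in ACL.get(pkt["src"], set()):
                reason = "unsolicited but ACL-approved"
            else:
                return "DROP", "unsolicited inbound"
            self.state[key] = "open"
        else:
            reason = "expected packet on an open connection"
        if set(pkt["flags"]) & {"FIN", "RST"}:
            self.state[key] = "closed"  # one side terminated; later packets are suspect
        return "ALLOW", reason


def pkt(iface, src, sport, dst, dport, *flags):
    return dict(iface=iface, src=src, sport=sport, dst=dst, dport=dport, flags=flags)


def run_trace():
    fw = SPIFirewall()  # constructed packet sequence; one verdict per packet
    trace = [
        pkt("lan", "10.0.0.7", 40000, "198.51.100.2", 80, "SYN"),
        pkt("wan", "198.51.100.2", 80, "10.0.0.7", 40000, "SYN", "ACK"),
        pkt("wan", "198.51.100.2", 80, "10.0.0.7", 40000, "FIN", "ACK"),
        pkt("wan", "198.51.100.2", 80, "10.0.0.7", 40000, "ACK"),
        pkt("wan", "203.0.113.5", 5555, "10.0.0.9", 443, "SYN"),
        pkt("wan", "203.0.113.9", 5555, "10.0.0.9", 443, "SYN"),
        pkt("wan", "10.0.0.1", 1, "10.0.0.9", 22, "SYN"),
    ]
    return [fw.inspect(p) for p in trace]
```

A plain packet filter would judge each of these packets on its header alone; here the fourth packet is dropped only because the state table remembers the FIN that preceded it.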
Access Rule Flexibility
The network administrator must devise the filtering rules for a firewall whether it employs packet filtering alone or has SPI capabilities. A firewall with packet filtering alone doesn't allow the rules to be modified while the network is operating. A network using an SPI-enabled firewall can employ dynamic state filtering, which allows network administrators to make exceptions to access permissions when given conditions are met, giving them more flexibility in routing traffic into and out of the network.
SPI and Denial-of-Service
A firewall using SPI places intensive demands on the network's resources as it checks a constant stream of packets against its ACL and state table. This resource demand can make the network vulnerable to a denial-of-service attack, in which an attacker floods the network with packets in an attempt to exhaust resources and crash the system. As the firewall attempts to process each packet sent during the DoS attack, it can't process legitimate network traffic and so blocks authorized users from the network's resources.