J.P. Schwartz - Custom Network Design
Tech Tips

Stateful Packet Inspection

Stateful Packet Inspection, or SPI, is a firewall feature that gives the firewall a little intelligence about what traffic to allow through. By monitoring the traffic, the firewall can watch for an inbound connection attempt from the internet or an outbound connection attempt from your local computer. When the firewall sees the attempt it checks your configuration to see if it should permit the connection. If the connection is established, the firewall then automatically allows the reply traffic back through the firewall as long as that traffic is part of the established conversation. In this way, you only have to configure the firewall with a rule set about who is allowed to start conversations.

Benefits
Stateful Packet Inspection is found in most modern firewalls because it simplifies configuration and provides additional security. It is more difficult to spoof, or fake, the source address of traffic going through an SPI firewall. The automatic conditional rules that SPI provides are also useful: for example, the internet can’t send us information we didn’t ask for.

Limitations
The big limitation of Stateful Packet Inspection is that it permits anything you ask for. It will allow you to ask for a file with a virus, it will allow you to ask for a connection to a hacker’s computer so that they can control your system, and it will allow you to get offensive content, spam, or a long list of other undesirable things. The next limitation is that the default configuration of most firewalls must be tightened to limit outbound connections from your computer to the internet. Last of all, SPI only looks at IP addresses and port numbers. For example, port 80 is supposed to be for web pages, but SPI can’t tell whether it is actually a web page you are getting or something else entirely.
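
The behaviour described above, as an added example that is not part of the original page: a toy connection table in Python in which the rule set only decides who may start a conversation, replies are matched against recorded conversations, and the payload is never examined. The addresses, ports, rule set and verdict names are constructed for illustration; real firewalls also track TCP flags and timeouts.

```python
from typing import NamedTuple

class Packet(NamedTuple):
    direction: str          # "out" = LAN to internet, "in" = internet to LAN
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""    # carried along but never inspected

# Constructed rule set: who may START a conversation, as (direction, dest port).
RULES = {("out", 80), ("out", 443)}

class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules
        self.table = set()  # conversations, stored from the initiator's side

    def check(self, p: Packet) -> str:
        if (p.dst, p.dport, p.src, p.sport) in self.table:
            return "allow-reply"        # mirror image of a recorded conversation
        if (p.src, p.sport, p.dst, p.dport) in self.table:
            return "allow-established"  # initiator continuing the conversation
        if (p.direction, p.dport) in self.rules:
            self.table.add((p.src, p.sport, p.dst, p.dport))
            return "allow-new"          # permitted by the rule set, now tracked
        return "drop"

def run_demo():
    fw = StatefulFilter(RULES)
    lan, web, other = "192.168.1.10", "198.51.100.7", "203.0.113.9"
    traffic = [  # constructed sample packets
        Packet("out", lan, 50000, web, 80),             # LAN host opens a web connection
        Packet("in", web, 80, lan, 50000),              # the server's reply
        Packet("in", other, 80, lan, 50000),            # unsolicited, different source
        Packet("in", web, 80, lan, 50001),              # right source, no such conversation
        Packet("out", lan, 50002, web, 6667),           # outbound port not in the rule set
        Packet("in", web, 80, lan, 50000, b"\x7fELF"),  # not a web page, still port 80
    ]
    return [fw.check(p) for p in traffic]

if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The last packet is allowed because it matches an established conversation on port 80, even though its payload is not a web page; catching that requires content inspection on top of SPI.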

Conclusion
Stateful Packet Inspection is a good standard feature for most firewalls, but it is inadequate when left in the default configuration. Due to its limitations, SPI should be considered a minimal feature.

For additional information or support please contact us at 303-482-1242.