SPI Firewall – What is it?

Stateful Packet Inspection (SPI) is a firewall technique that controls access to an enterprise's network by keeping track of the state of the connections passing through it (TCP streams, UDP exchanges and so on). The firewall records which connections are legitimately open and what stage they are in, so it can distinguish genuine packets from stray ones for each type of connection. Packets matching a known active connection are allowed through; packets that match no connection are evaluated against the firewall's rules as new connection attempts, or dropped.

SPI Firewall

An SPI firewall looks at more than the individual packet's headers: it compares each packet against the connection it claims to belong to before deciding whether to let it into the network. (It does not inspect application payloads; that is deep packet inspection, a separate function.) This added context provides much more robust security and more useful information about network traffic than a stateless filtering system. The firewall holds the significant attributes of each connection in memory, from the first packet to the last. These attributes are collectively known as the state of the connection. They include the IP addresses and ports involved, the protocol, the stage of the TCP handshake, and the sequence and acknowledgement numbers expected next on the connection.

SPI Firewalls Help Regulate Network Access

An SPI firewall records the identifying attributes of every connection it has permitted. When an incoming packet arrives, the firewall first checks whether it belongs to a connection an inside host already opened, or is a reply to one. If it is not, the packet is treated as a new connection attempt and evaluated against the firewall's access control list (ACL): the ordered set of rules stating which sources may reach which internal hosts and services, and where such traffic may be routed within the network. Only packets that open a connection are compared with the ACL; later packets of an accepted connection are matched against the state table instead, which is both faster and stricter, because the packet must also fit the connection's expected direction, TCP flags and sequence numbers.

SPI Responding to Suspicious Traffic

Because unsolicited packets that match neither the state table nor an ACL rule are dropped, an SPI firewall blocks much of the random inbound traffic used in scans and in some denial-of-service attacks, in which an attacker floods the network with incoming traffic to exhaust its resources and render it unable to respond to legitimate requests. It is not a complete defense on its own: the state table is itself a finite resource, and a flood of SYN packets aimed at a port the ACL permits can fill it, so stateful firewalls usually pair inspection with connection-rate limits, SYN cookies or short timeouts for half-open connections. Netgear's website notes in its “Security: Comparing NAT, Static Content Filtering, SPI, and Firewalls” article that SPI firewalls can also examine packets for characteristics of known hacking exploits, such as DoS attacks and IP spoofing, and drop any packet recognized as potentially malicious.

Advantage over Stateless Packet Filters

Stateless packet filters route traffic efficiently and put little demand on computing resources, but they have serious security deficiencies. A stateless filter judges each packet in isolation, so it cannot tell an unsolicited packet from a reply to a connection an internal host opened, and it cannot be told to open and close access in response to events such as the start or end of a connection. This makes it easy to bypass with IP spoofing: the attacker forges the source address of a trusted host, the filter sees only the header and lets the packet in. Stateful Packet Inspection checks every packet, in both directions, against the connection state it has recorded. A forged packet that matches no open connection, or whose TCP flags or sequence numbers do not fit the connection's current state, is dropped even if its source address looks trustworthy, and packets that open new connections are still subject to the ACL. Note that SPI does not authenticate packets in the cryptographic sense; that requires IPsec or TLS. What it provides is a consistency check against connection state that a stateless filter cannot perform.
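The difference described above, and the state tracking and ACL handling from the earlier sections, can be shown with a small simulation. The code below is an added example written for this article, not the code of any real firewall product. It assumes a protected LAN of 192.168.1.0/24, a trusted external host 203.0.113.10 that a stateless ACL whitelists by address, a public web server on port 80, and constructed packets for the handshake and the spoofing attempt; all of these are assumptions for the illustration. The stateless filter decides on headers alone and accepts a packet whose source address is forged to the trusted host; the stateful firewall consults the ACL only for packets that open a connection, tracks the TCP handshake in a state table, checks that a SYN-ACK acknowledges the initial sequence number it recorded, and drops the spoofed packet because it matches no open connection.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("192.168.1.0/24")   # assumed protected LAN
TRUSTED_HOST = "203.0.113.10"           # assumed host that a stateless ACL trusts by address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str                         # "tcp" or "udp"
    flags: frozenset = frozenset()     # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}
    seq: int = 0
    ack: int = 0


def _inbound(pkt):
    return ip_address(pkt.dst) in INSIDE and ip_address(pkt.src) not in INSIDE


def stateless_filter(pkt):
    """Classic packet filter: every packet is judged on its own headers."""
    if not _inbound(pkt):
        return "ACCEPT"                    # anything leaving the LAN is allowed
    if pkt.src == TRUSTED_HOST:
        return "ACCEPT"                    # trusts the source address as written
    if pkt.proto == "tcp" and pkt.dport == 80:
        return "ACCEPT"                    # public web server
    return "DROP"


class StatefulFirewall:
    """Tracks connections; the ACL is consulted only for connection-opening packets."""

    def __init__(self):
        self.table = {}   # key: 5-tuple in the initiating direction -> connection state

    @staticmethod
    def _key(pkt):
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)

    @staticmethod
    def _reverse_key(pkt):
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)

    def _acl_allows_new(self, pkt):
        """Rules for new connections: outbound is free, inbound only to the web server."""
        return (not _inbound(pkt)) or (pkt.proto == "tcp" and pkt.dport == 80)

    def process(self, pkt):
        rkey = self._reverse_key(pkt)
        if rkey in self.table:                          # reply on a tracked connection
            return self._check_reply(pkt, self.table[rkey], rkey)
        key = self._key(pkt)
        if key in self.table:                           # more traffic from the initiator
            return self._check_forward(pkt, self.table[key], key)
        # No state: only a TCP SYN (or a UDP datagram) may open a connection, and
        # only if the ACL permits it. Stray SYN-ACKs and ACKs are dropped here.
        if pkt.proto == "tcp" and pkt.flags != frozenset({"SYN"}):
            return "DROP"
        if not self._acl_allows_new(pkt):
            return "DROP"
        state = "SYN_SENT" if pkt.proto == "tcp" else "ESTABLISHED"
        self.table[key] = {"state": state, "isn": pkt.seq}
        return "ACCEPT"

    def _check_reply(self, pkt, entry, key):
        if pkt.proto == "udp":
            return "ACCEPT"
        if "RST" in pkt.flags:                           # peer tore the connection down
            del self.table[key]
            return "ACCEPT"
        if entry["state"] == "SYN_SENT":
            # The only valid reply is a SYN-ACK acknowledging the recorded ISN + 1.
            if pkt.flags == frozenset({"SYN", "ACK"}) and pkt.ack == entry["isn"] + 1:
                entry["state"] = "SYN_RECV"
                return "ACCEPT"
            return "DROP"
        return "ACCEPT"                                   # established: data flows both ways

    def _check_forward(self, pkt, entry, key):
        if "RST" in pkt.flags:
            del self.table[key]
        elif pkt.proto == "tcp" and entry["state"] == "SYN_RECV" and "ACK" in pkt.flags:
            entry["state"] = "ESTABLISHED"               # third step of the handshake
        return "ACCEPT"


def demo():
    """Runs constructed packets through both filters and returns the verdicts."""
    fw = StatefulFirewall()
    syn = Packet("192.168.1.20", "198.51.100.5", 40000, 443, "tcp", frozenset({"SYN"}), seq=1000)
    forged = Packet("198.51.100.5", "192.168.1.20", 443, 40000, "tcp", frozenset({"SYN", "ACK"}), seq=1, ack=9999)
    synack = Packet("198.51.100.5", "192.168.1.20", 443, 40000, "tcp", frozenset({"SYN", "ACK"}), seq=5000, ack=1001)
    ack = Packet("192.168.1.20", "198.51.100.5", 40000, 443, "tcp", frozenset({"ACK"}), seq=1001, ack=5001)
    spoofed = Packet(TRUSTED_HOST, "192.168.1.20", 4444, 22, "tcp", frozenset({"ACK"}))   # forged source
    web = Packet("198.51.100.7", "192.168.1.10", 51000, 80, "tcp", frozenset({"SYN"}), seq=77)
    ssh = Packet("198.51.100.7", "192.168.1.10", 51001, 22, "tcp", frozenset({"SYN"}), seq=78)
    return {
        "syn": fw.process(syn),                 # outbound new connection: ACL allows
        "forged_synack": fw.process(forged),    # wrong ack number: fails the state check
        "synack": fw.process(synack),
        "ack": fw.process(ack),
        "spoofed_stateless": stateless_filter(spoofed),
        "spoofed_stateful": fw.process(spoofed),
        "web_stateful": fw.process(web),        # inbound new connection: ACL allows port 80
        "ssh_stateful": fw.process(ssh),        # inbound new connection: ACL denies port 22
        "tracked": len(fw.table),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

The spoofed packet is the instructive case: the stateless filter returns ACCEPT because the source address matches its trusted host, while the stateful firewall returns DROP because there is no open connection for that 5-tuple and a bare ACK cannot open one. The forged SYN-ACK shows the sequence-number check at work: it arrives on a tracked connection but does not acknowledge the recorded initial sequence number, so it is discarded and the genuine SYN-ACK that follows is accepted.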

In short, SPI ties every packet to a tracked connection, so packets that fit no legitimate connection are kept out of the network and the firewall's rules govern only what is allowed to open a new one.
