spi @66.128.17.x (Anon) to nwrickert

Re: Is it safe to disable router's firewall?

Here is a quick grab of a paragraph off of Wikipedia regarding SPI. This is important to note: SPI not only keeps track of sessions and will not allow random packets to be inserted into the stream, it also watches for legitimate traffic establishing new connections coming back in, such as with active FTP, etc.

Before the advent of stateful firewalls, a stateless firewall, a firewall that treats each network frame (or packet) in isolation, was normal. Such a firewall has no way of knowing if any given packet is part of an existing connection, is trying to establish a new connection, or is just a rogue packet. Modern firewalls are connection-aware (or state-aware), affording network administrators finer-grained control of network traffic.

The classic example is the File Transfer Protocol, because by design it opens new connections to arbitrary ports. FTP, among other protocols, needs to be able to open connections to arbitrary high ports to function properly. Since a firewall has no way of knowing that the packet destined to the protected network, to some host's destination port 4970, is part of a legitimate FTP session, it will drop the packet. Stateful firewalls solve this problem by maintaining a table of open connections and intelligently associating new connection requests with existing legitimate connections.
TheWiseGuy (MVM, join:2002-07-04, East Stroudsburg, PA)

Modern NAT does a lot of that these days. Most implementations allow active FTP. NAT checks if a packet is part of an ongoing TCP connection (from the port pair and IP) or if a UDP packet had been sent outbound to the IP from the port pair.

The Netgear site has a good page on the added advantages of SPI. For the average individual, unless they are targeted, most of these are not a major concern. Certainly for a major organization SPI can be helpful. Also, if you have reason to believe you might be targeted for a DoS attack, SPI would certainly help.

»kbserver.netgear.com/kb_ ··· 1218.asp

nwrickert (Mod, join:2004-09-04, Geneva, IL) to spi

said by spi :

Here is a quick grab of a paragraph off of wikipedia regarding SPI.
I am not denying its uses.

For the typical home router, the main benefit of SPI is to the marketing department, which can make the router sound more impressive than it really is.

For a complex corporate firewall, you really do need SPI. But management of such a firewall involves complexity beyond the ability of most home users and beyond the capability of most home routers.

spi @66.128.17.x (Anon)

Agreed. I just didn't want everyone to think that SPI had no benefit to the user. For the other reply: NAT is an IP/port translation and should not be doing inspection to allow things such as active FTP to establish a NEW connection back into your network. NAT simply works with the IP/ports; for a router to realize it needs to allow a brand-new connection from an outside host into an inside host, it needs to inspect the traffic to see the agreed-upon port that will be initiated back to the inside. They may market this stuff in a number of ways, but if you go by the definition, NAT does not do inspection or fixup or ALG or whatever your vendor's preferred term may be.
spi @66.128.17.x (Anon) to TheWiseGuy

I think you misunderstand how active FTP works. NAT does not handle active FTP by default. In active FTP the client establishes an outbound control connection to an FTP server, which is allowed through the router and NATed. The server replies to the request over the data channel and they agree on a port that the server can start a brand-new connection to the client on. NAT will not know of this new connection and will NOT allow it. The port they agree upon is only mentioned within the data portion of the packet; therefore packet inspection must be done so the router can allow a newly established connection through to the correct host.
TheWiseGuy (MVM)

I assure you I understand how active FTP works. An initial connection is made to port 21 outbound. The inbound return packet contains the port where the data connection will be established. You do not need to have an SPI FIREWALL, which is what the topic was about, for a modern NAT router to allow active FTP.

True, I said "modern NAT" when talking about FTP and probably should have said "modern NAT routers". Still, you could easily implement a subroutine in NAT that checks if the remote is port 21 and simply checks the return packet as part of NAT without implementing a full SPI firewall, since active FTP is one of the oldest and most used protocols that require an inbound connection in response.

nwrickert (Mod) to spi
SPI is not enough for active FTP. Rather, the router must monitor the data part of the packets to see what port is agreed to, create a special entry in its NAT table to handle that connection, and appropriately modify that data packet. Most home routers are designed to handle this.

Passive FTP will work without difficulty through a NAT router as long as no output blocking is being done.

If the FTP server is behind the NAT router, things are more complex and some home routers won't handle it properly.
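The Wikipedia paragraph quoted at the top of the thread (a stateless filter cannot tell a reply from a rogue packet; a stateful one keeps a connection table; FTP opens new connections to arbitrary ports) and the description just above of a router that reads the data part of the control packets, adds a special entry to its NAT table and rewrites the packet are the same mechanism seen from two sides. The following is an added example written for this thread, not code from any router vendor or from either poster. It models a NAT router in Python with and without an FTP application-level gateway (ALG). In RFC 959 active mode the client sends a PORT command naming the address and port it is listening on, and the server then opens the data connection to that address. The addresses, port numbers, the `Packet` model and the `NatRouter` class are all constructed for the demo; a real router works on raw TCP segments rather than strings.

```python
"""Toy NAT router with an optional FTP ALG: shows why plain address/port
translation cannot admit the server's data connection in active FTP.
Constructed demo; addresses, ports and the Packet model are made up."""
import re
from dataclasses import dataclass, field

INSIDE_CLIENT = "192.168.1.10"   # constructed: LAN host behind the router
PUBLIC_IP = "203.0.113.5"        # constructed: router's WAN address
FTP_SERVER = "198.51.100.7"      # constructed: remote FTP server

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


def encode_port_cmd(ip, port):
    """RFC 959 PORT command: 'PORT h1,h2,h3,h4,p1,p2' with port = p1*256 + p2."""
    return "PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port >> 8, port & 0xFF)


def decode_port_cmd(line):
    """Return the (ip, port) a PORT command announces, or None if it is not one."""
    m = PORT_RE.match(line)
    if not m:
        return None
    h = m.groups()
    return ".".join(h[:4]), int(h[4]) * 256 + int(h[5])


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False      # True for a new-connection attempt
    payload: str = ""      # application data (FTP control-channel text)


@dataclass
class NatRouter:
    public_ip: str
    ftp_alg: bool          # False = pure NAT; True = NAT plus control-channel inspection
    next_port: int = 40000
    table: dict = field(default_factory=dict)     # (in_ip, in_port, rmt_ip, rmt_port) -> pub_port
    reverse: dict = field(default_factory=dict)   # (pub_port, rmt_ip, rmt_port) -> (in_ip, in_port)
    expected: dict = field(default_factory=dict)  # ALG: (rmt_ip, pub_port) -> (in_ip, in_port)

    def _alloc(self):
        self.next_port += 1
        return self.next_port - 1

    def outbound(self, pkt):
        """Inside -> outside: create or reuse the mapping and rewrite the source."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.table:
            self.table[key] = self._alloc()
            self.reverse[(self.table[key], pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        payload = pkt.payload
        if self.ftp_alg and pkt.dst_port == 21:
            payload = self._fixup_port(pkt.src_ip, pkt.dst_ip, payload)
        return Packet(self.public_ip, self.table[key], pkt.dst_ip, pkt.dst_port, pkt.syn, payload)

    def _fixup_port(self, inside_ip, server_ip, payload):
        """The ALG: read the PORT command, pre-open a mapping for the coming data
        connection, and rewrite the command so it names the public address."""
        parsed = decode_port_cmd(payload)
        if parsed is None:
            return payload
        data_port = parsed[1]                       # client listens on inside_ip:data_port
        pub = self._alloc()
        self.expected[(server_ip, pub)] = (inside_ip, data_port)
        return encode_port_cmd(self.public_ip, pub)

    def inbound(self, pkt):
        """Outside -> inside: deliver only if state exists for it, else drop (None)."""
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.reverse:                     # reply inside a tracked session
            ip, port = self.reverse[key]
            return Packet(pkt.src_ip, pkt.src_port, ip, port, pkt.syn, pkt.payload)
        exp = (pkt.src_ip, pkt.dst_port)
        if pkt.syn and exp in self.expected:        # new connection the ALG said to expect
            ip, port = self.expected.pop(exp)
            self.reverse[key] = (ip, port)          # from here on an ordinary session
            self.table[(ip, port, pkt.src_ip, pkt.src_port)] = pkt.dst_port
            return Packet(pkt.src_ip, pkt.src_port, ip, port, pkt.syn, pkt.payload)
        return None                                 # no state for it: dropped


def active_ftp_demo(ftp_alg):
    """Control connection, PORT command, then the server's data-channel SYN.
    Returns (ip, port the server was told to use, inside endpoint reached or None)."""
    r = NatRouter(PUBLIC_IP, ftp_alg)
    r.outbound(Packet(INSIDE_CLIENT, 51000, FTP_SERVER, 21, syn=True))       # control channel
    seen = r.outbound(Packet(INSIDE_CLIENT, 51000, FTP_SERVER, 21,
                             payload=encode_port_cmd(INSIDE_CLIENT, 51001)))  # client: PORT ...
    ip, port = decode_port_cmd(seen.payload)        # what the server actually reads
    data = r.inbound(Packet(FTP_SERVER, 20, ip, port, syn=True))              # server: new connection
    return ip, port, None if data is None else (data.dst_ip, data.dst_port)


if __name__ == "__main__":
    print("pure NAT :", active_ftp_demo(ftp_alg=False))   # private address leaks, SYN dropped
    print("NAT + ALG:", active_ftp_demo(ftp_alg=True))    # public address, SYN reaches the client
```

Without the ALG the server is told to connect to 192.168.1.10:51001, an address it cannot reach, and even if the SYN arrived the router has no table entry for it and drops it, which is the "NAT alone cannot handle this" case. With the ALG the PORT command is rewritten to the public address and a freshly allocated port, an expectation is stored, and the server's SYN is matched against that expectation and forwarded to the right inside host. The toy leaves out something a real helper must do: rewriting the PORT argument changes the TCP payload length, so sequence and acknowledgement numbers on that connection have to be adjusted from then on, and the same parsing has to be applied to the server's 227 reply in passive mode when the server is the one behind the NAT.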

spi @66.128.17.x (Anon) to TheWiseGuy

I guess where I am going with this is that by definition NAT alone cannot handle active FTP. In active FTP the server starts a new connection into the client, and without some sort of packet inspection the router doesn't even know whom to forward that traffic to. The traffic will be denied. Whatever you want to call this packet inspection that the router does to see that data port and know it is associated with the original outgoing FTP session is up to you, but it is not NAT. BTW, you only described half of what an active FTP session does; you didn't even make it to the part that a basic router would have problems with.
spi @66.128.17.x (Anon) to nwrickert

I think that actually depends on who you ask. A lot of companies like to market it as a fixup, inspect, ALG, etc. According to Wiki it is part of SPI. I do agree with you though. Deep packet inspection must be done to determine this. We are on the same page, and at the basic level I am sure you explain it much better than I do. It appears some think that NAT does deep packet inspection to know how to handle these types of traffic; however, if you go by true network definitions, NAT does not do this type of inspection. As you said, the NAT table may be updated, but NAT itself is not responsible for the actual intelligence.
TheWiseGuy (MVM) to spi
said by spi :

BTW, you only described half of what an active ftp session does, you didn't even make it to the part that a basic router would have problems with.
Huh, maybe you can not read.
said by Me :
An initial connection is made to Port 21 outbound. The Inbound return packet contains the port where the data connection will be established.

quote:
Still you could easily implement a sub-routine in NAT that checks if the remote is Port 21 and simply check the return packet as part of NAT without implementing a full SPI firewall,

You do understand active FTP enough to understand that the DATA connection is the part you say will have a problem, not the control connection.

For you or anyone else that needs to understand active FTP
see

»slacksite.com/other/ftp.html

NAT/PAT is Name Address Translation/Port Address Translation, you must modify the NAT/PAT tables to allow inbound traffic from active FTP. It does not need to be done by a stateful firewall.

spi @66.128.17.x (Anon)

lol... you are explaining this to me and you call it "Name Address Translation". Man, you need to get a refund on whatever certification you got... I agree with you, the NAT (Network Address Translation) table is updated, but NAT is not inspecting the traffic to determine this information for itself. NAT is not responsible for inspecting this traffic, and NAT alone will not allow this inbound traffic. NAT alone cannot handle this type of traffic. Don't read any more into it; that is all I am trying to say. NAT alone cannot handle this type of traffic.
spi @66.128.17.x (Anon) to TheWiseGuy

BTW, since you brought it up, NAT/PAT as you call it are not one and the same.
TheWiseGuy (MVM) [1 edit]
said by spi :

BTW since you brought it up NAT/PAT as you call it are not one in the same.
Sigh, I wish I could put anonymous trolls on ignore. I also wish the system were not all of a sudden informing me of every reply by an anonymous user.

Actually, if you read Cisco

»www.cisco.com/en/US/tech ··· 31.shtml
Overloading – A form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address by using different ports. Known also as PAT (Port Address Translation), single address NAT or port-level multiplexed NAT.
PAT is the name of a specific type of NAT.

I'm done feeding the troll. You do not need a stateful firewall, which is what this topic is about, to do active FTP.

spi @66.128.17.x (Anon)

The guy that calls it Name Address Translation calls me a troll. Nice try...

You are correct, you may not need what your router vendor calls SPI for active FTP, but you do need some sort of deep packet inspection, which is NOT NAT.