rchandra (Stargate SG-1 and Atlantis Fan) Premium, join: 2000-11-09, 14225-2105

SPI feature

FWIW, I own the Linksys BEFSR41, and it supports SPI. Their assertion is that the Netgear products are the only ones in their survey that support this.
-- English is a difficult enough language to interpret correctly when its rules are followed, let alone when a writer doesn't follow those rules.
Bobcat (Volvo sucks donkey balls) Premium, join: 2001-02-04, Bedminster, NJ, Verizon Online DSL

Here's what the Linksys User's Manual says about SPI:

"SPI (Stateful Packet Inspection) - This feature checks the state of of [sic] a packet to verify that the destination IP address matches the source IP of the original request. To use the firewall, click the Enable button; otherwise select Disable to use the NAT firewall."

Could you explain what this means and what practical purpose it serves?
-- Without software, life itself would be impossible. Optimum Online; $29.95 per month; average speed 7200/900 kbps
rchandra (Stargate SG-1 and Atlantis Fan) Premium, join: 2000-11-09, 14225-2105

Well, as you can tell, whoever wrote the Linksys documentation doesn't exactly have a firm grasp on English. The quote out of the docs implies it's the state of the packet that matters, and thus the confusion. Packets don't really have a state; they have a header and contents/payload. The state being referenced is the state of a network connection. SPI not only looks at the source and destination addresses (as in IP addresses) and ports (if applicable), but also monitors other attributes of a packet, such as TCP sequence numbers or some timer attached by the router to recently passed packets (often for ICMP or UDP, which are connectionless protocols). It is an enhancement to security because more about a packet has to "match up" before it is allowed to be passed through. It's therefore more likely to be a legit communication and less likely to be someone trying to sneak something past your router.

[edit] Oh, yeah... forgot practical application.

Let's say some random cracker is doing some packet sniffing and is waiting for the end of some mail session you have going, and wants to inject some packets for whatever reason back behind your firewall. S/he waits for the connection to close, then sends packets that look like they might belong with that data stream, so the router passes them back. If the router does SPI, it realizes you've already sent the packets for TCP connection shutdown, so it says, "no way, Jose". Usually it just drops the additional packets on the floor, or it may return some ICMP message, or in addition to dropping, it might log internally or to some computer (syslog packet, SNMP trap, etc.).

Or let's take another, DoS example. BlAcKHaTCrAcKeR that I am, I want to cause constant TCP RST responses in your communication, so I just inject packets with invalid TCP sequence numbers, thus causing the connection to be reset and terminated. An SPI firewall would refuse to let these out-of-bounds packets through.

[text was edited by author 2002-02-04 23:35:30]
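The two scenarios in the post above (packets arriving after a session has been torn down, and RSTs carrying sequence numbers that do not fit the connection) can be followed through with a small stateful filter. The following is an added example written for this thread; it is not code from any router vendor, and it is a toy: the connection table has no timers, no retransmission handling and a fixed assumed window of 65535 bytes. The addresses (a LAN host under 192.168.1. talking to a mail server at 203.0.113.25) and all sequence numbers are constructed for the walk-through.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Toy stateful packet inspection (SPI) engine: added illustration, not any
# router's real implementation. Tracks one state entry per TCP connection,
# opened only by a SYN from the inside, and checks every later segment
# against that entry before letting it through.

WINDOW = 65535  # assumed receive window used for the sequence-number check


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset        # subset of {"SYN", "ACK", "FIN", "RST"}
    seq: int
    length: int = 0         # payload bytes


@dataclass
class ConnState:
    state: str              # SYN_SENT / ESTABLISHED / FIN_WAIT / TIME_WAIT / CLOSED
    expect_seq: Dict[str, int] = field(default_factory=dict)  # direction -> next expected seq
    fins: Set[str] = field(default_factory=set)               # directions that sent a FIN


class StatefulFirewall:
    def __init__(self, inside_prefix: str):
        self.inside_prefix = inside_prefix
        self.table: Dict[Tuple[str, int, str, int], ConnState] = {}
        self.log: List[str] = []

    def _key_and_dir(self, p: Packet):
        # Normalise the 4-tuple so both directions share one table entry.
        if p.src.startswith(self.inside_prefix):
            return (p.src, p.sport, p.dst, p.dport), "out"
        return (p.dst, p.dport, p.src, p.sport), "in"

    def _verdict(self, verdict: str, p: Packet, reason: str) -> str:
        self.log.append(f"{verdict} {p.src}:{p.sport}->{p.dst}:{p.dport} ({reason})")
        return verdict

    def filter(self, p: Packet) -> str:
        key, direction = self._key_and_dir(p)
        conn = self.table.get(key)
        # 1. Only an inside host may open a connection, and only with a bare SYN.
        if conn is None:
            if direction == "out" and p.flags == frozenset({"SYN"}):
                self.table[key] = ConnState("SYN_SENT", {"out": p.seq + 1})
                return self._verdict("ACCEPT", p, "new outbound SYN")
            return self._verdict("DROP", p, "no matching connection")
        if conn.state == "CLOSED":
            return self._verdict("DROP", p, "connection already closed")
        # 2. Sequence check: the segment must start inside the expected window.
        expected = conn.expect_seq.get(direction)
        if expected is not None and not (expected <= p.seq < expected + WINDOW):
            return self._verdict("DROP", p, f"seq {p.seq} outside window at {expected}")
        # 3. Handshake: only the peer's SYN-ACK completes it.
        if conn.state == "SYN_SENT":
            if direction == "in" and p.flags == frozenset({"SYN", "ACK"}):
                conn.state = "ESTABLISHED"
                conn.expect_seq["in"] = p.seq + 1
                return self._verdict("ACCEPT", p, "handshake reply")
            return self._verdict("DROP", p, "unexpected packet during handshake")
        # 4. After both FINs only the final bare ACK is legitimate.
        if conn.state == "TIME_WAIT":
            if p.flags == frozenset({"ACK"}) and p.length == 0:
                return self._verdict("ACCEPT", p, "final ACK of shutdown")
            return self._verdict("DROP", p, "connection already shut down")
        # 5. ESTABLISHED / FIN_WAIT: an in-window RST closes, data advances the window.
        if "RST" in p.flags:
            conn.state = "CLOSED"
            return self._verdict("ACCEPT", p, "in-window RST, closing")
        conn.expect_seq[direction] = p.seq + p.length + ("FIN" in p.flags)
        if "FIN" in p.flags:
            conn.fins.add(direction)
            conn.state = "TIME_WAIT" if len(conn.fins) == 2 else "FIN_WAIT"
        return self._verdict("ACCEPT", p, conn.state)


INSIDE, OUTSIDE = "192.168.1.66", "203.0.113.25"   # constructed sample addresses


def open_mail_session(fw: StatefulFirewall) -> List[str]:
    """Three-way handshake from the LAN host to an outside mail server (constructed)."""
    return [
        fw.filter(Packet(INSIDE, 40000, OUTSIDE, 25, frozenset({"SYN"}), seq=1000)),
        fw.filter(Packet(OUTSIDE, 25, INSIDE, 40000, frozenset({"SYN", "ACK"}), seq=5000)),
        fw.filter(Packet(INSIDE, 40000, OUTSIDE, 25, frozenset({"ACK"}), seq=1001)),
    ]


def injection_after_close() -> List[str]:
    """Scenario 1: a segment that fits the old stream arrives after the session closed."""
    fw = StatefulFirewall("192.168.1.")
    v = open_mail_session(fw)
    v.append(fw.filter(Packet(INSIDE, 40000, OUTSIDE, 25, frozenset({"ACK"}), seq=1001, length=20)))
    v.append(fw.filter(Packet(OUTSIDE, 25, INSIDE, 40000, frozenset({"ACK"}), seq=5001, length=40)))
    v.append(fw.filter(Packet(INSIDE, 40000, OUTSIDE, 25, frozenset({"FIN", "ACK"}), seq=1021)))
    v.append(fw.filter(Packet(OUTSIDE, 25, INSIDE, 40000, frozenset({"FIN", "ACK"}), seq=5041)))
    v.append(fw.filter(Packet(INSIDE, 40000, OUTSIDE, 25, frozenset({"ACK"}), seq=1022)))
    # Late segment with a plausible sequence number: the table says the stream is shut down.
    v.append(fw.filter(Packet(OUTSIDE, 25, INSIDE, 40000, frozenset({"ACK"}), seq=5042, length=30)))
    return v


def rst_with_bogus_seq() -> List[str]:
    """Scenario 2: a RST whose sequence number is out of window is dropped; an in-window one is honoured."""
    fw = StatefulFirewall("192.168.1.")
    v = open_mail_session(fw)
    v.append(fw.filter(Packet(OUTSIDE, 25, INSIDE, 40000, frozenset({"RST"}), seq=999_999)))            # bogus seq
    v.append(fw.filter(Packet(INSIDE, 40000, OUTSIDE, 25, frozenset({"ACK"}), seq=1001, length=10)))    # still flows
    v.append(fw.filter(Packet(OUTSIDE, 25, INSIDE, 40000, frozenset({"RST"}), seq=5001)))               # genuine RST
    v.append(fw.filter(Packet(INSIDE, 40000, OUTSIDE, 25, frozenset({"ACK"}), seq=1011, length=10)))    # now closed
    return v


if __name__ == "__main__":
    for run in (injection_after_close, rst_with_bogus_seq):
        fw_verdicts = run()
        print(run.__name__, fw_verdicts)
```

Both walk-throughs end with a DROP: in the first, the final data segment is refused because the table already records a completed FIN exchange; in the second, the far-off RST is refused while the connection keeps flowing, and only the RST with an in-window sequence number closes it. The `log` list on the firewall object holds the reason for each verdict, which is the kind of record a router would send on via syslog or an SNMP trap.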
DrTCP (Yours truly) Premium, ExMod 1999-04, join: 1999-11-09, Round Rock, TX

SPI (stateful packet inspection) is a very poorly understood term (even in the documentation of the vendors that claim SPI!).
The description of SPI in the Linksys documentation is wrong. So is the description of SPI at PracticallyNetworked.com.
Please see my take on this issue.
»RT311 and SPI
okaven, join: 2001-12-02, New York, NY

Bobcat:
Linksys's SPI is not SPI in the strictest sense. We were looking at the firewall's ability to handle packets statefully.
SPI is a firewall architecture that works at the network layer of the OSI model. This means that it does not only look at the packet header information (this is the SPI functionality Linksys refers to for source and destination inspection) but also at the packet contents. This allows the system to block questionable packets (denial-of-service, syn-flood, etc.). An SPI firewall also monitors connection state and compiles the information in a table (often referred to as the state table).
Additionally, users can apply certain user-definable rulesets to an incoming packet.
As a simple example:

  #  Action  Service              Source  Destination
  1  Allow   Send Email (SMTP)    *       192.168.1.66
  2  Allow   File Transfer (FTP)  *       192.168.1.77
  3  Deny    Default              *       LAN

This rule would allow packets that match 1 and 2 to pass (to the respective IP addresses), but would deny certain other packets.
Hope that sheds a little more light onto the issue.
-ok
----------------------------------------
Oliver Kaven
Project Leader, Network Infrastructure
PC Magazine Labs
[text was edited by author 2002-02-05 19:20:39]
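The three-line ruleset in the post above is a first-match filter: each incoming packet is compared with the rules in order and the first one that matches decides. The following is an added example written for this thread, not PC Magazine's test code or any vendor's firewall; the mapping of "Send Email" and "File Transfer" to TCP ports 25 and 21, the LAN range 192.168.1.0/24 and the outside address 203.0.113.9 are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# First-match packet filter modelled on the three-rule example in the post
# above. Added illustration only. Service names map to (protocol, port);
# "Default" matches any traffic, which is how rule 3 catches everything else.
SERVICES = {"SMTP": ("tcp", 25), "FTP": ("tcp", 21), "Default": (None, None)}
LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed address range behind the router


@dataclass(frozen=True)
class Rule:
    number: int
    action: str     # "Allow" or "Deny"
    service: str    # key of SERVICES
    src: str        # "*", "LAN", a single address or a CIDR network
    dst: str        # same forms as src


RULES = [
    Rule(1, "Allow", "SMTP", "*", "192.168.1.66"),
    Rule(2, "Allow", "FTP", "*", "192.168.1.77"),
    Rule(3, "Deny", "Default", "*", "LAN"),
]


def _addr_matches(pattern: str, ip: str) -> bool:
    if pattern == "*":
        return True
    net = LAN if pattern == "LAN" else ipaddress.ip_network(pattern, strict=False)
    return ipaddress.ip_address(ip) in net


def _service_matches(service: str, proto: str, port: int) -> bool:
    want_proto, want_port = SERVICES[service]
    return want_proto is None or (want_proto == proto and want_port == port)


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> Tuple[str, Optional[int]]:
    """Return (action, rule number) of the first rule that matches; deny if none does."""
    for r in rules:
        if (_addr_matches(r.src, src) and _addr_matches(r.dst, dst)
                and _service_matches(r.service, proto, dport)):
            return r.action, r.number
    return "Deny", None   # implicit default deny: an unmatched packet is never passed


if __name__ == "__main__":
    peer = "203.0.113.9"   # constructed outside address
    for dst, proto, port in [("192.168.1.66", "tcp", 25), ("192.168.1.77", "tcp", 21),
                             ("192.168.1.77", "tcp", 25), ("192.168.1.66", "tcp", 80)]:
        print(dst, proto, port, evaluate(RULES, peer, dst, proto, port))
    # Rule order matters: with the default deny first, rules 1 and 2 are never reached.
    print(evaluate([RULES[2], RULES[0], RULES[1]], peer, "192.168.1.66", "tcp", 25))
```

Two points the toy makes visible: the order of the rules is part of the policy (move the "Deny Default" line to the top and the two Allow lines become dead), and an unmatched packet should still be denied rather than passed. A ruleset like this has no notion of connection state; that is the separate state-table part of SPI the post describes, which works alongside the rules rather than replacing them.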
DrTCP (Yours truly) Premium, ExMod 1999-04, join: 1999-11-09, Round Rock, TX

okaven: I am glad to see you guys participating in this discussion.
The following are accurate descriptions of SPI (as I have referred to in the reference thread above).
»www.avolio.com/apgw+spf.html
»rr.sans.org/firewall/anatomy.php
Linksys routers do not have the overhead of any packet filters that Netgear and ZyXEL routers have (by the way, Netgear RT311/RT314/RP114/RP334/RO318/MR314 are all based on ZyXEL's ZyNOS, modified by Netgear; others are based on SonicWall). So, Linksys is benefiting from the lack of meaningful packet filtering capabilities. Secondly, an SPI firewall has more to do than one that simply does packet filtering, and much more than one that does not have specific filtering and just relies on NAT. So, comparing a NAT-only router with one that has packet filter capabilities, and even SPI, is not a fair comparison.
Finally, your tests seem to place extra importance on small-packet performance, whereas for bulk transfers large-packet performance is what really matters. There, Netgear is either as fast as or faster than Linksys, and the advantage on 64-byte packets is not that important. Also, the test environment is very important. The WAN port of Netgear routers is half-duplex only. It would not like bi-directional artificial small-packet performance tests. In real life most packets are large packets, and small ACK packets do not consume much bandwidth.
Another test was conducted by the Tolly Group.
»www.2wire.com/products/pdfs/tolly_hp0501.pdf
Alas, on this test Linksys performed poorly on large packets.