
okaven (join: 2001-12-02, New York, NY) | reply to Bobcat, Re: SPI feature
Bobcat:
Linksys's SPI is not SPI in the strictest sense. We were looking at the firewall's ability to handle packets statefully.
SPI is a firewall architecture that works at the network layer of the OSI model. This means that it does not only look at the packet header information (this is the SPI functionality Linksys refers to for source and destination inspection) but also at the packet contents. This allows the system to block questionable packets (denial-of-service, SYN flood, etc.). An SPI firewall also monitors connection state and compiles the information in a table (often referred to as a state table).
Additionally, users can apply certain user-definable rulesets to an incoming packet.
As a simple example:
1  Allow  Send Email (SMTP)    *  192.168.1.66
2  Allow  File Transfer (FTP)  *  192.168.1.77
3  Deny   Default              *  LAN
This rule would allow packets that match 1 and 2 to pass (to the respective IP addresses), but would deny certain other packets.
Hope that shed a little more light onto the issue.
-ok
----------------------------------------
Oliver Kaven
Project Leader, Network Infrastructure
PC Magazine Labs
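The rule table and state table described in the post above, as an added example that is not part of the original thread or of any vendor's firmware: a toy stateful filter that consults the three rules only for connection openers, records accepted connections in a state table, and lets return traffic through on the strength of that state. Port numbers, the Packet fields and the 203.0.113.9 test address are assumptions for the illustration.

```python
from dataclasses import dataclass

# Rule table from the post: (action, service port, source, destination).
# "*" matches any address; the last rule is the default deny for the LAN.
# SMTP=25 and FTP control=21 are assumed for the two named services.
RULES = [
    ("allow", 25, "*", "192.168.1.66"),   # 1 Allow Send Email (SMTP)
    ("allow", 21, "*", "192.168.1.77"),   # 2 Allow File Transfer (FTP)
    ("deny", None, "*", "*"),             # 3 Deny Default (any host on the LAN)
]

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True for the first packet of a TCP connection

class SPIFirewall:
    """Toy stateful firewall: static rule table plus a connection state table."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.state = set()   # accepted connections as (src, sport, dst, dport)

    def _match_rules(self, pkt: Packet) -> str:
        # First matching rule wins, exactly like the numbered list in the post.
        for action, port, src, dst in self.rules:
            if port is not None and pkt.dport != port:
                continue
            if src != "*" and pkt.src != src:
                continue
            if dst != "*" and pkt.dst != dst:
                continue
            return action
        return "deny"

    def filter(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Packets of a connection already in the state table pass in either
        # direction without re-consulting the rule table.
        if fwd in self.state or rev in self.state:
            return "allow"
        # A non-SYN packet with no state is unsolicited: a plain packet filter
        # judges it on headers alone, a stateful filter drops it outright.
        if not pkt.syn:
            return "deny"
        verdict = self._match_rules(pkt)
        if verdict == "allow":
            self.state.add(fwd)
        return verdict
```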
[text was edited by author 2002-02-05 19:20:39]

DrTCP (Yours truly; Premium, ExMod 1999-04; join: 1999-11-09, Round Rock, TX)
okaven: I am glad to see you guys participating in this discussion.
The following are accurate descriptions of SPI (as I referred to in the reference thread above).
»www.avolio.com/apgw+spf.html
»rr.sans.org/firewall/anatomy.php
Linksys routers do not have the overhead of the packet filters that Netgear and ZyXEL routers have (by the way, the Netgear RT311/RT314/RP114/RP334/RO318/MR314 are all based on ZyXEL's ZyNOS, modified by Netgear; others are based on SonicWall). So, Linksys is benefiting from the lack of meaningful packet filtering capabilities. Secondly, an SPI firewall has more to do than one that simply does packet filtering, and much more than one that has no specific filtering and just relies on NAT. So, comparing a NAT-only router with one that has packet filtering capabilities, or even SPI, is not a fair comparison.
Finally, your tests seem to place extra importance on small-packet performance, whereas for bulk transfers large-packet performance is what really matters. There, Netgear is either as fast as or faster than Linksys, and the advantage on 64-byte packets is not that important. Also, the test environment is very important. The WAN port of Netgear routers is half-duplex only. It would not like bi-directional artificial small-packet performance tests. In real life most packets are large packets, and small ACK packets do not consume much bandwidth.
Another test was conducted by the Tolly Group.
»www.2wire.com/products/pdfs/tolly_hp0501.pdf
Alas, in this test Linksys performed poorly on large packets.