Questions about Stateful Packet Inspection (SPI)

imported_davehries

Junior Member
Apr 21, 2004
15
0
0
I need a new router and have been investigating the security aspects of routers. I have noticed that a few consumer routers have SPI as a security feature.

Is SPI important for a home user? Is it worth the extra $$ for this feature?

The routers that I have found with this feature include LinkSys WRT54G and GS and Motorola BR700 (wired). Everyone seems to like the LinkSys, but I can't find many impressions for the BR700 router. Does anyone have any experience with Motorola routers? The BR700 is cheaper than the WRT54G-GS routers?

Thanks.
 

atiyeh

Senior member
Dec 13, 2004
496
0
0
SPI would be helpful if you had roommates who were using p2p applications and you didn't want them to. Might be a lil over the top for the home user though.
 

ScottMac

Moderator, Networking, Elite member
Mar 19, 2001
5,471
2
0
In a nutshell, SPI will block any uninvited inbound traffic. (Inbound will only be allowed as a response to a request from an inside source.)

It won't help with P2P because the client "invites" the other streams in to participate in your file service process.

You can allow outside-initiated traffic by opening the specific port and providing the specific information.


FWIW

Scott
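
Added example, not part of the original thread: a toy Python model of the behaviour described in the post above, where inbound packets pass only as replies to flows opened from the inside or to a port that was explicitly opened. The class and function names, addresses and ports are constructed for illustration, and NAT, TCP flag tracking and state timeouts are left out.

```python
from typing import NamedTuple

class Packet(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class StatefulFilter:
    """Toy SPI model: no NAT, no TCP flag tracking, no state timeouts."""

    def __init__(self, lan_prefix):
        self.lan_prefix = lan_prefix   # addresses starting with this are "inside"
        self.flows = set()             # flows opened from the inside
        self.open_ports = {}           # (proto, port) -> inside host

    def open_port(self, proto, port, host):
        """The 'open a specific port' exception for outside-initiated traffic."""
        self.open_ports[(proto, port)] = host

    def handle(self, p):
        if p.src.startswith(self.lan_prefix):
            # Outbound request: remember the flow so its replies are recognised.
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "ALLOW-OUT"
        # Inbound: allowed only if it is the exact reverse of a recorded flow...
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return "ALLOW-REPLY"
        # ...or it targets a port explicitly opened for that inside host.
        if self.open_ports.get((p.proto, p.dport)) == p.dst:
            return "ALLOW-OPEN-PORT"
        return "DROP"

def demo():
    # Constructed sample traffic using documentation address ranges.
    fw = StatefulFilter("192.168.1.")
    pc, web, stranger = "192.168.1.10", "198.51.100.7", "203.0.113.9"
    verdicts = [
        fw.handle(Packet("tcp", stranger, 40000, pc, 6881)),  # uninvited inbound
        fw.handle(Packet("tcp", pc, 51000, web, 443)),        # request from inside
        fw.handle(Packet("tcp", web, 443, pc, 51000)),        # reply to that request
        fw.handle(Packet("tcp", web, 443, pc, 51001)),        # no matching flow
    ]
    fw.open_port("tcp", 6881, pc)
    verdicts.append(fw.handle(Packet("tcp", stranger, 40000, pc, 6881)))
    verdicts.append(fw.handle(Packet("tcp", stranger, 40000, "192.168.1.11", 6881)))
    return verdicts

if __name__ == "__main__":
    print(demo())
```

The same uninvited packet that is dropped at first is allowed once the port is opened for that host, while the other inside host stays unreachable on that port.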
 

imported_davehries

Junior Member
Apr 21, 2004
15
0
0
Thanks for the info.

I also use ZoneAlarmPro and according to one of the ZA gurus, ZAPro has SPI as a security feature. So, if true, as long as I use ZAPro I don't have to be concerned about finding or using a router that has SPI.

I just hope that the Guru knows what he is talking about. I can't find any reference to SPI in the ZA docs.

 

Boscoh

Senior member
Jan 23, 2002
501
0
0
Originally posted by: davehries
Thanks for the info.

I also use ZoneAlarmPro and according to one of the ZA gurus, ZAPro has SPI as a security feature. So, if true, as long as I use ZAPro I don't have to be concerned about finding or using a router that has SPI.

This is true to some extent. SPI on a network-level device certainly has its benefits (and drawbacks) to having SPI-based firewalling software on the host system itself.

With the software on your system, your machine is still getting hit with that traffic that might otherwise be blocked. This will always increase resource usage on your system as the firewall software processes that traffic against its ruleset. The resource hit might be very little or it might be a lot, but it will be there. Also, as long as you have those packets hitting your NIC, you're opening yourself up to the possibility that one of those packets could exploit a vulnerability in your firewall software, thus potentially making it useless.

Generally when packets are processed at a network-level firewall, there is less risk of it exploiting something in the firewall software and getting around it provided that the firewall is properly configured. That has been my experience, anyway. General thinking is that you want to limit exposure to your PC as much as possible. By putting the firewall on your PC you aren't doing anything to limit its exposure, you're just relying on that software to block out the bad stuff.

The major downside to using something at the network level is that you don't usually get the granularity in rules that you'd get from something residing on the end system. Unless your firewall is extremely intelligent, you are usually limited to just opening and closing ports to permit applications. At that point, most firewalls don't care what application uses that port, just that something is allowed to use it.

Because I know what's on my PC and what is running at all times, I don't really care too much about having personal firewall software on my PC. A good SPI-based hardware firewall filtering out stuff at the gateway works better for me. I do run firewall software on my laptop in addition to the hardware firewall I have at home though. But that is because my laptop is a critical business resource and it sees a lot of different public-access networks as well. I never trust other people's networks.
 

imported_davehries

Junior Member
Apr 21, 2004
15
0
0
Thanks Boscoh. Your reply was first rate. It really cleared things up for me.

I was wondering what router do you use?

I am thinking about getting the Motorola BR700 (price at NewEgg $53.00) a wired router. It has SPI/NAT and other security features that I am interested in getting. I was also looking at the Motorola WR850G (price at WalMart $54.50), it lacks SPI. WalMart also has the LinkSys WRT54G for $60.00 it has SPI.

If you were going to get one of these three routers which would you go for? Considering quality, reliability and support issues.

PS. At this point in time I have no need for wireless, just adds some future proofing. But, by the time I might need wireless things will be completely different.
 

Boscoh

Senior member
Jan 23, 2002
501
0
0
I'm glad I could help.

I have never dealt with the Motorola routers, but if they are of the same quality as their cable modems then they should be fairly decent. I've heard good things about the WRT54G, so if my choice was between the two I might be inclined to go with that one. Personally, I am very fond of the ZyXel Prestige 334W I've been using lately. It has SPI and a bunch of other features. I am not sure of the price though, I got it free.

My main firewall though is a Cisco PIX 501 that sits right behind my cable modem. As far as firewalls go, that's pretty much "it" right there, in my opinion. The price might be a few hundred dollars above what you're looking to spend though.
 