IP Filter / Firewall Application Notes

2. "SPI" / "Keep State" introduction

Stateful Packet Inspection (SPI) was developed in the early 1990s to overcome some of the limitations of static packet filters. The following example illustrates that limitation. Consider a network with the filtering rules specified below.

Access Rules:

1. Allow internal IP1 >1023 port ==> Any IP, 80 port, use TCP protocol

2. Allow Any IP, 80 port ==> internal IP1, 1433 port, use TCP protocol (Set Keep State here.)

3. Block any other packets



Rule 1 states that TCP packets sent from internal IP1 with a source port greater than 1023 to port 80 of any IP are allowed out; in other words, rule 1 lets the internal host access public web servers. Rule 2, in contrast, is meant to restrict access requests from outside to those coming from a public web server (source port 80), so that access requests to the MS SQL Server (port 1433) from hackers are blocked. However, a hacker can simply change the source port of his host to 80, and rule 2 then grants him direct access to the MS SQL Server.

Many other applications open similar security holes for hackers, for example FTP in active/passive mode. Furthermore, some hackers explore the weaknesses of static access rules and craft specific packets: each packet may be a fragment of a complete message, so that every fragment passes the access rules of the router on its own, yet once the fragments are reassembled the complete message turns out to be illegal. To overcome this limitation of static packet filtering, SPI technology was developed; SPI is sometimes also called dynamic packet filtering.

Stateful packet inspection compares only the first packet of a connection against the defined security policies. Once a connection has been established, it is recorded in a state table. This state table is checked when subsequent packets arrive at the firewall, and a packet that matches an entry there is allowed to pass. By using this table of connection data, matching and controlling packets becomes dramatically more efficient when complex security policies are involved.
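As an added illustration (not DrayTek's code) of the example above: a toy Python model of the three access rules, first as a static filter and then with rule 2 under Keep State. The addresses, the ephemeral port 40000 and the state-table semantics (an inbound packet passes only if it belongs to a connection that rule 1 has already recorded) are assumptions made for this illustration.

```python
from dataclasses import dataclass

INTERNAL_IP1 = "192.168.1.10"   # constructed stand-in for "internal IP1"
WEB_SERVER = "203.0.113.5"      # constructed public web server
OUTSIDER = "198.51.100.7"       # constructed outside host that sets its source port to 80

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = True            # True for the first packet of a TCP connection

def rule1_matches(p):
    """Rule 1: internal IP1, port > 1023 ==> any IP, port 80 (outbound web access)."""
    return p.src_ip == INTERNAL_IP1 and p.src_port > 1023 and p.dst_port == 80

def rule2_matches(p):
    """Rule 2: any IP, port 80 ==> internal IP1, port 1433 (inbound)."""
    return p.src_port == 80 and p.dst_ip == INTERNAL_IP1 and p.dst_port == 1433

def static_filter(p):
    """Static packet filter: each packet is judged on its own header alone."""
    return rule1_matches(p) or rule2_matches(p)   # rule 3 blocks everything else

class KeepStateFilter:
    """Rule 2 with Keep State (assumed simplified semantics): an inbound packet is
    admitted only if it belongs to a connection already in the state table."""
    def __init__(self):
        self.state = set()      # 4-tuples of connections the firewall has accepted

    def allow(self, p):
        flow = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        reverse = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if flow in self.state or reverse in self.state:
            return True                          # packet of a recorded connection
        if p.syn and rule1_matches(p):           # first packet: consult the rules
            self.state.add(flow)                 # outbound connection recorded
            return True
        return False                             # rule 2 admits nothing without state

if __name__ == "__main__":
    probe = Packet(OUTSIDER, 80, INTERNAL_IP1, 1433)   # source port forced to 80
    fw = KeepStateFilter()
    print("static filter passes probe:", static_filter(probe))   # True: the hole
    print("keep-state passes probe:", fw.allow(probe))           # False
    fw.allow(Packet(INTERNAL_IP1, 40000, WEB_SERVER, 80))        # internal host browses
    print("reply passes:", fw.allow(Packet(WEB_SERVER, 80, INTERNAL_IP1, 40000, syn=False)))
```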

The Stateful Packet Inspection implemented in the Vigor2600, Vigor2600X, Vigor2600W, Vigor2600G, Vigor2900/Gi and Vigor2600V is a simplified type. In the Web Configuration of these models it is called "Keep State", while other vendors call it simplified SPI.



Page last modified: 13 October 2008