stateful packet inspection?

xyyz


alright what is all this about anyways? I think it has something to do with ACLs, right?

how do I do anything with this? my linksys router claims it has SPI... it even has this little thing that allows you to enable SPI... but after I enable it... then what happens?

also, my Cisco 806 (and eventually my 2620) has it... but what do I do with it?

anyone wanna help me out here and give me a pointer on what I should read to better understand SPI?
 

Tallgeese

This might shed some light:

Stateful packet inspection

A second method utilized by firewalls is known as stateful packet inspection. Stateful packet inspection is a form of super-charged packet filtering. It examines not just the headers of the packet, but also the contents, to determine more about the packet than just its source and destination information. It is called a stateful packet inspection because it examines the contents of the packet to determine what the state of the communication is - i.e. it ensures that the stated destination computer has previously requested the current communication. This is a way of ensuring that all communications are initiated by the recipient computer and are taking place only with sources that are known and trusted from previous interactions. In addition to being more rigorous in their inspection of packets, stateful inspection firewalls also close off ports until connection to the specific port is requested. This allows an added layer of protection from the threat of port scanning.


In lower-end devices, SPI's more like a "set-and-forget" feature. The better ones might write SPI events to a log, but I wouldn't expect much more from them.
 

xyyz


that's some pretty advanced stuff.... the router needs to analyze the content? doesn't that require some pretty high-end abilities?
 

Nothinman

<< that's some pretty advanced stuff.... the router needs to analyze the content? doesn't that require some pretty high-end abilities? >>

Yes that means the router needs to understand the protocol being used, i.e. http, irc, etc.
 

n0cmonkey



<< ISA will do it, but you'd want to put it on a hog of a box. >>



So will IPTables, IP Filter, and Packet Filter, and they work on smaller machines.

EDIT: Of course you want to match the size of the machine with the speed of the connection.
 

Saltin



<< EDIT: Of course you want to match the size of the machine with the speed of the connection. >>



Thanks for qualifying that. Of course I was speaking generally. Generally speaking, you are going to want a much stronger box to do stateful packet inspection, regardless of which software is doing it.
 

n0cmonkey



<<
<< EDIT: Of course you want to match the size of the machine with the speed of the connection. >>

Thanks for qualifying that. Of course I was speaking generally. Generally speaking, you are going to want a much stronger box to do stateful packet inspection, regardless of which software is doing it.
>>



That's true for *ANY* platform. The more work you want done quickly, the bigger the machine you should get ;)

With the solutions I provided there would be less overhead than with the Microsoft solution (in my opinion), so a smaller machine should be just fine. I have heard good things about ISA though, and of course the bad stuff as well (less Microsoft centric than you may think).
 

Thor86

For ISA server, would a P3-1GHz, 512MB RAM, 40 gig drive be considered a "hog"?
 

Saltin

That's fine for regular firewall, proxy, and caching functionality, as long as it isn't the gateway for too many computers. It all depends on the number of clients you are servicing.
Is that hardware enough for 20 clients? Sure
Is that hardware enough for 20 clients and stateful packet inspection? Maybe
Is that hardware enough for 100 clients? Maybe
Is that hardware enough for 100 clients and stateful packet inspection? Doubtful

These are just examples and not actual numbers; your results will depend on the number of clients you are servicing.
 

xyyz


I have both a Cisco 806 and 2611 that can support stateful packet inspection; unfortunately, I don't have the IOS for the 2611 that can handle this feature, but I do have it for the 806. For a home network with say up to 8 clients, will the 806 be good enough? Also, where do I read about Cisco's SPI features... what I saw on the Cisco site was really thin.
 

n0cmonkey

My thoughts on routers doing firewalling: Let a router route and a firewall firewall. Blocking a minimum of traffic with a router (internal ips and so forth) would be great at a router, but the more tasks you give it, the more of a load the machine will have and it could cause problems. On a home setup this may not ever happen, but on a corporate setup this could be bad.
 

Thor86

Everyone,

Thanks for all your inputs. But yet another question, where would the location of ISA server on the network be the most useful for high traffic so it doesn't act as a router, but rather a firewall (with stateful packet inspection)?

TIA!
 

n0cmonkey



<< Everyone,

Thanks for all your inputs. But yet another question, where would the location of ISA server on the network be the most useful for high traffic so it doesn't act as a router, but rather a firewall (with stateful packet inspection)?

TIA!
>>



Right behind the router.
 

Tallgeese



<< Right behind the router. >>

Exactly. You want this router to act as a "choke" router, in that it is configured to screen and discard obviously fake traffic (packets inbound on an external interface with "spoofed" origination addresses that match internal addresses, etc.)

The thinking is that although those methods are not accurate (or secure) enough for complete firewall protection, the router can perform these functions MUCH faster than a firewall (which is very SLOW, relatively speaking) can do its thing.

If the choke router can "pre-disqualify" 50-75% of the original traffic as bogus, then you could potentially reduce the firewall's workload to as little as 25% of what it would be without the choke router.
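As an added illustration (not code from any poster in this thread), the Python below simulates the two ideas discussed above: Tallgeese's description of a stateful firewall that only admits inbound packets belonging to a flow an inside host opened (ports stay "closed" until requested), and the choke router in front of it that discards inbound packets with spoofed internal source addresses before the firewall ever sees them. The LAN range and every packet are constructed values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed values: the protected LAN and a few packets as the external-facing
# choke router sees them (inbound=True) or as the LAN sends them (inbound=False).
INTERNAL = ip_network("192.168.1.0/24")

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool  # True = arrived on the external interface

def choke_router(pkt: Packet) -> bool:
    """Header-only screen: an inbound packet claiming an internal source address
    is obviously forged, so it is dropped here without costing the firewall anything."""
    return not (pkt.inbound and ip_address(pkt.src) in INTERNAL)

class StatefulFirewall:
    """Minimal connection table: remember flows opened from inside and admit
    only inbound packets that are replies to one of them."""
    def __init__(self) -> None:
        self.flows: set = set()

    def inspect(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: the port is "closed" unless an inside host asked for this flow.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows

def run(packets):
    """Return one verdict per packet plus how many the choke router absorbed."""
    fw, verdicts, choked = StatefulFirewall(), [], 0
    for p in packets:
        if not choke_router(p):
            choked += 1
            verdicts.append("choke-drop")
        else:
            verdicts.append("accept" if fw.inspect(p) else "fw-drop")
    return verdicts, choked

SAMPLE = [
    Packet("192.168.1.10", 40000, "203.0.113.5", 80, inbound=False),  # LAN host opens HTTP
    Packet("203.0.113.5", 80, "192.168.1.10", 40000, inbound=True),   # reply matches the flow
    Packet("198.51.100.7", 4444, "192.168.1.10", 22, inbound=True),   # unsolicited probe
    Packet("192.168.1.99", 5555, "192.168.1.10", 22, inbound=True),   # spoofed internal source
    Packet("203.0.113.5", 80, "192.168.1.10", 40001, inbound=True),   # right host, no such flow
]

if __name__ == "__main__":
    for p, v in zip(SAMPLE, run(SAMPLE)[0]):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} {v}")
```

A real device also tracks TCP state and flow timeouts and, as Nothinman notes, understands application protocols; this table only captures the "was it requested from inside" rule.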