The Broadband Router Features Guide
The Firewall & SPI
All NAT-based routers act as a 'natural' firewall between the Internet and your LAN by masking the true IP addresses of the computers on your LAN. The very nature of NAT makes it nearly impossible for someone to directly connect to a computer behind a NAT router using the computer's IP address. This does not, however, stop hackers from successfully launching things like DoS (Denial of Service) attacks on you.
Packet Inspection
To accomplish its connection sharing task, a NAT router does something called packet inspection. Part of this inspection process involves blocking unwanted and unrequested packets trying to reach your LAN computers. It can also involve forwarding 'wanted' packets to servers you might have running on your LAN (see the port forwarding article).
Stateful Packet Inspection
SPI is a little different from ordinary 'packet inspection'. The basic interpretation of SPI is that a router/firewall with SPI will protect you from more attacks than a router without SPI. SPI means that the router will look at a packet of information, examine it in some way, and determine what to do with it (beyond simple routing). SPI routers not only understand TCP/IP, they understand the kind of applications that are running on top of the protocol. This understanding allows the router to filter out advanced forms of attacks on the Internet, like Denial of Service attacks.
There is no standard for implementing SPI. Each manufacturer writes its own SPI software or licenses it from an Internet security company. As you can imagine, the quality of the SPI software can vary. Evaluating the effectiveness of each SPI implementation is WAY out of the scope of this web site and would require a small army of security experts to accomplish in any meaningful way.
This brings us to the difficult question: how do you tell how good the SPI firewall in a broadband router is? This is a VERY difficult question to answer. Without getting extremely technical, the best we can do is look for indications that the router has the capability of performing operations on each packet beyond basic NAT.
Indications that a router has good SPI
1) Logging: A router that does not support any kind of logging might indicate that the router software is not very intelligent. Routers that log attacks and actually tell you what kind of attack was attempted are obviously doing some advanced packet inspection. This is probably your BEST indicator.
2) Special application support without DMZ: Dumb routers make you put your computer in the DMZ for all kinds of things. Advanced routers can support NetMeeting, VPN pass-through and more without having to move your computer to the DMZ. The only way the router can do this is to look for packets from your special application, then rewrite and re-route the packets in a way that is compatible with both your application and NAT. The fact that the router is aware of your application is an indication of advanced SPI.
3) Advanced packet filtering: Packet filtering in itself is SPI. Check to see if your router supports any kind of string filtering on packets. The more advanced the filtering options, the better the indication of good SPI.
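The following is an added example, not code from the original guide or from any router manufacturer. It models, in a few dozen lines of Python, the behaviour the SPI section and the three indicators above describe: the router remembers sessions that LAN computers open, admits inbound packets only when they belong to a remembered session or to an explicit port forward, applies a simple string filter to packet payloads, and writes a log line saying why each packet was dropped. The Packet and StatefulFilter classes, the addresses (from the documentation ranges 192.168.1.0/24, 203.0.113.0/24 and 198.51.100.0/24) and the packet sequence are all constructed for illustration; address rewriting by NAT itself is not modelled, and real router firmware tracks far more state than this.

```python
"""Toy stateful packet filter (added example, not from the original guide).

Shows the three behaviours the guide associates with SPI: a connection
table for sessions opened from the LAN, explicit port forwards for
'wanted' inbound packets, a payload string filter, and a log that states
the reason for every drop. All names, addresses and packets are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed addresses: one LAN host behind the router, one Internet web
# server, and one unrelated Internet host that sends unsolicited packets.
LAN_HOST = "192.168.1.10"
WEB_SERVER = "203.0.113.5"
STRANGER = "198.51.100.7"


@dataclass(frozen=True)
class Packet:
    direction: str      # "out" = LAN -> Internet, "in" = Internet -> LAN
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""     # TCP flags as letters: "S", "SA", "A"
    proto: str = "tcp"
    payload: bytes = b""


class StatefulFilter:
    """Admits inbound traffic only for sessions the LAN side opened (or forwarded ports)."""

    def __init__(self, blocked_strings=(), port_forwards=None):
        # Session table keyed by (proto, lan_ip, lan_port, remote_ip, remote_port).
        self.sessions: Dict[Tuple, str] = {}
        self.blocked_strings = [s.encode() for s in blocked_strings]
        self.port_forwards = port_forwards or {}   # {(proto, port): lan_ip}
        self.log: List[str] = []

    def _key(self, pkt: Packet) -> Tuple:
        # Normalise both directions to the same 5-tuple so replies match.
        if pkt.direction == "out":
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def handle(self, pkt: Packet) -> str:
        """Return 'ACCEPT' or 'DROP'; every drop is logged with its reason."""
        for needle in self.blocked_strings:           # indicator 3: string filtering
            if needle in pkt.payload:
                return self._drop(pkt, f"payload matched blocked string {needle!r}")
        key = self._key(pkt)
        if pkt.direction == "out":
            # Anything leaving the LAN creates or refreshes a session entry.
            self.sessions[key] = "SYN_SENT" if pkt.flags == "S" else "ESTABLISHED"
            return "ACCEPT"
        if key in self.sessions:                     # reply to a LAN-opened session
            if pkt.flags == "SA" and self.sessions[key] == "SYN_SENT":
                self.sessions[key] = "ESTABLISHED"
            return "ACCEPT"
        if (pkt.proto, pkt.dport) in self.port_forwards:   # 'wanted' packet for a LAN server
            self.sessions[key] = "SYN_RECV"
            return "ACCEPT"
        return self._drop(pkt, "unsolicited inbound packet, no matching session")

    def _drop(self, pkt: Packet, reason: str) -> str:
        # Indicator 1: the log says what was blocked and why, not just that something was.
        self.log.append(f"DROP {pkt.proto} {pkt.src}:{pkt.sport} -> "
                        f"{pkt.dst}:{pkt.dport} ({reason})")
        return "DROP"


def run_demo() -> Dict[str, object]:
    """Feed a constructed packet sequence through the filter and return the verdicts."""
    fw = StatefulFilter(blocked_strings=["forbidden"], port_forwards={("tcp", 80): LAN_HOST})
    verdicts = [
        # 1. LAN host opens an HTTPS connection: allowed and remembered.
        fw.handle(Packet("out", LAN_HOST, 40001, WEB_SERVER, 443, flags="S")),
        # 2. The server's SYN-ACK belongs to that session: allowed.
        fw.handle(Packet("in", WEB_SERVER, 443, LAN_HOST, 40001, flags="SA")),
        # 3. Stray inbound SYN to a port nobody asked for: dropped and logged.
        fw.handle(Packet("in", STRANGER, 5555, LAN_HOST, 3389, flags="S")),
        # 4. Inbound SYN to the forwarded web port: admitted by the explicit forward.
        fw.handle(Packet("in", STRANGER, 5556, LAN_HOST, 80, flags="S")),
        # 5. Valid session, but the payload hits the string filter: dropped and logged.
        fw.handle(Packet("in", WEB_SERVER, 443, LAN_HOST, 40001, flags="A",
                         payload=b"HTTP/1.1 200 OK forbidden content")),
    ]
    return {"verdicts": verdicts, "log": fw.log, "sessions": dict(fw.sessions)}


if __name__ == "__main__":
    result = run_demo()
    print(result["verdicts"])
    print("\n".join(result["log"]))
```

A router with no connection table can only make the packet 3 decision by port number; the table is what lets it accept packet 2 while rejecting packet 3, and the reason string in the log is the kind of detail the guide says to look for when judging a router's firewall.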
Summary
A router with indications of advanced SPI still needs to be 'told' how to look for attacks and how to react to them. The points above let you know that the router is capable of advanced attack shielding. Remember, the manufacturer must program the router for good firewall protection and keep it updated.