+ All Categories
Home > Documents > SPI Vs DPI


Date post: 02-Jun-2018
Author: zahbir123
View: 219 times
Download: 0 times
Share this document with a friend
Embed Size (px)

of 4

  • 8/10/2019 SPI Vs DPI


    Statefulvs. Deep Packet Inspection

    Stateful Packet Inspection (SPI)

    What is a SPI firewall?SPI is a basic firewalling feature that is included in standard DSL routers.

    How does SPI work?SPI works at the network layer by examining a packets header and footer in addition toensuring the packet belongs to a valid session.

    When an IP packet arrives at the firewall from the Internet the firewall decides if itshould be forwarded to the internal network.

    To do this the firewall inspects the packet to see what connections have beenopened from the inside of the network to the Internet.

    If there is a connection open that applies to the packets that have arrived from theInternet then it will be let throughotherwise it will be rejected.

    So instead of permitting any host program to send any kind of traffic on port 80 itensures it belongs to a current, open session, it looks at the source anddestination IP addresses as well as the source and destination ports to make this


    How Secure is SPI?This type of security simply controls incoming traffic, and wouldnt be able to preventattacks from innocuous Web browsing, spyware, adware, trojans etc.

    Stateful Inspection

    The term was originally coined by Check Point in reference to their Firewall-1 product, but

    the term is now used by virtually every firewall vendor in existence. A stateful firewall differsfrom a standard packet filter in a very simple way a stateful firewall deals with

    connectionsand their characteristics rather than packets individually.

    In short, stateful firewalls keep track of open, legitimate connections and compare trafficmoving through the firewall to these known-good entries. The firewall knows all about theconnections in its state table (the list of legitimate connections) and anything deemednot part of one on the list is discarded.

    This was a major advance over basic packet filtering in terms of security. It suddenlybecame much more difficult to inject spoofed packets into legitimate connections and havethem accepted by the firewall because stateful inspection looks at TCP sequence numbers,TCP Flags, etc. rather than just source and destination IP and port numbers.


  • 8/10/2019 SPI Vs DPI


    State ul vs Dee Packet Ins ection

    Another thing that stateful inspection brought to the table was the ability to touch theapplication layer to some degree. The most commonly known example of this is theability to handle an FTP session a complex task involving two separate connections.Without being able to watch actual FTP traffic, the firewall wouldnt be able to deal withthis level of complexity. This should not, however, be confused with true layer-7 visibility.The original forms of stateful inspection dealt predominantly with layers 4 and below.

    The most important thing to remember when discussing stateful inspection, however, is arguablywhat it isnt. Firewall vendors have hyped the term to the point that it carries almost magicalovertones. Dont fall for it. Again, stateful firewalls deal with connect ions rather than individualpackets, and they build state tables that hold the connection information. Then they simply comparetraffic moving through them to the contents of their state tables.

    Deep Packet Inspection (DPI)

    What is a DPI firewall?

    DPI is an intelligent firewallingfeature that forms part of the integrated security suite of a UTMfirewall.

    How does DPI work?

    As well as looking at the header, footer, source and destination of incoming packets, DPI alsoexamines the data part of the packet, searching for illegal statements and predefined criteria andmaking a decision on whether or not to let i t through based on the content.

    DPI combines signature-matching technology with analysis of the data in order to determinethe impact of that communication stream.

    DPI takes the incoming packets apart, examines the data, comparing with set criteria, andthen re-assembles the packet.

    The ASIC chip in the FortiGate firewall (also used for Bitcoin mining) allows this type of firewalling to be done quickly, efficiently and without degrading the speed of network traffic.Router and software firewalls simply do not have the necessary power to perform this levelofdeep packet inspection.

    How Secure is DPI?

    This type of security will guard against attacks from Trojans, spyware, and Malware etc.which are increasingly common and are obtained through seemingly innocuous Webbrowsing by end-users.


    Basic Packet Filters

    As a general rule, the more advanced the firewall technology, the higher up in the OSI Modelit works. The first and most basic type of firewall to come about is simply referred to now as apacket filter. These firewalls worked at the 3rd level of the OSI model, aka the network layer.

    Packet filters worked primarily off of two parameters within packets the source anddestination IP addresses but theywere able to look at (and filter on) the protocol field inthe IP header as well.

  • 8/10/2019 SPI Vs DPI


    State ul vs. Dee Packet Ins ection

    The key here, however, is that very few checks were done on packets, and they were onlydone at the network layer. As a result, it has become somewhat trivial to trick these sorts offilters via various techniques. Spoofing, fragmenting, and various other sorts of tinkering allowan attacker to get traffic through simple packet filters that they were set up to block.

    One advantage of packet filters, however, was (and is) their speed. Because they perform sofew checks they are able to do so quite efficiently.

    Proxy Firewalls

    One of the most interesting and powerful types of firewalls is the proxy firewall. The main thingto remember when considering proxy firewalls is the fact that they initiate a second connectionfrom themselves. In other words, when a request is made for a resource thats handled by aproxy firewall, the original request does not make it back to the host in possession of theresource. The proxymakes the request to the resource and then returns the information back

    to the client.

    This is a highly secure way of doing things because it allows one to filter out a large amount ofpotentially malicious content within the original request. For example, imagine that there is150,000 areas in a request that can be tampered with by an attacker some of which couldcreate a security issue on the host being targeted. Well, if only 10 pieces of information areneeded to make a legitimate request, the proxy knows this and can take those 10 things andmake its own request. This way, when the proxy asks for the resource, the host is far lesslikely to be tricked into doing something its not supposed to do.

    Deep Packet Inspection

    For the last few years its been stateful inspection thats received most of the attention. Asmentioned, every firewall vendor on the planet hurried to throw together an implementation just

    so they could say they had it.

    Well, now theres a new player in town deep inspection. Just as with stateful inspection,

    vendors are trying their best to make this technology something it isnt.

    To make a long story short, deep inspection is stateful inspection but with visibility into theapplication layer. In other words, deep inspection allows the firewall to see the actual datapassing through it rather than just keeping track of connection information. As mentionedabove, many stateful inspection implementations allow for interaction with the application layerin certain circumstances, but thats not the main function of stateful inspection.

    So whats the practical advantage of deep inspection over stateful inspection? Contentfiltering. Is the client that just made a connection to our webserver trying to propagate a worm?

    Is a website trying to install malware via an HTTP session?

    These are questions that stateful inspection cannot answer and that deep inspection can.

    Once the firewall can see into the application layer fully, it can start matching what it seesagainst a list of known bad content. This is signature-basedanalysis, and its the backbone ofall antivirus technology. The advantage here is the ability to catch a whole lot of knownnastiness, along with the relative ease of updates. The disadvantage would be the fact that,like in the AV world, the ability to stop unknown attacks is virtually nil, i.e. a new threat usuallyrequires a new update. Anomaly analysis, on the other hand, works by establishing whatsnormal and then flagging traffic that strays from those boundaries. Theoretically this isquitepowerful, but in practice its often too hard to determine with any confidence what a knowngood baseline is. Without that, its very difficult to be able tosay this is bad because its not

    normal. As a result, its the signature paradigm thats dominated thisspace.

  • 8/10/2019 SPI Vs DPI


    So thats basically what deep inspection turns out to be a stateful firewall with contentanalysis that uses signatures and anomaly analysis.


    A firewall of any description is a must for any user connecting to the Internet.

    However, for a truly effective platform a dedicated hardware firewall with DPI provides the bestall-round solution and goes a long way to securing networks from the more sophisticated anddamaging Internet threats.

    State ul vs. Dee Packet Ins ection