What kind of protection does a router with spi firewall provide?

Discussion in 'other firewalls' started by Dregg Heda, Jun 28, 2009.

Thread Status:
Not open for further replies.
  1. Dregg Heda

    Dregg Heda Registered Member

    I'd basically like to know what kind of threats I'm protected against with a router and what kind of threats are left, so that I can formulate an appropriate security policy. Thanks for any info, guys!
  2. Seer

    Seer Registered Member

    In short, a router will stop any unsolicited inbound. That is all.

    It is very hard to tell how the SPI is implemented in your specific router model, but most home routers' SPI (standard cheap models up to a few hundred dollars) will act as a state table with IP and port numbers. The numbers are kept for a certain amount of time and inbound packets are allowed based on what has been requested. Technically it can be said that it works as SPI, depending on how you define the term. But there would be no actual inspection of TCP headers, and anything less than that to me is not SPI. Of course you could check with the vendor what exactly is advertised as "SPI", so I could be wrong here.

    A router will also provide NAT, which will stop any packets not explicitly requested by the SPI mechanism (again, only based on IP and port), so any inbound "attacks" (scans) are stopped dead at the gateway. But it won't stop incorrect/malformed requested packets; you would need a real SPI (header inspection) to filter them. While these do not pose a real threat, it's up to you to decide whether you want them or not.

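As an added illustration of the distinction Seer draws above (not code from the original thread or from any router vendor), here is a toy stateful filter in Python. With `inspect_tcp=False` it is the address/port-only state table: an outbound 4-tuple is remembered for a timeout, and any inbound packet whose reversed tuple matches is let through, whatever its TCP flags say. With `inspect_tcp=True` it additionally tracks SYN_SENT/ESTABLISHED and rejects flags that do not fit the connection state. NAT is not modelled (addresses are left untranslated), the timeout value, addresses and packets are all constructed for the example, and the `Packet`/`StateTable` names are mine.

```python
from dataclasses import dataclass

STATE_TIMEOUT = 60.0   # seconds an idle entry survives; assumed value, not a vendor default

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags as letters: "S", "SA", "A", "R"
    direction: str   # "out" = leaving the LAN, "in" = arriving from the WAN

class FakeClock:
    """Deterministic clock so the entry timeout can be exercised offline."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds

class StateTable:
    """Toy stateful filter. inspect_tcp=False: the address/port-only table;
    an inbound packet passes if its reversed 4-tuple matches a live entry,
    flags ignored. inspect_tcp=True: also tracks SYN_SENT/ESTABLISHED and
    drops packets whose flags do not fit that state."""

    def __init__(self, clock, inspect_tcp):
        self.clock = clock
        self.inspect_tcp = inspect_tcp
        self.entries = {}   # (src, sport, dst, dport) -> [expiry, state]

    def _purge(self):
        now = self.clock()
        self.entries = {k: v for k, v in self.entries.items() if v[0] > now}

    def filter(self, p):
        self._purge()
        expiry = self.clock() + STATE_TIMEOUT
        if p.direction == "out":
            key = (p.src, p.sport, p.dst, p.dport)
            if key in self.entries:
                self.entries[key][0] = expiry        # refresh the timer
                return "ALLOW"
            if self.inspect_tcp and p.flags != "S":
                return "DROP"                        # only a SYN may open a connection
            self.entries[key] = [expiry, "SYN_SENT"]
            return "ALLOW"
        key = (p.dst, p.dport, p.src, p.sport)       # reversed tuple
        entry = self.entries.get(key)
        if entry is None:
            return "DROP"                            # unsolicited inbound: both modes stop it
        if self.inspect_tcp:
            state = entry[1]
            if p.flags == "S":
                return "DROP"                        # a bare SYN is never a reply
            if state == "SYN_SENT" and p.flags not in ("SA", "R"):
                return "DROP"                        # waiting for SYN/ACK (or a reset)
            if state == "ESTABLISHED" and p.flags != "R" and "A" not in p.flags:
                return "DROP"                        # established traffic carries ACK
            entry[1] = "ESTABLISHED"
        entry[0] = expiry
        return "ALLOW"

def demo():
    """Run the same constructed packets through both variants."""
    clock = FakeClock()
    lan = ("192.168.1.10", 40000)     # constructed LAN client
    web = ("203.0.113.5", 443)        # constructed server in the documentation range
    packets = {
        "out_syn":     Packet(*lan, *web, "S", "out"),
        "reply":       Packet(*web, *lan, "SA", "in"),
        "unsolicited": Packet("198.51.100.7", 5555, "192.168.1.10", 445, "S", "in"),
        "forged_syn":  Packet(*web, *lan, "S", "in"),   # matches the tuple, but is a SYN
    }
    late_ack = Packet(*web, *lan, "A", "in")
    results = {}
    for name, inspect in (("tuple_only", False), ("tcp_aware", True)):
        clock.t = 0.0
        fw = StateTable(clock, inspect)
        results[name] = {k: fw.filter(pk) for k, pk in packets.items()}
        clock.advance(STATE_TIMEOUT + 1)             # let the entry time out
        results[name]["late_ack"] = fw.filter(late_ack)
    return results

if __name__ == "__main__":
    for variant, verdicts in demo().items():
        print(variant, verdicts)
```

The `forged_syn` case is the one that separates the two: a packet whose addresses and ports happen to match a live entry sails through the tuple-only table even though a SYN can never be a legitimate reply, while the flag-aware table drops it. Both variants stop the unsolicited inbound SYN and both forget the flow after the timeout.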
  3. Dregg Heda

    Dregg Heda Registered Member

    Hi Nick,

    So let's assume I have a router of the first variety, one without TCP header inspection; what kind of threats would I be protected against? Basically hackers scanning for open ports to slip backdoors and trojans into my system, right? Wouldn't a software firewall do the same thing? Why bother with a router then? Also, are there any downsides to my router not stopping incorrect/malformed threats, and not just from a security perspective?

    Furthermore, if I am protected against the above-mentioned threats, what's left for me to worry about? Drive-by downloads? Phishing? Anything else? I'd like to have a breakdown of the kind of threats I face even with a router so that I can complement my security arsenal. Thanks.
  4. Victek

    Victek Registered Member

    Routers provide protection with no CPU overhead. They also have various firewall features and are much less likely to be hacked compared with a host-based personal firewall, which is vulnerable to malware. In fact, if you have an old CPU available you could install Smoothwall (free!) on it and have a very strong, configurable firewall. That said, I've always used personal firewalls since they provide another layer and often include additional features, such as HIPS.
  5. Seer

    Seer Registered Member

    A good software firewall will give the protection of a router and much more, and I really see no benefit in routers except the practical reasons which Victek mentioned. I personally use a router, but simply as a hub. If I connect a single PC, I set the router in bridge mode.

    A firewall/router does not know anything about drive-bys and fraudulent sites. You would need an anti-malware (e.g. an HTTP scanner) to deal with these. Or a DPI firewall, which is basically the same as a personal firewall and an HTTP scanner (AV).

    Just for the record, I am not encouraging you to ditch the router, but simply stating my opinion.

  6. Kees1958

    Kees1958 Registered Member

    I have a router with a built-in firewall

    - easy, no CPU hassle on your PC
    - basic DoS/ARP/etc. protection
    - set up a partitioned network (clients can't access each other)
    - NAT: MAC address control, allow only listed MAC addresses to connect
    - DHCP reservation - provide infinite lease, always get the same IP address
    - DPI:
    a) allow only listed IP addresses to go out (coming from LAN side),
    b) block all traffic other than from/to own IP addresses (only the ones reserved with DHCP are allowed to send/receive packets)
    c) deny own IP addresses to go in from WAN side
    d) only allow listed MAC addresses to go out (coming from LAN side)

    - configure OpenDNS in your router, disable phishing protection in your browsers, again less CPU/network burden

    Drive-bys
    - use a policy management program like GesWall, DefenseWall or AppGuard.

    - Use KeyScrambler (free or paid), fool them. Besides, the Dutch have a public/private encryption system when doing online banking with a token calculator, so who cares about keyloggers

    - Hitman Pro 3.5

    Software firewall
    - Windows' own limited inbound FW protection (only for boot protection)

    Why a router with NAT/DPI on header level?
    - 90% is for ease of use and practical reasons, 10% remaining is
    - basically to protect against man-in-the-middle attacks
    - isolate my son's PC from the rest
    - logs are easy to read and check

    Regards Kees
    Last edited: Jun 30, 2009
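The static rules Kees lists (a through d, plus the DHCP reservations, MAC allow-list and client partitioning) can be written down as one small policy function. The Python below is an added example for this thread, not the configuration or firmware of any real router; the LAN range, MAC addresses, reservations and frames are constructed, and addresses on the WAN side are taken as they would look after the router has translated them back to the LAN host (an assumption made so that NAT need not be modelled). `PASS` means the frame survives the static checks and would go on to the stateful/NAT stage.

```python
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.1.0/24")          # assumed home LAN

# DHCP reservations, MAC -> fixed address (constructed values). Only these
# hosts are ever allowed to send or receive (rule b).
RESERVATIONS = {
    "aa:bb:cc:00:00:01": ipaddress.ip_address("192.168.1.10"),   # desktop
    "aa:bb:cc:00:00:02": ipaddress.ip_address("192.168.1.11"),   # the isolated PC
}
ISOLATED = {ipaddress.ip_address("192.168.1.11")}      # may not talk to other LAN hosts

@dataclass(frozen=True)
class Frame:
    iface: str       # "lan" or "wan": the side the frame arrived on
    src_mac: str
    src_ip: str
    dst_ip: str

def evaluate(f):
    """Return (verdict, reason). These static rules run before any
    stateful or NAT processing; 'PASS' hands the frame on to that stage."""
    src = ipaddress.ip_address(f.src_ip)
    dst = ipaddress.ip_address(f.dst_ip)
    reserved = set(RESERVATIONS.values())

    if f.iface == "wan":
        if src in LAN:                               # rule c: anti-spoofing
            return ("DROP", "own address range as source on WAN side")
        if dst not in reserved:                      # rule b, inbound half
            return ("DROP", "destination is not a reserved LAN address")
        return ("PASS", "to stateful filter")

    # LAN side
    fixed_ip = RESERVATIONS.get(f.src_mac.lower())
    if fixed_ip is None:                             # rule d: MAC allow-list
        return ("DROP", "unknown MAC")
    if src != fixed_ip:                              # rules a/b: IP must match the reservation
        return ("DROP", "source IP does not match the MAC's reservation")
    if dst in LAN and (src in ISOLATED or dst in ISOLATED):   # partitioning
        return ("DROP", "client isolation")
    return ("ALLOW", "matches egress policy")

def demo():
    """Constructed frames, one per rule; returns the verdict for each."""
    frames = {
        "good_egress":       Frame("lan", "aa:bb:cc:00:00:01", "192.168.1.10", "203.0.113.9"),
        "unknown_mac":       Frame("lan", "de:ad:be:ef:00:01", "192.168.1.10", "203.0.113.9"),
        "ip_mismatch":       Frame("lan", "aa:bb:cc:00:00:01", "192.168.1.77", "203.0.113.9"),
        "isolated_peer":     Frame("lan", "aa:bb:cc:00:00:02", "192.168.1.11", "192.168.1.10"),
        "spoofed_wan":       Frame("wan", "00:11:22:33:44:55", "192.168.1.10", "192.168.1.10"),
        "wan_to_unreserved": Frame("wan", "00:11:22:33:44:55", "203.0.113.9", "192.168.1.200"),
        "wan_reply":         Frame("wan", "00:11:22:33:44:55", "203.0.113.9", "192.168.1.10"),
    }
    return {name: evaluate(fr)[0] for name, fr in frames.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

Two things worth noting when reading the verdicts: the MAC check and the IP-matches-reservation check are only as strong as the difficulty of forging a MAC or address on the LAN side, which is low, so they are housekeeping rather than a boundary against a determined local attacker; the anti-spoofing rule on the WAN side, by contrast, is a genuine protection because a packet from outside claiming a LAN source address can never be legitimate.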
  7. funkydude

    funkydude Registered Member

    I highly do NOT recommend this, although OpenDNS's filtering is good, both Firefox's and Opera's have always caught more and usually stuff OpenDNS misses.

    You should use both for (I'd say) 99.99% protection, they complement each other beautifully.
  8. Kees1958

    Kees1958 Registered Member

    We do online banking and shopping with IE8, with manual SmartScreen filter check, but phishing protection in Iron is deselected for speed.
  9. Fly

    Fly Registered Member

    A router 'firewall' (NAT or otherwise) will provide basic protection, and is usually much more stable than a software firewall.

    Software firewalls can malfunction, or be disabled.

    Software firewalls in addition to a router can provide useful additional protection, especially regarding outbound connections.
  10. HJO

    HJO Guest

    May be off topic.
    How do I check if my router firewall is doing what it is supposed to do?
    Thanks in advance.
  11. Fly

    Fly Registered Member

    What kind of protection do you want ? What do you want to test ?

    Routers (nearly) always have a 'NAT firewall'. They may have an additional (?) firewall too.

    If your router is wireless, issues like encryption and others come into play.
    So I'll just skip the wireless part.

    If you want to see whether your ports are closed or stealth, you can test that on www.grc.com , shieldsup. This will only work if your modem has no firewall and your computer is directly connected to the router, so you're not testing a software firewall.
  12. HJO

    HJO Guest

    Alright, thanks for your reply.
    I'll check it out.
  13. Dregg Heda

    Dregg Heda Registered Member

    Sorry for not responding earlier everyone, but my fingerprint reader was giving me trouble and I couldn't access my laptop. Eventually I had to reinstall the OS, but before I could do this I had to go away on holiday, and only after coming back did I have the time to reinstall everything, which is the first time I've done it by the way, so there were some trepidatious moments and some screw-ups along the way. But anyway I've set everything back up, or at least I think I have, so hopefully we can continue with our discussion.
  14. Dregg Heda

    Dregg Heda Registered Member

    Hi Seer,

    Yeah, I was aware that the router wouldn't protect me from drive-bys, etc. I guess my question was, if the router takes care of 'attacks', then what else is left for me to deal with through other security means? I.e. what won't the router protect me from?
  15. Dregg Heda

    Dregg Heda Registered Member

    Hmmmm, my router has a tab on the settings page to 'enable firewall'. Surely this means that it has TCP header inspection, and is not relying on the NAT alone to provide protection. I mean NAT routers without built-in firewalls provide the kind of protection you're talking about, right (i.e. without TCP inspection)? So if my router has a built-in firewall, requiring activation, that means it provides something above and beyond the NAT, i.e. TCP inspection. Is my reasoning sound?

  16. Dregg Heda

    Dregg Heda Registered Member

    Hi Kees,

    Thanks for all your info, it's been quite illuminating as always. Some questions on your post.

    1) If my software firewall (PC Tools) treats the home network as untrusted, would that give similar protection as WLAN partitioning? Also, is it possible for malware on a laptop connected wirelessly to infect a PC with a wired connection on the same network? I assume this is possible since both are connected to the same network. Will WLAN partitioning help with this, or does it only isolate wireless devices from each other?

    2) I understand the differences between DefenseWall and GesWall, but how about AppGuard? How does it differ from the above-mentioned apps? Ilya claims DW offers stronger protection than AppGuard. Is this true?

    3) Can KeyScrambler protect against all keyloggers? Are there any known keyloggers which can beat KeyScrambler?

    Edit: What is boot protection and why is it important? If it's just preventing anything from connecting to or from the PC during boot, surely if your PC doesn't have a permanent connection this won't be a problem, as you would only connect online after fully booting.
    Last edited: Jul 30, 2009
  17. Dregg Heda

    Dregg Heda Registered Member

    So in conclusion, it seems that a router will protect my ports but I am still at risk to threats from websites I visit. The only threat vectors I see remaining are drive-bys from both compromised safe sites and illicit sites I knowingly visit, phishing, some form of social engineering, and knowingly downloading and installing unsafe stuff. Did I miss anything out?
  18. Dregg Heda

    Dregg Heda Registered Member

  19. Dregg Heda

    Dregg Heda Registered Member

    PS: does the SPI function in PC Tools firewall offer TCP header inspection?
  20. Dregg Heda

    Dregg Heda Registered Member

    Kees? Seer? Anyone?
  21. Kees1958

    Kees1958 Registered Member

    1. I do not know PC Tools FW. Check whether the PCs can see each other in the network; when they do they can communicate within the network (which is normal). With WLAN partitioning the WLAN clients can't access others in the network, while giving wired clients the chance to communicate with each other.

    2. DW protects programs and downloaded files, AppGuard protects applications (with no direct disk access and MBR protection at the moment) and denies execution in the user space. So DW is stronger and applies fewer limitations, but AppGuard's angle (deny execute) also makes it pretty strong protection.
    So I agree on protection strength, but on protection effectiveness AppGuard is close to DW.

    3. All known at the moment. So a combination of policy management (DW, GW or AG) with KeyScrambler gives malware a tough job getting your personal data.

    Boot protection is important because the services/drivers of your security might not be loaded yet, so when a malware manages to load first, it can stop your security apps from working properly.
  22. Seer

    Seer Registered Member

    With a little knowledge of how network protocols work, it is very easy to draw conclusions on your router's filtering ability by using a good s/w firewall with a tight ruleset and good logging ability.
    Unfortunately, there is no easy way for a home user to properly test router filtering. You would need to create a sub-LAN with the router to be tested, which is not trivial for most. It is much easier to drop the router filtering and use software of your choice, which can be tested on a home LAN with ease.

    I can't say for your specific router model, but a couple of router firewalls I've been playing with (these were advertised as SPI) filtered packets by keeping a state table of IP addresses and port numbers for a certain amount of time (no header inspection, or very poorly implemented). While this is certainly above NAT, it still is not SPI.

    A "stealth" test will check only for the ability to filter (drop) the TCP "SYN" flag, which is really only a fraction of what should be tested. Most routers will have this "hard-coded" (or simply on/off) so they can drop unsolicited requests. But that doesn't mean that the stateful inspection is properly implemented.

    Honestly, I find it very hard to answer this as I personally do not think/care of/for many attack vectors out there and simply never felt the need for protection against them. The consequence of this is that in many aspects of security my knowledge is next to 0, as it is limited to things I am interested in. So I'll leave this one to Kees. ;)

    Look'n'Stop firewall (on which PCTools is based) had SPI over TCP implemented long before PCTools even existed. It is only logical to assume PCTools will have it too. But I haven't really tested, so I can't be 100% on this.

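Fly's ShieldsUP pointer in post 11 and Seer's remark just above that a "stealth" test only checks whether a SYN gets dropped come down to the same three outcomes, and it helps to see exactly how they are told apart. The Python below is an added example for this thread (not ShieldsUP's code, which is not public, and not anything from PC Tools or a router vendor): it sends one ordinary TCP connect, i.e. one SYN, to a port and classifies the reply the way such a test does. A completed handshake is "open", an immediate RST (connection refused) is "closed", and silence until the timeout is "stealth". The loopback demo can only produce the first two, because the local stack always answers; "stealth" needs a real filter in the path. Note what this does not exercise: nothing about how the firewall handles packets that match an existing connection, which is the part Seer says usually goes untested.

```python
import socket

def probe(host, port, timeout=2.0):
    """Classify one TCP port the way an online 'stealth' test does.
    Sends a single connect (one SYN) and looks only at what comes back:
    completed handshake -> "open"; RST, surfaced as connection refused ->
    "closed"; nothing inside the timeout -> "stealth"."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, OSError):
        return "stealth"       # silence or unreachable: the probe got nothing useful back
    finally:
        s.close()

def probe_many(host, ports, timeout=2.0):
    """Same classification over a list of ports; returns {port: verdict}."""
    return {port: probe(host, port, timeout) for port in ports}

def demo_on_loopback():
    """Offline check with constructed targets: one listening socket ("open")
    and one port nothing listens on ("closed"). "stealth" cannot be produced
    here since the local stack always replies."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))       # OS picks a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                         # never connected, so no TIME_WAIT; now nothing listens there

    try:
        return {
            "open": probe("127.0.0.1", open_port),
            "closed": probe("127.0.0.1", closed_port),
        }
    finally:
        listener.close()

if __name__ == "__main__":
    print(demo_on_loopback())
```

Run against your own public address from outside (a phone on mobile data will do), the same `probe_many` call is the home-made equivalent of the online test; ports reported "closed" mean the router or the host behind it answered with a reset, which is fine from a security standpoint but reveals that something is there, whereas "stealth" means the SYN was silently dropped.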
  23. Kees1958

    Kees1958 Registered Member

    Well, since the second draft of 802.11n even 100-200 dollar routers actually do inspect the headers, but it is true that some vendors promised more than they actually delivered. Models from 2008 and newer with 802.11n are more likely to have real SPI on packet header level, but it is not a guarantee. Check before buying; contact the vendor as Seer advised.
  24. thathagat

    thathagat Guest

    well let me too ask a puerile question...isn't a simple nat+firewall router with a decent software firewall good enough for home users?
  25. tipstir

    tipstir Registered Member

    Yes, NAT+SPI is good enough for most. Some routers like the Belkin N+ offer Block ICMP ping to the WAN port (note most routers have this feature), DoS (Denial of Service attack) and PoD (Ping of Death) features of the hardware firewall. On wireless and wired PCs you should use some sort of software firewall with a good HIPS and on-demand malware security protection. Antivirus with spyware/adware/malware also.