Hardware firewalls - stateful packet inspection stops what?

Discussion in 'other firewalls' started by Stro, Jul 16, 2004.

Thread Status:
Not open for further replies.
  1. Stro

    Stro Registered Member

    Joined:
    May 16, 2004
    Posts:
    130
    Location:
    Memphis, TN USA
    I've read that hardware firewalls utilize "stateful packet inspection" (SPI) on incoming information packets, and "network address transfer" (NAT) to present a different IP address to the outside internet work than the actual IP address used for the PC, or PCs on a home network.

    I understand that personal software firewalls, like Zone Alarm Pro, do not utilize SPI or NAT (perhaps because only hardware can utilize them?).

    My question, then, is what protection do SPI and NAT offer over a well configured software firewall? What does SPI block that software firewall will not?

    I currently run Zone Alarm Pro 4.5 software firewall, but no hardware firewall (my Linksys router doesn't have a hardware firewall). When surfing websites, Ad-aware 6.0 very frequently finds CoolWebSearch malware on my PC. Can anyone tell me how I can block CoolWebSearch from entering my PC in the first place? Will SPI block it?

    Regards,
    Stro
     
  2. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Hi Stro,

    I'll try to answer what I can.
    Here is a definition of SPI:

    Also referred to as dynamic packet filtering. Stateful inspection is a firewall architecture that works at the network layer. Unlike static packet filtering, which examines a packet based on the information in its header, stateful inspection tracks each connection traversing all interfaces of the firewall and makes sure they are valid. An example of a stateful firewall may examine not just the header information but also the contents of the packet up through the application layer in order to determine more about the packet than just information about its source and destination. A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table. Because of this, filtering decisions are based not only on administrator-defined rules (as in static packet filtering) but also on context that has been established by prior packets that have passed through the firewall.
    As an added security measure against port scanning, stateful inspection firewalls close off ports until connection to the specific port is requested.

    So in other words, SPI firewalls are able to look inside each packet to see if there is any funny business inside, rather than just looking at the outside headers.
    They are also more able to deal with things like DOS (denial of service) attacks through better filtering.

    NAT (network address translation) is a function of the router not the firewall.
    Here is a description and here.
    If you are using a router, you are more then likely already using NAT. If your computer were directly connected to say a cable modem and you set up ICS (internet connection sharing) then your computer would be functioning as the NAT router.

    It is definately a good idea to have both a hardware and software firewall (if it is within budget). The software firewall's main purpose will then be to block programs within the computer from phoning home. It will also add an extra "layer" should the hardware firewall be breeched or if other "trusted" computers on the LAN are subverted to attack your computer. The hardware firewall's main purpose will be blocking all the port scans and hack attacks.
    Of course any firewall is better than no firewall. The firewall (hardware or software) should be installed and properly configured before having a physical connection to the internet (i.e. unplug LAN cable). It is also a good idea to have a really good password set up on the firewall (hardware and software) config ASAP. Not all hardware firewalls are created equal. It would be a good idea to visit forums related to the models you are interested in and see what kind of issues you are likely to encounter with that model.

    A firewall (even SPI, hardware or software) cannot really protect you from Cool Web Search because it exploits web browser flaws. Although some firewalls are able to block active content (activeX, javascript, etc.), which may block some angles of attack. You may gain more protection by hardening your IE settings, or even using a different browser. I am not familiar with all methods of CWS attack, so someone else could better answer that.
    You should get rid of any infection you have first so you can start with a clean slate. From what I have read here, CWS can be very difficult to remove and requires expert advice. Here is a link that may help. You could also post here.

    Hope this helps a little.
     
    Last edited: Jul 16, 2004
  3. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Hi Devinco, my compliments for your answer!! ;)
     
  4. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Hi INFINITY, Thank you.
     
  5. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Most personal firewalls do offer SPI (including ZA) but normally only at the network level (i.e. they can see which network connection an individual packet belongs to or if it is an attempt to set up a new connection - and can tell if a packet is a reply to a previously sent request). I have produced an FAQ on Stateful Inspection here which provides extra background information, although it details its implementation in Outpost firewall (which has the option of transport level SPI also).

    Most router firewalls have a similar capability - but are unable to tell which application on your PC is sending/receiving data so a software firewall is still needed to alert you to trojan/spyware/adware connection attempts. Only enterprise-level firewalls produced by the likes of Checkpoint offer "full" SPI (where it recognises and verifies packet contents up to the application level).
    To block browser hijackers, you need software that filters web traffic. You can either use ones specifically targetted at spyware (like SpywareBlaster) or more general purpose ones that can block ActiveX, Java or Javascript (Proxomitron is the most powerful but does take some learning, WebWasher Classic is an easier option for most - both are free). Another option is to ditch Internet Explorer and use a more secure and better-designed browser like Firefox (free) or Opera (ad-supported - registering gets rid of the ads).
     
  6. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Software firewalls also have/use stateful packet inspection, ZA is one that does. NAT can also be done via software on a system, Windows ICS being an example of this.

    Is this question based on the SPI/NAT being done on a separate router/firewall? If so, being a dedicated standalone device adds to your overall security. In terms of just stopping unsolicited inbound traffic, a properly configured software firewall will do this equally as well as a router/firewall.

    Regards,

    CrazyM
     
  7. Stro

    Stro Registered Member

    Joined:
    May 16, 2004
    Posts:
    130
    Location:
    Memphis, TN USA
    Thank you very much Devinco, Paranoid2000 and CrazyM for investing your time to better educate me!
     
Loading...
Thread Status:
Not open for further replies.