SPI firewalls incoming connections

Discussion in 'other firewalls' started by Hans Baele, Jan 24, 2015.

  1. Hans Baele

    Hans Baele Registered Member

    Joined:
    Jan 24, 2015
    Posts:
    3
    I've read that an SPI firewall checks whether incoming connections were initiated by local applications before blocking them.
    But when the SPI firewall is not running on the computer but, for example, on the home router of a home network, how can the SPI firewall check that application?
     
  2. Hans Baele

    Hans Baele Registered Member

    Joined:
    Jan 24, 2015
    Posts:
    3
    I'll be more clear: can I suppose that SPI firewalls only forward ESTABLISHED and RELATED packets and block NEW packets, maybe?
    This way I would understand how a firewall in the router can function.
     
  3. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,729
    Location:
    localhost
    On the router, not applications but devices attached to your router. In simple terms, SPI firewalls only forward ESTABLISHED and RELATED packets to the systems within your LAN and block UNSOLICITED packets (not originating from your LAN = not linked to devices attached to the router).

    Simple explanations here: http://en.wikipedia.org/wiki/Stateful_firewall
     
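    The rule fax describes above needs no knowledge of applications at all: the router only has to remember which connections were opened from the LAN side. The following toy stateful filter is an added example, not code from the thread or from any router; it tracks LAN-initiated connections by 5-tuple and classifies each inbound packet as NEW, ESTABLISHED, RELATED or INVALID the way a conntrack-based firewall does. All addresses and packets are constructed for the demonstration.

    ```python
    """Toy SPI (stateful packet inspection) filter for a home gateway.
    Added example: the connection table is keyed on (proto, src, sport, dst, dport),
    so replies to LAN-initiated traffic pass while unsolicited inbound packets are dropped."""
    from dataclasses import dataclass
    from typing import Optional, Tuple

    FiveTuple = Tuple[str, str, int, str, int]

    @dataclass(frozen=True)
    class Packet:
        proto: str                 # "tcp", "udp" or "icmp"
        src: str
        sport: int
        dst: str
        dport: int
        syn: bool = False          # TCP connection request flag
        related_to: Optional[FiveTuple] = None  # for ICMP errors: the flow they refer to

    class SpiFilter:
        def __init__(self, lan_prefix: str = "192.168.1."):
            self.lan_prefix = lan_prefix
            self.conntrack: set = set()   # 5-tuples of connections opened from the LAN

        def classify(self, pkt: Packet) -> str:
            """Return the conntrack state: ESTABLISHED, RELATED, INVALID or NEW."""
            fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if fwd in self.conntrack or rev in self.conntrack:
                return "ESTABLISHED"          # either direction of a known flow
            if pkt.related_to is not None and pkt.related_to in self.conntrack:
                return "RELATED"              # e.g. ICMP error about a known flow
            if pkt.proto == "tcp" and not pkt.syn:
                return "INVALID"              # mid-stream TCP segment with no state
            return "NEW"

        def handle(self, pkt: Packet) -> str:
            """ACCEPT or DROP one packet; NEW flows are allowed only from the LAN side."""
            state = self.classify(pkt)
            if state in ("ESTABLISHED", "RELATED"):
                return "ACCEPT"
            if state == "NEW" and pkt.src.startswith(self.lan_prefix):
                self.conntrack.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return "ACCEPT"
            return "DROP"                     # unsolicited or invalid inbound traffic

    def demo() -> list:
        """Constructed traffic: LAN host opens HTTPS, gets a reply, and is then scanned."""
        fw = SpiFilter()
        out_syn = Packet("tcp", "192.168.1.10", 51000, "203.0.113.5", 443, syn=True)
        reply = Packet("tcp", "203.0.113.5", 443, "192.168.1.10", 51000)
        scan = Packet("tcp", "198.51.100.7", 40000, "192.168.1.10", 22, syn=True)
        udp_out = Packet("udp", "192.168.1.10", 53000, "203.0.113.9", 53)
        icmp_err = Packet("icmp", "203.0.113.1", 0, "192.168.1.10", 0,
                          related_to=("udp", "192.168.1.10", 53000, "203.0.113.9", 53))
        return [fw.handle(p) for p in (out_syn, reply, scan, udp_out, icmp_err)]
    ```

    Note that the scan packet is dropped without the filter ever knowing which program on 192.168.1.10 opened the HTTPS connection; the state table alone is enough.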
  4. Hans Baele

    Hans Baele Registered Member

    Joined:
    Jan 24, 2015
    Posts:
    3
    OK, I understand. Thanks for your info.
     
  5. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,729
    Location:
    localhost
    No problem! :thumb:
     
  6. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    SPI Firewalls are largely obsolete these days, unfortunately. Layer 3 stuff for the most part. True protection starts at Layer 5 and onward, ASUS RT-AC87 is the first true consumer Layer 5 FW. Although I won't personally run anything less than a Layer 5 on my gateway, I prefer Layer 7 or higher, or layered - Layer 7 solutions. (Blended Technology)

    Simple NAT and basic SPI provide, at best, trivial protection these days.
     
  7. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,729
    Location:
    localhost
    In layman's terms, SPI will ensure that the internet packets are intended for your devices or otherwise discard them. It will inspect packets, but it will not check whether the solicited/legit packets are also transporting exploit or bad code for the receiver or the sender. Therefore, if your first line of defence is a SPI firewall, then you need to ensure that the devices attached to it are properly protected against dangerous code (i.e. your devices are up to date and protected by antimalware software). The latter is increasingly difficult with the internet of things, i.e. attached to the SPI router you may have other devices than PCs (e.g. TVs and pay-per-view devices, alarm systems and cameras, washing machines, fridges, etc.) that you may not be able to update or protect as required. So, aside from the specific commercial on ASUS, there are several other devices that provide this additional protection. You may want to search this board as they have been discussed recently.
     
  8. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,081
    Location:
    Netherlands
    Well, with modern routers that is true, but for a security enthusiast there are some options to reduce those threats:
    • Use a wired connection through a power line adapter for your smart TV, and set a network access schedule for the smart TV (for example from 08.00 to 01.00 on Friday/Sat/Sun, and from 18.00 through 01.00 during midweek).
    • Use your 2.4 GHz network for PCs and tablets (also allowing access to your NAS and network printer) using DHCP IP reservation with eternal lease and only reserving the IP range for the devices used (with a MAC address filter enabled for your 2.4 GHz network).
    • Use the 5 GHz as a WPA2-protected "guest" network for visitors with network partitioning enabled (meaning devices can't communicate with each other in the network), assign a different IP range (from the bottom up) and include the internal LAN IP addresses of your 2.4 GHz network in the parental blocklist.
    Since the introduction of 5 GHz and the marketing hype of 5 GHz/fibre optical connections, the quality of 2.4 GHz (from 17 overlapping networks to nine) has become better than 5 GHz (I can even use short GI, since the closest and most interfering neighbours use 5 GHz now) in multi-level Dutch terraced/row houses. Therefore I use the 5 GHz for guests.

    This way I don't mind when friends with smart phones or tablets want access to my wireless network. The speedbumps (access schedule, parental blocklist, DHCP reservation and MAC filtering, LAN partitioning) won't stop a hacker, but together with a long passphrase they might confuse a script kiddy enough to shift his attention to your neighbours. I'm using Norton DNS now and used the free six months of Sitecom security (HMP in the router) to discourage interest in the new network in the neighbourhood.

    To survive a lion attack, you don't have to outrun the lion; being faster (better secured) than the slowest of the herd (neighborhood) will reduce the risk of an unfriendly attack substantially.
     
    Last edited: Jan 25, 2015
  9. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,633
    Location:
    Toronto, Canada
    Beautifully stated. :thumb:
     
  10. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Restricting to 5 GHz won't always be viable since a lot of devices only connect via 2.4 GHz. Another option is to attach a second WAP to your network with LAN RESTRICTIONS, then give everyone that comes over access to that WAP. Set the WAP for scheduled access from say 8am-12m, and presto! So you have your internal WAP (Secured, w/Intranet), and your external WAP (Secured, Scheduled, w/o Intranet). The default Deny/Deny/All policy on guest restriction is a powerful tool, and extremely difficult for a hacker to bypass to get into your network. It's the default core policy on ALL enterprise grade firewalls after the policy cascade.
     
  11. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,081
    Location:
    Netherlands
    Well, in the Netherlands most media junkies get themselves a new smartphone every year (or two at the most). They are the ones who ask to get on-line, because they suffer from the "continuous partial attention syndrome". People with older 2.4 GHz phones don't need to go on-line wherever they are. They seem to be capable of enjoying a party, an evening with friends or a conversation without checking their social media continuously. Although your observation is true, the 5 GHz limitation is not a problem in daily life. No one has complained that they could not get on-line since I divided access into two different frequency networks.
     
    Last edited: Jan 25, 2015
  12. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,081
    Location:
    Netherlands
    Your first mail on UTM setup at Wilders inspired me to try a second WAP (with and without bypassing/bridging the NAT firewall), but that setup suffered a lot of stutter. I used a two-year-old 300n router as the second WAP. I guess the hardware/firmware of home grade, low-mid quality routers is not designed for these types of setups yet.

    I don't have a schedule on the 5 GHz network. For starters, when parties get out of hand the media junkies seem to feel the need to tell their digital friends that they are having a good time in the early hours. Secondly, with partitioning enabled (devices on the same network can't communicate with each other), I would rather have the local script kiddies focus their attention on this 5 GHz network.
     
    Last edited: Jan 25, 2015
  13. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Was it a double NAT issue with the second one? I'd use a dedicated WAP, you can find some pretty cheap at Microcenter.
     
  14. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,081
    Location:
    Netherlands
    Yep, I guess it is the double NAT issue. I will wait with upgrading until it is clear which is the best approach, double networks or MiMo, and I will also wait to see what the availability (price) of network cards will be (3x3 or 4x4). Hooking a 1TB USB3 drive as NAS into the router might also influence my decision. For the time being this approach serves me well.

    What is your take on this (what direction are home market routers/cards going to take)?
     
  15. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I think the ASUS top end units are where it's going. Specifically, UTM-type features to protect blended devices in the home. Bitdefender's new appliance, and some other ones in the works. I am a strong advocate of ASUS w/Trend Micro (lifetime free) as what would be the first UTM for many homeowners. I think it's a great product, and it really boosts protection. Router companies would be fools not to take note of what ASUS and Trend are doing. When you shop for a router now, you have two choices - one with free Trend, or one without; other features are very, very closely matched.

    You can chain all of the routers you want together if you avoid double/triple NATs and loopbacks. Transparent/bridge mode is the best, or tossing the others into AP mode. I've successfully chained together 3 UTM appliances, but didn't like the work required to punch everything through; it was a nightmare! So now I run Untangle on the gateway with everything enabled (double AVs, etc.), and it solves most of those issues while offering a blended approach. I'd really love my ASUS back on the front gate with Trend as the first line of defense, so I suspect I will re-arrange things to facilitate its return.
     