TCP Stateful packet inspection

Discussion in 'LnS English Forum' started by Mikel, Feb 7, 2005.

Thread Status:
Not open for further replies.
  1. Mikel

    Mikel Guest

    What exactly does this feature do? After enabling it I noticed a lot more activity in the logs.

    What benefits do I have if I enable it?

    Also, is there a chance that it can slow down my internet? Because after enabling it, a short time later my msn d/c... This happens occasionally, but could TCP packet inspection cause this?
     
  2. Thomas M

    Thomas M Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    355
  3. Xyzzy

    Xyzzy Registered Member

    Joined:
    Jan 11, 2005
    Posts:
    67
    Location:
    Poland
    Do not believe what's written at the first link - the SPI description is crap.

    Actually LnS uses stateful inspection all the time, turning on the advanced option just enables you to see more of what's going on.

    Proof of permanent SPI in LnS:
    When you define a connection for WWW (like outbound tcp 1024-65535->80), you do not need to define a rule for the returning traffic (like inbound tcp 80->1024-65535). Thus, LnS keeps info on the state of the connection (statefully inspects packets) and automatically allows inbound traffic for a properly opened connection.

    X.
     
  4. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Actually, Thomas M's first link does offer an SPI description which is quite accurate.

    Xyzzy, Look ‘n’ Stop's SPI implementation is not activated upon default installation; the user needs to manually enable that feature, and when they do activate it, the user will know it has been activated because all clients' current connections get blocked (so much for your assumption of keeping state of connections even with Look ‘n’ Stop's SPI implementation off) until the moment you re-launch all the clients (this is where state of connections begins).
    :p
     
  5. Thomas M

    Thomas M Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    355
    Mikel,

    Maybe I am not a firewall expert! But Phant0m's input is always appreciated, since he really knows about LnS ;)

    Thomas :)
     
  6. Xyzzy

    Xyzzy Registered Member

    Joined:
    Jan 11, 2005
    Posts:
    67
    Location:
    Poland
    As for the link, do you think that the following is true?!?
    "Stateful packet inspection [...] examines not just the headers of the packet, but also the contents, to determine more about the packet than just its source and destination information."
    It is utter nonsense; SPI uses only headers, NOT packet contents (payload)!!! Basically, SPI for TCP connections uses TCP header flags (that are in the HEADER) to track connection state.
    Here is the TCP state machine, nothing about packet contents, all about flags.
    http://www.samag.com/documents/s=1176/sam9907d/9907d_f1.htm

    As for LnS, I was completely wrong. Damn this miserable help, all by trial and error! LnS does not track state in the normal configuration, and it seems turning the SPI option on just adds displaying some info, but info on connection state is not used for filtering?!?

    X.
     
  7. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    I didn’t mean to put it across as if you were wrong, I merely meant the information given is indeed quite accurate based on many properly designed SPI implementations in Software Firewall products. Regardless of what most articles have written and what their readers believe and say, properly designed SPI implementations (true SPI implementations) do inspect content. Anyways I’m not going to argue here, I don’t see the point, you either do your research or you don’t, it is up to you and whomever…

    In regards to Look ‘n’ Stop, from everything that has been mentioned and everything I have observed, Look ‘n’ Stop by default installation does not do state tracking until you decide to enable Look ‘n’ Stop's SPI implementation; once you have enabled it, most will know it’s been working because all CURRENT CONNECTIONS will begin being blocked, and users have to exit current client applications, re-run them and make all new connections. If Look ‘n’ Stop had done state tracking, when enabling Look ‘n’ Stop's SPI implementation you wouldn't have observed this sort of behaviour.
    :p
     
  8. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Actually it depends on which level you are referring to.
    At IP level, TCP header is a payload.

    When SPI is implemented to handle FTP (Active connection mode), not only headers but the TCP payload has to be examined. But at FTP level this information is probably in a header.

    Yes, after the feature is turned on, the connection states are used to do filtering, and to block any packet not belonging to a connection.

    Frederic
     
  9. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Aha! Finally, it all makes sense now. :D Thanks!
     
  10. Skank!

    Skank! Registered Member

    Joined:
    Jan 29, 2005
    Posts:
    31
    Location:
    New Zealand
    Does this harm p2p programs?? I seem to be getting a lot of disconnects while using eMule, and Azureus seems to have fewer connections as well....
     
  11. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Look 'n' Stop SPI implementation does :(
     
  12. Thomas M

    Thomas M Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    355
    By the way: What about SP2 for Win-XP? All I know is that SP2 additionally limits the number of simultaneous connections, thereby slowing down P2P programs? Is there a registry hack around for this?

    Thomas :)
     
  13. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    True, and Yes...
     
  14. Thomas M

    Thomas M Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    355
    Got it ! Thanks PhantOm :cool:

    Thomas :rolleyes:
     
  15. Xyzzy

    Xyzzy Registered Member

    Joined:
    Jan 11, 2005
    Posts:
    67
    Location:
    Poland
    I created a rule for WWW browsing: Outbound TCP 1024-65535->80 and turned on SPI. But I still need a rule to allow reply traffic. Is this the 'not completely implemented SPI' I have read about on this board (i.e. states used only for blocking and not for allowing packets)?

    Phantom, maybe you could explain to me the SPI 'incompleteness' in LnS?

    I would not call tracking FTP connections state SPI. Is there any product that uses such terminology referring to FTP connections?

    X.
     
  16. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hi Xyzzy

    - Look ‘n’ Stop's SPI Implementation is designed to work as an additional layer; you still need to make rules that apply for both directions when authorizing TCP.

    Regarding FTP, Look ‘n’ Stop's SPI Implementation does not “yet” cover the FTP protocols; however, many stateful packet filters do cover FTP, and it goes much like this: Stateful Inspection tracks the FTP session, examining FTP application-layer data. When the client requests that the server generate the back-connection (an FTP PORT command), the stateful packet filter extracts the port number from the request. Both client and server IP addresses and both port numbers are recorded in an FTP-data pending request list. When the FTP data connection is attempted, the stateful packet filter examines the list and verifies that the attempt is in response to a valid request. The list of connections is maintained dynamically, so that only the required FTP ports are opened. As soon as the session is closed the ports are locked, ensuring maximum security.
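    To make concrete the three mechanisms argued over in this thread (return traffic passed because of tracked state rather than an inbound rule, connection tracking decided from TCP header flags, and the FTP PORT pending-request list described just above), here is a toy stateful filter as an added example. It is not Look ‘n’ Stop code; the single outbound rule, the IP addresses, ports and PORT payload are constructed for illustration.

```python
import re

class Packet:
    # Minimal TCP packet view: addresses, ports, header flags and payload.
    def __init__(self, src, sport, dst, dport, flags, payload=b""):
        self.src, self.sport, self.dst, self.dport = src, sport, dst, dport
        self.flags, self.payload = frozenset(flags), payload

class StatefulFilter:
    """Toy stateful packet filter (constructed example, not LnS code)."""
    def __init__(self, local_ip):
        self.local = local_ip
        self.conns = {}           # (src, sport, dst, dport) -> "SYN_SENT" | "ESTABLISHED"
        self.ftp_pending = set()  # (client_ip, port) announced via PORT, awaiting data conn

    def _rule_allows(self, p):
        # The only configured rule, as in the WWW example: outbound TCP 1024-65535 -> 80
        # (and 21). There is no inbound rule; replies must match a tracked connection.
        return p.src == self.local and 1024 <= p.sport <= 65535 and p.dport in (21, 80)

    def filter(self, p):
        """Return True if the packet passes, False if the filter blocks it."""
        key = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags == {"SYN"}:                      # connection attempt, judged by header flags
            if self._rule_allows(p):
                self.conns[key] = "SYN_SENT"
                return True
            if p.dst == self.local and (p.dst, p.dport) in self.ftp_pending:
                # Active-mode FTP data connection that the client asked for with PORT.
                self.ftp_pending.discard((p.dst, p.dport))
                self.conns[rev] = "ESTABLISHED"      # tracked keyed from the local side
                return True
            return False
        if rev in self.conns:                       # reply belonging to a tracked connection
            if p.flags == {"SYN", "ACK"} and self.conns[rev] == "SYN_SENT":
                self.conns[rev] = "ESTABLISHED"
            if p.flags & {"FIN", "RST"}:
                del self.conns[rev]                  # simplified teardown: one FIN/RST closes
            return True
        if key in self.conns:                       # further packets from the local opener
            if p.flags & {"FIN", "RST"}:
                del self.conns[key]
            elif p.dport == 21:
                m = re.match(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n", p.payload)
                if m:                                # remember the data port the client announced
                    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
                    if f"{h1}.{h2}.{h3}.{h4}" == self.local:  # ignore PORT naming other hosts
                        self.ftp_pending.add((self.local, p1 * 256 + p2))
            return True
        return False                                # belongs to no connection: block
```

    With only the outbound rule loaded, the server's SYN/ACK and data packets pass because they match a tracked 4-tuple, an unsolicited inbound SYN or a stray ACK is blocked, and the server's connection to the announced FTP data port is admitted exactly once.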
     
  17. Skank!

    Skank! Registered Member

    Joined:
    Jan 29, 2005
    Posts:
    31
    Location:
    New Zealand
    Thanks for the info...
    of course LNS wasn't designed with p2p programs in mind...lol ;)
     