UDP SPI

Discussion in 'LnS English Forum' started by nuser, Jul 9, 2007.

Thread Status:
Not open for further replies.
  1. nuser

    nuser Registered Member

    Joined:
    May 31, 2007
    Posts:
    105
    Location:
    Singapore
    Hi, Frederic,
    In other firewalls (Jetico, Comodo), there are stateful inspections for both TCP and UDP. Will LnS support 'UDP SPI' in the future?
    For connectionless UDP, there is not enough information in the header and the criteria for allowing/blocking might be ambiguous. Is this the reason that UDP SPI is not implemented in LnS?
    Thanks in advance.
     
  2. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi nuser :)

    The SPI on TCP is based on the TCP handshake (the first SYN flag, packet sequence numbers, etc.)...

    The so-called SPI in UDP is based on the connection status (established, fin-wait-1, fin-wait-2, etc.). As you know UDP is connectionless and, IMHO, it's a confusion to call this a stateful inspection... (the word is used in a "marketing" way, not a technical way, to impress users...)

    But I agree with you that future releases of LnS should include such UDP status inspection (USI © climenole ;) ).

    This... and many other enhancements... :D

    And now I return to work on my articles about LnS and other marvelous things of the virtual world...

    (I confess that I'm a slow motion writer...)

    :)
     
  3. nuser

    nuser Registered Member

    Joined:
    May 31, 2007
    Posts:
    105
    Location:
    Singapore
    Thanks, Climenole, :D
    Since there is no SYN flag or sequence numbers in UDP connections, how does 'USI' :D determine whether a UDP packet is good or bad (one which has been allowed by the ruleset)?
    Suppose LnS has such a 'USI' feature and I allow local ports 137 and 138, what will happen if the USI is active? Will the incoming UDP packets to ports 137 and 138 be dropped by USI?
     
    Last edited: Jul 13, 2007
  4. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi nuser :)

    Frankly, I have no (clear) idea...

    How can a UDP connection be processed and checked AS IF it's NOT connectionless? o_O

    I stated in my previous answer that it may be based on connection states, but that's wrong...
    (I have a lack of intellectual concentration presently :rolleyes: )


    It's possible for sure to make some inspections on the UDP packets and their relations to the applications, ports, IP addr., etc., but calling this SPI is in plain English a LIE. (Very good for marketing indeed...)

    By the way: it's easy for closed source programs to pretend to do UDP SPI.
    It would be interesting to check the source code of these UDP "SPI" and the logic used for this...
    I'm very skeptical about the reliability of these "inspections"... :shifty:

    For the moment the only way to control these UDP packets is to rely on correct UDP rules for the applications and on the application itself to parse the data and check the format correctly... This double-check combination is the only way to do it presently.

    Have a nice day.

    :)
     
  5. nuser

    nuser Registered Member

    Joined:
    May 31, 2007
    Posts:
    105
    Location:
    Singapore
    Hi, Climenole,
    I just found some references from Cisco. Seems that the 'USI' depends on a user-defined timeout. So, it might be unreliable.
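    The timeout-based "UDP state" that the Cisco references describe, and the question above about explicitly allowed local ports 137/138, can be shown with a small model. This is an added example written for this thread; it is not code from LnS, Jetico, Comodo or Cisco, and the class, function and port names are hypothetical. The idea is the one the thread arrives at: an outbound UDP packet creates a table entry keyed on the four-tuple (local IP, local port, remote IP, remote port), an inbound packet is accepted only if it matches a live entry, and an entry is dropped after an idle timeout. A static allow rule for a local port is checked before the table, so packets to 137/138 are not dropped by the "state" logic. The last case shows the limit Climenole points to: with no sequence numbers, any packet matching the four-tuple inside the window passes, whether or not it is the real reply.

```python
# Added illustration of timeout-based UDP "pseudo-state" tracking.
# Not LnS, Jetico, Comodo or Cisco code; all names and sample addresses are
# constructed for this example.
import time

ALLOW_STATIC = "allow (static rule for local port)"
ALLOW_STATE = "allow (matches recent outbound packet)"
DROP = "drop (no matching outbound entry)"


class FakeClock:
    """Manual clock so the timeout behaviour is deterministic in the demo."""

    def __init__(self):
        self.now = 0.0

    def advance(self, seconds):
        self.now += seconds

    def __call__(self):
        return self.now


class UdpPseudoStateFirewall:
    """Hypothetical tracker: UDP 'flows' are (local_ip, local_port, remote_ip,
    remote_port) entries created by outbound packets and expired after an
    idle timeout, which is the user-defined value the thread refers to."""

    def __init__(self, timeout=30.0, allowed_local_ports=(), clock=time.monotonic):
        self.timeout = timeout
        self.allowed_local_ports = frozenset(allowed_local_ports)
        self.clock = clock
        self.table = {}  # 4-tuple -> timestamp of the last packet seen

    def _expire(self, now):
        stale = [k for k, t in self.table.items() if now - t > self.timeout]
        for k in stale:
            del self.table[k]

    def outbound(self, local_ip, local_port, remote_ip, remote_port):
        now = self.clock()
        self._expire(now)
        # An outbound packet opens (or refreshes) the pseudo-connection.
        self.table[(local_ip, local_port, remote_ip, remote_port)] = now
        return "allow"

    def inbound(self, local_ip, local_port, remote_ip, remote_port):
        now = self.clock()
        self._expire(now)
        # A static rule for the local port is consulted before the state table,
        # so an allowed server port (e.g. NetBIOS 137/138) is never dropped here.
        if local_port in self.allowed_local_ports:
            return ALLOW_STATIC
        key = (local_ip, local_port, remote_ip, remote_port)
        if key in self.table:
            self.table[key] = now  # refresh the idle timer
            return ALLOW_STATE
        return DROP


def run_demo():
    """Returns the decision for five constructed packets, in order."""
    clock = FakeClock()
    fw = UdpPseudoStateFirewall(timeout=30.0, allowed_local_ports={137, 138}, clock=clock)
    decisions = []
    # 1. DNS query out, reply half a second later: matches the entry.
    fw.outbound("192.0.2.10", 51000, "192.0.2.53", 53)
    clock.advance(0.5)
    decisions.append(fw.inbound("192.0.2.10", 51000, "192.0.2.53", 53))
    # 2. Same reply again after 31 s of silence: the entry has expired.
    clock.advance(31)
    decisions.append(fw.inbound("192.0.2.10", 51000, "192.0.2.53", 53))
    # 3. Unsolicited NetBIOS packet to local port 137: static rule wins.
    decisions.append(fw.inbound("192.0.2.10", 137, "192.0.2.77", 137))
    # 4. Unsolicited packet to a port with no rule and no state: dropped.
    decisions.append(fw.inbound("192.0.2.10", 5000, "192.0.2.77", 5000))
    # 5. Inside the window only the 4-tuple is checked: the firewall cannot
    #    tell a genuine NTP reply from any other packet with the same tuple.
    fw.outbound("192.0.2.10", 52000, "198.51.100.9", 123)
    clock.advance(1)
    decisions.append(fw.inbound("192.0.2.10", 52000, "198.51.100.9", 123))
    return decisions


if __name__ == "__main__":
    for d in run_demo():
        print(d)
```

    The timeout is the only knob, which is why nuser's reading of the Cisco references is right: set it too short and legitimate but slow replies are dropped, set it too long and the window in which any matching packet is accepted grows. The application-level check Climenole describes (the program parsing what it receives) is what catches the cases the four-tuple match cannot.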
     