Dec 10, 2024 
What is Stateful Packet Inspection?
Solution (WinRoute Firewall)

With Stateful Packet Inspection (SPI), every time a packet is sent out of the computer, the firewall records it. When a packet arrives from outside, the firewall can tell whether or not the inbound packet is a reply to a packet that was previously sent out.

This way, the firewall can handle most network traffic safely without a complex configuration of firewall rules.

Discussion

What does "Stateful" mean?

"Stateful" basically means "remembers things that came before." Something that is "stateful" knows about the current "state" of things -- what's going on at that moment, and what went on before that.

A "stateful" firewall knows not only about the packet it's looking at, but also about packets that came before that one.

Why is that useful in a firewall?

Imagine that you had no memory. At any moment, all you knew about was that moment, and you had to figure everything out just from what you could see. This is how old firewalls worked -- they knew only about the current packet they were looking at. They couldn't "remember" packets they had seen before.

Firewalls are designed to control network connections to your computer. The problem is that a "connection" is different from a "packet." A packet is just a single piece of information, but a "connection" is a whole stream of packets. How can a firewall tell whether a packet is part of a connection if it cannot remember the packets that came before?

So, modern firewalls keep track of packets, and "know" if they're part of a connection or not.

How does this work in WinRoute Firewall?

Let's pretend we have a guy named John, and his computer sits behind a firewall (WinRoute Firewall, in particular).

  1. John points his web browser at a web page, like www.yahoo.com.
  2. The web browser sends a packet to www.yahoo.com, saying "I'm going to talk to you."
  3. The packet goes through WinRoute Firewall.
  4. WinRoute Firewall notes, "John is sending a packet to www.yahoo.com."
  5. WinRoute Firewall sends the packet on to www.yahoo.com.
  6. www.yahoo.com sends a packet back to John, saying "Okay, you can talk to me."
  7. The packet from www.yahoo.com gets to John's WinRoute Firewall.
  8. WinRoute Firewall looks at the packet, and thinks, "Should I let this packet in?"
  9. WinRoute Firewall notes, "The packet is from www.yahoo.com."
  10. WinRoute Firewall checks to see if John recently sent out a packet to www.yahoo.com.
  11. WinRoute Firewall discovers that yes, John sent a packet to www.yahoo.com, so this must be a reply.
  12. WinRoute Firewall forwards the packet on to John's computer.

Of course, this all happens at blinding speed. On the average modern computer, WinRoute Firewall can handle millions of packets like this every second.

Where's the "inspection" in all of that? WinRoute Firewall has to "inspect" each packet's headers to see where it came from and where it is going, because those addresses and ports are what it matches against the packets it remembers.
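The twelve steps above, as an added example in Python (not code from Kerio or the WinRoute product): a minimal connection table keyed by protocol, source address/port and destination address/port. The addresses are constructed documentation values, and the 60-second idle timeout is an assumption standing in for "recently".

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source address
    sport: int   # source port
    dst: str     # destination address
    dport: int   # destination port


class StatefulFirewall:
    """Minimal SPI: remember outbound flows, admit inbound packets only as replies."""

    def __init__(self, timeout=60.0):
        self.timeout = timeout   # assumption: how long "recently" lasts, in seconds
        self.table = {}          # outbound 5-tuple -> time it was last seen

    def outbound(self, p, now):
        # Step 4: note "John is sending a packet to www.yahoo.com", then forward it.
        self.table[(p.proto, p.src, p.sport, p.dst, p.dport)] = now

    def inbound(self, p, now):
        # Steps 8-11: inspect the headers, reverse the 5-tuple and look for a
        # recent outbound entry; only then is the packet treated as a reply.
        key = (p.proto, p.dst, p.dport, p.src, p.sport)
        last = self.table.get(key)
        if last is None:
            return False             # unsolicited: nobody inside asked for this
        if now - last > self.timeout:
            del self.table[key]      # stale entry: that conversation is over
            return False
        self.table[key] = now        # a reply keeps the connection alive
        return True


JOHN, WEB = "192.0.2.10", "198.51.100.20"   # constructed documentation addresses


def demo():
    fw = StatefulFirewall(timeout=60.0)
    fw.outbound(Packet("tcp", JOHN, 51000, WEB, 80), now=0.0)     # steps 2-5
    reply = Packet("tcp", WEB, 80, JOHN, 51000)                    # step 6
    wrong_port = Packet("tcp", WEB, 80, JOHN, 51001)               # not John's socket
    stranger = Packet("tcp", "203.0.113.7", 443, JOHN, 51000)      # never contacted
    return {
        "reply": fw.inbound(reply, now=1.0),            # True: matches step 11
        "wrong_port": fw.inbound(wrong_port, now=1.0),  # False: no such outbound flow
        "stranger": fw.inbound(stranger, now=1.0),      # False: unsolicited
        "stale_reply": fw.inbound(reply, now=200.0),    # False: last seen 199 s ago
    }
```

A production SPI engine also checks TCP flags and sequence numbers rather than the 5-tuple alone, so a spoofed packet that merely copies the right addresses and ports is not enough to look like a reply.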



Article Details
Article ID: 15
Created On: Jun 14, 2004 01:40 PM
