The Broadband Router

The Firewall & SPI

All NAT based routers act as a 'natural' firewall between the Internet and your LAN by masking the true IP address' of the computers on your LAN. The very nature of NAT makes it nearly impossible for someone to directly connect to a computer behind a NAT router using the computer IP address. This does not however stop hackers from successfully launching things like DoS (Denial of Service) attacks on you.

Packet Inspection

To accomplish its connection sharing task, NAT routers do something called Packet Inspection. Part of this inspection process involves blocking unwanted and unrequested packets trying to reach your LAN computers. It can also involve forwarding 憌anted� packets to servers you might have running on your lan (see port forwarding article )

Statefull Packet Inspection

SPI is a little different than ordinary packet inspection�. The basic interpretation of SPI is that a router/firewall with SPI will protect you from more attacks than a router without SPI. SPI means that the router will look at a packet of information, examine it in some way, and determine what to do with it (beyond simple routing). SPI routers not only understand TCP/IP, they understand the kind of applications that are running on the protocol. This understanding allows the router to filter out advanced forms of attacks on the internet like Denial of Service attacks.

There is no standard for implementing SPI. Each manufacturer writes its own SPI software or licenses it from an Internet security company. As you can imagine, the quality of the SPI software can vary. Evaluating the effectiveness of each SPI implementation is WAY out of the scope of this web site and would require a small army of security experts to accomplish in any meaningful way.

This brings us to the difficult question: How do you tell how good the SPI firewall in a broadband router is? This is a VERY difficult question to answer. Without getting extremely technical, the best we can do is look for indications that the router has the capability of performing operations on each packet beyond basic NAT.

Indications that a router has good SPI.

1) Logging:

Routers that do not support any kind of logging might indicate that the router software is not very intelligent. Routers that log attacks and actually tell you what kind of attack was attempted are obviously doing some advanced packet inspection. This is probably your BEST indicator.

2) Special Application Support without DMZ:

 Dumb routers make you put your computer in the DMZ for all kinds of things. Advanced routers can support NetMeeting, VPN pass-through and more without having to move your computer to the DMZ. The only way the router can do this is to look for packets from your special application then re-write and re-route packets in a way that is compatible with both your application and NAT. The fact that the router is aware of your application is an indication of advanced SPI.

3) Advanced packet filtering:

 Packet filtering in itself is SPI. Check to see if your router supports any kind of string filtering on packets. The more advanced the filtering options, the better an indication of good SPI.

Summary

A router with indications of advanced SPI still needs to be 'told' how to look for attacks and how to react to them. The points above let you know that the router is capable of advanced attack shielding. Remember, the manufacturer must program the router for good firewall protection and keep it updated.