What is Stateful Packet Inspection (SPI)?

Stateful Packet Inspection is a dynamic packet filtering technique for firewalls that, in contrast to static filtering techniques, includes the state of a data connection in the inspection of packets.

For example, it detects active TCP sessions and can allow or block data packets based on the session state. SPI provides higher security for firewall inspection and reduces the number of rules that need to be defined.

What is Stateful Packet Inspection?

SPI is the abbreviation for stateful packet inspection, which translates as stateful inspection of data packets. It is a dynamic packet filtering technique for firewalls.

Unlike static filtering techniques such as Static Packet Filtering (SPF), SPI is able to take the connection state of a session into account when deciding whether to allow or block a data packet. Stateful packet inspection, for example, detects active TCP sessions and assigns the inspected packets to active connections.

An SPI firewall analyzes data packets at layers three and four of the ISO/OSI reference model (network and transport headers: addresses, ports and, for TCP, the control flags) and creates and maintains state tables. These dynamic state tables form the basis for forwarding or blocking data packets. Stateful packet inspection emerged in the 1990s as a development of static packet filtering techniques.


The company Check Point Software Technologies originally developed the technique. The advantages of stateful packet inspection are increased firewall security and a reduction in the number of firewall rules that need to be defined. SPI should not be confused with deep packet inspection (DPI): DPI also inspects the payload of data packets and can analyze protocols or applications up to the highest OSI layer, whereas SPI decides on header fields and connection state alone.

Comparison of stateful packet inspection and static packet filters

Stateful packet inspection evolved from static packet filtering (SPF) and has largely replaced it in modern firewalls. Static packet filters evaluate each data packet in isolation, based only on header information such as IP addresses, protocol or ports, and cannot detect the state of the communication between a sender and a receiver.

To allow a data exchange between two partners through a static filter, the outbound and the return direction must be permitted by separate rules. Because the connection state is not tracked, the return-direction rule also lets a party send packets that the other side never requested, even when no session exists between the two.

A filter based on stateful packet inspection, on the other hand, remembers which connections are active and blocks data packets that are not preceded by a request or a session-establishing exchange.

How SPI works

  • A firewall with stateful packet inspection analyzes data packets with regard to their connection status. For TCP, this means evaluating the control flags of each segment, such as SYN, ACK or FIN, to follow the handshake, the data phase and the teardown of a session.
  • From these analyses, the firewall builds dynamic state tables in which the connection states of many communication relationships are stored. It then tries to match each packet to be checked against an entry for an active connection.
  • Only packets that belong to an active connection, such as the reply to an outbound request, are forwarded. Timeouts specify when an idle connection is automatically marked as inactive; after that, a late response is no longer assigned to a session and is dropped.
  • Without an active connection, TCP and UDP ports appear closed from the outside: unsolicited packets from uninvolved parties never match a table entry, so a port scan from outside does not see them as open. SPI firewalls can also apply stateful inspection to connectionless protocols such as UDP (User Datagram Protocol).
  • For UDP, a state table entry is created when an outbound datagram is seen. The firewall then only lets inbound UDP packets through that answer such a request, that is, whose addresses and ports match the entry and that arrive before it times out.
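The following Python model is an added example, not code from the original page or from any firewall vendor. It puts the comparison above and the steps just listed side by side: a static filter that can only say "allow inbound from a server port", and a stateful filter that keeps a state table keyed by the 5-tuple, follows the TCP flags through SYN, SYN/ACK, FIN and RST, treats UDP as a request/reply pair with a short timeout, and ages entries out. The protected network prefix, the timeout values, the IP addresses (documentation ranges) and the simplified TCP state machine (no sequence-number or window checks) are assumptions made for the illustration.

```python
from collections import namedtuple

# Only the header fields a packet filter looks at; flags are TCP flags such as
# {"SYN", "ACK"} (empty for UDP) and ts is the arrival time in seconds (constructed).
Packet = namedtuple("Packet", "proto src sport dst dport flags ts", defaults=(frozenset(), 0.0))

INSIDE = "10.0.0."            # hypothetical protected network prefix (assumption)
SERVER_PORTS = (53, 80, 443)  # ports a static ruleset must open for return traffic
# Illustrative idle timeouts per state in seconds, not any vendor's defaults
TIMEOUTS = {"SYN_SENT": 60.0, "ESTABLISHED": 3600.0, "CLOSING": 10.0, "UDP": 30.0}

def is_inside(ip):
    return ip.startswith(INSIDE)

def conn_key(pkt, reverse=False):
    if reverse:
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
    return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

def stateless_allow(pkt):
    """Static packet filter: allow everything outbound plus inbound packets from a
    server port. The return rule has no notion of a session, so an unsolicited
    packet that merely uses source port 80 passes as well."""
    return is_inside(pkt.src) or (pkt.sport in SERVER_PORTS and is_inside(pkt.dst))

class StatefulFilter:
    """Stateful packet inspection: a state table keyed by the 5-tuple, created only
    by traffic leaving the protected network, matched in both directions, aged out."""

    def __init__(self):
        self.table = {}  # 5-tuple of the initiating packet -> [state, last_seen]

    def _expire(self, now):
        for key, (state, last_seen) in list(self.table.items()):
            if now - last_seen > TIMEOUTS[state]:
                del self.table[key]

    def allow(self, pkt):
        self._expire(pkt.ts)
        key, direction = None, None
        for candidate, d in ((conn_key(pkt), "orig"), (conn_key(pkt, True), "reply")):
            if candidate in self.table:
                key, direction = candidate, d
                break
        if pkt.proto == "tcp":
            return self._tcp(pkt, key, direction)
        return self._udp(pkt, key)

    def _tcp(self, pkt, key, direction):
        flags = pkt.flags
        if key is None:
            # No session yet: only a fresh SYN from inside may create one. Anything
            # else, e.g. a spoofed ACK "from port 80", has no entry and is dropped.
            if flags == {"SYN"} and is_inside(pkt.src):
                self.table[conn_key(pkt)] = ["SYN_SENT", pkt.ts]
                return True
            return False
        state = self.table[key][0]
        if "RST" in flags:  # abort: discard the state at once
            del self.table[key]
            return True
        if state == "SYN_SENT":  # only the peer's SYN/ACK completes the handshake
            if direction == "reply" and {"SYN", "ACK"} <= flags:
                self.table[key] = ["ESTABLISHED", pkt.ts]
                return True
            return False
        # ESTABLISHED or CLOSING: a FIN opens a short closing window in which the
        # remaining FIN/ACK packets still pass; once it times out, nothing does.
        closing = "FIN" in flags or state == "CLOSING"
        self.table[key] = ["CLOSING" if closing else "ESTABLISHED", pkt.ts]
        return True

    def _udp(self, pkt, key):
        # Connectionless protocol: an outbound datagram opens a short-lived entry and
        # only a matching reply is accepted back, until that entry times out.
        if key is None:
            if not is_inside(pkt.src):
                return False
            key = conn_key(pkt)
        self.table[key] = ["UDP", pkt.ts]
        return True

def run_scenario():
    """Constructed traffic in time order: an HTTP session, a spoofed inbound packet, a
    DNS exchange and two late packets. Returns {name: (static_verdict, stateful_verdict)}."""
    fw, f = StatefulFilter(), frozenset
    c, web, dns, atk = "10.0.0.5", "203.0.113.10", "203.0.113.53", "198.51.100.7"
    traffic = [
        ("syn", Packet("tcp", c, 40000, web, 80, f({"SYN"}), 0.0)),
        ("synack", Packet("tcp", web, 80, c, 40000, f({"SYN", "ACK"}), 0.1)),
        ("data", Packet("tcp", web, 80, c, 40000, f({"ACK", "PSH"}), 0.3)),
        ("spoofed", Packet("tcp", atk, 80, c, 40001, f({"ACK"}), 0.4)),
        ("fin", Packet("tcp", c, 40000, web, 80, f({"FIN", "ACK"}), 1.0)),
        ("fin2", Packet("tcp", web, 80, c, 40000, f({"FIN", "ACK"}), 1.1)),
        ("dnsq", Packet("udp", c, 51000, dns, 53, ts=2.0)),
        ("dnsr", Packet("udp", dns, 53, c, 51000, ts=2.1)),
        ("stray", Packet("tcp", web, 80, c, 40000, f({"ACK"}), 30.0)),
        ("dns_late", Packet("udp", dns, 53, c, 51000, ts=60.0)),
    ]
    return {name: (stateless_allow(p), fw.allow(p)) for name, p in traffic}
```

Running `run_scenario()` shows the difference the text describes: the static filter passes all ten packets, because every inbound one carries a server source port, while the stateful filter drops the spoofed ACK (no table entry), the stray ACK after the closing window has expired, and the DNS reply that arrives after the UDP entry has timed out. Everything that is part of a session opened from inside, including the SYN/ACK, the data segment, both FINs and the timely DNS answer, passes. Note that the stateless ruleset needed an extra entry for port 53 just to let DNS answers back in; the stateful filter needed no rule at all for that.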