Geekzone: technology news, blogs, forums


smac

#63371 25-Jun-2010 11:33

I have a Linksys/Cisco WAG160N that I was having problems with for local traffic between wired and wireless machines. Turns out the SPI firewall is interfering with things, and local traffic is fine with SPI turned off.

Cisco have been good - they say it is a "known issue", however they are unable to reproduce it in the lab, so are simply going to refund me the purchase price. No prob there.

The question is: for a private network, am I really exposing myself to any risk by running without SPI? Or am I worrying about nothing? I understand the basics of what SPI does, just a little unclear on the real-world benefits/risks.

Thanks 

richms
  #345279 25-Jun-2010 16:27

I have never got a clear answer from any of the vendors about what a SPI firewall does in addition to the state that simply having NAT present does. I have always turned it off since it does seem to cause a lot of VoIP issues, and in the case of my old router was the cause of it failing after a day or so of use because its tables got full.

Anyone know what it really offers in addition to having NAT on the router? I am guessing it may do some state of each incoming connection via NAPT forwarded ports, but that is just a guess.




Richard rich.ms



Oldhat
  #345329 25-Jun-2010 18:36

It keeps a record of any outbound connections in anticipation of incoming packets from that source. The reason it can cause issues for VoIP is that it will drop packets from a source that you haven't opened a connection with.

I'm surprised that the OP experienced issues with SPI on the LAN as it is generally only active on the WAN port.

smac

  #345337 25-Jun-2010 18:59

Oldhat:  

I'm surprised that the OP experienced issues with SPI on the LAN as it is generally only active on the WAN port.


Agreed Oldhat, and that's why it took me a long time to isolate.  It was only once I'd absolutely confirmed the connection that I approached Cisco, but as soon as I did the response was "yes we get a couple of these a month and we don't understand it either...."  Hence the no further questions refund.

I also have an intermittent VoIP issue (person I am calling cannot hear me speak), but this has been harder to isolate as it's only 'sometimes'. Will be interesting to see if that one occurs while SPI is off; I suspect not after your explanation above.


This actually complicates the original question. I guess it's not just "is it safe to run without SPI", the 2nd part to the question is "....and if not, can SPI and VOIP play nicely together?"  



cyril7
  #345444 26-Jun-2010 08:53

Hi, as Oldhat says, SPI is in addition to NAT. The NAT routing by its own action creates the primary firewall by controlling the inbound and outbound connections of each TCP stream from the single WAN port IP to many LAN port IPs. Other normal functions of a firewall may also exist, such as ping blocking, monitoring for DoS attacks and closing the stack if it happens, etc.

SPI in addition monitors the actual state of each connection, checking on the transactions and confirming they keep in step with a normally conducted TCP connection. A TCP connection is a state-controlled activity when working normally, so the SPI checks that's in order. Some nasty burglars jump into a connection during a quiet time and clone the distant connection point; this would normally break the state rules, but the end point may not realise it and carry on the connection. The SPI in the firewall will.

SPI and VoIP do play together; it's not in any way normal that they don't, but if there is a bug in Linksys's SPI routine then anything can happen. It's obviously not their intention to break a valid connection; it's a bug.

I normally leave SPI off and have never felt that I have been more prone to attack, reason I normally have left it off is that historically with older modem/routers the available horsepower was not a lot and SPI would have a big impact on throughput, with modern routers horsepower is not an issue so there is no reason to leave it off.

I wouldn't lose sleep.

Cyril
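A small Python model of the distinction Oldhat and Cyril describe, added here as an illustration and not taken from the thread or from any router firmware: NAT alone is modelled as full-cone (any WAN source may reach a LAN port that has already sent), while SPI additionally requires the inbound source to be an endpoint the LAN host actually contacted and checks TCP flags against the handshake state recorded so far. The addresses, the transition table and the VoIP scenario (audio arriving from a media server other than the one the phone sent to) are constructed assumptions, and the NAT's address rewriting is left out so the LAN endpoint doubles as the mapping key.

```python
from collections import defaultdict

# Allowed TCP transitions (assumed, simplified): (state, direction, flags) -> next state.
TCP = {(None, "out", "S"): "SYN_SENT", ("SYN_SENT", "in", "SA"): "SYN_RECV",
       ("SYN_RECV", "out", "A"): "ESTABLISHED", ("ESTABLISHED", "out", "A"): "ESTABLISHED",
       ("ESTABLISHED", "out", "PA"): "ESTABLISHED", ("ESTABLISHED", "in", "A"): "ESTABLISHED",
       ("ESTABLISHED", "in", "PA"): "ESTABLISHED"}

class Firewall:
    """NAT modelled as full-cone: any WAN source may reach a LAN port that has sent.
    With spi=True, inbound must also come from an endpoint the LAN host contacted and
    TCP flags must follow the handshake state recorded for that connection."""
    def __init__(self, spi):
        self.spi, self.peers, self.tcp = spi, defaultdict(set), {}

    def outbound(self, proto, lan, remote, flags=""):
        self.peers[(proto, lan)].add(remote)  # create/refresh the NAT mapping
        return self._track(proto, lan, remote, "out", flags)

    def inbound(self, proto, remote, lan, flags=""):
        if (proto, lan) not in self.peers:
            return False  # no mapping at all: plain NAT drops it too
        if self.spi and remote not in self.peers[(proto, lan)]:
            return False  # source the LAN host never talked to (Oldhat's VoIP case)
        return self._track(proto, lan, remote, "in", flags)

    def _track(self, proto, lan, remote, direction, flags):
        if not self.spi or proto != "tcp":
            return True
        nxt = TCP.get((self.tcp.get((lan, remote)), direction, flags))
        if nxt is None:
            return False  # out-of-state packet, e.g. a fresh SYN/ACK on an open connection
        self.tcp[(lan, remote)] = nxt
        return True

def run_scenarios(fw):
    """A TCP session, then a VoIP call with asymmetric media; returns what fw let through."""
    lan, web = "192.168.1.10:40000", "203.0.113.5:80"  # constructed sample addresses
    fw.outbound("tcp", lan, web, "S"); fw.inbound("tcp", web, lan, "SA"); fw.outbound("tcp", lan, web, "A")
    data_ok = fw.inbound("tcp", web, lan, "PA")
    injected = fw.inbound("tcp", web, lan, "SA")  # a cloned endpoint trying to restart the handshake
    phone, told, actual = "192.168.1.20:10000", "198.51.100.7:20000", "198.51.100.9:20000"
    fw.outbound("udp", phone, told)             # phone sends RTP to the media address in the SDP
    rtp_ok = fw.inbound("udp", actual, phone)   # but audio arrives from a different media server
    return {"tcp_data": data_ok, "injected_synack": injected, "rtp_audio": rtp_ok}
```

Running `run_scenarios` with `spi=False` lets all three packets through, while `spi=True` still passes normal data but drops the mid-connection SYN/ACK and the RTP from the unexpected source, which is the one-way-audio symptom described in the thread.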
