Geekzone: technology news, blogs, forums

smac (273 posts, Ultimate Geek)
#63371 25-Jun-2010 11:33

I have a Linksys/Cisco WAG160N that I was having problems with for local traffic between wired and wireless machines. Turns out the SPI firewall is interfering with things, and local traffic is fine with SPI turned off.

Cisco have been good - they say it is a "known issue", however they are unable to reproduce it in the lab, so are simply going to refund me the purchase price. No prob there.

The question is: for a private network, am I really exposing myself to any risk by running without SPI? Or am I worrying about nothing? I understand the basics of what SPI does, just a little unclear on the real-world benefits/risks.

Thanks

richms (23670 posts, Uber Geek, Trusted, Subscriber)
#345279 25-Jun-2010 16:27

I have never got a clear answer from any of the vendors about what an SPI firewall does in addition to the state that simply having NAT present does. I have always turned it off since it does seem to cause a lot of VoIP issues, and in the case of my old router was the cause of it failing after a day or so of use because its tables got full.

Anyone know what it really offers in addition to having NAT on the router? I am guessing it may do some state of each incoming connection via NAPT forwarded ports, but that is just a guess.
Richard rich.ms

Oldhat (172 posts, Master Geek)
#345329 25-Jun-2010 18:36

It keeps a record of any outbound connections in anticipation of incoming packets from that source. The reason it can cause issues for VoIP is that it will drop packets from a source that you haven't opened a connection with.

I'm surprised that the OP experienced issues with SPI on the LAN as it is generally only active on the WAN port.

smac (273 posts, Ultimate Geek)
#345337 25-Jun-2010 18:59

Oldhat:
    I'm surprised that the OP experienced issues with SPI on the LAN as it is generally only active on the WAN port.

Agreed Oldhat, and that's why it took me a long time to isolate. It was only once I'd absolutely confirmed the connection that I approached Cisco, but as soon as I did the response was "yes, we get a couple of these a month and we don't understand it either..." Hence the no-further-questions refund.

I also have an intermittent VoIP issue (the person I am calling cannot hear me speak), but this has been harder to isolate as it's only 'sometimes'. Will be interesting to see if that one occurs while SPI is off; I suspect not, after your explanation above.

This actually complicates the original question. I guess it's not just "is it safe to run without SPI"; the second part of the question is "...and if not, can SPI and VoIP play nicely together?"

cyril7 (7833 posts, Uber Geek, Trusted, Subscriber)
#345444 26-Jun-2010 08:53

Hi, as Oldhat says, SPI is in addition to NAT; the NAT routing in its own action creates the primary firewall by controlling the inbound and outbound connections of each TCP stream from the single WAN port IP to many LAN port IPs. Other normal functions of a firewall may also exist, such as ping blocking, monitoring for DoS attacks and closing the stack if it happens, etc.

SPI in addition monitors the actual state of each connection, checking on the transactions and confirming they keep in step with a normally conducted TCP connection. A TCP connection is a state-controlled activity when working normally, so the SPI checks that's in order. Some nasty burglars jump into a connection during a quiet time and clone the distant connection point; this would normally break the state rules, but the end point may not realise it and carry on a connection. The SPI in the firewall will.

SPI and VoIP do play together; it's not in any way normal that they don't, but if there is a bug in Linksys's SPI routine then anything can happen. It's obviously not their intention to break a valid connection; it's a bug.

I normally leave SPI off and have never felt that I have been more prone to attack. The reason I normally have left it off is that historically, with older modem/routers, the available horsepower was not a lot and SPI would have a big impact on throughput; with modern routers horsepower is not an issue, so there is no reason to leave it off.

I wouldn't lose sleep.

Cyril
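An added illustration, not code from this thread or from any router vendor: a toy Python packet inspector that keeps the outbound-connection table Oldhat describes and layers on the TCP state and sequence checks Cyril describes, so the difference between a NAT-only mapping lookup and SPI is visible on the same packets. Hosts, ports and sequence numbers are constructed values.

```python
# Added example, not from the Geekzone thread: a toy stateful packet inspector
# contrasting a NAT-style "does a mapping exist?" check with SPI's TCP state
# and sequence checks. Packets are constructed dicts; no sockets are involved.
class SPIFirewall:
    def __init__(self, window=65535):
        self.table = {}  # (remote ip, remote port, lan ip, lan port) -> state
        self.window = window

    def outbound(self, pkt):  # LAN -> WAN: a bare SYN opens a table entry
        key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if pkt["flags"] == {"SYN"}:
            self.table[key] = {"state": "SYN_SENT", "next_seq": 0}
        return "allow"

    def inbound(self, pkt, nat_only=False):  # WAN -> LAN
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        conn = self.table.get(key)
        if conn is None:
            return "drop"       # unsolicited: no mapping, so NAT drops it too
        if nat_only:
            return "allow"      # mapping exists; NAT alone looks no further
        flags, seq = pkt["flags"], pkt["seq"]
        if conn["state"] == "SYN_SENT":
            if flags != {"SYN", "ACK"}:
                return "drop"   # only the handshake reply fits this state
            conn["state"], conn["next_seq"] = "ESTABLISHED", seq + 1
            return "allow"
        if "SYN" in flags:
            return "drop"       # a fresh SYN inside an open stream is out of step
        if not conn["next_seq"] <= seq < conn["next_seq"] + self.window:
            return "drop"       # sequence number outside the expected window
        conn["next_seq"] = seq + pkt.get("len", 0)
        if "FIN" in flags or "RST" in flags:
            conn["state"] = "CLOSING"  # recorded; a real table would time it out
        return "allow"

def demo():
    """A LAN client opens a connection; later inbound segments are vetted."""
    fw = SPIFirewall()
    lan, srv = ("192.168.1.10", 40000), ("203.0.113.5", 80)  # constructed hosts
    fw.outbound({"src": lan[0], "sport": lan[1], "dst": srv[0], "dport": srv[1], "flags": {"SYN"}})
    r = {"src": srv[0], "sport": srv[1], "dst": lan[0], "dport": lan[1]}
    return [
        fw.inbound({**r, "flags": {"SYN", "ACK"}, "seq": 1000}),               # allow
        fw.inbound({**r, "flags": {"ACK"}, "seq": 1001, "len": 100}),          # allow
        fw.inbound({**r, "flags": {"ACK"}, "seq": 9_000_000}, nat_only=True),  # allow: NAT alone
        fw.inbound({**r, "flags": {"ACK"}, "seq": 9_000_000}),                 # drop: SPI window check
        fw.inbound({**r, "flags": {"SYN"}, "seq": 1101}),                      # drop: SYN mid-stream
    ]
```

The third and fourth calls are the same out-of-window segment: NAT alone passes it because the address mapping exists, while SPI rejects it because it does not fit the tracked state of the stream.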
