How Does an SPI Firewall Protect Network Traffic?
By Nick Anderson 5 minutes
A firewall is an important part of network security: it examines network traffic and decides whether it is allowed to reach you. Firewalls have existed since the early days of the internet, when they were rudimentary at detecting and stopping unsolicited traffic. Over time, with more powerful hardware, firewalls have become considerably more capable.
Your operating system has a firewall that controls which applications may communicate with the internet, and your router has a built-in firewall that checks inbound traffic to see whether it is legitimate. Without a firewall, network security takes a serious hit.
SPI is a firewall technique that goes beyond basic header checks to decide which data packets are allowed in. What is an SPI firewall? This post explains.
What is an SPI Firewall?
SPI stands for Stateful Packet Inspection. It is a more advanced form of firewall filtering used to protect a network.
A stateless firewall (plain packet filtering) judges every packet on its own, against static rules that look only at header fields: source and destination IP address, source and destination port, and protocol. It has no memory of earlier packets, so it cannot tell a genuine reply from an unsolicited packet that happens to match a rule. We have explained in our previous blogs how to port forward and why it may be required for certain activities (gaming, for example) for the best experience; a port-forwarding rule is exactly this kind of static, stateless rule. A stateful firewall is more comprehensive. But first, let's understand how NAT works.
What is NAT?
Network Address Translation is a function of your router that keeps a record of every outbound connection in the NAT table. For each one it notes the private IP address of the device, the source port it used, and the destination IP address and port it wants to reach on the internet.
It then rewrites the packets so that every device on your network appears to come from the router's single public IP address, the one assigned by your Internet Service Provider (ISP). Because the pool of IPv4 addresses is finite and has largely run out, sharing one public address among many devices is what keeps IPv4 usable. You can learn more about IPv4 addresses here.
NAT is not really a firewall, and it is not stateless: the translation table is itself a record of live connections. Inbound packets that match no table entry are dropped simply because the router has nowhere to deliver them. That side effect blocks unsolicited traffic, but any port-forwarding rule you add is a static, stateless rule that approves packets by port alone.
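To make the NAT table concrete, here is an added example (not code from the original post) that models a home router's translation table: an outbound connection creates a mapping, only a reply to that mapping is translated back to the private host, anything else is dropped for want of a mapping, and a port-forwarding rule is a static entry that lets any outside host in. The addresses, ports and the game-server rule are all made up; the public address is taken from the documentation range 203.0.113.0/24.

```python
# Added example (not code from the original post): a minimal model of a
# home router's NAT table. Addresses, ports and the forward rule are made up.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.7"  # assumed ISP-assigned address


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """Port address translation: many private hosts share one public IP."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # outbound 5-tuple -> public port the router chose for it
        self.outbound: Dict[Tuple, int] = {}
        # (proto, public port, remote ip, remote port) -> (private ip, private port)
        self.inbound: Dict[Tuple, Tuple[str, int]] = {}
        # static port-forward rules: (proto, public port) -> (private ip, private port)
        self.forwards: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def add_port_forward(self, proto: str, public_port: int,
                         private_ip: str, private_port: int) -> None:
        self.forwards[(proto, public_port)] = (private_ip, private_port)

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Record the flow (if new) and rewrite the source to the public IP."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(pkt.proto, port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Deliver to the private host that owns the mapping, or drop (None)."""
        # dynamic entry: only a reply from the host an inside device contacted
        target = self.inbound.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if target is None:
            # static rule: anyone on the internet may reach this port
            target = self.forwards.get((pkt.proto, pkt.dst_port))
        if target is None:
            return None  # no mapping: the router has nowhere to send it
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, target[0], target[1])


def demo() -> dict:
    """One web request, its reply, two unsolicited packets and a forwarded port."""
    nat = Nat(PUBLIC_IP)
    nat.add_port_forward("udp", 27015, "192.168.1.20", 27015)  # hypothetical game server
    out = nat.translate_outbound(Packet("tcp", "192.168.1.10", 51000, "198.51.100.5", 443))
    return {
        "outbound": out,
        "reply": nat.translate_inbound(Packet("tcp", "198.51.100.5", 443, PUBLIC_IP, out.src_port)),
        # same public port, but from a host nobody inside talked to
        "spoofed": nat.translate_inbound(Packet("tcp", "198.51.100.99", 443, PUBLIC_IP, out.src_port)),
        "unsolicited": nat.translate_inbound(Packet("tcp", "198.51.100.99", 4444, PUBLIC_IP, 22)),
        "forwarded": nat.translate_inbound(Packet("udp", "198.51.100.99", 5000, PUBLIC_IP, 27015)),
    }


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:12} -> {'dropped' if pkt is None else pkt}")
```

The dynamic lookup keys on the remote address and port as well as the public port, so a packet from a different host to the same port is dropped; real routers vary here (some accept any source once a port is mapped), which is one reason NAT alone is not a firewall. The forwarded game port, by contrast, is reachable by anyone.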
How Does an SPI Firewall Work?
Network traffic moves in small chunks called data packets. Your communication with a friend over the internet is a series of such packets. Each carries a slice of the data, and the slices are reassembled at the destination.
Instead of looking only at source and destination addresses, an SPI firewall tracks the context of each packet: does it belong to a session an inside device opened, and, for TCP, is it consistent with the stage the connection is in (the three-way handshake, established, closing)? It works with both TCP and UDP. UDP has no handshake or acknowledgments, so the firewall creates a pseudo-session on the first outbound datagram and keeps it open according to its configuration (an idle timeout, for example), admitting replies only while that entry is alive.
An SPI firewall keeps a state table in memory that records the connections it has seen and uses it to decide whether the next packet is part of an existing conversation. It knows which internal host and port (or, on your computer, which application) opened a connection and expects a response from the server on the other end. The SPI firewall discards any packet that does not fit: an inbound packet with no matching entry, or a packet whose flags make no sense for the connection's current state.
For example, when you open a website, the SPI firewall records the outbound request in its state table. The inbound response is then trusted because the firewall knows an internal host asked for it. This is what makes SPI useful behind NAT: it opens a pinhole for the return traffic of each connection and closes it when the connection ends, rather than relying on fixed, always-open rules as a stateless firewall must.
That provides baseline protection: unsolicited packets from a bad actor, including probes and scans that belong to no session, are dropped. Note that SPI does not look inside packets, so it cannot tell whether a packet it admits as part of a legitimate session carries malware.
Keeping that state costs memory and a table lookup per packet, so there is a performance penalty, though on modern hardware it is small.
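The state table and the per-packet decision described above, as an added example that is not part of the original post: a toy stateful filter that follows the TCP handshake and teardown, builds a pseudo-session for UDP with an idle timeout, and drops inbound packets that match no session (an unsolicited SYN, a bare ACK probe, a late UDP "reply"). The inside prefix, timeouts, addresses and ports are assumed values, and the flag handling is deliberately simplified compared with a real implementation such as the Linux connection tracker.

```python
# Added example (not code from the original post): a toy stateful packet
# filter with 192.168.1.0/24 inside and everything else outside.
# Timeouts, addresses and ports are assumed values.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

INSIDE_PREFIX = "192.168.1."
UDP_IDLE_TIMEOUT = 30.0    # seconds without a datagram before a UDP entry expires
TCP_IDLE_TIMEOUT = 3600.0  # assumed; production firewalls often use several hours


@dataclass(frozen=True)
class Packet:
    proto: str                           # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: FrozenSet[str] = frozenset()  # TCP flags such as SYN, ACK, FIN, RST


class StatefulFirewall:
    """Admits a packet only if it opens, or fits, a session an inside host started."""

    def __init__(self) -> None:
        # (proto, inside ip, inside port, outside ip, outside port) -> {"state", "last"}
        self.table: Dict[Tuple, dict] = {}

    @staticmethod
    def _flow(p: Packet) -> Tuple[Tuple, str]:
        """Key the flow by its inside endpoint first, and note the direction."""
        if p.src_ip.startswith(INSIDE_PREFIX):
            return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port), "out"
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port), "in"

    def _expire(self, now: float) -> None:
        stale = [k for k, e in self.table.items()
                 if now - e["last"] > (UDP_IDLE_TIMEOUT if k[0] == "udp" else TCP_IDLE_TIMEOUT)]
        for k in stale:
            del self.table[k]

    def inspect(self, p: Packet, now: float) -> bool:
        """Return True to forward the packet, False to drop it."""
        self._expire(now)
        key, direction = self._flow(p)
        entry = self.table.get(key)
        if p.proto == "udp":
            if entry is None:
                if direction != "out":
                    return False           # nobody inside asked for this datagram
                self.table[key] = {"state": "UDP", "last": now}
            else:
                entry["last"] = now        # traffic either way refreshes the idle timer
            return True
        # TCP: follow the handshake and the teardown
        if entry is None:
            if direction == "out" and p.flags == {"SYN"}:
                self.table[key] = {"state": "SYN_SENT", "last": now}
                return True
            return False  # inbound SYN nobody asked for, or a stray ACK/FIN with no session
        if "RST" in p.flags:
            del self.table[key]            # either side aborted; let the reset through
            return True
        state = entry["state"]
        if state == "SYN_SENT":
            ok = direction == "in" and p.flags == {"SYN", "ACK"}
            if ok:
                entry["state"] = "SYN_RECEIVED"
        elif state == "SYN_RECEIVED":
            ok = direction == "out" and "ACK" in p.flags and "SYN" not in p.flags
            if ok:
                entry["state"] = "ESTABLISHED"
        else:  # ESTABLISHED or CLOSING: data flows; a fresh SYN here is bogus
            ok = "SYN" not in p.flags
            if ok and "FIN" in p.flags:
                if state == "CLOSING":     # second FIN: the session is over
                    del self.table[key]
                    return True
                entry["state"] = "CLOSING"
        if ok:
            entry["last"] = now
        return ok


def demo() -> Dict[str, bool]:
    """A web session and a DNS lookup that pass, and three packets that are dropped."""
    fw = StatefulFirewall()
    me, me_dns = ("192.168.1.10", 51000), ("192.168.1.10", 40123)
    web, dns, attacker = ("198.51.100.5", 443), ("198.51.100.53", 53), ("198.51.100.99", 4444)

    def tcp(src, dst, *flags):
        return Packet("tcp", src[0], src[1], dst[0], dst[1], frozenset(flags))

    def udp(src, dst):
        return Packet("udp", src[0], src[1], dst[0], dst[1])

    return {
        "syn_out": fw.inspect(tcp(me, web, "SYN"), 0.0),
        "synack_in": fw.inspect(tcp(web, me, "SYN", "ACK"), 0.1),
        "ack_out": fw.inspect(tcp(me, web, "ACK"), 0.2),
        "data_in": fw.inspect(tcp(web, me, "ACK", "PSH"), 0.3),
        "dns_query_out": fw.inspect(udp(me_dns, dns), 1.0),
        "dns_reply_in": fw.inspect(udp(dns, me_dns), 1.2),
        "unsolicited_syn": fw.inspect(tcp(attacker, ("192.168.1.10", 22), "SYN"), 2.0),
        "stray_ack": fw.inspect(tcp(attacker, ("192.168.1.10", 22), "ACK"), 2.1),  # ACK-scan probe
        "late_dns_reply": fw.inspect(udp(dns, me_dns), 60.0),  # entry idled out at 30 s
    }
```

The same flow key serves both directions because `_flow` always puts the inside endpoint first; that is what lets the inbound SYN-ACK and data find the entry the outbound SYN created. The late DNS reply is dropped for the reason given above: the UDP pseudo-session has no handshake to end it, so the firewall relies on the configured idle timeout.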
SPI vs. DPI
Deep Packet Inspection (DPI) is a more advanced technique now in widespread use. It operates higher up the OSI model than SPI, at the application layer. Where SPI verifies a packet by checking its headers, its source, and its membership in an active connection, DPI takes the packet apart and examines the payload itself, checking it against the configured rules.
DPI is much more powerful. Network administrators can deploy it to match signatures of known malware or to block traffic that contains certain words. It improves network security by ensuring not only that packets belong to a trusted conversation but also that a hacker has not slipped malware into the payload.
But it has one glaring drawback: speed. DPI is more demanding, requiring more processing power and time, because the payload must be parsed and, where it spans several packets, the stream reassembled before it can be checked.
DPI is also used for national surveillance. China, for example, uses DPI in its Great Firewall to block certain traffic, which is why so many websites and VoIP services are unreachable in the country.
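Why DPI has to reconstruct the stream before it can match anything, shown as an added example that is not code from the original post: a constructed HTTP response carrying the EICAR antivirus test string is cut into TCP segments so that the signature straddles a segment boundary, the segments arrive out of order with one retransmitted, and a per-packet check misses what the reassembled stream reveals. The segment boundaries, sequence numbers and rule names are constructed; the EICAR string is the industry-standard test file, not real malware. An SPI firewall would forward every one of these segments, since they all belong to an established session.

```python
# Added example (not code from the original post): TCP stream reassembly
# plus signature matching, the core of a DPI check. Segments, sequence
# numbers and rule names are constructed; EICAR is the standard AV test string.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


# Constructed rules: a byte pattern for the EICAR test file and a banned keyword.
SIGNATURES: Dict[str, "re.Pattern[bytes]"] = {
    "eicar-test-file": re.compile(re.escape(b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR")),
    "blocked-keyword": re.compile(rb"(?i)forbidden-topic"),
}


def reassemble(isn: int, segments: List[Segment]) -> bytes:
    """Rebuild the byte stream from segments that may arrive out of order or twice."""
    data = bytearray()
    expected = isn                  # next sequence number we still need
    for seg in sorted(segments, key=lambda s: s.seq):
        end = seg.seq + len(seg.payload)
        if end <= expected:
            continue                # pure retransmission: we already have these bytes
        if seg.seq > expected:
            break                   # gap: stop at the contiguous prefix until it is filled
        data += seg.payload[expected - seg.seq:]   # drop any overlapping head
        expected = end
    return bytes(data)


def dpi_verdict(stream: bytes) -> Tuple[str, Optional[str]]:
    """Match the payload against every rule; the first hit decides."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(stream):
            return "drop", name
    return "allow", None


def split_into_segments(isn: int, data: bytes, cuts: List[int]) -> List[Segment]:
    """Cut one payload into consecutive TCP segments (a constructed capture)."""
    segs, start = [], 0
    for cut in cuts + [len(data)]:
        segs.append(Segment(isn + start, data[start:cut]))
        start = cut
    return segs


ISN = 1000
# A constructed HTTP response whose body is the EICAR test string (59-byte header).
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
            b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")


def demo() -> Tuple[bool, bool, Tuple[str, Optional[str]]]:
    """Per-packet matching misses a signature split across segments; reassembly catches it."""
    segs = split_into_segments(ISN, RESPONSE, [40, 70])   # the cut at 70 lands inside the signature
    arrived = [segs[2], segs[0], segs[1], segs[0]]        # out of order, plus one retransmit
    per_packet_hit = any(dpi_verdict(s.payload)[0] == "drop" for s in arrived)
    stream = reassemble(ISN, arrived)
    return per_packet_hit, stream == RESPONSE, dpi_verdict(stream)


if __name__ == "__main__":
    print(demo())
```

The reassembly buffer is exactly the cost the text describes: the inspector must hold segments in memory, order them, discard duplicates and only then run its rules, and it must do so for every flow it watches.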
Conclusion – Does SPI Limit a VPN?
SPI does not interfere with a VPN. The VPN client opens the tunnel with an outbound connection to the VPN server, so the stateful firewall records that session and admits the server's replies like any other return traffic; no inbound port has to be opened. When you install FastestVPN, it also adds an exception to your operating system's application firewall so that the client is allowed to connect.
FastestVPN's anti-malware feature works as a sort of firewall at the domain level: it checks the domains you visit against a list of flagged malicious domains and blocks them from opening.