Solved

What OSI layer(s) does a stateful packet inpection firewall work at?

Posted on 2010-11-26
3
2,866 Views
Last Modified: 2012-06-22
Greetings Experts,

I'm studying for the CompTIA Security+ exam and I'm reading material on SPI firewalls or Stateful Packet Inspection.  One aspect that I'm having a little of trouble grasping is at what layer(s) does SPI work at?  I went online and found Layer 3 but other sources say its Layer 3 and Layer 4.  I was wondering if someone could clarify and point me to some definite sources where I can find this information like Cisco's site or some other reputable networking company.  Thanks in advance experts.  
0
Comment
Question by:student_23
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 10

Accepted Solution

by:
lanboyo earned 400 total points
ID: 34219781
A stateful packet firewall would be inspecting at layer 4 and up.

Since the firewall is keeping track of the state of tcp sessions as they are traversing it, it is looking at ( for instance ) the tcp syn, ack bits as well as tcp source and destination ports.

If it was an IP source and destination only filter or access list this would be a level 3 OSI thing.

Best place to find this would be a security plus bran dump sad to say. These are security abstractions that relate to security abstractions.
0
 
LVL 70

Assisted Solution

by:Qlemo
Qlemo earned 100 total points
ID: 34221509
I agree to the above. Please keep in mind that TCP/IP is NOT working exactly with OSI Layers. Some of the protocols act on more than one layer, or in-midst of them. So an exact assignment isn't feasible in many cases.
About the "4 and up", a SPI firewall often even needs to inspect the payload, e.g. for FTP, to change private to public IPs, read port negotiations, and more. That corresponds to Layer 5 and up.

Implementing a good SPI firewall is quite complex because of that, and I don't think you will find any documentation readily composed for that reason.
0
 

Author Closing Comment

by:student_23
ID: 34223786
lanboyo and Qlemo,

Thank you very much for your valuable insight.  I did look in my book but there's isn't more information on SPI.
0

Featured Post

Create the perfect environment for any meeting

You might have a modern environment with all sorts of high-tech equipment, but what makes it worthwhile is how you seamlessly bring together the presentation with audio, video and lighting. The ATEN Control System provides integrated control and system automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this tutorial I will show you with short command examples how to obtain a packet footprint of all traffic flowing thru your Juniper device running ScreenOS. I do not know the exact firmware requirement, but I think the fprofile command is availab…
Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
Come and listen to Percona CEO Peter Zaitsev discuss what’s new in Percona open source software, including Percona Server for MySQL (https://www.percona.com/software/mysql-database/percona-server) and MongoDB (https://www.percona.com/software/mongo-…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question