Insights Into Packet Inspection Capabilities Of Modern Firewalls


With cybercrime taking the enterprise ecosystem by storm, the issue of securing a network infrastructure along with restricting employee access to unwanted internet resources is a top-of-mind priority for organizations.

In the territory of network security, the firewall is the name of the game. It fends off suspicious web traffic based on preconfigured rules, thereby reducing the risk of malware infiltration, DDoS attacks, data breaches, as well as unauthorized use of specific services and protocols within corporate networks.

This long-standing defensive instrument has gone through evolutionary changes over the years, giving rise to spin-offs that differ in the ways they stop sketchy data packets in their tracks. From traditional to next-generation firewalls (NGFWs), the effectiveness of these solutions has seen a dramatic spike.

This article shines a light on the two arguably most common technologies at the heart of modern firewalls: stateful packet inspection (SPI) and deep packet inspection (DPI). For the bigger picture, let’s first zoom in on the principles behind firewalls and the different approaches to blocking rogue traffic.

Firewall fundamentals

A firewall is a device or a configurable application tasked with sifting through internet traffic to block potentially malicious data. Having debuted in the late 1980s as packet-filtering routers, this tech has since been the cornerstone of the network perimeter philosophy, which remains relevant in the current cybersecurity climate. As decades went by, firewalling has extended its reach in terms of functionality to keep pace with cybercrime advancements.

The classic categorization of firewalls is based on the supported layer of the Open Systems Interconnection (OSI) model, which reflects the tiers of communications used by computer systems to interact over a network. Each category harnesses different protection mechanisms to do its thing. With that in mind, the most common types of firewalls are as follows.

  • Packet filters: These operate at Layer 3 (Network) of the OSI model, checking each packet against an access-control list that specifies which packets are subject to analysis and what action should be applied. Also known as stateless firewalls, they only inspect the packet header information, which includes the source and destination IP addresses, the transport protocol details, and the port numbers.
  • Circuit-level gateways: Working at Layer 4 (Transport) of the OSI model, these tools don’t look at data packets at all. Instead, they scrutinize network protocol session messages such as TCP handshakes to figure out whether the remote host fits the mold of a legitimate one.
  • Stateful filters: With the above-mentioned stateful packet inspection technology at their core, these firewalls analyze the context of data packets by, for instance, verifying that the packet corresponds to an active session initiated after a TCP handshake. Focused on both Layer 3 (Network) and 4 (Transport) of the OSI model, they can recognize traffic patterns and follow a dynamic filtering logic that goes beyond applying a fixed set of rules.
  • Application-layer gateways: Acting as proxies for application servers and protocols, such gateways perform their checks at the highest Layer 7 (Application) of the OSI model. These are often used synonymously with NGFWs that largely build their protections around the DPI functionality.

With the growing complexity of cyberattacks trying to break through a network perimeter, firewalls that are based on static rules and only analyze packet header information while ignoring the data context aren’t always enough.

Mechanisms like SPI and DPI take the defenses further and have the potential to bridge the gap. This explains why firewalls with these technologies on board – stateful filters and application-level gateways – are gaining momentum these days. Let’s go over their capabilities and peculiarities to understand why they make a difference.

The gist of stateful packet inspection

SPI is a context-aware firewalling technology whose algorithms go above and beyond the level of an individual data packet. Unlike the more rudimentary stateless packet inspection, it isn’t bound by immutable rules and has the precious ability to discern patterns in active connections. This tactic is a prerequisite for pinpointing anomalies in otherwise benign-looking traffic.

One area where SPI performs particularly well is DDoS prevention. When malicious actors try to swamp a network with more traffic than it can handle, the dodgy data packets may fly under the radar of other firewalls as they come from legitimate sources and don’t contain any suspicious hallmarks when analyzed in isolation.

Despite this feigned normality, stateful packet inspection will raise the alarm after determining that scores of such requests are stemming from the same IP address. Based on the verdict, the stateful filter can automatically close the communication ports exploited for the attack.
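The session tracking and per-source flood reaction described above, as an added example that is not code from the original article: a small stateful filter that follows each TCP handshake, forwards only packets that belong to a tracked session, and blocks a source once it opens more new connections than a threshold. The packet records, IP addresses, ports and the threshold are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """Minimal header view of a TCP segment (constructed for this example)."""
    src: str     # source IP
    dst: str     # destination IP
    sport: int   # source port
    dport: int   # destination port
    flags: str   # TCP flags: "S" SYN, "SA" SYN/ACK, "A" ACK, "PA" PSH/ACK

class StatefulFilter:
    """Tracks each TCP session through its handshake and forwards only packets that
    belong to a tracked session; a source that opens too many new connections is
    blocked, modelling the flood reaction the article attributes to SPI."""

    def __init__(self, allowed_ports, syn_limit):
        self.allowed_ports = allowed_ports   # ports an outside host may connect to
        self.syn_limit = syn_limit           # new sessions a source may open before it is blocked
        self.state = {}                      # 4-tuple -> SYN_SENT | SYN_RECV | ESTABLISHED
        self.syn_count = defaultdict(int)    # new-connection attempts per source IP
        self.blocked = set()                 # sources shut out after exceeding syn_limit

    def filter(self, pkt):
        if pkt.src in self.blocked:
            return "DROP"
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)   # initiator -> responder
        rev = (pkt.dst, pkt.src, pkt.dport, pkt.sport)   # responder -> initiator
        if pkt.flags == "S":                              # new connection attempt
            if pkt.dport not in self.allowed_ports:
                return "DROP"
            self.syn_count[pkt.src] += 1
            if self.syn_count[pkt.src] > self.syn_limit:  # same IP, too many sessions
                self.blocked.add(pkt.src)
                return "DROP"
            self.state[key] = "SYN_SENT"
            return "ACCEPT"
        if pkt.flags == "SA" and self.state.get(rev) == "SYN_SENT":
            self.state[rev] = "SYN_RECV"                  # responder answered the SYN
            return "ACCEPT"
        if pkt.flags == "A" and self.state.get(key) == "SYN_RECV":
            self.state[key] = "ESTABLISHED"               # handshake complete
            return "ACCEPT"
        if "ESTABLISHED" in (self.state.get(key), self.state.get(rev)):
            return "ACCEPT"                               # data inside a tracked session
        return "DROP"   # no matching session: a port-only stateless rule would let this through

def run_filter(packets, allowed_ports=frozenset({443}), syn_limit=3):
    """Apply one filter instance to a packet sequence and return the verdicts in order."""
    fw = StatefulFilter(allowed_ports, syn_limit)
    return [fw.filter(p) for p in packets]
```

A stray ACK to an allowed port with no tracked session is dropped, which is exactly the case a header-only access list cannot distinguish from legitimate traffic.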

How does deep packet inspection work?

DPI, in its turn, is less about the context and more about the contents of traffic packets. Operating at the highest level of the OSI model, this technology is considered to be more thorough in terms of spotting various forms of network compromise. In addition to inspecting packet headers, it examines the data carried inside the packet itself. This way, DPI recognizes the signatures of malware payloads that a fragment of data might be carrying.

The capacity to dissect the body of a traffic packet makes this firewalling technology incredibly effective in identifying malicious code, which is increasingly used by threat actors to cross network perimeters. Unsurprisingly, DPI is the backbone of next-generation firewalls that are also equipped with technologies like intrusion prevention systems (IPS), user identity management, and web application firewall (WAF) to provide the most robust defenses across the board.

On a separate note, DPI can make a decision to block a certain portion of traffic based on indirect indicators that are intrinsic to a specific application or protocol. This is how network administrators and ISPs can pull the plug on some peer-to-peer file sharing protocols that are at odds with corporate guidelines or regulatory requirements.
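The two DPI decisions just described, matching payload content against signatures and recognizing an application protocol from its bytes rather than its port, as an added example that is not code from the original article. The content signature, addresses and payloads are constructed; the protocol fingerprints use the documented opening bytes of BitTorrent, SSH, TLS and HTTP, and a port-only verdict is included for contrast.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """Packet with its payload exposed for inspection (constructed for this example)."""
    src: str
    dst: str
    dport: int
    payload: bytes

# Constructed content signature for the example; a real engine loads thousands from a feed.
SIGNATURES = {"example-marker": re.compile(rb"EXAMPLE-MALICIOUS-MARKER")}

# Application protocols the policy forbids on any port, e.g. peer-to-peer file sharing.
BLOCKED_PROTOCOLS = {"bittorrent"}

def identify_protocol(payload: bytes) -> str:
    """Fingerprint the application protocol from the first payload bytes, ignoring the port."""
    if payload.startswith(b"\x13BitTorrent protocol"):   # BitTorrent peer handshake
        return "bittorrent"
    if payload.startswith(b"SSH-"):                        # SSH version banner
        return "ssh"
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        return "tls"                                       # TLS handshake record, SSL3..TLS1.3
    if re.match(rb"(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n", payload):
        return "http"
    return "unknown"

def stateless_verdict(pkt: Packet, open_ports=frozenset({80, 443})) -> str:
    """What a header-only packet filter decides: destination port allowed or not."""
    return "ACCEPT" if pkt.dport in open_ports else "DROP"

def dpi_verdict(pkt: Packet) -> tuple:
    """Deep inspection: check the payload against content signatures first,
    then apply the protocol policy to the fingerprinted application."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(pkt.payload):
            return ("DROP", f"signature:{name}")
    proto = identify_protocol(pkt.payload)
    if proto in BLOCKED_PROTOCOLS:
        return ("DROP", f"protocol:{proto}")
    return ("ACCEPT", f"protocol:{proto}")
```

A BitTorrent handshake sent to port 443 passes the port-only check but is dropped by the protocol policy, which is the "regardless of the port" capability the article attributes to DPI.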

Different firewall implementations, overlapping objectives

There is no such thing as one-size-fits-all firewalling technology. SPI excels at DDoS protection, thwarts hacking attempts, provides extensive logging capabilities, and has a moderate impact on the speed of network communications. However, it isn’t likely to detect harmful code lurking inside data packets.

DPI recognizes malware activity, supervises user behavior, limits the use of specific protocols regardless of the port and IP address, and leverages heuristic analysis to overcome the limitations of rule-based filtering logic. But deconstructing and reconstructing traffic packets is resource-intensive, which may lead to network bottlenecks. Also, the fact that DPI isn’t focused on the context of internet traffic limits its denial-of-service attack prevention capabilities.

By and large, each firewalling technology has its advantages and downsides. The choice of the right one depends on an organization’s security priorities, budget, processing power at hand, and industry-specific threats.

Final thoughts

The reality is that a firewall is only the initial barrier in network defense, albeit an essential one. Whether it’s based on SPI, DPI, or conventional stateless packet filtering, it doesn’t suffice on its own to foil increasingly complex and sophisticated cyberattacks. For maximum protection, it should work side by side with frameworks like Zero Trust and secure access service edge (SASE) that fortify user access controls and add cloud-native security functions to the mix.
