A SPI is just a dynamic firewall, so it opens ports for outbound
connections, allows inbound connections related to outbound
connections, and most imporantly, closes unused ports automatically.
So, a SPI only indirectly helps against port scans by keeping things
closed that don't need to be open.

An example is say you're playing a game. This game needs port 1000
open to conect to it's server. So the SPI happily lets this outbound
connection in. The server accepts the port but wants port 2000 open
to talk to the client in your computer, so the SPI detects this
inbound connection is related to the outbound on port 1000, and allows
this connection through (opening port 2000.) Now, your friend's game
client gets your IP from the server and wants to connect to you on
port 3000 (you're hosting the game). Since this is an inbound
connection, and you currently have no outbound connections (directly)
to your friend, the SPI denies this request. So with you and your
friend unable to connect to each other you decided to quit this game
and try another. When you quit, you close all connections to the
server. The SPI detects this change and closes ports 1000 and 2000
respectivly.

So, as the SPI dynmically opens and closes ports, this is the
protection it provides against hackers and port scans.

-Adam.

On Wed, Aug 20, 2008 at 1:04 AM, Juan B <juanbabi (at) yahoo (dot) com [email concealed]> wrote:
>
>
> Hi,
>
> Can someone please explain why statefull inspection Fw helps against hackers? I know that those FW keep track of the sessions but I dont understand how the feature might help against a port scan from the internet or other ways to mitigate hackers attacks.
>
> Thanks
>
> Juan
>
>
>
>
>
>
>

[ reply ]