SmallNetBuilder Forums
  #1  
Old 12-02-2012, 11:26 AM
Kritiker
Firewall=SPI (Stateful Packet Inspection)?

The specifications for the RT-AC66U state:
Quote:
Firewall: SPI intrusion detection, DoS protection
and in the router's web interface, under Firewall | General, I see
Quote:
Firewall: Yes/No
Enable DoS protection: Yes/No
Logged packet types: select
Respond Ping Request from WAN: Yes/No
Since I see no other place where I can enable/disable SPI (Stateful Packet Inspection), I wonder whether the Firewall mentioned here is the SPI, includes it, or does not include it.

Another way of asking this might be whether SPI can be enabled/disabled separately at all or just with the entire firewall.

To me, it almost looks as if the term Firewall is used here first to refer to the four functions: Enable SPI, Enable DoS protection, Logged packet type and Respond Ping Request from WAN plus the features on the other tabs: URL filtering, Keyword filtering and Network Services filtering, and then to refer to SPI alone, i.e., that Enable SPI has been mislabeled Enable Firewall.

Have I got it all wrong?

Last edited by Kritiker; 12-02-2012 at 11:33 AM.
  #2  
Old 12-02-2012, 01:38 PM
RMerlin

This description is probably misleading.

SPI means that the firewall keeps track of the state of every connection, and will apply rules based on this. This is done by iptables. The router will distinguish a packet sent to a connection that is tracked as being ESTABLISHED versus one sent to a port that has no established connections (in which case it will drop it).

This is what these rules will do, for example:

Quote:
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
So yes, the Firewall option is what controls SPI.

I suspect that the Intrusion Detection is marketing speak for "the router will log packets that are sent to non-opened ports as they might be intrusion attempts". This must not be confused with real IPS (Intrusion Prevention System), which relies on a signature database to detect attempts at exploiting known vulnerabilities. That kind of feature is usually only available in enterprise products.
__________________
Asuswrt-Merlin: Customized firmware for Asus routers
Github: github.com/RMerl - Twitter: RMerlinDev
See the sticky post for more info.
  #3  
Old 12-02-2012, 03:01 PM
Kritiker

When you say this description is probably misleading, to which description are you referring, my suggestion of mislabeling or ???

I am still unclear. Does
Quote:
Enable Firewall Yes/No
enable/disable just SPI or does it enable/disable more? If so, what?

I disabled the Firewall using this setting and not much in any of the tabs (that I noticed) under Advanced Settings | Firewall seemed to change. Respond Ping Request from WAN is greyed out when the Firewall is disabled and not greyed out when the Firewall is enabled. I don't know if this changes the Respond Ping Request from WAN or just prevents its being changed. Other Firewall features still had to be (could be) enabled/disabled separately, so the Enable Firewall selector doesn't seem to affect the whole Firewall.

In the past, my routers have all had the ability to turn SPI on/off separately, and I was surprised not to see that option here, and I wondered if this was actually it. In fact, I would have expected to see an Enable SPI Yes/No selector at exactly this spot in the router's web interface.

I am trying to understand what these settings actually do on this router and what the implications are. The manual skips over the entire topic of Firewalls.

So far, I am liking this router and the features it has. In particular, I am trying to develop a better understanding of how the Respond Ping Request from WAN (which I have used for years), enable Web Access from WAN (which is new to me and somewhat worrisome), the Firewall (including SPI (which I have always used)) and the services the router can provide to me from outside my own network (new to me) interact and what security risks using these services brings. But I have more reading to do before I can ask any of those questions. The manual is remarkably silent on these topics too, as far as I can tell.

I am running stock 3.0.0.4.260 right now.

Oh and I thought the intrusion detection above just referred to the router's SPI feature, nothing more.

Addendum:

When Enable Firewall is set to No, the router responds to pings from the WAN even if the (now greyed out) Respond Ping Request from WAN was set to, and now displays, No. Also the Logged packets type selector is greyed out but left at whatever it was set to. So Enable Firewall certainly controls more than just SPI.

So, one must conclude that a greyed out setting, meaning that one cannot change it, does not necessarily indicate the correct state of the setting. I find that disturbing. Perhaps I am expecting too much?

Last edited by Kritiker; 12-02-2012 at 03:39 PM.
  #4  
Old 12-02-2012, 03:37 PM
RMerlin

Quote:
Originally Posted by Kritiker View Post
When you say this description is probably misleading, to which description are you referring, my suggestion of mislabeling or ???
I meant Asus's description, sorry.

Quote:
Originally Posted by Kritiker View Post
I am still unclear. Does enable/disable just SPI or does it enable/disable more? If so, what?
Try disabling it, then connect through telnet to see what firewall rules are applied:

Quote:
iptables -L
You will see if the rules related to connection states such as what I posted are still there.

Quote:
Originally Posted by Kritiker View Post
So far, I am liking this router and the features it has. In particular, I am trying to develop a better understanding of how the Respond Ping Request from WAN (which I have used for years)
If that option is enabled, it means that when someone pings your public IP, your router will return an echo response.

When disabled, the firewall will silently ignore the packet, so people pinging your IP will get a "request timed out", meaning they can't tell if there is something connected to that IP or not.

Some online games require you to be pingable for example, so you will need to enable that option in those cases.

Quote:
Originally Posted by Kritiker View Post
enable Web Access from WAN (which is new to me and somewhat worrisome)
Some people need to be able to remotely access their router to configure it. Not the safest thing to leave enabled indeed, but if you had someone who is not techno-savvy requiring your help in configuring their router's wireless, you could have them temporarily enable that option, allowing you to remotely configure their router. You still need to know the router's username and password to access it.

Quote:
Originally Posted by Kritiker View Post
Oh and I thought the intrusion detection above just referred to the router's SPI feature, nothing more.
That's the part I meant is kinda confusing, if not misleading. People see "intrusion detection" and think about some advanced IPS, which it ain't.
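A small checker, added here as an illustration and not code from the thread or from Asuswrt, for the `iptables -L` comparison RMerlin suggests in post #4: it parses listing text and reports whether the `state INVALID` drop and `state RELATED,ESTABLISHED` accept rules from post #2 are still present in a chain. The two listings are constructed samples, not captured from an RT-AC66U, and the chain name FORWARD is an assumption.

```python
import re

# Constructed sample listings in `iptables -L` format, modelled on the two state
# rules quoted in post #2; not captured from a real RT-AC66U.
LISTING_FIREWALL_ON = """\
Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere
"""

LISTING_FIREWALL_OFF = """\
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
"""


def parse_chains(listing):
    """Map chain name -> (policy or None, list of rule field lists)."""
    chains, current = {}, None
    for line in listing.splitlines():
        # User-defined chains show "(N references)" instead of a policy.
        header = re.match(r"Chain (\S+) \((?:policy (\w+))?", line)
        if header:
            current = header.group(1)
            chains[current] = (header.group(2), [])
        elif line.strip() and not line.startswith("target") and current:
            chains[current][1].append(line.split())
    return chains


def state_rules(chains, chain="FORWARD"):
    """Return (target, set of conntrack states) for each rule that matches on state."""
    found = []
    for fields in chains.get(chain, (None, []))[1]:
        if "state" in fields:
            states = fields[fields.index("state") + 1]
            found.append((fields[0], frozenset(states.split(","))))
    return found


def spi_active(listing, chain="FORWARD"):
    """True when the chain drops INVALID and accepts RELATED/ESTABLISHED packets,
    i.e. the stateful rules described in post #2 are still loaded."""
    rules = state_rules(parse_chains(listing), chain)
    drops_invalid = any(t == "DROP" and "INVALID" in s for t, s in rules)
    keeps_established = any(t == "ACCEPT" and "ESTABLISHED" in s for t, s in rules)
    return drops_invalid and keeps_established
```

Run it against the real output of `iptables -L` captured over telnet once with the Firewall option set to Yes and once with it set to No; if `spi_active` flips from True to False, that option is indeed what loads the SPI rules.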
  #5  
Old 12-02-2012, 03:44 PM
Kritiker

You are too fast for me. I made a couple of changes to my posting while you were replying to me. I miss the strikethrough on this forum - that would have made it easier for me to indicate changes.

I will now digest your response(s) more fully. Thanks.

Oh and I will dust off my Telnet program. I know I have it here, somewhere.

Last edited by Kritiker; 12-02-2012 at 03:50 PM.