What is Stateful Packet Inspection (SPI) and how does it work?
SPI tracks the state of connections so only inbound packets that are legitimate responses to inside-initiated requests are allowed; unsolicited inbound traffic is blocked.
Stateful Packet Inspection (SPI) is a firewall technique that remembers the state of each network connection rather than judging packets one at a time. The insight is that on a typical network, legitimate inbound traffic is almost always a reply to something an inside host asked for — so the firewall can safely block anything that wasn't requested.
* Outgoing requests are recorded in a state table; an inbound packet is allowed only if it matches one, otherwise it is dropped. *
How it works:
- It monitors outgoing packets and notes their destinations in a state table of active connections.
- When a packet arrives from outside, it checks the table: the packet is allowed only if it is a legitimate response to a request that originated inside.
- Unsolicited inbound traffic — i.e. connections the outside started on its own — is blocked.
This is why SPI is stronger than simple packet filtering: a basic packet filter would let in any packet matching an address/port rule, whereas SPI also asks "did we actually ask for this?"
Go deeper:
Firewall (computing) — Wikipedia — its "stateful filter" section explains connection tracking and how it improves on stateless packet filtering.