Stateful packet inspection (SPI) refers to dynamic packet filtering in which each data packet is checked on a stateful basis and assigned to a specific active session. The packets are analyzed and the current connection state is taken into account in the forwarding decision.
Dynamic packet filtering evolved from static packet filtering, or SPF, and is used in firewalls, among other applications. With SPI, packets are analyzed in transit at the network and transport layers (and, in some implementations, up to the application layer), and the sessions they belong to are recorded in dynamic state tables. Forwarding decisions are made by comparing multiple packets and determining the relationship between them. The underlying rule is simple: a request, for example an HTTP request, is initiated from one machine to another, and because the dynamic packet filter records this connection, only the machine that received the request may send the reply back to the requesting machine; a reply from any other host, or a reply for which no request was ever seen, does not match any table entry. SPI entries also carry a timeout within which the exchange must take place, so the timing of a packet enters the decision as well: from it the filter can conclude whether a response still refers to a legitimate, current request or arrives after the corresponding entry has expired.
Packets that cannot be matched to a known session according to these criteria, or that appear to belong to a DoS attack, are discarded. Firewalls with SPI technology are therefore superior to pure packet filter firewalls in security-relevant applications. One caveat a practitioner should keep in mind: the state table is itself a finite resource, so a flood of connection attempts (a SYN flood, for instance) can exhaust it, which is why stateful firewalls pair SPI with per-source connection limits, short timeouts for half-open sessions, and mitigations such as SYN cookies.
A more advanced technique is deep packet inspection (DPI), in which the content of the payload itself, not just the packet headers, is analyzed and interpreted. DPI can be used for traffic control and also for censorship.