FIDP-01

Are you utilizing a stateful packet inspection (SPI) firewall?

Explanation

This question is asking whether your organization uses a stateful packet inspection (SPI) firewall as part of your network security infrastructure. A stateful packet inspection firewall is a more advanced type of firewall that not only examines individual packets in isolation (like a basic packet filter) but also keeps track of the state of network connections. It maintains a state table that records information about active connections, including source and destination IP addresses, ports, sequence numbers, and connection states. This allows the firewall to make more intelligent decisions about which packets to allow or block based on the context of the connection.

This question is being asked in a security assessment because SPI firewalls provide stronger protection than basic packet filtering. They can detect and block certain types of attacks that might bypass simpler firewalls. For example, they can prevent packets that don't belong to an established connection from entering the network, which helps protect against various spoofing and session hijacking attempts.

When answering this question, you should:

1. Clearly state whether you use SPI firewalls
2. Mention the specific firewall products/vendors you use
3. Briefly describe how they're deployed in your network architecture
4. Note any additional security features these firewalls provide

If you don't use SPI firewalls, explain what alternative security measures you have in place to achieve similar protection.
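The state-table behaviour described in the explanation above can be seen in a small simulation. This is an added example, not code from ResponseHub or any firewall vendor: it runs the same constructed TCP traffic through a per-packet filter and a stateful filter. The names `Packet`, `stateless_allow`, `StatefulFilter` and `compare`, the addresses and the port-443 policy are all assumptions, and sequence-number checks and timeouts are left out.

```python
from collections import namedtuple

INSIDE = "10.0.0."  # assumed internal prefix (constructed for this example)
Packet = namedtuple("Packet", "src sport dst dport flags")  # flags: "S", "SA", "A", "R"

def stateless_allow(p):
    """Per-packet filter, no memory: outbound to 443, or inbound 'replies' from 443."""
    if p.src.startswith(INSIDE):
        return p.dport == 443
    return p.sport == 443 and p.dport >= 1024

class StatefulFilter:
    def __init__(self):
        self.table = {}  # (client, cport, server, sport) -> "SYN_SENT" | "ESTABLISHED"

    def allow(self, p):
        outbound = p.src.startswith(INSIDE)
        key = (p.src, p.sport, p.dst, p.dport) if outbound else (p.dst, p.dport, p.src, p.sport)
        state = self.table.get(key)
        if state is None:  # only an outbound SYN to 443 may create an entry
            if outbound and p.flags == "S" and p.dport == 443:
                self.table[key] = "SYN_SENT"
                return True
            return False
        if "R" in p.flags:  # a reset tears the connection down
            del self.table[key]
            return True
        if state == "SYN_SENT":  # only the server's SYN-ACK completes the handshake
            if not outbound and p.flags == "SA":
                self.table[key] = "ESTABLISHED"
                return True
            return outbound and p.flags == "S"  # SYN retransmission
        return "S" not in p.flags  # ESTABLISHED: no new SYNs on a live flow

TRAFFIC = [  # constructed: one legitimate HTTPS session, then packets with no session behind them
    Packet("10.0.0.5", 50000, "203.0.113.10", 443, "S"),
    Packet("203.0.113.10", 443, "10.0.0.5", 50000, "SA"),
    Packet("10.0.0.5", 50000, "203.0.113.10", 443, "A"),
    Packet("198.51.100.7", 443, "10.0.0.8", 50001, "A"),  # unsolicited "reply"
    Packet("203.0.113.10", 443, "10.0.0.5", 50000, "R"),
    Packet("203.0.113.10", 443, "10.0.0.5", 50000, "A"),  # arrives after teardown
]

def compare(traffic):
    fw = StatefulFilter()
    return [(stateless_allow(p), fw.allow(p)) for p in traffic]

if __name__ == "__main__":
    print(*zip(TRAFFIC, compare(TRAFFIC)), sep="\n")
```

Each result pair is (stateless verdict, stateful verdict). The per-packet filter passes every packet because each one looks like HTTPS return traffic, while the stateful filter drops the two that match no state-table entry.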

Example Responses

Example Response 1

Yes, we utilize stateful packet inspection (SPI) firewalls throughout our network infrastructure. We have deployed Palo Alto Networks Next-Generation Firewalls at our network perimeter, which provide comprehensive SPI capabilities along with additional security features such as application awareness, user identification, and threat prevention. These firewalls maintain state tables for all connections passing through them, allowing them to make context-aware decisions about traffic. Additionally, we implement AWS Security Groups for our cloud infrastructure, which also operate as stateful firewalls to protect our cloud-based assets.

Example Response 2

Yes, our organization implements stateful packet inspection through a layered approach. We use Cisco Firepower firewalls at our network edge that provide SPI functionality, tracking the state of all connections and only allowing packets that match known, legitimate connections or properly initiated new connections. For our internal network segmentation, we utilize FortiGate firewalls that also implement SPI to control traffic between different security zones. All firewall rules follow the principle of least privilege, and we conduct quarterly reviews of our firewall configurations to ensure they remain effective and appropriate.

Example Response 3

No, we currently do not utilize stateful packet inspection firewalls. Our network security relies primarily on basic packet filtering firewalls and network access control lists (ACLs) on our routers. While these provide some level of protection by filtering traffic based on source/destination addresses and ports, we recognize this is not as robust as SPI technology. We are currently in the process of evaluating several next-generation firewall solutions that include SPI capabilities, with implementation planned for the next quarter. In the interim, we compensate for this limitation through other security controls including network segmentation, intrusion detection systems, and endpoint protection platforms on all systems.

Context

Tab: Infrastructure
Category: Firewalls, IDS, IPS, and Networking
