Are you utilizing a stateful packet inspection (SPI) firewall?
Explanation
Network perimeter defense is what's being checked, specifically whether your infrastructure relies on a stateful packet inspection (SPI) firewall.
A stateful packet inspection firewall is a more advanced type of firewall that not only examines individual packets in isolation (like a basic packet filter) but also keeps track of the state of network connections. It maintains a state table that records information about active connections, including source and destination IP addresses, ports, sequence numbers, and connection states. This allows the firewall to make more intelligent decisions about which packets to allow or block based on the context of the connection.
This question is being asked in a security assessment because SPI firewalls provide stronger protection than basic packet filtering. They can detect and block certain types of attacks that might bypass simpler firewalls. For example, they can prevent packets that don't belong to an established connection from entering the network, which helps protect against various spoofing and session hijacking attempts.
When answering this question, you should:
- Clearly state whether you use SPI firewalls
- Mention the specific firewall products/vendors you use
- Briefly describe how they're deployed in your network architecture
- Note any additional security features these firewalls provide
If you don't use SPI firewalls, explain what alternative security measures you have in place to achieve similar protection.
Example Responses
Example Response 1
Yes, we utilize stateful packet inspection (SPI) firewalls throughout our network infrastructure We have deployed Palo Alto Networks Next-Generation Firewalls at our network perimeter, which provide comprehensive SPI capabilities along with additional security features such as application awareness, user identification, and threat prevention These firewalls maintain state tables for all connections passing through them, allowing them to make context-aware decisions about traffic Additionally, we implement AWS Security Groups for our cloud infrastructure, which also operate as stateful firewalls to protect our cloud-based assets.
Example Response 2
Yes, our organization implements stateful packet inspection through a layered approach We use Cisco Firepower firewalls at our network edge that provide SPI functionality, tracking the state of all connections and only allowing packets that match known, legitimate connections or properly initiated new connections For our internal network segmentation, we utilize FortiGate firewalls that also implement SPI to control traffic between different security zones All firewall rules follow the principle of least privilege, and we conduct quarterly reviews of our firewall configurations to ensure they remain effective and appropriate.
Example Response 3
No, we currently do not utilize stateful packet inspection firewalls Our network security relies primarily on basic packet filtering firewalls and network access control lists (ACLs) on our routers While these provide some level of protection by filtering traffic based on source/destination addresses and ports, we recognize this is not as robust as SPI technology We are currently in the process of evaluating several next-generation firewall solutions that include SPI capabilities, with implementation planned for the next quarter In the interim, we compensate for this limitation through other security controls including network segmentation, intrusion detection systems, and endpoint protection platforms on all systems.
Context
- Tab
- Infrastructure
- Category
- Firewalls, IDS, IPS, and Networking
Related questions
- Do you have a documented policy for firewall change requests?
- Have you implemented an intrusion detection system (network-based)?
- Do you employ host-based intrusion detection?
- Are audit logs available for all changes to the network, firewall, IDS, and IPS systems?
- Is authority for firewall change approval documented? Please list approver names or titles in Additional Info.
- Have you implemented an intrusion prevention system (network-based)?

