
NAT vs. NAT + Stateful Packet Inspection


GoodKarma (Registered; joined Apr 17, 2002; CA, USA)
I've been researching routers as a prelude to setting up a home network with multiple computers accessing the Internet via a cable modem. Many of the "older" routers have NAT-based firewalls. Some of the newer models have NAT and stateful packet inspection (SPI). These newer models tend to run at a $50-70 premium to the old models.

Question 1: How much does SPI increase the effectiveness of the router firewall?

Question 2: Ignoring the other capabilities of the "new" routers (e.g., VPN, DDNS, auto-crossover ethernet ports) is the added security of SPI worth the premium?

Question 3: Are there other critical security features in the latest generation of routers that should drive me to spend the additional money?

Thanks for your input...

GoodKarma
 
Stateful packet inspection is really handy when you are setting up firewalling rules, so I bet that the integrated NAT boxes that have the feature are niftier when you are using them to set up a custom firewall.
 
Stateful Packet Inspection (SPI) will (help) protect you from DoS-type attacks. Most SOHO routers do not include this type of protection, but it can be found in some at just over $100 or so. Of course, you may find a deal from time to time with MIRs that will drastically reduce your cost.

Simply described, SPI checks both the type and number (rate) of packets that are hitting the router. You set the threshold, and if that certain number of a certain type of packet is received, then your router will discard all packets of that type for a certain amount of time (again, you set the duration).
 
Question 1: 10 fold

Question 2: Yes it is, especially on broadband. Remember, 90% of the computer population are total idiots who have no idea what Code Red, Nimda, and other worms are, let alone how to protect against them, know when their computer has one, and how to properly clean it. Broadband is a worm's heaven.

Question 3: Some have UPnP NAT which is handy if you like to do anything pertaining to Microsoft and voice communication. Some have built in support for IPv6. Some have software firewalls and their own virus protection or support to interact with popular anti-virus software.
 
If you keep all your machines behind NAT I don't think SPI would increase firewall effectiveness at all. Already the machines would be untouchable by the outside world.

I don't see why SPI would help with Nimda, Code Red, and friends either. Already the NAT box isn't running a vulnerable service, probably not even any services on the ports those worms hit, so they are going to get an ICMP unavailable anyway. If the things even send ICMPs. Linksys routers don't seem to respond to pings.

The packets still get to travel down the wire. I don't see why using SPI to change the way to deny them would make much difference... they're still coming down your pipe and clogging your line.

Or are you assuming he'll put his box in the DMZ and the NAT box will run SPI against the traffic his box gets? That still doesn't seem very safe. I would be genuinely surprised if these things understood which packets belonged to a Code Red connection and which did not.
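To make concrete what the two replies above are arguing about (the earlier one describing SPI as a "type and number of packets" threshold, this one saying NAT already drops everything unsolicited), here is an added example that is not code from the thread or from any router's firmware. It is a toy filter in Python that keeps a table of TCP flows opened from the LAN, judges each inbound packet against the recorded state of its flow, and applies a per-source SYN-rate threshold with a penalty period. It also includes the classic stateless "allow established = ACK bit set" rule for comparison, because that is the rule a bare-ACK probe slips past and a state table does not. The packet format, addresses, flag sets, thresholds and decision strings are all assumptions made for the example.

```python
"""Toy stateful packet filter (added illustration, not real router code).

Assumptions: packets are TCP only, the LAN is 192.168.1.0/24, and the
state machine is deliberately minimal (no sequence-number or timeout
tracking, which a real SPI engine would also do).
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # subset of {"SYN", "ACK", "FIN", "RST"}
    t: float           # arrival time, seconds


def stateless_established_rule(pkt):
    """Non-stateful 'allow established' rule: trusts the ACK bit alone."""
    return "ACCEPT" if "ACK" in pkt.flags else "DROP"


class StatefulFilter:
    """Tracks flows opened from the LAN; inbound packets must match a flow
    and be consistent with its state. Inbound SYNs are also rate-limited."""

    def __init__(self, lan_prefix="192.168.1.", syn_limit=5, window=1.0, penalty=10.0):
        self.lan_prefix = lan_prefix
        self.table = {}                      # (lan_ip, lan_port, wan_ip, wan_port) -> state
        self.syn_times = defaultdict(deque)  # wan_ip -> timestamps of recent inbound SYNs
        self.blocked_until = {}              # wan_ip -> time its penalty expires
        self.syn_limit, self.window, self.penalty = syn_limit, window, penalty

    def _is_lan(self, ip):
        return ip.startswith(self.lan_prefix)

    def process(self, pkt):
        if self._is_lan(pkt.src):
            return self._outbound(pkt)
        # Rate threshold: count bare SYNs per source in a sliding window;
        # over the limit, drop everything from that source for `penalty` seconds.
        if pkt.t < self.blocked_until.get(pkt.src, 0.0):
            return ("DROP", "source in penalty period")
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            q = self.syn_times[pkt.src]
            q.append(pkt.t)
            while q and pkt.t - q[0] > self.window:
                q.popleft()
            if len(q) > self.syn_limit:
                self.blocked_until[pkt.src] = pkt.t + self.penalty
                return ("DROP", "SYN rate threshold exceeded")
        return self._inbound(pkt)

    def _outbound(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            self.table[key] = "SYN_SENT"     # LAN host opens a new flow
            return ("ACCEPT", "new outbound flow")
        state = self.table.get(key)
        if state is None:
            return ("DROP", "outbound packet for unknown flow")
        if pkt.flags & {"FIN", "RST"}:
            del self.table[key]
            return ("ACCEPT", "flow closed")
        return ("ACCEPT", "outbound, state " + state)

    def _inbound(self, pkt):
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = self.table.get(key)
        if state is None:
            # A NAT table and an SPI table agree here: nothing mapped, nothing delivered.
            return ("DROP", "no state for inbound packet")
        if state == "SYN_SENT":
            if pkt.flags == frozenset({"SYN", "ACK"}):
                self.table[key] = "ESTABLISHED"
                return ("ACCEPT", "handshake reply")
            if "RST" in pkt.flags:
                del self.table[key]
                return ("ACCEPT", "connection refused")
            return ("DROP", "flags inconsistent with SYN_SENT")
        if "SYN" in pkt.flags:           # only SPI catches this; a bare mapping would not
            return ("DROP", "SYN inside established flow")
        if pkt.flags & {"FIN", "RST"}:
            del self.table[key]
            return ("ACCEPT", "flow closed")
        return ("ACCEPT", "established")


def demo():
    """Constructed traffic: one legitimate web fetch, two probes, a SYN flood."""
    f = StatefulFilter()
    lan, web, bad = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    S, SA, A = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    pkts = [
        Packet(lan, 40000, web, 80, S, 0.0),    # LAN host opens a connection
        Packet(web, 80, lan, 40000, SA, 0.1),   # server replies
        Packet(lan, 40000, web, 80, A, 0.2),    # handshake completes
        Packet(web, 80, lan, 40000, A, 0.3),    # server sends data
        Packet(bad, 4444, lan, 80, S, 1.0),     # unsolicited inbound SYN (worm-style scan)
        Packet(bad, 4444, lan, 40000, A, 1.1),  # bare-ACK probe with no flow behind it
    ]
    pkts += [Packet(bad, 5000 + i, lan, 80, S, 3.0 + i * 0.01) for i in range(6)]
    pkts.append(Packet(bad, 6000, lan, 80, A, 4.0))  # source is now in the penalty box
    return [f.process(p) for p in pkts]


if __name__ == "__main__":
    for decision, reason in demo():
        print(decision, "-", reason)
```

Running `demo()` accepts the four packets of the real connection and drops everything from the probing host: the unsolicited SYN and the ACK probe because no flow exists for them, the sixth SYN in the one-second window because it crosses the threshold, and the later packet because the source is in its penalty period. The bare-ACK probe is the packet `stateless_established_rule()` would have let through; it is also the case where a flow table (whether NAT's mapping or SPI's state) and a flag-bit rule part ways.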
 
Thanks everyone for the thoughtful replies. I appreciate your input.

Based on these comments, it sounds like NAT effectively "hides" the network from the Internet, and SPI helps manage potentially damaging/dangerous traffic (e.g., DoS, worms). Is that correct?

Let me get a bit more specific about my decision. I'm setting up a wireless network and want to purchase a wireless broadband router. I'm debating between purchasing an older 802.11b router (e.g., Linksys BEFW11S4 for ~$70) or a newer 802.11g router (e.g., Linksys WRT54G for ~$120). I'm not planning on hosting in the DMZ.

I understand the draft nature of the 54G specification, the wireless frequency differences, and the speed (or not) differences.

Does anyone have any specific feedback on their experience using these products...particularly from a security perspective?
 