This section discusses the more advanced technique of packet inspection: Stateful Packet Inspection (SPI). To understand how SPI operates, you must briefly review the TCP/IP model.
Many people are confused about the relationship between the OSI reference model and the TCP/IP model—simply put, the use of OSI is a reference for developers whereas, in education, functionally TCP/IP is used. Therefore, you must use the TCP/IP model when inspecting packets.
Figure 5-5 shows the five layers of the TCP/IP model. The stateful inspection component is concerned with how TCP (Layer 4—transport) makes connections. Tracking the state of the TCP connection is done via Layer 4 of the TCP/IP model.