Friday, April 15, 2016

What is Deep Packet Inspection?

Deep Packet Inspection, or DPI, is a technology that examines the data part (the payload) of network packets, searching for protocol non-compliance, viruses, spam, intrusions and other statistical information, and then decides whether the packet should be passed, dropped or routed to a different destination for further processing.





DPI is both a hardware and a software solution. A DPI device monitors the payload of each packet passing through it and detects protocols, applications, inappropriate URLs, intrusion attempts and even malware present in the data packet. It is often used to enhance network security. Internet Service Providers also use it to decide on data usage, data limits, bandwidth, compliance with regulations, prioritization of traffic, load balancing or collection of statistical data from their subscribers.


Let's understand first how DPI works and how DPI technology has evolved.


OSI Model and Flow of Data Packets


To understand how DPI works and how this technology has evolved, we need to understand how a data packet flows through the OSI protocol stack.





As per the OSI model, the communication system between the sender and receiver of a network packet is partitioned into seven layers:


  1. The Application Layer – responsible for interacting with the application software
  2. The Presentation Layer – responsible for compression, encryption and formatting of data being presented
  3. The Session Layer – responsible for creating, managing and ending a session's communication
  4. The Transport Layer – responsible for sequencing and delivery of data
  5. The Network Layer – responsible for the addressing and routing of the network packets
  6. The Data Link Layer – responsible for formatting the packet as per the medium of transmission of packets
  7. The Physical Layer – responsible for defining the actual media and characteristics of the transmitted data


When we type a URL in the address bar of a browser, the data typically flows through the OSI protocol stack in the following way:

  1. We type the URL in the address bar of the browser. The Application Layer interacts with the corresponding software, here the web browser. The browser makes an HTTP request to access the webpage from the web server. The request is passed through the next layer of the OSI model – the Presentation Layer.
  2. The Presentation Layer is concerned with the actual format of data being presented. When the browser receives the data from the web server, the Presentation Layer presents it in a proper format like JPEG, MPEG, MOV, HTML etc. This layer can also encrypt and compress the data.
  3. The next layer of the OSI model is the Session Layer. This layer is responsible for creating, managing and ending a session's communication between the sender and receiver of the data. The Session Layer, the Presentation Layer and the Application Layer are mainly responsible for composing the payload of a packet.
  4. The Transport Layer deals with the sequencing and delivery of the data. It segments the data into packets, sequences the packets, establishes a connection between the source and destination of the packets and then sends those across through the next layer of the OSI model. Please note that the Transport Layer is not concerned with the managing and ending of sessions. It only processes the connection between the sender and the receiver of the data.
  5. The Network Layer is responsible for the addressing and routing of the network packets. It deals with how the network packets will travel from one part of the network to the other. However, it is not concerned with whether the packets received are error free. The Transport Layer takes care of that.
  6. The Data Link Layer formats the packets as per the medium used for transmitting the packets, e.g. a wireless medium, an Ethernet connection etc.
  7. The Physical Layer does not change the actual data of the packets. It defines the actual media and characteristics of the transmitted data. The Physical Layer, the Data Link Layer, the Network Layer and the Transport Layer are mainly responsible for composing the headers of network packets.



Lineage of Packet Inspection


Initially, Packet Inspection was used in traditional Firewalls, which used it to monitor and filter packets for network security. Later, this technology gradually evolved into Deep Packet Inspection. Now, DPI is widely used in modern Next Generation Firewalls for enhancing network security, though its usage is not at all limited to that: it is also widely used for content optimization, network and subscriber analysis and content regulation.


Shallow Packet Inspection


Shallow Packet Inspection is widely used in traditional Firewalls. It works mainly in the first three layers of the OSI model. This technology examines mainly the headers of the network packets to decide whether the packet should be passed or dropped.

Shallow Packet Inspection mainly observes the source and destination IP addresses, the number of packets the message is broken into, the total number of hops in routing the packet, the synchronization data for reassembling the packets etc., to decide whether the packet should be processed further.


Medium Packet Inspection


Medium Packet Inspection is widely used in application proxies. These examine the packet headers and a limited amount of the packet's payload, and that information is then matched against a pre-loaded parse list, which can be easily updated by system administrators. A parse list allows specific packet types based on their data format types and associated location on the internet, rather than on their IP addresses alone.


Medium Packet Inspection technology can look into the Presentation Layer of the packet's payload, which enables it to detect certain file formats. Using Medium Packet Inspection devices, administrators can thus prevent client computers from receiving Flash files from YouTube, image files from social networking sites etc. Medium Packet Inspection can even prioritize some packets based on the associated application commands and file formats of the data. It can dig into the packet to identify the application protocol commands associated with it and then permit or deny it as per that information.


Medium Packet Inspection was quite an advancement over Shallow Packet Inspection. But the problem with this technology is that it scales poorly, which limits its usefulness to a large extent.


Deep Packet Inspection


Medium Packet Inspection technology can look into the payload of the packets only to a certain extent, so Medium Packet Inspection devices have only limited application awareness. Something more was needed.

Deep Packet Inspection technology evolved for that purpose. It looks into the payload of the packets and can identify the origin and content of each packet to take further decisions.

Deep Packet Inspection devices use expressions (typically regular expressions) to define patterns of interest in network data streams, and handle packets based on the specific patterns present in their payload.

So, a Deep Packet Inspection device can look into the payload of all the data packets passing through it in real time. That means a Deep Packet Inspection device can look inside all the traffic from a specific IP address, pick out all the HTTP traffic, capture all the traffic that is meant for or coming from a specific mail server, and reassemble those emails as a user types them out.
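The following added example (not from the original article) makes the difference between the OSI flow described earlier and the shallow-versus-deep distinction concrete: it builds one constructed Ethernet/IPv4/TCP frame carrying an HTTP request, shows what a header-only (shallow) inspector sees, and then reads the payload the way a DPI device would. The MAC addresses, IPs, ports and the host name example.test are all constructed placeholders.

```python
import struct
import ipaddress

# Constructed HTTP request; example.test is a reserved name, not a real host.
HTTP_PAYLOAD = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
                b"User-Agent: demo\r\n\r\n")

def build_frame(payload: bytes, dport: int = 80) -> bytes:
    """Wrap payload in Ethernet II + IPv4 + TCP headers (checksums left zero)."""
    eth = bytes.fromhex("001122334455 66778899aabb 0800")  # dst MAC, src MAC, IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     ipaddress.IPv4Address("192.0.2.10").packed,
                     ipaddress.IPv4Address("198.51.100.7").packed)
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def shallow_inspect(frame: bytes) -> dict:
    """Layers 2-4 only: what a traditional header-based filter can see."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ihl = (frame[14] & 0x0F) * 4                 # IPv4 header length in bytes
    ttl, proto = frame[22], frame[23]
    src = str(ipaddress.IPv4Address(frame[26:30]))
    dst = str(ipaddress.IPv4Address(frame[30:34]))
    tcp = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    data_off = (frame[tcp + 12] >> 4) * 4        # TCP header length in bytes
    return {"ethertype": ethertype, "src": src, "dst": dst, "ttl": ttl, "proto": proto,
            "sport": sport, "dport": dport, "payload_offset": tcp + data_off}

def deep_inspect(frame: bytes) -> dict:
    """Layer 7: read the TCP payload and recognise HTTP by its content, not its port."""
    payload = frame[shallow_inspect(frame)["payload_offset"]:]
    result = {"app": "unknown", "method": None, "path": None, "host": None}
    line, _, rest = payload.partition(b"\r\n")
    parts = line.split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/"):
        result.update(app="http", method=parts[0].decode(), path=parts[1].decode())
        for hdr in rest.split(b"\r\n"):
            if hdr.lower().startswith(b"host:"):
                result["host"] = hdr.split(b":", 1)[1].strip().decode()
    return result

def classify(frame: bytes) -> dict:
    """Port-based (shallow) verdict next to the content-based (deep) verdict."""
    by_port = "http" if shallow_inspect(frame)["dport"] in (80, 8080) else "unknown"
    return {"by_port": by_port, "by_payload": deep_inspect(frame)["app"]}
```

Sending the same HTTP request to a non-standard port shows why the article's per-application filtering needs the payload: the port-based verdict becomes "unknown" while the payload-based one stays "http".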




Applications of Deep Packet Inspection technology


Deep Packet Inspection technology has several applications. Some major applications are listed below:


Network Security


It is widely used in Next Generation Firewalls to monitor and filter traffic on a per-application basis instead of a per-port basis, which also enables better troubleshooting of network problems.

Anti-malware


A Deep Packet Inspection device can detect and filter a wide range of malware including trojans, viruses, spyware, adware and other malicious applications. It does so mainly using the approaches mentioned below:


  • URL Detection – Deep Packet Inspection devices can compare incoming and embedded URLs against a database of known malicious websites.
  • Object Detection – Deep Packet Inspection devices can look into the traffic to search for potentially harmful executables and objects and then analyze them to detect malware.
  • Signature Detection – Deep Packet Inspection devices can look into the payload of data packets to search for the presence of signatures of known malware. Signature matching is done using a database of known malware signatures, and it usually relies on security service providers to keep the signature database updated.
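As an added example (not from the original article), the three approaches above applied to HTTP messages as a toy DPI rule engine: URL detection against a blocklist (requested and embedded URLs), signature detection with a pattern over the body, and object detection that routes executables to further analysis rather than dropping them. The blocklist entry and host names are constructed placeholders; the only real pattern is the standard EICAR antivirus test string.

```python
import re
from urllib.parse import urlsplit

# Constructed placeholders, not real indicators; the EICAR string is the
# standard harmless antivirus test pattern.
URL_BLOCKLIST = {"malware.example.test"}
SIGNATURES = {"eicar-test-file": re.compile(re.escape(b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR"))}
EMBEDDED_URL = re.compile(rb"https?://[^\s\"'<>]+")

def parse_http(payload: bytes):
    """Split an HTTP message into (start_line, headers dict, body)."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(b":")
        headers[k.strip().lower().decode(errors="replace")] = v.strip().decode(errors="replace")
    return lines[0], headers, body

def collect_urls(start_line: bytes, headers: dict, body: bytes) -> list:
    """URL detection input: the requested URL plus absolute URLs embedded in the body."""
    urls = []
    parts = start_line.split(b" ")
    if len(parts) == 3 and "host" in headers:  # a request line: METHOD PATH VERSION
        urls.append(f"http://{headers['host']}{parts[1].decode(errors='replace')}")
    urls += [m.decode(errors="replace") for m in EMBEDDED_URL.findall(body)]
    return urls

def inspect(payload: bytes) -> dict:
    """Verdict: drop (known bad), redirect (object needs further analysis) or pass."""
    start_line, headers, body = parse_http(payload)
    for url in collect_urls(start_line, headers, body):        # URL detection
        if urlsplit(url).hostname in URL_BLOCKLIST:
            return {"verdict": "drop", "reason": "url-blocklist:" + url}
    for name, pattern in SIGNATURES.items():                    # signature detection
        if pattern.search(body):
            return {"verdict": "drop", "reason": "signature:" + name}
    if body.startswith(b"MZ"):                                  # object detection
        return {"verdict": "redirect", "reason": "object:executable-for-analysis"}
    return {"verdict": "pass", "reason": ""}
```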


URL Filtering


Deep Packet Inspection devices can look into the traffic to search for requested URLs and block URLs which are potentially harmful or inappropriate.


Protocols and Application Recognition


Deep Packet Inspection technology can look into the traffic to distinguish between email services including IMAP, POP3 and SMTP. It can identify protocols like HTTP, FTP, TCP etc. It can also look into the payload of data traffic to detect the presence of certain file types like Flash, YouTube, Windows Media etc. It can identify a wide variety of tunneling, session, peer-to-peer, messaging and VoIP protocols so that it can route the data for further processing.


Network Management


Deep Packet Inspection technology can be used to maintain QoS (Quality of Service) for the end users. It can be used to differentiate between different types of traffic and to prioritize or throttle down those different types of traffic to maintain basic QoS.


Billing and Metering of Traffic


Deep Packet Inspection technology can be used by Internet Service Providers to offer subscribers different levels of access in terms of usage, data limits, bandwidth etc. It can also be used for compliance with certain traffic regulations, prioritization of traffic and load balancing.


Subscriber Analysis


Sometimes Deep Packet Inspection technology is used by Internet Service Providers to gather statistical information about their subscribers. For example, ISPs can gather information on the web browsing habits of their subscribers and later use that to enhance marketing revenues.


Application Distribution and Load Balancing


Deep Packet Inspection technology can be used to look into the packet content and then, to redirect them to different destinations for the purpose of load balancing and fault tolerance.


Content Regulations


Deep Packet Inspection technology can be used to examine the traffic and to block content that is potentially harmful or unlawful.


Copyright Enforcement


Deep Packet Inspection technology can be used to look into the packet content and automatically detect and block unauthorized sharing of copyrighted content, including music or video files.



So, Deep Packet Inspection is quite an advancement in technology, and it is entirely up to us to decide how we are going to use it for our own benefit. This article was intended to give basic information on Deep Packet Inspection. Hope it served the purpose.







