Learn about deep packet inspection in Data Protection 101, our series on the fundamentals of information security.
Deep packet inspection, also known as DPI, information extraction (IX), or complete packet inspection, is a type of network packet filtering. It evaluates both the header and the data part of a packet as it passes through an inspection point, checking for protocol non-compliance, spam, viruses, intrusions, and any other defined criteria, and blocks packets that match those criteria from passing through the inspection point.
Deep packet inspection is also used to decide whether a particular packet should be redirected to another destination. In short, deep packet inspection can locate, detect, categorize, block, or reroute packets carrying specific code or data payloads that conventional packet filtering cannot detect, locate, categorize, block, or redirect. Unlike plain packet filtering, deep packet inspection goes beyond examining packet headers.
Deep packet inspection is a form of packet filtering usually carried out as a function of your firewall. It operates at the application layer of the Open Systems Interconnection (OSI) model.
Deep packet inspection evaluates the contents of a packet that is going through a checkpoint. Using rules that are assigned by you, your Internet service provider, or the network or systems administrator, deep packet inspection determines what to do with these packets in real time.
Deep packet inspection can examine the contents of these packets and determine where they came from, such as the service or application that sent them. It can also work with filters to find and redirect network traffic belonging to an online service, such as Twitter or Facebook, or coming from a particular IP address.
Conventional packet filtering only reads the header information of each packet. This basic approach was less sophisticated than modern packet filtering largely because of the technology limitations at the time: firewalls had very little processing power, not enough to inspect the contents of large volumes of packets. In other words, conventional packet filtering was like reading the title of a book without ever looking at the content inside the cover.
With the advent of new technologies, deep packet inspection became feasible. As it became more thorough and complete, it became comparable to picking up the book, cracking it open, and reading it from cover to cover.
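The difference between reading the "title" and reading the "book" is concrete once you parse a packet. The following is an added example written for this article (it is not code from Digital Guardian or from any DPI product): it builds a constructed IPv4/TCP packet, shows the only facts a header-only filter can act on (addresses, protocol, ports), and then reads the payload to identify the application and the HTTP Host, which is what makes a per-service policy possible. The blocked host name `social.example` and the addresses are placeholders.

```python
import struct
from dataclasses import dataclass

# Added example: a minimal IPv4/TCP parser contrasting a header-only filter
# with deep packet inspection. All packets are constructed inline; nothing
# here is captured from a real network or sent anywhere.


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int
    payload: bytes


def build_packet(src_ip, dst_ip, src_port, dst_port, payload):
    """Assemble a bare IPv4 + TCP packet (checksums left zero; we only parse it)."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                          5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_packet(raw):
    """Decode the IPv4 and TCP headers and slice out the application payload."""
    if raw[0] >> 4 != 4:
        raise ValueError("only IPv4 is handled in this example")
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    proto = raw[9]
    src_ip = ".".join(str(b) for b in raw[12:16])
    dst_ip = ".".join(str(b) for b in raw[16:20])
    if proto != 6:
        return Packet(src_ip, dst_ip, proto, 0, 0, raw[ihl:total_len])
    tcp = raw[ihl:]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return Packet(src_ip, dst_ip, proto, src_port, dst_port,
                  raw[ihl + data_off:total_len])


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def header_only_classify(pkt):
    """All a conventional packet filter can say: transport protocol and port."""
    return f"tcp/{pkt.dst_port}" if pkt.proto == 6 else f"ip-proto-{pkt.proto}"


def dpi_classify(pkt):
    """DPI reads the payload: identify the application and, for HTTP, the Host."""
    p = pkt.payload
    first_line = p.split(b"\r\n", 1)[0]
    if p.startswith(HTTP_METHODS) and first_line.endswith((b"HTTP/1.0", b"HTTP/1.1")):
        host = None
        for line in p.split(b"\r\n")[1:]:
            if not line:          # blank line ends the header block
                break
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"host":
                host = value.strip().decode("ascii", "replace")
                break
        return ("http", host)
    # TLS record header: content type 0x16 (handshake), version 3.1 to 3.3.
    # The payload is opaque from here on without decryption.
    if len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03 and p[2] in (0x01, 0x02, 0x03):
        return ("tls", None)
    return ("unknown", None)


BLOCKED_HOSTS = {"social.example"}   # constructed placeholder policy


def decide(pkt):
    """A policy a header-only filter cannot express: block one HTTP host on port 80."""
    app, host = dpi_classify(pkt)
    return "block" if app == "http" and host in BLOCKED_HOSTS else "allow"


if __name__ == "__main__":
    allowed = parse_packet(build_packet("10.0.0.5", "192.0.2.10", 51000, 80,
                                        b"GET / HTTP/1.1\r\nHost: news.example\r\n\r\n"))
    blocked = parse_packet(build_packet("10.0.0.5", "192.0.2.10", 51001, 80,
                                        b"GET / HTTP/1.1\r\nHost: social.example\r\n\r\n"))
    for pkt in (allowed, blocked):
        print(header_only_classify(pkt), dpi_classify(pkt), decide(pkt))
```

Both packets look identical to the header-only classifier (`tcp/80`), so a conventional filter must either pass or block all web traffic to that address; only the payload reveals which service each request is for. The TLS branch also shows the limit the article returns to later: once the payload is encrypted, classification stops at "this is TLS" unless the inspection point can decrypt it.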
There are several uses for deep packet inspection. It can act as an intrusion detection system or as a combined intrusion detection and prevention system, and it can identify specific attacks that your firewall, intrusion prevention, and intrusion detection systems cannot adequately detect on their own.
If your organization has users who work from their laptops, deep packet inspection is vital in preventing worms, spyware, and viruses from getting into your corporate network. Because deep packet inspection applies rules and policies that you define, it also lets your network detect prohibited uses of approved applications.
Deep packet inspection is also used by network managers to manage the flow of network traffic. For instance, if you have a high-priority message, you can use deep packet inspection to let it pass through immediately, ahead of lower-priority messages. You can also prioritize mission-critical packets ahead of ordinary browsing packets. If you have problems with peer-to-peer downloads, you can use deep packet inspection to throttle the rate of data transfer. DPI can also help ISPs prevent the exploitation of IoT devices in DDoS attacks by blocking malicious requests from those devices.
Mobile operators and similar service providers also use deep packet inspection to tailor their offerings to individual subscribers, letting them differentiate data plans as "all you can eat," walled garden, or value added. Record labels and other copyright holders can also ask ISPs to block illegal downloads of their content, a process achieved through deep packet inspection.
Deep packet inspection is also used for targeted advertising, lawful interception, and policy enforcement. It can also prevent some types of buffer overflow attacks.
Lastly, deep packet inspection can help you prevent data leakage, such as when a user e-mails a confidential file. Instead of the file being sent, the user receives information on how to obtain the necessary permission and clearance to send it.
As with other technologies, deep packet inspection can also be used for less than admirable purposes, such as eavesdropping and censorship. The Chinese government, for instance, has been known to use deep packet inspection to monitor the country's network traffic and censor content and sites that it deems harmful to its interests. This is how China has been able to block pornography, religious information, material concerning political dissent, and even popular websites such as Wikipedia, Google, and Facebook.
While DPI has many potential use cases, it can easily identify the sender and recipient of the content it monitors, so it raises privacy concerns. This is primarily a concern when DPI is used for marketing and advertising: monitoring users' behavior and selling their browsing and other data to marketing or advertising companies.
Two primary types of products utilize deep packet inspection: firewalls that have implemented IDS features, such as content inspection, and IDS products that aim to protect the network rather than only detect attacks. Some of the main techniques used for deep packet inspection include:
● Pattern or signature matching – Pattern or signature matching, one approach used by firewalls that have adopted IDS features, compares each packet against a database of known network attacks. The downside of this approach is that it is effective only against known attacks, not against attacks that have yet to be discovered.
● Protocol anomaly – Another approach used by firewalls with IDS features, protocol anomaly detection applies a "default deny" approach, which is a key security principle. Protocol definitions determine which content is allowed, so anything that does not conform to the protocol is rejected. This differs from pattern or signature matching, which simply allows all content that does not match the signature database. The primary benefit of protocol anomaly detection is that it offers protection against unknown attacks.
● IPS solutions – Some IPS solutions implement DPI technologies. They have similar functionality to an in-line IDS, but they can also block detected attacks in real time. One of the biggest challenges with this technique is the risk of false positives, which can be mitigated to some extent by creating conservative policies.
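To make the three bullets concrete, here is an added example (written for this article, not code from Digital Guardian or any IDS/IPS vendor) that runs the same HTTP request payloads through a signature matcher and a protocol-anomaly checker built on a strict HTTP/1.x request grammar. The signature, the sample payloads and the method lists are constructed for the example; a deliberately narrow "strict" method list is included to show how a default-deny policy produces the false positives the IPS bullet warns about, and how a more conservative policy removes them.

```python
import re

# Added example: signature matching versus protocol-anomaly (default deny)
# inspection of HTTP request payloads. Signatures and payloads are constructed
# for illustration and are not taken from any real IDS ruleset.

SIGNATURES = {
    "constructed-test-sig": b"EVIL-TEST-PATTERN",   # constructed placeholder pattern
}

# Strict HTTP/1.x request grammar: "METHOD target HTTP/1.x", then header lines
# of the form "token: value", terminated by an empty line.
REQUEST_LINE = re.compile(rb"^([A-Z]{1,16}) ([^ \r\n]{1,2048}) HTTP/1\.[01]$")
HEADER_LINE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]{1,64}:[ \t]*[^\r\n]{0,4096}$")
STRICT_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS"}
RELAXED_METHODS = STRICT_METHODS | {b"PATCH", b"CONNECT", b"TRACE"}


def signature_match(payload):
    """Pattern matching: names of known-bad patterns found anywhere in the payload.
    Anything that matches nothing is implicitly allowed."""
    return [name for name, pattern in SIGNATURES.items() if pattern in payload]


def protocol_anomaly(payload, allowed_methods=STRICT_METHODS):
    """Default deny: return None if the payload is a well-formed HTTP/1.x request,
    otherwise a short reason describing the first deviation from the protocol."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return "no end-of-headers marker"
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return "malformed request line"
    if m.group(1) not in allowed_methods:
        return "method not permitted: " + m.group(1).decode("ascii")
    if len(lines) - 1 > 64:
        return "too many header lines"
    for line in lines[1:]:
        if not HEADER_LINE.match(line):
            return "malformed header line"
    return None


def inspect(payload, allowed_methods=STRICT_METHODS):
    """Combine both techniques; the reason string records which one fired."""
    hits = signature_match(payload)
    if hits:
        return ("block", "signature:" + ",".join(hits))
    reason = protocol_anomaly(payload, allowed_methods)
    if reason:
        return ("block", "anomaly:" + reason)
    return ("allow", "")


SAMPLES = {  # constructed payloads, not captured traffic
    "normal": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: demo\r\n\r\n",
    "known_bad": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nX-Data: EVIL-TEST-PATTERN\r\n\r\n",
    "not_http": b"\x00\x00\x01\xff not an HTTP request at all\r\n\r\n",
    "legit_patch": b"PATCH /api/items/7 HTTP/1.1\r\nHost: api.example.com\r\nContent-Length: 0\r\n\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:12} strict={inspect(payload)}  relaxed={inspect(payload, RELAXED_METHODS)}")
```

The four samples map onto the bullets: `known_bad` is caught only by the signature (it is a perfectly well-formed request), `not_http` is caught only by the protocol check (no signature exists for it, which is the "unknown attack" case), and `legit_patch` is a legitimate request that the strict default-deny policy blocks as a false positive until the method list is widened.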
Some limitations exist with these and other DPI techniques, although vendors offer solutions aiming to eliminate the practical and architectural challenges through various means. Additionally, DPI solutions now offer a range of complementary technologies such as VPNs, malware analysis, anti-spam filtering, and URL filtering, providing more comprehensive network protection.
No technology is perfect, and deep packet inspection is no exception. It has three distinct weaknesses:
1. Deep packet inspection is very effective in preventing attacks such as denial-of-service attacks, buffer overflow attacks, and even some forms of malware. But the same capability can also be used to create similar attacks.
2. Deep packet inspection can make your current firewall and other security software more complicated and harder to manage. You need to constantly update and revise your deep packet inspection policies to ensure continued effectiveness.
3. Deep packet inspection can slow down your network, because the firewall must dedicate resources to handling the processing load.
Aside from privacy concerns and the inherent limitations of deep packet inspection, encrypted HTTPS traffic and VPN tunnels raise a further concern, since they hide the packet payload from inspection. Some firewalls now offer HTTPS inspection, which decrypts the HTTPS-protected traffic and determines whether the content is permitted to pass through. Nevertheless, deep packet inspection remains a valuable practice for purposes ranging from performance management to network analytics, forensics, and enterprise security.
Digital Guardian's cloud-delivered DLP Platform detects threats and stops data exfiltration from both well-meaning and malicious insiders as well as external adversaries.