Deep packet inspection (DPI). To the uninitiated, it sounds more than a little frightening, and very much like something you want to avoid at all costs. But if you’re reading this blog, I’m sure you’ve seen DPI plastered over most network companies’ websites. I have to admit, after WildPackets’ 22 years in the industry, I’m truly amazed that DPI has risen to the buzzword level.
In principle, DPI is very straightforward. As the name implies, it involves inspecting every packet traversing a specific point on the network and analyzing part, or all, of the packet depending on the application. The key phrase here is “depending on the application.” At first used strictly for protocol analysis and development, DPI has become the foundation for many different network management and control functions, making it a sometimes overloaded term. A common misconception is that since Company A and Company B both claim to do Deep Packet Inspection, they must be competitors. This is most often a false assumption, leading to significant confusion. Let’s try to eliminate some of the confusion by outlining the key technologies where DPI is in use.
A little more background is probably in order before diving into the applications. The purpose of a network packet is simply to move information from one host to another. The information can take any form, from overall network management to data exchanges between clients and servers. Each packet can only contain a certain amount of data, so most interactions between hosts involve the delivery of multiple packets to complete a particular transaction. Each packet is self-contained, meaning that each packet has all the information needed to correctly route it from one host to another. The basic elements of the packet are the header and the payload. The header contains all of the routing information as well as metadata about the payload, while the payload is the actual data being transmitted. It gets a whole lot more complicated than that, but for the purposes of describing how DPI is used this should suffice.
One other bit of background that’s worth covering is how the packets are actually intercepted for inspection. At any given moment in a transmission a packet is either being conducted down a cable or being processed by a network device, like a switch or router. To inspect the packet, you must be in this path. Since the only devices in this path are typically routers or switches (networking gear), either the router or switch itself must be capable of doing the inspection or a network connection needs to be “tapped.” Tapping involves disconnecting an existing network connection and adding a network device inline that performs a particular function, in our case one based on DPI.
One of the primary uses of DPI is to perform network monitoring – keeping track of everything that is happening on the network. Given that each packet is self-contained and provides detailed information, including the data itself, the depth of data reported for network monitoring can vary greatly depending on how deeply DPI is applied. The most common approach used in network monitoring today is to employ flow-based monitoring, which only looks at the packet header (the routing information) to determine overall statistics like top network users and top applications. The advantage is that most network devices (switches and routers) supply flow-based information, eliminating the need to tap into the network. The drawback is that the level of detail available for monitoring is limited.
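To make the header/payload split described above and the header-only nature of flow-based monitoring concrete, here is an added example (not code from the original post or from WildPackets). It builds a few Ethernet/IPv4/TCP and UDP frames from constructed data, splits each into header fields and payload, and then produces the kind of per-flow byte counts, top talkers and top applications a flow monitor reports using only the header. The port-to-application map and the sample addresses are assumptions made for the example; checksums are left at zero and not verified.

```python
import struct
from collections import Counter

ETH_TYPE_IPV4 = 0x0800
PROTO_TCP = 6
PROTO_UDP = 17

# Assumed port -> application labels for the "top applications" view (example only).
APP_BY_PORT = {80: "HTTP", 443: "HTTPS", 21: "FTP", 53: "DNS", 5060: "SIP/VoIP"}


def _ip2b(s):
    return bytes(int(o) for o in s.split("."))


def _b2ip(b):
    return ".".join(str(o) for o in b)


def build_frame(src_ip, dst_ip, proto, sport, dport, payload):
    """Build a constructed Ethernet/IPv4/(TCP|UDP) frame; checksums stay zero."""
    if proto == PROTO_TCP:
        # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    elif proto == PROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:
        raise ValueError("unsupported protocol")
    total_len = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                     _ip2b(src_ip), _ip2b(dst_ip))
    eth = struct.pack("!6s6sH", b"\xaa" * 6, b"\xbb" * 6, ETH_TYPE_IPV4)
    return eth + ip + l4 + payload


def parse_frame(frame):
    """Split a frame into header fields (what flow monitoring sees) and the
    payload (what full DPI additionally sees). Returns None for anything that
    is not a well-formed IPv4/TCP or IPv4/UDP frame instead of raising."""
    if len(frame) < 34:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_IPV4:
        return None
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl + 8 or 14 + total_len > len(frame):
        return None
    l4 = frame[14 + ihl:14 + total_len]  # IP payload, trimmed to the declared length
    if proto == PROTO_TCP:
        if len(l4) < 20:
            return None
        sport, dport = struct.unpack("!HH", l4[:4])
        l4_hdr_len = (l4[12] >> 4) * 4  # TCP data offset, in 32-bit words
    elif proto == PROTO_UDP:
        if len(l4) < 8:
            return None
        sport, dport = struct.unpack("!HH", l4[:4])
        l4_hdr_len = 8
    else:
        return None
    return {"src": _b2ip(src), "dst": _b2ip(dst), "proto": proto,
            "sport": sport, "dport": dport, "bytes": len(frame),
            "payload": l4[l4_hdr_len:]}


def flow_monitor(frames):
    """Header-only (flow-based) monitoring: bytes per 5-tuple flow, top talkers
    and top applications. The payload is never kept, which is exactly why this
    view can say "HTTP" but not which web application was used."""
    flows, talkers, apps = Counter(), Counter(), Counter()
    for fr in frames:
        p = parse_frame(fr)
        if p is None:
            continue
        flows[(p["src"], p["dst"], p["proto"], p["sport"], p["dport"])] += p["bytes"]
        talkers[p["src"]] += p["bytes"]
        apps[APP_BY_PORT.get(p["dport"], "other")] += p["bytes"]
    return flows, talkers, apps


# Constructed sample traffic (not a real capture).
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "93.184.216.34", PROTO_TCP, 51000, 80,
                b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    build_frame("10.0.0.5", "93.184.216.34", PROTO_TCP, 51000, 80,
                b"GET /app.js HTTP/1.1\r\n\r\n"),
    build_frame("10.0.0.7", "10.0.0.20", PROTO_TCP, 52000, 21, b"RETR report.csv\r\n"),
    build_frame("10.0.0.9", "10.0.0.53", PROTO_UDP, 40000, 53,
                b"\x12\x34\x01\x00" + b"\x00" * 8),
    b"\x00" * 20,  # runt, non-IP frame: skipped rather than crashing the monitor
]

if __name__ == "__main__":
    flows, talkers, apps = flow_monitor(SAMPLE_FRAMES)
    print("top talkers:", talkers.most_common(3))
    print("top applications:", apps.most_common(3))
    print("flows:", len(flows))
```

The `flow_monitor` output is what a switch or router exporting flow records can give you without a tap; the `payload` field that `parse_frame` also returns is the extra detail that only a capture point in the path provides.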
Network analysis carries network monitoring much further. Network analysis uses the full packet, both header and payload, to perform detailed analysis of everything happening on the network, from layer 2 to layer 7 events. Network analysis can provide all of the information typically found in a network monitoring solution, but adds the ability to do detailed troubleshooting of any network problem. A corollary to network analysis is network recording, where all network packets are stored for a period of time so analysts can go back and replay exactly what happened on the network hours or even days ago. In order to obtain this increased detail, the network must be tapped with a device capable of capturing and analyzing the network packets. Though an added expense, most enterprises do decide to employ network analysis solutions as they provide the only way to truly achieve root cause analysis of network issues.
Though not the only technology used for network security, DPI does provide the basis for many key network security technologies, from firewall security to dedicated intrusion detection and intrusion prevention systems (IDS/IPS). Most security applications require a dedicated appliance to be inline, and unlike network monitoring and analysis solutions, which are typically passive, network security solutions often provide active control of network behavior based on the DPI results. Network security solutions require far less storage than network monitoring and analysis solutions, because once a packet is inspected, only metadata for any security anomalies that are detected needs to be retained.
Lawful intercept is a very specific application of DPI, typically employed by governments under strict regulation. It involves the capture and analysis of network data pertaining to a particular user, typically someone who is under investigation, and performed within the guidelines of a specific court order. DPI allows the law enforcement agency to capture all of the packets for a particular user, and either analyze the data in real time or save the packets for post-capture analysis. Lawful intercept typically involves close cooperation between law enforcement agencies and service providers.
With the huge amount of data traversing enterprise networks today, traffic shaping has become very common on corporate networks. Traffic shaping uses DPI to inspect packet headers to determine the type of traffic contained in that particular packet (HTTP, VoIP, FTP, etc.). Then, based on user-defined rules, it alters the delivery priority for the packet. For example, FTP transfers may be given a lower priority than HTTP traffic since most of the applications used by Company A are web-based. So FTP packets may be delayed if the current volume of HTTP traffic is high. Traffic shaping systems may look even more deeply into packet headers, differentiating between specific types of HTTP traffic. This is very useful for giving priority to web-based corporate applications over YouTube videos, for example. Network quality of service (QoS) is a specific form of traffic shaping that can be done at the network level (i.e. by switches and routers). Certain data types, like VoIP, are real-time in nature and much more sensitive to network delays. VoIP packets can be assigned a higher QoS, which gives these packets priority routing over other network packets.
Data Leak Prevention (DLP)
This is a relatively new technology that allows users to inspect network traffic for the purpose of determining if sensitive data is being transmitted in ways that violate corporate policy. It uses DPI, requiring an inline appliance and analysis of both the header and the payload. Often based on keyword rules, DLP systems analyze each packet for rule violations, saving only metadata when violations are detected. DLP systems are far from foolproof, and require detailed knowledge of typical network traffic patterns and constant adjustment to reduce false alarms while keeping data secure.
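As an added example of the rule-based, metadata-only DLP scan described above (not code from the original post or from any DLP vendor), the block below runs keyword and pattern rules over the payloads of constructed, already-decoded packets. It shows two of the tuning levers the text alludes to: a secondary validation step (a Luhn check on card-number-looking digit runs) that cuts false alarms, and a destination allowlist that suppresses alerts for an approved internal server. The rule set, the allowlist and the sample packets are assumptions made for the example; the alerts it retains contain only metadata, never the matched payload.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional


def luhn_ok(digits: bytes) -> bool:
    """Luhn checksum over an ASCII digit string; used to reject 16-digit runs
    that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 48  # ord('0')
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Rule:
    name: str
    pattern: re.Pattern
    # Optional secondary check applied to each regex hit to reduce false positives.
    validate: Optional[Callable[[bytes], bool]] = None


# Assumed policy for the example: a classification keyword and a card-number pattern.
RULES = [
    Rule("keyword-confidential", re.compile(rb"\bCONFIDENTIAL\b")),
    Rule("card-number",
         re.compile(rb"\b(?:\d[ -]?){15}\d\b"),
         validate=lambda hit: luhn_ok(re.sub(rb"[ -]", b"", hit))),
]

# Assumed allowlist: an approved internal file server whose traffic is exempt.
ALLOWED_DESTINATIONS = {"10.0.0.20"}


def scan(packets, rules=RULES, allowed=ALLOWED_DESTINATIONS):
    """Return alert records for packets that violate a rule. Each record holds
    only metadata (time, endpoints, rule, hit count); the payload is dropped."""
    alerts = []
    for p in packets:
        if p["dst"] in allowed:
            continue
        for r in rules:
            hits = [m.group(0) for m in r.pattern.finditer(p["payload"])]
            if r.validate is not None:
                hits = [h for h in hits if r.validate(h)]
            if hits:
                alerts.append({"ts": p["ts"], "src": p["src"], "dst": p["dst"],
                               "dport": p["dport"], "rule": r.name, "matches": len(hits)})
    return alerts


# Constructed sample packets (not a real capture), already decoded to a
# 5-tuple plus payload as a DPI engine would hand them to the rule stage.
SAMPLE_PACKETS = [
    {"ts": 1.0, "src": "10.0.0.5", "dst": "203.0.113.9", "dport": 25,
     "payload": b"Subject: Q3 numbers\r\n\r\nCONFIDENTIAL - do not forward. "
                b"Card 4111 1111 1111 1111"},
    {"ts": 2.0, "src": "10.0.0.7", "dst": "10.0.0.20", "dport": 443,
     "payload": b"CONFIDENTIAL payroll export"},          # approved destination
    {"ts": 3.0, "src": "10.0.0.9", "dst": "198.51.100.4", "dport": 80,
     "payload": b"order id 1234567890123456 shipped"},   # 16 digits, fails Luhn
    {"ts": 4.0, "src": "10.0.0.9", "dst": "198.51.100.4", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\n\r\n"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_PACKETS):
        print(a)
    print("without allowlist:", len(scan(SAMPLE_PACKETS, allowed=set())), "alerts")
```

Running `scan` with the allowlist emptied shows the third alert the internal transfer would otherwise raise; that difference is the "constant adjustment" the post refers to, expressed as policy data rather than code changes.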
Networks have become increasingly sophisticated, with the daily complexity of issues and outside threats growing proportionally. DPI enables a wide range of network technologies that provide essential services, from overall network monitoring to detailed network analysis to security systems that prevent attacks and data leakage. It’s no wonder that DPI has become such a buzzword. Hopefully, when you come across a product that uses DPI now, the first question you will ask is HOW it is using DPI!