Traditional packet filtering is analogous to checking a visitor's identity card without checking what they are carrying. A traditional firewall enforces policy by allowing or blocking particular TCP and UDP ports.
Packet filtering looks only at packet headers: the source and destination IP addresses, the transport protocol and the requested TCP or UDP port. If the addresses match a rule and the port is on the access list, the packet is allowed through the firewall; nothing in its payload is ever examined, so "allowed" does not mean "verified".
Attackers realized they could smuggle malicious code past such filters by embedding it in scripts inside seemingly legitimate emails or web pages. Because the traffic arrived on an allowed port, the malware passed through traditional firewalls unnoticed. Imagine allowing a visitor posing as a sales rep with real-looking ID into your business. If you don't check what's in his backpack, it could contain anything at all: perhaps a laptop, perhaps something much worse.
How Deep Packet Inspection works
Deep packet inspection examines the payload of packets passing through the firewall, not just their headers, and decides in real time whether to allow or deny each one according to rules configured on the firewall. Those rules are written by whoever administers the device: a business manager, home owner, internet service provider (ISP) or network manager.
Firewalls built within the last few years have the CPU power to perform DPI on every packet passing through. By pairing multi-core processors with their firewall software, most firewall vendors can now sustain DPI at their advertised throughput.
Current DPI can examine the content of messages, identify the website the data came from and the application that produced it, and classify the traffic of other applications in use on the network. DPI filters in a firewall can reroute or block traffic from specific applications (messenger bots, chat, email) and websites.
Why would you want DPI?
- DPI is a powerful network security tool. Because it inspects content rather than just addresses and ports, it is well suited to detecting and intercepting viruses and other malicious traffic. The signatures (characteristic byte patterns) of most known malware are well documented; examining each packet for these signatures lets a network manager weed out the bad packets from the good.
- A good deep packet inspection installation can also be used to shape the flow of network traffic. For example, a message recognized as high priority can be routed to its destination ahead of less important packets, and voice calls can be prioritized over casual browsing. DPI can equally be used to throttle transfers, preventing employees from using company time to chat online, browse non-productive websites or otherwise misuse their Internet access.
- Because DPI can recognise exploit payloads in transit, it is effective against buffer-overflow attacks delivered over the network and against some application-layer denial-of-service attacks, and it helps stop viruses and malware spreading across the entire company network. Against high-volume distributed denial-of-service (DDoS) floods its value is limited, as the Limitations section below explains.
- Because DPI examines every packet that goes in and out of a network, it is also the mechanism behind lawful interception and policy enforcement.
- Lastly, deep packet inspection helps a business prevent employees from deliberately or accidentally leaking certain kinds of information. A network manager can write DPI rules that block any attached file containing particular words, and the end user can be prompted with a notice explaining how to obtain permission to send such a file. This only works on content the engine can decode: an attachment that is encrypted or packaged in a format the firewall does not unpack will not match.
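The mechanism described in the section above, as an added example that is not part of the original article: a minimal firewall in Python that first applies a stateless packet filter (addresses and destination port only) and then deep-inspects the TCP payload against content rules. The packet bytes, access list, the three regex "signatures" and the CONFIDENTIAL keyword are all constructed for illustration and stand in for a vendor's signature database. It shows the point of the sales-rep analogy: the packet carrying the script loader is accepted by the filter because port 80 is open, and only the payload check drops it. The same rule table also yields the priority action from the voice-call bullet and the keyword block from the leak-prevention bullet.

```python
"""Stateless packet filter beside deep packet inspection, on constructed
IPv4/TCP packets. Added example, not code from the original article; all
addresses, rules and payloads below are made up for illustration."""
import ipaddress
import re
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def build_packet(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a minimal IPv4+TCP packet (no options, checksums left at zero)."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                         ipaddress.ip_address(src_ip).packed,
                         ipaddress.ip_address(dst_ip).packed)
    # data offset 5 words (0x50), flags PSH|ACK (0x18), window 65535
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


@dataclass
class Parsed:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def parse(pkt: bytes) -> Parsed:
    """Pull the addresses, ports and TCP payload out of a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4            # IPv4 header length in bytes
    if pkt[9] != 6:
        raise ValueError("this example only handles TCP")
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    data_off = (pkt[ihl + 12] >> 4) * 4  # TCP header length in bytes
    return Parsed(src, dst, sport, dport, pkt[ihl + data_off:])


# Constructed access list for the stateless filter: (src net, dst net, dst port).
# Anything not matched is dropped; nothing here looks at the payload.
ACL = [
    ("0.0.0.0/0", "10.0.0.0/24", 80),    # web server
    ("0.0.0.0/0", "10.0.0.0/24", 25),    # mail relay
    ("0.0.0.0/0", "10.0.0.0/24", 5060),  # SIP signalling
]


def packet_filter(p: Parsed) -> str:
    for src_net, dst_net, dport in ACL:
        if (ipaddress.ip_address(p.src) in ipaddress.ip_network(src_net)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(dst_net)
                and p.dport == dport):
            return "allow"
    return "drop"


# Constructed DPI rules: (name, payload pattern, action). A real engine carries
# thousands of vendor-supplied signatures; these three stand in for that.
DPI_RULES = [
    ("obfuscated-js-loader", re.compile(rb"<script>\s*eval\(unescape\("), "drop"),
    ("dlp-confidential-attachment", re.compile(rb"\bCONFIDENTIAL\b"), "drop"),
    ("voip-signalling", re.compile(rb"\AINVITE sip:"), "prioritize"),
]


def deep_inspect(p: Parsed) -> Tuple[str, Optional[str]]:
    for name, pattern, action in DPI_RULES:
        if pattern.search(p.payload):
            return action, name
    return "allow", None


def firewall_decision(pkt: bytes) -> Dict[str, Optional[str]]:
    """Cheap header check first; DPI only on what the filter lets through."""
    p = parse(pkt)
    if packet_filter(p) == "drop":
        return {"packet_filter": "drop", "dpi": None, "rule": None, "final": "drop"}
    action, rule = deep_inspect(p)
    return {"packet_filter": "allow", "dpi": action, "rule": rule, "final": action}


# Constructed sample traffic; every flow except telnet arrives on an open port.
SAMPLES = {
    "benign-http": build_packet("203.0.113.5", "10.0.0.20", 40001, 80,
                                b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    "malicious-upload": build_packet("203.0.113.5", "10.0.0.20", 40002, 80,
                                     b"POST /comment HTTP/1.1\r\nHost: shop.example\r\n\r\n"
                                     b"body=<script>eval(unescape('%3c%73%63'))</script>"),
    "leaky-mail": build_packet("10.0.0.77", "10.0.0.25", 40003, 25,
                               b"Subject: Q3 numbers\r\n\r\nAttached: CONFIDENTIAL board deck"),
    "voice-call": build_packet("10.0.0.78", "10.0.0.30", 40004, 5060,
                               b"INVITE sip:bob@10.0.0.30 SIP/2.0\r\n"),
    "telnet": build_packet("203.0.113.9", "10.0.0.20", 40005, 23, b"root\r\n"),
}


def run_samples() -> Dict[str, str]:
    return {name: firewall_decision(pkt)["final"] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:18} {firewall_decision(pkt)}")
```

Ordering matters for cost: the header check is a handful of integer comparisons, the payload scan runs every compiled pattern over every byte, which is why the example only inspects packets the filter has already admitted and why a flood of admissible traffic is the attack this design is weakest against.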
Limitations of deep packet inspection
Deep packet inspection has three significant limitations for company or home firewalls.
- Although DPI is an effective tool against buffer-overflow attacks, denial-of-service (DoS) attacks and certain types of malware, it is CPU intensive, so an attacker can overwhelm the firewall with a high-volume flood of traffic that it cannot inspect fast enough; a DPI engine that falls behind under load becomes the bottleneck itself.
- DPI adds to the complexity of managing a firewall. Firewall OEMs (original equipment manufacturers) have created elaborate interfaces to manage all the DPI options, and the firewall must be updated regularly through a subscription service so that it recognises the signatures of newly discovered viruses and other malicious software.
- DPI slows normal firewall traffic, and users need a considerably more powerful firewall to keep pace with today's internet demands. It also sees only what it can decode: traffic encrypted end to end (for example with TLS) cannot be inspected unless the firewall terminates or intercepts the encrypted session.
DPI gives network managers the power to examine and conduct surveillance on the users of their network. They can censor traffic and internet search results and prioritize one user or service over another. In this information-intensive age, the challenge is to provide maximum protection for business networks while preserving freedom of communication.