The need for deep packet inspection arose as hackers became more sophisticated in their approach to unauthorized access of data and information.
Packet versus deep packet inspection
Every piece of digital data, whether from a website, a video game, an email or any other form of electronic communication, is transmitted over the internet in small bundles known as packets. Each packet contains the data to be transmitted plus header information that ensures the data is routed to the proper destination. For many years, network managers used traditional packet filtering, that is, checking only the headers, to block malicious packets at their firewalls. It was not long before hackers overcame this obstacle, and so the need for deep packet inspection (DPI) arose.
Traditional packet filtering
Traditional packet filtering checks the packet's IP and TCP headers and filters at the firewall on that header information alone. This work is done at Layers 3 and 4 of the open systems interconnection (OSI) model, largely because older firewalls lacked the processing power to check each packet for intent.
Traditional packet filtering is analogous to checking visitor identity cards without checking what they are carrying. Traditional firewalls manage security by blocking and allowing particular TCP ports.
Packet filtering is limited to checking the source and destination IP addresses and the requested port. If the IP addresses match and the TCP or UDP port is on the access list, the packet is considered verified and is allowed to pass through the firewall.
Hackers realized they could encapsulate their malicious programs by hiding them in scripts within seemingly legitimate emails or websites. The malware passed through traditional firewalls unnoticed. Imagine allowing a visitor posing as a sales rep with real-looking ID to access your business. If you don’t check what’s in his backpack, it could contain … anything at all. Perhaps a laptop. Perhaps something much worse.
Deep Packet Inspection
The process of analyzing the contents of these TCP/IP packets is known as deep packet inspection, or DPI. It is akin to airports and many businesses scanning backpacks, shoes, coats and even people themselves with metal detectors and x-ray machines: the point is to look beyond the superficial appearance and check what is beneath the surface.
Deep packet inspection is a CPU (central processing unit) intensive method of packet filtering that examines, locates, identifies, classifies, reroutes or blocks packets with specific data or code payloads. Traditional packet filtering, by contrast, examines only packet headers and never looks at the data for improper or malicious intent. DPI is a feature of most modern firewalls and functions at Layer 7, the application layer, of the OSI reference model.
It is worth noting that DPI is far more CPU intensive than traditional packet filtering. This is because more steps are required to examine the packets. Older or slower firewalls do not have the power to check large volumes of data.
How Deep Packet Inspection works
Deep packet inspection examines the content of packets passing through the firewall and makes a real-time decision to allow or deny passage based on rules assigned in the firewall. These rules are written by a business manager, home owner, internet service provider (ISP) or network manager.
Firewalls built within the last few years have the CPU power to perform DPI on every packet passing through them. By combining multi-core processors with firewall technology, most firewall vendors are now able to perform DPI at their advertised bandwidth.
Current DPI can examine the content of messages, the website the information came from, the application that produced the data, and whether the data is bound for other applications. DPI filters within a firewall can be used to reroute or block traffic from specific applications (messenger bots, chat, email) and websites.
Why would you want DPI?
- DPI is a great network security tool. It is an intent-based tool, and so ideal for the detection and interception of viruses and other forms of malicious traffic. The footprint of most virus software and malware is well known. Examining the packet for these footprints allows a network manager to weed out the bad packets from the good.
- A good deep packet inspection installation can be used to accelerate the flow of network traffic. For example, a message recognized as high priority can be routed to its destination ahead of other less important packets. Voice calls can be prioritized over casual browsing. DPI can also be used to throttle data transfer to prevent employees using company time to chat online, to browse non-productive websites or to use their Internet access in unproductive ways.
- As DPI is superb at preventing and detecting intrusions, it can be very effective against buffer overflow and DDoS (distributed denial-of-service) attacks. DPI helps prevent viruses and malware from spreading through the entire company network.
- As DPI is a comprehensive packet examination process, it monitors the packets that go in and out of a network. Deep packet inspection therefore is used for lawful interception and policy enforcement.
- Lastly, deep packet inspection helps your business prevent employees from purposely or accidentally leaking some forms of information. A network manager could write DPI rules that block any attached files with certain words within it. An end user might be prompted with notification on how to get permission to send such a file.
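The contrast between header-only filtering and DPI as described above, together with the keyword-based leak-prevention rule in the last bullet, as an added example that is not code from the original article: a header filter (Layers 3 and 4) and a DPI check (Layer 7) run over packets constructed inline. The trusted network, allowed ports and payload signatures are assumed for illustration; the EICAR test-file marker stands in for a malware footprint.

```python
import struct
from dataclasses import dataclass

# Header-level policy (Layer 3/4): the only facts a traditional filter sees.
TRUSTED_DST_PREFIX = "10.0.0."      # assumed internal network for the example
ALLOWED_DST_PORTS = {80, 443}
# Payload "footprints" a DPI engine matches on (Layer 7). Illustrative only: the
# EICAR marker stands in for a malware signature, the keyword for a DLP rule.
PAYLOAD_SIGNATURES = {
    b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE": "malware-footprint",
    b"CONFIDENTIAL": "dlp-keyword",
}
@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes
def build_packet(src_ip: str, dst_ip: str, dst_port: int, payload: bytes) -> bytes:
    """Construct a bare IPv4+TCP packet (20-byte headers, checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + payload

def parse_packet(raw: bytes) -> Packet:
    """Pull the addresses, destination port and payload out of raw bytes."""
    ihl = (raw[0] & 0x0F) * 4                     # IPv4 header length in bytes
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    _, dst_port, _, _, offset = struct.unpack("!HHIIB", raw[ihl:ihl + 13])
    tcp_len = (offset >> 4) * 4                   # TCP data offset, in 32-bit words
    return Packet(src, dst, dst_port, raw[ihl + tcp_len:])

def header_filter(pkt: Packet) -> str:
    """Traditional packet filtering: decide on addresses and port alone."""
    if pkt.dst_ip.startswith(TRUSTED_DST_PREFIX) and pkt.dst_port in ALLOWED_DST_PORTS:
        return "allow"
    return "deny"

def deep_inspect(pkt: Packet) -> str:
    """DPI: same header check, then look inside the payload for known footprints."""
    verdict = header_filter(pkt)
    if verdict != "allow":
        return verdict
    for signature, rule in PAYLOAD_SIGNATURES.items():
        if signature in pkt.payload:
            return f"block:{rule}"
    return "allow"
```

A packet whose header is on the access list but whose payload carries a known footprint is exactly the case the header filter lets through and DPI stops.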
Limitations of deep packet inspection
Deep packet inspection has three significant limitations for company or home firewalls.
- While it is an effective tool against buffer overflow attacks, denial-of-service (DoS) attacks and certain types of malware, DPI is so CPU intensive that an attacker can overwhelm the firewall with very high-volume traffic that it cannot keep pace with.
- Managing DPI adds to the complexity of managing a firewall. Firewall OEMs (original equipment manufacturers) have created complex interfaces to manage all the DPI options. Firewalls must be periodically updated via a service to remain effective, because they need to recognize the footprints of all known viruses and other malicious software.
- DPI slows normal firewall traffic, and all users will require a much more CPU-intensive firewall to keep pace with current internet demands.
DPI gives network managers the power to examine and conduct surveillance on the users of their network. They can censor traffic and internet search results and prioritize one user or service over another. In this information intensive age, the challenge is to provide maximum protection for business networks while ensuring freedom of communications.