WHAT IS DEEP PACKET INSPECTION? HOW IT WORKS, USE CASES FOR DPI, AND MORE

24 March 2018

WHAT IS DPI?

Deep packet inspection, which is also known as DPI, information extraction, IX, or complete packet inspection, is a type of network packet filtering. Deep packet inspection evaluates both the data part and the header of a packet that is transmitted through an inspection point, weeding out any non-compliance with protocol, spam, viruses, intrusions, and any other defined criteria to block the packet from passing through the inspection point. Deep packet inspection is also used to decide whether a particular packet is redirected to another destination. In short, deep packet inspection is able to locate, detect, categorize, block, or reroute packets that have specific code or data payloads that are not detected, located, categorized, blocked, or redirected by conventional packet filtering. Unlike plain packet filtering, deep packet inspection goes beyond examining packet headers.

HOW DEEP PACKET INSPECTION WORKS

Deep packet inspection is a form of packet filtering usually carried out as a function of your firewall. It is applied at the application layer of the Open Systems Interconnection (OSI) model. Deep packet inspection evaluates the contents of a packet that is going through a checkpoint. Using rules that are assigned by you, your Internet service provider, or the network or systems administrator, deep packet inspection determines what to do with these packets in real time.

Deep packet inspection is able to check the contents of these packets and then figure out where they came from, such as the service or application that sent them. In addition, it can work with filters in order to find and redirect network traffic from an online service, such as Twitter or Facebook, or from a particular IP address.

DEEP PACKET INSPECTION VS. CONVENTIONAL PACKET FILTERING

Conventional packet filtering only reads the header information of each packet.
This was a basic approach that was less sophisticated than the modern approach to packet filtering, largely due to the technology limitations at the time. Firewalls had very little processing power, and it was not enough to handle large volumes of packets. In other words, conventional packet filtering was similar to reading the title of a book, without awareness or evaluation of the content inside the cover.

With the advent of new technologies, deep packet inspection became feasible. As it became more thorough and complete, it became more comparable to picking up a book, cracking it open, and reading it from cover to cover.

USE CASES FOR DEEP PACKET INSPECTION

There are several uses for deep packet inspection. It can act as either an intrusion detection system or a combination of intrusion prevention and intrusion detection. It can identify specific attacks that your firewall, intrusion prevention, and intrusion detection systems cannot adequately detect. If your organization has users who are using their laptops for work, then deep packet inspection is vital in preventing worms, spyware, and viruses from getting into your corporate network. Furthermore, deep packet inspection is based on rules and policies defined by you, allowing your network to detect prohibited uses of approved applications.

Deep packet inspection is also used by network managers to help ease the flow of network traffic. For instance, if you have a high-priority message, you can use deep packet inspection to enable high-priority information to pass through immediately, ahead of other lower-priority messages. You can also prioritize packets that are mission-critical, ahead of ordinary browsing packets. If you have problems with peer-to-peer downloads, you can use deep packet inspection to throttle or slow down the rate of data transfer.
DPI can also be used to enhance the capabilities of ISPs to prevent the exploitation of IoT devices in DDoS attacks by blocking malicious requests from devices. Mobile service operators and other similar service providers also use deep packet inspection to tailor their offerings to individual subscribers, allowing them to differentiate data usage as “all you can eat,” walled garden, or value added. Record labels and other copyright holders can also request ISPs to block their content from being downloaded illegally – a process achieved through deep packet inspection. Other times, deep packet inspection is used for serving targeted advertising to users, lawful interception, and policy enforcement.

Deep packet inspection can also prevent some types of buffer overflow attacks. Lastly, deep packet inspection can help you prevent anybody from leaking information, such as when e-mailing a confidential file. Instead of being able to successfully send out a file, the user will instead receive information on how to get the necessary permission and clearance to send it.

As with other technologies, deep packet inspection can also be used for less than admirable purposes, such as eavesdropping and censorship. In fact, the Chinese government has been known to use deep packet inspection to monitor the country's network traffic and censor some content and sites that are harmful to their interests. This is how China has been able to block out pornography, religious information, materials concerning political dissent, and even popular websites such as Wikipedia, Google, and Facebook.

While DPI has many potential use cases, it can easily detect the recipient or sender of the content that it monitors, so there are some concerns around privacy. This is primarily a concern when DPI is used in the context of marketing and advertising, through monitoring the behavior of users and selling browsing and other data to marketing or advertising companies.
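The contrast between header-only filtering and deep packet inspection described above, as an added example that is not part of the original article: it parses raw IPv4/TCP bytes, applies a port-based header filter, and then matches the payload against rules that block a data leak or throttle peer-to-peer traffic. The allowed ports, rule names, patterns, and sample packets are all constructed assumptions.

```python
import re
import socket
import struct

def build_packet(src, dst, dport, payload):
    """Constructed sample: minimal IPv4/TCP packet, checksums left at zero."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload

def parse_packet(raw):
    """Return (src, dst, dport, payload) from raw IPv4/TCP bytes."""
    ihl = (raw[0] & 0x0F) * 4                      # IP header length in bytes
    if raw[0] >> 4 != 4 or raw[9] != 6 or len(raw) < ihl + 20:
        raise ValueError("not a complete IPv4/TCP packet")
    dport = struct.unpack("!H", raw[ihl + 2:ihl + 4])[0]
    data_offset = (raw[ihl + 12] >> 4) * 4         # TCP header length in bytes
    payload = raw[ihl + data_offset:int.from_bytes(raw[2:4], "big")]
    return socket.inet_ntoa(raw[12:16]), socket.inet_ntoa(raw[16:20]), dport, payload

ALLOWED_PORTS = {25, 80}  # hypothetical header-only policy
DPI_RULES = [  # hypothetical payload rules: (name, pattern, action)
    ("confidential-marker", re.compile(rb"CONFIDENTIAL", re.I), "block"),
    ("p2p-handshake", re.compile(rb"^\x13BitTorrent protocol"), "throttle"),
]

def header_filter(raw):
    """Conventional filtering: the decision uses header fields only."""
    return "allow" if parse_packet(raw)[2] in ALLOWED_PORTS else "block"

def deep_inspect(raw):
    """DPI: header check first, then the payload is matched against the rules."""
    if header_filter(raw) == "block":
        return "block", "port"
    payload = parse_packet(raw)[3]
    for name, pattern, action in DPI_RULES:
        if pattern.search(payload):
            return action, name
    return "allow", None

SAMPLES = {  # constructed packets, addresses from documentation ranges
    "web": build_packet("192.0.2.5", "203.0.113.10", 80, b"GET / HTTP/1.1\r\n\r\n"),
    "mail": build_packet("192.0.2.5", "203.0.113.25", 25, b"Subject: plan\r\n\r\nConfidential"),
    "p2p": build_packet("192.0.2.5", "198.51.100.7", 80, b"\x13BitTorrent protocol" + bytes(8)),
    "telnet": build_packet("192.0.2.5", "203.0.113.10", 23, b"login: "),
}
for label, pkt in SAMPLES.items():
    print(label, header_filter(pkt), deep_inspect(pkt))
```

The header filter allows the mail and peer-to-peer samples because their ports are permitted; only the payload rules distinguish them from ordinary traffic.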
DEEP PACKET INSPECTION TECHNIQUES

Two primary types of products utilize deep packet inspection: firewalls that have implemented features of IDS, such as content inspection, and IDS systems that aim to protect the network rather than focus only on detecting attacks. Some of the main techniques used for deep packet inspection include:
