Deep packet inspection (DPI) is an advanced method of examining and managing network traffic. It is a form of packet filtering that locates, identifies, classifies and reroutes or blocks packets with specific data or code payloads that conventional packet filtering, which examines only packet headers, cannot detect.
Usually performed as part of a firewall defense, deep packet inspection functions at the application layer of the Open Systems Interconnection (OSI) reference model.
Deep packet inspection examines the contents of packets passing through a given checkpoint and makes real-time decisions depending on what a packet contains and based on rules assigned by an enterprise, an internet service provider or a network manager.
Previous forms of packet filtering only looked at packet header information, which is analogous to reading an address printed on an envelope without any knowledge of the contents of the envelope. This was due partly to the limitations of older technology.
Until recently, firewalls lacked the processing power to inspect payloads across large volumes of traffic in real time. Faster hardware has since made it practical for DPI to check both the packet headers and the data they carry without becoming a bottleneck.
DPI can examine the contents of a message and identify the specific application or service that sent it. In addition, filters can be programmed to look for and reroute network traffic from a specific Internet Protocol address range or a certain online service, such as Facebook or Twitter.
DPI is mainly used by firewalls that include an intrusion detection system feature and by standalone IDSes that are intended to both detect attacks and protect the network.
It can be used for benevolent purposes as a network security tool to detect and intercept viruses, worms, spyware and other forms of malicious traffic and intrusion attempts. But it can also be used for more nefarious activities, like eavesdropping and state-sponsored censorship.
Deep packet inspection is also useful for network management and content policy enforcement to stop data leaks and to streamline or modify the flow of network traffic as per specific use cases. For example, a message tagged as high-priority can be routed to its destination ahead of less important or lower-priority messages or packets. DPI can also be used to throttle data transfers to prevent peer-to-peer abuse and thus improve network performance.
Because DPI makes it possible to identify the sender or recipient of packets that carry specific content, and to treat that traffic differently from other traffic, it has sparked concern among privacy advocates and supporters of net neutrality.
Deep packet inspection has three significant limitations:
Despite these limitations, many network administrators have embraced deep packet inspection technology to cope with the increase in the volume, complexity and frequency of internet-related threats.
The following are the three main techniques used in deep packet inspection:
In a network, each data packet carries headers that provide basic information about it, such as the source and destination addresses, the transport protocol and the port numbers. Conventional packet filtering reads only this information. This is the traditional approach used by older firewalls, which could not process payload data quickly enough to avoid degrading network performance.
With deep packet inspection, firewalls can overcome those shortcomings for more comprehensive, real-time packet inspection. This enables them to extract or filter information beyond packet headers for more proactive and advanced network monitoring and protection. Within the constantly expanding cyberthreat landscape, DPI is a powerful aspect of the network security ecosystem.
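The following is an added example, not code from the original article or from any vendor's product, that makes the header-versus-payload distinction concrete. It builds a few IPv4/TCP packets with constructed payloads, applies a conventional header-only filter (which can see only the 5-tuple) and then a small DPI pass that identifies the application from the payload regardless of port, extracts the HTTP Host header or the TLS Server Name Indication, and matches a byte signature. The blocked host name, the blocked application, the signature string and the sample addresses (RFC 5737 documentation ranges) are all assumptions made for the illustration.

```python
import struct
import ipaddress

# ---- constructed sample traffic (not real captures) ----

def build_ipv4_tcp(src, dst, sport, dport, payload):
    """Minimal IPv4 + TCP packet. Checksums are left zero; enough for header parsing."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload

def build_tls_client_hello(sni):
    """TLS 1.2-style ClientHello carrying a server_name extension (RFC 6066)."""
    name = sni.encode()
    sni_ext = struct.pack("!HH", 0, len(name) + 5) + struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"      # client_version, random, session_id_len = 0
            + struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite (TLS_AES_128_GCM_SHA256)
            + b"\x01\x00"                              # compression_methods: null only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

SAMPLES = {  # constructed examples
    "web": build_ipv4_tcp("10.0.0.5", "192.0.2.10", 51000, 80,
                          b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "blocked_tls": build_ipv4_tcp("10.0.0.5", "203.0.113.7", 51001, 443,
                                  build_tls_client_hello("example-blocked.test")),
    "ssh_on_443": build_ipv4_tcp("10.0.0.5", "203.0.113.9", 51002, 443, b"SSH-2.0-OpenSSH_9.6\r\n"),
    "payload_sig": build_ipv4_tcp("10.0.0.5", "203.0.113.8", 51003, 80,
                                  b"POST /upload HTTP/1.1\r\nHost: files.test\r\n\r\ncmd.exe /c whoami"),
}

# ---- conventional filtering: headers only ----

def parse_headers(pkt):
    """Return the 5-tuple a header-only filter sees, plus the TCP payload for later inspection."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = {"proto": pkt[9],
           "src": str(ipaddress.IPv4Address(pkt[12:16])),
           "dst": str(ipaddress.IPv4Address(pkt[16:20]))}
    hdr["sport"], hdr["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    data_off = (pkt[ihl + 12] >> 4) * 4
    return hdr, pkt[ihl + data_off:]

def header_only_verdict(hdr, allowed_ports=(80, 443)):
    """Port-based policy: anything TCP to 80/443 looks like web traffic and passes."""
    return "allow" if hdr["proto"] == 6 and hdr["dport"] in allowed_ports else "block"

# ---- deep packet inspection: payload classification and content matching ----

def tls_sni(payload):
    """Extract server_name from a TLS ClientHello; None if not a ClientHello or malformed."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:
            return None
        p = 9 + 2 + 32                                     # record + handshake headers, version, random
        p += 1 + payload[p]                                # session_id
        p += 2 + struct.unpack("!H", payload[p:p + 2])[0]  # cipher_suites
        p += 1 + payload[p]                                # compression_methods
        end = p + 2 + struct.unpack("!H", payload[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", payload[p:p + 4])
            p += 4
            if etype == 0:                                 # server_name extension
                name_len = struct.unpack("!H", payload[p + 3:p + 5])[0]
                return payload[p + 5:p + 5 + name_len].decode("ascii", "replace")
            p += elen
    except (IndexError, struct.error):
        pass
    return None

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

def classify(payload):
    """Identify the application from payload bytes, independent of the destination port."""
    if payload.startswith(HTTP_METHODS):
        host = None
        for line in payload.split(b"\r\n")[1:]:
            if line.lower().startswith(b"host:"):
                host = line.split(b":", 1)[1].strip().decode("ascii", "replace")
        return "http", host
    sni = tls_sni(payload)
    if sni is not None:
        return "tls", sni
    if payload.startswith(b"SSH-"):
        return "ssh", None
    return "unknown", None

BLOCKED_HOSTS = {"example-blocked.test"}   # assumed policy
BLOCKED_APPS = {"ssh"}                     # assumed policy: no SSH tunnelled over web ports
BLOCKED_SIGNATURES = [b"cmd.exe /c"]       # constructed signature, for illustration only

def inspect(pkt):
    """Return (header-only verdict, DPI verdict, application, host/SNI) for one packet."""
    hdr, payload = parse_headers(pkt)
    app, name = classify(payload)
    dpi = "allow"
    if (name and name.lower() in BLOCKED_HOSTS) or app in BLOCKED_APPS \
            or any(sig in payload for sig in BLOCKED_SIGNATURES):
        dpi = "block"
    return header_only_verdict(hdr), dpi, app, name

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(label, inspect(pkt))
```

Every sample passes the header-only filter because it is TCP to port 80 or 443; only the DPI pass notices the ClientHello for a blocked name, SSH hiding on 443, and the signature buried after the HTTP body. The same parsing is also where the cost of DPI shows up: `tls_sni` has to walk variable-length fields in the handshake for every new flow, which is the per-packet work older firewalls could not afford.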
13 Sep 2021