Deep packet inspection tools: Proxy vs. stream-based

Deep packet inspection (DPI) tools have been mostly associated with service provider networks, but enterprise network managers are increasingly turning to the technology to better manage application performance and ensure a greater level of security.

Basic firewalls inspect packet headers to ensure that HTTP requests go only to the Web server and that SMTP traffic is directed to the email server, but this does not protect against Web attacks or email-borne malware. DPI tools, on the other hand, inspect the entire contents of a packet and determine performance based on which application layer protocol is in use. As such, DPI makes it possible to find, identify, classify, reroute or block packets with specific data or code payloads that conventional packet filtering cannot detect.

DPI tools: Stream vs. proxy-based

Packet inspection strategies can be broken into two categories: stream-based and proxy-based.

Stream-based inspection examines the data in each incoming packet as it arrives. If no threat is found, the packet is forwarded to its destination. Proxy-based inspection buffers the series of packets that make up a single transaction and inspects for threats after all packets have been received. Both stream- and proxy-based inspection techniques match data sequences against known threat signatures and also utilize heuristics to detect zero-day attacks.

Critics of proxy-based DPI tools say that the volume of data pouring through protection devices (especially with increasing file sizes) makes it impossible for a proxy-based product to buffer all of the incoming traffic. What's more, they believe that buffering large files introduces unacceptable delays in application performance.

To address the concern of problematic buffer sizes, Fortinet, for example, offers a product that includes a configuration parameter to limit buffer sizes. The company's accompanying literature explains the trade-offs between buffer size and the probability of missing an attack. In addition, proxy-based inspection advocates say the difference in performance between a stream-based and proxy-based tool is a misperception and that actual transaction time is approximately the same.

Meanwhile, critics of stream-based technology say those tools aren't as thorough as proxy-based tools because it is impossible to detect threats without viewing the entire transaction. What's more, they say that stream-based products can decompress only basic compression techniques such as .zip, while proxy-based products can decompress many techniques. Vendors of stream-based products contend that their software can detect the characteristics of malware as they inspect packets one by one.
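The following added example (not code from the article or from any vendor named in it) models the two approaches on one constructed transaction whose signature straddles a packet boundary. It shows per-packet stream inspection missing the match, proxy-based reassembly catching it, the effect of a capped proxy buffer of the kind described above, and a stream inspector that carries over the tail of the previous packet (an assumed technique, added here for contrast) to match across the boundary without buffering the whole transaction.

```python
from typing import List, Optional, Tuple

# Constructed sample signature and transaction; not a real malware indicator.
SIGNATURES = [b"EVIL-PAYLOAD-MARKER"]

def split_transaction(data: bytes, mtu: int) -> List[bytes]:
    """Break one transaction into fixed-size packets (constructed MTU, no headers)."""
    return [data[i:i + mtu] for i in range(0, len(data), mtu)]

def stream_inspect(packets: List[bytes], signatures=SIGNATURES) -> List[Tuple[int, bytes]]:
    """Stream-based: examine each packet in isolation and forward it at once.
    Returns (packet index, signature) for every match."""
    return [(i, sig) for i, pkt in enumerate(packets) for sig in signatures if sig in pkt]

def stream_inspect_carry(packets: List[bytes], signatures=SIGNATURES) -> List[Tuple[int, bytes]]:
    """Stream-based with a carry-over window (assumed technique): keep the last
    len(longest signature)-1 bytes of the previous packet so a signature split across
    a packet boundary still matches, without buffering the whole transaction."""
    window = max(len(s) for s in signatures) - 1
    carry, hits = b"", []
    for i, pkt in enumerate(packets):
        view = carry + pkt
        hits.extend((i, sig) for sig in signatures if sig in view)
        carry = view[-window:] if window > 0 else b""
    return hits

def proxy_inspect(packets: List[bytes], signatures=SIGNATURES,
                  max_buffer: Optional[int] = None) -> List[Tuple[int, bytes]]:
    """Proxy-based: reassemble the transaction, then scan. max_buffer models a
    configurable buffer limit; bytes beyond it are forwarded uninspected.
    Returns (byte offset in the transaction, signature) for every match."""
    buf = b"".join(packets)
    if max_buffer is not None:
        buf = buf[:max_buffer]
    return [(buf.find(sig), sig) for sig in signatures if sig in buf]

# Constructed transaction: 20-byte request line, 12 bytes filler, signature at offset 32.
TRANSACTION = b"GET /file HTTP/1.1\r\n" + b"x" * 12 + SIGNATURES[0] + b"y" * 40
PACKETS = split_transaction(TRANSACTION, 40)   # signature spans packets 0 and 1

if __name__ == "__main__":
    print("per-packet stream :", stream_inspect(PACKETS))          # []
    print("stream with carry :", stream_inspect_carry(PACKETS))    # [(1, ...)]
    print("proxy, unlimited  :", proxy_inspect(PACKETS))           # [(32, ...)]
    print("proxy, 32-byte cap:", proxy_inspect(PACKETS, max_buffer=32))  # []
```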

Wedge Networks adds an additional DPI strategy: deep content inspection. Wedge products reassemble a sequence of packets that are then decompressed and decoded into application level objects. Then Wedge's anti-spam, anti-virus and Web monitor products inspect the entire object to detect threats.

Integrating DPI into other network security and management devices

Increasingly, DPI functions are being incorporated into other forms of network security and management to better control network access and even ensure Quality of Service (QoS).

DPI functions work within Intrusion Prevention System (IPS), Unified Threat Management (UTM), and Data Leak Prevention (DLP) devices to address the increased risk linked with personal devices on the enterprise network, going well beyond malware protection.

In addition, DPI tools can show the percentage of bandwidth each application uses, and some DPI devices let network managers control bandwidth allocations based on this data. DPI is also used in network test devices to enable network managers to trap and record specific events at the application layer.

Now that DPI is being incorporated into other network management and security devices, a much wider variety of networking technology vendors is offering the tools. In part 2 of this series on DPI tools, we outline a wide variety of DPI vendors.

David B. Jacobs of The Jacobs Group has more than twenty years of networking industry experience. He has managed leading-edge software development projects and consulted to Fortune 500 companies as well as software start-ups.

This was first published in June 2012
