Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Deep packet inspection tools: Proxy vs. stream-based

As more enterprises consider deep packet inspection tools, network managers must choose the technique that works best for them.

Deep packet inspection (DPI) tools have been mostly associated with service provider networks, but enterprise network...

managers are increasingly turning to the technology to better manage application performance and ensure a greater level of security.

Basic firewalls inspect packet headers to ensure that HTTP requests go only to the Web server and that SMTP traffic is directed to the email server, but this does not protect against Web attacks or email-borne malware. DPI tools, on the other hand, inspect the entire contents of a packet and determine performance based on which application layer protocol is in use. As such, DPI makes it possible to find, identify, classify, reroute or block packets with specific data or code payloads that conventional packet filtering cannot detect.

DPI tools: Stream vs. proxy-based

Packet inspection strategies can be broken into two categories: stream-based and proxy-based.

Stream-based inspection examines the data in each incoming packet as it arrives. If no threat is found, the packet is forwarded to its destination. Proxy-based inspection buffers the series of packets that make up a single transaction and inspects for threats after all packets have been received. Both stream- and proxy-based inspection techniques match data sequences against known threat signatures and also utilize heuristics to detect zero-day attacks.

Critics of proxy-based DPI tools say that the volume of data pouring through protection devices (especially with increasing file sizes) makes it impossible for a proxy-based product to buffer all of the incoming traffic. What's more, they believe that buffering large files introduces unacceptable delays in application performance.

To address the concern of problematic buffer sizes, Fortinet, for example, offers a product that includes a configuration parameter to limit buffer sizes. The company's accompanying literature explains the trade-offs between buffer size and the probability of missing an attack. In addition, proxy-based inspection advocates say the difference in performance between a stream-based and proxy-based tool is a misperception and that actual transaction time is approximately the same.

Meanwhile, critics of stream-based technology say those tools aren't as thorough as proxy-based tools because it is impossible to detect threats without viewing the entire transaction. What's more, they say that stream-based products can decompress only basic compression techniques such as .zip, while proxy-based products can decompress many techniques. Vendors of stream-based products contend that their software can detect the characteristics of malware as they inspect packets one by one.

Wedge Networks adds an additional DPI strategy: deep content inspection. Wedge products reassemble a sequence of packets that are then decompressed and decoded into application level objects. Then Wedge's anti-spam, anti-virus and Web monitor products inspect the entire object to detect threats.

Integrating DPI into other network security and management devices

Increasingly, DPI functions are being incorporated into other forms of network security and management to better control network access and even ensure Quality of Service (QoS).

DPI functions work within Intrusion Prevention System (IPS), Unified Threat Management (UTM), and Data Leak Prevention (DLP) devices to address the increased risk linked with personal devices on the enterprise network, going well beyond malware protection.

In addition, DPI tools can show the percentage of bandwidth each application uses. So some DPI devices even enable network managers to control bandwidth allocations based on this data. DPI is also used in network test devices to enable network managers to trap and record specific events at the application layer.

Now that DPI is being incorporated into other network management and security devices, a much wider variety of networking technology vendors is offering the tools. In part 2 of this series on DPI tools, we outline a wide variety of DPI vendors

David B. Jacobs of The Jacobs Group has more than twenty years of networking industry experience. He has managed leading-edge software development projects and consulted to Fortune 500 companies as well as software start-ups.

This was last published in June 2012

Dig Deeper on Network management and monitoring