Deep packet inspection
From Computing and Software Wiki
m |
(→External Links) |
||
(5 intermediate revisions not shown) | |||
Line 1: | Line 1: | ||
- | Deep Packet Inspection (DPI) is a technology used to scan | + | [[Image:OSI_layers.png|thumb|OSI Model Layers]] |
- | This inspection technique is generally used for network security applications in order to check for malicious software being transferred in the packet<sup>[2]</sup> | + | '''Deep Packet Inspection''' ('''DPI''') is a technology used to scan network information packets beyond their protocol headers to retrieve and analyse data carried in the packet. This is as opposed to shallow or stateful packet inspection which scans only the header portion of a packet to ensure that the protocols are being used properly<sup>[1]</sup>. |
+ | This inspection technique is generally used for network security applications in order to check for malicious software being transferred in the packet<sup>[2]</sup> and also to guard against attacks such as [[Denial Of Service Attacks]]. However there are concerns that the same technology could be easily applied to creating a 'tiered' service structure where customers are charged more for downloading certain types of files or accessing certain types of websites<sup>[3]</sup>. | ||
__TOC__ | __TOC__ | ||
==Background== | ==Background== | ||
- | The need for DPI was driven by increasing threat presence over networks that previous iterations of firewall technology were unable to properly defend against. These threats included viruses sent through e-mail and more sophisticated intrusion methods<sup>[4]</sup>. However, in order to check for these threats, a greater amount of information needed to be accessed than currently could be by standard | + | The need for DPI was driven by increasing threat presence over networks that previous iterations of [[Network firewall|firewall]] technology were unable to properly defend against. These threats included viruses sent through e-mail and more sophisticated intrusion methods<sup>[4]</sup>. However, in order to check for these threats, a greater amount of information needed to be accessed than currently could be by standard [[Network firewall|firewall]]s and intrusion detection systems. This led to the development of a system in which the information contents of the packets can be examined<sup>[1]</sup>. |
With this capability enabled, the packet can be scanned for hints as to the intentions of the sender. The problem with the implementation is one of creating a system for searching the packets at wire speed<sup>[4]</sup>. As a result, development of fast hardware and software is a requirement of any useful implementation of DPI. | With this capability enabled, the packet can be scanned for hints as to the intentions of the sender. The problem with the implementation is one of creating a system for searching the packets at wire speed<sup>[4]</sup>. As a result, development of fast hardware and software is a requirement of any useful implementation of DPI. | ||
==Technology== | ==Technology== | ||
- | The technology used to implement DPI firewalls began with byte string searches through packet contents, but this technology was inefficient and has been being improved since initial conception. | + | The technology used to implement DPI firewalls began with byte string searches through packet contents, but this technology was inefficient and has been being improved since the initial conception of the technique. |
===Design=== | ===Design=== | ||
Original DPI filters used pattern matching with byte strings in order to search through the contents of a packet for signatures of unwanted messages. For example, several widespread internet worms such as Nimda, Code Red and Slammer are spread by executable files containing certain byte strings that can be searched for<sup>[2]</sup>. | Original DPI filters used pattern matching with byte strings in order to search through the contents of a packet for signatures of unwanted messages. For example, several widespread internet worms such as Nimda, Code Red and Slammer are spread by executable files containing certain byte strings that can be searched for<sup>[2]</sup>. | ||
Line 20: | Line 21: | ||
==Usage== | ==Usage== | ||
- | DPI has many possible uses, but the main ones to be implemented are network security applications and customer service monitoring at an ISP. | + | DPI has many possible uses, but the main ones to be implemented are network security applications and customer service monitoring at an ISP. [[Image:Firewall.jpg|thumb|A Firewall]] |
===Network Security=== | ===Network Security=== | ||
- | DPI is an innovation in firewall technology that removes the additional network equipment required for intrusion detection and prevention by integrating these extra components into the firewall itself. Whereas stateful inspection was able to determine the protocol of the packets to be inspected, DPI is able to make its decisions based on the actual ''data content'' of the packets<sup>[1]</sup>. Using this method the firewall is able to make much more informed decisions on when the network traffic is trying to perform a forbidden task. With stateful inspection, the only capability is based on the packets not following a standard protocol, whereas DPI is able to find in detail what the packet may be attempting to accomplish based on a rule-set implemented by an administrator<sup>[7]</sup>. | + | DPI is an innovation in [[Network firewall|firewall]] technology that removes the additional network equipment required for intrusion detection and prevention by integrating these extra components into the [[Network firewall|firewall]] itself. Whereas stateful inspection was able to determine the protocol of the packets to be inspected, DPI is able to make its decisions based on the actual ''data content'' of the packets<sup>[1]</sup>. Using this method the [[Network firewall|firewall]] is able to make much more informed decisions on when the network traffic is trying to perform a forbidden task. With stateful inspection, the only capability is based on the packets not following a standard protocol, whereas DPI is able to find in detail what the packet may be attempting to accomplish based on a rule-set implemented by an administrator<sup>[7]</sup>. |
===By the ISP=== | ===By the ISP=== | ||
An ISP utilizing DPI is able to determine detailed information regarding the browsing habits of their customers allowing them to offer advanced service and denial capabilities of users attempting to access various types of files or using certain software programs<sup>[3]</sup>. Several of the possible uses in an ISP include: | An ISP utilizing DPI is able to determine detailed information regarding the browsing habits of their customers allowing them to offer advanced service and denial capabilities of users attempting to access various types of files or using certain software programs<sup>[3]</sup>. Several of the possible uses in an ISP include: | ||
Line 36: | Line 37: | ||
==See Also== | ==See Also== | ||
+ | *[[Network Intrusion Detection System]] | ||
+ | *[[Peer To Peer Network Security]] | ||
==References== | ==References== | ||
Line 59: | Line 62: | ||
==External Links== | ==External Links== | ||
+ | * [http://en.wikipedia.org/wiki/Net_neutrality Wikipedia page on network neutrality] | ||
+ | * [http://en.wikipedia.org/wiki/Internet_service_provider Wikipedia page describing ISPs] | ||
+ | * [http://www.inputoutput.io/?p=9 Subverting Deep Packet Inspection the Right Way] | ||
+ | * [http://www.ranum.com/security/computer_security/editorials/deepinspect/ What is "Deep Inspection"?] | ||
+ | * [http://dpi.priv.gc.ca/ A collection of essays from industry experts] | ||
- | + | [[User:Watsos|Watsos]] 22:52, 10 April 2009 (EDT) | |
- | [[User:Watsos|Watsos]] | + |
Current revision as of 02:52, 11 April 2009
Deep Packet Inspection (DPI) is a technology used to scan network information packets beyond their protocol headers to retrieve and analyse data carried in the packet. This is as opposed to shallow or stateful packet inspection which scans only the header portion of a packet to ensure that the protocols are being used properly[1]. This inspection technique is generally used for network security applications in order to check for malicious software being transferred in the packet[2] and also to guard against attacks such as Denial Of Service Attacks. However there are concerns that the same technology could be easily applied to creating a 'tiered' service structure where customers are charged more for downloading certain types of files or accessing certain types of websites[3].
Contents |
Background
The need for DPI was driven by increasing threat presence over networks that previous iterations of firewall technology were unable to properly defend against. These threats included viruses sent through e-mail and more sophisticated intrusion methods[4]. However, in order to check for these threats, a greater amount of information needed to be accessed than currently could be by standard firewalls and intrusion detection systems. This led to the development of a system in which the information contents of the packets can be examined[1]. With this capability enabled, the packet can be scanned for hints as to the intentions of the sender. The problem with the implementation is one of creating a system for searching the packets at wire speed[4]. As a result, development of fast hardware and software is a requirement of any useful implementation of DPI.
Technology
The technology used to implement DPI firewalls began with byte string searches through packet contents, but this technology was inefficient and has been being improved since the initial conception of the technique.
Design
Original DPI filters used pattern matching with byte strings in order to search through the contents of a packet for signatures of unwanted messages. For example, several widespread internet worms such as Nimda, Code Red and Slammer are spread by executable files containing certain byte strings that can be searched for[2].
Issues and Challenges
The major issue with the implementation of DPI in standard networks is the speed at which these searches can be performed. In order to really be useful, these checks must be done at wire speed and with networks scaling up to 10 Gbps, it is difficult to perform inline checks that will not negatively affect network performance[5]. There are, however, several methods available or becoming available that address this issue in both software and hardware including:
- Fast TCAM algorithms[5]
- Parallel bloom filters[2]
- Reconfigurable FPGAs performing regular expression matching[6]
The implementation chosen will depend on the company using the technology. Any of the given implementations give a fast, powerful method for obtaining and filtering DPI data for whatever uses the network administrators have deemed necessary.
Usage
DPI has many possible uses, but the main ones to be implemented are network security applications and customer service monitoring at an ISP.Network Security
DPI is an innovation in firewall technology that removes the additional network equipment required for intrusion detection and prevention by integrating these extra components into the firewall itself. Whereas stateful inspection was able to determine the protocol of the packets to be inspected, DPI is able to make its decisions based on the actual data content of the packets[1]. Using this method the firewall is able to make much more informed decisions on when the network traffic is trying to perform a forbidden task. With stateful inspection, the only capability is based on the packets not following a standard protocol, whereas DPI is able to find in detail what the packet may be attempting to accomplish based on a rule-set implemented by an administrator[7].
By the ISP
An ISP utilizing DPI is able to determine detailed information regarding the browsing habits of their customers allowing them to offer advanced service and denial capabilities of users attempting to access various types of files or using certain software programs[3]. Several of the possible uses in an ISP include:
Tiered Services
Since an ISP routes all the traffic of their customers and DPI is able to give a high degree of detail regarding these customers' browsing habits, any ISP using DPI technology on their networks would feasibly be able to limit the traffic of customers who have not paid for the higher tiers of services[3]. Using this method an ISP would be able to limit the type of files downloaded, the total number of downloads, number of e-mails received and etc. for any customer. They could also limit traffic considered "less important" by relegating it to lower speeds when its use is detected[3].
Targeted Advertising
In the same manner as above, an ISP will be able to view the browsing habits of its customers and filter advertising sent to the user accordingly. This will provide a higher purchase rate through advertisements, creating higher revenue for both the advertisers and for the ISP implementing the strategy. This has already been implemented in the past by several ISPs, including Charter communications who have since cancelled the strategy[8].
Copyright Enforcement
As a result of the MPAA and RIAA beginning to turn their suits against copyright infringement over to the ISP instead of the individual[9] to try and get ISPs to block the access of customers to P2P applications and bit torrent sites in order to cut down on the illegal trading of copyrighted files. By using DPI the ISPs would be able to carry out these requests and as a result of the lawsuits, would have strong incentive to carry it out.
Net Neutrality
DPI is a technology that can provide incredible detail of the network habits of any individual to their ISP. It can be claimed to be equivalent to a phone tap[10] based on the amount of private information that can be gleaned from examining the data. As a result, proponents of network neutrality say that this clearly is against the idea of network neutrality and are against its wide implementation and acceptance[10].
See Also
References
[1] I. Dubrawsky, Firewall Evolution - Deep Packet Inspection, Security Focus, Jul. 2003, available at http://www.securityfocus.com/infocus/1716
[2] S. Dharmapurikar, P. Krishnamurthy, T. Sproull and J. Lockwood, Deep Packet Inspection using Parallel Bloom Filters, IEEE Micro, vol. 24, no. 1, Jan.-Feb. 2004, p.52-61
[3] J. Chester, The End of the Internet?, The Nation, Feb. 2006, available at http://www.thenation.com/doc/20060213/chester
[4] C. Weinschenk, The Case for Deep Packet Inspection, It Business Edge, Oct. 2007, available at http://www.itbusinessedge.com/cm/community/features/interviews/blog/the-case-for-deep-packet-inspection/?cs=22719
[5] Seok-Min Kang, Il-Seop Song, Youngseok Lee, and Taeck-Geun Kwon, Design and Implementation of a Multi-gigabit Intrusion and Virus/Worm Detection System, Communications, 2006 IEEE International Conference on, vol. 5, June 2006, p.2136 - 2141.
[6] J. Moscola, J. Lockwood, R. Loui and M. Pachos, Implementation of a Content-Scanning Module for an Internet Firewall, Field-Programmable Custom Computing Machines, 2003. FCCM 2003. 11th Annual IEEE Symposium on 9-11 April 2003, p.31-38.
[7] T. Porter, The Perils of Deep Packet Inspection, Security Focus, Jan. 2005, available at http://www.securityfocus.com/infocus/1817
[8] R. Esguerra, Charter Communications ISP Halts Traffic Inspection/Advertising Plan, Electronic Frontier Foundation, Jun. 2008, available at http://www.eff.org/deeplinks/2008/06/charter-communications-isp-halts-traffic-inspectio
[9] E. Bangerman, "Year of filters" turning into year of lawsuits against ISPs, Ars Technica, Mar. 2008, available at http://arstechnica.com/tech-policy/news/2008/03/year-of-filters-turning-into-year-of-lawsuits-against-isps.ars
[10] N. Anderson, Deep packet inspection meets 'Net neutrality, CALEA, Ars Technica, Jul. 2007, available at http://arstechnica.com/hardware/news/2007/07/Deep-packet-inspection-meets-net-neutrality.ars
External Links
- Wikipedia page on network neutrality
- Wikipedia page describing ISPs
- Subverting Deep Packet Inspection the Right Way
- What is "Deep Inspection"?
- A collection of essays from industry experts
Watsos 22:52, 10 April 2009 (EDT)