By Safa Alkateb
Network and telecommunications engineers face stark challenges in the coming years.
Analysts predict sharp increases in demand for network bandwidth and speed, as well
as the proliferation of sophisticated security risks. YouTube video already accounts for
about one fifth of all Internet data, and Cisco forecasts that by 2014 online video use will
increase sevenfold. Peer-to-peer networking, VoIP, video chat and conferencing, online
gaming, cloud computing and other data-intensive activities are also expected to grow
dramatically, straining physical and wireless infrastructure across the globe.
On top of these bandwidth concerns are the ever-changing security threats that
jeopardize government and corporate networks, individual computers and mobile
devices. According to WhiteHat Security, the number of security threats doubled in the
past year and a half, and the pace of cyber crime is quickening.
To combat these pressures and meet future demand for data services, governments,
enterprises and carriers are not only upgrading their network infrastructure for greater
speed and quality of service, but they are looking for ways to manage their data flows
more intelligently. And the key to maintaining the integrity and efficiency of a multi-Gbps
network is a technology called deep packet inspection (DPI).
In this white paper, we explore five critical issues related to DPI, helping companies that
are interested in adding DPI to their products or networks better understand DPI, what it
can achieve, what best practices look like and what implications DPI has on privacy and
net neutrality.
White Paper: 5 Things You Need to Know about Deep Packet Inspection (DPI) 3
1. What is DPI?
DPI is a hardware and software solution that monitors a network's data stream and
identifies protocols and applications, inappropriate URLs, intrusion attempts and
malware by looking deep into data packets. DPI provides important security and
translation functions by inspecting incoming packets, reassembling and decompressing
them, analyzing the code and passing data to appropriate applications and services. If
malicious URLs or code are detected, the system can block them entirely.
DPI can also be used by service providers to offer subscribers different levels of access
(such as type of usage, data limits or bandwidth level), comply with regulations, prioritize
traffic, adjust loads and gather statistical information. As more and more software moves
off the desktop and onto the enterprise network or into the cloud, network performance
becomes critical to productivity. DPI can recognize applications as data passes through
the system, allocating each the resources they need.
Today, the DPI industry is growing rapidly, with product revenue expected to reach $1.5
billion by 2014. DPI is an important part of a larger network security appliance and
software market that is expected to reach $7 billion by 2014.
The ability to quickly and easily update detection profiles without disrupting the system is
important in a DPI solution, particularly for data centers and carriers. For this reason,
detection engines should be user configurable without requiring a system reboot. A
credible DPI system should be able to detect protocols and applications using all of the
following methods:
Port Detection
Signature Detection
Heuristics Detection
Object Detection – Searching the data flow for potentially harmful executables
or objects (such as JPEG images), then analyzing them
Each of these detection approaches can and should be updated with third-party
signature subscriptions (such as those from security service provider Kaspersky).
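The three payload-independent and payload-based methods listed above (port, signature, heuristics) can be layered so that the cheapest, least trustworthy evidence never overrides the stronger evidence. The following toy classifier is an added illustration written for this page, not TurboDPI or Cavium code; the port table, signature bytes, entropy threshold and sample flows are constructed assumptions, and object detection (pulling embedded executables or images out of the stream for analysis) is left out.

```python
"""Layered protocol/application detection: port, signature, heuristics.
Added illustration, not TurboDPI code. Tables and flows are constructed."""
import math
from collections import Counter
from dataclasses import dataclass

# Port hints: cheapest method, lowest confidence (ports are trivially changed).
PORT_HINTS = {22: "ssh", 53: "dns", 80: "http", 443: "tls"}

# Payload signatures checked at the start of the flow: higher confidence,
# because they match protocol framing rather than an addressing convention.
SIGNATURES = {
    "http": [b"GET ", b"POST ", b"HEAD ", b"HTTP/1."],
    "ssh": [b"SSH-2.0-"],
    "tls": [b"\x16\x03\x01", b"\x16\x03\x03"],  # TLS record header (handshake)
}

ENTROPY_THRESHOLD = 7.0   # bits per byte; assumption chosen for this example
MIN_HEURISTIC_BYTES = 32  # too little data makes an entropy estimate meaningless


@dataclass
class Flow:
    dst_port: int
    payload: bytes  # first bytes of the reassembled stream


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def port_detect(flow: Flow):
    return PORT_HINTS.get(flow.dst_port)


def signature_detect(flow: Flow):
    head = flow.payload[:64]
    for proto, sigs in SIGNATURES.items():
        if any(head.startswith(s) for s in sigs):
            return proto
    return None


def heuristic_detect(flow: Flow):
    """Catch traffic with no fixed signature: a near-random payload is
    characteristic of encryption, compression or obfuscation."""
    if (len(flow.payload) >= MIN_HEURISTIC_BYTES
            and shannon_entropy(flow.payload) > ENTROPY_THRESHOLD):
        return "encrypted-or-compressed"
    return None


def classify(flow: Flow):
    """Return (label, method). Methods are consulted strongest-first so that a
    port hint never overrides what the payload actually shows."""
    for method, detector in (("signature", signature_detect),
                             ("heuristic", heuristic_detect),
                             ("port", port_detect)):
        label = detector(flow)
        if label:
            return label, method
    return "unknown", "none"


def port_mismatch(flow: Flow) -> bool:
    """True when the port promises one protocol but the payload shows another:
    an anomaly a DPI engine should surface rather than silently trust."""
    hint = port_detect(flow)
    label, method = classify(flow)
    return hint is not None and method != "port" and label != hint


if __name__ == "__main__":
    for f in (Flow(80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
              Flow(8022, b"SSH-2.0-OpenSSH_9.6\r\n"),
              Flow(80, bytes(range(256)))):
        print(f.dst_port, classify(f), "port mismatch:", port_mismatch(f))
```

The ordering is the point: SSH on port 8022 is still recognised as SSH, and a high-entropy stream on port 80 is reported as encrypted or compressed with a port mismatch flag, instead of being waved through as web traffic.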
IDS / IPS
Intrusion detection systems (IDS) and intrusion prevention systems (IPS) both detect
intrusion attempts and share many characteristics. They are used to detect hackers and
unauthorized people trying to access a network or computer, usually by exploiting a
vulnerability in an application. But the two systems differ in one important aspect: IDS is
primarily an out-of-band logging tool used for forensic analysis. IPS, on the other hand,
runs inline and automatically takes action when malicious activity is detected.
DPI systems can provide one or both of these services. To provide optimal performance,
IDS and IPS should support PCRE syntax, SNORT rules, normalized URL detection and
TCP normalization. Third party signature databases are available to detect thousands of
threats.
URL Filtering
URL filtering is a basic security feature, blocking unauthorized or inappropriate URLs.
But to work in a carrier-grade DPI environment it must be able to perform at a high level.
Specifically, the filtering function must be able to handle millions of URLs at real-time
speeds. To achieve these speeds, the system must be able to support both literal strings
and wildcards. To reduce the complexity of the rules that govern it, the filtering system
should provide URL normalization.
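The two requirements just stated, literal plus wildcard rules and URL normalization, fit together: normalizing first means one rule covers the many spellings of the same URL, and literal rules can then live in a hash set that stays fast at millions of entries. The sketch below is an added example for this page, not TurboDPI or Cavium code; the hostnames, rules and test URLs are constructed, and a production engine would replace the Python glob matching with a compiled automaton.

```python
"""URL normalization plus literal and wildcard block rules.
Added illustration, not TurboDPI code; rules and URLs are constructed."""
import fnmatch
import posixpath
from urllib.parse import unquote, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_key(url: str) -> str:
    """Canonical 'host[:port]/path' so one rule covers the many spellings a
    browser or an evasive client can produce: letter case, default ports,
    percent encoding, dot segments and trailing fragments."""
    url = url.strip()
    if "://" not in url:          # rules are often written without a scheme
        url = "http://" + url
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower().rstrip(".")
    try:
        port = parts.port
    except ValueError:            # non-numeric port: treat as no port
        port = None
    if port is not None and port != DEFAULT_PORTS.get(scheme):
        host = f"{host}:{port}"
    # Percent-decode, then collapse "." and ".." segments (never above root).
    raw_path = unquote(parts.path) or "/"
    path = posixpath.normpath(raw_path)
    if raw_path.endswith("/") and path != "/":
        path += "/"               # normpath drops a meaningful trailing slash
    return host + path


class UrlFilter:
    def __init__(self, literal_rules, wildcard_rules):
        # Literal rules go into a hash set: one lookup regardless of rule count.
        self.literal = {normalize_key(r) for r in literal_rules}
        # Wildcard rules are few and matched with shell-style globbing.
        self.wildcard = [r.lower() for r in wildcard_rules]

    def is_blocked(self, url: str) -> bool:
        key = normalize_key(url)
        if key in self.literal:
            return True
        return any(fnmatch.fnmatchcase(key, pat) for pat in self.wildcard)


# Constructed rule set for the example.
FILTER = UrlFilter(
    literal_rules=["example.test/blocked/page.html"],
    wildcard_rules=["*.bad-cdn.test/*", "example.test/downloads/*.exe"],
)

if __name__ == "__main__":
    for u in ("HTTP://Example.TEST:80/blocked/./page.html#frag",
              "http://example.test/blocked/%70age.html",
              "http://example.test/index.html"):
        print(u, "->", normalize_key(u), "blocked:", FILTER.is_blocked(u))
```

Without the normalization step, each of the first two URLs above would need its own literal rule, and a client could sidestep the filter simply by percent-encoding a letter.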
Raw throughput speed is only part of the picture. Advanced DPI systems are also highly
efficient, so they consume fewer resources and can run on less expensive equipment.
Until recently, DPI had to run on power-hungry, dedicated systems. Today, it can be
integrated efficiently into a larger system.
What do these advances mean to you? To provide DPI, you no longer need deep
expertise in the technology. Standardization has made DPI relatively easy to add to
many OEM and enterprise systems.
Hardware Features:
Multi-core processor technology
On-chip or on-board hardware acceleration for common functions
Code compaction to reduce I-cache misses
"Normal" path prediction to reduce execution cycles
Data structure consolidation to improve flow setup performance
Pre-fetching to sustain performance through data flow spikes
Software Features:
TCP-IP reassembly for accurate payload scanning
An abstracted centralized flow manager to allow for additional DPI engines
In-line decompress/GZIP support to decompress HTTPS payloads
HTML and MIME parsing to allow URL and object extraction
Minimal packet rescanning for 3x to 4x performance improvement
Ability to dynamically update rules
Optimized signatures
Companies that deploy DPI can combat privacy concerns with clearly written,
enforceable policies that lay out what information can be collected and what cannot.
They should also bear in mind that intrusive behavior, if discovered, can seriously
damage their reputation and revenues.
There is nothing inherent in DPI that compromises people’s privacy, of course. In fact,
DPI provides features and benefits to network communications that are available
nowhere else. For instance, DPI’s ability to feed data to applications at different bit rates
allows service providers to make optimal use of limited bandwidth and dramatically
improve the end user’s experience. Using DPI, a provider can discriminate in favor of
applications that require smooth data delivery. In this way, a streaming video can be
allocated more bandwidth than a video download. This technology allows companies like
Netflix and YouTube to deliver high performance even during peak hours. And now
lower speed options are becoming available at commodity prices, putting DPI within
reach of consumer-facing products.
Architecture
The TurboDPI system is designed to simultaneously support multiple functions, such as
protocol detection, URL filtering and IDS/IPS, and anti-malware. Packets passing
through the system first undergo on-the-fly IP and TCP reassembly and decompression
before being passed to the flow manager. HTTP, MIME and URL normalization are
applied and the data flow is checked against a variety of signatures and rules. Packets
flagged as positives are then routed to appropriate applications (such as anti-malware)
for further processing.
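The pipeline just described (reassembly, decompression, header and URL normalization, signature matching) is shown in miniature below; the same block also illustrates the TCP normalization point from the IDS/IPS section and the in-line GZIP item in the software-feature list. It is an added example written for this page, not TurboDPI or Cavium code: the HTTP response, the out-of-order and retransmitted segments and the "CONSTRUCTED-TEST-SIGNATURE" marker are all constructed, and the per-segment scanner is included only to show what a packet-at-a-time scan misses.

```python
"""Reassemble -> parse HTTP -> decompress -> scan, versus per-packet scanning.
Added illustration, not TurboDPI code. Traffic and signature are constructed."""
import gzip
import re
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int     # TCP sequence number relative to the flow's first byte
    data: bytes


def reassemble(segments, isn: int = 0) -> bytes:
    """Order segments by sequence number, drop retransmits, trim overlap and
    stop at the first gap (a real engine would buffer and wait for it)."""
    out = bytearray()
    expected = isn
    for seg in sorted(segments, key=lambda s: s.seq):
        if seg.seq + len(seg.data) <= expected:
            continue                      # fully retransmitted: already have it
        if seg.seq > expected:
            break                         # hole in the stream
        out += seg.data[expected - seg.seq:]  # skip the overlapping prefix
        expected = seg.seq + len(seg.data)
    return bytes(out)


def split_http(stream: bytes):
    """Separate status line/headers from body; header names lower-cased."""
    head, _, body = stream.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers, body


def decode_body(headers, body: bytes) -> bytes:
    """In-line GZIP support: scan what the browser will see, not the wire bytes."""
    if headers.get(b"content-encoding") == b"gzip":
        return gzip.decompress(body)
    return body


# Constructed marker standing in for a real content signature.
SIGNATURES = [re.compile(rb"CONSTRUCTED-TEST-SIGNATURE-\d{4}")]


def scan(data: bytes):
    return [m.group().decode() for sig in SIGNATURES for m in sig.finditer(data)]


def inspect_flow(segments):
    """The DPI path: whole-stream view after reassembly and decompression."""
    headers, body = split_http(reassemble(segments))
    return scan(decode_body(headers, body))


def scan_per_segment(segments):
    """Naive path: each packet on its own, no reassembly, no decompression."""
    return [hit for seg in segments for hit in scan(seg.data)]


def build_sample_flow(compress: bool):
    """Constructed HTTP response split into three segments, delivered out of
    order with the middle one retransmitted; one cut lands mid-signature."""
    body = b"<html><body>hello CONSTRUCTED-TEST-SIGNATURE-0001 world</body></html>"
    hdrs = [b"HTTP/1.1 200 OK", b"Content-Type: text/html"]
    if compress:
        body = gzip.compress(body, mtime=0)
        hdrs.append(b"Content-Encoding: gzip")
    hdrs.append(b"Content-Length: %d" % len(body))
    resp = b"\r\n".join(hdrs) + b"\r\n\r\n" + body
    mark = resp.find(b"CONSTRUCTED")
    cut1 = len(resp) // 3
    cut2 = mark + 10 if mark >= 0 else (2 * len(resp)) // 3
    a, b, c = resp[:cut1], resp[cut1:cut2], resp[cut2:]
    return [Segment(cut2, c), Segment(0, a), Segment(cut1, b), Segment(cut1, b)]


if __name__ == "__main__":
    for compress in (False, True):
        flow = build_sample_flow(compress)
        print("gzip" if compress else "plain",
              "per-segment:", scan_per_segment(flow),
              "reassembled:", inspect_flow(flow))
```

In the plain-text case the per-segment scanner misses the marker because a segment boundary splits it; in the gzip case it misses because the bytes on the wire are compressed. The reassembled path catches both, which is why the paper lists TCP reassembly and in-line decompression as prerequisites for accurate payload scanning.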
Key Functions
The TurboDPI system comes with built-in support for all four critical detection functions:
Protocol detection and application recognition, anti-malware and anti-virus, IDS/IPS and
URL filtering. The protocol detection engine is supported by signature-, port- and
heuristics-based detection systems, all of which can be updated dynamically. Similarly,
the anti-malware and anti-virus system can be easily updated, either manually or using
an automated third-party profiling service (such as Kaspersky).
Performance
TurboDPI was designed for performance. Its state-of-the-art OCTEON II processor with
on-board HFA can process packets at a data rate of up to 40 Gbps. In addition, the
solution’s hardware-based decompression and checksum engines, together with its Uni-
Scan technology, provide industry-leading performance in a compact form factor.