What is Deep Packet Inspection and why is it used?

Each day, large amounts of data travel across the internet from device to device, passing through various internet service providers along the way. This data is known as network traffic, and a continuous stream of data gets divided up into smaller pieces for sending, known as packets.

For various reasons, providers may want to look at this data as it gets transmitted through the network. A common reason to analyze these packets is security. There are different methods for analysis.

What is traditional packet inspection?

The digital data on the network gets sent as these packets, which can carry anything from the voice data of a phone call to the video stream of a video conference or the data for an email, to name just a few examples. The packets are routed to the appropriate destination because each one has a header. This header is additional data that labels the packet.

Within this packet header is various information, including the source IP address, the destination IP address, and a port number. If we think about the data packet as a piece of luggage on a conveyor going to its destination, then in this analogy the packet header is the bag tag with the UPC code that the airline places on each piece of luggage to send it to the correct destination.

Notice that in traditional packet inspection, the packets get examined based on the header. Therefore, there is an assumption that the header accurately describes the data within the packet. Using our airport luggage analogy for the data packets again, this would be the equivalent of airport security not examining the inside of any of the bags before loading on or off of the plane. Clearly, this represents a fundamental security weakness, and therefore a more advanced look at data packets needed to be developed.

Using traditional packet inspection to filter and shape traffic is called plain packet filtering. However, because the packet header may not agree with the data in the packet, which may be mislabeled (either accidentally or intentionally), there is only so much traffic shaping that can be done.

What is deep packet inspection?

Given the obvious limitation of traditional packet inspection, a better approach was needed. This became known as deep packet inspection (DPI), which also gets referred to as continuous deep packet inspection.

DPI examines both the packet header, just like traditional packet inspection, and the contents of the data packet. This allows it to verify that the packet header is in full agreement with the full contents of the packet. Continuous DPI can also make sense of the sequence of the packets, attempting to understand the connections between them, such as the voice data of a phone call, where the data packets need to be processed in order for the conversation to come across as continuous and uninterrupted.
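Why the sequence of packets matters to an inspector, shown as an added example that is not code from the original article: the content that identifies a connection can be spread over several packets, so it only becomes readable once they are put back in order. The example uses an HTTP request rather than voice data, and the names `identify`, `reassemble`, `FIRST_SEQ` and `SEGMENTS` and the sample capture are constructed for illustration.

```python
import re

HTTP_REQUEST = re.compile(rb"(GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]\r\n")

def identify(data):
    """Label content as 'http' if it begins with a full HTTP/1.x request line."""
    return "http" if HTTP_REQUEST.match(data) else "unknown"

def reassemble(segments, first_seq):
    """Rebuild the contiguous byte stream from (seq, payload) pairs in any order.

    Offsets are taken modulo 2**32 so a sequence number that wraps is handled.
    Bytes already held are kept when a retransmission or overlap arrives (an
    assumed policy), and reassembly stops at the first gap.
    """
    stream = bytearray()
    ordered = sorted(((seq - first_seq) & 0xFFFFFFFF, data) for seq, data in segments)
    for offset, data in ordered:
        if offset > len(stream):
            break                          # missing bytes: wait for more segments
        stream += data[len(stream) - offset:]
    return bytes(stream)

# Constructed capture: one request split over two segments, delivered out of
# order with a retransmission, starting just before the sequence number wraps.
FIRST_SEQ = 0xFFFFFFFE
SEGMENTS = [
    (0x00000004, b"ndex.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (0xFFFFFFFE, b"GET /i"),
    (0xFFFFFFFE, b"GET /i"),
]

def per_packet_labels(segments):
    """Inspect each packet in isolation, in arrival order."""
    return [identify(data) for _, data in segments]

def stream_label(segments, first_seq):
    """Inspect the connection after putting its packets back in order."""
    return identify(reassemble(segments, first_seq))

if __name__ == "__main__":
    print(per_packet_labels(SEGMENTS))
    print(stream_label(SEGMENTS, FIRST_SEQ))
```

Inspected one at a time, none of the three packets is recognisable; inspected as an ordered stream, the same bytes are identified as an HTTP request.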

Another important point about DPI is that it can be performed continuously, in real time, on a 24/7 basis. The application layer data gets analyzed, and from that the behavior of the packet can be predicted, and if it is suspicious, the transmission of the data packet is stopped.

Why use deep packet inspection?

Deep packet inspection is used to identify traffic based on both the header and the data in the packet. This then gets used for traffic shaping, so that certain network traffic can be prioritized, while other data can be blocked.

Another benefit is that DPI can reveal the traffic that is running across the network. While historically this has focused on the amount of data in terms of bandwidth, it has become increasingly important to pay attention to the types of data, as in some cases they need to be prioritized differently. This allows an email, which is not particularly time sensitive, to be prioritized at a lower level than a video call, gaming traffic, or streaming audio, whose data packets need a higher priority or the quality of the experience will become quite poor.

How is DPI used to protect a network?

Network security is the usual reason to block certain data packets from entering the network from outside. DPI fully examines the data packet, starting with making sure that the header is fully accurate and that it describes the data in the packet. If there is a discordance between the two, the data packet can be blocked out of concern that this was done to compromise the network.
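The header-versus-content check described above, as an added example that is not code from the original article: a plain filter trusts the destination port, while the deeper check identifies the protocol from the payload and blocks on a disagreement. The port table, the function names and the sample packets (built with documentation-range addresses) are assumptions made for illustration.

```python
import struct

# Assumed port-to-protocol table, as a header-only (plain) packet filter would use.
PORT_LABELS = {22: "ssh", 80: "http", 443: "tls"}

def build_packet(src, dst, sport, dport, payload):
    """Constructed sample: minimal IPv4 + TCP headers (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp + payload

def parse_packet(raw):
    """Return (dport, payload), honouring the IPv4 IHL and TCP data-offset fields."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4
    if ihl < 20 or raw[9] != 6 or len(raw) < ihl + 20:
        raise ValueError("not a complete TCP segment")
    dport = struct.unpack_from("!H", raw, ihl + 2)[0]
    data_off = (raw[ihl + 12] >> 4) * 4
    if data_off < 20 or len(raw) < ihl + data_off:
        raise ValueError("bad TCP data offset")
    return dport, raw[ihl + data_off:]

def classify_by_payload(payload):
    """Identify the application protocol from the first bytes of the content."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"                      # TLS handshake record
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT"):
        return "http"
    return "unknown"

def inspect(raw):
    """Return (claimed, observed, verdict) for one packet."""
    dport, payload = parse_packet(raw)
    claimed = PORT_LABELS.get(dport, "unknown")
    observed = classify_by_payload(payload)
    # Block only on a positive disagreement; unrecognised content is not a mismatch.
    mismatch = observed != "unknown" and observed != claimed
    return claimed, observed, "block" if mismatch else "allow"

if __name__ == "__main__":
    for body in (b"GET / HTTP/1.1\r\n\r\n", b"SSH-2.0-example\r\n"):
        print(inspect(build_packet("192.0.2.10", "198.51.100.5", 40000, 80, body)))
```

Both sample packets carry the same port 80 header, so a plain packet filter treats them identically; only the payload check separates the web request from the mislabeled one.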

DPI can be the first step in stopping a complex attack. For example, a botnet attack can be recognized running across the network, and neutralized before it becomes a bigger issue.

Applying big data to DPI

Deep packet inspection, with each data packet fully examined as it goes across a network - both wired and wireless - not only keeps the network secure, but also generates a considerable amount of data. Network providers are taking a ‘Big data’ approach, and aggregating this data to recognize trends that are meaningful and in turn sellable. This DPI data, when correlated with geographic location, can reveal details of consumer trends, and shopping behavior, for example. By providing this info to advertisers, for a price, a network provider has the potential to generate additional revenue streams.

Conclusion

DPI is an evolution of traditional packet inspection that goes beyond the header data of the packets being transmitted and fully analyzes the data packet itself, including at the application layer for the potential behavior. Understanding DPI is important to knowing how to optimize and secure a network.

Jonas P. DeMuro

Jonas P. DeMuro is a freelance reviewer covering wireless networking hardware.