Deep packet inspection explained

October 2, 2020  |  Ericka Chickowski

What is deep packet inspection?

Deep packet inspection (DPI) refers to the method of examining the full content of data packets as they traverse a monitored network checkpoint. Whereas conventional forms of stateful packet inspection only evaluate packet header information, such as source IP address, destination IP address, and port number, deep packet inspection looks at a fuller range of data and metadata associated with individual packets. Deep packet inspection will not only scrutinize the information in the packet header, but also the content contained within the payload of the packet.

The rich data evaluated by the deep packet inspection provides a more robust mechanism for enforcing network packet filtering, as DPI can be used to more accurately identify and block a range of complex threats hiding in network data streams, including:

  • Malware
  • Data exfiltration attempts
  • Content policy violations
  • Criminal command and control communications

Deep packet inspection capabilities have evolved to overcome the limitations of traditional firewalls that rely upon stateful packet inspection. To understand the advancement offered by deep packet inspection, think of it in terms of airport security.

Stateful packet filtering would be like validating the safety of baggage by checking luggage tags to make sure the origination and destination airports match up against the flight numbers on record. In contrast, filtering using deep packet inspection would be more like examining bags through an x-ray to ensure there's nothing dangerous inside before routing them to their proper flights.

Use cases for deep packet inspection

Analysis of traffic flows through deep packet inspection opens up a range of new and improved security use cases.

Blocking malware

When paired with threat detection algorithms, deep packet inspection can be used to block malware before it compromises endpoints and other network assets. This means it can help filter out activity from ransomware, viruses, spyware, and worms. More broadly, it also provides visibility across the network that can be analyzed through heuristics to identify abnormal traffic patterns and alert security teams to malicious behavior indicative of existing compromises.

Stopping data leaks

Deep packet inspection can be used not only for inbound traffic, but also outbound network activity. This means organizations can use that analysis to set filters to stop data exfiltration attempts by external attackers or potential data leaks caused by both malicious and negligent insiders.
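The difference between header-only filtering and payload inspection described in the opening section, and the inbound/outbound split described here, can be shown on constructed packets. The following Python is an added example, not code from the original article or from any vendor product. It builds minimal IPv4/TCP packets with `struct`, runs a header-only rule (ports and addresses), and then a DPI stage that applies a malware signature to inbound payloads and a data-leak pattern to outbound ones. The address range `10.0.0.0/8`, the signature `EVIL-TEST-MARKER`, the card-number-like pattern and all sample packets are assumptions constructed for the example; the TLS check only recognises a TLS application-data record by its three-byte header and marks the payload as not inspected, which is the visibility gap the article returns to under "Benefits and challenges of DPI".

```python
"""Header-only filtering versus deep packet inspection on constructed IPv4/TCP packets."""
import ipaddress
import re
import socket
import struct
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed corporate address space
WEB_PORTS = {80, 443}                                # header rule: only web traffic is allowed

# Constructed placeholders for the example, not real malware or DLP rules
MALWARE_SIGNATURES = [b"EVIL-TEST-MARKER"]
DLP_PATTERNS = [re.compile(rb"\b\d{4}-\d{4}-\d{4}-\d{4}\b")]  # card-number-like tokens
TLS_APP_DATA = b"\x17\x03\x03"  # TLS record header: content type application_data, version 3.3


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes


def build_ipv4_tcp(src_ip, dst_ip, src_port, dst_port, payload):
    """Build a minimal IPv4+TCP packet (no options, checksums zeroed) as sample input."""
    total_len = 40 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    # data offset 5 (20-byte header) in the high nibble of byte 12, PSH|ACK flags in byte 13
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(raw):
    """Decode the headers a conventional filter reads, plus the payload DPI reads."""
    (ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("example handles IPv4/TCP only")
    ihl = (ver_ihl & 0x0F) * 4
    src_port, dst_port, _seq, _ack, off = struct.unpack("!HHIIB", raw[ihl:ihl + 13])
    data_off = (off >> 4) * 4
    payload = raw[ihl + data_off:total_len]
    return Packet(socket.inet_ntoa(src), socket.inet_ntoa(dst), src_port, dst_port, payload)


def header_filter(pkt):
    """Conventional packet filter: decides on addresses and ports only, never on content."""
    if pkt.src_port in WEB_PORTS or pkt.dst_port in WEB_PORTS:
        return "allow"
    return "block"


def deep_inspect(pkt):
    """DPI stage: looks inside the payload, with rules that depend on traffic direction."""
    outbound = ipaddress.ip_address(pkt.src_ip) in INTERNAL_NET
    if pkt.payload.startswith(TLS_APP_DATA):
        # Encrypted application data: nothing to match against without TLS interception
        return "allow", "encrypted payload, not inspected"
    if outbound:
        for pat in DLP_PATTERNS:
            if pat.search(pkt.payload):
                return "block", "outbound payload matches DLP pattern"
    else:
        for sig in MALWARE_SIGNATURES:
            if sig in pkt.payload:
                return "block", "inbound payload matches malware signature"
    return "allow", "payload clean"


def inspect(raw):
    """Run the header filter first, then DPI on whatever the header filter let through."""
    pkt = parse_ipv4_tcp(raw)
    if header_filter(pkt) == "block":
        return "block", "header rule"
    return deep_inspect(pkt)


# Constructed sample traffic: an internal client 10.0.0.5 talking to an external host 203.0.113.10
SAMPLES = {
    "inbound response with marker": build_ipv4_tcp(
        "203.0.113.10", "10.0.0.5", 80, 51000,
        b"HTTP/1.1 200 OK\r\n\r\n<html>EVIL-TEST-MARKER</html>"),
    "outbound form post with card number": build_ipv4_tcp(
        "10.0.0.5", "203.0.113.10", 51001, 80,
        b"POST /upload HTTP/1.1\r\n\r\ncard=4111-1111-1111-1111"),
    "outbound TLS application data": build_ipv4_tcp(
        "10.0.0.5", "203.0.113.10", 51002, 443,
        b"\x17\x03\x03\x00\x20" + bytes(range(32))),
    "inbound connection to non-web port": build_ipv4_tcp(
        "203.0.113.10", "10.0.0.5", 40000, 4444, b"hello"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        verdict, reason = inspect(raw)
        print(f"{name:40s} -> {verdict:5s} ({reason})")
```

The first two samples pass the header rule, since both use port 80, and are only caught once the payload is read; the fourth never reaches DPI because the port rule rejects it; the third is allowed with an explicit "not inspected" reason, which is the honest answer a header-and-payload filter can give for encrypted traffic it does not terminate.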

Content policy enforcement

The added application visibility afforded by deep packet inspection allows organizations to block or throttle access to risky or unauthorized applications, such as peer-to-peer downloaders. Similarly, the deeper analysis from DPI opens the path for organizations to block policy-violating usage patterns or prevent unauthorized data access within corporate-approved applications.


Benefits and challenges of DPI

The added visibility provided by DPI's probing analysis helps IT teams to enforce more comprehensive and detailed cybersecurity policies. This is why many firewall vendors have moved to add it to their feature lists over the years.

However, many organizations have found that enabling DPI in firewall appliances often introduces unacceptable network bottlenecks and performance degradation. First of all, these on-premises appliances are tied to corporate networks and require organizations to backhaul traffic from remote users through this infrastructure for packets to run through DPI inspection checkpoints. This introduces tremendous latency for this growing body of users and is increasingly unworkable as so many companies have been forced to support completely distributed workforces. What's more, these performance issues are likely to spur many users and departments to skip inspection altogether. When these users connect to cloud and online resources directly without a VPN connection, they end up bypassing the network perimeter protections altogether.

And then there's the challenge of encrypted traffic. While some firewalls do claim to perform deep packet inspection on HTTPS traffic, the process of decrypting data and inspecting it inline with traffic flows is a processor-intensive activity that overwhelms many hardware-based security devices. In response, administrators often choose to turn off the capability within their firewalls.

This leaves a huge network visibility blind spot as the prevalence of TLS/SSL across the web grows. Current industry estimates show that as much as 95% of web activity today occurs through encrypted channels. Attackers recognize the challenges that their potential victims face in extending DPI scrutiny over this traffic, which is why some two-thirds of malware now hides under cover of HTTPS.

As a result, organizations seeking to reap the benefits of DPI tend to look for additional technical means to enable the functionality.

How secure web gateways offer DPI functionality

Recognizing that firewalls still serve a valuable primary purpose at the network perimeter, many organizations are turning to cloud-based secure web gateways to help them remove the performance burden of deep packet inspection from these devices. These web filters protect outbound user traffic, ideally by using DPI functionality that can examine both HTTP and HTTPS traffic generated by users regardless of their location. By offloading encrypted and remote user traffic through a cloud-based secure web gateway, organizations can scale up DPI's deep analysis of traffic without pressuring existing hardware-based devices.

In the same vein, that architecture also makes it simpler to perform deep packet inspection outside the confines of the corporate network. This offers organizations a more consistent path to policy enforcement when they're managing security policies across multiple locations and a widespread remote user base that's connecting directly to the internet and cloud resources.
