Flexible, Adaptable, Application Decoding
An important component of deep packet inspection is application decoding capabilities. Its one thing to be able to identify applications and extract meta data, but adding the capability to track session state and user interactions within those applications adds a significant layer of complexity. And it’s this – the ability to track client interactions within sessions – where the IP Fabrics application decoding packages excels.
Importance of Architecture
The IP Fabrics software architecture consists of a highly concurrent Deep Packet Inspection (DPI) and Deep Application Protocol Inspection (DAPI) engine that feeds one or more “surveillance modules” (SMs). A surveillance module defines a single, unified provisioning and output message format for a general class of network applications (webmail service, IM/Chat service, etc).
A surveillance module plug-in defines the specific messaging keywords and syntactical processing for a specific network application in order to match subjects using that service (the webmail SM has plug-ins for Yahoo and mail-dot-com for example).
This modular approach enables new service processing to be snapped in-and-out of the software architecture with minimal intrusion into the rest of the software. The architecture is also very powerful in that the single output message format per service dramatically simplifies provisioning, reception, and processing of the information delivered by DeepProbe.
IP Fabrics groups services into “Intelligence Modules”. Each module can be added onto the system so DeepProbe can be tailored for only the services you’re interested in.
IP Intelligence™ classifies and decodes RADIUS and DHCP protocols. Filters can be set to track the messaging, report IP address assignments of RADIUS or DHCP IDs, and detect traffic based on specific IP protocol and/or layer 4 ports or port groups. Static IP addresses can also be set in filters for reporting on specific endpoints. The IPIntelligence™ package automatically detects changes in IP address assignments and follows these changes for reporting on specific users that may change IP addresses frequently.
VoiceIntelligence™ classifies and decodes voice over IP calls and resulting RTP traffic for SIP/SDP and/or WebRTC call control signaling. Filters can be set for a variety of SIP endpoint addresses and can be configured for providing only call data record (CDR) information or full content. The SIP call control output messages include mapping the call to the resulting RTP connections including the CODEC encoding scheme and other media information used for the content connection.
WebIntelligence™ classifies and decodes web traffic, IM/Chat and social media services. The Web Traffic SM performs general HTTP, DNS and SSL processing. The SSL portion reports SSL certificates and handshakes but doesn’t perform SSL decryption of the connection. The DNS reports on all domain name service transactions. The HTTP processing tracks HTTP traffic and filters can be set to report on specific URLs, host names, or other HTTP header information. The IM/Chat SM can report on all forum traffic for a specific forum or group of forums, specific IM/Chat user IDs, presence and status updates, and message transfers. The IM/Chat SM can also detect, decode and report on text, binary messages, audio, and video content within the supported IM/Chat services.
MailIntelligence™. MailIntelligence™ classifies, decodes and reports on a variety of email and webmail protocols. Three types of filters are supported:
- Service model filters report on all traffic for the specific mail service.
- Client model filters detect logins of specific webmail users (or detect a session currently in progress) and reports on all activity for that session until logout.
- Party model filters look through all the traffic for the mail service looking for email addresses in all to, from, cc, and bcc lines of the mails and will report on any mails where the selected email address is involved.
All filter types can report information in event (IPDR), summary (IPDR, subject, and limited content), and full (complete information including all mail bodies and attachments) output formats. In addition, scan schemas can be referenced in filters to perform additional scanning of mail bodies, subject lines and attachments in order to detect keywords or phrases in the mail traffic.
ScanIntelligence™ (not shown in the picture) provides the capability to perform content scanning of mail bodies, subject lines, attachments, chat & forum messages, and other kinds of social media message transfers.