IP Fabrics Unique Deep Packet Inspection Capabilities
Deep Packet Inspection (DPI) is the process of looking beyond the packet header information and extracting information based on the content (network application. Typical use cases of DPI include:
- Validate the network protocols are operating properly and no anomalies.
- Enterprise rules compliance. Authorized access to network services.
- Government compliance. Historical data retention, lawful intercept, network forensics.
- Real-time detection.
- Anomalies in communication sessions
- Identification of network fraud, viruses, spam, security threats.
- Routing and Service Level Agreements
- Traffic policies based on users and network applications
- Software Defined Networks (SDN)
- Network data mining for sentiment, network use, demographics
- Information services
Deep Packet Inspection from a technical perspective is made up of packet classification (identifying what services are running on every IP connection) and content inspection (pulling out meta data information from the network application service content itself). Deep packet inspection by itself does not typically understand user context or actions within a given network application session.
Wide and Narrow Classification
The figure below shows the difference between “wide” classification and “narrow” classification.
Wide classification involves processing every packet and generating packets and meta data output for each one. The classification processing typically does not reassemble individual packets together – instead it simply uses the network headers and sometimes some information in the content to identify what service that packet belongs to.
Narrow classification adds a relevant packet rules component. The relevant packet rules tell the classifier what traffic streams are important. If the packets for a stream are not relevant, the classifier doesn’t waste it’s time extracting meta data for the packets in that stream. This can lead to higher performance and more efficiency in cases where a subset of the traffic is of interest.
Content inspection is typically the next step after classification. The input to content inspection are packets and associated meta data. At this point, content inspection software typically keeps a flow table where packets of a specific flow are collected, reassembled, dechunked, and decompressed (in the case of HTTP). Enough of the traffic stream is reassembled in order to decode the network application content. Inspecting the content once it’s been reassembled can provide application-level information like what the service is, user IDs, and other content related information. Once enough of the stream is reconstructed, a descriptor is created with application-level meta data and in some cases, the reconstructed message itself.
Deep Application Protocol Inspection (DAPI) – Going the Extra Mile
The figure below shows how the IP Fabrics Deep Packet Inspection engine differs from others in a unique way. Content and descriptor information is processed in a more in-depth way. Instead of stopping at the point where application meta data can be pulled out, additional state is kept in the flow table that enables processing of client-to-server and server-to-client transactions within the application. For example, the ability to differentiate a mail send from a draft send. Or the ability to detect failed interactions within a session for whatever reason. It’s also important to note that for many over-the-top applications based on TCP, a session DOES NOT EQUAL an IP 5-tuple! A logical session may hop among servers and ports. But within the content there is always some kind of unifying identifier that maps these transactions to a single session flow – that’s where the DeepProbe DPI software shines!
Once the DAPI processing is completed, another unique feature is the fact that DAPI normalizes the message output for a given class of service. This makes receiving information from the DeepProbe or DeepSweep much easier. For example the mail read output message from DeepProbe is exactly the same regardless of whether the webmail protocol was Yahoo or Gmail. This normalized output simplifies processing the DeepProbe output and eliminates the need for collection and analysis systems to have service-specific code to deal with the differences of a mail read from Yahoo versus Gmail.
IP Fabrics’ unique DAPI technology opens the door to greater visibility of not only information within the network application, but user actions and activities within the application. Once identified, normalizing output across specific network applications of the same service type greatly simplifies interfacing with and processing the DeepProbe output.