Deep packet inspection

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Hairy Dude at 14:59, 14 April 2008, and may differ significantly from the current revision.

Deep packet inspection (DPI) (sometimes called complete packet inspection) is a form of computer network packet filtering that examines the data part of a packet, and usually its headers as well, as it passes an inspection point, searching for protocol non-compliance, viruses, spam, intrusions or other predefined criteria in order to decide whether the packet may pass or must be routed to a different destination, or simply to collect statistical information. This is in contrast to shallow packet inspection (usually called just packet inspection), which checks only the header portion of a packet.[1]

Deep packet inspection (and filtering) enables advanced security functions as well as Internet data mining, eavesdropping and censorship. Advocates of net neutrality fear that DPI technology will be used to privatize the Internet. DPI is currently used by enterprises, service providers and governments in a wide range of applications.

Background

Deep packet inspection (DPI) combines the functionality of an intrusion detection system (IDS) and an intrusion prevention system (IPS) with a traditional stateful firewall.[2] This combination makes it possible to detect certain attacks that neither the IDS/IPS nor the stateful firewall can catch on its own. A stateful firewall can see the beginning and end of a packet flow, but cannot by itself catch events that would be out of bounds for a particular application. An IDS can detect intrusions, but has very little capability to block the attack it detects. DPI is used to stop attacks from viruses and worms at wire speed. More specifically, DPI can be effective against buffer overflow attacks, denial of service (DoS) attacks, sophisticated intrusions, and the small percentage of worms that fit within a single packet; a signature that is spread over several packets can only be matched if the inspection point reassembles the flow before matching.

DPI devices can examine Layer 2 through Layer 7 of the OSI model: the headers and protocol structures as well as the actual payload of the message. A DPI device identifies and classifies traffic against a signature database that includes information extracted from the data part of a packet, allowing finer control than classification based only on header information such as the TCP or UDP port number.
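The contrast between header-only classification and payload-signature classification can be made concrete. The following is an added example, not code from the article or from any DPI vendor: it parses a raw IPv4/TCP packet, classifies it once by port number (shallow inspection) and once by matching the first payload bytes against a small constructed signature database (deep inspection), then looks the class up in a constructed policy table. The port table, signature list, policy and sample packets are all assumptions made for the example; the signature patterns follow the public HTTP, SSH, TLS and BitTorrent wire formats.

```python
import re
import socket
import struct
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def parse_ipv4_tcp(raw: bytes) -> Packet:
    """Decode an IPv4 header followed by a TCP header (no link-layer framing).

    Every length field is bounds-checked before use: an inspection engine that
    trusts IHL or data-offset values in attacker-controlled packets is itself a target.
    """
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    if ihl < 20 or total_len < ihl or len(raw) < total_len:
        raise ValueError("inconsistent IPv4 length fields")
    if raw[9] != 6:
        raise ValueError("not TCP")
    src, dst = socket.inet_ntoa(raw[12:16]), socket.inet_ntoa(raw[16:20])
    tcp = raw[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    if doff < 20 or len(tcp) < doff:
        raise ValueError("bad TCP data offset")
    return Packet(src, dst, sport, dport, tcp[doff:])


# Shallow inspection: the header is the only evidence, so the port number "is" the protocol.
PORT_TABLE = {80: "http", 443: "tls", 22: "ssh", 6881: "bittorrent"}


def classify_by_header(pkt: Packet) -> str:
    return PORT_TABLE.get(pkt.dport) or PORT_TABLE.get(pkt.sport) or "unknown"


# Deep inspection: constructed signature database keyed on the first application-layer bytes.
SIGNATURES = [
    ("bittorrent", re.compile(rb"\A\x13BitTorrent protocol")),
    ("ssh", re.compile(rb"\ASSH-\d\.\d-")),
    ("tls", re.compile(rb"\A\x16\x03[\x00-\x03]..\x01", re.DOTALL)),  # handshake record, ClientHello
    ("http", re.compile(rb"\A(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
]


def classify_by_payload(pkt: Packet) -> str:
    if not pkt.payload:
        return "no-payload"
    for name, sig in SIGNATURES:
        if sig.match(pkt.payload):
            return name
    return "unknown"


# Constructed policy: the action the device takes for each traffic class.
POLICY = {"bittorrent": "rate-limit", "http": "allow", "tls": "allow", "ssh": "allow"}


def inspect(raw: bytes) -> dict:
    pkt = parse_ipv4_tcp(raw)
    payload_class = classify_by_payload(pkt)
    return {"header": classify_by_header(pkt),
            "payload": payload_class,
            "action": POLICY.get(payload_class, "log")}


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Assemble a constructed sample packet (checksums left zero: test input, not live traffic)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000,
                     64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload


# Constructed samples: port 80 carrying HTTP, port 80 carrying a BitTorrent handshake, SSH on 443.
SAMPLES = {
    "http-on-80": build_ipv4_tcp("10.0.0.5", "93.184.216.34", 51000, 80,
                                 b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    "bittorrent-on-80": build_ipv4_tcp("10.0.0.5", "198.51.100.7", 51001, 80,
                                       b"\x13BitTorrent protocol" + bytes(8) + bytes(40)),
    "ssh-on-443": build_ipv4_tcp("10.0.0.5", "198.51.100.8", 51002, 443,
                                 b"SSH-2.0-OpenSSH_9.6\r\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:18} {inspect(raw)}")
```

The BitTorrent handshake sent to port 80 is reported as "http" by the header classifier and as "bittorrent" by the payload classifier, which is the whole difference between shallow and deep inspection; the malformed-packet checks in the parser are the part a practitioner should not skip, since the inspection point sees every byte an attacker sends.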

A classified packet can be redirected, marked or tagged (see quality of service), blocked, rate limited, or reported to a reporting agent in the network. In this way, HTTP errors of different classifications may be identified and forwarded for analysis. Many DPI devices track packet flows rather than analysing each packet in isolation, allowing control actions to be based on accumulated flow information.
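The difference between per-packet and flow-based matching, touched on both here and in the remark above that DPI only catches worms that fit within a single packet, is shown by the following added example (not code from the article or any product). A constructed stand-in signature is searched once per TCP segment and once over a per-flow reassembled byte stream; the second flow carries the same signature split across two segments that arrive out of order, which only the reassembling inspector catches. The signature pattern, flow identifiers, initial sequence numbers and payloads are all assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for a single-packet attack signature (hypothetical, not a real IDS rule).
SIGNATURE = re.compile(rb"EXPLOIT-MARKER-[0-9a-f]{8}")
MAX_SIG_LEN = len(b"EXPLOIT-MARKER-") + 8  # longest byte string the signature can match


@dataclass
class Segment:
    flow: str    # 5-tuple rendered as a string
    seq: int     # TCP sequence number of the first payload byte
    data: bytes


def match_per_packet(segments):
    """Stateless inspection: each segment's payload is searched on its own."""
    return {s.flow for s in segments if SIGNATURE.search(s.data)}


@dataclass
class FlowState:
    next_seq: int                                        # next in-order byte we expect
    pending: dict = field(default_factory=dict)          # seq -> data, out-of-order segments
    tail: bytearray = field(default_factory=bytearray)   # last MAX_SIG_LEN-1 bytes of the stream


class FlowInspector:
    """Reassembles each TCP flow in sequence order and searches the byte stream.

    Only MAX_SIG_LEN-1 bytes of history are kept per flow: exactly enough for a
    signature straddling a segment boundary, while memory per flow stays bounded.
    """

    def __init__(self):
        self.flows = {}
        self.hits = set()

    def observe_syn(self, flow: str, isn: int) -> None:
        """Record the initial sequence number from the SYN; payload starts at isn + 1."""
        self.flows[flow] = FlowState(next_seq=isn + 1)

    def feed(self, seg: Segment) -> None:
        st = self.flows.get(seg.flow)
        if st is None:  # picked up mid-stream without a SYN: treat this segment as the first
            st = self.flows[seg.flow] = FlowState(next_seq=seg.seq)
        st.pending[seg.seq] = seg.data
        while st.next_seq in st.pending:  # drain everything that is now contiguous
            data = st.pending.pop(st.next_seq)
            st.next_seq += len(data)
            st.tail += data
            if SIGNATURE.search(st.tail):
                self.hits.add(seg.flow)
            del st.tail[:max(0, len(st.tail) - (MAX_SIG_LEN - 1))]


def run(segments, syns):
    """Return (flows flagged by per-packet matching, flows flagged after reassembly)."""
    insp = FlowInspector()
    for flow, isn in syns.items():
        insp.observe_syn(flow, isn)
    for seg in segments:
        insp.feed(seg)
    return match_per_packet(segments), insp.hits


FLOW_A = "10.0.0.5:51000>198.51.100.7:80/tcp"
FLOW_B = "10.0.0.6:51001>198.51.100.7:80/tcp"
SYNS = {FLOW_A: 1000, FLOW_B: 5000}  # constructed initial sequence numbers

_head = b"POST /cgi-bin/x HTTP/1.0\r\n\r\n"
SAMPLE_SEGMENTS = [
    # Flow A: the whole signature sits inside one segment, so per-packet matching sees it.
    Segment(FLOW_A, 1001, _head + b"EXPLOIT-MARKER-deadbeef\x90\x90"),
    # Flow B: the same signature split across two segments, which also arrive out of order.
    Segment(FLOW_B, 5001 + len(_head) + 11, b"KER-cafef00d\x90\x90"),
    Segment(FLOW_B, 5001, _head + b"EXPLOIT-MAR"),
]

if __name__ == "__main__":
    per_packet, per_flow = run(SAMPLE_SEGMENTS, SYNS)
    print("per-packet hits:", sorted(per_packet))
    print("per-flow hits:  ", sorted(per_flow))
```

Splitting a signature across segment boundaries is one of the oldest IDS evasion techniques, which is why devices that "identify packet flows" matter for detection and not only for bandwidth accounting. The bounded tail buffer is the usual trade-off: it keeps per-flow memory constant, at the price of needing the maximum signature length up front.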

Deep packet inspection at the enterprise

Until recently, security at the enterprise was purely a perimeter discipline: keeping the bad guys out, and the good guys shielded from the outside world. The preferred tool for this was a stateful firewall. It permits access from the outside world to predefined destinations, and permits traffic back to other internal hosts only if a request to the outside world has been made previously.[3]

Vulnerabilities now exist at network layers that are not visible to a stateful firewall. There has also been a transition from desktops to laptops, and laptops can carry threats such as viruses, worms or spyware inside the network. Users may also put perfectly legitimate applications to illegitimate use. DPI enables IT administrators and security officers to set policies and enforce them at all layers, including the application and user layer, to help combat those threats. Such policies are also used to restrict access to certain URLs and to ensure employee productivity.

Deep packet inspection at service providers

Service providers use DPI for their internal operations just as any other enterprise does, and in addition use it to run their business: for lawful intercept, policy definition and enforcement, targeted advertising, quality of service, tiered services, and copyright enforcement.

Lawful intercept

Service providers are required by governments around the world and their agencies to provide lawful intercept capabilities. This requirement was previously met by creating a traffic access point (TAP) using an intercepting proxy server that connects to the government's surveillance equipment. Now that this functionality can be included in the DPI device, DPI products that are "CALEA-compliant" can be used as a TAP to collect a user's data stream.[4]

Policy definition and enforcement

Service providers are obligated by the service level agreement with their customers to provide a certain level of service, and at the same time to enforce their acceptable use policy, which covers copyright infringement, illegal material and unfair use of bandwidth. In some countries ISPs are also required by law to perform filtering. DPI allows service providers to "readily know the packets of information you are receiving online--from e-mail, to websites, to sharing of music, video and software downloads".[5] Policies can be defined that allow or disallow connections to or from an IP address or over certain protocols, or even apply heuristics that predict which application is in use.

Targeted advertising

Because ISPs route all of their customers' traffic, they can monitor web-browsing habits in great detail, gaining information about their customers' interests that can be used by companies specializing in targeted advertising. At least 100,000 US customers are tracked this way, and as many as 10% of US customers may have been tracked in this way. Technology providers include NebuAd, Front Porch and Phorm. US ISPs monitoring their customers include Knology and Wide Open West, and probably also Embarq. In addition, the UK ISP BT has admitted testing technology from Phorm without its customers' knowledge or consent.[6]

Quality of service

Peer-to-peer (P2P) traffic presents increasing problems for broadband service providers. P2P is typically used by file-sharing applications to exchange files, music and video. It drives increasing traffic loads, requiring additional network capacity. Service providers say that a minority of users generate large quantities of P2P traffic and degrade performance for the majority of broadband subscribers, whose applications such as e-mail or web browsing use less bandwidth but require lower latency.[7] Poor network performance increases customer dissatisfaction and leads to a decline in service revenues.

DPI allows operators to ensure equitable bandwidth for all users by preventing network congestion. Additionally, higher priority can be allocated to a VoIP or video conferencing call, which requires low latency, than to web browsing, which does not.[8] This is how service providers dynamically allocate bandwidth according to the traffic passing through their networks.
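What the classification buys in the quality-of-service case is easiest to see with a scheduler. The following is an added example, not from the article or from any operator's equipment: constructed traffic consisting of a 20 ms VoIP stream competing with a burst of full-size download packets is pushed through a simulated 1 Mbit/s bottleneck, once with a plain FIFO queue and once with a strict-priority queue that serves packets the DPI stage has labelled "voip" first. The link rate, packet sizes and arrival pattern are assumptions chosen for the example.

```python
from collections import deque
from dataclasses import dataclass

LINK_BPS = 1_000_000  # constructed 1 Mbit/s bottleneck link


@dataclass
class Pkt:
    cls: str        # traffic class assigned by DPI classification: "voip" or "web"
    size: int       # bytes on the wire
    arrival: float  # seconds


def constructed_traffic():
    """Half a second of a 20 ms VoIP stream (200-byte packets) competing with a burst
    of 300 full-size download packets arriving one per millisecond (constructed sample)."""
    pkts = [Pkt("voip", 200, 0.020 * i) for i in range(25)]
    pkts += [Pkt("web", 1500, 0.001 * i) for i in range(300)]
    return sorted(pkts, key=lambda p: p.arrival)


def simulate(pkts, priority: bool):
    """Non-preemptive link scheduler over a list of packets sorted by arrival time.

    priority=False is a single FIFO queue; priority=True always serves the VoIP
    queue first. Returns the worst queueing delay per class, in seconds.
    """
    queues = {"voip": deque(), "web": deque()}
    worst = {"voip": 0.0, "web": 0.0}
    now, i = 0.0, 0
    while i < len(pkts) or any(queues.values()):
        while i < len(pkts) and pkts[i].arrival <= now:  # admit everything that has arrived
            queues[pkts[i].cls].append(pkts[i])
            i += 1
        ready = [q for q in ("voip", "web") if queues[q]]
        if not ready:                 # link idle: jump to the next arrival
            now = pkts[i].arrival
            continue
        if priority:
            cls = ready[0]            # "voip" whenever its queue is non-empty
        else:
            cls = min(ready, key=lambda q: queues[q][0].arrival)  # oldest head first = FIFO
        p = queues[cls].popleft()
        worst[cls] = max(worst[cls], now - p.arrival)
        now += p.size * 8 / LINK_BPS  # transmit; an in-flight packet is never pre-empted
    return worst


if __name__ == "__main__":
    traffic = constructed_traffic()
    print("FIFO worst delay (s):    ", simulate(traffic, priority=False))
    print("priority worst delay (s):", simulate(traffic, priority=True))
```

With FIFO the VoIP packets queue behind the download burst and their worst delay runs into seconds; with strict priority the worst case is one full-size packet already on the wire (1500 bytes at 1 Mbit/s, 12 ms). The scheduler is only as good as the label it is given, which is why operators pair it with DPI rather than with port numbers.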

Tiered services

Mobile and broadband service providers use DPI as a means to implement tiered service plans, to differentiate "walled garden" services from "value added", "all-you-can-eat" and "one-size-fits-all" data services.[9] Service providers are increasingly challenged to optimize their service delivery and increase their Average Revenue Per User (ARPU). By being able to charge for just a walled garden, or per application, or per service, or all-you-can-eat rather than a one-size-fits-all package, the operator can better tailor its offering to the subscriber. A policy is created per user or user group, and the DPI device enforces that policy, allowing the user access to different services and applications.

Copyright enforcement

More and more, ISPs are being required to enforce copyrights. In 2006, one of Denmark's largest ISPs, Tele2, was given a court injunction and told it must block its customers from accessing The Pirate Bay, a launching point for BitTorrent.[10] Instead of prosecuting file sharers one at a time,[11] the International Federation of the Phonographic Industry (IFPI) and the big four record labels EMI, Sony BMG, Universal Music and Warner Music have begun suing ISPs such as Eircom for not doing enough to protect their copyrights.[12] The IFPI wants ISPs to filter traffic to remove illicitly uploaded and downloaded copyrighted material from their networks, despite European directive 2000/31/EC clearly stating that ISPs may not be put under a general obligation to monitor the information they transmit, and directive 2002/58/EC granting European citizens a right to privacy of communications. The Motion Picture Association of America (MPAA), which enforces movie copyrights, has on the other hand taken the position with the FCC that net neutrality could hurt anti-piracy technology such as deep packet inspection and other forms of filtering.[13] To protect themselves against lawsuits, court injunctions, and government policies and regulations, ISPs are being pushed to employ DPI to prevent illegal distribution of copyrighted material by their subscribers.

Deep packet inspection by governments

Government agencies all over the world use DPI for their internal operations just as any other enterprise does. In addition, governments in North America, Europe and Asia use DPI for various purposes such as surveillance and censorship, many of which are classified.[14]

United States

The US government has been spying on foreigners and US citizens using deep packet inspection at international peering points, according to a 2008 IEEE Computer Society journal article:

Optical fiber carrying the inter-ISP peering traffic associated with AT&T’s Common Backbone was "split," dividing the signal so that 50 percent went to each output fiber. One of the output fibers was diverted to the secure room; the other carried communications on to AT&T’s switching equipment. The secure room contained Narus traffic analyzers and logic servers; Narus states that such devices are capable of real-time data collection (recording data for consideration) and capture at 10G bits per second (bps). Certain traffic was selected and sent over a dedicated line to a "central location." The San Francisco office set up was one of many throughout the country, including in Seattle, San Jose, Los Angeles, and San Diego. According to Marcus’s affidavit, the diverted traffic "represented all, or substantially all, of AT&T’s peering traffic in the San Francisco Bay area," and thus, "the designers of the ... configuration made no attempt, in terms of location or position of the fiber split, to exclude data sources comprised primarily of domestic data."[15]

Narus's Semantic Traffic Analyzer software, which runs on IBM or Dell Linux servers, uses DPI technology to sort through IP traffic at 10 Gbps and pick out specific messages based on a targeted e-mail address, IP address or, in the case of VoIP, phone number.[16] President George W. Bush and Attorney General Alberto R. Gonzales maintain that the president has the authority to order secret intercepts of telephone and e-mail exchanges between people inside the United States and their contacts abroad without obtaining a FISA warrant.[17]

The NSA uses deep packet inspection technology to make traffic surveillance, sorting and forwarding more intelligent. The DPI is used to find which packets are carrying e-mail or a Voice over Internet Protocol (VoIP) phone call.[18]

China

Deep packet inspection engines, nicknamed "The Great Firewall of China", are used by China to monitor all traffic in and out of the country, as well as to censor the flow of information.[19] China's Internet filtering regime is extremely pervasive, sophisticated and effective. It prevents access to sensitive material, from pornography to religious material to political dissent. Chinese citizens often find themselves blocked when accessing web sites containing content related to Taiwanese and Tibetan independence, Falun Gong, the Dalai Lama, the Tiananmen Square incident, opposition political parties, or a variety of anti-Communist movements.[20] China blocks VoIP traffic in and out of the country.[16] China has also blocked YouTube and access to various photography and blogging sites.[21]

DPI and net neutrality

Some people find all of this digging and probing into the upper layers of the Internet protocol stack offensive:[4] "The 'Net was built on open access and non-discrimination of packets!" Critics of net neutrality, meanwhile, call net neutrality rules "a solution in search of a problem" and believe that such rules would reduce incentives to upgrade networks and launch next-generation network services.

References

  1. Dr. Thomas Porter (2005-01-11). "The Perils of Deep Packet Inspection". SecurityFocus. Retrieved 2008-03-02.
  2. Ido Dubrawsky (2003-07-29). "Firewall Evolution - Deep Packet Inspection". SecurityFocus. Retrieved 2008-03-02.
  3. Elan Amir (2007-10-29). "The Case for Deep Packet Inspection". IT Business Edge. Retrieved 2008-03-02.
  4. Nate Anderson (2007-07-25). "Deep packet inspection meets 'Net neutrality, CALEA". Ars Technica. Retrieved 2006-02-06.
  5. Jeff Chester (2006-02-01). "The End of the Internet?". The Nation. Retrieved 2006-02-06.
  6. Peter Whoriskey (2008-04-04). "Every Click You Make: Internet Providers Quietly Test Expanded Tracking of Web Use to Target Advertising". Retrieved 2008-04-08.
  7. "Deep Packet Inspection: Taming the P2P Traffic Beast". Light Reading. Retrieved 2008-03-03.
  8. Matt Hamblen (2007-09-17). "Ball State uses deep packet inspection to ensure videoconferencing performance". Computerworld. Retrieved 2008-03-03.
  9. "Allot Deploys DPI Solution at Two Tier 1 Mobile Operators to Deliver Value-Added and Tiered Service Packages". Money Central. 2008-02-05. Retrieved 2008-03-03.
  10. Jeremy Kirk (2008-02-13). "Danish ISP prepares to fight Pirate Bay injunction". IDG News Service. Retrieved 2008-03-12.
  11. Matthew Clark (2005-07-05). "Eircom and BT won't oppose music firms". ENN. Retrieved 2008-03-12.
  12. Eric Bangeman (2008-03-11). ""Year of filters" turning into year of lawsuits against ISPs". Ars Technica. Retrieved 2008-03-12.
  13. Anne Broache (2007-07-19). "MPAA: Net neutrality could hurt antipiracy tech". CNET News.com. Retrieved 2008-03-12.
  14. Carolyn Duffy Marsan (2007-06-27). "OEM provider Bivio targets government market". Network World. Retrieved 2008-03-13.
  15. Steven M. Bellovin et al. (January/February 2008). "Risking Communications Security: Potential Hazards of the Protect America Act" (PDF). IEEE Security and Privacy 6 (1): 24-33. doi:10.1109/MSP.2008.17. Retrieved 2008-03-03.
  16. Robert Poe (2006-05-17). "The Ultimate Net Monitoring Tool". Wired. Retrieved 2008-03-03.
  17. Carol D. Leonnig (2007-01-07). "Report Rebuts Bush on Spying - Domestic Action's Legality Challenged". The Washington Post. Retrieved 2008-03-03.
  18. J. I. Nelson, Ph.D. (2006-09-26). "How the NSA warrantless wiretap system works".
  19. Ben Elgin and Bruce Einhorn (2006-01-12). "The Great Firewall of China". Business Week. Retrieved 2008-03-13.
  20. "Internet Filtering in China in 2004-2005: A Country Study". OpenNet Initiative. Retrieved 2008-03-13.
  21. "China Blocks YouTube, Restores Flickr and Blogspot". PC World. 2007-10-18. Retrieved 2008-03-03.