Basically, “Packet” in this article means Headers+Payload. Note: We are using the term “packet” loosely here to mean any application layer data/payload that has been encapsulated with lower-level protocols (e.g.
This opens up a whole new world of opportunities and challenges. So DPI is able to say, “while the port being used is HTTP, the application carried is actually Skype”. Basically, DPI is able to not just inspect the general information carried by a packet but also inspect the contents of the packet itself. This brings us to the third type of firewall technology: Deep Packet Inspection. A firewall using static and/or stateful filtering will allow traffic from those applications thinking it is normal web traffic. Skype, P2P torrent applications) run on standard HTTP and HTTPS ports. How about if everything is fine at the IP and Transport layers (referencing the OSI model), but the real threat is contained in the data portion of the packet?įor example, many applications (e.g. SYN+ACK is seen without an initial SYN packet), the firewall knows that is probably a security attack.īut as firewall techniques got better, so did hackers. If there is any funny business happening in the exchange (e.g. For example, when a stateful firewall sees a SYN packet, it keeps track of that TCP connection expecting to see the corresponding SYN+ACK and ACK packets. We then moved on to Stateful filtering (or Stateful Packet Inspection) which basically keeps track of the state of connections. Access Control Lists), it doesn’t scale well for current security needs. While this technique still has its place in today’s network (i.e. In this technique, every packet (irrespective of whether that packet is standalone or part of a traffic flow) is checked against the filtering rules. Initially, we had Static/Stateless filtering where traffic is checked against rules that match on source/destination IP addresses/ports. Deep Packet Inspection (DPI)Īs mentioned in the introduction above, the state of firewall/filtering techniques has evolved over the years. We will also briefly consider how DPI is different from packet capture/protocol analysis. In this article, we will ignore the fluff and buzzwords and take a look at Deep Packet Inspection (DPI) for what it really is, how it does what it does, why organizations use it, some of the challenges it faces, and some of the tools that can be used to perform DPI. what is NGFW? Is it just another name for Unified Threat Management?). static filtering simply checks IP and maybe TCP headers to make filtering decisions), some of them are marketing buzzwords and are still developing (e.g.
While the usage of some of these terms has become fairly standard (e.g. When it comes to firewalls or filtering techniques, you hear different terms like static filtering, stateful firewall, deep packet inspection, Next generation firewall (NGFW), and so on.
0 kommentar(er)
