Sunday, 10 June 2018


Deep packet inspection (DPI) is a type of data processing that inspects in detail the data being sent over a computer network, and usually takes action by blocking, re-routing, or logging it accordingly. It can be used for benign purposes, such as making sure that a data stream is in the correct format or checking it for malicious code, or for more questionable ones, such as eavesdropping and censorship. An IP packet carries several headers; network equipment only needs the first of them (the IP header) for normal operation. Looking at the second header as well (TCP or UDP) is normally considered shallow packet inspection (usually called stateful packet inspection), despite this definition.

There are several ways to acquire packets for deep packet inspection. Using port mirroring (sometimes called a SPAN port) is a very common way, as is physically inserting a network tap (for example an optical splitter) into the link.

Deep packet inspection (and filtering) enables advanced network management, user service, and security functions as well as internet data mining, eavesdropping, and internet censorship. Although DPI has been used for Internet management for many years, some advocates of net neutrality fear that the technique may be used anticompetitively or to reduce the openness of the Internet.

DPI is used in a wide range of applications: at the so-called "enterprise" level (corporations and larger institutions), in telecommunications service providers, and in governments.



DPI combines the functionality of an intrusion detection system (IDS) and an intrusion prevention system (IPS) with a traditional stateful firewall. This combination makes it possible to detect certain attacks that neither the IDS/IPS nor the stateful firewall can catch on its own. A stateful firewall, while able to see the beginning and end of a packet flow, cannot by itself catch events that would be out of bounds for a particular application. An IDS is able to detect intrusions, but has very little capability to block them. DPI is used to prevent attacks from viruses and worms at wire speed. More specifically, DPI can be effective against buffer overflow attacks, denial-of-service (DoS) attacks, sophisticated intrusions, and the small percentage of worms that fit within a single packet.

DPI-enabled devices have the ability to look at Layer 2 and beyond Layer 3 of the OSI model. In some cases, DPI can be invoked to look through Layers 2 to 7 of the OSI model. This includes headers and data protocol structures as well as the payload of the message. DPI functionality is invoked when a device looks at, or takes other action based on, information beyond Layer 3 of the OSI model. DPI can identify and classify traffic based on a signature database that includes information extracted from the data part of a packet, allowing finer control than classification based only on header information. In many cases, end points can use encryption and obfuscation techniques to evade DPI actions.

A classified packet may be redirected, marked or tagged (see quality of service), blocked, rate limited, and of course reported to a reporting agent in the network. In this way, HTTP errors of different classifications may be identified and forwarded for analysis. Many DPI devices can identify packet flows (rather than doing packet-by-packet analysis), allowing control actions based on accumulated flow information.
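The following is an added example (not code from the page or from any product it mentions) showing the difference the preceding paragraphs describe. It parses raw IPv4/TCP packets, tracks flows by 5-tuple, classifies each flow from the first payload bytes seen in either direction (the same light-touch idea libprotoident applies, described further down the page), and compares that with the port-only guess a stateful firewall would make. The signature set, the policy table and the addresses (RFC 5737 documentation ranges) are assumptions made for the example; all packets are constructed inline.

```python
"""Toy DPI flow classifier (added example; not from the page or any vendor).
Parses raw IPv4/TCP packets (no Ethernet header), tracks flows by 5-tuple,
classifies each flow from its first payload bytes, and compares that with a
port-only guess.  All traffic below is constructed."""
import socket
import struct

# Signature database: a few first-bytes patterns.  Real engines carry
# hundreds of these plus flow heuristics; these four are illustrative.
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}
SIGNATURES = (
    ("bittorrent", lambda p: p.startswith(b"\x13BitTorrent protocol")),
    ("ssh",        lambda p: p.startswith(b"SSH-")),
    # TLS record header: content type 22 (handshake), version 3.x
    ("tls",        lambda p: len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03 and p[2] <= 0x04),
    ("http",       lambda p: p.split(b" ", 1)[0] in HTTP_METHODS or p.startswith(b"HTTP/1.")),
)
WELL_KNOWN_PORTS = {22: "ssh", 80: "http", 443: "tls"}
# Per-application policy; an assumption for the example.
POLICY = {"http": "allow", "tls": "allow", "ssh": "allow",
          "bittorrent": "rate-limit", "unknown": "log"}


def build_ipv4_tcp(src, dst, sport, dport, payload, flags=0x18):
    """Build a minimal IPv4+TCP packet.  Checksums stay zero; the parser
    below does not verify them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000,
                     64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def parse_ipv4_tcp(pkt):
    """Return (src, dst, sport, dport, payload), or None if not IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6 or total > len(pkt) or ihl < 20:
        return None
    seg = pkt[ihl:total]
    if len(seg) < 20:
        return None
    sport, dport = struct.unpack("!HH", seg[:4])
    doff = (seg[12] >> 4) * 4
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
            sport, dport, seg[doff:])


def classify_by_port(sport, dport):
    """What a header-only (stateful) device would conclude."""
    return WELL_KNOWN_PORTS.get(dport) or WELL_KNOWN_PORTS.get(sport) or "unknown"


def classify_by_payload(payload):
    """First matching signature wins; None if nothing matches."""
    for name, matcher in SIGNATURES:
        if matcher(payload):
            return name
    return None


class FlowTable:
    """Tracks flows and classifies them from the first payload per direction."""
    def __init__(self):
        self.flows = {}

    def feed(self, pkt):
        parsed = parse_ipv4_tcp(pkt)
        if parsed is None:
            return None
        src, dst, sport, dport, payload = parsed
        a, b = (src, sport), (dst, dport)
        key = (a, b) if a < b else (b, a)          # direction-independent key
        flow = self.flows.setdefault(key, {
            "port_guess": classify_by_port(sport, dport),
            "first_payload": {}, "app": None})
        # Only the first non-empty payload in each direction is inspected;
        # later packets of an already classified flow are not looked at.
        if payload and a not in flow["first_payload"]:
            flow["first_payload"][a] = payload
            if flow["app"] is None:
                flow["app"] = classify_by_payload(payload)
        return key

    def verdicts(self):
        """Per flow: (port-only guess, DPI class, policy action)."""
        out = {}
        for key, f in self.flows.items():
            app = f["app"] or "unknown"
            out[key] = (f["port_guess"], app, POLICY[app])
        return out


def demo():
    """Constructed traffic: one flow hides a BitTorrent handshake on port 80."""
    table = FlowTable()
    c, web, peer = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    pkts = [
        build_ipv4_tcp(c, web, 51000, 80, b"", flags=0x02),   # SYN, no payload
        build_ipv4_tcp(c, web, 51000, 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        build_ipv4_tcp(web, c, 80, 51000, b"HTTP/1.1 200 OK\r\n\r\n"),
        build_ipv4_tcp(c, peer, 51001, 80, b"\x13BitTorrent protocol" + bytes(48)),
        build_ipv4_tcp(c, web, 51002, 443, b"\x16\x03\x01\x00\x05" + bytes(5)),
        build_ipv4_tcp(c, peer, 51003, 8080, b"\x00\x01\x02\x03"),
        b"\x60" + bytes(39),                                   # IPv6-looking junk: skipped
    ]
    for p in pkts:
        table.feed(p)
    return {f"{k[0][0]}:{k[0][1]}<->{k[1][0]}:{k[1][1]}": v
            for k, v in table.verdicts().items()}
```

Running `demo()` shows the port-only view calling the 51001 flow "http" while the payload signature identifies it as BitTorrent and the policy rate-limits it; the flow on port 8080 with an unrecognised payload falls through to the "unknown" action. The checksums and TCP reassembly a real engine needs are deliberately left out.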

At the enterprise level

Initially, security at the enterprise level was just a perimeter discipline, with a dominant philosophy of keeping unauthorized users out and shielding authorized users from the outside world. The most frequently used tool for accomplishing this has been the stateful firewall. It can permit fine-grained control of access from the outside world to pre-defined destinations on the internal network, and permit access back to other hosts only if a request to the outside world has been made beforehand.

Vulnerabilities exist at network layers, however, that are not visible to a stateful firewall. Also, the increasing use of laptops in enterprises makes it harder to prevent threats such as viruses, worms, and spyware from penetrating the corporate network, as many users connect their laptops to less secure networks such as home broadband connections or wireless networks in public locations. Firewalls also do not distinguish between permitted and forbidden uses of legitimately accessed applications. DPI enables IT administrators and security officers to set policies and enforce them at all layers, including the application and user layers, to help combat these threats.

Deep Packet Inspection can detect some types of buffer overflow attacks.

DPI can be used by enterprises for data leak prevention (DLP). When an e-mail user tries to send a protected file, the user can be told how to obtain the proper clearance to send the file.

At network/Internet service providers

In addition to using DPI to secure their own internal networks, Internet service providers also apply it to the public networks they provide to customers. Common uses of DPI by ISPs are lawful intercept, policy definition and enforcement, targeted advertising, quality of service, offering tiered services, and copyright enforcement.

Lawful intercept

Service providers are required by almost all governments worldwide to provide lawful intercept capabilities. Decades ago, in the legacy telephone environment, this was met by creating a traffic access point (TAP) using an intercepting proxy server that connects to the government's surveillance equipment. The acquisition component of this functionality can be provided in many ways, including DPI: DPI-enabled products that are "LI- or CALEA-compliant" can be used, when directed by a court order, to access a user's data stream.

Policy definition and enforcement

Service providers that are obligated by the service-level agreement with their customers to provide a certain level of service, and at the same time to enforce an acceptable use policy, may use DPI to implement policies covering copyright infringement, illegal material, and unfair use of bandwidth. In some countries ISPs are required to perform filtering, depending on the country's laws. DPI allows service providers "to readily know the packets of information you are receiving online - from e-mail, to websites, to sharing of music, video and software downloads". Policies can be defined that allow or disallow connections to or from an IP address, certain protocols, or even heuristics that identify a particular application or behaviour.

Targeted ads

Because ISPs route the traffic of all their customers, they are able to monitor web-browsing habits in a very detailed way, which gives them information about their customers' interests that can be used by companies specializing in targeted advertising. At least 100,000 United States customers are tracked this way, and as many as 10% of U.S. customers have been tracked in this manner. Technology providers include NebuAd, Front Porch, and Phorm. U.S. ISPs monitoring their customers include Knology and Wide Open West. In addition, the United Kingdom ISP British Telecom has admitted testing solutions from Phorm without their customers' knowledge or consent.

Quality of service

DPI can be used against net neutrality.

Applications such as peer-to-peer (P2P) traffic present increasing problems for broadband service providers. Typically, P2P traffic is generated by applications that do file sharing. The files may be of any type (documents, music, videos, or applications). Because of the large size of the media files frequently transferred, P2P drives up traffic load, requiring additional network capacity. Service providers say a minority of users generate large quantities of P2P traffic and degrade performance for the majority of broadband subscribers, who use applications such as e-mail or web browsing that consume less bandwidth. Poor network performance increases customer dissatisfaction and leads to a decline in service revenue.

DPI allows operators to oversell their available bandwidth while ensuring an equitable distribution of bandwidth to all users by preventing network congestion. Additionally, a higher priority can be allocated to a VoIP or video conferencing call, which requires low latency, than to web browsing, which does not. This is the approach service providers use to dynamically allocate bandwidth according to the traffic passing through their networks.

Other vendors claim that DPI is ineffective against P2P and that other methods of bandwidth management are more effective.

Tiered services

Mobile and broadband service providers use DPI as a means to implement tiered service plans, differentiating "walled garden" services from "value added", "all-you-can-eat" and "one-size-fits-all" data services. By being able to charge for a "walled garden", per application, per service, or "all-you-can-eat" rather than a "one-size-fits-all" package, the operator can tailor its offering to the individual subscriber and increase its average revenue per user (ARPU). A policy is created per user or user group, and the DPI system in turn enforces that policy, allowing the user access to different services and applications.

Copyright enforcement

ISPs are sometimes requested by copyright owners, or required by courts or official policy, to help enforce copyrights. In 2006, one of Denmark's largest ISPs, Tele2, was given a court injunction and told it must block its customers from accessing The Pirate Bay, a launching point for BitTorrent. Instead of prosecuting file sharers one at a time, the International Federation of the Phonographic Industry (IFPI) and the big four record labels EMI, Sony BMG, Universal Music, and Warner Music have begun suing ISPs such as Eircom for not doing enough to protect their copyrights. The IFPI wants ISPs to filter traffic to remove illicitly uploaded and downloaded copyrighted material from their networks, despite European directive 2000/31/EC clearly stating that ISPs may not be put under a general obligation to monitor the information they transmit, and directive 2002/58/EC granting European citizens a right to privacy of communications. The Motion Picture Association of America (MPAA), which enforces movie copyrights, has on the other hand taken the position with the Federal Communications Commission (FCC) that network neutrality could hurt anti-piracy techniques such as deep packet inspection and other forms of filtering.

Statistics

DPI allows ISPs to gather statistical information about usage patterns by user group. For instance, it might be of interest whether users with a 2 Mbit connection use the network differently from users with a 5 Mbit connection. Access to trend data also helps network planning.

By government

In addition to using DPI for the security of their own networks, governments in North America, Europe, and Asia use DPI for various purposes such as surveillance and censorship. Many of these programs are classified.

United States

The FCC adopted the CALEA Internet requirement: the FCC, pursuant to its mandate from the U.S. Congress, and in line with the policies of most countries worldwide, requires that all telecommunications providers, including Internet services, be capable of supporting the execution of a court order to provide real-time communications forensics of specified users. In 2006, the FCC adopted new Title 47, Subpart Z rules requiring Internet access providers to meet this requirement. DPI is one of the platforms essential to meeting it and has been deployed for this purpose throughout the U.S.

The National Security Agency (NSA), with the cooperation of AT&T Inc., has used deep packet inspection to make Internet traffic surveillance, sorting, and forwarding more intelligent. DPI is used to find out which packets carry e-mail or Voice over Internet Protocol (VoIP) phone calls. Traffic associated with AT&T's Common Backbone was "split" between two fibres, dividing the signal so that 50 percent of the signal strength went to each output fibre. One of the output fibres was diverted to a secure room; the other carried communications on to AT&T's switching equipment. The secure room contained Narus traffic analyzers and logic servers; Narus states that such devices are capable of real-time data collection (recording data for consideration) and capture at 10 gigabits per second. Certain traffic was selected and sent over a dedicated line to a "central location" for analysis. According to an affidavit by expert witness J. Scott Marcus, a former senior advisor for Internet Technology at the U.S. Federal Communications Commission, the diverted traffic "represented all, or substantially all, of AT&T's peering traffic in the San Francisco Bay area", and thus, "the designers of the ... configuration made no attempt, in terms of location or position of the fiber split, to exclude data sources comprised primarily of domestic data". Narus's Semantic Traffic Analyzer software, which runs on IBM or Dell Linux servers using DPI, sorts through IP traffic at 10 Gbit/s to pick out specific messages based on a targeted e-mail address, IP address or, in the case of VoIP, telephone number. President George W. Bush and Attorney General Alberto R. Gonzales asserted that they believe the president has the authority to order secret intercepts of telephone and e-mail exchanges between people inside the United States and their contacts abroad without obtaining a FISA warrant.

The Defense Information Systems Agency has developed a sensor platform that uses deep packet inspection.

China

The Chinese government uses deep packet inspection to monitor and censor network traffic and content that it claims is harmful to Chinese citizens or to state interests. This material includes pornography, information on religion, and political dissent. Chinese network ISPs use DPI to see whether a sensitive keyword is passing through their network. If so, the connection is cut. People in China often find themselves blocked while accessing websites containing content related to Taiwanese and Tibetan independence, Falun Gong, the Dalai Lama, the Tiananmen Square protests and massacre of 1989, political parties that oppose the ruling Communist Party, or a variety of anti-Communist movements, because those materials have already been flagged as DPI-sensitive keywords. China previously blocked all VoIP traffic into and out of the country, but many VoIP applications now function there. Voice traffic in Skype is unaffected, although text messages are subject to DPI, and messages containing sensitive material, such as curse words, are simply not delivered, with no notification given to either participant in the conversation. China also blocks visual media sites such as YouTube.com and various photography and blogging sites.

Iran

The Iranian government purchased a system, reportedly for deep packet inspection, in 2008 from Nokia Siemens Networks (NSN), a joint venture of Siemens AG, the German conglomerate, and Nokia Corp., the Finnish mobile phone company (NSN is now Nokia Solutions and Networks), according to a report in The Wall Street Journal in June 2009 quoting NSN spokesperson Ben Roome. According to unnamed experts cited in the article, the system "enables authorities to not only block communication but to monitor it to gather information about individuals, as well as alter it for disinformation purposes".

The system was purchased by the Telecommunication Infrastructure Co., part of the Iranian government's telecom monopoly. According to the Journal, NSN "provided equipment to Iran last year under the internationally recognized concept of 'lawful intercept,' said Mr. Roome. That relates to intercepting data for the purposes of combating terrorism, child pornography, drug trafficking and other criminal activities carried out online, a capability that most if not all telecom companies have, he said. ... The monitoring center that Nokia Siemens Networks sold to Iran was described in a company brochure as allowing 'the monitoring and interception of all types of voice and data communication on all networks.' The joint venture exited the business that included the monitoring equipment, what it called 'intelligence solution,' at the end of March, by selling it to Perusa Partners Fund 1 LP, a Munich-based investment firm, Mr. Roome said. He said the company determined it was no longer part of its core business."

The NSN system followed purchases by Iran from Secure Computing Corp. earlier in the decade.

Questions have been raised about the reliability of the Journal report by David Isenberg, an independent Washington, D.C.-based analyst and Cato Institute adjunct scholar, who specifically says that Mr. Roome is denying the quotes attributed to him and that he, Isenberg, also had similar complaints about one of the same Journal reporters in an earlier story. NSN has issued the following denial: NSN "has not provided any deep packet inspection, web censorship or Internet filtering capability to Iran". A concurrent article in The New York Times stated that the NSN sale had been covered in "a spate of news reports in April [2009], including The Washington Times", and reviewed censorship of the Internet and other media in the country, but did not mention DPI.

According to Walid Al-Saqaf, the developer of the Internet censorship circumventor Alkasir, Iran was using deep packet inspection in February 2012, bringing Internet speeds across the whole country to a near standstill. This briefly eliminated access to tools such as Tor and Alkasir.

Russian Federation

DPI is not mandated in Russia. Federal Law No. 139 enforces the blocking of websites on the Russian Internet blacklist using IP filtering, but does not force ISPs to analyze the data part of packets. Some ISPs nevertheless use various DPI solutions to implement the blacklist.

Some human rights activists consider deep packet inspection to be contrary to Article 23 of the Constitution of the Russian Federation, though a legal process to prove or refute this has never taken place.

Singapore

The city state reportedly employs deep packet inspection of Internet traffic.

Syria

The state reportedly employs deep packet inspection of Internet traffic to analyze and block forbidden transit.

Malaysia

The incumbent Malaysian government, headed by Barisan Nasional, was said to have used DPI against a political opponent during the run-up to the 13th general election held on 5 May 2013.

The purpose of DPI in this instance was to block and/or hinder access to selected websites, e.g. Facebook accounts, blogs, and news portals.

Egypt

Since 2015, Egypt has reportedly begun to join the list, which was constantly denied by officials of the Egyptian National Telecom Regulatory Authority (NTRA). It became news, however, when the country decided to block the encrypted messaging app Signal, as announced by the application's developer.

In April 2017, all VoIP applications, including FaceTime, Facebook Messenger, Viber, WhatsApp, and Skype, were blocked in the country.

Net neutrality

People and organizations concerned about privacy or network neutrality find inspection of the content layers of the Internet protocol offensive, saying for example, "the 'Net was built on open access and non-discrimination of packets!" Critics of network neutrality rules, meanwhile, call them "a solution in search of a problem" and say that net neutrality rules would reduce incentives to upgrade networks and launch next-generation network services.

Deep packet inspection is considered by many to undermine the infrastructure of the Internet.

Encryption and tunneling subvert DPI

With the increased use of HTTPS and privacy tunneling using VPNs, the effectiveness of DPI is coming into question. In response, many web application firewalls now offer HTTPS inspection, in which they decrypt HTTPS traffic in order to analyze it. The WAF can either terminate the encryption, so that the connection between the WAF and the client browser uses plain HTTP, or re-encrypt the data using its own HTTPS certificate, which must be distributed to clients beforehand.

Infrastructure security

Traditionally the mantra that has served ISPs well has been to operate only at Layer 4 and below of the OSI model. This is because simply deciding where packets go and routing them is comparatively easy to handle securely. This traditional model still lets ISPs accomplish required tasks safely, such as restricting bandwidth according to the amount of bandwidth used (Layer 4 and below) rather than per protocol or application type (Layer 7). There is a very strong and often ignored argument that ISP action above Layer 4 of the OSI model provides what are known in the security community as "stepping stones", or platforms from which to conduct man-in-the-middle attacks. This problem is exacerbated by ISPs often choosing cheaper hardware with a poor security track record for the very difficult, and arguably impossible to secure, task of deep packet inspection.

OpenBSD's packet filter specifically avoids DPI for the very reason that it cannot be done securely with confidence.

This means that DPI-dependent security services such as TalkTalk's HomeSafe implementation are actually trading the security of a few (which can be protected, and often already are, in many more effective ways) for decreased security for all, with users who also have far less possibility of mitigating the risk. The HomeSafe service in particular is opt-in for blocking, but its DPI cannot be opted out of, even by business users.

Software

nDPI (a fork of OpenDPI, which has been declared end-of-life by the developers of ntop) is the open-source engine for non-obfuscated protocols. PACE, another such engine, includes obfuscated and encrypted protocols, which are the types associated with Skype or encrypted BitTorrent. As OpenDPI is no longer maintained, the OpenDPI fork nDPI was created; it is actively maintained and extended with new protocols including Skype, Webex, Citrix, and many others.

L7-Filter is a classifier for Linux's Netfilter that identifies packets based on application-layer data. It can classify packets as Kazaa, HTTP, Jabber, Citrix, BitTorrent, FTP, Gnucleus, eDonkey2000, and others. It classifies streaming, mailing, P2P, VoIP, protocol, and gaming applications.

Hippie (Hi-Performance Protocol Identification Engine) is an open-source project developed as a Linux kernel module. It was developed by Josh Ballard. It supports both DPI and firewall functionality.

The SPID (Statistical Protocol IDentification) project is based on statistical analysis of network flows to identify application traffic. The SPID algorithm can detect the application-layer protocol (Layer 7) by analyzing flow statistics (packet sizes, etc.) and payload statistics (byte values, etc.) from pcap files. It is a proof-of-concept application and currently supports approximately 15 applications/protocols such as eDonkey obfuscated traffic, Skype UDP and TCP, BitTorrent, IMAP, IRC, MSN, and others.
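An added example (not SPID's own code, nor code from the page) of the statistical approach the previous paragraph describes, as opposed to the payload-signature matching used by the other engines listed here. A flow is fingerprinted by the distribution of packet sizes per direction, learned profiles are built from labelled flows, and a new flow is assigned to the closest profile by Kullback-Leibler divergence, or reported as unknown when no profile is close. The bin edges, the smoothing constant, the cut-off and all training and test flows are assumptions constructed for the example.

```python
"""Statistical (SPID-style) flow classifier; added example, not SPID's code.
Fingerprints a flow by its per-direction packet-size distribution and
compares it with learned profiles using KL divergence.  All flows are
constructed, not captured."""
import math

SIZE_BINS = (64, 256, 1024)        # bucket edges -> 4 size classes
EPS = 0.01                          # smoothing so no bin is exactly zero
MAX_DIVERGENCE = 1.5                # assumed cut-off; above it: unknown


def size_bin(size):
    """Map a packet size to its bucket index 0..len(SIZE_BINS)."""
    for i, edge in enumerate(SIZE_BINS):
        if size < edge:
            return i
    return len(SIZE_BINS)


def fingerprint(flow):
    """flow: list of (direction, size) with direction 'c2s' or 's2c'.
    Returns a smoothed, normalised 8-bin probability vector."""
    counts = [EPS] * (2 * (len(SIZE_BINS) + 1))
    for direction, size in flow:
        base = 0 if direction == "c2s" else len(SIZE_BINS) + 1
        counts[base + size_bin(size)] += 1.0 / len(flow)
    total = sum(counts)
    return [c / total for c in counts]


def kl_divergence(p, q):
    """D(p || q): how surprising flow p is under profile q."""
    return sum(pi * math.log(pi / qi) for pi, qi in zip(p, q))


def train(samples):
    """samples: {label: [flow, ...]} -> {label: averaged fingerprint}."""
    profiles = {}
    for label, flows in samples.items():
        fps = [fingerprint(f) for f in flows]
        profiles[label] = [sum(col) / len(fps) for col in zip(*fps)]
    return profiles


def classify(flow, profiles):
    """Return (label, divergence); label is 'unknown' above the cut-off."""
    fp = fingerprint(flow)
    label, best = min(((lbl, kl_divergence(fp, q)) for lbl, q in profiles.items()),
                      key=lambda t: t[1])
    return (label if best <= MAX_DIVERGENCE else "unknown"), best


# Constructed training flows: one web download and one VoIP-like call.
TRAINING = {
    "http": [[("c2s", 300)] + [("s2c", 1400)] * 5],
    "voip": [[("c2s", 172), ("s2c", 172)] * 20],
}


def demo():
    """Classify three constructed flows against the trained profiles."""
    profiles = train(TRAINING)
    web_like = [("c2s", 400)] + [("s2c", 1200)] * 4 + [("s2c", 600)]
    call_like = [("c2s", 160), ("s2c", 180)] * 15
    upload_only = [("c2s", 1400)] * 10          # resembles neither profile
    return {name: classify(flow, profiles)[0]
            for name, flow in (("web_like", web_like),
                               ("call_like", call_like),
                               ("upload_only", upload_only))}
```

Note that nothing here reads a single payload byte, which is why this kind of classifier keeps working on encrypted or obfuscated traffic, and also why it only ever yields a probabilistic label rather than a definite protocol match.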

Tstat (TCP STatistic and Analysis Tool) provides insight into traffic patterns and gives details and statistics for numerous applications and protocols.

Libprotoident introduces Lightweight Packet Inspection (LPI), which examines only the first four bytes of payload in each direction. That allows it to minimize privacy concerns while decreasing the disk space needed to store the packet traces required for classification. Libprotoident supports over 200 different protocols, and its classification is based on a combined approach using payload pattern matching, payload size, port numbers, and IP matching.

A French company called Amesys designed and sold an intrusive and massive Internet monitoring system, Eagle, to Muammar Gaddafi.

Comparison

A comprehensive comparison of various network traffic classifiers that rely on deep packet inspection (PACE, OpenDPI, four different configurations of L7-filter, nDPI, Libprotoident, and Cisco NBAR) is given in the Independent Comparison of Popular DPI Tools for Traffic Classification.

Hardware

Greater emphasis is being placed on deep packet inspection, which came to light after the rejection of both the SOPA and PIPA bills. Many current DPI methods are slow and costly, especially for high-bandwidth applications. More efficient methods of DPI are being developed. Specialized routers are now able to perform DPI; a router armed with a dictionary of programs can help identify the purposes behind the LAN and Internet traffic it routes. Cisco Systems is now on its second iteration of DPI-enabled routers with the announcement of the Cisco ISR G2 router.


External links

  • Testing Methodology (registration required)
  • Redirecting Deep Packet Inspection the Right Way
  • What is "Deep Inspection"?
  • A collection of essays from industry experts
  • What is Deep Packet Inspection and Why the Controversy
  • White Paper "Deep Packet Inspection – Technology, Applications & Net Neutrality"
  • Egypt's cyber-crackdown aided by US company: DPI used by the Egyptian government in recent internet crackdown
  • savetheinternet.com
  • Deep Packet Inspection puts its stamp on an evolving Internet
  • Validation of DPI policies using real applications
  • A handheld capture device with PCAP storage
  • Deep Packet Inspection Using Quotient Filter

Source of the article: Wikipedia
