[Overview] Deep Packet Inspection Definition/Functions/Pros/Cons
This article from the MiniTool library defines the meaning, features, advantages, and disadvantages of deep packet inspection. It also compares deep packet inspection with shallow (stateful) packet inspection and shows the differences between them.
Deep Packet Inspection Definition
What Is Deep Packet Inspection?
Deep packet inspection (DPI) is a kind of data processing that inspects, in detail, the data being sent over a network. Depending on what it finds, DPI takes actions such as alerting, blocking, re-routing, or logging. It is also called packet sniffing.
There are many ways to acquire packets for deep packet inspection. Port mirroring, also called a SPAN port, is a common one. Another usual solution is to physically insert a network tap that duplicates the data stream and sends the copy to an analyzer for inspection.
Deep Packet Inspection Functions
A deep packet inspection firewall is usually used to baseline application behavior, ensure correct data formats, analyze network usage, troubleshoot network performance, and check for malicious code; DPI is also used for eavesdropping and Internet censorship, among other purposes.
The rich data evaluated by deep packet inspection tools provides a more robust mechanism for enforcing network packet filtering. DPI can more accurately identify and block a wide range of complex threats hiding in network data streams, including:
- Malware
- Malicious command-and-control communications
- Data exfiltration attempts
- Content policy violations
Though it has been applied to Internet management for many years, some net neutrality advocates fear that deep packet inspection may be used anti-competitively or to reduce the openness of the Internet.
Deep packet inspection techniques are used in a variety of applications at the so-called “enterprise” level (large institutions and corporations), by telecommunications service providers, and by governments.
Deep Packet Inspection vs Stateful Packet Inspection
An IP packet carries multiple headers. Network equipment needs only the first of these, the IP header, for normal operation. Inspecting the second header as well (the TCP or UDP header) is still considered shallow packet inspection, usually called stateful packet inspection (SPI), rather than deep packet inspection.
Deep packet inspection examines the full content of data packets, including the metadata associated with each packet, as they traverse a monitored network checkpoint, whereas conventional stateful packet inspection evaluates only packet header information such as the source IP address, destination IP address, and port number.
In other words, a deep packet inspection firewall scrutinizes not only the information in the packet header but also the content of the packet's payload. DPI capabilities have evolved to overcome the limitations of traditional firewalls that rely on stateful packet inspection.
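The following Python script is an added example, not code from the MiniTool article, that makes the header-versus-payload distinction concrete; it also exercises the threat categories listed earlier (command-and-control traffic, data exfiltration, content policy violations) and the encrypted-traffic limitation discussed below. It builds a few constructed IPv4/TCP packets with struct, runs a header-only (stateful-style) check that sees just the 5-tuple, and then a DPI pass that scans the payload against a handful of signatures. The addresses, ports, hostnames, policy and signatures are all assumptions invented for the example.

```python
"""Shallow (header-only) vs deep (payload) packet inspection.

Added example, not part of the MiniTool article. All packets, addresses,
hostnames, ports and signatures below are constructed for illustration.
"""
import ipaddress
import re
import struct
from dataclasses import dataclass


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes


def build_ipv4_tcp(src_ip, dst_ip, src_port, dst_port, payload):
    """Serialise a minimal IPv4 + TCP packet (checksums left at zero; fine for a demo)."""
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                          5 << 4, 0x18, 65535, 0, 0)       # data offset 5 words, PSH|ACK
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(raw):
    """Walk the IP header, then the TCP header, and return the 5-tuple plus payload."""
    ihl = (raw[0] & 0x0F) * 4                    # IP header length in bytes
    if raw[9] != 6:
        raise ValueError("only TCP is handled in this example")
    src_ip = str(ipaddress.IPv4Address(raw[12:16]))
    dst_ip = str(ipaddress.IPv4Address(raw[16:20]))
    tcp = raw[ihl:]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                # TCP header length in bytes
    return Packet(src_ip, dst_ip, src_port, dst_port, tcp[data_off:])


# Constructed header-only policy: a stateful firewall can enforce this from ports alone.
BLOCKED_DST_PORTS = {23}                         # e.g. cleartext telnet is not permitted


def shallow_inspect(pkt):
    """Stateful/shallow inspection: the verdict comes from the IP/TCP headers only."""
    return "block" if pkt.dst_port in BLOCKED_DST_PORTS else "allow"


# Constructed payload signatures: none of these can be evaluated without reading the payload.
SIGNATURES = [
    ("content-policy", re.compile(rb"^Host: .*\.blocked-example\.test\r?$", re.M)),
    ("exfil-card-number", re.compile(rb"\b(?:\d{4}[ -]?){3}\d{4}\b")),
    ("c2-beacon", re.compile(rb"^GET /beacon\?id=[0-9a-f]{8} HTTP/1\.[01]", re.M)),
]


def deep_inspect(pkt):
    """DPI: apply the header policy first, then scan the payload; any signature hit blocks."""
    verdict = shallow_inspect(pkt)
    hits = [name for name, rx in SIGNATURES if rx.search(pkt.payload)]
    return ("block" if hits else verdict), hits


SAMPLE_PACKETS = {
    "policy-violation": build_ipv4_tcp("10.0.0.5", "203.0.113.10", 51000, 80,
        b"GET /index.html HTTP/1.1\r\nHost: www.blocked-example.test\r\n\r\n"),
    "exfil": build_ipv4_tcp("10.0.0.5", "203.0.113.10", 51001, 8080,
        b"POST /upload HTTP/1.1\r\nHost: files.example\r\n\r\ncard=4111 1111 1111 1111\r\n"),
    "c2": build_ipv4_tcp("10.0.0.5", "203.0.113.10", 51002, 80,
        b"GET /beacon?id=0a1b2c3d HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n"),
    # Shaped like a TLS application-data record: opaque bytes, so no signature can match.
    "encrypted": build_ipv4_tcp("10.0.0.5", "203.0.113.10", 51003, 443,
        b"\x17\x03\x03\x00\x20" + bytes(range(0x80, 0xA0))),
    "telnet": build_ipv4_tcp("10.0.0.5", "203.0.113.10", 51004, 23, b"login: "),
}


def inspect_all(packets=SAMPLE_PACKETS):
    """Return {name: (shallow verdict, deep verdict, signature hits)} for each packet."""
    results = {}
    for name, raw in packets.items():
        pkt = parse_ipv4_tcp(raw)
        deep_verdict, hits = deep_inspect(pkt)
        results[name] = (shallow_inspect(pkt), deep_verdict, hits)
    return results


if __name__ == "__main__":
    for name, (shallow, deep, hits) in inspect_all().items():
        print(f"{name:17} shallow={shallow:5} deep={deep:5} hits={hits}")
```

Run as a script, the header-only pass allows every packet except the telnet one, because the 5-tuple carries nothing that distinguishes a policy violation, an exfiltration attempt or a beacon from ordinary web traffic; the DPI pass blocks all three once it reads the payload. The "encrypted" packet is allowed by both passes: the opaque bytes match no signature, which is exactly why an inspecting device has to decrypt inline, at the processor cost described in the next section, before DPI can see inside TLS.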
Deep Packet Inspection Advantages and Disadvantages
The added visibility that deep packet inspection's probing analysis provides helps IT teams enforce more comprehensive and detailed cybersecurity policies, which is why many firewall vendors adopt it.
Yet many organizations find that enabling deep packet inspection on firewall appliances introduces unacceptable network bottlenecks and poor performance, so many users choose to skip the inspection. When they connect to cloud and online resources directly, without a VPN connection, they end up bypassing the network perimeter protections altogether.
Moreover, for encrypted traffic, decrypting the data and inspecting it inline with the traffic flow is a processor-intensive activity that overwhelms many hardware-based security devices. In response, many administrators choose to turn off their firewalls.