DPI is an advanced form of packet filtering that examines and manages network traffic
Deep packet inspection (DPI) is an advanced form of packet filtering that examines and manages network traffic. Unlike conventional packet filtering, which examines only packet headers, DPI looks in detail at the contents of the data packets traversing a network. It identifies, classifies, and detects packets whose payloads attackers have obfuscated (for example, executables concealed in an HTTP request) or that traditional packet analysis cannot detect for other reasons. These capabilities make DPI a critical tool for SOC teams seeking not only to gain more thorough visibility into their networks but also to control unwanted or potentially malicious traffic.
R&S PACE 2 DPI engine
The Indigo Software large-scale firewall integrates the R&S® PACE 2 DPI engine from the German cybersecurity leader Rohde & Schwarz. With throughput of up to 14 Gbps per core, it is the highest performing DPI engine available today. R&S PACE 2 also provides state-of-the-art IP traffic analytics capabilities, including behavior analysis.
As a result, the Indigo large-scale firewall delivers comprehensive network visibility, including granular information on applications and protocols to enable proper classification. This provides powerful benefits to network operator customers. For example, the Indigo firewall can reroute or block packets that network operators have defined by policy as illegitimate. At the same time, the Indigo solution provides industry-leading capabilities for minimizing false negatives and false positives, which avoids cutting subscribers off from legitimate use of services such as Google or AWS.
Flow and subscriber tracking / protocol decoders
Extensive flow and subscriber tracking coupled with protocol decoders enable the Indigo firewall to classify thousands of applications and protocols. The firewall provides content and metadata extraction regardless of whether the protocols use advanced obfuscation, port hopping techniques or encryption. This includes new applications as well as the latest versions of existing applications such as Signal. It also provides metrics and heuristics from IP traffic in real time. When used for large-scale network cybersecurity, this approach gives SOC teams unparalleled application visibility, which allows effective monitoring and control of applications on telco, mobile, satellite Internet and ISP networks.
Flow and subscriber tracking
- IP defragmentation
- TCP reassembly engine
- Tunnel decapsulation: GRE, L2TP, GTP-U
- HTTP response decompression
Application and protocol classification
- VoIP / Messaging: Skype, SIP, Skinny, H323, WhatsApp, Signal, WeChat, LINE, etc.
- Social Networking: Facebook, Twitter, MySpace, LinkedIn, Instagram, Tumblr, etc.
- P2P / Filesharing: BitTorrent, eDonkey, Rapidshare, Uploaded.to, 4shared, etc.
- Streaming: YouTube, Netflix, Hulu, Vimeo, QQLive, Youku, iTunes Radio, etc.
- Bitcoin transaction detection
Protocol decoders
- HTTP
- SSL
- DNS
- Email: POP3, SMTP, IMAP
- VoIP: SIP, RTP
- Chat: IRC, ICQ, Jabber, Oscar, Yahoo
- File Transfer: FTP, BitTorrent
- AAA: GTP, RADIUS, DIAMETER
DPI engine protects against web application attacks
According to Whitehat Security, web applications are perpetually vulnerable “40-60% of the time,” making them easy targets for hackers. The damage caused by a successful web application attack can range from the installation of ransomware to the use of a compromised server as a back door into the network and core applications to steal business-critical information.
When deployed as a web application firewall (WAF), the DPI engine enables the Indigo solution to detect today’s highly sophisticated application layer attacks. These include injected code such as SQL injection attacks, as well as advanced persistent threats (APTs), which are typically obfuscated in HTTP requests to evade traditional detection methods.
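The contrast drawn above between header-only filtering and payload inspection (in the DPI definition and in this WAF passage) can be made concrete with a small detector. The following is an added example written for this page; it is not code from the original page, from Indigo Software or from the R&S PACE 2 engine, and it assumes reassembled HTTP requests as input. The sample requests, the port-based "conventional filter", the injection patterns and the base64-smuggling check are all constructed for illustration.

```python
import base64
import re
from urllib.parse import unquote

# Constructed sample requests (not real captures). All three arrive on TCP/80,
# so a filter that looks only at headers sees no difference between them.
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
SQLI = (b"GET /login?user=admin%2527%2520OR%2520%25271%2527%253D%25271 HTTP/1.1\r\n"
        b"Host: example.test\r\n\r\n")
# A PE executable (magic bytes "MZ") concealed in a POST body as base64 text.
HIDDEN_EXE = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
              b"Content-Type: text/plain\r\n\r\n"
              + base64.b64encode(b"MZ\x90\x00" + bytes(60)))

# Illustrative injection shapes that appear once URL encoding is undone; not a full rule set.
SQLI_PATTERN = re.compile(r"(?i)\bunion\b.+\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+|;\s*drop\s+table")

def header_only_verdict(dst_port: int) -> str:
    """Conventional packet filter: decides on header fields (here the port), never the payload."""
    return "allow" if dst_port == 80 else "deny"

def parse_http_request(raw: bytes):
    """Split a reassembled HTTP request into method, target, header dict and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def inspect_payload(raw: bytes) -> list:
    """DPI-style check: examine the request target and body, undoing simple obfuscation."""
    findings = []
    _method, target, _headers, body = parse_http_request(raw)
    decoded = unquote(unquote(target))  # two passes undo double URL encoding (%2527 -> %27 -> ')
    if SQLI_PATTERN.search(decoded):
        findings.append("sqli-in-uri")
    if body.startswith(b"MZ"):
        findings.append("pe-executable-in-body")
    else:
        try:  # an executable may be smuggled as base64 text; decode and re-check the magic bytes
            if base64.b64decode(body, validate=True)[:2] == b"MZ":
                findings.append("base64-pe-executable-in-body")
        except ValueError:
            pass  # body is not valid base64, so nothing is hidden this way
    return findings
```

All three constructed requests get the same "allow" verdict from the header-only check, while only the payload inspection separates the benign request from the two obfuscated ones.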