Showing results for 
Search instead for 
Did you mean: 
Create Post

Deep Packet Inspection - Keeping bad guys (and stuff) out

Level 10

In my last blog, I introduced some of the basics of network security and why enforcing traffic on the standard source port isn't enough to determine what’s in a payload. I've talked mostly about port 80 and HTTP, but the ports associated with DNS (UDP 53) are also often abused.

In the context of firewalls, Deep Packet Inspection (DPI) is often the first line of defence against port tunnelling or applications that obfuscate their intent. Different security vendors call it different things, but the differences amount to marketing and implementation. Firewall DPI looks beyond the simple source/destination/port three tuples and attempts to understand what is actually going on. There are two ways this is commonly achieved, protocol anomaly detection (PAD) and signatures checks.

Protocol Anomaly Detection

Commonly used protocols usually have an IETF RFC associated (the ones that don’t tend to be closed implementations of client/server apps). Each RFC defines the rules that two hosts must follow if they are to successfully communicate. As an example the specification for HTTP 1.1 is defined in RFC 2616*. It lays out the standard actions for GET, POST, DELETE etc.  PAD inspects the traffic flowing through the firewall (or IDS device, for that matter) and compares it with a literal definition of the RFCs (plus any common customizations). If TCP packet contains a payload of HTTP but is using the ports typically associated with DNS; then clearly something is amiss.  With PAD enabled, some applications that attempt to tunnel using any open port (Skype and VPN clients are common culprits) may be stopped by the firewall. Additionally, it prevents some vendor-implementation attacks. For example, if bounds checking isn't properly implemented a malformed string may cause a process to crash; or arbitrary code execution. A nice, tight, PAD engine should pick this up and protect a vulnerable server.  Code Red was the classic example and to this day, very occasionally, I see a match signature match in my firewall logs as some lonely, un-patched IIS server trawls the net looking for someone to infect..

PAD has it limitations though;

  • Some protocols change often and are not that well documented; valid traffic can sometimes be blocked by an out-of-date or too restrictive implementation of PAD
  • It’s not that hard to write an application that appears to confirm to the RFC but still allows the exchange of data

As result, PAD is often combined with another common defence; protocol signatures.

Protocol Signatures

Protocol signatures are analogous to desktop AntiVirus signatures. Every time something “bad” is detected (lets take Heartbleed as a recent example), security vendors scramble to create a pattern that matches so it can be identified and blocked. I've written about this elsewhere before, but signatures are also an imperfect measure of intention. There are often shades of grey (and no, there are not 50 of them, you filthy people) between what is definitely good traffic and definitely bad. But, it’s not all bad. As a side-effect, signatures can also be used to be provide fine control over the users web activities.
This is not an accurate science, and vendor implementations vary greatly in what they can offer.  For example, identifying Facebook over HTTP is straightforward enough, but blocking it outright is unlikely to win many friends, especially at the executive level. Apparently, a lot of business is conducted on Facebook so draconian policies are effectively impossible. As result, one has to disappear down the rabbit-hole of Facebook applications. Some vendors boast of being able to identify thousands of individual applications, but trying to establish a meaningful corporate security policy on each one would be futile. The best firewall implementations break it down into categories, and enable the creation of a policy along these lines:

  • Permit Chat applications, but warn the user they are logged (and not just by the NSA)
  • Block Games outright, except after 6pm
  • Otherwise Allow Facebook

This is not perfect, and indeed determined users will always find a way past, but it might deter that idiot in Sales from abusing his ex-girlfriend in Accounts on company time and equipment.

In most cases, both PAD and signatures are enabled on the firewall. Signatures are good for identifying stuff that is known to be bad, whilst PAD can mop up *some* of the unknown stuff and prevent some protocol tunnelling attacks.

For my next post, I’m going to move onto the “Making things go faster” aspects of DPI. Edit: Sorry, after the popular vote I've covered the security limitations of DPI. Plenty more to come!

* During the research for this post I discovered that RFC 2616 is essentially deprecated have been rewritten as a series of more precise RFCs, 7230-7235. I stumbled across this blog by one of the revision authors, so I thought it would be nice to share.

Level 11

This is really teaching me some good stuff about DPI. I've never really looked into it, but I'm glad this series has come along!

Level 12

Thank you for the new RFC info.  I didn;t even realize that there had been a revamp of the old RFC.  (only slightly out of touch I guess)

Level 10

Yeah it came as a surprise to me too! Things have really gone badly wrong if you are having to refer to an RFC, but it's good that such important ones are being actively maintained to make them better!

Level 10

Hi! Given how well the Security focus as been recieved on this blogs, I'm tempted to abandon my original intention and just focus on that, however, I don't want anyone to miss out, so if you have an opinion on what you'd like to see me write about next, please vote in the poll, it closes in 3 days so be quick!

Level 11

Really interesting and good stuff here.  My specialty is NOT security (thankfully we have others that are much better at that).  But I have a strong desire to get better at it and appreciate the work you're putting into it.  Although, I take strong offense to the "filthy people" comment.. To close to home!    But seriously, thank you.


Level 11

I agree with warning the users...good practice. and No games is how business should be.

Level 12

is there anything wrong with this topic? glenkemp

Level 10

Um, did I spell Library with one "r"' again?

Level 14

Cool high-level post. When implementing DPI rules, it can also be time-consuming finding those handful of systems that DO need to have port XYZ open, or these few systems which should be allowed to send protocol X traffic over protocol Y's port (because the software vendor was just that helpful.)

Level 12

you spelt Library just fine.. Thanks glenkemp

Level 13

In one particular case PAD allowed us to identify some unauthorized traffic and eliminate GBs of wasted bandwidth.  The traffic in that case was HTTP traffic going to a web server in Russia listening on TCP 53.  My primary firewall just identified the traffic as being DNS based on the destination port.  However, my content filtering firewall sitting in-line was able to properly identify and show this on a heat map.

This is also a good example to argue for proper egress filtering.


You lost me at "shades of grey"

Just kidding, great information. I'm not a security person either but it's nice learn about thi.

Level 12

Good blog about DPI cant wait to read more on this now.

Level 9

The balance of humor and realistic info is nice in this post.  Blending the two together also worked well, like here: "This is not perfect, and indeed determined users will always find a way past, but it might deter that idiot in Sales from abusing his ex-girlfriend in Accounts on company time and equipment."  This made me laugh and made me cringe at the same time.  Love it.  I'll be looking for the follow-ups!

Level 11

This is good. We are looking at turning on PAD on more of our firewalls / IPS modules.

We are a little concerned that turning on PAD will significantly eat up CPU horsepower on the devices and generally make traffic passing through seem "slow".

Anyone have performance problems running PAD?

Level 11

Nice responses. PAD does eat up CPU fast.

Level 10

Really enjoyed this post. Thank you for the RFC references!

Level 13

Sharing this with our InfoSec people. Great post!

Level 17

Very nice references glenkemp Keep on with the security, I am still picking up the pieces of my mind from this read.

Level 12

Real good information here.

Level 11

i Enjoyed the read.

Level 21

I think the best part of this was "Block Games outright, except after 6pm". 

Level 12

good Stuff

Level 10

Heh, it's just an example, and YMMV

Level 12

I like "Block Games outright" but I would also like "Permanently ban TwitBookEdIn+ for all but marketing" as it (in my despotic view) has no place in business... except for marketing...

Level 12

Here here syldra

I can support that perspective anyday

Level 12

I wish I had written "... except maybe for marketing..." as I am not convinced it's always the case...

Level 10

Ha Ha! Looks like we've discovered two BOFH's here then! I think it does depend on what kind of Org you are talking about, but IMHO social media does have a place, but it is easily abused. The way to deal with it is carrot + stick. Employees should be encouraged to use Social media, but they must have appropriate training to back that up and proper management of employees who abuse it or risk brining the company, by association into disrepute.  To coin a phrase, there is nothing more ingenious than a determined idiot, and if you make these things too difficult, people will find a way around and the result will often be significantly worse.

Level 11

I've never heard that particular phrase before, but I do like it. Nicely put!

Level 12

Haha ! You have no idea how much of a BOFH I can be.

"It's MY network"

Level 13

Case and point! Now vote for me and my ACTUAL Selfie!

Level 12

Haven't seen a BOFH reference in quite a while.  It gives me warm fuzzies.

Level 17

A user rings.

"Do you know why the system is slow?" they ask.

"It's probably something to do with..." I look up today's excuse "... clock speed."

"Oh" (Not knowing what I'm talking about, they're satisfied) "Do you know when it will be fixed?"

"Fixed? There's 275 users on your machine, and one of them is you. Don't be so selfish - logout now and give someone else a chance!"

Level 11

You should do like I have. Just take a knob off an old appliance and hang it in your office. Put a label above it that says "Network Speed," and put the dial to about 3.

Hilarity ensues.

Level 15

This was a beneficial introduction to the DPI and it inspired me to look further into the subject matter.  Thanks!

I've certainly appreciated McAfee's Firewall Enterprise DPI, but it's not a panacea.  Too many things aren't known/recognized, and are blocked by the firewall or incorrectly allowed by an admin overriding the "Application Defense."

Similarly, Cisco's AVC (Application Visibility and Control) can block at a pretty coarse level, but those who write new avoidance behavior for e-Donkey, gnutella, BitTorrent and the like, get around it, and Cisco's left passing the traffic.

ASA firewalls--same thing.  Once the RFC's allowed non-HTML traffic to be ported to port 80, firewall admins had to open it up so keep the users happy--at the expense of security.

Who's using Orion Firewall Security Manager, and does it do the job you need it to do?

About the Author
Glen Kemp is a professional services consultant for Fortinet Inc. in the U.K. His words are his own and do not necessarily reflect those of the company he works for. He designs and deploys network and application security tools, including access control, remote access, firewalls and other "keep the bad guys out" technologies. His blogs can be found at and at the Packet Pushers Podcast. Follow him on Twitter @ssl_boy.