• Identity 101
  • What Is Deep Packet Inspection (DPI)? Definition & Usage

What Is Deep Packet Inspection (DPI)? Definition & Usage

Okta
Updated: 02/14/2023 - 11:26
Time to read: 4 minutes

The smallest amount of data you can send over a network is called a packet. During deep packet inspection, a system examines those tiny pieces. Based on the results, your firewall might send the packet through, block it, or reroute it.

What is deep packet inspection?

Typically, system administrators don't want anything to come between a sender and a server. During man-in-the-middle attacks, for example, hackers sit in the middle of a conversation stream and steal data. But during deep packet inspection, a firewall works like a filter. It looks over everything before the recipient even sees the note.

Each time someone wants to send you something, that stream of information breaks into packets per the internet control message protocol. Each one has part of the message, along with a header. That header contains information about the sender, and it includes instructions for reassembly. When all the packets arrive, the server can put the message back together for delivery. 

In a conventional packet filtering system, tools analyze the header of each packet. Deep packet inspections go further. 

During deep packet inspections, systems can also read the contents of the packet. Filters also allow administrators to reroute information that comes from a specific internet address, and they can target messages that come from a specified app. 

You might use deep packet inspection to protect your company from hackers, viruses, spam, or offensive content. 

While private companies use packet inspection to protect their servers, many large organizations do the same thing. For example, internet service providers use DPI firewalls to capture information for long-term storage. If authorities request that data, the ISP can comply. 

How does deep packet inspection work?

As more devices (including mobile tools and connected appliances) go online, deep packet inspection grows more and more common. Plenty of approaches exist, which allow system administrators almost endless customization options. 

You, your system administrator, your network provider, or another entity creates the rules to enforce during deep packet inspection. Common approaches include:

  • Pattern matching. Every attack comes with a repeatable signature. The more teams know about how a hack worked, the more details they can program into their filters. For example, a successful hack against Capital One in 2019 resulted in the release of 140 thousand Social Security numbers. Forensic analysis of that hack, applied to deep packet inspection rules, could block the next similar attack. 
  • Deny by default. Programmers describe this approach as restricting traffic to only what is necessary. The system denies everything else, even if it's possibly valid. Use this technique, and you'll block anything you're not expressly sure is safe, based on how your network typically operates. 
  • System defaults. Your firewall provider may have present DPI network rules. Leave them as they are, and you'll allow the company to protect you.

You can change your approach and your rules as often as you need to. But adjusting your settings can take both time and expertise.

How DPI can help & harm you 

Employ deep packet inspection properly, and you could avoid the next major security risk your company faces. But some drawbacks do await you. 

A well-designed DPI firewall can help you avoid attacks embedded in seemingly harmless pieces of data. Deep packet inspection gets the credit for stopping things like:

  • Malware. If a hacker has used code that your firewall recognizes, your filters could stop it from ever touching your system. 
  • Spam. If a persistent salesperson sends multiple messages, you could block that person from ever reaching your system again. 
  • Theft. You could block packets stuffed with company secrets or valuable data from ever leaving your servers. 
  • Noncompliance. You train your staff not to take in something dangerous and not to send anything valuable out. Your DPI firewall enforces those rules, just in case your team forgets. 
  • Training. Your DPI system can also log items that seem dangerous but don't meet the threshold for blockage. Studying those notes could help you understand your specific security landscape so you can adjust accordingly. 

Common challenges associated with deep packet inspections include:

  • Irritation. Lock down the rules too tightly, and your staff may not be able to communicate freely. Your customers may not be able to reach you either. 
  • Complication. You must program your DPI tools, in most cases. You'll need to know a bit about code and threats, and making changes can be time-consuming. 
  • Speed. Your system needs time to look through each packet, and while your end users may not notice the lag in standard communication (like email), they may see the shift in other media (like video). 

You may decide that the protections you get from deep packet inspection far outweigh the risks. But be sure you know what you're getting into before you sign on. 

If you're looking for more information on what firewalls are and how they work, check out this blog post. And don't be afraid to contact us with questions! We're here to help.

References

Deep Packet Inspection: The Smart Person's Guide. (March 2017). TechRepublic. 

Seven of the Biggest Hacks in History. (July 2019). CNN. 

Why We Should Deny by Default. (November 2017). Cyber Kassandra.