What is Deep Packet Inspection (DPI)?

Network security solutions are designed to examine network traffic to identify and block potential malicious content or attempted data exfiltration. They can do so in various ways and by using different information contained within this traffic.

Deep packet inspection (DPI) involves examining the payloads of network packets as part of the inspection process. When successful, this provides the greatest ability to identify and block potential threats.

The Structure of a Network Packet

A network packet can be divided into two main sections. A packet will contain multiple headers as well as a payload.

Network packet headers are designed to help route the packet through the network to its destination and to help ensure a good connection. For example, the IP address and TCP/UDP port numbers used to identify the computer and application that a packet is intended for are contained within a packet header.

The packet payload contains the actual data that the network packet is designed to carry, and not all packets have payloads. For example, the content of a webpage requested via a browser will be contained within the payload of an HTTPS packet.

How Deep Packet Inspection Works

Some network security solutions will only examine the headers of a packet to determine whether it should be allowed to continue on to its destination. For example, a firewall may block traffic destined for certain IP addresses or ports that are not intended to be publicly accessible.

However, this approach doesn’t provide protection against all potential threats. For example, a network security solution can’t identify if a webpage has malicious content by looking at the headers.

Deep packet inspection (DPI) involves examining the payload of the packet as well as its headers. This enables the security solution to scan the packet for malware, data exfiltration, or other potential threats. With DPI, a network security solution can find and block threats that are undetectable when only analyzing packet headers.

Challenges of Deep Packet Inspection

DPI has the potential to enhance an organization’s network security. However, it does face certain challenges, including:

  • Encrypted Traffic: A growing percentage of network traffic uses encrypted protocols like HTTPS. This makes it infeasible for network security solutions to perform DPI without access to the necessary encrypted keys.

  • Data Volumes: Performing DPI means that an organization’s security tools will inspect and potentially store the full content of each network packet. This can be a massive amount of data, which can be expensive to store and difficult to analyze.

  • Performance Impacts: An in-line network security solution will need to inspect a packet’s content and make a decision before the packet can progress on to its destination. This can introduce latency if the DPI process is slow or the solution is overwhelmed.

Conclusion

DPI provides deeper insight into network traffic and potential threats to the network by inspecting the content of network packets as well as their headers. However, there are challenges associated with implementing DPI at scale while maintaining network performance and security.

KZero Staff
Explore more insightful content from the knowledgeable KZero staff on our blog. Dive into page 2 for a wealth of knowledge, expertise, and inspiration.

Want to Learn More?
Speak to an Expert

Witness the simplicity of passwordless access for your workforce and customers. Contact us today to arrange a customized demo.
Schedule a Meeting