Login
- Table of Contents
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 01-DPI overview | 129.47 KB |
DPI overview
Deep packet inspection (DPI) inspects application layer payloads to protect the network against application layer malicious activities, such as worms, viruses, spams, breaches, and information leakage.
Firewalls operate at the network layer and transport layer. DPI further enhances network security.
DPI functions
DPI inspects data packets centrally in the DPI engine and processes data packets in DPI service modules. This mechanism streamlines packet inspection and processing procedures, improves inspection efficiency, and simplifies configuration.
DPI provides the following functions:
· Service identification—The DPI engine identifies the service of a data flow by analyzing the application layer payload and matching the payload against signatures. DPI engine informs the DPI service modules of the identification results for service control.
· Service control—DPI service modules control services flexibly by using DPI service policies. Actions that DPI service policies use for data flows include permit, drop, block source, reset, capture, and log.
· Service statistics—DPI provides service statistics about service types, protocol parsing, signature inspection, and packet processing. Service statistics visually display the distribution of data flows and the use of different services. You can find factors that might promote service development or affect network operation.
DPI signature libraries
A DPI signature library is a collection of common signatures that DPI uses for service identification. H3C releases up-to-date signatures in the form of DPI signature library files. You can manually download the files or configure the device to automatically download the files to update the DPI signature libraries.
The device supports only the IPS signature library.
You can also define signatures of your own as required.
DPI services
DPI services that the device supports include IPS and NBAR. Table 1 provides more details about the DPI services.
Table 1 DPI services
|
DPI service |
Function |
|
IPS |
Monitors network traffic for malicious activities and proactively takes actions to protect the network against attacks. |
|
NBAR |
Identifies the application layer protocols of packets by comparing packet content against signatures. For more information about NBAR, see Security Configuration Guide. |
DPI mechanism
DPI must cooperate with relevant security features to form an integrated security system. Relevant security features include security zone, zone pair, object group, and object policy. For information about the security zone and zone pair, see Fundamentals Configuration Guide. For information about the object group and object policy, see Security Configuration Guide.
When receiving a packet of a zone pair, the device compares the packet against the object policy applied to the zone pair.
· If no matching object policy rule is found, the device drops the packet.
· If a matching object policy rule is found and the rule action is drop or pass, the device drops the packet or allows the packet to pass.
· If a matching object policy rule is found and the rule action is inspect, the device uses the specified DPI application profile to perform DPI on the packet. If the specified DPI application profile does not exist, the device allows the packet to pass.
Figure 1 DPI mechanism
DPI configuration workflow
Figure 2 shows the basic configuration workflow for DPI.
Figure 2 DPI configuration workflow
