04-DPI Configuration Guide


DPI overview

About DPI

Deep packet inspection (DPI) inspects application layer payloads to protect the network against application layer malicious activities, such as worms, viruses, spam, breaches, and information leakage.

Traditional security technologies inspect only the network layer and transport layer. DPI extends inspection to the application layer and so further enhances network security.

DPI functions

DPI provides the following functions:

·     Service identification—The DPI engine identifies the service of a data flow by analyzing the application layer payload and matching the payload against signatures. The DPI engine then informs the DPI service modules of the identification results for service control.

·     Service control—DPI service modules control services flexibly by using DPI service policies. The actions that DPI service policies can apply to data flows include permit, drop, block source, reset, capture, and log.

·     Service statistics—DPI provides service statistics about service types, protocol parsing, signature inspection, and packet processing. These statistics visually display the distribution of data flows and the use of different services, so you can identify factors that might promote service development or affect network operation.

DPI signature libraries

A DPI signature library is a collection of common signatures that DPI uses for service identification. H3C releases up-to-date signatures in the form of DPI signature library files. You can manually download the files or configure the device to automatically download the files to update the DPI signature libraries. You can also define signatures of your own as required.

The device supports the following DPI signature libraries:

·     IPS signature library.

·     URL filtering signature library.

·     APR signature library.

·     Virus signature library.

·     WAF signature library.

·     IP reputation signature library.

·     URL reputation signature library.

·     Domain reputation signature library.

DPI services

Table 1 lists the supported DPI services.

Table 1 DPI services

| DPI service | Function |
| --- | --- |
| IPS | Monitors network traffic for malicious activities and proactively takes actions to protect the network against attacks. |
| URL filtering | Controls access to Web resources by filtering the URLs that users visit. |
| Data filtering | Inspects the content of application protocol packets and filters out illegal packets. With data filtering, you can prevent internal users from accessing inappropriate websites or receiving packets that carry illegal content from the Internet. |
| File filtering | Filters files by filename extension. |
| Anti-virus | Inspects and handles viruses in files to protect the internal network. |
| NBAR | Identifies the application layer protocols of packets by comparing packet content against signatures. For more information about NBAR, see Security Configuration Guide. |
| Web application firewall (WAF) | Protects internal clients and Web servers by blocking Web application layer attacks. |
| IP reputation signature library | Filters network traffic by the IP addresses in the IP reputation signature library. |
| URL reputation signature library | Filters out malicious URLs and controls access to websites. |
| Domain reputation signature library | Filters network traffic by the domain names in the domain reputation signature library and controls access to websites. |

DPI mechanism

DPI can be implemented based on security policies or object policies.

Security policy-based DPI mechanism

Figure 1 illustrates how security policy-based DPI works.

After receiving a packet, the device matches the packet against the configured security policy rules.

A security policy rule includes various match criterion types. A packet matches a policy rule if the packet matches all the criterion types in the rule. Each criterion type includes one or more criteria, and a packet matches a criterion type if it matches any criterion of the type.

For information about security policy rules, see security policy configuration in Security Configuration Guide.

·     If no matching rule is found, the device drops the packet.

·     If a matching rule is found, the device processes the packet according to the rule action:

¡     If the rule action is drop, the device drops the packet.

¡     If the rule action is pass and a DPI application profile is specified for the rule, the device uses the DPI application profile to perform DPI on the packet. If the DPI application profile does not exist, the device permits the packet to pass.

¡     If the rule action is pass and no DPI application profile is specified for the rule, the device permits the packet to pass.

Figure 1 Security policy-based DPI mechanism

Object policy-based DPI mechanism

Figure 2 illustrates how object policy-based DPI works.

After receiving a packet in a zone pair, the device compares the packet against the object policy rules contained in the object policy applied to the zone pair.

An object policy rule can contain a set of match criteria, including source IP address, destination IP address, and service type. A packet matches a rule if the packet matches all the criteria in the rule. For information about security zones and zone pairs, see security zone configuration in Security Configuration Guide.

·     If no matching object policy rule is found, the device drops the packet.

·     If a matching object policy rule is found, the device processes the packet according to the configured rule action:

¡     If the rule action is drop, the device drops the packet.

¡     If the rule action is pass, the device permits the packet to pass.

¡     If the rule action is inspect, the device uses the specified DPI application profile to perform DPI on the packet. If the specified DPI application profile does not exist, the device permits the packet to pass.
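The two dispatch sequences above, modelled as an added example (not H3C code). Rule names, criterion types, profile names and packets are constructed for illustration; the audit helper at the end lists rules whose referenced DPI application profile does not exist, since such rules let traffic pass uninspected.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    action: str                      # "drop" or "pass"; object policies also use "inspect"
    criteria: dict = field(default_factory=dict)  # criterion type -> accepted values
    dpi_profile: str = ""            # DPI application profile name, "" if none

def rule_matches(rule, packet):
    """All criterion types must match; within a type, any one listed value is enough."""
    return all(packet.get(ctype) in values for ctype, values in rule.criteria.items())

def security_policy_dispatch(rules, packet, profiles):
    """Verdict of the security-policy-based mechanism: the first matching rule decides."""
    for rule in rules:
        if not rule_matches(rule, packet):
            continue
        if rule.action == "drop":
            return "drop"
        # pass: DPI runs only if the referenced profile exists; otherwise the packet is
        # permitted without inspection, a fail-open that is easy to miss
        if rule.dpi_profile and rule.dpi_profile in profiles:
            return "dpi:" + rule.dpi_profile
        return "permit"
    return "drop"                    # no matching rule: the device drops the packet

def object_policy_dispatch(rules, packet, profiles):
    """Verdict of the object-policy-based mechanism, which has a distinct inspect action."""
    for rule in rules:
        if not rule_matches(rule, packet):
            continue
        if rule.action != "inspect":
            return "drop" if rule.action == "drop" else "permit"
        return "dpi:" + rule.dpi_profile if rule.dpi_profile in profiles else "permit"
    return "drop"

def find_missing_profiles(rules, profiles):
    """Audit helper: names of rules that reference a DPI profile that does not exist."""
    return [r.name for r in rules if r.dpi_profile and r.dpi_profile not in profiles]

# Constructed sample data: one existing profile, and one rule naming a profile that does not.
PROFILES = {"ips-web"}
SEC_RULES = [
    Rule("deny-smb", "drop", {"dst_port": [445]}),
    Rule("web-inspect", "pass", {"src_zone": ["trust"], "dst_port": [80, 443]}, "ips-web"),
    Rule("mail-inspect", "pass", {"src_zone": ["trust"], "dst_port": [25]}, "ips-mail"),
]
OBJ_RULES = [Rule("lan-inspect", "inspect", {"src_ip": ["10.1.1.10"], "service": ["http"]}, "ips-web")]
```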

Figure 2 Object policy-based DPI mechanism

Restrictions: Hardware compatibility with DPI

| Hardware platform | Module type | DPI compatibility |
| --- | --- | --- |
| M9006, M9010, M9014 | Blade IV firewall module | Yes |
| M9006, M9010, M9014 | Blade V firewall module | No |
| M9006, M9010, M9014 | NAT module | No |
| M9010-GM | Encryption module | Yes |
| M9016-V | Blade V firewall module | No |
| M9008-S, M9012-S | Blade IV firewall module | Yes |
| M9008-S, M9012-S | Intrusion prevention service (IPS) module | Yes |
| M9008-S, M9012-S | Video network gateway module | Yes |
| M9008-S-6GW | IPv6 module | Yes |
| M9008-S-V | Blade IV firewall module | Yes |
| M9000-AI-E4, M9000-AI-E8, M9000-AI-E16 | Blade V firewall module | Yes |
| M9000-X06, M9000-X10 | Blade VI firewall module | Yes |

Restrictions and guidelines: DPI configuration

Security policy-based DPI is recommended because security policies provide more flexible packet filtering options, such as filtering by user.

DPI configuration workflow

The basic DPI configuration workflow is shown in Figure 3 and Figure 4.

Figure 3 Security policy-based DPI configuration workflow

Figure 4 Object policy-based DPI configuration workflow
