04-DPI Configuration Guide

HomeSupportConfigure & DeployConfiguration GuidesH3C SecPath Firewall Series Configuration Guides(V7)-6W60104-DPI Configuration Guide
01-DPI overview
Title Size Download
01-DPI overview 89.57 KB

DPI overview

About DPI

Deep packet inspection (DPI) inspects application layer payloads to protect the network against application layer malicious activities, such as worms, viruses, spams, breaches, and information leakage.

Traditional security technology relies on the network layer and transport layer. DPI further enhances network security.

DPI functions

DPI provides the following functions:

·     Service identification—The DPI engine identifies the service of a data flow by analyzing the application layer payload and matching the payload against signatures. DPI engine informs the DPI service modules of the identification results for service control.

·     Service control—DPI service modules control services flexibly by using DPI service policies. Actions that DPI service policies use for data flows include permit, drop, block source, reset, capture, and log.

·     Service statistics—DPI provides service statistics about service types, protocol parsing, signature inspection, and packet processing. Service statistics visually display the distribution of data flows and the use of different services. You can find factors that might promote service development or affect network operation.

DPI signature libraries

A DPI signature library is a collection of common signatures that DPI uses for service identification. H3C releases up-to-date signatures in the form of DPI signature library files. You can manually download the files or configure the device to automatically download the files to update the DPI signature libraries. You can also define signatures of your own as required.

The device supports the following DPI signature libraries:

·     IPS signature library.

·     URL filtering signature library.

·     APR signature library.

·     Virus signature library.

·     WAF signature library.

·     IP reputation signature library.

·     URL reputation signature library.

·     Domain reputation signature library.

DPI services

Table 1 lists the supported DPI services.

Table 1 DPI services

DPI service

Function

IPS

Monitors network traffic for malicious activities and proactively takes actions to protect the network against attacks.

URL filtering

Controls access to the Web resources by filtering the URLs that the users visit.

Data filtering

Inspects the content in application protocol packets and filters out illegal packets. With content filtering, you can prevent internal users from accessing inappropriate websites or receiving packets that carry illegal content from the Internet.

File filtering

Filters files by filename extensions.

Anti-virus

Inspects and handles viruses in files to protect the internal network.

NBAR

Identifies the application layer protocols of packets by comparing packet content against signatures.

For more information about NBAR, see Security Configuration Guide.

Web application firewall (WAF)

Protects the internal clients and Web servers by blocking Web application layer attacks.

IP reputation signature library

Filters the network traffic by IP addresses in the IP reputation signature library.

URL reputation signature library

Filters out malicious URLs and controls access to the websites.

Domain reputation signature library

Filters the network traffic by domain names in the domain reputation signature library and controls access to the websites.

DPI mechanism

DPI can be implemented based on security policies.

Security policy-based DPI mechanism

Figure 1 illustrates how security policy-based DPI works.

After receiving a packet, the device matches the packet against the configured security policy rules.

A security policy rule includes various match criterion types. A packet matches a policy rule if the packet matches all the criterion types in the rule. Each criterion type includes one or more criteria, and a packet matches a criterion type if it matches any criterion of the type.

For information about security policy rules, see security policy configuration in Security Configuration Guide.

·     If no matching rule is found, the device drops the packet.

·     If a matching rule is found, the device processes the packet according to the rule action:

¡     If the rule action is drop, the device drops the packet.

¡     If the rule action is pass and a DPI application profile is specified for the rule, the device uses the DPI application profile to perform DPI on the packet. If the DPI application profile does not exist, the device permits the packet to pass.

¡     If the rule action is pass and no DPI application profile is specified for the rule, the device permits the packet to pass.

Figure 1 Security policy-based DPI mechanism

 

DPI configuration workflow

The basic DPI configuration workflow is shown in Figure 2.

Figure 2 DPI configuration workflow

  • Cloud & AI
  • InterConnect
  • Intelligent Computing
  • Security
  • SMB Products
  • Intelligent Terminal Products
  • Product Support Services
  • Technical Service Solutions
All Services
  • Resource Center
  • Policy
  • Online Help
All Support
  • Become a Partner
  • Partner Resources
  • Partner Business Management
All Partners
  • Profile
  • News & Events
  • Online Exhibition Center
  • Contact Us
All About Us
新华三官网