by Chenxi Wang, Ph.D.

Forrester: Deep Packet Inspection As An Enabling Technology

Jun 04, 2009
Network Security

While the market needs to mature, Chenxi Wang says deep packet inspection can provide much more than just security benefits

Deep packet inspection (DPI) is a technique that has seen success in traffic management, security, and network analysis. It performs content analysis of network packets at line speed, which distinguishes it from header- or metadata-based packet inspection, the kind typically performed by switches, firewalls, and IDS/IPS devices. A general-purpose DPI solution provides deep packet inspection that can serve many different applications.

Header-only processing limits what you can see in a packet and hence cannot detect content-based threats or tell apart applications that share the same ports and transport protocols. DPI inspects the content/payload of the packet and can extract content-level information, such as malware, specific data, and application types, that is otherwise unavailable.

As network operators, Internet service providers (ISPs), and corporations alike are increasingly dependent on the efficiency of their networks and the applications that run on them, the need to manage bandwidth and control the complexity and security of communications becomes paramount. DPI provides exactly the means for such purposes. User organizations that seek better network management and compliance should view DPI as an essential technology.

DPI technology works by first reassembling packets into network flows. Data processing, including protocol classification, then kicks in and extracts information from the flow content. Flow reassembly and content extraction both require heavyweight processing capabilities, especially in high-volume data streams. A successful DPI technology must therefore provide fundamental features like high-performance computing and flexible support for analysis tasks.

A DPI-processing unit must provide scalability and performance that is in accordance with the performance of the communication network. Deep content inspection requires heavier processing than mere header inspection. As such, DPI often uses a parallel processing architecture to speed up computational tasks. A DPI technology ultimately provides users with information extracted from the network flow. The actual content processing can vary widely depending on the information extracted. DPI technology should behave somewhat like a platform—providing the utility (the “how”) for content processing, but letting users decide “what” is to be processed.
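The two steps described above, flow reassembly followed by content-based classification and extraction, in a small Python pipeline. This is an added example written for this page, not Forrester's code nor any DPI vendor's; the packet records and the three-entry signature table are constructed for illustration, and a real engine would read from a capture interface and carry a far larger signature set. It also shows the payload-level extraction (here the HTTP Host header) that header-only inspection cannot perform.

```python
"""Toy DPI pipeline: reassemble TCP segments into per-flow byte streams, then
classify the application from payload content instead of trusting port numbers.

Added example for illustration; it is not Forrester's code nor any DPI vendor's.
Packet records are constructed inline (a real engine would read from a capture
interface), and the signature table is a deliberately small assumption."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

FlowKey = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int          # TCP sequence number of the first payload byte
    payload: bytes


@dataclass
class Flow:
    """Collects segments of one direction of a TCP connection, keyed by seq."""
    segments: Dict[int, bytes] = field(default_factory=dict)

    def add(self, pkt: Packet) -> None:
        # An exact retransmission (same seq) carries nothing new; keep the first copy.
        self.segments.setdefault(pkt.seq, pkt.payload)

    def reassemble(self) -> bytes:
        """Order segments by sequence number and trim overlapping bytes.
        Gaps (lost segments) are simply skipped in this toy; a production engine
        would hold the flow until the missing segment arrives."""
        out = bytearray()
        expected: Optional[int] = None
        for seq in sorted(self.segments):
            data = self.segments[seq]
            if expected is not None and seq < expected:
                data = data[expected - seq:]      # overlap with bytes already emitted
            out += data
            expected = seq + len(self.segments[seq])
        return bytes(out)


# Content signatures (assumed, minimal): the protocol is decided by what the
# bytes look like, which is what makes HTTP on port 8443, or a non-HTTP stream
# on port 80, visible to DPI but invisible to header-only inspection.
SIGNATURES = [
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n")),
    ("tls", re.compile(rb"^\x16\x03[\x00-\x03]..\x01", re.DOTALL)),  # handshake record, ClientHello
    ("ssh", re.compile(rb"^SSH-2\.0-")),
]


def classify(stream: bytes) -> str:
    for name, sig in SIGNATURES:
        if sig.match(stream):
            return name
    return "unknown"


def http_host(stream: bytes) -> Optional[str]:
    """Example of content-level extraction: the HTTP Host header."""
    m = re.search(rb"\r\nHost: ([^\r\n]+)\r\n", stream)
    return m.group(1).decode("ascii", "replace") if m else None


def analyse(packets) -> Dict[FlowKey, dict]:
    flows: Dict[FlowKey, Flow] = {}
    for p in packets:
        flows.setdefault((p.src, p.sport, p.dst, p.dport), Flow()).add(p)
    results = {}
    for key, flow in flows.items():
        stream = flow.reassemble()
        app = classify(stream)
        results[key] = {
            "app": app,
            "bytes": len(stream),
            "host": http_host(stream) if app == "http" else None,
        }
    return results


# Constructed sample traffic: an HTTP request on a non-standard port whose two
# segments arrive out of order and with one retransmission, a TLS ClientHello,
# and a stream on port 80 that is not HTTP at all.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", 51000, "203.0.113.7", 8443, 1026, b"Host: example.test\r\n\r\n"),
    Packet("10.0.0.5", 51000, "203.0.113.7", 8443, 1000, b"GET /index.html HTTP/1.1\r\n"),
    Packet("10.0.0.5", 51000, "203.0.113.7", 8443, 1000, b"GET /index.html HTTP/1.1\r\n"),
    Packet("10.0.0.6", 51001, "203.0.113.8", 443, 500, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
    Packet("10.0.0.7", 51002, "203.0.113.9", 80, 1, b"\x00\x01\x02custom-binary-protocol"),
]


def demo() -> Dict[FlowKey, dict]:
    return analyse(SAMPLE_PACKETS)


if __name__ == "__main__":
    for key, info in demo().items():
        print(key, info)
```

The point of the sample is that the port 8443 flow is reported as HTTP with its Host header, while the port 80 flow is reported as unknown: the decision rests entirely on reassembled content. Reassembly is also where the heavy cost sits, since every flow's segments must be buffered and ordered before a single signature can be applied.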

Service providers use DPI to segment network traffic. Many service providers are now using DPI to separate traffic into low-latency (voice), guaranteed-latency (Web traffic), guaranteed-delivery (application traffic), and best-effort-delivery applications (file sharing). Using this classification, they can better optimize their resources for mission-critical traffic, police use of noncritical ones, and minimize network congestion. Because of cheaper bandwidth, service providers can add value-added services for additional revenues, including security, peak-usage management, content-based billing, and targeted advertising. These all require deep visibility into the network traffic stream.

Large enterprises can use DPI to manage network performance. Enterprises with large networks covering many geographic regions have very diverse traffic types running across their internal networks. Beyond controlling costs and bandwidth usage, security is a constant challenge that requires an understanding of application traffic on the network. These enterprises are beginning to see the benefits of DPI analysis. For example, a network administrator can use DPI technology to rate limit certain application traffic when the network performance is low, and raise the limit when the performance goes back to normal.
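The traffic segmentation described for service providers and the "lower the limit under load, raise it afterwards" administration described for enterprises, combined into one small policy layer that sits on top of DPI application labels. This is an added example, not from the article or any vendor; the label-to-class mapping, the rates and the congestion signal are assumptions (in practice the signal would come from latency or queue-depth measurements), and the shaper uses integer milliseconds so the walkthrough is exact.

```python
"""Traffic policy on top of DPI application labels: map each label to a service
class and shape the best-effort class with a token bucket whose rate is cut
while the network is congested and restored afterwards.

Added example, not from the article or any vendor. The class names, rates and
the 'congested' signal are assumptions; in practice the signal would come from
latency or queue-depth measurements."""
from typing import List, Tuple

# Assumed mapping from DPI application label to the article's four classes.
CLASS_OF_APP = {
    "voip": "low_latency",
    "http": "guaranteed_latency",
    "erp": "guaranteed_delivery",
    "bittorrent": "best_effort",
}


def service_class(app: str) -> str:
    # Anything the classifier could not name is treated as best effort.
    return CLASS_OF_APP.get(app, "best_effort")


class TokenBucket:
    """Integer token bucket: rate in bytes per millisecond, time in milliseconds,
    so the simulation below is exact with no floating-point drift."""

    def __init__(self, rate_bpms: int, burst_bytes: int) -> None:
        self.rate = rate_bpms
        self.burst = burst_bytes
        self.tokens = burst_bytes      # start full
        self.last_ms = 0

    def allow(self, nbytes: int, now_ms: int) -> bool:
        # Refill in proportion to elapsed time, never beyond the burst size.
        self.tokens = min(self.burst, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False


class Shaper:
    NORMAL_RATE = 1000      # bytes/ms, i.e. 1 MB/s (assumed)
    CONGESTED_RATE = 200    # bytes/ms while the network is slow (assumed)

    def __init__(self) -> None:
        self.bucket = TokenBucket(self.NORMAL_RATE, burst_bytes=100_000)

    def set_congested(self, congested: bool) -> None:
        # The administrator's "lower the limit, then raise it again" knob.
        self.bucket.rate = self.CONGESTED_RATE if congested else self.NORMAL_RATE

    def handle(self, app: str, nbytes: int, now_ms: int) -> str:
        if service_class(app) != "best_effort":
            return "forward"          # priority classes are never shaped here
        return "forward" if self.bucket.allow(nbytes, now_ms) else "drop"


def simulate() -> List[Tuple[int, str, str]]:
    """Constructed event sequence, returned as (time_ms, app, decision)."""
    s = Shaper()
    events: List[Tuple[int, str, str]] = []

    def run(t: int, app: str, nbytes: int = 60_000) -> None:
        events.append((t, app, s.handle(app, nbytes, t)))

    run(0, "bittorrent")       # the burst allowance admits the first 60 kB
    run(0, "bittorrent")       # only 40 kB of tokens left: dropped
    run(100, "bittorrent")     # 100 ms at 1000 B/ms refills the bucket
    s.set_congested(True)
    run(200, "bittorrent")     # 20 kB refill + 40 kB remaining is just enough
    run(300, "bittorrent")     # bucket empty at the reduced rate: dropped
    run(300, "voip")           # low-latency class passes untouched
    run(400, "bittorrent")     # still starved while congested
    s.set_congested(False)
    run(500, "bittorrent")     # normal rate restored, traffic flows again
    return events


if __name__ == "__main__":
    for t, app, decision in simulate():
        print(f"{t:>4} ms  {app:<10} {decision}")
```

Only the best-effort class passes through the bucket; the other three classes are forwarded unconditionally, which is the simplest form of the prioritisation the article attributes to service providers. Changing the bucket's rate in place, rather than replacing the bucket, keeps the accumulated tokens, so easing congestion takes effect on the next packet without resetting the flow's budget.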

More network security functions today require payload-level knowledge. Data leak prevention requires the understanding of actual content sent through the wire. A Layer 7 firewall works on payload content rather than header information. Security service providers in the cloud, such as antispam or Web filtering services, must gain real-time visibility of content across multiple customers’ traffic in order to quickly derive threat and attack information. They, too, require content-level intelligence.

Traditionally, such security functions are provided by special-purpose technologies, which may include some DPI capabilities. IPS, for instance, has built-in DPI. Secure Web gateways also provide DPI analysis for Web content. But each special-purpose technology adds to an inefficient network infrastructure of many special-purpose boxes or incompatible software. A packet may end up being inspected multiple times for multiple purposes. In addition, these technologies do not provide a programmable interface, which means you cannot extract arbitrary information.

Beyond security, DPI has a major impact for cloud computing providers, where subscription and user management is a major challenge. Many vendors that use homegrown or off-the-shelf technology to manage service subscriptions are finding that it either lacks scalability or does not provide enough information for complex management tasks. DPI, on the other hand, is able to provide intelligence about user traffic, application usage, content communicated, and anomalous patterns. The service vendor can also use the programmable interface to glean other useful data, such as marketing intelligence and customer profiles.

Challenges Still Lie Ahead For Deep Packet Inspection

As a relatively young market, the DPI industry faces a number of challenges. For instance:

No standard benchmarks exist. The DPI market today is full of confusing, one-off, application-specific performance information. The industry needs standard benchmarks that would include connection setup time, TCP, UDP, and forward throughput testing. These benchmarks are essential to establishing comparable performance metrics among competing products.

Proprietary solutions limit potential. Different DPI technologies continue to emerge, and it is only a matter of time before the open architecture question arises. An “OpenDPI” movement would allow third-party developers to write DPI applications on top of different commercial solutions.

The DPI technology market is here to stay. Today, its application may be fragmented and inconsistent, but its huge potential and the industry-wide interest will ultimately push it towards a standardized and open DPI market for the greater community.

Chenxi Wang is a Principal Analyst at Forrester Research, where she serves Security & Risk professionals. She is a leading expert on content security, application security, Web 2.0 security, and vulnerability management. (See her other articles on spam management best practices and application vulnerability management.) For free related research from Forrester, please visit