Deep packet inspection (DPI) is becoming increasingly popular as a tool for network security and for shaping and managing traffic. It consists of examining the contents of packets, not just the headers, as they move over the network. This is usually done at the firewall, but it can also be done at other points within the network.
DPI is somewhat controversial, because it can be used for censorship and for keeping track of what network users are saying. Many repressive regimes, such as those in Iran, North Korea, and especially China, use DPI in this fashion. Some ISPs have also used DPI, though this produced such a strong reaction from privacy advocates that the practice has been generally discontinued in the United States. As a result of these abuses, DPI has become something of a hot-button issue, regardless of who is using it and how it is applied. This has probably slowed its adoption by enterprises.
Despite the controversy, DPI tools and appliances are widely available. Companies such as Dell, Vineyard Networks, and Stonesoft include it in their security suites. The market analysis firm Infonetics put DPI revenue at more than $400 million for 2011 and expects it to exceed $2 billion by 2016.
By inspecting packet contents via DPI, administrators can protect their networks against intrusion, unwanted file types, malware, and other threats in a much more sophisticated way than conventional security measures allow. Network administrators also can set elaborate business rules for what can and cannot pass over the network, and they can enforce those rules automatically at the packet level.
Beyond security, DPI can play an important role in managing traffic over the network. It allows very precise identification of applications and data. It also allows fine-grained management of the network by classifying packets by traffic type and applying a rule set to decide things like network priorities. For example, packets from videoconferencing or VoIP, which are sensitive to latency and jitter, can be given high priority to make sure they flow smoothly over the network. Applications such as spreadsheets, which are less sensitive, can be assigned lower priorities, and in most cases the users will never notice.
Since DPI also examines headers, it is easy to use it to single out various classes of users and decide which classes are allowed to send and receive various kinds of traffic. As network use increases, this kind of control becomes more important in making the most efficient use of the network.
DPI usually compares packet contents against a database of characteristics to determine what kind of traffic the packet contains. Some DPI products include heuristics that allow the application to figure out what kinds of unknown or encrypted traffic the packet contains. This is especially important in controlling P2P recreational traffic, because sites and users often encrypt the packet contents to prevent identification. This keeps the application from reading the contents, but the packet's characteristics can still be used to deduce what sort of traffic is being sent.
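As an added illustration of the two stages just described (not code from the original article or from any vendor's product), this Python sketch matches a payload against a small constructed signature table and, when nothing matches, falls back to a byte-entropy heuristic to flag traffic that is probably encrypted and therefore cannot be read. The signature prefixes, the entropy thresholds and the sample payloads are all assumptions constructed for the example.

```python
import math
from collections import Counter

# Constructed signature table: label -> byte prefixes that identify the protocol at the
# start of a flow. Real products ship thousands of signatures; these are well-known ones.
SIGNATURES = {
    "http":          (b"GET ", b"POST ", b"HEAD ", b"PUT "),
    "tls-handshake": (b"\x16\x03",),  # TLS record: type 0x16 (handshake), version 3.x
    "ssh":           (b"SSH-",),      # SSH identification string
}

# Heuristic fallback for traffic no signature recognises: a payload whose bytes are
# nearly uniformly distributed is most likely encrypted or compressed. Both
# thresholds are assumptions chosen for this example, not vendor defaults.
ENTROPY_THRESHOLD = 7.0   # bits per byte; the maximum possible is 8.0
MIN_ENTROPY_SAMPLE = 64   # too few bytes make the entropy estimate meaningless

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the payload in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_payload(payload: bytes) -> str:
    """Signature match first; fall back to the entropy heuristic for unknown traffic."""
    for label, prefixes in SIGNATURES.items():
        if payload.startswith(prefixes):      # bytes.startswith accepts a tuple
            return label
    if len(payload) >= MIN_ENTROPY_SAMPLE and shannon_entropy(payload) >= ENTROPY_THRESHOLD:
        return "unknown-encrypted"
    return "unknown-plaintext"

if __name__ == "__main__":
    # Constructed sample payloads standing in for the first packet of each flow.
    samples = {
        "web request": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
        "tls hello":   b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00",
        "ssh banner":  b"SSH-2.0-OpenSSH_9.0\r\n",
        "random blob": bytes(range(256)),  # every byte value once: 8.0 bits per byte
        "plain text":  b"hello " * 20,
        "short blob":  bytes(range(32)),   # high entropy but below the sample minimum
    }
    for name, data in samples.items():
        print(f"{name:12s} -> {classify_payload(data)}")
```

The "short blob" case shows why the minimum sample size matters: a few dozen high-entropy bytes are not enough evidence to label a flow as encrypted, so the classifier declines to guess.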
All this comes at a price. DPI is computationally intensive, since virtually every byte moving over the network has to be unpacked and inspected. In the past, this prevented enterprises from widely applying DPI. However, with advances in computer power and the availability of appliances with specialized processors, this is much less of a problem.
DPI continues to stir some controversy, but its increased viability is ensuring its place in enterprise IT and its continued growth as an option for security and traffic management.
— Rick Cook is a prolific technology writer and author of the Wizardry series of fantasy novels.