Deep Packet Inspection

Available in DANOS 2009

1. Overview

Deep Packet Inspection (DPI) uses ntop's nDPI engine to identify layer 7 applications. User-defined applications can also be specified using L3 / L4 rules.

Firewall rules can be configured to allow or block the identified applications.

2. Configuration

2.1. Application firewall

Applications are configured in an "application firewall" using the "set security application firewall" command, which is similar to the existing firewall command ("set security firewall name ..."), but is specific to applications:

user@danos2009# set security application firewall name SAF1 ?
Possible Completions:
  <Enter>          Execute the current command
  description      Ruleset description
  no-match-action  Action when no match (default is drop)
+> rule            Rule number


Applications are specified by the DPI engine and the application name, protocol, or type. Applications are configured individually, one per rule.

user@danos2009# set security application firewall name SAF1 rule 10 engine ndpi ?
Possible Completions:
  <Enter>     Execute the current command
  name        Specify an nDPI application name
  protocol    Specify an nDPI application protocol
  type        Specify an nDPI application type


Each rule can match only one application name, protocol, or type. This prevents a conflicting configuration (for example, a name and a protocol that never occur together) that would never match anything.

Multiple applications can be added by configuring multiple rules. Rules are evaluated in increasing numerical order.

user@danos2009# set security application firewall name SAF1 rule 10 engine ndpi name youtube
user@danos2009# set security application firewall name SAF1 rule 10 action drop
user@danos2009# set security application firewall name SAF1 rule 20 engine ndpi protocol ssh
user@danos2009# set security application firewall name SAF1 rule 20 action accept
user@danos2009# set security application firewall name SAF1 rule 30 engine ndpi type filesharing
user@danos2009# set security application firewall name SAF1 rule 30 action drop


The application firewall is referenced from the regular firewall. It is configured under "session" because DPI requires a stateful firewall: the DPI engine may have to examine several packets in a session before reaching a determination. Since application matching is only supported for the TCP and UDP protocols, application firewalls require that either "protocol tcp" or "protocol udp" be specified in the enclosing firewall rule:

2.2. Default action

Initial packets are classified as application "Unknown", protocol "Unknown", until sufficient traffic has been seen for a determination to be made. It is important to allow these packets through the firewall so that the DPI engine sees enough of the session to reach a determination. Therefore the application firewall allows up to ten packets per session before applying the "no-match-action" if no classification has been made.

2.2.1. Firewall

A default firewall action may be specified either in a high-numbered rule:

set security firewall name FW1 rule 9999 action X

or using the "default action" command:

set security firewall name FW1 default action X

Both of these match all packets, so neither the subsequent 'implicit action' nor any rules in later groups are applied.

2.2.2. Application firewall

A default application firewall action may be specified either in a high-numbered application firewall rule:

set security application firewall name AF1 rule 9999 action X

or using the "no-match-action" command:

set security application firewall name AF1 no-match-action X

Note that up to ten packets are accepted per session before these rules are applied, so that the DPI engine sees enough of the session to reach a determination.

2.3. Application groups

Several applications can be combined in an application group. Application names, types, and protocols can be mixed within a group. The group matches any of the specified name, type, or protocol rules, i.e. the rules are OR'd together.


The application group is configured in an application firewall rule, together with the action to be performed on any traffic matching the group:


As above, the application firewall is referenced from the regular firewall. The application firewall is configured under "session" because a stateful firewall is required for DPI.

2.4. User-defined applications

User-defined applications can be defined using L3 / L4 rules using the "set service application... " command:


Rules consist of two parts: zero or more match criteria, and one or more "then" actions.

All of the match criteria must match, i.e. the criteria are AND'd together.

The "then" action specifies the application name, protocol, or type to be used for traffic matching the rule:


For example, if subnet 10.1.1.0/28 only contains webex servers, the traffic coming from those servers can be classified as application name webex and application type video:


User-defined applications are configured in application firewalls or application groups as shown earlier, except that the "user" engine is used:


Application groups can contain a mixture of nDPI and user-defined applications. The group matches any of the specified engine, name, type, or protocol rules, i.e. the rules are OR'd together.
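The rule semantics described in sections 2.1 to 2.4 (rules evaluated in increasing numerical order, one criterion per rule, OR'd application groups, AND'd user-defined match criteria, and the ten-packet grace period before "no-match-action") can be checked against sample traffic with the following Python model. This is an added illustration, not DANOS or nDPI code: the class names, the packet dictionary keys (src, dst, proto) and the sample classifications are assumptions made for the example, and it reuses the SAF1 rules and the webex subnet from this document.

```python
"""Model of the application-firewall rule semantics described in this document.

Added illustration, not DANOS or nDPI code: class names, field names and the
sample classifications are assumptions made for the example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Tuple

UNKNOWN = "Unknown"
PRECLASSIFY_PKTS = 10  # packets accepted per session before no-match-action applies


@dataclass(frozen=True)
class App:
    """How a DPI engine reports a session; everything is Unknown until classified."""
    engine: str = UNKNOWN      # "ndpi" or "user"
    name: str = UNKNOWN
    protocol: str = UNKNOWN
    type: str = UNKNOWN

    def is_classified(self) -> bool:
        return self.engine != UNKNOWN


@dataclass(frozen=True)
class Match:
    """One criterion, e.g. Match("ndpi", "protocol", "ssh"); key is name, protocol or type."""
    engine: str
    key: str
    value: str

    def hits(self, app: App) -> bool:
        return app.engine == self.engine and getattr(app, self.key).lower() == self.value.lower()


@dataclass(frozen=True)
class Rule:
    """A single Match, or several Match entries for an application group (OR'd together)."""
    number: int
    action: str                 # "accept" or "drop"
    matches: Tuple[Match, ...]

    def hits(self, app: App) -> bool:
        return any(m.hits(app) for m in self.matches)


class AppFirewall:
    """Rules are evaluated in increasing numerical order; the first hit decides."""

    def __init__(self, rules, no_match_action: str = "drop"):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.no_match_action = no_match_action

    def evaluate(self, app: App, pkts_seen: int) -> str:
        for rule in self.rules:
            if rule.hits(app):
                return rule.action
        # An unclassified session gets a grace period so the engine sees enough packets.
        if not app.is_classified() and pkts_seen <= PRECLASSIFY_PKTS:
            return "accept"
        return self.no_match_action


@dataclass
class UserApp:
    """User-defined application: every configured criterion must match (AND'd);
    the "then" values are then reported under the "user" engine."""
    source: Optional[str] = None       # CIDR of the source address
    destination: Optional[str] = None  # CIDR of the destination address
    protocol: Optional[str] = None     # "tcp" or "udp"
    then: dict = field(default_factory=dict)

    def classify(self, pkt: dict) -> App:
        checks = []
        if self.source:
            checks.append(ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.source))
        if self.destination:
            checks.append(ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.destination))
        if self.protocol:
            checks.append(pkt["proto"] == self.protocol)
        if not all(checks):
            return App()
        return App("user", *(self.then.get(k, UNKNOWN) for k in ("name", "protocol", "type")))


# The SAF1 rules configured in section 2.1 of this document.
SAF1 = AppFirewall([
    Rule(10, "drop", (Match("ndpi", "name", "youtube"),)),
    Rule(20, "accept", (Match("ndpi", "protocol", "ssh"),)),
    Rule(30, "drop", (Match("ndpi", "type", "filesharing"),)),
])

# The webex example from section 2.4: traffic from 10.1.1.0/28 is name webex, type video.
WEBEX = UserApp(source="10.1.1.0/28", then={"name": "webex", "type": "video"})

# A group mixing an nDPI name and a user-defined name; anything else is dropped.
ALLOWED = AppFirewall(
    [Rule(10, "accept", (Match("ndpi", "name", "linkedin"), Match("user", "name", "webex")))],
    no_match_action="drop",
)

if __name__ == "__main__":
    for app, pkts in [(App("ndpi", "YouTube", "HTTP", "video"), 12), (App(), 3), (App(), 11)]:
        print(app, pkts, "->", SAF1.evaluate(app, pkts))
    print(ALLOWED.evaluate(WEBEX.classify({"src": "10.1.1.5", "dst": "198.51.100.9", "proto": "tcp"}), 1))
```

The point of the grace-period branch in evaluate() is the one section 2.2 makes: a session that is still "Unknown" is accepted for its first ten packets, but a session that has been classified and matches no rule gets the no-match-action straight away.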

3. Show commands

3.1. show session table application

Provided at least one DPI rule is configured, the "show session table application" command will show application information associated with each session. There is no output if no DPI rules are configured.

The columns are:

Conn ID - the connection ID as shown in the other "show session table ..." outputs.

Engine - which engine classified this traffic.

App-name - the application name according to this DPI engine.

L5-proto-name - the layer 5 protocol according to this DPI engine.

Offloaded - "false" if the engine still needs to see more packets; "true" if the engine has made a final determination.

Error - "true" if a DPI error occurred; "false" otherwise.

Fwd-pkts - the number of packets observed by the DPI engine in the forward direction prior to offloading.

Fwd-bytes - the number of bytes observed by the DPI engine in the forward direction prior to offloading.

Bwd-pkts - the number of packets observed by the DPI engine in the backward direction prior to offloading.

Bwd-bytes - the number of bytes observed by the DPI engine in the backward direction prior to offloading.

Type - the application type according to this DPI engine.


nDPI information will be shown if at least one nDPI rule is configured:


User-defined application information will be shown if at least one user-defined application rule is configured:


Both nDPI and user-defined application information will be shown for each session when at least one nDPI and one user-defined application rule are configured:

3.2. Journal logging

When firewall logging is enabled and DPI information is available for the session, this will be included in the session create, update, and delete logs seen in the system journal:

4. Examples

4.1. An application firewall allows access to permitted websites while blocking all other web traffic

Additional sites would be allowed by adding rules to the "ALLOWED-SITES" application firewall.

4.2. An application firewall is used with an application group to allow access to some permitted websites while blocking all other web traffic

Additional sites would be allowed by adding rules to the "ALLOWED-SITES-GROUP" application group.

4.3. An application firewall is used with an application group to block http requests while allowing https requests

HTTP requests would be allowed by adding http to the "WEB-APPS-GROUP" application group.

4.4. Traffic destined to the BBC news web site is identified with a user-defined name, protocol, and type

The web site is served by a range of addresses.

4.5. An application firewall is applied to traffic entering or leaving a GRE tunnel

Tunneled telnet and SSH traffic are dropped.

Traffic entering the vRouter from the tunnel is firewalled by applying the firewall in the “in” direction:

Traffic leaving the vRouter through the tunnel is firewalled by applying the firewall in the “out” direction:

4.6. An application firewall is applied to traffic entering or leaving a VFP IPSec tunnel

Tunneled telnet and SSH traffic are dropped.

Traffic entering the vRouter from the tunnel is firewalled by applying the firewall in the “in” direction:

Traffic leaving the vRouter through the tunnel is firewalled by applying the firewall in the “out” direction:

5. Debugging

5.1. show session table application

Enable any DPI rule. Examine the "show session table application" output to see how the traffic was classified, then modify the rule accordingly.

Pay particular attention to whether the application appears in the "App-name" or the "L5-proto-name" column, because that decides whether the rule must use "name" or "protocol". E.g. as seen below, "LinkedIn" and "YouTube" are application names, while SSH is a protocol:
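The debugging step above (read "show session table application", see which column the application lands in, then pick "name" or "protocol" for the rule) can be scripted over saved output. The following Python is an added example, not DANOS code: the column order follows the list in section 3.1, but the sample output is constructed for the example, so the real command's spacing and values may differ, and the helper names are my own.

```python
"""Parse "show session table application" output and pull out what section 5.1 asks for.

Added example, not DANOS code. The column names follow section 3.1; the sample
output below is constructed for the example and was not captured from a system.
"""
from collections import Counter

COLUMNS = ("conn_id", "engine", "app_name", "l5_proto_name", "offloaded", "error",
           "fwd_pkts", "fwd_bytes", "bwd_pkts", "bwd_bytes", "type")
INT_COLUMNS = {"conn_id", "fwd_pkts", "fwd_bytes", "bwd_pkts", "bwd_bytes"}
BOOL_COLUMNS = {"offloaded", "error"}

# Constructed sample output (not captured from a DANOS system).
SAMPLE_OUTPUT = """\
Conn ID  Engine  App-name  L5-proto-name  Offloaded  Error  Fwd-pkts  Fwd-bytes  Bwd-pkts  Bwd-bytes  Type
1        ndpi    LinkedIn  HTTP           true       false  8         1200       6         4300       social_network
2        ndpi    Unknown   SSH            true       false  5         800        4         600        remote_access
3        ndpi    YouTube   HTTP           true       false  9         1400       7         9800       media
4        ndpi    Unknown   Unknown        false      false  3         300        2         200        Unknown
5        ndpi    Unknown   Unknown        false      true   1         90         0         0          Unknown
"""


def parse_session_table(text: str) -> list:
    """Turn the whitespace-separated table into a list of typed dicts, skipping the header."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "Conn" or len(fields) != len(COLUMNS):
            continue
        row = dict(zip(COLUMNS, fields))
        for key in INT_COLUMNS:
            row[key] = int(row[key])
        for key in BOOL_COLUMNS:
            row[key] = row[key].lower() == "true"
        rows.append(row)
    return rows


def pending_sessions(rows):
    """Sessions where the engine still needs to see more packets (Offloaded false)."""
    return [r for r in rows if not r["offloaded"]]


def error_sessions(rows):
    """Sessions where a DPI error occurred (Error true)."""
    return [r for r in rows if r["error"]]


def rule_keyword_for(row):
    """Which keyword a matching rule needs: 'name' if the app appears in App-name,
    'protocol' if it only appears in L5-proto-name, None if not yet classified."""
    if row["app_name"] != "Unknown":
        return ("name", row["app_name"])
    if row["l5_proto_name"] != "Unknown":
        return ("protocol", row["l5_proto_name"])
    return None


def classification_summary(rows) -> Counter:
    """Count finished classifications by (App-name, L5-proto-name)."""
    return Counter((r["app_name"], r["l5_proto_name"]) for r in rows if r["offloaded"])


if __name__ == "__main__":
    rows = parse_session_table(SAMPLE_OUTPUT)
    print("classified:", dict(classification_summary(rows)))
    print("still classifying:", [r["conn_id"] for r in pending_sessions(rows)])
    print("errors:", [r["conn_id"] for r in error_sessions(rows)])
    for r in rows:
        print(r["conn_id"], rule_keyword_for(r))
```

In the constructed sample, connection 2 shows SSH only in the L5-proto-name column, so rule_keyword_for() reports that a rule for it needs "protocol ssh", while LinkedIn and YouTube need "name"; connections 4 and 5 are not offloaded yet and should not be used to tune rules until the engine has reached a determination.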