Deep Packet Inspection

Available in DANOS 2009

1. Overview

Deep Packet Inspection (DPI) uses ntop's nDPI engine to identify layer 7 applications. User-defined applications can also be specified using L3 / L4 rules.

Firewall rules can be configured to allow or block the identified applications.

2. Configuration

2.1. Application firewall

Applications are configured in an "application firewall" using the "set security application firewall" command, which is similar to the existing firewall command ("set security firewall name ..."), but is specific to applications:

user@danos2009# set security application firewall name SAF1 ?
Possible Completions:
  <Enter>          Execute the current command
  description      Ruleset description
  no-match-action  Action when no match (default is drop)
+> rule            Rule number


Applications are specified by the DPI engine and the application name, protocol, or type. Applications are configured individually, one per rule.

user@danos2009# set security application firewall name SAF1 rule 10 engine ndpi ?
Possible Completions:
  <Enter>    Execute the current command
  name       Specify an nDPI application name
  protocol   Specify an nDPI application protocol
  type       Specify an nDPI application type


Each rule can only match one application name or protocol or type in order to prevent conflicting configuration which would never match anything.

Multiple applications can be added by configuring multiple rules. Rules are evaluated in increasing numerical order.

user@danos2009# set security application firewall name SAF1 rule 10 engine ndpi name youtube
user@danos2009# set security application firewall name SAF1 rule 10 action drop
user@danos2009# set security application firewall name SAF1 rule 20 engine ndpi protocol ssh
user@danos2009# set security application firewall name SAF1 rule 20 action accept
user@danos2009# set security application firewall name SAF1 rule 30 engine ndpi type filesharing
user@danos2009# set security application firewall name SAF1 rule 30 action drop


The application firewall is referenced from the regular firewall. It is configured under "session" because DPI requires a stateful firewall: the DPI engine may have to examine several packets in the session before reaching a determination. Since application matching is only supported for the UDP and TCP protocols, application firewalls require that either "protocol tcp" or "protocol udp" be specified in the enclosing firewall rule:

user@danos2009# set security firewall name SF1 rule 10 session application firewall SAF1
user@danos2009# set security firewall name SF1 rule 10 protocol tcp
user@danos2009# set security firewall name SF1 rule 10 action accept

2.2. Default action

Initial packets are classified as application "Unknown", protocol "Unknown", until sufficient traffic is seen for a determination to be made. It's important to allow these packets through the firewall so that enough traffic is seen in the session in order for the DPI engine to reach a determination. Therefore the application firewall allows up to ten packets before applying the "no-match-action" if no classification has been made.

2.2.1. Firewall

A default firewall action may be specified either in a high-numbered rule:

set security firewall name FW1 rule 9999 action X

or using the "default action" command:

set security firewall name FW1 default action X

Both of these match all packets, so neither the subsequent 'implicit action' nor any rules in subsequent groups are ever reached.

2.2.2. Application firewall

A default application firewall action may be specified either in a high-numbered application firewall rule:

set security application firewall name AF1 rule 9999 action X

or using the "no-match-action" command:

set security application firewall name AF1 no-match-action X

Note that up to ten packets will be accepted per session before these rules are applied so that enough traffic is seen in the session in order for the DPI engine to reach a determination.

2.3. Application groups

Several applications can be combined in an application group. Application names, types, and protocols can be mixed within a group. The group matches any of the specified name, type, or protocol rules, i.e. the rules are OR'd together.

user@danos2009# set resources group application-group AG1 engine ndpi type chat
user@danos2009# set resources group application-group AG1 engine ndpi type shopping
user@danos2009# set resources group application-group AG1 engine ndpi type game
user@danos2009# set resources group application-group AG1 engine ndpi name ebay
user@danos2009# set resources group application-group AG1 engine ndpi name facebook
user@danos2009# set resources group application-group AG1 engine ndpi name youtube


The application group is configured in an application firewall rule, together with the action to be performed on any traffic matching the group:

user@danos2009# set security application firewall name SAF1 rule 40 group AG1
user@danos2009# set security application firewall name SAF1 rule 40 action drop


As above, the application firewall is referenced from the regular firewall. The application firewall is configured under "session" because a stateful firewall is required for DPI.

user@danos2009# set security firewall name SF1 rule 10 session application firewall SAF1
user@danos2009# set security firewall name SF1 rule 10 protocol tcp
user@danos2009# set security firewall name SF1 rule 10 action accept
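The evaluation order, the one-match-per-rule restriction, the OR'd group semantics (2.3) and the ten-packet grace period before "no-match-action" (2.2) interact in ways that are easy to get wrong when writing a policy. The following Python model is an added example, not DANOS or nDPI code: it reproduces those rules as the page describes them so that a policy can be reasoned about offline. The SAF1 rules mirror the ones configured above; the group contents of rule 40 and the per-packet classification sequences of the four sessions are constructed, and the assumption that a classified session matching no rule hits no-match-action immediately is the model's reading of section 2.2.

```python
"""Toy model of DANOS application-firewall evaluation (added example, not
DANOS code): rules in ascending order, one name/protocol/type per entry,
group entries OR'd, ten accepted packets while still Unknown, then the
no-match-action."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

GRACE_PACKETS = 10  # page: up to ten packets pass before no-match-action


@dataclass(frozen=True)
class Classification:
    """What a DPI engine currently reports for a session."""
    engine: str     # "ndpi" or "user"
    name: str       # e.g. "YouTube", or "Unknown" until determined
    protocol: str   # e.g. "TLS", or "Unknown"
    type: str       # e.g. "Media"


UNKNOWN = Classification("ndpi", "Unknown", "Unknown", "Unknown")


@dataclass(frozen=True)
class AppMatch:
    """One 'engine X name|protocol|type Y' entry; exactly one field is set,
    as the page requires for a rule."""
    engine: str
    name: Optional[str] = None
    protocol: Optional[str] = None
    type: Optional[str] = None

    def matches(self, c: Classification) -> bool:
        if c.engine != self.engine:
            return False
        if self.name is not None:
            return c.name.lower() == self.name.lower()
        if self.protocol is not None:
            return c.protocol.lower() == self.protocol.lower()
        return self.type is not None and c.type.lower() == self.type.lower()


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                     # "accept" or "drop"
    entries: Tuple[AppMatch, ...]   # a single application, or a group's entries (OR'd)


@dataclass(frozen=True)
class AppFirewall:
    rules: Tuple[Rule, ...]
    no_match_action: str = "drop"   # page: default is drop


def is_unknown(state: List[Classification]) -> bool:
    """True while every engine still reports Unknown name and protocol."""
    return all(c.name == "Unknown" and c.protocol == "Unknown" for c in state)


def decide(fw: AppFirewall, state: List[Classification], packet_no: int) -> Tuple[str, str]:
    """Action for packet `packet_no` (1-based) of a session whose current
    classification is `state`; returns (action, reason)."""
    for rule in sorted(fw.rules, key=lambda r: r.number):   # ascending order
        if any(e.matches(c) for e in rule.entries for c in state):
            return rule.action, f"rule {rule.number}"
    if is_unknown(state) and packet_no <= GRACE_PACKETS:
        return "accept", "awaiting classification"
    return fw.no_match_action, "no-match-action"   # model's reading of 2.2


def simulate(fw: AppFirewall, states: List[List[Classification]]) -> List[str]:
    """Per-packet actions for one session; states[i] is what the engine
    reports when packet i+1 is evaluated."""
    return [decide(fw, s, i + 1)[0] for i, s in enumerate(states)]


# The SAF1 rules configured on the page, plus rule 40 using a constructed group.
SAF1 = AppFirewall(rules=(
    Rule(10, "drop", (AppMatch("ndpi", name="youtube"),)),
    Rule(20, "accept", (AppMatch("ndpi", protocol="ssh"),)),
    Rule(30, "drop", (AppMatch("ndpi", type="filesharing"),)),
    Rule(40, "drop", (AppMatch("ndpi", type="chat"), AppMatch("ndpi", name="ebay"),
                      AppMatch("user", name="webex"))),
))

# Constructed sessions: the classification reported at each packet.
YOUTUBE = [[UNKNOWN]] * 3 + [[Classification("ndpi", "YouTube", "TLS", "Media")]] * 2
SSH = [[UNKNOWN]] + [[Classification("ndpi", "Unknown", "SSH", "RemoteAccess")]] * 2
NEVER_CLASSIFIED = [[UNKNOWN]] * 12
WEBEX = [[UNKNOWN, Classification("user", "webex", "Unknown", "video")]] * 2

if __name__ == "__main__":
    for label, states in [("youtube", YOUTUBE), ("ssh", SSH),
                          ("never classified", NEVER_CLASSIFIED), ("webex", WEBEX)]:
        print(f"{label}: {simulate(SAF1, states)}")
```

The "never classified" session is the one to watch in a real deployment: it is accepted for ten packets and only then hits no-match-action, which is exactly the window the page's "Unknown" default discussion is about.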

2.4. User-defined applications

User-defined applications can be defined using L3 / L4 rules using the "set service application ..." command:

user@danos2009# set service application rule 10 ?
Possible Completions:
  <Enter>          Execute the current command
  description      Rule description
> destination      Destination parameters
  disable          Disable rule
  dscp             DSCP value to match in an incoming IP header
  dscp-group       Group of DSCP values to match in an incoming IP header
  ethertype        Ethertype to match (name or hex or decimal)
> icmp             ICMP for IPv4
> icmpv6           ICMP for IPv6
> ipv6-route       IPv6 route
  log              Enable logging for rule
  pcp              802.1 priority code point to match (0 to 7)
  protocol         IP L4 protocol to match (name, number or leave unconfigured for all)
  protocol-group   Group of IP L4 protocols to match
> source           Source parameters
> tcp              TCP parameters
> then             Specify actions


Rules consist of two parts: zero or more match criteria, and one or more "then" actions.

All of the matching criteria must match, i.e. the criteria are AND'd together.

The "then" action specifies the application name, protocol, or type to be used for traffic matching the rule:

user@danos2009# set service application rule 30 then ?
Possible Completions:
  name       Specify application name
  protocol   Specify application protocol
+> type      Specify application type


For example, if subnet 10.1.1.0/28 only contains webex servers, the traffic coming from those servers can be classified as application name webex and application type video:

user@danos2009# set service application rule 10 source address 10.1.1.0/28
user@danos2009# set service application rule 10 then name webex
user@danos2009# set service application rule 10 then type video


User-defined applications are configured in application firewalls or application groups as shown earlier, except that the "user" engine is used:

user@danos2009# set resources group application-group AG1 engine user name webex
user@danos2009# set resources group application-group AG1 engine user type video
user@danos2009# set resources group application-group AG1 engine user protocol citrix
user@danos2009# set security application firewall name SAF1 rule 50 engine user name webex
user@danos2009# set security application firewall name SAF1 rule 50 action accept


Application groups can contain a mixture of nDPI and user-defined applications. The group matches any of the specified engine, name, type, or protocol rules, i.e. the rules are OR'd together.

user@danos2009# set resources group application-group AG1 engine ndpi name ebay
user@danos2009# set resources group application-group AG1 engine ndpi name facebook
user@danos2009# set resources group application-group AG1 engine ndpi name youtube
user@danos2009# set resources group application-group AG1 engine user name webex
user@danos2009# set resources group application-group AG1 engine user type voice
user@danos2009# set resources group application-group AG1 engine user protocol citrix
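User-defined application rules differ from application firewall rules in one important way: their match criteria are AND'd, so a rule with three criteria only classifies traffic that satisfies all three, and a rule with no criteria classifies everything. The Python below is an added example, not DANOS code, modelling section 2.4: each rule carries the L3/L4 criteria shown on the page (source address, destination address, L4 protocol) plus the "then" values, and `classify` returns the engine=user classification a packet would receive. Rule 10 is the page's webex example; rule 20, the packets, and the first-match-in-ascending-order behaviour are assumptions of this model.

```python
"""User-defined application classification modelled in Python (added
example, not DANOS code). Configured match criteria are AND'd; unconfigured
ones match anything; the 'then' values become the engine=user result."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str   # L4 protocol name, e.g. "tcp"


@dataclass(frozen=True)
class UserAppRule:
    """One 'set service application rule N ...' rule. Criteria left as None
    are unconfigured and match anything; 'then' values left as None stay
    Unknown in the resulting classification."""
    number: int
    source: Optional[str] = None        # source address prefix
    destination: Optional[str] = None   # destination address prefix
    protocol: Optional[str] = None      # L4 protocol
    name: Optional[str] = None          # then name
    app_protocol: Optional[str] = None  # then protocol
    type: Optional[str] = None          # then type

    def matches(self, p: Packet) -> bool:
        """All configured criteria must hold (AND)."""
        checks = []
        if self.source is not None:
            checks.append(ipaddress.ip_address(p.src) in ipaddress.ip_network(self.source))
        if self.destination is not None:
            checks.append(ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.destination))
        if self.protocol is not None:
            checks.append(p.protocol.lower() == self.protocol.lower())
        return all(checks)   # zero criteria -> matches every packet

    def cli(self) -> List[str]:
        """The equivalent CLI lines, using only the forms shown on the page."""
        base = f"set service application rule {self.number}"
        lines = []
        if self.source is not None:
            lines.append(f"{base} source address {self.source}")
        if self.destination is not None:
            lines.append(f"{base} destination address {self.destination}")
        if self.protocol is not None:
            lines.append(f"{base} protocol {self.protocol}")
        for key, value in (("name", self.name), ("protocol", self.app_protocol), ("type", self.type)):
            if value is not None:
                lines.append(f"{base} then {key} {value}")
        return lines


def classify(rules: List[UserAppRule], p: Packet) -> Optional[Dict[str, str]]:
    """engine=user classification from the lowest-numbered matching rule
    (first-match order is an assumption of this model), or None."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(p):
            return {"engine": "user", "name": r.name or "Unknown",
                    "protocol": r.app_protocol or "Unknown", "type": r.type or "Unknown"}
    return None


# Rule 10 is the page's webex example; rule 20 is constructed to show AND'd criteria.
RULES = [
    UserAppRule(10, source="10.1.1.0/28", name="webex", type="video"),
    UserAppRule(20, source="10.0.0.0/24", destination="212.0.0.0/8", protocol="tcp",
                name="MYNEWS", app_protocol="MYWEB", type="MYNEWS"),
]

if __name__ == "__main__":
    for r in RULES:
        print("\n".join(r.cli()))
    print(classify(RULES, Packet("10.0.0.1", "212.58.233.253", "tcp")))
```

Because a user-defined rule classifies on the first packet, its result is available immediately and the session never sits in the "Unknown" grace window; that is why the user engine's table rows on this page show a single forward packet and no bytes.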

3. Show commands

3.1. show session table application

Provided at least one DPI rule is configured, the "show session table application" command will show application information associated with each session. There is no output if no DPI rules are configured.

The columns are:

Conn ID: the connection ID as shown in the other "show session table ..." outputs.
Engine: which engine classified this traffic.
App-name: the application name according to this DPI engine.
L5-proto-name: the layer 5 protocol according to this DPI engine.
Offloaded: "false" if the engine still needs to see more packets; "true" if the engine has made a final determination.
Error: "true" if a DPI error occurred; "false" otherwise.
Fwd-pkts: the number of packets observed by the DPI engine in the forward direction prior to offloading.
Fwd-bytes: the number of bytes observed by the DPI engine in the forward direction prior to offloading.
Bwd-pkts: the number of packets observed by the DPI engine in the backward direction prior to offloading.
Bwd-bytes: the number of bytes observed by the DPI engine in the backward direction prior to offloading.
Type: the application type according to this DPI engine.


nDPI information will be shown if at least one nDPI rule is configured:

user@danos2009:~$ show session table application
Conn ID Engine App-name L5-proto-name Offloaded Error Fwd-pkts Fwd-bytes Bwd-pkts Bwd-bytes Type
------- ------ -------- ------------- --------- ----- -------- --------- -------- --------- ----
10      ndpi   Unknown  SSH           true      false 5        1409      4        1081      RemoteAccess
11      ndpi   Unknown  HTTP          true      false 3        136       2        126       Web
12      ndpi   Unknown  TLS           true      false 3        517       3        1436      Web
14      ndpi   LinkedIn TLS           true      false 3        517       1        0         SocialNetwork
15      ndpi   YouTube  TLS           true      false 3        517       1        0         Media


User-defined application information will be shown if at least one user-defined application rule is configured:

user@danos2009:~$ show session table application
Conn ID Engine App-name L5-proto-name Offloaded Error Fwd-pkts Fwd-bytes Bwd-pkts Bwd-bytes Type
------- ------ -------- ------------- --------- ----- -------- --------- -------- --------- ----
20      user   UD_NAME1 UD_PROTO1     true      false 1        0         0        0         UD_TYPE1


Both nDPI and user-defined application information will be shown for each session when at least one nDPI and one user-defined application rule are configured:

user@danos2009:~$ show session table application
Conn ID Engine App-name L5-proto-name Offloaded Error Fwd-pkts Fwd-bytes Bwd-pkts Bwd-bytes Type
------- ------ -------- ------------- --------- ----- -------- --------- -------- --------- ----
23      user   utube    None          true      false 1        0         0        0         video
23      ndpi   YouTube  TLS           true      false 3        517       1        0         Media

3.2. Journal logging

When firewall logging is enabled and DPI information is available for the session, this will be included in the session create, update, and delete logs seen in the system journal:

user@danos2009# set system session log creation
user@danos2009# set system session log deletion
user@danos2009# set system session log periodic 60

user@danos2009:~$ journalctl | grep SESSION_
FIREWALL: SESSION_CREATE duration=0.692 ifname=dp0p1s2 session-id=22 proto=tcp(6) dir=out addr=10.0.0.1->157.240.1.35 port=59652->443 fw-rule=DPI:200 engine=ndpi app-name=Facebook proto-name=TLS type=SocialNetwork
FIREWALL: SESSION_CREATE duration=2.002 ifname=dp0p1s2 session-id=7 proto=tcp(6) dir=out addr=10.0.0.1->212.58.233.253 port=52980->443 fw-rule=DPI:200 engine=user app-name=BBC proto-name=MYWEB type=MYNEWS
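The journal lines are the one place where DPI classification, firewall rule, addresses and ports appear together per session, which makes them the natural feed for monitoring. The Python below is an added example, not DANOS code: it parses the "FIREWALL: SESSION_*" key=value format shown above into fields, splits the composite addr and port values, and reports sessions whose DPI protocol is not the one normally expected on the destination port (for instance a non-TLS protocol on port 443). The first two sample lines are copies of the page's output; the third line and the per-port expectation table are constructed.

```python
"""Parser and a simple consistency check for the FIREWALL: SESSION_* journal
lines (added example, not DANOS code). Field names come from the page's
sample; the third sample line and EXPECTED_BY_PORT are constructed."""
import re
from typing import Dict, List, Optional, Set

SAMPLE_JOURNAL = """\
FIREWALL: SESSION_CREATE duration=0.692 ifname=dp0p1s2 session-id=22 proto=tcp(6) dir=out addr=10.0.0.1->157.240.1.35 port=59652->443 fw-rule=DPI:200 engine=ndpi app-name=Facebook proto-name=TLS type=SocialNetwork
FIREWALL: SESSION_CREATE duration=2.002 ifname=dp0p1s2 session-id=7 proto=tcp(6) dir=out addr=10.0.0.1->212.58.233.253 port=52980->443 fw-rule=DPI:200 engine=user app-name=BBC proto-name=MYWEB type=MYNEWS
FIREWALL: SESSION_CREATE duration=0.105 ifname=dp0p1s2 session-id=31 proto=tcp(6) dir=out addr=10.0.0.1->203.0.113.7 port=40122->443 fw-rule=DPI:200 engine=ndpi app-name=Unknown proto-name=SSH type=RemoteAccess
"""

# Constructed expectation: which nDPI protocol names are normal on a port.
EXPECTED_BY_PORT: Dict[str, Set[str]] = {"443": {"TLS"}, "80": {"HTTP"}}

_HEADER = re.compile(r"^FIREWALL: (SESSION_[A-Z]+) (.*)$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """One journal line -> dict of its key=value fields, or None if the
    line is not a FIREWALL: SESSION_* record."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    event, body = m.groups()
    rec = {"event": event}
    for token in body.split():
        key, _, value = token.partition("=")   # values may contain ':' or '->'
        rec[key] = value
    # split the composite fields the page's format uses
    if "addr" in rec and "->" in rec["addr"]:
        rec["src"], rec["dst"] = rec["addr"].split("->", 1)
    if "port" in rec and "->" in rec["port"]:
        rec["sport"], rec["dport"] = rec["port"].split("->", 1)
    return rec


def parse_journal(text: str) -> List[Dict[str, str]]:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def unexpected_protocol(records: List[Dict[str, str]],
                        expected: Dict[str, Set[str]]) -> List[str]:
    """session-ids of nDPI-classified sessions whose proto-name is not in
    the expected set for their destination port; ports with no entry in
    `expected` are ignored."""
    hits = []
    for r in records:
        if r.get("engine") != "ndpi" or "dport" not in r:
            continue
        allowed = expected.get(r["dport"])
        if allowed is not None and r.get("proto-name") not in allowed:
            hits.append(r["session-id"])
    return hits


if __name__ == "__main__":
    records = parse_journal(SAMPLE_JOURNAL)
    for r in records:
        print(r["session-id"], r["src"], "->", r["dst"], r["dport"], r["engine"], r["app-name"], r["proto-name"])
    print("unexpected protocol on port:", unexpected_protocol(records, EXPECTED_BY_PORT))
```

The check deliberately skips engine=user records: a user-defined rule's proto-name is whatever the administrator configured (MYWEB above), so comparing it against nDPI protocol names would only produce noise.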

4. Examples

4.1. An application firewall allows access to permitted websites while blocking all other web traffic

Additional sites would be allowed by adding rules to the "ALLOWED-SITES" application firewall.

# Ports for web traffic
set resources group port-group WEB port 80
set resources group port-group WEB port 443

# Application firewall
#   - accept specific applications
#   - all other applications are dropped by default
set security application firewall name ALLOWED-SITES rule 100 action accept
set security application firewall name ALLOWED-SITES rule 100 engine ndpi name google
set security application firewall name ALLOWED-SITES rule 200 action accept
set security application firewall name ALLOWED-SITES rule 200 engine ndpi name linkedin

# Allow DNS traffic
set security firewall name DPI rule 100 action accept
set security firewall name DPI rule 100 destination address 8.8.8.8
set security firewall name DPI rule 100 session

# Send all web traffic through the application firewall
set security firewall name DPI rule 200 action accept
set security firewall name DPI rule 200 protocol tcp
set security firewall name DPI rule 200 destination port WEB
set security firewall name DPI rule 200 session application firewall ALLOWED-SITES

# Default action
set security firewall name DPI rule 1000 action accept
set security firewall name DPI rule 1000 session

# Apply firewall to interface
set interfaces dataplane dp0p1s2 firewall out DPI

4.2. An application firewall is used with an application group to allow access to some permitted websites while blocking all other web traffic

Additional sites would be allowed by adding rules to the "ALLOWED-SITES-GROUP" application group.

# Ports for web traffic
set resources group port-group WEB port 80
set resources group port-group WEB port 443

# Application group
set resources group application-group ALLOWED-SITES-GROUP engine ndpi name linkedin
set resources group application-group ALLOWED-SITES-GROUP engine ndpi name google

# Application firewall
#   - accept applications in the "ALLOWED-SITES-GROUP" application group
#   - drop all other applications
set security application firewall name WEB-TRAFFIC rule 100 action accept
set security application firewall name WEB-TRAFFIC rule 100 group ALLOWED-SITES-GROUP
set security application firewall name WEB-TRAFFIC no-match-action drop

# Allow DNS traffic
set security firewall name DPI rule 100 action accept
set security firewall name DPI rule 100 destination address 8.8.8.8
set security firewall name DPI rule 100 session

# Send all web traffic through the application firewall
set security firewall name DPI rule 200 action accept
set security firewall name DPI rule 200 protocol tcp
set security firewall name DPI rule 200 destination port WEB
set security firewall name DPI rule 200 session application firewall WEB-TRAFFIC

# Default action
set security firewall name DPI rule 1000 action accept
set security firewall name DPI rule 1000 session

# Apply firewall to interface
set interfaces dataplane dp0p1s2 firewall out DPI

4.3. An application firewall is used with an application group to block http requests while allowing https requests

HTTP requests would be allowed by adding http to the "WEB-APPS-GROUP" application group.

# Ports for web traffic
set resources group port-group WEB port 80
set resources group port-group WEB port 443

# Application group
set resources group application-group WEB-APPS-GROUP engine ndpi protocol tls

# Application firewall
#   - accept applications in the "WEB-APPS-GROUP" application group
#   - drop all other applications
set security application firewall name WEB-TRAFFIC rule 100 action accept
set security application firewall name WEB-TRAFFIC rule 100 group WEB-APPS-GROUP
set security application firewall name WEB-TRAFFIC no-match-action drop

# Allow DNS traffic
set security firewall name DPI rule 100 action accept
set security firewall name DPI rule 100 destination address 8.8.8.8
set security firewall name DPI rule 100 session

# Send all web traffic through the application firewall
set security firewall name DPI rule 200 action accept
set security firewall name DPI rule 200 protocol tcp
set security firewall name DPI rule 200 destination port WEB
set security firewall name DPI rule 200 session application firewall WEB-TRAFFIC

# Default action
set security firewall name DPI rule 1000 action accept
set security firewall name DPI rule 1000 session

# Apply firewall to interface
set interfaces dataplane dp0p1s2 firewall out DPI

4.4. Traffic destined to the BBC news web site is identified with a user-defined name, protocol, and type

The web site is served by a range of addresses.

# Ports for web traffic
set resources group port-group WEB port 80
set resources group port-group WEB port 443

# Address group
set resources group address-group BBC-SITE address-range 212.0.0.0 to 212.255.255.255

# User-defined application
set service application rule 100 destination address BBC-SITE
set service application rule 100 then name MYNEWS
set service application rule 100 then protocol MYWEB
set service application rule 100 then type MYNEWS

# Application firewall
#   - accept traffic to the BBC
#   - drop all other applications
set security application firewall name BBC-TRAFFIC rule 100 action accept
set security application firewall name BBC-TRAFFIC rule 100 engine user name MYNEWS
set security application firewall name BBC-TRAFFIC no-match-action drop

# Allow DNS traffic
set security firewall name DPI rule 100 action accept
set security firewall name DPI rule 100 destination address 8.8.8.8
set security firewall name DPI rule 100 session

# Send all web traffic through the application firewall
set security firewall name DPI rule 200 action accept
set security firewall name DPI rule 200 protocol tcp
set security firewall name DPI rule 200 destination port WEB
set security firewall name DPI rule 200 session application firewall BBC-TRAFFIC

# Default action
set security firewall name DPI rule 1000 action accept
set security firewall name DPI rule 1000 session

# Apply firewall to interface
set interfaces dataplane dp0p1s2 firewall out DPI

4.5. An application firewall is applied to traffic entering or leaving a GRE tunnel

Tunneled telnet and SSH traffic are dropped.

# Group of applications to be blocked
set resources group application-group BLOCKED engine ndpi name telnet
set resources group application-group BLOCKED engine ndpi name ssh

# Application firewall drops applications in the group
# while accepting other traffic
set security application firewall name APPFW no-match-action accept
set security application firewall name APPFW rule 100 action drop
set security application firewall name APPFW rule 100 group BLOCKED

# Firewall
set security firewall name SFW rule 100 action accept
set security firewall name SFW rule 100 protocol tcp
set security firewall name SFW rule 100 session application firewall APPFW

# Default action
set security firewall name SFW rule 1000 action accept
set security firewall name SFW rule 1000 session

# GRE tunnel configuration
set interfaces tunnel tun1 encapsulation gre
set interfaces tunnel tun1 address 15.0.0.1/24
set interfaces tunnel tun1 local-ip 128.0.0.11
set interfaces tunnel tun1 remote-ip 128.0.0.13

Traffic entering the vRouter from the tunnel is firewalled by applying the firewall in the “in” direction:

# Apply firewall to tunnel
set interfaces tunnel tun1 firewall in SFW

Traffic leaving the vRouter through the tunnel is firewalled by applying the firewall in the “out” direction:

# Apply firewall to tunnel
set interfaces tunnel tun1 firewall out SFW

4.6. An application firewall is applied to traffic entering or leaving a VFP IPSec tunnel

Tunneled telnet and SSH traffic are dropped.

# Group of applications to be blocked
set resources group application-group BLOCKED engine ndpi name telnet
set resources group application-group BLOCKED engine ndpi name ssh

# Application firewall drops applications in the group
# while accepting other traffic
set security application firewall name APPFW no-match-action accept
set security application firewall name APPFW rule 100 action drop
set security application firewall name APPFW rule 100 group BLOCKED

# Firewall
set security firewall name SFW rule 100 action accept
set security firewall name SFW rule 100 protocol tcp
set security firewall name SFW rule 100 session application firewall APPFW

# Default action
set security firewall name SFW rule 1000 action accept
set security firewall name SFW rule 1000 session

# VFP configuration
set interfaces virtual-feature-point vfp1 address 169.254.0.1/32
set security vpn ipsec esp-group group1 lifetime 600
set security vpn ipsec esp-group group1 proposal 1 encryption aes256
set security vpn ipsec ike-group group1 lifetime 3000
set security vpn ipsec ike-group group1 proposal 1 encryption aes256
set security vpn ipsec site-to-site peer 128.0.0.13 authentication mode pre-shared-secret
set security vpn ipsec site-to-site peer 128.0.0.13 authentication pre-shared-secret '********'
set security vpn ipsec site-to-site peer 128.0.0.13 default-esp-group group1
set security vpn ipsec site-to-site peer 128.0.0.13 ike-group group1
set security vpn ipsec site-to-site peer 128.0.0.13 local-address 128.0.0.11
set security vpn ipsec site-to-site peer 128.0.0.13 tunnel 1 local prefix 12.0.0.0/24
set security vpn ipsec site-to-site peer 128.0.0.13 tunnel 1 remote prefix 13.0.0.0/24
set security vpn ipsec site-to-site peer 128.0.0.13 tunnel 1 uses vfp1

Traffic entering the vRouter from the tunnel is firewalled by applying the firewall in the “in” direction:

# Apply firewall to tunnel
set interfaces virtual-feature-point vfp1 firewall in SFW

Traffic leaving the vRouter through the tunnel is firewalled by applying the firewall in the “out” direction:

# Apply firewall to tunnel
set interfaces virtual-feature-point vfp1 firewall out SFW

5. Debugging

5.1. show session table application

Enable any DPI rule. Examine the "show session table application" output to see how the traffic was classified, then modify the rule accordingly.

Pay particular attention to whether the application appears in the "App-name" or the "L5-proto-name" column. For example, as seen below, "LinkedIn" and "YouTube" are application names, while SSH is a protocol:

user@danos2009:~$ show session table application
Conn ID Engine App-name L5-proto-name Offloaded Error Fwd-pkts Fwd-bytes Bwd-pkts Bwd-bytes Type
------- ------ -------- ------------- --------- ----- -------- --------- -------- --------- ----
14      ndpi   LinkedIn TLS           true      false 3        517       1        0         SocialNetwork
15      ndpi   YouTube  TLS           true      false 3        517       1        0         Media
18      ndpi   Unknown  SSH           true      false 5        1409      4        1081      RemoteAccess
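Reading the table by eye works for a handful of sessions; for a busy box it helps to parse it. The Python below is an added example, not DANOS code, serving both the column description in 3.1 and the debugging advice here: it parses "show session table application" output into typed rows, decides for each row whether the engine reported the application in "App-name" or only in "L5-proto-name", and derives the "engine ... name" or "engine ... protocol" clause that would match it. It also lists sessions the engine has not yet offloaded or could not classify, since those are the ones that will fall through to no-match-action. The sample rows are copies of the page's output plus one constructed, not-yet-offloaded session (Conn ID 31); lower-casing names for the match clause follows the page's own configuration examples and is an assumption.

```python
"""Parser for 'show session table application' output (added example, not
DANOS code). Column names follow section 3.1; the row for Conn ID 31 is
constructed."""
from typing import Dict, List, Optional

SAMPLE = """\
user@danos2009:~$ show session table application
Conn ID Engine App-name L5-proto-name Offloaded Error Fwd-pkts Fwd-bytes Bwd-pkts Bwd-bytes Type
------- ------ -------- ------------- --------- ----- -------- --------- -------- --------- ----
14      ndpi   LinkedIn TLS           true      false 3        517       1        0         SocialNetwork
15      ndpi   YouTube  TLS           true      false 3        517       1        0         Media
18      ndpi   Unknown  SSH           true      false 5        1409      4        1081      RemoteAccess
23      user   utube    None          true      false 1        0         0        0         video
31      ndpi   Unknown  Unknown       false     false 2        140       1        60        Unknown
"""

COLUMNS = ["conn_id", "engine", "app_name", "l5_proto_name", "offloaded", "error",
           "fwd_pkts", "fwd_bytes", "bwd_pkts", "bwd_bytes", "type"]
_INTS = ("conn_id", "fwd_pkts", "fwd_bytes", "bwd_pkts", "bwd_bytes")
_BOOLS = ("offloaded", "error")


def parse_table(text: str) -> List[Dict]:
    """Typed rows from the command output; prompt, header and separator
    lines are skipped because they do not have 11 fields starting with a
    numeric Conn ID."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(COLUMNS) or not parts[0].isdigit():
            continue
        row = dict(zip(COLUMNS, parts))
        for k in _INTS:
            row[k] = int(row[k])
        for k in _BOOLS:
            row[k] = row[k] == "true"
        rows.append(row)
    return rows


def match_clause(row: Dict) -> Optional[str]:
    """The application-firewall clause that would match this row: a name
    if the engine reported one, otherwise the L5 protocol, else None."""
    if row["app_name"] != "Unknown":
        return f"engine {row['engine']} name {row['app_name'].lower()}"
    if row["l5_proto_name"] not in ("Unknown", "None"):
        return f"engine {row['engine']} protocol {row['l5_proto_name'].lower()}"
    return None


def undetermined(rows: List[Dict]) -> List[int]:
    """Conn IDs the engine is still examining, errored on, or could not
    classify; these sessions will fall through to no-match-action."""
    return [r["conn_id"] for r in rows
            if not r["offloaded"] or r["error"] or match_clause(r) is None]


if __name__ == "__main__":
    rows = parse_table(SAMPLE)
    for r in rows:
        print(r["conn_id"], r["engine"], r["app_name"], r["l5_proto_name"], "->", match_clause(r))
    print("undetermined:", undetermined(rows))
```

For Conn ID 18 the clause comes out as "engine ndpi protocol ssh", not "name ssh", which is the distinction this section asks you to check before writing the rule.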