Deep Packet Inspection
- 1. Overview
- 2. Configuration
- 3. Show commands
- 4. Examples
- 4.1. An application firewall allows access to permitted websites while blocking all other web traffic
- 4.2. An application firewall is used with an application group to allow access to some permitted websites while blocking all other web traffic
- 4.3. An application firewall is used with an application group to block http requests while allowing https requests
- 4.4. Traffic destined to the BBC news web site is identified with a user-defined name, protocol, and type
- 4.5. An application firewall is applied to traffic entering or leaving a GRE tunnel
- 4.6. An application firewall is applied to traffic entering or leaving a VFP IPSec tunnel
- 5. Debugging
Available in DANOS 2009
1. Overview
Deep Packet Inspection (DPI) uses ntop's nDPI engine to identify layer 7 applications. User-defined applications can also be specified using L3 / L4 rules.
Firewall rules can be configured to allow or block the identified applications.
2. Configuration
2.1. Application firewall
Applications are configured in an "application firewall" using the "set security application firewall" command, which is similar to the existing firewall command ("set security firewall name ..."), but is specific to applications:
user@danos2009# set security application firewall name SAF1 ?
Possible Completions:
<Enter> Execute the current command
description Ruleset description
no-match-action Action when no match (default is drop)
+> rule Rule number
Applications are specified by the DPI engine and the application name, protocol, or type. Applications are configured individually, one per rule.
user@danos2009# set security application firewall name SAF1 rule 10 engine ndpi ?
Possible Completions:
<Enter> Execute the current command
name Specify an nDPI application name
protocol Specify an nDPI application protocol
type Specify an nDPI application type
Each rule can only match one application name or protocol or type in order to prevent conflicting configuration which would never match anything.
Multiple applications can be added by configuring multiple rules. Rules are evaluated in increasing numerical order.
user@danos2009# set security application firewall name SAF1 rule 10 engine ndpi name youtube
user@danos2009# set security application firewall name SAF1 rule 10 action drop
user@danos2009# set security application firewall name SAF1 rule 20 engine ndpi protocol ssh
user@danos2009# set security application firewall name SAF1 rule 20 action accept
user@danos2009# set security application firewall name SAF1 rule 30 engine ndpi type filesharing
user@danos2009# set security application firewall name SAF1 rule 30 action drop
The application firewall is referenced from the regular firewall. It is configured under "session" because DPI requires a stateful firewall: the DPI engine may have to examine several packets of a session before reaching a determination. Since application matching is only supported for TCP and UDP, the enclosing firewall rule must specify either "protocol tcp" or "protocol udp":
user@danos2009# set security firewall name SF1 rule 10 session application firewall SAF1
user@danos2009# set security firewall name SF1 rule 10 protocol tcp
user@danos2009# set security firewall name SF1 rule 10 action accept
2.2. Default action
Until the engine has seen enough traffic to make a determination, packets are classified as application "Unknown", protocol "Unknown". These packets must be allowed through the firewall, otherwise the engine never sees enough of the session to classify it. The application firewall therefore accepts up to ten packets per session before applying the "no-match-action" to a session that is still unclassified. Note that this is fail-open for the start of every session: a drop policy cannot stop the first ten packets of a session from being forwarded, so an exchange that completes within those packets is never subject to the drop.
2.2.1. Firewall
A default firewall action may be specified either in a high-numbered rule or with the "default action" command. Both of these match all packets, so no subsequent 'implicit action' or rule in a later group is reached.
2.2.2. Application firewall
A default application firewall action may be specified either in a high-numbered application firewall rule or with the "no-match-action" command. Note that up to ten packets per session are accepted before either of these applies, so that the DPI engine sees enough traffic to reach a determination.
2.3. Application groups
Several applications can be combined in an application group. Application names, types, and protocols can be mixed within a group. The group matches any of the specified name, type, or protocol entries, i.e. the entries are OR'd together.
user@danos2009# set resources group application-group AG1 engine ndpi type chat
user@danos2009# set resources group application-group AG1 engine ndpi type shopping
user@danos2009# set resources group application-group AG1 engine ndpi type game
user@danos2009# set resources group application-group AG1 engine ndpi name ebay
user@danos2009# set resources group application-group AG1 engine ndpi name facebook
user@danos2009# set resources group application-group AG1 engine ndpi name youtube
The application group is configured in an application firewall rule, together with the action to be performed on any traffic matching the group:
user@danos2009# set security application firewall name SAF1 rule 40 group AG1
user@danos2009# set security application firewall name SAF1 rule 40 action drop
As above, the application firewall is referenced from the regular firewall. The application firewall is configured under "session" because a stateful firewall is required for DPI.
user@danos2009# set security firewall name SF1 rule 10 session application firewall SAF1
user@danos2009# set security firewall name SF1 rule 10 protocol tcp
user@danos2009# set security firewall name SF1 rule 10 action accept
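The evaluation semantics described in sections 2.1 to 2.3 (rules tried in increasing numerical order, one application or one OR'd group per rule, ten packets accepted per session while the engine has no determination, then no-match-action) are easy to misread, so the following added example models them in Python. It is not DANOS code and not the dataplane's implementation; it parses the page's own "set" commands and replays sessions against the resulting rule table. Assumptions not stated on the page: matching is case-insensitive, and a session whose engine has reached a determination that matches no rule receives no-match-action immediately rather than after ten packets.

```python
"""Added example (not DANOS code): a model of application-firewall evaluation.

Parses the page's "set" commands and applies the semantics of sections
2.1 to 2.3. Assumptions: matching is case-insensitive, and a classified
session that matches no rule gets no-match-action at once.
"""
from dataclasses import dataclass, field
from typing import Optional

GRACE_PACKETS = 10  # packets accepted per session before no-match-action (from the page)

@dataclass(frozen=True)
class AppMatch:
    engine: str   # "ndpi" or "user"
    key: str      # "name", "protocol" or "type"
    value: str    # stored lower-case

@dataclass
class Rule:
    number: int
    action: str = "accept"
    match: Optional[AppMatch] = None  # a single application ...
    group: Optional[str] = None       # ... or an application-group name

@dataclass
class AppFirewall:
    rules: dict = field(default_factory=dict)  # rule number -> Rule
    no_match_action: str = "drop"              # the CLI default

@dataclass
class Classification:
    """One engine's current view of a session (cf. 'show session table application')."""
    engine: str
    name: str = "Unknown"
    protocol: str = "Unknown"
    type: str = "Unknown"
    final: bool = False  # the table's "Offloaded" column: determination reached

def parse_config(lines):
    """Build application groups and application firewalls from 'set' commands."""
    groups, firewalls = {}, {}
    for line in lines:
        t = line.split()
        if t[:4] == ["set", "resources", "group", "application-group"]:
            groups.setdefault(t[4], []).append(AppMatch(t[6], t[7], t[8].lower()))
        elif t[:5] == ["set", "security", "application", "firewall", "name"]:
            fw = firewalls.setdefault(t[5], AppFirewall())
            if t[6] == "no-match-action":
                fw.no_match_action = t[7]
            elif t[6] == "rule":
                rule = fw.rules.setdefault(int(t[7]), Rule(int(t[7])))
                if t[8] == "action":
                    rule.action = t[9]
                elif t[8] == "engine":  # rule N engine ndpi name youtube
                    rule.match = AppMatch(t[9], t[10], t[11].lower())
                elif t[8] == "group":   # rule N group AG1
                    rule.group = t[9]
    return groups, firewalls

def app_matches(m, classes):
    return any(c.engine == m.engine and getattr(c, m.key).lower() == m.value for c in classes)

def decide(fw, groups, classes, packets_seen):
    """Action for the next packet of a session whose engines currently report `classes`.

    Returns (action, matched rule number or None)."""
    for number in sorted(fw.rules):
        rule = fw.rules[number]
        candidates = groups[rule.group] if rule.group else [rule.match]
        if any(app_matches(m, classes) for m in candidates if m is not None):
            return rule.action, number
    if packets_seen < GRACE_PACKETS and not any(c.final for c in classes):
        return "accept", None  # still classifying: let the packet through
    return fw.no_match_action, None

def simulate(fw, groups, per_packet_classes):
    """Actions for a whole session; per_packet_classes[i] is the view when packet i arrives."""
    return [decide(fw, groups, classes, i)[0] for i, classes in enumerate(per_packet_classes)]

# Constructed configuration, assembled from the commands shown in sections 2.1 and 2.3.
CONFIG = """
set resources group application-group AG1 engine ndpi type chat
set resources group application-group AG1 engine ndpi name facebook
set security application firewall name SAF1 rule 10 engine ndpi name youtube
set security application firewall name SAF1 rule 10 action drop
set security application firewall name SAF1 rule 20 engine ndpi protocol ssh
set security application firewall name SAF1 rule 20 action accept
set security application firewall name SAF1 rule 40 group AG1
set security application firewall name SAF1 rule 40 action drop
set security application firewall name SAF1 no-match-action drop
"""
GROUPS, FIREWALLS = parse_config(CONFIG.split("\n"))
SAF1 = FIREWALLS["SAF1"]

UNKNOWN = Classification("ndpi")
SSH = Classification("ndpi", protocol="SSH", type="RemoteAccess", final=True)
FACEBOOK = Classification("ndpi", name="Facebook", protocol="TLS", type="SocialNetwork", final=True)
PLAIN_TLS = Classification("ndpi", protocol="TLS", type="Web", final=True)

if __name__ == "__main__":
    print(simulate(SAF1, GROUPS, [[UNKNOWN]] * 3 + [[SSH]] * 2))  # grace, then rule 20 accepts
    print(simulate(SAF1, GROUPS, [[UNKNOWN]] * 12))               # ten accepted, then dropped
    print(decide(SAF1, GROUPS, [FACEBOOK], 2), decide(SAF1, GROUPS, [PLAIN_TLS], 2))
```

The two runs of `simulate` show the point made in section 2.2: an SSH session passes its first three packets on the grace allowance and is then accepted by rule 20, while a session that never classifies passes ten packets before the drop begins. A TLS session with no application determination matches nothing and is dropped by no-match-action as soon as the engine offloads it.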
2.4. User-defined applications
User-defined applications can be defined using L3 / L4 rules using the "set service application... " command:
user@danos2009# set service application rule 10 ?
Possible Completions:
<Enter> Execute the current command
description Rule description
> destination Destination parameters
disable Disable rule
dscp DSCP value to match in an incoming IP header
dscp-group Group of DSCP values to match in an incoming IP header
ethertype Ethertype to match (name or hex or decimal)
> icmp ICMP for IPv4
> icmpv6 ICMP for IPv6
> ipv6-route IPv6 route
log Enable logging for rule
pcp 802.1 priority code point to match (0 to 7)
protocol IP L4 protocol to match (name, number or leave unconfigured for all)
protocol-group Group of IP L4 protocols to match
> source Source parameters
> tcp TCP parameters
> then Specify actions
Rules consist of two parts: zero or more match criteria, and one or more "then" actions.
All of the match criteria must hold for the rule to match, i.e. they are AND'd together.
The "then" action specifies the application name, protocol, or type to be used for traffic matching the rule:
user@danos2009# set service application rule 30 then ?
Possible Completions:
name Specify application name
protocol Specify application protocol
+> type Specify application type
For example, if subnet 10.1.1.0/28 only contains webex servers, the traffic coming from those servers can be classified as application name webex and application type video:
user@danos2009# set service application rule 10 source address 10.1.1.0/28
user@danos2009# set service application rule 10 then name webex
user@danos2009# set service application rule 10 then type video
User-defined applications are configured in application firewalls or application groups as shown earlier, except that the "user" engine is used:
user@danos2009# set resources group application-group AG1 engine user name webex
user@danos2009# set resources group application-group AG1 engine user type video
user@danos2009# set resources group application-group AG1 engine user protocol citrix
user@danos2009# set security application firewall name SAF1 rule 50 engine user name webex
user@danos2009# set security application firewall name SAF1 rule 50 action accept
Application groups can contain a mixture of nDPI and user-defined applications. The group matches any of the specified engine, name, type, or protocol entries, i.e. the entries are OR'd together.
user@danos2009# set resources group application-group AG1 engine ndpi name ebay
user@danos2009# set resources group application-group AG1 engine ndpi name facebook
user@danos2009# set resources group application-group AG1 engine ndpi name youtube
user@danos2009# set resources group application-group AG1 engine user name webex
user@danos2009# set resources group application-group AG1 engine user type voice
user@danos2009# set resources group application-group AG1 engine user protocol citrix
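The following added example (not DANOS code) shows how the user-defined rules of section 2.4 classify a flow: it parses "set service application rule ..." commands of the form shown above and applies them to a few flows, so that the AND'ing of criteria and the effect of the "then" values can be seen. It handles only source/destination address (prefix or host), "protocol" and "destination port" criteria, and assumes the lowest-numbered matching rule wins; rule 20 and the flows are constructed for the example.

```python
"""Added example (not DANOS code): user-defined application classification.

Parses 'set service application rule ...' commands and classifies flows.
Assumptions: only address/protocol/destination-port criteria are handled and
the lowest-numbered matching rule wins.
"""
import ipaddress
from dataclasses import dataclass, field

@dataclass
class UserRule:
    number: int
    criteria: dict = field(default_factory=dict)  # e.g. {"source address": "10.1.1.0/28"}
    then: dict = field(default_factory=dict)      # e.g. {"name": "webex", "type": "video"}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str
    dport: int

def parse_user_rules(lines):
    rules = {}
    for line in lines:
        t = line.split()
        if t[:4] != ["set", "service", "application", "rule"]:
            continue
        rule = rules.setdefault(int(t[4]), UserRule(int(t[4])))
        if t[5] == "then":
            rule.then[t[6]] = t[7]                   # then name webex
        elif t[5] in ("source", "destination"):
            rule.criteria[t[5] + " " + t[6]] = t[7]  # source address 10.1.1.0/28
        elif t[5] == "protocol":
            rule.criteria["protocol"] = t[6]         # protocol tcp
    return [rules[n] for n in sorted(rules)]

def criterion_holds(key, value, flow):
    if key in ("source address", "destination address"):
        addr = flow.src if key.startswith("source") else flow.dst
        return ipaddress.ip_address(addr) in ipaddress.ip_network(value, strict=False)
    if key == "destination port":
        return flow.dport == int(value)
    if key == "protocol":
        return flow.protocol == value
    raise ValueError(f"unsupported criterion {key!r}")

def classify(rules, flow):
    """User-engine name/protocol/type for a flow, or None if no rule matches.

    Every criterion of a rule must hold; anything the rule's 'then' does not
    set stays 'Unknown', as in the show output."""
    for rule in rules:
        if all(criterion_holds(k, v, flow) for k, v in rule.criteria.items()):
            return {"name": "Unknown", "protocol": "Unknown", "type": "Unknown", **rule.then}
    return None

# Constructed rules: the page's webex rule plus a rule with three AND'd criteria.
USER_RULES = parse_user_rules("""
set service application rule 10 source address 10.1.1.0/28
set service application rule 10 then name webex
set service application rule 10 then type video
set service application rule 20 destination address 192.0.2.0/24
set service application rule 20 protocol tcp
set service application rule 20 destination port 443
set service application rule 20 then name intranet
set service application rule 20 then protocol https
""".splitlines())

if __name__ == "__main__":
    print(classify(USER_RULES, Flow("10.1.1.5", "198.51.100.7", "tcp", 443)))  # webex / video
    print(classify(USER_RULES, Flow("10.1.1.20", "192.0.2.10", "tcp", 80)))    # None: port 80 fails rule 20
```

A flow from outside 10.1.1.0/28 to 192.0.2.10 is classified only if it is TCP to port 443; change any one of the three and rule 20 no longer matches, which is the AND semantics stated above.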
3. Show commands
3.1. show session table application
Provided at least one DPI rule is configured, the "show session table application" command will show application information associated with each session. There is no output if no DPI rules are configured.
The columns are:
- Conn ID: the connection ID as shown in the other "show session table ..." outputs.
- Engine: which engine classified this traffic.
- App-name: the application name according to this DPI engine.
- L5-proto-name: the layer 5 protocol according to this DPI engine.
- Offloaded: "false" if the engine still needs to see more packets; "true" if the engine has made a final determination.
- Error: "true" if a DPI error occurred, "false" otherwise.
- Fwd-pkts: the number of packets observed by the DPI engine in the forward direction prior to offloading.
- Fwd-bytes: the number of bytes observed by the DPI engine in the forward direction prior to offloading.
- Bwd-pkts: the number of packets observed by the DPI engine in the backward direction prior to offloading.
- Bwd-bytes: the number of bytes observed by the DPI engine in the backward direction prior to offloading.
- Type: the application type according to this DPI engine.
nDPI information will be shown if at least one nDPI rule is configured:
user@danos2009:~$ show session table application
Conn ID Engine App-name L5-proto-name Offloaded Error Fwd-pkts Fwd-bytes Bwd-pkts Bwd-bytes Type
------- ------ -------- ------------- --------- ----- -------- --------- -------- --------- ----
10 ndpi Unknown SSH true false 5 1409 4 1081 RemoteAccess
11 ndpi Unknown HTTP true false 3 136 2 126 Web
12 ndpi Unknown TLS true false 3 517 3 1436 Web
14 ndpi LinkedIn TLS true false 3 517 1 0 SocialNetwork
15 ndpi YouTube TLS true false 3 517 1 0 Media
User-defined application information will be shown if at least one user-defined application rule is configured:
user@danos2009:~$ show session table application
Conn ID Engine App-name L5-proto-name Offloaded Error Fwd-pkts Fwd-bytes Bwd-pkts Bwd-bytes Type
------- ------ -------- ------------- --------- ----- -------- --------- -------- --------- ----
20 user UD_NAME1 UD_PROTO1 true false 1 0 0 0 UD_TYPE1
Both nDPI and user-defined application information will be shown for each session when at least one nDPI and one user-defined application rule are configured:
user@danos2009:~$ show session table application
Conn ID Engine App-name L5-proto-name Offloaded Error Fwd-pkts Fwd-bytes Bwd-pkts Bwd-bytes Type
------- ------ -------- ------------- --------- ----- -------- --------- -------- --------- ----
23 user utube None true false 1 0 0 0 video
23 ndpi YouTube TLS true false 3 517 1 0 Media
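The following added example (not DANOS code) parses "show session table application" output and answers the two questions that come up when writing rules from it, including the one section 5 raises: which column an application was reported in, and therefore whether a rule should use "name", "protocol" or "type", and which sessions are still unclassified, still being examined, or in error. The sample is the output shown above plus two constructed rows (conn IDs 30 and 31) that exercise those checks.

```python
"""Added example (not DANOS code): parse 'show session table application'.

The layout assumed is the one shown on the page: eleven whitespace-separated
columns per session row. Rows 30 and 31 of the sample are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

SAMPLE = """\
Conn ID Engine App-name L5-proto-name Offloaded Error Fwd-pkts Fwd-bytes Bwd-pkts Bwd-bytes Type
------- ------ -------- ------------- --------- ----- -------- --------- -------- --------- ----
10 ndpi Unknown SSH true false 5 1409 4 1081 RemoteAccess
11 ndpi Unknown HTTP true false 3 136 2 126 Web
14 ndpi LinkedIn TLS true false 3 517 1 0 SocialNetwork
15 ndpi YouTube TLS true false 3 517 1 0 Media
23 user utube None true false 1 0 0 0 video
23 ndpi YouTube TLS true false 3 517 1 0 Media
30 ndpi Unknown Unknown false false 2 120 1 60 Unknown
31 ndpi Unknown Unknown true true 1 0 0 0 Unknown
"""

UNSET = {"Unknown", "None"}  # values the table uses when an engine has nothing to report

@dataclass(frozen=True)
class AppRow:
    conn_id: int
    engine: str
    app_name: str
    proto_name: str
    offloaded: bool
    error: bool
    fwd_pkts: int
    fwd_bytes: int
    bwd_pkts: int
    bwd_bytes: int
    type: str

def parse_table(text):
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 11 or not f[0].isdigit():
            continue  # header, separator or blank line
        rows.append(AppRow(int(f[0]), f[1], f[2], f[3], f[4] == "true", f[5] == "true",
                           int(f[6]), int(f[7]), int(f[8]), int(f[9]), f[10]))
    return rows

def match_key(row):
    """The (key, value) an application-firewall rule should use for this row.

    App-name is preferred; a row with App-name 'Unknown' but a known
    L5-proto-name needs a 'protocol' rule, not a 'name' rule."""
    if row.app_name not in UNSET:
        return "name", row.app_name.lower()
    if row.proto_name not in UNSET:
        return "protocol", row.proto_name.lower()
    if row.type not in UNSET:
        return "type", row.type.lower()
    return None

def needs_attention(rows):
    """Conn ID -> reasons, for sessions with a DPI error, an engine still examining
    packets, or no determination from any engine."""
    by_conn = defaultdict(list)
    for r in rows:
        by_conn[r.conn_id].append(r)
    flagged = {}
    for conn_id, group in sorted(by_conn.items()):
        reasons = []
        if any(r.error for r in group):
            reasons.append("error")
        if not all(r.offloaded for r in group):
            reasons.append("still classifying")
        if all(match_key(r) is None for r in group):
            reasons.append("unclassified")
        if reasons:
            flagged[conn_id] = reasons
    return flagged

if __name__ == "__main__":
    rows = parse_table(SAMPLE)
    for r in rows:
        print(r.conn_id, r.engine, match_key(r))  # e.g. 10 ndpi ('protocol', 'ssh')
    print(needs_attention(rows))
```

Session 23 appears twice, once per engine, which is why `needs_attention` groups rows by Conn ID before deciding whether a session is unclassified.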
3.2. Journal logging
When session logging is enabled and DPI information is available for the session, it is included in the session create, periodic update, and delete logs in the system journal:
user@danos2009# set system session log creation
user@danos2009# set system session log deletion
user@danos2009# set system session log periodic 60
user@danos2009:~$ journalctl | grep SESSION_
FIREWALL: SESSION_CREATE duration=0.692 ifname=dp0p1s2 session-id=22 proto=tcp(6) dir=out addr=10.0.0.1->157.240.1.35 port=59652->443 fw-rule=DPI:200 engine=ndpi app-name=Facebook proto-name=TLS type=SocialNetwork
FIREWALL: SESSION_CREATE duration=2.002 ifname=dp0p1s2 session-id=7 proto=tcp(6) dir=out addr=10.0.0.1->212.58.233.253 port=52980->443 fw-rule=DPI:200 engine=user app-name=BBC proto-name=MYWEB type=MYNEWS
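The journal lines above are key=value records, which makes them easy to mine. The following added example (not DANOS code) parses them into dictionaries, splits the "addr" and "port" fields into source and destination, and builds a per-host application inventory plus a lookup by DPI type. The first two sample lines are the ones shown above; the remaining two are constructed in the same layout, and only the fields visible on the page are assumed.

```python
"""Added example (not DANOS code): parse SESSION_* journal lines with DPI fields.

Lines 3 and 4 of JOURNAL are constructed; the first two are from the page.
"""
import re
from collections import defaultdict

JOURNAL = """\
FIREWALL: SESSION_CREATE duration=0.692 ifname=dp0p1s2 session-id=22 proto=tcp(6) dir=out addr=10.0.0.1->157.240.1.35 port=59652->443 fw-rule=DPI:200 engine=ndpi app-name=Facebook proto-name=TLS type=SocialNetwork
FIREWALL: SESSION_CREATE duration=2.002 ifname=dp0p1s2 session-id=7 proto=tcp(6) dir=out addr=10.0.0.1->212.58.233.253 port=52980->443 fw-rule=DPI:200 engine=user app-name=BBC proto-name=MYWEB type=MYNEWS
FIREWALL: SESSION_CREATE duration=0.410 ifname=dp0p1s2 session-id=31 proto=tcp(6) dir=out addr=10.0.0.2->198.51.100.9 port=40122->22 fw-rule=DPI:1000 engine=ndpi app-name=Unknown proto-name=SSH type=RemoteAccess
FIREWALL: SESSION_CREATE duration=0.300 ifname=dp0p1s2 session-id=32 proto=tcp(6) dir=out addr=10.0.0.2->203.0.113.4 port=40130->443 fw-rule=DPI:200 engine=ndpi app-name=YouTube proto-name=TLS type=Media
"""

LINE_RE = re.compile(r"^FIREWALL: (?P<event>SESSION_\w+) (?P<fields>.*)$")

def parse_line(line):
    """One journal line -> dict of its key=value fields, or None if it is not a session log."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"event": m.group("event")}
    for token in m.group("fields").split():
        key, _, value = token.partition("=")  # 'fw-rule=DPI:200' keeps the colon in the value
        rec[key] = value
    for key in ("addr", "port"):
        if "->" in rec.get(key, ""):
            rec["src-" + key], rec["dst-" + key] = rec[key].split("->", 1)
    return rec

def parse_journal(text):
    return [r for r in map(parse_line, text.splitlines()) if r]

def inventory(records):
    """Source host -> sorted 'engine:app-name/proto-name' labels seen at session creation."""
    apps = defaultdict(set)
    for r in records:
        if r["event"] == "SESSION_CREATE" and "engine" in r:
            apps[r["src-addr"]].add(f"{r['engine']}:{r['app-name']}/{r['proto-name']}")
    return {host: sorted(v) for host, v in apps.items()}

def sessions_of_type(records, wanted):
    """(session-id, src, dst, dst-port) of created sessions whose DPI type is in `wanted`."""
    return [(int(r["session-id"]), r["src-addr"], r["dst-addr"], int(r["dst-port"]))
            for r in records if r["event"] == "SESSION_CREATE" and r.get("type") in wanted]

if __name__ == "__main__":
    recs = parse_journal(JOURNAL)
    print(inventory(recs))
    print(sessions_of_type(recs, {"RemoteAccess"}))
```

Feeding `journalctl | grep SESSION_` into `parse_journal` gives the same records for a live system; the type lookup is the quick way to find, for instance, every remote-access session regardless of which port it used.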
4. Examples
4.1. An application firewall allows access to permitted websites while blocking all other web traffic
Additional sites would be allowed by adding rules to the "ALLOWED-SITES" application firewall.
# Ports for web traffic
set resources group port-group WEB port 80
set resources group port-group WEB port 443
# Application firewall
# - accept specific applications
# - all other applications are dropped by default
set security application firewall name ALLOWED-SITES rule 100 action accept
set security application firewall name ALLOWED-SITES rule 100 engine ndpi name google
set security application firewall name ALLOWED-SITES rule 200 action accept
set security application firewall name ALLOWED-SITES rule 200 engine ndpi name linkedin
# Allow DNS traffic
set security firewall name DPI rule 100 action accept
set security firewall name DPI rule 100 destination address 8.8.8.8
set security firewall name DPI rule 100 session
# Send all web traffic through the application firewall
set security firewall name DPI rule 200 action accept
set security firewall name DPI rule 200 protocol tcp
set security firewall name DPI rule 200 destination port WEB
set security firewall name DPI rule 200 session application firewall ALLOWED-SITES
# Default action
set security firewall name DPI rule 1000 action accept
set security firewall name DPI rule 1000 session
# Apply firewall to interface
set interfaces dataplane dp0p1s2 firewall out DPI
4.2. An application firewall is used with an application group to allow access to some permitted websites while blocking all other web traffic
Additional sites would be allowed by adding rules to the "ALLOWED-SITES-GROUP" application group.
# Ports for web traffic
set resources group port-group WEB port 80
set resources group port-group WEB port 443
# Application group
set resources group application-group ALLOWED-SITES-GROUP engine ndpi name linkedin
set resources group application-group ALLOWED-SITES-GROUP engine ndpi name google
# Application firewall
# - accept applications in the "ALLOWED-SITES-GROUP" application group
# - drop all other applications
set security application firewall name WEB-TRAFFIC rule 100 action accept
set security application firewall name WEB-TRAFFIC rule 100 group ALLOWED-SITES-GROUP
set security application firewall name WEB-TRAFFIC no-match-action drop
# Allow DNS traffic
set security firewall name DPI rule 100 action accept
set security firewall name DPI rule 100 destination address 8.8.8.8
set security firewall name DPI rule 100 session
# Send all web traffic through the application firewall
set security firewall name DPI rule 200 action accept
set security firewall name DPI rule 200 protocol tcp
set security firewall name DPI rule 200 destination port WEB
set security firewall name DPI rule 200 session application firewall WEB-TRAFFIC
# Default action
set security firewall name DPI rule 1000 action accept
set security firewall name DPI rule 1000 session
# Apply firewall to interface
set interfaces dataplane dp0p1s2 firewall out DPI
4.3. An application firewall is used with an application group to block http requests while allowing https requests
HTTP requests would be allowed by adding http to the "WEB-APPS-GROUP" application group.
# Ports for web traffic
set resources group port-group WEB port 80
set resources group port-group WEB port 443
# Application group
set resources group application-group WEB-APPS-GROUP engine ndpi protocol tls
# Application firewall
# - accept applications in the "WEB-APPS-GROUP" application group
# - drop all other applications
set security application firewall name WEB-TRAFFIC rule 100 action accept
set security application firewall name WEB-TRAFFIC rule 100 group WEB-APPS-GROUP
set security application firewall name WEB-TRAFFIC no-match-action drop
# Allow DNS traffic
set security firewall name DPI rule 100 action accept
set security firewall name DPI rule 100 destination address 8.8.8.8
set security firewall name DPI rule 100 session
# Send all web traffic through the application firewall
set security firewall name DPI rule 200 action accept
set security firewall name DPI rule 200 protocol tcp
set security firewall name DPI rule 200 destination port WEB
set security firewall name DPI rule 200 session application firewall WEB-TRAFFIC
# Default action
set security firewall name DPI rule 1000 action accept
set security firewall name DPI rule 1000 session
# Apply firewall to interface
set interfaces dataplane dp0p1s2 firewall out DPI
4.4. Traffic destined to the BBC news web site is identified with a user-defined name, protocol, and type
The web site is served by a range of addresses. A user-defined application is purely an L3/L4 match, so every session to an address in the group is classified as MYNEWS whatever it carries; the /8-sized range below is illustrative and should be narrowed to the site's actual prefixes in practice.
# Ports for web traffic
set resources group port-group WEB port 80
set resources group port-group WEB port 443
# Address group
set resources group address-group BBC-SITE address-range 212.0.0.0 to 212.255.255.255
# User-defined application
set service application rule 100 destination address BBC-SITE
set service application rule 100 then name MYNEWS
set service application rule 100 then protocol MYWEB
set service application rule 100 then type MYNEWS
# Application firewall
# - accept traffic to the BBC
# - drop all other applications
set security application firewall name BBC-TRAFFIC rule 100 action accept
set security application firewall name BBC-TRAFFIC rule 100 engine user name MYNEWS
set security application firewall name BBC-TRAFFIC no-match-action drop
# Allow DNS traffic
set security firewall name DPI rule 100 action accept
set security firewall name DPI rule 100 destination address 8.8.8.8
set security firewall name DPI rule 100 session
# Send all web traffic through the application firewall
set security firewall name DPI rule 200 action accept
set security firewall name DPI rule 200 protocol tcp
set security firewall name DPI rule 200 destination port WEB
set security firewall name DPI rule 200 session application firewall BBC-TRAFFIC
# Default action
set security firewall name DPI rule 1000 action accept
set security firewall name DPI rule 1000 session
# Apply firewall to interface
set interfaces dataplane dp0p1s2 firewall out DPI
4.5 An application firewall is applied to traffic entering or leaving a GRE tunnel
Tunneled telnet and SSH traffic are dropped. Before relying on this, confirm with "show session table application" which column nDPI reports each of these in (see section 5): the output in section 3 lists SSH under L5-proto-name, and an application that appears there is matched with "protocol" rather than "name".
# Group of applications to be blocked
set resources group application-group BLOCKED engine ndpi name telnet
set resources group application-group BLOCKED engine ndpi name ssh
# Application firewall drops applications in the group
# while accepting other traffic
set security application firewall name APPFW no-match-action accept
set security application firewall name APPFW rule 100 action drop
set security application firewall name APPFW rule 100 group BLOCKED
# Firewall
set security firewall name SFW rule 100 action accept
set security firewall name SFW rule 100 protocol tcp
set security firewall name SFW rule 100 session application firewall APPFW
# Default action
set security firewall name SFW rule 1000 action accept
set security firewall name SFW rule 1000 session
# GRE tunnel configuration
set interfaces tunnel tun1 encapsulation gre
set interfaces tunnel tun1 address 15.0.0.1/24
set interfaces tunnel tun1 local-ip 128.0.0.11
set interfaces tunnel tun1 remote-ip 128.0.0.13
Traffic entering the vRouter from the tunnel is firewalled by applying the firewall in the “in” direction:
# Apply firewall to tunnel
set interfaces tunnel tun1 firewall in SFW
Traffic leaving the vRouter through the tunnel is firewalled by applying the firewall in the “out” direction:
# Apply firewall to tunnel
set interfaces tunnel tun1 firewall out SFW
4.6 An application firewall is applied to traffic entering or leaving a VFP IPSec tunnel
Tunneled telnet and SSH traffic are dropped; the note in 4.5 about checking "name" versus "protocol" applies here too.
# Group of applications to be blocked
set resources group application-group BLOCKED engine ndpi name telnet
set resources group application-group BLOCKED engine ndpi name ssh
# Application firewall drops applications in the group
# while accepting other traffic
set security application firewall name APPFW no-match-action accept
set security application firewall name APPFW rule 100 action drop
set security application firewall name APPFW rule 100 group BLOCKED
# Firewall
set security firewall name SFW rule 100 action accept
set security firewall name SFW rule 100 protocol tcp
set security firewall name SFW rule 100 session application firewall APPFW
# Default action
set security firewall name SFW rule 1000 action accept
set security firewall name SFW rule 1000 session
# VFP configuration
set interfaces virtual-feature-point vfp1 address 169.254.0.1/32
set security vpn ipsec esp-group group1 lifetime 600
set security vpn ipsec esp-group group1 proposal 1 encryption aes256
set security vpn ipsec ike-group group1 lifetime 3000
set security vpn ipsec ike-group group1 proposal 1 encryption aes256
set security vpn ipsec site-to-site peer 128.0.0.13 authentication mode pre-shared-secret
set security vpn ipsec site-to-site peer 128.0.0.13 authentication pre-shared-secret '********'
set security vpn ipsec site-to-site peer 128.0.0.13 default-esp-group group1
set security vpn ipsec site-to-site peer 128.0.0.13 ike-group group1
set security vpn ipsec site-to-site peer 128.0.0.13 local-address 128.0.0.11
set security vpn ipsec site-to-site peer 128.0.0.13 tunnel 1 local prefix 12.0.0.0/24
set security vpn ipsec site-to-site peer 128.0.0.13 tunnel 1 remote prefix 13.0.0.0/24
set security vpn ipsec site-to-site peer 128.0.0.13 tunnel 1 uses vfp1
Traffic entering the vRouter from the tunnel is firewalled by applying the firewall in the “in” direction:
# Apply firewall to tunnel
set interfaces virtual-feature-point vfp1 firewall in SFW
Traffic leaving the vRouter through the tunnel is firewalled by applying the firewall in the “out” direction:
# Apply firewall to tunnel
set interfaces virtual-feature-point vfp1 firewall out SFW
5. Debugging
5.1. show session table application
Configure any DPI rule, then examine the "show session table application" output to see how the traffic was classified, and adjust the rule accordingly.
Pay particular attention to whether the application appears in the "App-name" or the "L5-proto-name" column, since that decides whether a rule must use "name" or "protocol". E.g. in the output below, "LinkedIn" and "YouTube" are application names, while SSH is a protocol, so SSH is matched with "engine ndpi protocol ssh" (as in section 2.1) rather than "name ssh":
user@danos2009:~$ show session table application
Conn ID Engine App-name L5-proto-name Offloaded Error Fwd-pkts Fwd-bytes Bwd-pkts Bwd-bytes Type
------- ------ -------- ------------- --------- ----- -------- --------- -------- --------- ----
14 ndpi LinkedIn TLS true false 3 517 1 0 SocialNetwork
15 ndpi YouTube TLS true false 3 517 1 0 Media
18 ndpi Unknown SSH true false 5 1409 4 1081 RemoteAccess