Deep Packet Inspection
- 1. Overview
- 2. Configuration
- 3. Show commands
- 4. Examples
- 4.1. An application firewall allows access to permitted websites while blocking all other web traffic
- 4.2. An application firewall is used with an application group to allow access to some permitted websites while blocking all other web traffic
- 4.3. An application firewall is used with an application group to block http requests while allowing https requests
- 4.4. Traffic destined to the BBC news web site is identified with a user-defined name, protocol, and type
- 4.5. An application firewall is applied to traffic entering or leaving a GRE tunnel
- 4.6. An application firewall is applied to traffic entering or leaving a VFP IPSec tunnel
- 5. Debugging
Available in DANOS 2009
1. Overview
Deep Packet Inspection (DPI) uses ntop's nDPI engine to identify layer 7 applications. User-defined applications can also be specified using L3 / L4 rules.
Firewall rules can be configured to allow or block the identified applications.
2. Configuration
2.1. Application firewall
Applications are configured in an "application firewall" using the "set security application firewall" command, which is similar to the existing firewall command ("set security firewall name ..."), but is specific to applications:
user@danos2009# set security application firewall name SAF1 ?
Possible Completions:
<Enter> Execute the current command
description Ruleset description
no-match-action Action when no match (default is drop)
+> rule Rule number
Applications are specified by the DPI engine and the application name, protocol, or type. Applications are configured individually, one per rule.
user@danos2009# set security application firewall name SAF1 rule 10 engine ndpi ?
Possible Completions:
<Enter> Execute the current command
name Specify an nDPI application name
protocol Specify an nDPI application protocol
type Specify an nDPI application type
Each rule can match only one application name, protocol, or type; this prevents a conflicting configuration that could never match anything.
Multiple applications can be added by configuring multiple rules. Rules are evaluated in increasing numerical order.
user@danos2009# set security application firewall name SAF1 rule 10 engine ndpi name youtube
user@danos2009# set security application firewall name SAF1 rule 10 action drop
user@danos2009# set security application firewall name SAF1 rule 20 engine ndpi protocol ssh
user@danos2009# set security application firewall name SAF1 rule 20 action accept
user@danos2009# set security application firewall name SAF1 rule 30 engine ndpi type filesharing
user@danos2009# set security application firewall name SAF1 rule 30 action drop
The application firewall is referenced from the regular firewall. It is configured under "session" because DPI requires a stateful firewall: the DPI engine may have to examine several packets in a session before reaching a determination. Because application matching is only supported for TCP and UDP, the enclosing firewall rule must specify either "protocol tcp" or "protocol udp":
2.2. Default action
Initial packets are classified as application "Unknown", protocol "Unknown", until sufficient traffic is seen for a determination to be made. It's important to allow these packets through the firewall so that enough traffic is seen in the session in order for the DPI engine to reach a determination. Therefore the application firewall allows up to ten packets before applying the "no-match-action" if no classification has been made.
2.2.1. Firewall
A default firewall action may be specified either in a high-numbered rule:
or using the "default action" command:
Both of these match all packets, so the implicit action and any rules in subsequent groups are never reached.
2.2.2. Application firewall
A default application firewall action may be specified either in a high-numbered application firewall rule:
or using the "no-match-action" command:
Note that up to ten packets will be accepted per session before these rules are applied so that enough traffic is seen in the session in order for the DPI engine to reach a determination.
2.3. Application groups
Several applications can be combined in an application group. Application names, types, and protocols can be mixed within a group. The group matches any of the specified name, type, or protocol rules, i.e. the rules are OR'd together.
The application group is configured in an application firewall rule, together with the action to be performed on any traffic matching the group:
As above, the application firewall is referenced from the regular firewall. The application firewall is configured under "session" because a stateful firewall is required for DPI.
2.4. User-defined applications
User-defined applications can be defined using L3 / L4 rules using the "set service application... " command:
Rules consist of two parts: zero or more match criteria, and one or more "then" actions.
All of the match criteria must match, i.e. the criteria are AND'd together.
The "then" action specifies the application name, protocol, or type to be used for traffic matching the rule:
For example, if subnet 10.1.1.0/28 only contains webex servers, the traffic coming from those servers can be classified as application name webex and application type video:
User-defined applications are configured in application firewalls or application groups as shown earlier, except that the "user" engine is used:
Application groups can contain a mixture of nDPI and user-defined applications. The group matches any of the specified engine, name, type, or protocol rules, i.e. the rules are OR'd together.
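The following model ties together the evaluation semantics described in sections 2.1 to 2.4: one name, protocol or type per plain rule, rules tried in increasing numerical order, group criteria OR'd, user-defined L3/L4 match criteria AND'd with a "then" classification, and the ten-packet allowance before "no-match-action" is applied to a still-unclassified session. It is an added illustration written for this page in Python, not DANOS or nDPI code. It assumes that nDPI name/protocol/type strings compare case-insensitively, that "up to ten packets" means packets 1 to 10 of an unclassified session are accepted, and that a flow can be represented as a dict of L3/L4 fields; the class and function names (Classification, AppRule, AppFirewall, UserAppRule, app_rule, classify_user, page_examples) are hypothetical, and the classifications fed to the firewall are constructed stand-ins for engine output.

```python
"""Model of DANOS application-firewall rule evaluation (added illustration, not DANOS/nDPI code).
Assumptions, ours not the page's: name/protocol/type compare case-insensitively; "up to ten packets"
means packets 1..10 of an unclassified session are accepted; all class/function names are hypothetical."""
import ipaddress
from dataclasses import dataclass, field

UNKNOWN = "Unknown"
GRACE_PACKETS = 10  # packets accepted per session before no-match-action applies


@dataclass(frozen=True)
class Classification:
    """What one engine ("ndpi" or "user") has decided about a session so far."""
    engine: str
    name: str = UNKNOWN
    protocol: str = UNKNOWN
    type: str = UNKNOWN

    def unclassified(self):
        return (self.name, self.protocol, self.type) == (UNKNOWN, UNKNOWN, UNKNOWN)


@dataclass
class AppRule:
    """A plain rule holds one criterion; a group rule holds the group's criteria, OR'd together.
    A criterion is (engine, field, value), e.g. ("ndpi", "name", "youtube")."""
    number: int
    action: str
    criteria: list

    def matches(self, classes):  # classes maps engine -> Classification for this session
        for engine, fld, value in self.criteria:
            seen = getattr(classes.get(engine, Classification(engine)), fld)
            if seen != UNKNOWN and seen.lower() == value.lower():
                return True
        return False


def app_rule(number, action, engine, fld, value):
    """Plain rule: exactly one of name / protocol / type, as the CLI enforces."""
    if fld not in ("name", "protocol", "type"):
        raise ValueError("a rule matches exactly one of name, protocol or type")
    return AppRule(number, action, [(engine, fld, value)])


@dataclass
class AppFirewall:
    rules: list = field(default_factory=list)
    no_match_action: str = "drop"  # CLI default

    def evaluate(self, classes, packets_seen):
        """Action for packet number packets_seen of a session, given the current classifications."""
        # Grace period: an unclassified session is let through so the engine can see more packets.
        if all(c.unclassified() for c in classes.values()) and packets_seen <= GRACE_PACKETS:
            return "accept"
        for rule in sorted(self.rules, key=lambda r: r.number):  # increasing numerical order
            if rule.matches(classes):
                return rule.action
        return self.no_match_action


@dataclass
class UserAppRule:
    """User-defined application: all L3/L4 match keys must hold (AND'd); 'then' gives name/protocol/type."""
    match: dict  # keys: "source" / "destination" (CIDR), "protocol", "destination_port"
    then: dict

    def classify(self, flow):
        for key, want in self.match.items():
            got = flow.get(key)
            if got is None:
                return None
            if key in ("source", "destination"):
                if ipaddress.ip_address(got) not in ipaddress.ip_network(want):
                    return None
            elif str(got).lower() != str(want).lower():
                return None
        return Classification("user", self.then.get("name", UNKNOWN),
                              self.then.get("protocol", UNKNOWN), self.then.get("type", UNKNOWN))


def classify_user(rules, flow):
    """First matching user-defined rule wins; otherwise everything stays Unknown."""
    for rule in rules:
        cls = rule.classify(flow)
        if cls is not None:
            return cls
    return Classification("user")


def page_examples():
    """Rebuild the page's SAF1 firewall and webex application and run constructed sessions through them."""
    saf1 = AppFirewall([app_rule(10, "drop", "ndpi", "name", "youtube"),
                        app_rule(20, "accept", "ndpi", "protocol", "ssh"),
                        app_rule(30, "drop", "ndpi", "type", "filesharing")])
    # Constructed classifications standing in for nDPI results.
    youtube = {"ndpi": Classification("ndpi", "YouTube", "HTTP", "Media")}
    ssh = {"ndpi": Classification("ndpi", "SSH", "SSH", "RemoteAccess")}
    unknown = {"ndpi": Classification("ndpi")}
    webex = UserAppRule({"source": "10.1.1.0/28", "protocol": "tcp"}, {"name": "webex", "type": "video"})
    return {"youtube": saf1.evaluate(youtube, 12),
            "ssh": saf1.evaluate(ssh, 3),
            "unknown_pkt10": saf1.evaluate(unknown, 10),
            "unknown_pkt11": saf1.evaluate(unknown, 11),
            "webex_src": classify_user([webex], {"source": "10.1.1.5", "protocol": "tcp"}).name,
            "other_src": classify_user([webex], {"source": "10.1.2.5", "protocol": "tcp"}).name}
```

The point worth noticing in the model is the grace period: with "no-match-action drop", packet 10 of an unclassified session is still accepted and packet 11 is dropped, so a small amount of every session's traffic crosses the firewall before the application verdict exists. A group rule is just an AppRule with several criteria, and mixing ("ndpi", ...) and ("user", ...) criteria in one group gives the OR-of-engines behaviour section 2.4 describes.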
3. Show commands
3.1. show session table application
Provided at least one DPI rule is configured, the "show session table application" command will show application information associated with each session. There is no output if no DPI rules are configured.
The columns are:
Conn ID: the connection ID as shown in the other "show session table ..." outputs.
Engine: which engine classified this traffic.
App-name: the application name according to this DPI engine.
L5-proto-name: the layer 5 protocol according to this DPI engine.
Offloaded: "false" if the engine still needs to see more packets; "true" if the engine has made a final determination.
Error: "true" if a DPI error occurred; "false" otherwise.
Fwd-pkts: the number of packets observed by the DPI engine in the forward direction prior to offloading.
Fwd-bytes: the number of bytes observed by the DPI engine in the forward direction prior to offloading.
Bwd-pkts: the number of packets observed by the DPI engine in the backward direction prior to offloading.
Bwd-bytes: the number of bytes observed by the DPI engine in the backward direction prior to offloading.
Type: the application type according to this DPI engine.
nDPI information will be shown if at least one nDPI rule is configured:
User-defined application information will be shown if at least one user-defined application rule is configured:
Both nDPI and user-defined application information will be shown for each session when at least one nDPI and one user-defined application rule are configured:
3.2. Journal logging
When firewall logging is enabled and DPI information is available for the session, this will be included in the session create, update, and delete logs seen in the system journal:
4. Examples
4.1. An application firewall allows access to permitted websites while blocking all other web traffic
Additional sites would be allowed by adding rules to the "ALLOWED-SITES" application firewall.
4.2. An application firewall is used with an application group to allow access to some permitted websites while blocking all other web traffic
Additional sites would be allowed by adding rules to the "ALLOWED-SITES-GROUP" application group.
4.3. An application firewall is used with an application group to block http requests while allowing https requests
HTTP requests would be allowed by adding http to the "WEB-APPS-GROUP" application group.
4.4. Traffic destined to the BBC news web site is identified with a user-defined name, protocol, and type
The web site is served by a range of addresses.
4.5. An application firewall is applied to traffic entering or leaving a GRE tunnel
Tunneled telnet and SSH traffic are dropped.
Traffic entering the vRouter from the tunnel is firewalled by applying the firewall in the "in" direction:
Traffic leaving the vRouter through the tunnel is firewalled by applying the firewall in the "out" direction:
4.6. An application firewall is applied to traffic entering or leaving a VFP IPSec tunnel
Tunneled telnet and SSH traffic are dropped.
Traffic entering the vRouter from the tunnel is firewalled by applying the firewall in the "in" direction:
Traffic leaving the vRouter through the tunnel is firewalled by applying the firewall in the "out" direction:
5. Debugging
5.1. show session table application
Enable any DPI rule. Examine the "show session table application" output to see how the traffic was classified, then modify the rule accordingly.
Pay particular attention to whether the application appears in the "App-name" or the "L5-proto-name" column, since that determines whether the rule should match on "name" or on "protocol". E.g. as seen below, "LinkedIn" and "YouTube" are application names, while SSH is a protocol: