nss labs dpi intro v3
DESCRIPTION
What is DPI? How can it be used effectively? What are the different use cases and requirements for such products? We discuss this and the methodologies needed to properly evaluate the DPI functionality of network devices under the demanding network conditions in which they will be deployed. http://nsslabs.com/DPITRANSCRIPT
Deep Packet Inspection: Applications & Testing
Vik Phatak, CEO
Rick Moy, President
Dennis Cox, CTO, BreakingPoint Systems
Outline
• About NSS Labs
• Defining “Deep Packet Inspection”
• Applications of DPI
• Key Requirements
• Testing Content vs. Performance
• Next Steps
Expert Testing & Certification
• Largest independent lab for security & performance (100Gbps)
• Public Certification & Private Testing Services
• Worldwide customers: 60+ vendors, 150 products
• Offices in San Diego, CA & Austin, TX
• Operating since 1991
Customers
What is DPI?
• Visibility & Control
• Beyond the header & basic packet filtering
• Layer 4-7 “payload”
• Content across packets & flows
• Enabling technology for other services
Applications of DPI
• Security: IDS/IPS, DoS
• Data Loss Prevention
• Rate Shaping (QoS) & SLAs (monetization)
• Lawful Intercept
• Copyright Enforcement
• Targeted Advertising
Key Use Case Requirements
• Enterprises
– “Controlled” environment
– Security & Management
• Service Provider – wired
– High-bandwidth video, P2P
– Longer-lease IPs
• Wireless Service Provider
– Smaller packet sizes
– More change in IP addressing
– Very latency sensitive
Examples
Application + Usage = Requirement
• Rate Shaping + Service Provider = High performance + protocol identification
• Targeted Advertising + Service Provider = Simple pattern matching + high volume of users & flows
• Lawful Intercept + Wireless Service Provider = Rotating IPs per user + very small packets + complex pattern matching
• Data Leak Prevention + Enterprise = Medium performance + complex recognition + obfuscation
General DPI Requirements
• User/Subscriber Identification & Tracking
• Content Identification
• Applying Policies on Activity
• Multi-gigabit Performance
• Reporting
What makes a good DPI device?
• Session Performance
• Accurate Matching
• Complex Matching
• Silent Operation
• Low Latency Throughput
Example Test Case
• Gauge the usage and network baseline
– Example: a device that provides targeted advertising on service provider networks
• 100 Gigabit network
• 250,000 unique users (peak of 150k, base of 50k)
• From that we gather…
– A device that can handle 100G, or be split into segments
– NetFlow statistics show an average of 12 sessions per user
• 12 * 150k = 1.8 million HTTP sessions
Testing Baselines
• Session Performance
– Minimum: 1.8 million sessions
– Maximum: 3 million sessions
• Accurate Matching
– Can match under session load
• Complex Testing
– Can match data it saw over an HTTP connection
– Also data in an SMTP connection
• Silent Operation
– Not necessary in most cases, but may be in a hostile environment
• Low Latency Throughput
– The application should not be affected by more than ±1%
Minimum Session Performance
• Generate a constant give and take of 12 HTTP sessions per user with 150k users
– Load profile of 600k, a nice ramp to 1.8m, and a ramp down
– We have no bandwidth numbers per flow, so we will run at three flow sizes that make a good average
• Small flow size: 3k
• Normal flow size: 13k
• Larger flow size: 1 megabyte
Maximum Session Performance
• Generate a load of 12 HTTP sessions per user with 150k to 250k users
– We don’t know the future, so we will crawl from 1.8m sessions to 3m sessions
– In this case we want to generate multiple types of load
• Creeping (slowly ramping up connections)
• Stair Step (ramping up N connections every N seconds)
• Burst (bursting to max connections for N seconds)
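The session baselines and load shapes from the Example Test Case, Testing Baselines and Minimum/Maximum Session Performance slides, worked through as an added example (this is not code from NSS Labs or BreakingPoint). The session lifetime used to turn a flow size into a bit rate, and the step, hold and burst durations, are assumed parameters rather than figures from the deck.

```python
"""Load-profile planning for the DPI session tests described above.

Added example, not code from NSS Labs or BreakingPoint. It uses the deck's
figures (150k peak / 250k max users, 12 HTTP sessions per user, 3k/13k/1MB
flows) to build per-second session targets for the creeping, stair-step and
burst load types. Session lifetime (seconds) is an assumed input.
"""
PEAK_USERS = 150_000        # deck: peak of 150k users
MAX_USERS = 250_000         # deck: 250k unique users
SESSIONS_PER_USER = 12      # deck: NetFlow average per user
FLOW_BYTES = {"small": 3_000, "normal": 13_000, "large": 1_000_000}

def session_target(users):
    """Concurrent HTTP sessions the device must track (users x 12)."""
    return users * SESSIONS_PER_USER

def creeping(start, peak, seconds):
    """Slowly ramp from start to peak, one target value per second."""
    if seconds < 2:
        return [peak]
    return [round(start + (peak - start) * t / (seconds - 1)) for t in range(seconds)]

def stair_step(start, peak, step, hold_s):
    """Add `step` sessions every `hold_s` seconds until peak is reached."""
    profile, level = [], start
    while True:
        profile.extend([level] * hold_s)
        if level >= peak:
            return profile
        level = min(level + step, peak)

def burst(base, peak, burst_s, idle_s, cycles):
    """Jump straight to peak for burst_s seconds, drop to base, repeat."""
    return ([peak] * burst_s + [base] * idle_s) * cycles

def minimum_profile(ramp_s, hold_s):
    """Deck's minimum test: 600k sessions up to 1.8M, hold, ramp back down."""
    low, high = 600_000, session_target(PEAK_USERS)
    return creeping(low, high, ramp_s) + [high] * hold_s + creeping(high, low, ramp_s)

def offered_gbps(sessions, flow_bytes, lifetime_s):
    """Aggregate bit rate if each session moves flow_bytes within lifetime_s.

    Shows whether a flow size makes the run bandwidth-bound (1 MB flows at
    1.8M sessions exceed a 100 Gbps link) rather than session-bound.
    """
    return sessions * flow_bytes * 8 / lifetime_s / 1e9
```

Feeding the profiles to a traffic generator one value per second reproduces the three load types; comparing `offered_gbps` against the link rate tells you which flow size actually exercises session tracking instead of saturating bandwidth.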
Accurate Matching
• Baseline your match
– In this case we care about HTTP
• HTTP GET, POST methods
• HTTP versions
• Session persistence
• Match under Minimum Session Performance
• Match under Maximum Session Performance
Complex Matching
• Can it match data across HTTP flows?
• Can it match data on different protocols?
• As attachments?
– Excel
– Word
– CSV
– PowerPoint
– RTF
Silent Operation
• Does it change the TTL?
• Does it do a full proxy?
• Does it modify headers?
• Does it fail to support all the necessary TCP options the end points support?
• Does it declare itself?
• Does it ARP spoof?
Low Latency Performance
• What latency does it add to the network’s performance?
• How much latency for each protocol?
• The more generic the match, the worse the performance?
• Example: wireless carrier – very small HTTP packets to smart phones for web browsing; 8Gbps aggregation point.
Next Steps
• Ongoing testing projects
• Advisory Group
• Discussions at
• Feedback for subsequent webinars
• Draft Test Criteria Q4
Best of Breed Tools