SonicWALL Deep Packet Inspection Deep Packet Inspection looks at the data portion of the packet. The Deep Packet Inspection technology includes intrusion detection and intrusion prevention. Intrusion detection finds anomalies in the traffic and alerts the administrator. Intrusion prevention finds the anomalies in the traffic and reacts to it, preventing the traffic from passing through. Deep Packet Inspection is a technology that allows a SonicWALL Security Appliance to classify passing traffic based on rules. These rules include information about layer 3 and layer 4 content of the packet as well as the information that describes the contents of the packet’s payload, including the application data (for example, an FTP session, an HTTP Web browser session, or even a middleware database connection). This technology allows the administrator to detect and log intrusions that pass through the SonicWALL Security Appliance, as well as prevent them (such as dropping the packet or resetting the TCP connection). SonicWALL’s Deep Packet Inspection technology also correctly handles TCP fragmented byte stream inspection as if no TCP fragmentation has occurred. How SonicWALL’s Deep Packet Inspection Architecture Works Deep Packet Inspection technology enables the SonicWALL firewall appliance to investigate farther into the protocol to examine information at the application layer and defend against attacks targeting application vulnerabilities. This is the technology behind SonicWALL Intrusion Prevention Service. SonicWALL’s Deep Packet Inspection technology enables dynamic signature updates pushed from the SonicWALL Distributed Enforcement Architecture. The following steps describe how the SonicWALL Deep Packet Inspection Architecture works: 1 Pattern Definition Language Interpreter uses signatures that can be written to detect and prevent against known and unknown protocols, applications and exploits. 2 TCP packets arriving out-of-order are reassembled by the Deep Packet Inspection framework. 3 Deep Packet Inspection engine preprocessing involves normalization of the packet’s payload. For example, a HTTP request might be URL encoded and thus the request is URL decoded in order to execute correct pattern matching on the payload. 4 Deep Packet Inspection engine postprocessors execute actions that might either simply pass the packet without modification, or could drop a packet or could even reset a TCP connection. 5 SonicWALL’s Deep Packet Inspection framework supports complete signature matching across the TCP fragments without completing any reassembly (unless the packets are out of order). This results in a more efficient use of the processor and memory for greater performance. Figure 5. SonicWALL deep packet inspection architecture If TCP packets arrive out of order, the SonicWALL IPS engine reassembles them before inspection. However, SonicWALL’s IPS framework supports complete signature matching across the TCP fragments without having to do a complete reassembly. SonicWALL’s unique reassembly-free matching solution dramatically reduces CPU and memory resource requirements.
