I want to configure Deep Packet Inspection (DPI) on HTTP and DNS packets in my 5nine Cloud Security product. How do I do that?
DPI examines the data portion of a network packet and allows or denies the packet based on the DPI rules configured for HTTP and DNS traffic. This check runs even after the packet has already been allowed by the existing virtual firewall rules.
Select the DPI node in the object tree view of the Console window and choose the Add Rule menu option to configure DNS or HTTP rules. The rule fields are:
- Name: Rule name to be displayed in the list
- Description: Optional field for clarification of the rule
- Action: Drop-down selection list with two settings:
  - Block – Deny the packet if it matches the defined criteria
  - Allow – Permit the packet if it matches the defined criteria
- URL String: URL string that is evaluated against the HTTP DPI rules. This string can contain wildcards; for example, *.UnwantedSite.com matches any hostname under the unwantedsite.com domain, such as ww1.unwantedsite.com or ww2.unwantedsite.com
- User Agent String: The User-Agent header value varies with the browser and platform version. It identifies the user agent originating the request and is used for statistics, protocol-violation tracking and tailored responses based on the characteristics or limitations of a browser and platform. Allow rules can be configured for supported browser and platform combinations, and block rules can be set for unsupported or known suspicious and malicious tags. Examples of known malicious or suspicious User-Agent strings:
  - Fake Antivirus – malicious:
    - Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; AntivirXP08; .NET CLR 1.1.4322)
  - Adware and Spyware – sends data back to a remote host:
    - Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; PeoplePal 7.0; .NET CLR 2.0.50727)
    - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
- Scan Mode: Specifies DNS and/or HTTP packet inspection
- Monitored HTTP Ports: Specifies the port or ports for HTTP packet inspection. Port 80 is set by default, but other ports can be added as a comma-delimited list. Note that HTTPS traffic cannot be inspected, because its payload is encrypted.
In the DPI Rules Properties window, the Advanced tab allows rules to be enforced only at configured times and on configured days of the week.
Rules can be removed, edited, or moved up or down the list by selecting the corresponding menu options in the DPI node.
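As an added example (not part of the 5nine product or of this article), the following Python sketch models how the rule fields above combine when a packet is evaluated: wildcard URL and User-Agent matching, Scan Mode, Monitored HTTP Ports, the Advanced-tab day/hour window, and the HTTPS-not-inspected caveat. Everything in it is an assumption for illustration: the `DpiRule` and `Packet` names, the rule set and timestamps, and in particular that rules are evaluated top to bottom with the first match winning and that a packet matching no rule is allowed (it has already passed the firewall). The page says none of that about the real engine.

```python
"""Toy evaluator for HTTP/DNS DPI rules with the fields described above.

Added example, not 5nine code. Assumptions not stated on the page: rules
are evaluated top to bottom and the first match wins; a packet matching
no rule is allowed; matching is case-insensitive; DpiRule, Packet and all
sample values are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatchcase
from typing import FrozenSet, Optional, Tuple


@dataclass
class DpiRule:
    name: str
    action: str                                  # "Block" or "Allow"
    scan_mode: str = "HTTP"                      # "HTTP", "DNS" or "HTTP,DNS"
    url_pattern: Optional[str] = None            # wildcard on host / query name
    user_agent_pattern: Optional[str] = None     # wildcard on User-Agent header
    monitored_ports: Tuple[int, ...] = (80,)     # HTTP ports this rule inspects
    days: Optional[FrozenSet[int]] = None        # 0=Mon .. 6=Sun; None = any day
    hours: Optional[Tuple[int, int]] = None      # (start, end) hour; None = all day


@dataclass
class Packet:
    protocol: str            # "HTTP" or "DNS"
    name: str                # HTTP Host header, or DNS query name
    port: int = 80
    user_agent: str = ""     # empty for DNS
    tls: bool = False        # HTTPS payload is encrypted and is not inspected


def wildcard_match(pattern: str, value: str) -> bool:
    """Case-insensitive glob match: '*.UnwantedSite.com' matches
    'ww1.unwantedsite.com' but not the bare apex 'unwantedsite.com'."""
    return fnmatchcase(value.lower(), pattern.lower())


def rule_applies(rule: DpiRule, pkt: Packet, now: datetime) -> bool:
    """True when every criterion configured on the rule matches the packet."""
    if pkt.protocol not in rule.scan_mode.split(","):
        return False
    if pkt.protocol == "HTTP" and pkt.port not in rule.monitored_ports:
        return False
    # Advanced tab: enforce only on the configured days and hours
    if rule.days is not None and now.weekday() not in rule.days:
        return False
    if rule.hours is not None and not (rule.hours[0] <= now.hour < rule.hours[1]):
        return False
    if rule.url_pattern and not wildcard_match(rule.url_pattern, pkt.name):
        return False
    if rule.user_agent_pattern and not wildcard_match(rule.user_agent_pattern, pkt.user_agent):
        return False
    return True


def evaluate(rules, pkt: Packet, now: Optional[datetime] = None):
    """Return (action, rule_name); rule_name is None when no rule matched."""
    now = now or datetime.now()
    if pkt.tls:
        return "Allow", None         # nothing to inspect: HTTPS is opaque to DPI
    for rule in rules:               # assumption: ordered list, first match wins
        if rule_applies(rule, pkt, now):
            return rule.action, rule.name
    return "Allow", None             # assumption: no match means the firewall verdict stands


WEEKDAYS = frozenset(range(0, 5))
# Constructed timestamps: a Monday and a Saturday, both at 10:00
MONDAY_10AM = datetime(2024, 1, 15, 10)
SATURDAY_10AM = datetime(2024, 1, 13, 10)

# Constructed sample rule set built from the User-Agent tags quoted on the page
SAMPLE_RULES = [
    DpiRule("Block unwanted site", "Block", scan_mode="HTTP,DNS",
            url_pattern="*.UnwantedSite.com"),
    DpiRule("Block fake AV user agent", "Block",
            user_agent_pattern="*AntivirXP08*", monitored_ports=(80, 8080)),
    DpiRule("Block adware user agents", "Block",
            user_agent_pattern="*PeoplePal*", monitored_ports=(80, 8080)),
    DpiRule("Block social site in work hours", "Block",
            url_pattern="*.social.example", days=WEEKDAYS, hours=(9, 17)),
]

if __name__ == "__main__":
    fake_av = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; AntivirXP08; .NET CLR 1.1.4322)"
    print(evaluate(SAMPLE_RULES, Packet("HTTP", "ww1.unwantedsite.com")))
    print(evaluate(SAMPLE_RULES, Packet("DNS", "ww2.unwantedsite.com")))
    print(evaluate(SAMPLE_RULES, Packet("HTTP", "www.example.com", user_agent=fake_av)))
    print(evaluate(SAMPLE_RULES, Packet("HTTP", "www.social.example"), now=SATURDAY_10AM))
```

Two points the sketch makes concrete: a User-Agent block rule is only consulted on the ports listed in Monitored HTTP Ports, so traffic on an unlisted port passes untouched, and a TLS connection is never matched at all, whatever the rule says, which is why URL and User-Agent rules give no coverage for HTTPS.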
5nine Cloud Security, Deep Packet Inspection (DPI), DPI rules, HTTP traffic, DNS traffic