Firewalls With Deep Packet Inspection (DPI)?

Are there any client software firewalls that have deep packet inspection? Wikipedia: Deep Packet Inspection

I know there are some enterprise class hardware firewalls with DPI and was wondering if anyone here knew which consumer grade hardware or software firewalls use DPI, if any. Also, is there a significant security/performance advantage to using DPI? In theory it seems that it would improve security if done well, although it may be redundant with some RT AV, AT, etc. A hardware DPI might really be nice to offload the client from running these tasks in real time. I have seen enterprise firewalls with DPI and full real time AV, AT, AA, etc. done in hardware before packets can go into/out of the network. Seems a good idea.

I'm interested to hear what the Wilders crew has to say about DPI.

 

Personally I'd say DPI was overhyped and, at best, only partially effective. The reason is that sophisticated malware encrypts its communications rendering them unreadable to external viewers. DPI can tackle simple attacks with a known/fixed signature - but for most people that would just duplicate what their anti-virus scanner is doing.

Most DPI solutions currently use custom hardware due to the processing requirements - as such, its unlikely that any client-side firewall (where CPU usage has to be restricted) would add this feature in the near future.

 

Thanks P2K. Sorry for the noob question, but if a DPI can't detect the encrypted malware payload, how could anything else on the client detect it?

 

Because the client has to encrypt data in the first place it should be visible in non-encrypted form to memory-scanners. However more significantly, a client-side firewall can control network access by application while an external firewall can only restrict access by protocol/port/address. As such, it is far harder for malware to bypass a (decent) client-side firewall.

 

It would appear that some classes of malware would not encryot their communications as encryption would render their output useless. Those would be spam mail engines and ddos attack bots. Keyloggers might encrypt.

 

True, but the output from these would be "normal" traffic, only detectable as abnormal by a scanner using spam- or DDoS-signatures which would need to be constantly updated to be effective (especially for DDoS where the attacker would tailor an attack to a specific website and would likely keep altering it to improve its effectiveness). There are appliances for handling spam specifically but DDoS would be harder to filter without blocking legitimate access to sites under attack (with the exception of simple ICMP or TCP SYN attacks).

 

I believe that some ISP's have come up with ways to identify infected machines, both spam and ddos. They notify the owners and disconnect them if things are not fixed in a few days. This may be signature matching or something else.

 

Statistical analysis of outgoing port 25 connections would make more sense for spam - very few people should need to send more than 1,000 emails/day so this can detect zombies without the need for signatures (which would really need hourly updates at least to keep abreast of new spam outbreaks). DDoS attacks would be best handled via an online database of sites currently under attack - again, statistical analysis could pick out the zombies.