Ask the SIP Trunk Expert

Deep Packet Inspection: A Critical Security Measure

By Steven Johnson, President, Ingate Systems, Inc.  |  December 01, 2011

This article originally appeared in the Dec. 2011 issue of INTERNET TELEPHONY.

Deep packet inspection is a powerful way to protect not just SIP traffic, but also the network. Deep packet inspection is a form of computer network packet filtering that examines the data (or datagram) and UDP/TCP header part of a packet as it passes through an enterprise session border controller.

When SIP traffic reaches the E-SBC, the E-SBC searches it for protocol non-compliance, viruses, spam, intrusions or other predefined criteria to decide whether the packet can pass through or needs to be routed to a different destination. The E-SBC can also examine the packet to collect statistical information.

This is in contrast to shallow packet inspection (usually called just packet inspection), which only checks the UDP/TCP header portion of a packet. Shallow packet inspection is the kind of inspection commonly found in most NAT firewall devices.

An E-SBC with deep packet inspection capability can look at layers 2 through 7 of the OSI model. Since SIP is an application-layer (layer 7) protocol in the OSI model, these products have a unique ability to:

· look at the SIP packets to provide protocol non-compliance rules, routing rules and statistical information, and

· provide intrusion detection/intrusion prevention security features for an effective defense against buffer overflow attacks, denial of service attacks, sophisticated intrusions and a small percentage of worms that fit within a single packet. This includes attacks targeting headers and SIP structures as well as the actual payload of the message.

IDS/IPS also enables the E-SBC to block malicious SIP signaling packets designed to attack certain SIP phones, servers or other devices on the enterprise LAN. This secures the enterprise network, as the E-SBC handles the attacks while the servers and other SIP devices in the network can still be used.

Deep packet inspection identifies and classifies SIP traffic based on a signature database that includes information extracted from the data part of a UDP/TCP packet, providing extremely precise control of any SIP traffic, finer than any classification based on header information only.
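To make the contrast between shallow and deep inspection concrete, here is an added example (not from the original article and not Ingate's implementation): a port-only check next to a payload check that applies a few SIP compliance rules from RFC 3261. The header length limit, the choice of rules and the two sample datagrams are constructed assumptions.

```python
import re

# Headers every SIP request must carry (RFC 3261, section 8.1.1).
MANDATORY = {"via", "to", "from", "call-id", "cseq", "max-forwards"}
COMPACT = {"v": "via", "t": "to", "f": "from", "i": "call-id", "l": "content-length"}
REQUEST_LINE = re.compile(r"^[A-Z]+ sips?:\S+ SIP/2\.0$")
MAX_HEADER_LEN = 256  # assumed policy limit, not a value from the article

def shallow_inspect(dst_port, allowed_ports=(5060,)):
    """Shallow inspection: the decision uses only the UDP/TCP header."""
    return dst_port in allowed_ports

def deep_inspect(payload):
    """Deep inspection: return findings for one SIP request ([] means pass)."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return ["no blank line ending the headers"]
    try:
        lines = head.decode("utf-8").split("\r\n")
    except UnicodeDecodeError:
        return ["undecodable bytes in headers"]
    findings = [] if REQUEST_LINE.match(lines[0]) else ["malformed request line"]
    headers = {}
    for line in lines[1:]:  # folded header lines are not handled (assumption)
        name, colon, value = line.partition(":")
        key = name.strip().lower()
        if not colon:
            findings.append("header line without colon")
            continue
        if len(line) > MAX_HEADER_LEN:
            findings.append("oversized header: " + key)
        headers.setdefault(COMPACT.get(key, key), value.strip())
    findings += ["missing header: " + h for h in sorted(MANDATORY - set(headers))]
    clen = headers.get("content-length")  # optional over UDP, checked if present
    if clen is not None and not (clen.isascii() and clen.isdigit()
                                 and int(clen) == len(body)):
        findings.append("content-length mismatch")
    return findings

# Constructed sample datagrams (hypothetical hosts), both addressed to port 5060.
GOOD = (b"OPTIONS sip:pbx.example.com SIP/2.0\r\n"
        b"Via: SIP/2.0/UDP client.example.org;branch=z9hG4bK776asdhds\r\n"
        b"Max-Forwards: 70\r\nTo: <sip:pbx.example.com>\r\n"
        b"From: <sip:alice@example.org>;tag=1928301774\r\n"
        b"Call-ID: a84b4c76e66710\r\nCSeq: 1 OPTIONS\r\n"
        b"Content-Length: 0\r\n\r\n")
BAD = (b"OPTIONS sip:pbx.example.com SIP/2.0\r\n"
       b"Via: SIP/2.0/UDP " + b"A" * 400 + b"\r\nMax-Forwards: 70\r\n"
       b"To: <sip:pbx.example.com>\r\nFrom: <sip:alice@example.org>;tag=1\r\n"
       b"CSeq: 1 OPTIONS\r\nContent-Length: 12\r\n\r\n")
```

Both samples pass `shallow_inspect(5060)`, while `deep_inspect(BAD)` reports the oversized Via header, the missing Call-ID and the Content-Length mismatch that a header-only filter never sees.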


Steven Johnson is President of Ingate Systems, Inc.

Edited by Stefania Viscusi