DPI vs SPI
Best Answer
MasterRoshi Moderator
@MPERU99, every packet has two pieces: the header (source/destination, protocols, ports, etc.) and the data (piece of the file/image, etc.) that it carries. SPI only looks at the header data, so you are only looking to see if the traffic profile is allowed (at the airport, they would check your ticket and passport, for example). DPI would also look at the data portion (having you go through security, your baggage through the machine in this analogy) to see whether what it is carrying is malicious or not. No one would recommend you go with SPI only from a security perspective. DPI also allows for more things, like being able to block websites (since we are checking for them), blocking applications (because we are scanning for signatures) and more. In general, firewalls/security is a higher-level concept (a layer of abstraction, if you will), so if you are new to the foundational networking concepts it is a bit difficult to grasp (believe me, I was there once upon a time), but your intuition in the last comment was correct. There is another layer here in what we call DPI-SSL or SSL decryption/HTTP scanning, which involves decryption -> scanning -> re-encryption of encrypted data in transit, but we can leave that for another day.
1
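The header-versus-payload distinction from the answer above, as an added example that is not part of the original thread and not SonicWall code: a toy firewall whose SPI step decides from the header and a state table only, with an optional DPI step that also scans the data portion. The addresses, the port-80 policy and the signature are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes  # the "baggage"; everything above is the "ticket"

LAN_PREFIX = "10.0.0."            # assumed internal network
ALLOWED_OUTBOUND_PORTS = {80}     # assumed policy: LAN may open TCP/80 outbound
SIGNATURES = {b"CONSTRUCTED-BAD-MARKER": "demo-signature"}  # made-up signature

class Firewall:
    def __init__(self, dpi: bool):
        self.dpi = dpi
        self.state = set()  # flows opened from the LAN side

    def _spi_allows(self, p: Packet) -> bool:
        """Header-only decision: access rule plus state table."""
        if (p.dst, p.dport, p.src, p.sport) in self.state:
            return True  # reply to a connection we are tracking
        if p.src.startswith(LAN_PREFIX) and p.dport in ALLOWED_OUTBOUND_PORTS:
            self.state.add((p.src, p.sport, p.dst, p.dport))
            return True
        return False

    def inspect(self, p: Packet) -> str:
        if not self._spi_allows(p):
            return "drop: no rule or state"
        if self.dpi:  # DPI additionally scans the data portion
            for sig, name in SIGNATURES.items():
                if sig in p.payload:
                    return f"drop: payload matched {name}"
        return "allow"

# Constructed traffic: a request, a clean reply, a reply carrying the marker,
# and an unsolicited inbound packet.
TRAFFIC = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, b"GET /file HTTP/1.1\r\n\r\n"),
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, b"HTTP/1.1 200 OK\r\n\r\nhello"),
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, b"...CONSTRUCTED-BAD-MARKER..."),
    Packet("198.51.100.7", 80, "10.0.0.5", 40000, b"unsolicited"),
]

def run(dpi: bool) -> list:
    fw = Firewall(dpi)
    return [fw.inspect(p) for p in TRAFFIC]

if __name__ == "__main__":
    print("SPI only:", run(False))
    print("SPI + DPI:", run(True))
```

Both modes drop the unsolicited packet, but only the DPI run drops the reply carrying the marker, because its header is a valid reply to a tracked flow. The payload scan only sees cleartext, which is why the answer mentions DPI-SSL as a separate layer.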
Answers
SPI is for a traditional stateful firewall. DPI is for a next-generation firewall, which allows inspection of the packet data portion.
To adopt security services on SonicWall, e.g. anti-virus, IPS, app rules, you will need DPI enabled.
It depends on your needs, but SonicWall will have DPI enabled by default.
Hi @MPERU99,
Thank you for visiting SonicWall Community.
Here is the detailed info on SPI and DPI.
SPI: Stateful packet inspection (SPI), which verified the state of inbound and outbound traffic based upon state tables, and operated at layers 2, 3 and 4 of the OSI model.
DPI: Third-generation firewalls of the past decade have more processing power and broader capabilities, including deep packet inspection (DPI) of the entire packet payload, intrusion prevention, malware detection, gateway anti-virus, traffic analytics, application control, IPSec and SSL VPN. Unified Threat Management (UTM) represented the next trend in the evolution of the traditional firewall into a product that not only guards against intrusion, but also performs content filtering, data leakage protection, intrusion detection and anti-malware duties typically handled by multiple systems.
In short, SPI is used to get the firewall to act as a router or layer 3 device, whereas DPI makes the box act as a layer 3 security appliance. So with DPI, protection of the network is guaranteed. Throughput is less in DPI when compared to SPI, since the firewall consumes some bandwidth to scrutinize each and every piece of traffic that leaves and comes in through it.
Hope this clarifies.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Yes, I have read SonicWall's version of the definition; however, I am looking for more of layman's terms.
I appreciate the SonicWall cut and paste. I read that but do not fully understand it, so I am looking for more of layman's terms.
So far my understanding is SPI is faster, yet not as secure, where DPI is slower and more secure.
So far my understanding (vague at best) is that SPI allows faster throughput but is not as secure, whereas DPI is slower, being more secure.
@MPERU99 - I think you missed reading my statement in the last comment. Please refer below,
"In short, SPI is used to get the firewall to act as a router or layer 3 device, whereas DPI makes the box act as a layer 3 security appliance. So with DPI, protection of the network is guaranteed. Throughput is less in DPI when compared to SPI, since the firewall consumes some bandwidth to scrutinize each and every piece of traffic that leaves and comes in through it."
Hope this is easier to understand.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
I read that. Please understand some of us are still learning what a router actually is/does and what a layer 3 device is. Without proper knowledge of those items, it makes the explanation like a broken sentence.
Layer 2 is hardware level of something? And layer 3 is software level something? (Software will be slower by nature vs. hardware.)
I guess I don't understand: if both SPI (stateful packet inspection) and DPI (deep packet inspection) are packet inspectors, how is it that SPI is faster if it is doing packet inspections? Does SPI only look for certain aspects of a packet, whereas DPI inspects every single data bit?
Thank you TO EVERYONE that helped, all of it led me to a better understanding. MasterRoshi, thank you for more layman's terms that I could correlate to how they each work. I can now confidently recommend NOT GOING TO SPI and why.