Deepfence’s Deep Packet Inspection (DPI) captures network traffic to and from applications and hosts. Together with on-host events like file system, process, and system call changes, network traffic gives the broadest set of signals and telemetry to identify malicious activities and threats in real time.
The Deepfence agent configures eBPF filters on each host for selective, targeted traffic capture and analysis. Captured traffic is sampled, pre-filtered, and reassembled into Layer 7 transactions, which are then inspected for anomalies and threat patterns. Suspicious requests can be archived on the Deepfence Console for later inspection and forensics.
Deepfence’s DPI does not require custom kernel modules, in-line proxies or other invasive capture methods. DPI uses the standard eBPF filters present in every modern Linux kernel to copy selected packets and pass them to the local agent for encapsulation and forwarding.
In normal operation, DPI is configured to only capture packets relating to processes of interest. For example, Deepfence DPI can exclude sidecar proxies (service mesh) and local internal services. The CPU requirements are low, typically no more than 1-2% on the production server.
When capturing TLS-encrypted packets, the Deepfence agent can extract the encryption key from the running process and submit this along with the packet data for decryption on the Management Server.
Deepfence avoids the use of proxies to capture traffic, which add latency, CPU overhead, and additional points of failure to production systems. Deepfence’s approach minimizes load on production infrastructure by performing the necessary packet assembly and processing on a separate, scalable Console.
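As an added illustration (not Deepfence's own code), the pipeline described above in miniature: a host-side selection policy that drops service-mesh sidecars and loopback-only flows, console-side reassembly of the copied TCP segments into Layer 7 transactions, and a simple inspection pass that marks transactions for archiving. The process names, the segment tuple format and the sample traffic are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample capture. Each tuple is (process, src, dst, tcp_seq, payload),
# a hypothetical shape for segments an agent copies and forwards to the console.
SEGMENTS = [
    ("nginx", "10.0.0.5:41000", "10.0.1.9:8080", 0, b"GET /api/users HTTP/1.1\r\nHost: app\r\n\r\n"),
    ("envoy", "10.0.0.5:15001", "10.0.1.9:8080", 0, b"GET /healthz HTTP/1.1\r\n\r\n"),
    ("app", "10.0.0.7:52000", "10.0.1.9:8080", 42, b"\r\nhello"),  # arrives out of order
    ("app", "10.0.0.7:52000", "10.0.1.9:8080", 0, b"POST /upload HTTP/1.1\r\nContent-Length: 5\r\n"),
    ("nginx", "10.0.0.5:41002", "10.0.1.9:8080", 0, b"GET /static/../../private/config HTTP/1.1\r\nHost: app\r\n\r\n"),
    ("statsd", "127.0.0.1:9000", "127.0.0.1:8125", 0, b"cpu:1|g"),
]

SIDECARS = {"envoy", "istio-proxy", "linkerd-proxy"}  # assumed sidecar process names

def capture_policy(seg):
    """Host-side selection: skip service-mesh sidecars and loopback-only flows."""
    proc, src, dst = seg[0], seg[1], seg[2]
    if proc in SIDECARS:
        return False
    if src.startswith("127.") and dst.startswith("127."):
        return False
    return True

def reassemble(segments):
    """Console-side: order kept segments by TCP sequence per flow and join them."""
    flows = defaultdict(list)
    for proc, src, dst, seq, payload in segments:
        flows[(proc, src, dst)].append((seq, payload))
    return {k: b"".join(p for _, p in sorted(v)) for k, v in flows.items()}

def parse_http(stream):
    """Minimal HTTP/1.1 request parser: request line, headers, body."""
    head, _, body = stream.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = dict(l.split(": ", 1) for l in lines[1:] if ": " in l)
    return {"method": method, "path": path, "headers": headers, "body": body}

def inspect(tx):
    """Return the threat-pattern flags that would cause this transaction to be archived."""
    flags = []
    if ".." in tx["path"]:
        flags.append("path_traversal")
    declared = tx["headers"].get("Content-Length")
    if declared is not None and int(declared) != len(tx["body"]):
        flags.append("length_mismatch")
    return flags

def analyse(segments=SEGMENTS):
    """Run the pipeline; return {flow: (transaction, flags)} for every kept flow."""
    streams = reassemble(s for s in segments if capture_policy(s))
    return {flow: (tx, inspect(tx)) for flow, tx in
            ((f, parse_http(st)) for f, st in streams.items())}
```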
Capture network traffic to identify additional attack signals and anomalies
Fine-tune capture targets to minimize load and noise
TLS Decryption, including TLS 1.3 Perfect Forward Secrecy
Agents support a wide range of deployment options
Agents are deployed as a daemonset, a common pattern for log, metrics, monitoring, and security services that run alongside Kubernetes workloads in a non-intrusive manner.
Agents are deployed as a Docker container on each Docker host.
Agents are deployed as a Docker container on each operating system instance, using a Docker runtime. Both Windows and Linux instances are supported.
Deepfence supports AWS Fargate, where agents are deployed as a daemon service alongside each serverless instance.