Deepfence’s DPI does not require custom kernel modules, in-line proxies or other invasive capture methods. DPI uses the standard eBPF filters present in every modern Linux kernel to copy selected packets and pass them to the local agent for encapsulation and forwarding.
In normal operation, DPI is configured to capture only packets relating to processes of interest; for example, Deepfence DPI can exclude sidecar proxies (service mesh) and local internal services. CPU requirements are low, typically no more than 1-2% on the production server.
When capturing TLS-encrypted packets, the Deepfence agent can extract the encryption key from the running process and submit this along with the packet data for decryption on the Management Server.
Deepfence avoids using proxies to capture traffic, since proxies add significant latency, CPU load, and additional points of failure to production systems. Deepfence’s approach minimizes load on production infrastructure by performing the necessary packet reassembly and processing on a separate, scalable Console.
Capture network traffic to identify additional attack signals and anomalies
Fine-tune capture targets to minimize load and noise
TLS decryption, including TLS 1.3 sessions protected by perfect forward secrecy
Agents support a wide range of deployment options
On Kubernetes, agents are deployed as a DaemonSet, a common pattern for log, metrics, monitoring, and security services that run alongside Kubernetes workloads in a non-intrusive manner.
Agents are deployed as a Docker container on each Docker host.
Agents are deployed as a Docker container on each host operating system instance that has a Docker runtime. Both Windows and Linux instances are supported.
Deepfence supports AWS Fargate, where agents are deployed as a daemon service alongside each serverless instance.
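As an added illustration of the DaemonSet deployment pattern described above (this is not a manifest from Deepfence or from this page), the following Kubernetes DaemonSet runs one packet-capture agent per node. The agent name, namespace, image reference, capability set and resource limits are assumptions chosen to show the least-privilege shape such a deployment can take, not Deepfence's actual settings.

```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: packet-capture-agent          # hypothetical name
  namespace: monitoring               # assumed namespace
spec:
  selector:
    matchLabels:
      app: packet-capture-agent
  template:
    metadata:
      labels:
        app: packet-capture-agent
    spec:
      # Schedule onto every node, including tainted ones, so that
      # no node's traffic is left uncaptured.
      tolerations:
        - operator: Exists
      # Host network and PID namespaces let the agent observe node
      # traffic and attribute packets to the owning process.
      hostNetwork: true
      hostPID: true
      containers:
        - name: agent
          image: REGISTRY/capture-agent:VERSION   # placeholder image reference
          securityContext:
            # Grant only what eBPF attachment, raw packet access and
            # process inspection need, rather than privileged: true.
            # (Assumed set; adjust to what the agent actually requires.)
            capabilities:
              drop: ["ALL"]
              add: ["BPF", "PERFMON", "NET_ADMIN", "NET_RAW", "SYS_PTRACE"]
            readOnlyRootFilesystem: true
          resources:
            # Bounded footprint on the node (assumed values, not vendor guidance).
            requests:
              cpu: "50m"
              memory: "128Mi"
            limits:
              cpu: "200m"
              memory: "512Mi"
          volumeMounts:
            - name: sys
              mountPath: /sys
              readOnly: true
      volumes:
        - name: sys
          hostPath:
            path: /sys
```

The capability list is where the least-privilege decision lives: CAP_BPF and CAP_PERFMON exist only on Linux 5.8 and later, so on older kernels an eBPF-based agent falls back to needing CAP_SYS_ADMIN, which is far broader and worth flagging during review. The CPU and memory limits make the capture agent's cost on each node explicit and enforceable, which is how a platform team would verify in practice a claim that an agent stays within a small percentage of node CPU.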