DPI (Deep Packet Inspection)

Deep Packet Inspection (DPI) est l'analyse en profondeur du contenu (payload) des paquets réseau au-delà des headers L3/L4 — examine application data L7 pour classification, security filtering, et content control. Centre des firewalls next-gen, IPS, et application visibility tools modernes.

Capacités : (1) **Application identification** — reconnaître apps même sur ports non-standard ou tunnels (HTTPS, QUIC, P2P, VoIP, gaming, streaming) ; (2) **Malware detection** — signatures dans payload ; (3) **Data Loss Prevention** — détecter SSN, credit cards, classified data ; (4) **Content filtering** — block based content (porn, malicious URLs) ; (5) **QoS application-aware** ; (6) **Compliance** (HIPAA, PCI logs).

Méthodes : (1) **Pattern matching** (signatures known apps/threats) ; (2) **Heuristic analysis** ; (3) **Statistical/behavioral** (encrypted traffic classification via JA3 fingerprinting, packet sizes, timing) ; (4) **ML-based** (modern next-gen FW utilisent ML pour identify apps inconnues).

Challenges modernes : (1) **TLS encryption** dominant — 95%+ web traffic HTTPS. Solutions : (a) **TLS interception** (SSL Inspection — install CA cert sur clients, MITM, decrypt-inspect-reencrypt) — controversial privacy, complex, breaks certificate pinning ; (b) **encrypted traffic analytics** (Cisco ETA, ML based metadata analysis without decrypt) ; (2) **QUIC** (HTTP/3) more difficult to inspect ; (3) **Privacy regulations** (GDPR scrutinizes DPI for personal data).

Products : Palo Alto Networks (App-ID), Cisco Firepower, Fortinet FortiGate, Check Point, Sophos XG, Forcepoint, Zscaler, Cloudflare. Use cases : enterprise FW, ISP traffic management, government surveillance (controversial). Compétences CCNP Security, AZ-500, CISSP.