How can DPI be used in security?
After the last post, where we learned what deep packet inspection (DPI) is, we will talk about how this technique is used in security products such as redborder.
1. DPI examines the content of data packets using rules defined by the user, a network administrator or an Internet Service Provider (ISP), and decides how to handle the threats it finds. Beyond detecting that a threat exists, DPI combines the packet header (addresses, ports) with the payload to establish where the packet came from and which application or service generated it, so the source of a threat can be pinned down rather than just the fact of it.
2. DPI can also be configured with filters that identify traffic belonging to a specific online service or IP address and redirect it, for example to a quarantine network or a logging sensor.
3. IDS and IPS systems rely heavily on deep packet inspection. Because they look inside the payload rather than only at addresses and ports, they can detect attacks that an ordinary stateful firewall lets through.
4. If the company allows employees to bring their own devices (BYOD) or to connect them over a virtual private network (VPN), DPI can be used to stop those devices from unknowingly spreading spyware, worms or viruses inside the organization's network.
5. When DPI is implemented correctly, it lets you decide which applications employees may use. If certain applications threaten the network or hurt productivity, DPI can tell whether they are being accessed, and traffic to them can be redirected or dropped as soon as it is seen.
6. DPI can identify packets belonging to your most business-critical processes and applications and give them priority over less important traffic, such as ordinary web browsing. Likewise, if peer-to-peer downloads are consuming bandwidth, DPI can recognize that kind of transfer and throttle it so that the rest of the network keeps its capacity.
7. Most modern NGFWs at the network perimeter use DPI to detect malware before it enters the network and compromises assets.
8. DPI can also provide visibility over the whole network by analyzing activity with heuristics that flag anomalies. Heuristics look at the data packets for anything out of the ordinary (an unexpected protocol on a port, a flow that does not match its claimed application) that may indicate a threat to the organization.
9. DPI can inspect outgoing traffic as it tries to leave the network. Filters designed to prevent data leakage can be applied at this point, and the same inspection reveals where the data is going.
10. DPI's analytic capabilities can be used to block usage patterns that violate company policy, and to block unauthorized access to specific data even when it comes from company-approved applications.
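To make the list above concrete, here is a small, added example (not redborder code, written for this post) of the core of a DPI classifier: it looks at the first bytes of a flow, identifies the application (HTTP and its Host header, a TLS ClientHello and its SNI, SSH, BitTorrent), and then applies a policy table that prioritizes, throttles, blocks or alerts, which covers the use cases in points 1 to 10. The hostnames, the policy rules and the sample packets are all constructed for the example; the TLS ClientHello is built by a helper so that the parser can be exercised offline. Note that for TLS the only application-layer detail visible without decryption is the server name in the handshake, which is exactly the limitation discussed under encrypted traffic below.

```python
"""Toy DPI classifier: identify the application from payload bytes and apply policy.
Added example, not redborder code. All hosts, rules and packets are constructed."""
from __future__ import annotations
import struct


def build_client_hello(host: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello carrying an SNI extension (test input only)."""
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name   # list len, type, name len
    ext = struct.pack("!HH", 0, len(sni)) + sni                        # ext type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                       # version, random, sid len
            + struct.pack("!H", 2) + b"\x13\x01"                        # one cipher suite
            + b"\x01\x00"                                               # compression: null
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(payload: bytes) -> str | None:
    """Walk a TLS ClientHello and return the server_name, or None if absent/truncated."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:
            return None
        p = 43                                   # record(5)+hs hdr(4)+version(2)+random(32)
        p += 1 + payload[p]                      # session id
        p += 2 + struct.unpack("!H", payload[p:p + 2])[0]   # cipher suites
        p += 1 + payload[p]                      # compression methods
        end = p + 2 + struct.unpack("!H", payload[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", payload[p:p + 4])
            p += 4
            if ext_type == 0:                    # server_name: list len(2), type(1), len(2), name
                name_len = struct.unpack("!H", payload[p + 3:p + 5])[0]
                return payload[p + 5:p + 5 + name_len].decode("ascii", "replace")
            p += ext_len
    except (IndexError, struct.error):
        return None
    return None


def classify(payload: bytes) -> tuple[str, str | None]:
    """Return (application, detail) from the first bytes of a flow."""
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent", None
    if payload.startswith(b"SSH-"):
        return "ssh", payload.split(b"\r\n", 1)[0].decode(errors="replace")
    if any(payload.startswith(m) for m in (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ")):
        for line in payload.split(b"\r\n")[1:]:
            if line.lower().startswith(b"host:"):
                return "http", line[5:].strip().decode(errors="replace")
        return "http", None
    sni = extract_sni(payload)
    if sni is not None:
        return "tls", sni
    if payload[:1] == b"\x16":
        return "tls", None                       # encrypted: nothing else is visible
    return "unknown", None


# Constructed policy table: (application, host suffix or None, action). First match wins.
POLICY = [
    ("bittorrent", None, "throttle"),                    # point 6: shape P2P
    ("tls", "erp.example.internal", "prioritise"),       # point 6: business-critical app
    ("http", "paste.example.org", "block"),              # point 9: data-leakage filter
    ("ssh", None, "alert"),                              # point 8: flag for review
]


def decide(app: str, detail: str | None) -> str:
    for rule_app, suffix, action in POLICY:
        if app == rule_app and (suffix is None or (detail or "").endswith(suffix)):
            return action
    return "allow"


def inspect(payload: bytes) -> tuple[str, str | None, str]:
    app, detail = classify(payload)
    return app, detail, decide(app, detail)


# Constructed sample flows (first packet of each).
SAMPLES = {
    "erp": build_client_hello("erp.example.internal"),
    "paste": b"POST /upload HTTP/1.1\r\nHost: paste.example.org\r\nContent-Length: 4\r\n\r\nsecr",
    "torrent": b"\x13BitTorrent protocol" + b"\x00" * 8 + b"\x11" * 20 + b"-qB4500-" + b"\x00" * 12,
    "ssh": b"SSH-2.0-OpenSSH_9.6\r\n",
    "browse": build_client_hello("www.example.com"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:8s} -> {inspect(pkt)}")
```

A production engine does the same thing over reassembled TCP streams and with far more signatures, but the shape is identical: classify first, then let a policy table turn the classification into an action. The truncated-record check in `extract_sni` matters in practice, since a sensor that crashes on a malformed handshake is itself a denial-of-service target.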
Challenges posed by DPI
DPI can be a powerful tool, but it brings serious challenges.
For example, many organizations have found that enabling DPI on their firewall appliances introduces unacceptable network bottlenecks and performance degradation. Why does this happen?
– The first reason is that these on-premises devices sit on corporate networks that already have their own load and performance issues.
– The second is that organizations tend to backhaul ALL traffic from remote users through this infrastructure so that every packet passes the DPI inspection point.
The result is a large amount of latency imposed on a large number of users and employees.
This drives another trend: skipping DPI altogether. If no VPN is in place and these users connect directly to cloud and online resources, they bypass the network perimeter protections entirely. That is a lose-lose situation for everyone.
Then there is the challenge of encrypted traffic. While some firewalls claim to perform deep packet inspection on HTTPS traffic, decrypting the data and inspecting it inline with the traffic flow is processor-intensive and overwhelms many hardware-based security devices. In response, administrators often simply disable the capability in their firewalls. Another lose-lose situation.
So where is the solution?
It should be assumed that the primary purpose of a firewall is still to protect the network perimeter. A cloud-adapted solution such as redborder live can then take the performance burden of deep packet inspection off those devices entirely. This also gives a more consistent path for policy enforcement when managing security policies across multiple locations.