Recently I wrote a piece on Deep Packet Inspection (DPI) and issues related to its use within the Virgin Media network in the United Kingdom. In that case, opponents of its use cited UK legislation that prohibits the unauthorized capture of communications and conversations on networks. I found this curious, as the case dealt with Virgin’s desire to deploy a specific tool that focuses on the detection and identification of peer-to-peer (P2P) networks such as eDonkey, BitTorrent and Gnutella. The tool, CView, was to provide a DPI function important to ensuring the integrity and purity of good traffic while aiding in the identification, observation and remediation of bad traffic. Virgin’s concern was the health of its network and its desire to manage anomalous bandwidth consumption while combating the illegal use and distribution of copyrighted / trademarked materials. This doesn’t sound terribly unreasonable, nor does it sound like a ‘violation of privacy rights’ as the opposition suggested.
This case caused me to reflect on the challenges and opposition I have seen in hundreds of cases and clients with respect to Deep Packet Inspection (DPI) technologies. I believe many organizations, and many professionals within them, have a fundamental lack of understanding not only of DPI but also of more elementary concepts such as traffic analysis (read: the ability to read and decipher packet captures). I’ve heard every possible technical and cultural argument against the use of packet inspection or session-based analysis tools known to man, some better articulated and supported than others. I’ve been in countless meetings where whiteboard diagramming sessions ensued and network diagram sessions erupted into long debates regarding the implementation and positioning of a technology and every reason why a given device could not be implemented. These conversations are healthy and important; they need to be had. However, facts are facts, and most of the ‘concerns’ or arguments used against the adoption of intelligent, network-based security products are in fact flawed. Take, for example, some of my favorite arguments against the adoption of Deep Packet Inspection (DPI) technologies:
- Deep packet inspection solutions introduce latency into the network and in effect prohibit the continued flow of traffic:
  - This argument had some validity when it was first presented; however, DPI solutions, specifically Intrusion Prevention System (IPS) appliances, have evolved to a third generation. Most if not all offer some form of bypass kit (a fail-open network interface) which ensures that in the event of a cataclysm (as defined by you or your organization), provided the building is not a smoking crater and electricity continues to flow, so too will your traffic. The practitioner’s caveat is that traffic passing through an engaged bypass is passing uninspected, so bypass events must be alarmed on and cleared, not silently tolerated.
  - Additionally, most if not all platforms offer multiple modes of deployment, so an organization can move gradually from a passive monitoring (IDS) mode into full inline DPI.
  - It is true that any time any device is introduced into the flow of traffic some latency, however infinitesimal, will be introduced. This is true of any device, be it a router, switch, load balancer, server, firewall, IPS, etc.
- Deep Packet Inspection (DPI) solutions, specifically Intrusion Prevention Systems, are often never fully implemented and remain in a passive monitoring mode. As a result, the organization never fully realizes the Return on Investment (ROI) it expected from the purchase and could likely have settled for a much less sophisticated and costly platform:
  - The adoption of the technology, and the readiness of the enterprise in question, has no bearing on the efficacy of the technology.
  - It is intellectually dishonest to hold this against the technology: had proper due diligence been performed and a readiness assessment undertaken, the Return on Investment (ROI) and Total Cost of Ownership (TCO) analysis would have yielded positive results, technical or otherwise.
- The threat landscape is moving at a rate which no one can properly contend with, let alone combat in its entirety:
  - This is not true for all systems utilizing Deep Packet Inspection (DPI) technology. Yes, there are some which rely on archaic and in some cases less well defined engines and analysis technologies; however, those which truly live up to the definition of Deep Packet Inspection (DPI) should be impacted far less by this than those which do not.
- Deep Packet Inspection (DPI) solutions are complex and esoteric; they are not intuitive:
  - This argument is weak but needs to be taken in context. In my experience, when clients brought this point to the debate table it had more to do with the experience level of their staff than with the tool’s complexity.
  - This can be overcome quickly and easily provided a proactive, open relationship exists between the vendor and the client.
  - Education should be ongoing; failure to educate (it is the responsibility not only of the vendor but also of the organization purchasing and adopting the technology) to ensure
- Firewalls which adopt and integrate Deep Packet Inspection (DPI) are complex, introduce latency and are less intuitive than their simpler packet-filtering and stateful inspection peers:
  - This type of technology is traditionally applied by those who are fluent in it and well versed in the need for it.
  - It is neither new nor beyond comprehension.
  - Given today’s threats, and the complexity that researchers and analysts continue to see in record numbers, technologies such as this are now more important than ever before, not to mention more effective than packet-filtering and/or stateful-inspection-only systems. A packet filter or stateful firewall decides on addresses, ports and connection state alone; a DPI engine decides on what the payload actually carries, which is what lets it recognize a P2P client that has simply been pointed at port 80 or 443.
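To make the distinction concrete, here is an added example (not code from the original post, and not Virgin Media’s CView or any vendor’s engine) of the two points above: a payload-signature classifier that identifies BitTorrent, Gnutella and eDonkey by what the packet carries rather than by port, wrapped in an analysis point that can run in passive (IDS, alert only) or inline (IPS, drop) mode and fails open, in the manner of a bypass kit, if the engine itself faults. The `Packet` type, the `Engine` class and all sample packets are constructed for the example; the protocol markers themselves (the 19-byte BitTorrent handshake prefix, the `GNUTELLA CONNECT/0.6` greeting, the eDonkey `0xE3` marker and little-endian length) are the real on-the-wire ones.

```python
# Added example, not code from the original post nor Virgin Media's CView:
# a minimal payload-signature DPI engine.  It classifies P2P protocols by
# what the payload carries rather than by port number, and runs either in
# passive (IDS, alert only) or inline (IPS, drop) mode with a fail-open
# bypass that passes traffic through when the analysis engine faults.
# All packets below are constructed for the example.
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Well-known on-the-wire markers, matched on payload bytes, never on port:
# - BitTorrent peer handshake: length byte 19 followed by "BitTorrent protocol"
# - Gnutella 0.6: the connection opens with "GNUTELLA CONNECT/0.6" and the
#   peer answers "GNUTELLA/0.6 200 OK"
# - eDonkey: a 0xE3 marker byte, a 4-byte little-endian length of the
#   remainder of the frame, then the opcode
def classify(payload: bytes) -> str:
    """Return the protocol label a payload-signature DPI engine assigns."""
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    if payload.startswith((b"GNUTELLA CONNECT/", b"GNUTELLA/0.6")):
        return "gnutella"
    if len(payload) >= 6 and payload[0] == 0xE3:
        declared = int.from_bytes(payload[1:5], "little")
        if declared == len(payload) - 5:  # length field must match the frame
            return "edonkey"
    return "unknown"


def port_classify(dport: int) -> str:
    """What a header-only (packet-filter / stateful) device can conclude."""
    return {6881: "bittorrent", 6346: "gnutella", 4662: "edonkey"}.get(dport, "unknown")


P2P = {"bittorrent", "gnutella", "edonkey"}


class Engine:
    """Inline analysis point with passive/inline modes and a fail-open bypass."""

    def __init__(self, mode: str = "passive",
                 analyzer: Callable[[bytes], str] = classify) -> None:
        if mode not in ("passive", "inline"):
            raise ValueError("mode must be 'passive' (IDS) or 'inline' (IPS)")
        self.mode = mode           # "passive" = alert only, "inline" = drop
        self.analyzer = analyzer   # injectable so an engine fault can be simulated
        self.bypass = False        # once set, traffic passes uninspected (fail-open)
        self.bypass_events = 0     # operators should alarm on this, not ignore it

    def process(self, pkt: Packet) -> Tuple[str, str]:
        """Return (verdict, label); verdict is 'pass', 'alert' or 'drop'."""
        if self.bypass:
            return ("pass", "bypass")
        try:
            label = self.analyzer(pkt.payload)
        except Exception:
            # Engine fault: emulate the bypass kit and fail open rather than
            # becoming the outage the latency argument warns about.
            self.bypass = True
            self.bypass_events += 1
            return ("pass", "bypass")
        if label not in P2P:
            return ("pass", label)
        return ("drop" if self.mode == "inline" else "alert", label)


def run(engine: Engine, packets: List[Packet]) -> List[Tuple[str, str]]:
    return [engine.process(p) for p in packets]


# Constructed sample traffic.  Ports are chosen to show why port-based
# classification gets it wrong in both directions.
SAMPLE_PACKETS = [
    # BitTorrent handshake on 443: pstrlen, pstr, 8 reserved bytes,
    # 20-byte info_hash, 20-byte peer_id
    Packet("10.0.0.5", "203.0.113.9", 443,
           b"\x13BitTorrent protocol" + bytes(8) + b"\xaa" * 20 + b"-XX0001-" + b"0" * 12),
    # Gnutella connect on port 80
    Packet("10.0.0.6", "203.0.113.10", 80,
           b"GNUTELLA CONNECT/0.6\r\nUser-Agent: Example/1.0\r\n\r\n"),
    # eDonkey login: marker, length 17, opcode 0x01, 16-byte client hash
    Packet("10.0.0.7", "203.0.113.11", 4662,
           b"\xe3" + (17).to_bytes(4, "little") + b"\x01" + bytes(16)),
    # Plain HTTP on the default BitTorrent port: a port filter would flag it
    Packet("10.0.0.8", "203.0.113.12", 6881,
           b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(f"dport={pkt.dport:<5} port-based={port_classify(pkt.dport):<11} "
              f"dpi={classify(pkt.payload)}")
    for mode in ("passive", "inline"):
        print(mode, run(Engine(mode), SAMPLE_PACKETS))
```

Run as written, the port-based column misses the three P2P sessions hiding on 443 and 80 and wrongly flags the HTTP request on 6881, while the payload classifier gets all four right; switching the engine from `"passive"` to `"inline"` turns the alerts into drops without touching the signatures, which is the IDS-to-IPS migration path the list describes. The `bypass_events` counter is the piece to wire into monitoring: a fail-open engine that nobody notices has failed is a blind spot, not a control.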
Conclusion:
The reality is that technologies such as Deep Packet Inspection (DPI) are extremely important. Their importance, though debated, cannot be ignored, and they are more important now than ever before. No longer are we contending with largely unsophisticated threats and adversaries. Cyber-criminals do not sleep, nor do they take vacations or observe change windows. They are on the job 24 x 7 x 365 and are not deterred by the presence of traditional mitigating technologies and controls (in fact, I would imagine they welcome the objections raised against the adoption of technologies such as DPI). As a result, the need to strengthen our positions, architecturally as well as procedurally, must be recognized and acted upon. Time is of the essence, and hesitation driven by intellectually dishonest or malformed thought processes must be overcome in order to address these threats.