Recently I wrote a piece on Deep Packet Inspection (DPI) and issues related to its use within the Virgin Media network in the United Kingdom. In that case, opponents of its use cited UK legislation that prohibits the unauthorized capture of communications and conversations on networks. I found this curious, as the case dealt with Virgin’s desire to deploy a specific tool that focuses on the detection and identification of peer-to-peer (P2P) networks such as eDonkey, BitTorrent and Gnutella. The tool, CView, was to provide a DPI function important to ensuring the integrity and purity of good traffic while aiding in the identification, observation and remediation of bad traffic. Virgin’s concern was the health of its network and its desire to manage anomalous bandwidth consumption while combating the illegal use and distribution of copyrighted / trademarked materials. This doesn’t sound terribly unreasonable, nor does it sound like a ‘violation of privacy’ rights as the opposition suggested.
This case caused me to reflect on the challenges and opposition I have seen in hundreds of cases and clients with respect to Deep Packet Inspection (DPI) technologies. I believe many organizations, and the professionals within them, have a fundamental lack of understanding not only of DPI but also of more elementary concepts such as traffic analysis (read: the ability to read and decipher packet captures). I’ve heard every possible technical and cultural argument against the use of packet inspection or session-based analysis tools known to man, some better articulated and supported than others. I’ve been in countless meetings where whiteboard diagramming sessions ensued and network diagram sessions erupted into long debates regarding the implementation and positioning of a technology, and every reason why a given device could not be implemented. These conversations are healthy and important; they need to be had. However, facts are facts, and most of the ‘concerns’ or arguments used against the adoption of intelligent, network-based security products are in fact flawed. Take for example one of my favorite arguments against the adoption of Deep Packet Inspection (DPI) technologies:
- Deep packet inspection solutions introduce latency into the network and in effect are prohibitive to the continued flow of traffic:
  - This argument had some validity when first presented, but DPI solutions, specifically Intrusion Prevention System (IPS) appliances, have since evolved through three generations. Most if not all now ship with a fail-open bypass kit: hardware that passes traffic untouched if the appliance loses power or its inspection engine fails. Provided the building is not a smoking crater and electricity continues to flow, so will your traffic. Whether to fail open or fail closed in such a cataclysm (as defined by you or your organization) remains a policy choice, since fail-open trades inspection for availability.
  - Additionally, most if not all platforms offer multiple deployment modes, so an organization can move gradually from passive monitoring (IDS mode, fed from a tap or SPAN port) to full inline DPI enforcement (IPS mode).
  - It is true that any device introduced into the flow of traffic adds some latency, however infinitesimal. This is true of any device, be it a router, switch, load balancer, server, firewall, IPS, etc.
- Deep Packet Inspection (DPI) solutions, specifically Intrusion Prevention Systems, are often never fully implemented and remain in a passive monitoring mode. As a result, the organization never fully realizes the Return on Investment (ROI) it expected from the purchase and could likely have settled for a much less sophisticated and costly platform:
  - The organization’s rate of adoption, or the readiness of the enterprise in question, has no bearing on the efficacy of the technology.
  - It is intellectually dishonest to assert that, had proper due diligence been performed and a readiness assessment undertaken, the Return on Investment (ROI) and Total Cost of Ownership (TCO) would not have yielded positive results, technical or otherwise.
- The threat landscape is moving at a rate which no one can properly contend with, and as a result it cannot be combated in its entirety:
  - This is not true for all systems utilizing Deep Packet Inspection (DPI) technology. Yes, some rely on archaic and in some cases poorly defined engines and analysis technologies; however, those which truly live up to the definition of Deep Packet Inspection (DPI) should be impacted far less by this than those which do not.
- Deep Packet Inspection (DPI) solutions are complex and esoteric; they are not intuitive:
  - This argument is weak but needs to be taken in context. In my experience, when clients brought this point to the debate table it had more to do with the experience level of their staff than with the complexity of the tools.
  - This can be overcome quickly and easily provided a proactive, open relationship exists between the vendor and the client.
  - Education should be ongoing, and it is the responsibility not only of the vendor but also of the organization purchasing and adopting the technology.
- Firewalls which adopt and integrate Deep Packet Inspection (DPI) are complex, introduce latency and are less intuitive than their simpler packet-filtering and stateful-inspection peers:
  - The application of this type of technology is traditionally done by those who are fluent in it and well versed in the need for it.
  - It is neither new nor beyond comprehension.
  - Given today’s threats and the complexities that researchers and analysts continue to see in record numbers, technologies such as this are now more important than ever before, not to mention more effective than packet-filtering and / or stateful-inspection-only systems.
Conclusion:
The reality is that technologies such as Deep Packet Inspection (DPI) are extremely important. Their importance, though debated, cannot be ignored, and they are more important now than ever before. No longer are we contending with largely unsophisticated threats and adversaries. Cyber-criminals do not sleep. Nor do they take vacations or observe change windows. They are on the job 24 x 7 x 365 and are not deterred by the presence of traditional mitigative technologies and controls (in fact I would imagine they welcome the objections raised against the adoption of technologies such as DPI). As a result, the need to strengthen our positions architecturally as well as procedurally must be recognized and acted upon. Time is of the essence, and hesitation accompanied by intellectually dishonest or malformed thought processes must be overcome in order to address these threats.
Deep Packet Inspection: A Legal Liability?
Deep packet inspection is not a new concept. It is, in fact, quite mature and takes advantage of the best of IDS (intrusion detection systems), IPS (intrusion prevention systems) and stateful inspection firewalls. The technology is extremely effective in combating malicious code and content attacks and in enforcing policy to a variety of ends. Additionally, the technology is quite good at providing detailed intelligence with respect to application behavior and patterns as they appear within a given infrastructure. In modern enterprise and carrier networks this technology is both common and integral to ensuring operational efficiency while managing and minimizing risk.
Recently, however, it has come under fire and in at least one case been dubbed a measure by which the privacy rights of end users can and will no doubt be violated. The case in question is the recent announcement by Virgin Media that it will deploy a DPI-like technology package called CView within its network in order to better understand the prevalence and associated patterns of use seen in peer-to-peer networking sessions. The tool would in effect be capable of tracking sessions associated with peer-to-peer networks such as Gnutella, BitTorrent or eDonkey, which has created a negative buzz amongst organizations such as Privacy International, who appealed to the EU to step in and review the package proposed by Virgin Media. Virgin’s intentions seem straightforward to me, but perhaps that is due to my being an information security professional:
- Gain an understanding of the usage of these P2P networks and clients and the patterns associated with that usage
- Analyze the instability they present within the network in terms of inordinate resource consumption
- Analyze content for purposes of legality (avoid trafficking in either copyrighted material or illicit, illegal material)
- Implement throttling if necessary
- Implement policy control if found to be necessary by law or by virtue of Virgin policy
- Mitigate risk posed to the Virgin Media network environment and its user community
- Prevent malicious code and content propagation, up to and including the propagation of advanced malware kits and botnets
I have to believe the goal of using a tool such as CView (if you look the tool up you will see it does not tie individual identity information to the information harvested) is pretty straightforward and reflects much, if not all, of what is seen above. I find it hard to believe that this is a case where privacy should be an issue, though I am aware that in the UK, under the Regulation of Investigatory Powers Act (RIPA), intercepting communications is a criminal offense regardless of what is being done with the data. While I am no expert in British parliamentary process or law, it would seem that this act would be prohibitive, if not crippling, to the provision of advanced security solutions that could curtail illicit, illegal activity. Deep packet inspection is not the problem here; the problem is perception as it relates to the lengths to which personal ‘freedom’ extends and where illegal activity begins.
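To make concrete what “identifying P2P sessions” by deep packet inspection actually means, and why it differs from the port-based guessing a plain stateful firewall does, here is an added example of my own. It is not CView and not any vendor’s engine; it is illustrative code written for this post. It looks at the first bytes of a TCP stream for the protocol handshakes that BitTorrent, Gnutella 0.6 and eDonkey clients send, and it aggregates results by protocol only, which is the point made above about classification not needing per-subscriber identity. All flows and payloads are constructed by hand for the example, not captured from a real network, and the hypothetical port table in port_guess is there only to show where port-based classification goes wrong.

```python
"""Added example: payload-signature classification of P2P sessions, the kind of check a
DPI engine makes to identify BitTorrent, eDonkey and Gnutella regardless of TCP port.
Illustrative code written for this page, not Virgin Media's CView or any vendor engine.
Every payload below is constructed by hand, not captured traffic."""
import struct
from collections import Counter

BT_PSTR = b"BitTorrent protocol"
EDONKEY_PROTO = 0xE3      # eDonkey/eMule protocol byte that starts every message header
EDONKEY_OP_HELLO = 0x01   # opcode of the client-to-client HELLO message


def classify_payload(payload: bytes) -> str:
    """Return the P2P protocol indicated by the first bytes of a TCP stream, or 'other'."""
    # BitTorrent peer-wire handshake:
    # <pstrlen=19><"BitTorrent protocol"><8 reserved><20-byte info_hash><20-byte peer_id> = 68 bytes
    if len(payload) >= 68 and payload[0] == 19 and payload[1:20] == BT_PSTR:
        return "bittorrent"
    # Gnutella 0.6 connection handshake, either the request or the response line.
    if payload.startswith(b"GNUTELLA CONNECT/") or payload.startswith(b"GNUTELLA/0.6 "):
        return "gnutella"
    # eDonkey: <0xE3><uint32 little-endian body length><opcode><body...>
    # Require the length field to match the body so a stray 0xE3 is not enough.
    if len(payload) >= 6 and payload[0] == EDONKEY_PROTO:
        (body_len,) = struct.unpack("<I", payload[1:5])
        if body_len == len(payload) - 5 and payload[5] == EDONKEY_OP_HELLO:
            return "edonkey"
    return "other"


def port_guess(dport: int) -> str:
    """What a port-only (non-DPI) classifier would conclude. Hypothetical default ports."""
    if 6881 <= dport <= 6889:
        return "bittorrent"
    if dport == 4662:
        return "edonkey"
    if dport == 6346:
        return "gnutella"
    return "other"


def summarize(flows):
    """Sessions and bytes per protocol. Deliberately keyed by protocol only: the
    classification itself never needs to retain which subscriber produced a flow."""
    sessions, nbytes = Counter(), Counter()
    for _src, _dst, _dport, payload in flows:
        proto = classify_payload(payload)
        sessions[proto] += 1
        nbytes[proto] += len(payload)
    return {p: {"sessions": sessions[p], "bytes": nbytes[p]} for p in sessions}


def port_mismatches(flows):
    """Flows where the port-based guess disagrees with the payload signature."""
    return [(src, dst, dport, port_guess(dport), classify_payload(p))
            for src, dst, dport, p in flows if port_guess(dport) != classify_payload(p)]


# Constructed sample flows: (src, dst, dst_port, first payload bytes of the stream).
_bt = bytes([19]) + BT_PSTR + bytes(8) + bytes(range(20)) + b"-AZ2000-" + bytes(12)
_gn = b"GNUTELLA CONNECT/0.6\r\nUser-Agent: example\r\n\r\n"
_ed_body = bytes([EDONKEY_OP_HELLO]) + bytes(25)
_ed = bytes([EDONKEY_PROTO]) + struct.pack("<I", len(_ed_body)) + _ed_body
_http = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.10", 6881, _bt),    # BitTorrent on its usual port
    ("10.0.0.6", "192.0.2.11", 443, _bt),     # BitTorrent on 443: port guess says "other"
    ("10.0.0.7", "192.0.2.12", 6346, _gn),
    ("10.0.0.8", "192.0.2.13", 4662, _ed),
    ("10.0.0.9", "192.0.2.14", 6881, _http),  # plain HTTP on a "BitTorrent" port
]

if __name__ == "__main__":
    for proto, stats in sorted(summarize(SAMPLE_FLOWS).items()):
        print(f"{proto:11s} sessions={stats['sessions']} bytes={stats['bytes']}")
    for m in port_mismatches(SAMPLE_FLOWS):
        print("port/payload disagree:", m)
```

Two of the five constructed flows are misclassified by port alone (BitTorrent on 443, HTTP on 6881) and correctly classified by payload. The caveat a practitioner will want: the matching above assumes it is handed the reassembled start of the stream. A real engine sits behind TCP reassembly, because a handshake can be split across segments, and it also needs encrypted-transport handling (obfuscated BitTorrent, for instance), which a fixed byte signature does not cover.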