
Deep Packet Inspection Technologies
Anderson Ramos

Source: http://www.infosectoday.com/Articles/Deep_Packet_Inspection_Technologies.htm (page printed 28/01/2014 15:56)

Introduction

The explosion of the commercial use of the Internet has created specific business and technology demands for products that could allow organizations to explore the opportunities that arose without compromising their security. Thousands of internal networks, with a high level of trust for their owners, have been connected to a public and loosely controlled network; this has opened those organizations to a series of new security problems.

One of the first concerns was the need for a security mechanism that could allow basic definitions in terms of access control. The development of a network security policy to determine what resources could be accessed by which users, including the operations that could be performed, was always recommended as a good first step. Once the organization had this basic definition of the permissions that should be enforced at the connecting point with this new external world, it was ready to implement technologies for achieving this goal.

The network security killer application of this emerging era was the firewall. Basically, we can define a firewall as a system, formed by one or more components, responsible for network access control. These systems have used a number of different technologies for performing their operations. Well-known examples are packet filters, proxies, and stateful inspection devices. In general, those technologies analyze packet information, allowing or disallowing their flow, considering aspects like source/destination addresses and ports. Some of them have much more complex analysis, as well as granularity in terms of configuration, but the basic purpose is the same. They have achieved a partial success in their objectives.

Partial success means that those technologies were able to guarantee that multiple ports that used to be open for communication (thus exploitation) before the advent of the firewalls were, more or less, closed. One of the key success factors here was the default deny approach, a key security principle, correctly implemented in the design of the security policies' structuring. The remaining problem that most organizations today are willing to address is how secure the few communication ports still open through their firewalls are. In other words, how to guarantee that our few authorized channels are not used in an unauthorized way. This is far more complex.

The reason for this current concern comes from the fact that, over recent years, attacks have migrated from the network level to the application level. Because firewalls were effective in blocking several ports that would be opened for network exploitation, the research of new attacks has been concentrated in applications that are often open through most firewall security policies, focusing on protocols like Hypertext Transfer Protocol (HTTP), Simple Mail Transfer Protocol (SMTP), database access protocols, and others. Additionally, HTTP has become one of the most important paths to a number of new software-developing technologies, designed for making the delivery of new Web applications easier and full of rich new features that were previously unavailable.

This vast use of HTTP and the other protocols that have been mentioned has forced most network and security administrators to create specific rules in their firewalls for allowing these types of communication in an almost unrestricted way. Several software developers of applications such as instant messaging or Internet telephony have adapted them for using these open communication channels, in an attempt to avoid organization-enforced restrictions and controls. Some have even adapted their code to search for and use any open port in the firewall, through approaches that resemble port scanners, tools historically used for network and host security evaluation and invasion, although the reason for doing that can go beyond network security issues. [1]

The network access control needs to become more granular, going beyond the basic functions provided by most technologies. The point is not blocking or unblocking the HTTP port, but guaranteeing that this open port is being used only for specific types of authorized HTTP traffic. This includes protection against things like:

- Unauthorized download of mobile code, like ActiveX controls and Java applets
- Application-level attacks against Web sites
- Malware propagation through authorized protocols
- Use of authorized open ports by unauthorized applications
- Specific behaviors that could characterize an attack.

Different technologies have been used in these tasks, with limited success. Intrusion detection systems (IDS) were one of them. Although the main purpose of these technologies was to work as an auditing tool, several vendors have promised effective protection through firewall integration or active responses, such as connection resets. However, a Gartner report published in 2003 [2] pointed out several fundamental issues with the use of those systems, urging customers to replace them with new emerging technologies capable of not only detecting attacks, but blocking them in real time. Basically, the key arguments were:

- IDS cannot block attacks effectively, only detect them.
- Their detection capabilities were also limited, with a high number of false positives and negatives.
- The management burden is huge, theoretically demanding 24-hour monitoring of their functioning.
- They were not able to analyze traffic at transmission rates greater than 600 Mbps.

Although the report had some flaws, [3] including technical errors like the speed limit, a huge and passionate debate was initiated. Security managers and professionals that had invested their budgets in IDS tried to justify their decisions. Vendors went even further, attempting to disqualify Gartner's arguments. But, curiously, most vendors at that time were already offering in their product ranges new options known as intrusion prevention systems (IPSs). These are probably the most stable and mature technology capable of doing some of the actions demanded by the research report, which indicates that even they were aware of some of their products' limitations. Additionally, the report also mentioned another recent Gartner research document that focused on a technology called deep packet inspection (DPI), which was new and then still loosely defined.

Since then, several products offering DPI capabilities have emerged. The purpose of this document is to investigate what this technology is, its application in the current network/computer security scenario, and how to decide if it is appropriate for your organization's environment.

Deep Packet Inspection Definition

Deep packet inspection (DPI) normally refers to a technology that allows packet-inspecting devices, such as firewalls and IPS, to deeply analyze packet contents, including information from all seven layers of the OSI model. This analysis is also broader than common technologies because it combines techniques such as protocol anomaly detection and signature scanning, traditionally available in IDS and anti-virus solutions.

It is right to affirm that DPI is a technology produced by the convergence of traditional approaches used in network security, but performed by different devices. The improvement of hardware platforms and the development of specific hardware devices for network security tasks have allowed functions that used to be carried out by separate components to be carried out by just one. However, it is not possible to argue that this convergence is complete. Vendors are still maturing their technologies and there is a huge space for improvement.

Due to this convergence, it is important to understand which technologies preceded DPI and what their drawbacks are, because they have driven the demand for new technologies by not fulfilling all current network security needs.

Understanding Previous Technologies

One of the first technologies used for performing network security was packet-filtering firewalls. Those systems were implemented, basically, by using access control lists (ACL) embedded in routers. Access control was one of the primary concerns of the early age of commercial use of the Internet in the 1990s. Because routers are the connection point between internal and external networks, their use as access control devices was very natural and appropriate.

Simple packet filters analyze each of the packets passing through a firewall, matching a small part of their contents against previously defined groups of access control rules. In general, we can say that the basic limitations were:

- Because they analyze individual packets, they could not identify security violations that can only be visualized by screening more of the traffic flow;
- Very little information from the packets was analyzed, preventing the identification of several problems that could only be seen in the application layer.
- The rules were static, creating many security problems for screening protocols that negotiate part of the communication options, like ports and connections, on the fly (the FTP service is a classic example).
- In general, router ACLs, implemented through command-line parameters, are harder to manage than rules created in easy-to-use graphical user interfaces.

Due to those deficiencies, an alternative, known as application-layer firewalls or proxies, was developed. Designed with the purpose of solving the security limitations of the packet-filtering technology, proxies have adopted a very effective approach in terms of security, but are radical from the networking point of view.

Instead of analyzing packets as they cross the gateway, proxies break the traditional client/server model. Clients are required to forward their requests to a proxy server instead of the real server. After the proxy receives those requests, it will forward them to the real server only if the requests meet a predefined security policy. The real server receives the requests from the proxy, which forces it to believe that the proxy is the real client. This allows the proxy to concentrate all requests and responses from clients and servers.

Because a proxy is normally developed with the purpose of filtering a specific application, its security controls and mechanisms are much stronger than packet filters. Instead of just allowing or not allowing the application, the proxy can have more granularity, specifying exactly which parts of the communication are allowed, which content is allowed, etc. Using HTTP as an example, it is possible to define that users can access Web sites, but download of Java applets or ActiveX controls is prohibited.

However, this new paradigm requires applications to be adapted for taking advantage of their features. Clients must be aware that there is a proxy in the middle of the communication and must format their requests in an appropriate way. Protocols and toolkits, such as SOCKS, have been developed for making this work easier. More recently, transparent proxies have been solving this issue while keeping the security capabilities of the technology.

But the worst problem was cost, and the cost affects the use of proxy technologies in two ways. First, it is expensive and time consuming to write code for proxy servers. The programmer must know not only everything about the protocol being "proxied," but must also have specific code for implementing the necessary security controls. Second, there is a performance problem. Because connections will always be recreated from the proxy to the real server and the analysis being done is more sophisticated, the performance cost is much higher than it is in packet filters.

Considering that those two technologies are opposite in a number of ways, an intermediate technology, marketed as stateful inspection, focused on improving the security of packet filters. The idea was to keep a performance similar to packet filters while improving their security to an acceptable level. This improvement is made possible through the use of state tables. When packets are analyzed by stateful firewalls, they store important information about the connection in those tables, allowing them to improve the quality of the screening process because the flow of the information is considered when making network access control decisions, instead of single packets. This mechanism also allows the creation of dynamic rules, intended for permitting very specific communication channels to be opened on the fly. If the protocol negotiates some connection using a random port, for example, the firewall can realize this through a full seven-layer analysis of the packet, and create a dynamic rule, allowing the communication on this port if the source/destination information is correct, and for a limited time.
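To make the state-table and dynamic-rule mechanism concrete, here is a small simulation (an added example, not code from the article or from any vendor's product) of a stateful filter that tracks an FTP control connection and opens the negotiated passive-mode data port only for the client that negotiated it and only for a limited time. The addresses, ports and the FTP reply are constructed sample data.

```python
import re
from dataclasses import dataclass

# Constructed sample endpoints; not taken from the article.
INSIDE_HOST = "10.0.0.5"
FTP_SERVER = "203.0.113.10"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""      # "SYN" marks a new connection attempt
    payload: str = ""    # application data, here an FTP control reply
    time: float = 0.0    # seconds; drives dynamic-rule expiry


# FTP "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply (RFC 959 format)
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


class StatefulFirewall:
    """Default-deny filter with a state table and short-lived dynamic rules."""

    def __init__(self, static_rules, dyn_rule_ttl=30.0):
        # static rules: (src, dst, dport) triples for which a new outbound
        # connection may be opened; everything else is denied by default
        self.static_rules = set(static_rules)
        self.dyn_rule_ttl = dyn_rule_ttl
        self.state = set()   # established flows: (src, sport, dst, dport)
        self.dynamic = {}    # (src, dst, dport) -> expiry time

    def _expire(self, now):
        self.dynamic = {k: t for k, t in self.dynamic.items() if t > now}

    def filter(self, p: Packet) -> bool:
        """Return True if the packet is allowed through."""
        self._expire(p.time)
        flow = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        # packets of an established flow are judged by the flow, not alone
        if flow in self.state or reverse in self.state:
            self._inspect(p)
            return True
        if "SYN" in p.flags:
            key = (p.src, p.dst, p.dport)
            if key in self.static_rules or key in self.dynamic:
                self.state.add(flow)
                self.dynamic.pop(key, None)   # a dynamic rule is single-use
                return True
        return False   # default deny

    def _inspect(self, p: Packet):
        """Seven-layer look at a control-channel reply: derive a dynamic rule."""
        m = PASV_RE.search(p.payload)
        if not m:
            return
        h1, h2, h3, h4, p1, p2 = map(int, m.groups())
        data_host = f"{h1}.{h2}.{h3}.{h4}"
        data_port = p1 * 256 + p2
        # only honour a reply that points back at the server that sent it,
        # so a control reply cannot open a hole towards a third host
        if data_host != p.src:
            return
        client = p.dst   # the reply travels server -> client
        self.dynamic[(client, data_host, data_port)] = p.time + self.dyn_rule_ttl


def data_connection_allowed(client: str, delay: float) -> bool:
    """Run one constructed FTP session against a fresh firewall and report
    whether a SYN from `client` to the negotiated data port, sent `delay`
    seconds after the PASV reply, is allowed."""
    fw = StatefulFirewall(static_rules={(INSIDE_HOST, FTP_SERVER, 21)})
    # the client opens the control connection (permitted by the static rule)
    assert fw.filter(Packet(INSIDE_HOST, 40000, FTP_SERVER, 21, "SYN", time=0.0))
    # the server answers on the established flow with a PASV reply that
    # names port 195*256 + 80 = 50000
    assert fw.filter(Packet(FTP_SERVER, 21, INSIDE_HOST, 40000, "",
                            "227 Entering Passive Mode (203,0,113,10,195,80)",
                            time=1.0))
    return fw.filter(Packet(client, 40001, FTP_SERVER, 50000, "SYN",
                            time=1.0 + delay))


def unsolicited_data_syn_allowed() -> bool:
    """Without a PASV negotiation there is no dynamic rule: denied."""
    fw = StatefulFirewall(static_rules={(INSIDE_HOST, FTP_SERVER, 21)})
    return fw.filter(Packet(INSIDE_HOST, 40001, FTP_SERVER, 50000, "SYN"))


if __name__ == "__main__":
    print("negotiating client, in time:", data_connection_allowed(INSIDE_HOST, 1.0))
    print("other host, same port:      ", data_connection_allowed("10.0.0.9", 1.0))
    print("negotiating client, late:   ", data_connection_allowed(INSIDE_HOST, 60.0))
    print("no negotiation at all:      ", unsolicited_data_syn_allowed())
```

A stateless packet filter would have to leave the whole high-port range open to make passive FTP work; here the hole exists only for the negotiated endpoints and for the rule's lifetime.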

This was a huge improvement for packet filters in terms of security, but could not solve all of the security problems. However, developing "intelligence" for firewalls like this, adapting them for new protocols as they emerge, is much simpler and easier than developing new application proxies. This created cheaper products, delivered to the market faster than proxy-based solutions, allowing companies that invested in this technology, like CheckPoint, Netscreen (now Juniper), and Cisco, to establish themselves as market leaders.

Although it represented a good improvement for packet filters, stateful inspection still lacked important security capabilities. Network access control was being performed very well, but it still was not capable of detecting attacks at the application level. Some of the vendors were using internal transparent application proxies when their customers needed more extensive checks. But as performance needs have increased, the stateful inspection/proxy combination has not scaled very well. Additionally, the number of network attacks was increasing dramatically, and the proxy part of this combination was not being updated to address all of them.

For this reason, many customers willing to add an additional layer of monitoring and protection have acquired IDS. Those systems, from a network perspective, are basically monitoring devices, although most of them have some firewall integration features that could also give some level of reaction and protection. Copies of the packets crossing the monitored networks are sent to the network IDS, which analyzes this information, normally using pattern (signature) matching technologies. This approach is very similar to the approach used by anti-virus software, and equally ineffective: only previously known viruses/attacks can be detected. Attempts to solve this issue using statistical analysis for defining an expected baseline and examining for deviations from it could even identify attacks not defined in the signatures database, but raised the false positives to unsustainable levels.

However, from a security perspective, pattern-matching approaches are even more ineffective in IDS than in anti-virus software. Most anti-virus software can block viruses in real time once they are found, while most IDS can only generate an alert. They can also send a command to the firewall, asking for blocking of the source of a just-identified attack. However, this approach has at least two serious problems:

- Some attacks, including several denial-of-service techniques, can be performed using very few packets, disrupting their targets before the firewall responsible for blocking them receives any notification.
- IDSs are famous for their false positives. In case of a false alarm, the firewall can block legitimate traffic, compromising the availability of the services and creating huge administrative problems.

The most logical evolution of this scenario would be to combine stateful inspection performed by firewalls with the content inspection performed by IDSs in a single box that could identify and block attacks in real time, while improving their detection capabilities to avoid the false positives issue. In this way, the analyses done by both components would be performed simultaneously.

A single-box approach is appealing. Customers prefer to have just one single security solution that would reduce the total cost of ownership (TCO) of the system, in addition to greatly simplifying the administration. Vendors would prefer to eliminate their competitors and be the only network security company present on their customer's network. The Gartner "IDS is dead" report, as it is popularly known, only served as a kick-off element of this probable transition, as mentioned in the previous section.

Deep Packet Inspection Debut

There are two types of products, different but similar, using DPI. First, we have firewalls that have implemented content-inspection features present in IDS systems. Second, we have IDS systems working with an in-line positioning approach, intended to protect the networks instead of just detecting attacks against them.

First, with regard to firewalls that have incorporated IDS features, there are two key technologies making this possible: pattern (signature) matching and protocol anomaly detection. The first approach incorporates a database of known network attacks and analyzes each packet against it. As previously mentioned, success in the protection is normally obtained only for known attacks, which have signatures previously stored in the database. The second approach, protocol anomaly, incorporates a key security principle, already mentioned in the first section, known as default deny. The idea is, instead of allowing all packets whose content does not match the signatures database, to define what should be allowed, based on the definitions of how the protocol works. The main benefit is to block even unknown attacks. Because the time window between the discovery of a new vulnerability and its exploitation by tools or worms has dramatically decreased, this ability can be considered almost indispensable nowadays.
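The two detection approaches side by side, as an added illustration (not code from the article or from any product): a signature engine that permits anything not matching a stored pattern, a protocol-anomaly engine that permits only what a simplified HTTP request-line grammar allows, and the DPI combination of both. The signature database, the policy limits and the sample request lines are all constructed.

```python
import re

# Constructed signature database: patterns of previously seen attacks.
SIGNATURES = {
    "directory traversal": re.compile(r"\.\./"),
    "cmd.exe invocation": re.compile(r"/cmd\.exe", re.IGNORECASE),
}


def signature_verdict(request_line: str):
    """Default allow: block only when a stored signature matches."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(request_line):
            return ("block", f"signature: {name}")
    return ("allow", None)


# Protocol definition for the anomaly engine: a simplified HTTP/1.x
# request line, "method SP request-target SP HTTP-version", restricted to
# the methods, characters and lengths this constructed policy accepts.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
VERSION_RE = re.compile(r"^HTTP/1\.[01]$")
TARGET_RE = re.compile(r"^/[A-Za-z0-9._~!$&'()*+,;=:@%/?-]*$")
MAX_TARGET_LEN = 2048   # constructed policy limit


def anomaly_verdict(request_line: str):
    """Default deny: allow only what the protocol definition permits."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        return ("block", "request line is not 'method target version'")
    method, target, version = parts
    if method not in ALLOWED_METHODS:
        return ("block", f"method {method!r} not allowed")
    if not VERSION_RE.match(version):
        return ("block", f"unsupported version {version!r}")
    if len(target) > MAX_TARGET_LEN:
        return ("block", "request-target longer than policy allows")
    if not TARGET_RE.match(target):
        return ("block", "request-target outside the allowed grammar")
    return ("allow", None)


def dpi_verdict(request_line: str):
    """The combination the article describes: either engine may block."""
    for verdict in (anomaly_verdict(request_line), signature_verdict(request_line)):
        if verdict[0] == "block":
            return verdict
    return ("allow", None)


# Constructed request lines: one legitimate, one matching a known
# signature, and two that no signature covers but that violate the grammar.
SAMPLES = {
    "normal": "GET /index.html HTTP/1.1",
    "known traversal": "GET /../../etc/passwd HTTP/1.0",
    "oversized target": "GET /" + "A" * 3000 + " HTTP/1.1",
    "disallowed method": "TRACK /index.html HTTP/1.1",
}


def compare(samples=SAMPLES):
    """Return {name: (signature decision, anomaly decision, DPI decision)}."""
    return {
        name: (signature_verdict(line)[0], anomaly_verdict(line)[0], dpi_verdict(line)[0])
        for name, line in samples.items()
    }


if __name__ == "__main__":
    for name, (sig, anom, dpi) in compare().items():
        print(f"{name:18s} signature={sig:5s} anomaly={anom:5s} dpi={dpi}")
```

The traversal row shows why DPI devices keep both engines: a dot-segment is grammatically valid HTTP, so the anomaly engine alone passes it, while the oversized and TRACK requests have no signature and are stopped only by default deny.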

Additionally, this reduction in the time frame for exploitation forces companies to pay more attention to their patch management procedures. This creates a painful dilemma: should they apply patches as soon as possible, without adequate testing, exposing them to availability problems arising from problematic patches, or should they test patches before applying, exposing them to the vulnerability exploitation risk during the test period? This management concern has been explored by DPI vendors. Some claim [4] that their products can protect companies from attacks, giving them the ability to test patches adequately, applying them then whenever possible. These claims have strong marketing appeal, but a poor security vision. The connection to the Internet is not the only source of problems that could exploit unpatched systems, although it is the primary one.

Some well-recognized security experts [5] argue that the protocol-anomaly approach is not the best implementation of the default-deny approach for network security purposes. From their point of view, proxies are much better in terms of performance. Curiously, vendors such as CheckPoint have abandoned mixed architectures that used stateful inspection and transparent application-level gateways, moving towards DPI approaches. [6] This may suggest that proxy-only solutions could have even more problems, although it is very questionable.

Besides the firewall/IDS combination, there are a number of solutions marketed as IPS that also implement DPI technologies. Generally speaking, IPS are in-line IDS. They have almost the same capabilities, but IPSs can block attacks in real time if they are detected. Careful and conservative policies are implemented with the purpose of avoiding one of the key limitations of IDS systems: false positives. Using their IDS systems as a comparison parameter, several customers were reluctant to purchase IPSs, fearing that they could block legitimate traffic.

Another mechanism commonly implemented for avoiding possible availability problems related to IPS malfunctioning is the network pass-through. In case of any problem in the IPS, such as a power supply failure, the pass-through mechanism will connect the network cables directly, maintaining network connectivity. Although this is a desired feature for a device used in combination with a firewall, it should never be implemented in a firewall itself. It is an approach against a basic security engineering concept known as fail-safe. According to fail-safe, security components should fail in a way that does not compromise their security goals. In practical terms, firewalls that implement this concept should not allow any traffic if problems arise, as opposed to allowing everything.

In general, IPSs can identify and block many more attacks than firewalls with embedded IDS functionalities. Additionally, they usually do not have the same filtering capabilities and administration features present in products that used to be simple firewalls in the past. But the fact is that both combinations have been improved to overcome their limitations, producing very broad network security solutions. A number of new technologies are also being embedded in those new products. Some examples include:

- Anti-spam filters
- Malware analysis
- URL filtering
- Virtual private networks
- Network address translation
- Server and link load balancing
- Traffic shaping.

Besides the numerous benefits of the single-box approach, the drawbacks from the security point of view should not be ignored. Since the early days of network security, defense in depth has been almost unanimously accepted. The combination of multiple security controls that complement each other, following solid architectural security principles, increases security and creates resiliency, thereby allowing a longer time frame for detecting and responding to attacks before they reach the most valuable information assets, usually the internal servers.

Additionally, there exists a second problem, not less relevant, related to availability. Single-box designs inherently create single points of failure. Fortunately, this problem is not so hard to solve, and several vendors have hot-standby and cluster options for their DPI solutions.

Other Issues

The initial convergence of technologies that produced the first so-called DPI devices was involved in a paradox. Part of it was possible due to new hardware improvements. However, hard-coding security analysis in chips would prevent vendors from quickly and effectively responding to new demands. This supposed limitation was heavily exploited by vendors producing software-based solutions. [7]

At the same time, most of these answers from vendors are, basically, updates to their signature databases. A great part of these updates would be unnecessary with a truly effective and well-implemented default-deny approach, using protocol-anomaly technologies. This raises the question of whether the signature approach is more interesting to vendors than it is to their customers, who must depend on software subscriptions and update services to keep their structures running. Formal research on the network attacks discovered in the last few years could be helpful in measuring the real effectiveness of the protocol-anomaly approach and answering this question more precisely.

Nevertheless, innovative approaches in network hardware appliances seem to be producing solutions to this dilemma, allowing the creation of devices with good performance, while keeping their ability to receive updates from external sources. This is being achieved through packet analysis optimization methods, which unify hardware and software technologies for parallelizing filters and verifications.

Another architectural issue, but a broader one, is the fact that the migration of IDS-like technologies to access-control devices has almost totally ignored other very relevant and important aspects of intrusion detection as a whole. Those aspects are related to host-based IDSs and the correlation of events generated by them with network-based captured data. Several vendors of DPI technologies do not have host-based protection or even detection systems. The path that had been followed by IDS systems, with the objective of improving their detection capabilities, was almost interrupted.

Some attack behaviors can only be detected, or at least more precisely detected, by correlating host and network captured data. Host-based systems can understand local vulnerabilities and analyze the consequences of an attack, besides detecting that the packet was malicious.

This kind of feature is very desirable, especially considering that secure application protocols, designed for providing end-to-end security, seem to be a trend. Furthermore, any type of encryption on the transport or network layer would compromise almost every functionality of DPI technologies, except for basic filtering.

This phenomenon, among other things, has led to the popularization of a radical security approach, known as de-perimeterization. This concept, also known as boundary-less information flow, is not new, but is now being seriously researched and supported by a number of companies and vendors worldwide. [8] The idea is to gradually remove most perimeter security barriers and focus more on secure protocols and data-level authentication, extensively using encryption for achieving these goals.

Only the future will prove if totally removing perimeters is a reasonable approach, but the people that support the de-perimeterization concept do exist today. Most VPN clients, for example, have personal firewall capabilities whose objective is to protect laptops frequently connected directly to the Internet when they leave the corporate network. Critical servers often have host-based IDS solutions that can, in a number of ways, protect against some attacks in real time, besides detecting them, working like a device that could be called a host-based IPS.

Those examples can be clear signals that a multilayer approach, also considering the protection of hosts using technologies that used to be available only for network security, will prevail in the medium and long terms. Integrated management solutions are probably going to be implemented to allow the administration of those layers in a centralized way, reducing the TCO and improving the effectiveness of the solutions.

Conclusion

DPI technologies are based on a number of old approaches that used to be implemented by different devices. Hardware and software advances have allowed the convergence of those approaches into single-box architectures that increase the security provided by them and make their administration easier.

However, single-box architectures lack defense in depth, a key network security concept that has been used for [...] compromise network availability. Nevertheless, both can be solved using technology largely available from most vendors and correct security design principles, implementing network perimeters according to the specific security needs of each network. The popularization of the use of protocols with native encryption reduces the effectiveness of such solutions, but does not make them dispensable. Integrated approaches, using intrusion prevention controls, that normally include DPI, both at host and network levels, will probably be the best approach in the medium and long terms.

References

1. Skype Technical FAQ, http://www.skype.com/help/faq/technical.html (accessed October 27, 2006).
2. Pescatore, J., Stiennon, R., and Allan, A. Intrusion detection should be a function, not a product. Research Note QA-20-4654, Gartner Research, July 2003.
3. Messmer, E. Security Debate Rages. Network World, October 6, 2003, http://www.networkworld.com/news/2003/1006ids.html (accessed October 27, 2006).
4. Tipping Point Intrusion Prevention Systems, http://www.tippingpoint.com/pdf/resources/datasheets/400917-002_TP-IPS.pdf (accessed October 27, 2006).
5. Ranum, M. 2005. What is 'Deep Inspection.' http://www.ranum.com/security/computer_security/editorials/deepinspect/
6. Check Point Software Technologies Ltd, Check Point Application Intelligence, February 22, 2006, http://www.checkpoint.com/products/downloads/applicationintelligence_whitepaper.pdf (accessed October 27, 2006).
7. Check Point Software Technologies Ltd, The Role of Specialized Hardware in Network Security Gateways, http://www.checkpoint.com/products/downloads/downloads/Specialized_Hardware-WP.pdf (accessed October 27, 2006).
8. The Open Group, The Jericho Forum, http://www.opengroup.org/jericho/ (accessed October 27, 2006).


From Information Security Management Handbook, Sixth Edition, Volume 3, edited by Harold F. Tipton and Micki Krause. New York: Auerbach Publications, 2009.

    Copyright 2009-2011 Auerbach Publications
