Network Security Essentials: Deep Packet Inspection
It's a truism that the Internet has transformed the way we think, share knowledge, do business, communicate, and interact. But along with all of its marvelous benefits the Internet has spawned unique problems as well -- spam and malware being two of the most notable.
According to Forrester security analyst Rick Holland, traditional security solutions, such as Web gateways and filtering solutions, aren't doing a good job of protecting enterprises from today's complex threats.
"Most of the breaches we've seen this year have come via e-mail; a person clicks on a malicious link that takes them via outbound Web to a malicious server, and then they download software," he said. "These blended threat e-mails are getting in and the traditional content security solutions aren't doing a good job of stopping them."
The most promising development on the security technology side, according to Holland, is deep packet inspection. "Deep inspection into the packets so they can see what's going on is absolutely vital. Because the traditional signature-based antivirus and reputation-based filtering just aren't going to cut it against the threats we deal with today," he explained.
The logical place to deploy security apparatus, according to Cassio Sampaio, assistant vice president of Product Management at Sandvine Corporation, a Waterloo, Ontario-based vendor of network policy control infrastructure, is in the service provider network.
"The service provider is best positioned to make the networks cleaner and safer to the end user," he said. "Being the last mile, being closer to the subscriber really enables those networks to take those infections, to take those malicious activities out of the network, either before they leave the service provider premises, or before they enter the client premises."
The unblinking eye
According to Sampaio, new network-based technologies that have evolved over the past several years have really changed the game. "Now more things can be done on the network level. The increased processing capacity in the technology now allows very large networks to be fully monitored and policed in terms of security threats."
Sandvine's network elements, for example, have the ability to scale -- in a single network point -- to "many hundreds of gigabits of traffic inspection and policy enforcement per second," Sampaio said.
While traditional scanning for malware signatures still has its place in network security, it's helpless against today's more sophisticated threats.
"Botnets and those sorts of technologies have become incredibly smarter," Sampaio explained. "They're able to work using encrypted channels, using a distributed architecture almost like a distributed brain where multiple elements that communicate with each other will organize an attack in a very stealth manner."
And given that so much malware is encrypted, it is network behaviors that give away the culprits. "By inspecting 100 percent of the traffic, we can correlate the behavior of the network activity, and by looking at that behavior, we can start to enable some triggers that indicate that some malicious activity is happening," he said.
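The behavioral correlation Sampaio describes can be made concrete with a small example. The following is an added illustration, not Sandvine's code: it runs two behavioral triggers over constructed flow metadata (timestamps, endpoints, ports, byte counts, with no payload at all), flags scheduled check-ins by the regularity of their intervals and flags a host that touches many peers on one port in a short window, and correlates both into a per-host verdict. The thresholds, the flow records and the hypothetical IP addresses are all assumptions chosen for the demonstration.

```python
"""Behavioral triggers over flow metadata (constructed sample data).

Added example; not Sandvine's or Wedge's code. It illustrates the point in
the text that, when payloads are encrypted, connection behavior across the
whole traffic set can still be correlated into detection triggers.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_seconds, src_ip, dst_ip, dst_port, bytes_out)
FLOWS = [
    # host A checks in with one external host every ~60 s with tiny payloads
    (0,   "10.0.0.5", "203.0.113.9", 443, 420),
    (60,  "10.0.0.5", "203.0.113.9", 443, 418),
    (121, "10.0.0.5", "203.0.113.9", 443, 421),
    (180, "10.0.0.5", "203.0.113.9", 443, 419),
    (240, "10.0.0.5", "203.0.113.9", 443, 420),
    # host B browses normally: irregular intervals, varied sizes
    (5,   "10.0.0.7", "198.51.100.2", 443, 15000),
    (9,   "10.0.0.7", "198.51.100.3", 443, 2300),
    (47,  "10.0.0.7", "198.51.100.2", 443, 90000),
    (300, "10.0.0.7", "198.51.100.4", 443, 1200),
    # host C touches 30 distinct hosts on one port within half a minute
    *[(10 + i, "10.0.0.9", f"192.0.2.{i}", 445, 60) for i in range(1, 31)],
]

def beacon_candidates(flows, min_conns=4, max_jitter=0.1):
    """Return {(src, dst): period} for pairs whose connection intervals are nearly constant.

    jitter = stdev(intervals) / mean(intervals). Human browsing is bursty (high
    jitter); scheduled check-ins cluster tightly around one period. Thresholds
    are assumed values for this demonstration.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _port, _nbytes in flows:
        by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        intervals = [b - a for a, b in zip(stamps, stamps[1:])]
        m = mean(intervals)
        if m > 0 and pstdev(intervals) / m <= max_jitter:
            hits[pair] = round(m, 1)
    return hits

def fanout_candidates(flows, window=60, min_dsts=20):
    """Return {(src, port): n} for sources reaching >= min_dsts distinct hosts on one port within window seconds."""
    by_src_port = defaultdict(list)
    for ts, src, dst, port, _nbytes in flows:
        by_src_port[(src, port)].append((ts, dst))
    hits = {}
    for (src, port), events in by_src_port.items():
        events.sort()
        # Sliding window anchored at each event; stop at the first window that trips the threshold.
        for i in range(len(events)):
            start = events[i][0]
            seen = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(seen) >= min_dsts:
                hits[(src, port)] = len(seen)
                break
    return hits

def correlate(flows):
    """Combine both triggers into one verdict list per source host."""
    verdicts = defaultdict(list)
    for (src, dst), period in beacon_candidates(flows).items():
        verdicts[src].append(f"periodic check-in to {dst} every ~{period}s")
    for (src, port), n in fanout_candidates(flows).items():
        verdicts[src].append(f"{n} distinct hosts on port {port} within 60s")
    return dict(verdicts)

if __name__ == "__main__":
    for host, reasons in correlate(FLOWS).items():
        print(host, "->", "; ".join(reasons))
```

Only hosts A and C trip a trigger; host B, whose intervals are irregular and whose destination count is small, produces nothing. The point is that neither trigger reads a single payload byte, which is what makes this class of detection usable on encrypted traffic.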
Moreover, it is crucial that this inspection process not degrade the end-users' Web experience. Sandvine's system "has been designed from day one to be deployed in-line in high-speed networks, introducing the minimum possible switching type of latency to the network," Sampaio asserted. "We're talking about micro-seconds, not milliseconds of latency being introduced."
A very similar outlook was expressed by Hongwen Zhang, president and CEO of Wedge Networks, a Calgary, Alberta-based provider of security-as-a-service that boasts a customer list including numerous large ISPs throughout India and Asia.
With the stated goal of defending service provider networks from intrusion, spam and malware, "We see the major technical requirement as trying to get more visibility into what we have moving through the network, so the network resources can be better utilized, and the user satisfaction can be guaranteed," Zhang said.
Like Sandvine, Wedge Networks deploys a combination of signature scanning and intensive traffic inspection for network behaviors on its own patented infrastructure, but it takes this perhaps a step farther.
"As service providers, we can command something beyond the traditional deep packet inspection. We call this deep content inspection meaning we understand not just what an individual packet carries through but also understand the content part that is being carried through," Zhang explained.
That is, Wedge's technology tracks content streams rather than isolated packets, distinguishes between various types of HTTP applications, and does so at "line speed," so no significant latency is introduced.
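The difference between inspecting individual packets and inspecting the content they carry, as described in the two paragraphs above, is easy to show. The following is an added example, not Wedge's or Sandvine's code: a constructed HTTP response is cut into TCP-like segments so that a detection pattern straddles a segment boundary, and the segments are delivered out of order. A per-packet matcher finds nothing; a stream reassembler that restores byte order, parses the HTTP header block and scans the body finds the pattern and reports the content type. The pattern, the flow endpoints and the segment boundaries are assumptions for the demonstration, and the reassembler assumes segments neither overlap nor repeat.

```python
"""Per-packet versus stream-level inspection (constructed sample traffic).

Added example; not Wedge's or Sandvine's code. A pattern split across TCP
segments, or delivered out of order, is invisible to a matcher that only
looks at one packet at a time.
"""
import re
from dataclasses import dataclass

# Constructed detection pattern; a real engine loads signatures from a feed.
SIGNATURE = re.compile(rb"DROPPER-TEST-STRING")

@dataclass(frozen=True)
class Segment:
    """Minimal TCP-like segment: a flow key, a byte offset and the payload."""
    flow: tuple     # (src, sport, dst, dport)
    seq: int        # byte offset of payload[0] within the stream
    payload: bytes

# Constructed HTTP response carrying the pattern. Header block is 59 bytes;
# the pattern occupies stream bytes 68..87, so a cut at 74 splits it in two.
BODY = (b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: application/octet-stream\r\n\r\n"
        b"...binaryDROPPER-TEST-STRINGbinary...")
FLOW = ("203.0.113.9", 80, "10.0.0.5", 51000)   # hypothetical endpoints

def segmentize(data, flow, cuts):
    """Split data at the given byte offsets into Segment objects."""
    bounds = [0, *cuts, len(data)]
    return [Segment(flow, a, data[a:b]) for a, b in zip(bounds, bounds[1:])]

SEGMENTS = segmentize(BODY, FLOW, [59, 74])
# Delivered out of order: headers, then the tail, then the middle piece.
ARRIVAL_ORDER = [SEGMENTS[0], SEGMENTS[2], SEGMENTS[1]]

class StreamReassembler:
    """Buffers segments per flow and returns the contiguous prefix seen so far.

    Simplification: assumes no overlapping or retransmitted segments.
    """
    def __init__(self):
        self.pending = {}    # flow -> {seq: payload} not yet contiguous
        self.next_seq = {}   # flow -> next expected byte offset
        self.data = {}       # flow -> reassembled bytes so far

    def feed(self, seg):
        flow = seg.flow
        self.next_seq.setdefault(flow, 0)
        self.data.setdefault(flow, b"")
        self.pending.setdefault(flow, {})[seg.seq] = seg.payload
        # Drain every buffered segment that is now contiguous with the prefix.
        while self.next_seq[flow] in self.pending[flow]:
            chunk = self.pending[flow].pop(self.next_seq[flow])
            self.data[flow] += chunk
            self.next_seq[flow] += len(chunk)
        return self.data[flow]

def per_packet_scan(segments):
    """Naive inspection: match the signature inside each packet on its own."""
    return [s.seq for s in segments if SIGNATURE.search(s.payload)]

def content_type_of(header_block):
    for line in header_block.split(b"\r\n"):
        if line.lower().startswith(b"content-type:"):
            return line.split(b":", 1)[1].strip().decode()
    return "?"

def stream_scan(segments):
    """Content-level inspection: reassemble, parse the HTTP header block, scan the body."""
    reassembler = StreamReassembler()
    findings = []
    for seg in segments:
        stream = reassembler.feed(seg)
        head, sep, body = stream.partition(b"\r\n\r\n")
        if not sep:
            continue   # header block not complete yet
        match = SIGNATURE.search(body)
        if match:
            findings.append((seg.flow, content_type_of(head), match.start()))
            break
    return findings

if __name__ == "__main__":
    print("per-packet hits:", per_packet_scan(ARRIVAL_ORDER))
    print("stream hits:    ", stream_scan(ARRIVAL_ORDER))
```

With the constructed input the per-packet scan returns an empty list, while the stream scan reports one finding with the content type from the reassembled headers and the pattern's offset inside the body. The same buffering is what lets an engine tell one HTTP application from another: the headers that identify the application may arrive in a different segment from the body they describe.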
In Wedge's view, ISPs and MSPs are not only obliged to secure the Internet from a practical standpoint so that their networks aren't overwhelmed by malicious content but offering reliable security is a plus from a customer satisfaction perspective as well.
"As the demand for network security systems grows, ISPs are beginning to sell security as an advantage to customers," Zhang said. He went on to predict that the security-as-a-service market will continue to expand rapidly as ISPs come to treat security not only as protection for their own infrastructure but as a marketable differentiator for customers.
[Correction: It was originally reported that Telus and Rogers in Canada, and AT&T in the U.S., were customers of Wedge Networks. That is not the case.]