Avoiding the Pitfalls of Purpose: The Case for Deep Packet Inspection
The deep packet inspection market is expected to experience substantial growth over the next four years, but what’s driving corporate interest?
The technology itself is straightforward: Instead of simply examining packet headers, deep packet inspection (DPI) goes deeper to analyze the contents of any packet passing through specific checkpoints—typically firewalls—and can make real-time decisions about what happens to these packets based on enterprise or ISP rules. For some companies, the switch to DPI comes with specters of performance issues and potential problems. But there’s a huge advantage to DPI: Detecting and stopping attacks that could cause massive network damage.
Deep packet inspection “is an advanced method of examining and managing network traffic. It is a form of packet filtering that locates, identifies, classifies, reroutes, or blocks packets with specific data or code payloads.” It’s a necessary improvement over conventional packet analysis because attackers are getting better at hiding malicious payloads in plain sight and slipping them past digital gatekeepers, which only examine packet headers. Occupying the application layer of the Open Systems Interconnection (OSI) reference model, DPI tools are typically used as part of firewall solutions to reduce total risk.
It’s no surprise that DPI analysis is bandwidth and processor intensive, since these tools are handling far greater data volumes and must analyze code inside packets to determine if they pose a threat or can continue to their destination. There’s also concern over interaction with legacy tools: Some firewalls simply aren’t designed to support deep packet inspection, prompting worry about sudden performance drops or total failure of protective network systems.
The Case for Complete Analysis
So, is implementing deep packet inspection really worth it? Consider recent attack examples:
Starbucks patrons at a branch in Buenos Aires recently had their devices in November 2017 hijacked to mine cryptocurrency for hackers. What happened? A public WiFi connection in the café wasn’t being offered by the business itself but by malicious actors—when users connected, the network forced a 10-second delay during which user computer processing power was co-opted to mine the cryptocurrency Minero. DPI used here could have revealed the real intentions behind this seemingly benign coffee shop offering.
Meanwhile, a hacker group named MoneyTaker has successfully stolen assets from U.S., U.K. and Russian banks using a combination of point-of-service malware, keyloggers and screen capture tools along with the Citadel and Kronos banking Trojans. What’s more, these hackers are experts at wiping away any traces of their activities once they’re done taking what they want, making it difficult for banks to effectively respond. Advanced DPI tools offer the potential for defensible front lines—strange packet data could prompt immediate quarantine and help banks avoid becoming the next potential victim.
Mention of the Mirai botnet still sends shivers up the spines of many IT experts; the Internet of Things attack brought down critical pieces of the Internet’s backbone infrastructure and delivered the biggest DDoS attack to date. The botnet was the work of three college students looking to gain an advantage in the online game “Minecraft.” Once they realized the power of their creation, however, they decided to expand operations and caused massive chaos. The essential component of their attacks? Insecure IoT devices they recruited to act as bots.
The value of DPI here would be taking a hard look at incoming traffic requests: Why are 50,000 cameras and printers all trying to access corporate networks at the same time? While header analysis might not yield anything of value, deep packet inspection could have helped mitigate Mirai before damage got out of hand.
Easing Performance Worries
So how do companies leverage deep packet inspection without crippling current security services? AppNeta provides simplified deployment that doesn’t require specific hardware, device reconfiguration, third-party flow collection and a software server. Instead, companies plug in and start monitoring with no servers to manage. You get the ability to perform remote packet captures and resolve the hostnames of local systems across DHCP and DNS systems, and can leverage custom application definitions to account for unique apps that fall outside our continually updated 2,000-app list.
The result? Packet transparency: Get alerts when application patterns or overall usage changes, and get details like protocol dissection, pattern matching and semantic awareness. And since our DPI tool doesn’t require on-site hardware or server management, you get all the benefits of better packet inspection without worrying about performance or integration issues.
Bottom line? Packets have purpose. Knowing the header gives you cursory knowledge of a packet’s intention, but real security stems from deep analysis. Use deep packet inspection to discover exactly what’s happening on your network—right now. Contact AppNeta today for a demo and see how DPI can help you.