Deep Packet Inspection – Is It Enough?

Thursday, June 7, 2018
Deep Packet Inspection

Security analysts oftentimes feel that Deep Packet Inspection (DPI) is a fundamental requirement for detecting malware and tracking network data loss. This tried and tested method has been around since the early 2000s and it absolutely does have merit, but is it sufficient by itself to prevent inbound threats and track data exfiltration?

In it’s heyday, Deep Packet Inspection reigned superior across firewalls, intrusion prevention systems, and secure web gateways. These technologies needed to process network packets as efficiently as possible to reduce any network delay. Security was built into these applications in the form of packet inspection. Since threat analysis with minimal network latency was the ultimate focus –analysis was contained to the contents of a single packet.

Deep packet inspection implies the ability to examine packet headers such as TCP/UDP headers and throughout the evolution of DPI, techniques have been improved to analyze the packet payload and extract valuable information – including web addresses and user attributes. Regardless of the development though, the decision is always limited to a singular packet.

Deep Packet Inspection does have a distinct value in today’s world of modern threats. It was, and still is, an effective method of detecting security issues such as DDoS attacks, SQL injection attempts, and buffer overflow attacks. These are all examples of threats within the packet and DPI works great with anything that requires flow-based analysis to detect communication to or from known threat actors.

There is however a key limitation of this technology that should be considered when developing the modern network security architecture – there is a fundamental visibility gap. This is because within the context of a single packet, the ability to inspect the content itself is limited. With this technique you can read the packet content to determine a character set – for example English, Chinese, or Russian – and extract a domain name or URL. However, it’s incredibly difficult to extract the actual content within the packet – such as embedded binary and textual data that represents threats and data leakage. This means that the host computer receiving the network data can’t do anything with the packets beyond reassembling them into content useful for the specific application. If you need to secure content, you need a security process that can understand the content in the same way as the host computer that will use it.

So, how do you plug this critical gap? Deep Packet Inspection technology has proven to be a necessary, but insufficient means to defend against cyber-attacks. Defense against network threats requires visibility into content and context. Are there any technologies that can overcome the visibility restrictions of Deep Packet Inspection and provide additional content-focused context? Rebuilding network traffic into application level content and then decoding it to extract valuable insight is critical to detecting content-focused security issues such as detection of malware and data breaches.

Fidelis Cybersecurity has patented one such technology – Deep Session Inspection® (DSI).  Deep Session Inspection was designed to overcome this shortcoming and act as the host computer to reassemble the network traffic into application content. DSI is conceptually similar to endpoint protection and its capabilities can be applied to network choke points, email systems, proxied traffic, and at internal data center access points. In addition to its protection capabilities, DSI also offers the ability to monitor all network activity and record metadata that can be used as the basis of manual or machine-automated analysis. Learn more about Deep Session Inspection (DSI) and how it can provide an additional layer of visibility in our next blog.

- Kaustubh Jagtap
Product Marketing Manager