Forrester: Deep Packet Inspection As An Enabling Technology
While the market needs to mature, Chenxi Wang says deep packet inspection can provide much more than just security benefits
Timely article. DPI features are mostly found in expensive and complex control appliances: Secure Web Gateway, Data Loss Prevention, IPS and so forth. If someone is curious about what content is flowing in and out of their network, there are few choices available to them without having to drag one of these boxes onto the scene and reconfigure everything. There are some open source tools: Mix one part geek with 10x time and 20x money. Shake vigorously. Provide at least 7 days' notice. Results will vary.
I'm still amused by the marrying of DPI with control. "How cool would it be if we could detect and stop it?" The idea that a piece of technology can identify content on the fly and control it is fun and mostly folly. I cite anti-virus as an example. If new viruses get by a scanner on a regular basis, which happens, then metering an entire English lexicon, ripping and filtering each word at wire speed and trying to effect control leaves me feeling a little dazed and confused. Language is much more complex than virus code. The idea that a machine can understand what's happening while executives can't even communicate well speaking face-to-face... Well, you get the picture.
Also, I question this idea of a DLP product identifying an email containing confidential info and stopping it at the perimeter. Hasn't the breach already occurred? The breach occurred when an uninformed or malicious user made the choice to do so. This is where policy compliance, enforcement and user education begin. Installing hardware to cull words from the wire is, at best, only a partial solution. It could even be considered closing the barn door after the horse has left. Security is a process: Horse. Door. Someone watching, tending to and feeding the horse. You can't automate compliance.
I agree that deep packet inspection is needed but is mostly poorly understood by the market. I know many IT professionals who review native device logs to verify system effectiveness. They don't believe a device-independent tool will tell them anything more than they can get by reviewing logs. My reply: no control technology will tell you what it missed. These discrete devices provide only limited visibility into network activity. They don't show what's happening. And most don't offer ANY CONTENT DETAIL. It's usually only connection-level detail. Personally, this is not enough information to do the job well or very efficiently. But who am I to call out the IT guys? Don't they already have enough work on their plates? Perhaps. But if I have to work extra hard so should they. Actually, they should have to show their work and stop hiding behind the wall of technology obfuscation. Start talking in business-speak so everyone can understand. Perhaps even start talking about how IT delivers an ROI and bottom-line contribution? Hmmm?
I'm all about having an open discussion about deep packet inspection because our solution does it pretty darn well. It's exceptionally easy to use. It's very powerful and scalable. It doesn't require a lot of CPU. In fact, it'll run on a pretty modest box and profile thousands of concurrent devices without breaking a sweat. And it also costs less than sending one technician to a one-week Check Point firewall refresher course, excluding travel and meals.
You don't know what you're missing until you actually look at everything!
www.congruitytech.com
I agree this is an interesting and informative article and the comment about DPI being an enabling technology for subscription-based services is spot on and is an area that Syphan and other vendors are targeting with success.
I would however, challenge the view that DPI technology necessarily works by first reassembling packets into network flows. This is a performance and scalability limiting feature of current-generation DPI products. Flow re-construction offers the same capabilities but in a much more scalable and higher performance way.
The inefficiencies of inspecting a packet multiple times, often using similar DPI functions, for different applications, either across multiple boxes or blades in a chassis, are also an interesting issue, and one that hopefully more of the vendors will seek to address.