Deep Packet Inspection

Network Visibility and Deep Packet Inspection (DPI) Deliver Better Threat Detection Together

Most modern cybersecurity strategies feature deep packet inspection (DPI) capabilities that help to find and flag potential cyber threats faster. After a quick update on DPI, we’ll see how network visibility makes DPI more powerful and efficient and how you can leverage these capabilities together to keep data safe in the cloud and in the age of AI.

What is DPI?

DPI looks at the content of individual data packets traversing your network to uncover potential cyberthreats. As the name implies, DPI takes a closer look at the traffic than stateful packet inspection methods that only inspect the basic forwarding data contained in the packet’s header.

Security tools that perform DPI, sometimes called ‘packet sniffing,’ examine the header, the contents, and the metadata associated with data packets as they pass through a monitoring tool or through certain points on the network. With a more thorough analysis of the data stream, DPI finds hidden threats and recognizes attempts to exfiltrate data, as well as policy violations and indicators that malware may be present.

DPI complements basic packet filtering

Basic packet filtering reads the data contained inside packet headers, an efficient approach that avoids overtaxing traditional firewalls and wasting processing resources. Newer tools that perform or integrate DPI functions can filter entire network packets to obtain deeper insight. Together, the two capabilities fuel more granular analysis, so long as they work efficiently in tandem.

How DPI works

DPI gives administrators and service providers the flexibility they need to define rules concerning packet inspection and what happens next when the tool uncovers anomalies. For example, upon spotting a potential threat in the header or contents of a packet, the DPI feature may then attempt to identify the application or service that launched the transmission. Some DPI tools go so far as to reroute traffic from a suspicious IP address.

Modern firewalls and intrusion detection systems (IDS) perform DPI using a variety of techniques like protocol anomaly detection, intrusion prevention, and pattern or signature matching. Protocol anomaly detection uses an approach referred to as “default deny”: traffic is checked against the expected behavior of the protocol it claims to be, and content is allowed to pass only when it conforms to preset protocols. Only content that fits the acceptable profile gets through.

What is an IPS solution?

An intrusion prevention system (IPS) solution can block threats in real time, and some IPS solutions also use DPI. One challenge, however, is that IPS solutions may issue false positives. Establishing conservative policies helps to curb excessive IPS blocking and avoid generating false-positive alerts.

With pattern or signature matching, the contents of a data packet are analyzed and compared against a database of previously identified threats. This works well with continuous and timely threat intelligence, but even so, brand new attacks may at first go undetected since there is no established pattern to compare them against.
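The three stages described in this section (header-only filtering, protocol anomaly detection with default deny, and signature matching) as an added Python example written for this article; it is not code from the original post or from Keysight. The signature patterns, the allowed-port policy, the strict HTTP/1.x grammar, and the sample packets are all constructed for the example, and the packet builder leaves checksums at zero since nothing here sends them on a wire.

```python
import re
import socket
import struct
from typing import NamedTuple

# Constructed signature database. A real DPI engine loads these from a threat-intelligence
# feed; the patterns here are placeholders invented for this example.
SIGNATURES = [
    ("constructed-beacon-1", b"EXAMPLE-MALWARE-BEACON"),
    ("constructed-exfil-marker", b"BEGIN-EXFIL-BLOB"),
]
ALLOWED_PORTS = {80, 443}  # hypothetical header-level policy for this example

# Strict HTTP/1.x request grammar: anything that does not match is denied by default.
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD) /[\x21-\x7e]* HTTP/1\.[01]$")
HEADER_LINE = re.compile(rb"^[A-Za-z0-9-]+: [\x20-\x7e]*$")


class Packet(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


class Verdict(NamedTuple):
    action: str   # "allow" or "deny"
    reason: str


def build_ipv4_tcp(src, dst, sport, dport, payload):
    """Build a minimal IPv4+TCP packet for the demo (checksums left zero)."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(frame):
    """Walk the IPv4 and TCP headers to locate the payload that DPI inspects."""
    if frame[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    if frame[9] != 6:
        raise ValueError("not TCP")
    tcp = frame[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return Packet(socket.inet_ntoa(frame[12:16]), socket.inet_ntoa(frame[16:20]),
                  sport, dport, tcp[data_off:])


def http_anomaly(payload):
    """Protocol-anomaly check with default deny: return a reason, or "" if the request conforms."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return "no end-of-headers marker"
    lines = head.split(b"\r\n")
    if not REQUEST_LINE.match(lines[0]):
        return "request line does not match HTTP/1.x grammar"
    for line in lines[1:]:
        if not HEADER_LINE.match(line):
            return "malformed header line"
    return ""


def inspect(frame, signatures=SIGNATURES):
    pkt = parse_ipv4_tcp(frame)
    # Stage 1: header-only filtering, the part a basic packet filter already does.
    if pkt.dport not in ALLOWED_PORTS:
        return Verdict("deny", f"port {pkt.dport} not permitted by header policy")
    # Stage 2: protocol anomaly (default deny) for protocols we have a grammar for.
    if pkt.dport == 80:
        reason = http_anomaly(pkt.payload)
        if reason:
            return Verdict("deny", f"protocol anomaly: {reason}")
    # Stage 3: signature matching over the payload. On port 443 the payload is TLS
    # ciphertext, so plaintext signatures cannot match unless decryption happens upstream.
    for name, pattern in signatures:
        if pattern in pkt.payload:
            return Verdict("deny", f"signature match: {name}")
    return Verdict("allow", "")


if __name__ == "__main__":
    samples = {  # constructed traffic, one packet per outcome
        "clean": build_ipv4_tcp("10.0.0.5", "203.0.113.10", 40000, 80,
                                b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
        "anomaly": build_ipv4_tcp("10.0.0.5", "203.0.113.10", 40001, 80,
                                  b"\x16\x03\x01\x00\x05hello"),
        "sig": build_ipv4_tcp("10.0.0.5", "203.0.113.10", 40002, 80,
                              b"POST /up HTTP/1.1\r\nHost: example.com\r\n\r\nBEGIN-EXFIL-BLOB"),
        "port": build_ipv4_tcp("10.0.0.5", "203.0.113.10", 40003, 23, b"login"),
    }
    for name, frame in samples.items():
        print(name, inspect(frame))
```

The order of the stages is the point: the cheap header check runs first, the protocol grammar rejects non-HTTP bytes on port 80 before any signature is consulted, and the signature scan only sees payloads that already passed the grammar. The port 443 comment is the caveat the section hints at: signature matching needs plaintext, so an encrypted flow contributes only its headers unless a decryption step feeds the inspector.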

What are the benefits of using DPI?

DPI delivers obvious benefits generally associated with cybersecurity. More visibility into applications increases the odds of finding hidden threats before they do damage. DPI helps to identify dangerous data that slips past the watchful eye of a firewall and can be configured to block data from undesirable sites or applications. Governments may even employ DPI to scan and block transmissions from unapproved sources outside the country.

Deep packet inspection also provides richer insight into the types of information passing through your network. Firewalls running DPI more precisely manage the flow of data and the ways in which it gets processed. Last but not least, DPI can be used to inspect and stop outbound threats, data leaks, and exfiltration, and to provide insight into where data is headed.

DPI’s value goes beyond security

DPI can be used to optimize performance as well. For example, it can prioritize time-sensitive application traffic such as VoIP, video, and conferencing services like Teams or Zoom. Inspecting this traffic first and allowing it to go to the front of the line helps to ensure these apps get allocated the bandwidth they need to deliver a high-quality user experience.

By identifying which packets are most critical, DPI can ensure that time-sensitive applications and services receive priority over less crucial packets. Admins can also limit the applications their workers interact with.

When should enterprises use DPI?

Popular use cases for DPI include:

  • Deploying DPI alone or in conjunction with intrusion detection systems (IDS) to spot attacks that may elude regular firewalls
  • Preventing employees from connecting personal or unmanaged devices to the company virtual private network (VPN) and depositing malware and other potential threats
  • Blocking malicious requests to prevent distributed denial-of-service (DDoS) attacks from overwhelming Internet of Things (IoT) devices
  • Working with threat detection algorithms to block malware before it enters the network
  • Enhancing visibility across the entire network

Visibility makes DPI more efficient

Like other areas of cybersecurity and network/application performance monitoring (NPM/APM), a strong visibility platform provides the ideal foundation for efficient DPI. Visibility essentially optimizes the data companies send to their monitoring tools from their network environments.

Keysight’s Vision network packet brokers (NPBs) optimize traffic from the network or cloud by removing duplicate packets, stripping out headers and other unnecessary data, and balancing the load so that each tool receives all the data it needs, and only as much as it can handle at any given time. Together, pre-processing and load balancing traffic allow the DPI process to unfold quickly and effectively without wasting network, cloud, and tool capacity — which saves money and reduces admin cycles.
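The three pre-processing steps this paragraph describes (removing duplicate packets, stripping unnecessary headers, and load balancing across tools) as an added Python example; this is not Keysight's code and not part of the original article. It strips 802.1Q VLAN tags as its example of header stripping, deduplicates by hashing the IP packet with the fields that legitimately differ between two tap points (TTL and header checksum) zeroed, and balances flows with a symmetric 5-tuple hash so both directions of a conversation reach the same tool. The sample frames, addresses, and window size are constructed for the example.

```python
import hashlib
import socket
import struct
from collections import OrderedDict, defaultdict

VLAN_ETHERTYPE = 0x8100


def strip_vlan(frame: bytes) -> bytes:
    """Header stripping: drop an 802.1Q tag so tools that ignore VLANs still parse the frame."""
    if struct.unpack("!H", frame[12:14])[0] == VLAN_ETHERTYPE:
        return frame[:12] + frame[16:]   # keep MACs, drop TPID+TCI, keep inner EtherType
    return frame


def dedup_digest(frame: bytes) -> bytes:
    """Digest of the IP packet with hop-dependent fields zeroed, so the same packet
    captured at two tap points (one router hop apart) hashes identically."""
    ip = bytearray(frame[14:])    # skip the 14-byte Ethernet header
    ip[8] = 0                     # TTL is decremented by every router between taps
    ip[10:12] = b"\x00\x00"       # header checksum changes with the TTL
    return hashlib.sha256(ip).digest()


class Deduplicator:
    """Sliding window of recent digests; a digest seen within the window is a duplicate."""

    def __init__(self, window: int = 1024):
        self.window = window
        self.seen: "OrderedDict[bytes, None]" = OrderedDict()

    def is_duplicate(self, frame: bytes) -> bool:
        digest = dedup_digest(frame)
        if digest in self.seen:
            return True
        self.seen[digest] = None
        if len(self.seen) > self.window:
            self.seen.popitem(last=False)   # evict the oldest digest
        return False


def flow_tool(frame: bytes, n_tools: int) -> int:
    """Load balancing: symmetric 5-tuple hash, so request and reply land on one tool."""
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src, dst = ip[12:16], ip[16:20]
    sport = dport = b""
    if proto in (6, 17):                      # TCP or UDP carry ports right after the IP header
        sport, dport = ip[ihl:ihl + 2], ip[ihl + 2:ihl + 4]
    a, b = sorted([src + sport, dst + dport])  # direction-independent ordering
    key = bytes([proto]) + a + b
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % n_tools


def broker(frames, n_tools: int):
    """Run the three steps over a capture and return {tool_index: frames}, dropped_count."""
    dedup = Deduplicator()
    out = defaultdict(list)
    dropped = 0
    for frame in frames:
        frame = strip_vlan(frame)
        if dedup.is_duplicate(frame):
            dropped += 1
            continue
        out[flow_tool(frame, n_tools)].append(frame)
    return dict(out), dropped


def make_frame(src, dst, sport, dport, payload, ttl=64, vlan=None):
    """Constructed Ethernet/IPv4/UDP frame for the demo (checksums left zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, ttl, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + udp
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02"  # constructed MACs
    if vlan is not None:
        return eth + struct.pack("!HH", VLAN_ETHERTYPE, vlan) + b"\x08\x00" + ip
    return eth + b"\x08\x00" + ip


# Constructed capture: the first query is seen at tap A and again at tap B one hop later
# (TTL 63, VLAN-tagged), then its reply, then an unrelated query from another host.
SAMPLE = [
    make_frame("10.0.0.5", "10.0.0.9", 40000, 53, b"query-1", ttl=64),
    make_frame("10.0.0.5", "10.0.0.9", 40000, 53, b"query-1", ttl=63, vlan=100),
    make_frame("10.0.0.9", "10.0.0.5", 53, 40000, b"answer-1"),
    make_frame("10.0.0.7", "10.0.0.9", 40001, 53, b"query-2"),
]

if __name__ == "__main__":
    tools, dropped = broker(SAMPLE, n_tools=2)
    print("dropped duplicates:", dropped)
    for idx, frames in sorted(tools.items()):
        print(f"tool {idx}: {len(frames)} frame(s)")
```

Zeroing TTL and checksum before hashing is the detail that separates useful deduplication from the naive kind: byte-exact comparison would pass both copies of query-1 through, since every router hop rewrites those two fields. The symmetric hash matters for DPI specifically, because a tool that only ever sees one direction of a session cannot reassemble the stream it is supposed to inspect.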

Don’t forget to inspect traffic from the cloud

Companies tend to assume that certain processes become unnecessary when workloads move to the cloud, or that public cloud service providers do all the necessary analysis. That’s rarely the case.

Moving critical workflows and processes to the cloud is all the more reason to inspect traffic thoroughly for signs of potential cyberthreats. Integrated solutions work best.

For example, Keysight packet brokers integrate with Microsoft’s recently announced Azure virtual taps (vTaps) to extract and process data from the cloud. The more closely visibility, monitoring, and detection tools work together, the easier it is to manipulate packets, add rich metadata and separate valuable insights from extraneous data and false alerts.

AI raises the stakes

The trend toward leveraging artificial intelligence, generally known as “AI,” to conduct phishing and ransomware campaigns at cloud scale makes DPI more valuable than ever before. Combining DPI with visibility helps to ensure the scale needed to keep up with modern AI threats, machine-led attacks, and exploding traffic volumes.
