Network inspector 5 key
5/8/2023

Traditional security controls such as firewalls relied heavily on these headers in order to filter out malicious traffic; think of IP addresses and ports being blocked. Modern security tools, such as most Intrusion Detection and Prevention Systems and next-generation or application-layer firewalls, inspect the data part of the network packets in order to determine their contents. That earlier-mentioned SQL query, for instance, could be malicious and intended to drop an entire database or return its passwords, in which case it has to be blocked instead of being delivered for processing. Other packets might contain malware or shellcode, which needs to be correctly identified and acted upon. This technology is called Deep Packet Inspection (DPI), and although it comes with some processing and latency cost, it is an essential part of a secure environment.

Many cloud services are accessible from the entire Internet, after all, and an important driver for cloud migrations is the improved accessibility of the systems. This means cloud servers and applications are regularly attacked, with a very broad range of methods, from anywhere on the globe. Deep Packet Inspection is essential in keeping the bad traffic out while letting the good traffic through without too much interruption. It is also important to look past this perimeter-based defense layer and further inward: lateral movement between a compromised (cloud) system and other systems, whether within the cloud or on-premises, is very important to detect and, where possible, to block as well.

Challenges in the Cloud

Deep Packet Inspection raises several privacy concerns. The data in network packets can contain anything, including social security numbers, credit card details and even passwords. In a perfect world this data would all be encrypted, but this is not always the case. The existence of SSL interception, where encrypted traffic is intercepted, decrypted and analyzed, only increases these concerns.

On top of this, cloud providers do not like to give their customers such close access to network traffic within their multi-tenant platform, because of the risk of customer-to-customer data leakage.

Finally, the network traffic within a shared cloud platform is effectively encapsulated in order to separate customer and management flows, which often means traditional network-based DPI solutions will have trouble processing the observed cloud traffic.

There are several approaches to successfully deploying a security control based on Deep Packet Inspection within a public cloud environment. The first is to use the vendor solutions already built for this exact purpose. These could be virtual instances such as the Sophos UTM9 product, a next-generation firewall with built-in IDS and application-layer (Layer 7) controls, for which DPI is required. The benefit here is the ease of deployment, support and management.

Another product range is based on agents running on the customer's endpoints. The endpoints not only process network traffic, but also forward a copy of selected (or all) raw traffic to a security monitoring system. The benefit here is that network encryption such as SSL is less of a challenge, because the endpoint sees much of the data in unencrypted form.

Finally, a virtual network TAP, as offered for example by Microsoft Azure, can provide a full network traffic feed to any destination. This could be an Intrusion Detection System, a NetFlow sensor or a malware sandbox. Although the destination system is not directly inline, the extensive flexibility of this option allows for inter-device messaging where, for instance, an IDS automatically directs a firewall to block a malicious IP address detected by an IDS signature.

A modern evolution of Deep Packet Inspection is called Deep Content Inspection (DCI). Where DPI covers the analysis of data inside individual network packets, Deep Content Inspection is capable of detecting how multiple packets together make up a file or data stream. This is usually done by detecting a certain MIME (file) type, after which the data is captured, reconstructed and analyzed by, for instance, an antivirus or malware sandbox application.

DCI has been adopted in most products that support DPI, and the terms are sometimes used interchangeably because they are quite similar. Proper DCI has brought some major advantages, however. For instance, it has made it much harder for an attacker to break malicious code up into smaller packets in order to bypass an IDS device.
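The encapsulation problem described under "Challenges in the Cloud" above, as an added example that is not part of the original post: the page only says that traffic inside a shared cloud platform is encapsulated, so this example assumes VXLAN (UDP port 4789) as one concrete overlay and makes no claim about what any particular provider uses. A tool that stops at the outer headers sees a UDP flow between two hypervisor addresses; one that strips the overlay recovers the tenant's TCP 5-tuple and payload, which is what the DPI rules need. All packet bytes, addresses and the HTTP request are constructed for illustration, and checksums are left at zero.

```python
"""Looking through overlay encapsulation (VXLAN assumed as the overlay).
Added example, not code from the original post; packet bytes are constructed."""
import struct
from typing import Dict, Tuple

ETH_P_IP = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17
VXLAN_PORT = 4789          # assumed overlay: VXLAN over UDP/4789


# --- minimal parsers (IPv4 only, no checksum verification) -------------------
def parse_ethernet(frame: bytes) -> Tuple[int, bytes]:
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return ethertype, frame[14:]


def parse_ipv4(pkt: bytes) -> Tuple[str, str, int, bytes]:
    ihl = (pkt[0] & 0x0F) * 4
    (total_len,) = struct.unpack("!H", pkt[2:4])
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    return src, dst, pkt[9], pkt[ihl:total_len]


def parse_udp(seg: bytes) -> Tuple[int, int, bytes]:
    sport, dport, length = struct.unpack("!HHH", seg[:6])
    return sport, dport, seg[8:length]


def parse_tcp(seg: bytes) -> Tuple[int, int, bytes]:
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", seg[:14])
    return sport, dport, seg[(off_flags >> 12) * 4:]


def strip_vxlan(udp_payload: bytes) -> Tuple[int, bytes]:
    """VXLAN header: flags(1) reserved(3) VNI(3) reserved(1); flag 0x08 = VNI valid."""
    if len(udp_payload) < 8 or not (udp_payload[0] & 0x08):
        raise ValueError("not a VXLAN header")
    return int.from_bytes(udp_payload[4:7], "big"), udp_payload[8:]


def describe_flow(frame: bytes, decapsulate: bool = True) -> Dict[str, object]:
    """Return the 5-tuple and payload an inspector would apply its rules to.
    decapsulate=False mimics a tool that stops at the outer headers: it then sees
    only UDP/4789 between two hypervisor addresses, not the tenant's TCP flow."""
    ethertype, l3 = parse_ethernet(frame)
    if ethertype != ETH_P_IP:
        raise ValueError("example handles IPv4 only")
    src, dst, proto, l4 = parse_ipv4(l3)
    sport = dport = None
    payload = l4
    if proto == IPPROTO_UDP:
        sport, dport, payload = parse_udp(l4)
        if decapsulate and dport == VXLAN_PORT:
            vni, inner = strip_vxlan(payload)
            flow = describe_flow(inner, decapsulate)   # inspect the inner frame instead
            flow["vni"] = vni
            return flow
    elif proto == IPPROTO_TCP:
        sport, dport, payload = parse_tcp(l4)
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport, "payload": payload}


# --- constructed sample: a tenant HTTP request carried over VXLAN ------------
def _ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload   # checksum left at 0 in this constructed sample


def _eth(payload: bytes) -> bytes:
    return b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ETH_P_IP) + payload


INNER_PAYLOAD = b"GET /login.php?user=admin' OR 1=1-- HTTP/1.1\r\nHost: app.internal\r\n\r\n"
_inner = _eth(_ipv4("10.0.1.4", "10.0.2.5", IPPROTO_TCP,
                    struct.pack("!HHIIHHHH", 51000, 80, 1, 0, 0x5018, 65535, 0, 0) + INNER_PAYLOAD))
_vxlan = b"\x08\x00\x00\x00" + (5001).to_bytes(3, "big") + b"\x00" + _inner
SAMPLE = _eth(_ipv4("192.168.100.11", "192.168.100.12", IPPROTO_UDP,
                    struct.pack("!HHHH", 49152, VXLAN_PORT, 8 + len(_vxlan), 0) + _vxlan))

if __name__ == "__main__":
    outer = describe_flow(SAMPLE, decapsulate=False)
    print("outer view:", {k: v for k, v in outer.items() if k != "payload"})
    print("inner view:", describe_flow(SAMPLE))
```

The outer view is all a legacy sensor can match on: the tenant addresses, the destination port 80 and the injected SQL in the request are invisible until the overlay header is removed, and a real deployment additionally has to know which VNI belongs to which tenant before an alert means anything.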
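The inter-device messaging mentioned for the virtual network TAP above, where an IDS tells a firewall to block an address, as an added example that is not code from the original post or from any vendor: it consumes alert lines in the general shape of a Suricata EVE JSON alert (event_type, src_ip, proto, alert.severity, alert.signature) and produces a block list. That layout, the severity convention (1 is most severe), the protected ranges and all addresses are assumptions constructed for the example. The guard rails are the part a practitioner needs: never block your own or your monitoring ranges, and do not block on alerts whose source address could have been forged.

```python
"""IDS alert to firewall block list, with guard rails.  Added example, not from
the original post; alert lines and address ranges are constructed."""
import ipaddress
import json
from typing import Dict, Iterable, Tuple

# Constructed: our own VNet plus the monitoring/management range.  Blocking an
# address here would cut off our own systems, so they are never candidates.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]

# Assumed severity convention: 1 is the most severe (Suricata style).
MAX_SEVERITY_TO_BLOCK = 2


def decide(event: dict) -> Tuple[bool, str]:
    """Return (block?, reason) for one parsed event."""
    if event.get("event_type") != "alert":
        return False, "not an alert"
    src = ipaddress.ip_address(event["src_ip"])
    if any(src in net for net in NEVER_BLOCK):
        return False, "source is in a protected range"
    if event.get("proto") != "TCP":
        # A single UDP or ICMP packet can carry a forged source address; blocking
        # on it lets an attacker choose whom we cut off (self-inflicted DoS).
        # A TCP alert at least implies a completed handshake on most sensors.
        return False, "non-TCP source may be spoofed"
    severity = int(event["alert"]["severity"])
    if severity > MAX_SEVERITY_TO_BLOCK:
        return False, f"severity {severity} is below the blocking threshold"
    return True, "block"


def blocklist_from_eve(lines: Iterable[str]) -> Dict[str, str]:
    """Map each source IP to block onto the first signature that justified it.
    Malformed lines are skipped rather than allowed to stop the feed."""
    blocked: Dict[str, str] = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        should_block, _reason = decide(event)
        if should_block:
            blocked.setdefault(event["src_ip"], event["alert"]["signature"])
    return blocked


# Constructed EVE-style lines: one real hit, one spoofable UDP alert, one
# low-severity alert, one alert from our own range, a non-alert event, a
# duplicate source and one malformed line.
SAMPLE_EVE = """
{"event_type":"alert","src_ip":"203.0.113.7","dest_ip":"10.0.2.5","proto":"TCP","alert":{"signature":"SQLi DROP DATABASE in URI","severity":1}}
{"event_type":"alert","src_ip":"198.51.100.9","dest_ip":"10.0.2.5","proto":"UDP","alert":{"signature":"DNS tunnelling suspected","severity":1}}
{"event_type":"alert","src_ip":"203.0.113.8","dest_ip":"10.0.2.5","proto":"TCP","alert":{"signature":"Generic scanner user-agent","severity":3}}
{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.2.5","proto":"TCP","alert":{"signature":"SQLi DROP DATABASE in URI","severity":1}}
{"event_type":"flow","src_ip":"203.0.113.50","dest_ip":"10.0.2.5","proto":"TCP"}
{"event_type":"alert","src_ip":"203.0.113.7","dest_ip":"10.0.2.6","proto":"TCP","alert":{"signature":"Shellcode pattern in payload","severity":1}}
not json at all
""".splitlines()

if __name__ == "__main__":
    for ip, sig in blocklist_from_eve(SAMPLE_EVE).items():
        print(f"block {ip}  ({sig})")   # only 203.0.113.7 is blocked
```

Pushing the resulting list to the firewall (a network security group, a cloud firewall API or an inline appliance) is deliberately left out, since that call is vendor-specific; what matters is that the decision logic, not the firewall, enforces the protected ranges and the spoofing rule, and that blocks expire rather than accumulate forever.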
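The difference between per-packet DPI and Deep Content Inspection described in the last two paragraphs above, including the fragmentation evasion DCI defeats, as an added example that is not code from the original post: a matcher that looks at each TCP segment on its own misses a signature split across segments, while the same signatures applied to the reassembled stream catch it, and reassembly is also what makes MIME-type detection on the first bytes of a transferred file possible. The signatures, magic table and segments are constructed for illustration; the signature names are hypothetical and not from any real rule set.

```python
"""Per-packet DPI versus stream-level inspection (the Deep Content Inspection
idea).  Added example, not code from the original post; all packets,
signatures and file headers are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed content signatures in the spirit of IDS rules (matched
# case-insensitively, as SQL-injection rules usually are).
SIGNATURES = [
    ("sql-drop-database", b"drop database"),
    ("sql-dump-passwords", b"select password from users"),
]

# Constructed MIME magic table: a file type can only be recognised once the
# start of the reassembled stream is available.
MAGIC = [
    (b"MZ", "application/x-dosexec"),
    (b"\x7fELF", "application/x-elf"),
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
]


@dataclass(frozen=True)
class Segment:
    """One TCP segment of a flow; seq is relative to the first byte of the flow."""
    seq: int
    payload: bytes


def match_signatures(data: bytes) -> Set[str]:
    lowered = data.lower()
    return {name for name, pattern in SIGNATURES if pattern in lowered}


def packet_level_matches(segments: List[Segment]) -> Set[str]:
    """Plain DPI: every segment is inspected on its own, so a signature that
    an attacker splits across two segments is never seen whole."""
    hits: Set[str] = set()
    for seg in segments:
        hits |= match_signatures(seg.payload)
    return hits


def reassemble(segments: List[Segment]) -> Tuple[bytes, bool]:
    """Rebuild the byte stream from segments that may arrive out of order or
    partly retransmitted.  Returns (stream, hole_found); data after a hole is
    not returned because the inspector cannot know what the host will see there.
    Overlapping bytes keep the first copy, which is a simplification: a real
    engine must follow the reassembly policy of the target host, otherwise
    overlap tricks can still desynchronise it from the host."""
    stream = bytearray()
    expected = 0
    for seg in sorted(segments, key=lambda s: s.seq):
        if seg.seq > expected:
            return bytes(stream), True
        data = seg.payload[expected - seg.seq:]   # drop any already-seen prefix
        stream += data
        expected += len(data)
    return bytes(stream), False


def stream_level_matches(segments: List[Segment]) -> Tuple[Set[str], Optional[str], bool]:
    """DCI-style inspection: signatures and file type checked on the reassembled stream."""
    stream, hole = reassemble(segments)
    mime = next((m for magic, m in MAGIC if stream.startswith(magic)), None)
    return match_signatures(stream), mime, hole


# Constructed flow: "DROP DATABASE" split over two segments, sent out of order.
EVASIVE_FLOW = [
    Segment(seq=13, payload=b"ABASE prod; -- "),
    Segment(seq=0, payload=b"q=1; DROP DAT"),
]

# Constructed flow: the first bytes of a Windows executable, with the "MZ"
# marker itself split so no single segment carries it.
EXE_FLOW = [
    Segment(seq=0, payload=b"M"),
    Segment(seq=1, payload=b"Z\x90\x00\x03\x00\x00\x00"),
]

if __name__ == "__main__":
    print("per-packet :", packet_level_matches(EVASIVE_FLOW))   # set()
    print("reassembled:", stream_level_matches(EVASIVE_FLOW))   # ({'sql-drop-database'}, None, False)
    print("file type  :", stream_level_matches(EXE_FLOW)[1])     # application/x-dosexec
```

The hole flag is the operational caveat: a sensor on a TAP or mirror that drops packets under load sees holes, and everything after a hole is unreassembled and therefore uninspected, which is the same blind spot the evasion exploits, only self-inflicted.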