A lot of attention has been paid to Deep Packet Inspection (DPI) lately. DPI has developed a bad reputation for its role in censorship, data mining and eavesdropping. It is seen by many as a threat to Net neutrality and online privacy.
The depiction of DPI as a detrimental technology was highlighted during the recent unrest in Iran, when the Wall Street Journal claimed that DPI was used to spy on citizens and block traffic deemed undesirable by the state. Several media outlets jumped on the bandwagon, calling DPI "a technology ripe for abuse".
Because of the negative media coverage around Deep Packet Inspection, several parties have tried to affirm that, like most technologies, DPI is neutral. As a tool it can be leveraged for good or evil.
The Canadian government, wanting to allay concerns over privacy, went as far as to launch an entire website dedicated to DPI. They invited industry experts to share their opinions on what role the technology should play.
Even when DPI is used for positive purposes like information security, there is debate. Recently I have heard several industry experts caution that for security controls like intrusion detection/prevention, web application firewalls and data leakage prevention, the necessary protocol parsing is a duplication of effort that may be evadable or, worse yet, present additional vulnerabilities. Vendors work extremely hard to mitigate these concerns.
Despite the negative image being cast on DPI, it's important to remember that as a technology it plays a vital role in information security, since no alternative options exist that are as capable.
There are five main reasons security controls rely on DPI:
Prevention - The majority of today's data enters and exits systems through the network. While there are plenty of ways to detect malicious code or behavior once a system has been compromised (and in some cases remediate it), network filtering provides an interception point suitable for true prevention.
Ubiquity - Some applications like browsers and email programs expose APIs that allow inspection of, and enforcement on, the fully normalized data. Unfortunately such programs are few and far between, and they only cover data entering the system. The only way to 'see' most of the data entering or leaving a system is at the network layer (DLP is also concerned with information leaving systems on other forms of media).
Altitude - Even if applications universally provided inspection points, there would still be risks below that layer of the stack. For instance, vulnerabilities in the TCP/IP stack could be used to compromise the operating system. Higher up, for example in the pre-render hooks browsers provide, significant amounts of code have already parsed the data in the document. The higher you are on the software stack, the more abstraction exists and the greater the chance that the layers beneath you have been compromised.
Choice - DPI can be deployed host-based, on physical appliances, or using newer options like cloud-based security as a service, third-party vSwitches or hypervisor introspection APIs. Because all of the traffic is based on standards (de facto or otherwise), consumers can mix and match vendors and control types without difficulty.
Layers - DPI can be applied cleanly as a serial chain of filters. Traditionally a network starts with a firewall, behind which any number of components are deployed (IDS/IPS, web proxy, network anti-virus, anti-spam). These layers form a funnel for traffic without having to be aware of each other.
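As an added illustration of the serial-filter model described under Layers (example code written for this page, not from the original post or any product), the chain below pushes constructed packets through three independent stages: a port-only firewall, a payload signature check, and an HTTP host policy. The ports, signatures, host names and packet contents are all constructed placeholders; each stage sees only the packet and knows nothing about the stages before or after it.

```python
# Each stage is a plain function: packet -> None (pass) or a drop reason.
# Stages share no state and know nothing about each other; the "funnel"
# is just the order of the list handed to run_chain().
from typing import Callable, NamedTuple, Optional

class Packet(NamedTuple):
    dport: int        # TCP destination port
    payload: bytes    # application data (constructed for this example)

Filter = Callable[[Packet], Optional[str]]

# Stage 1: stateless firewall, header fields only, no payload parsing.
ALLOWED_PORTS = {80, 443, 25}
def firewall(p: Packet) -> Optional[str]:
    return None if p.dport in ALLOWED_PORTS else f"firewall: port {p.dport}"

# Stage 2: IDS-style content signatures over the raw payload (placeholders).
SIGNATURES = [b"/etc/passwd", b"<script>"]
def ids(p: Packet) -> Optional[str]:
    hit = next((s for s in SIGNATURES if s in p.payload), None)
    return f"ids: signature {hit!r}" if hit else None

# Stage 3: web proxy, parses the HTTP header block and applies a host policy.
BLOCKED_HOSTS = {"blocked.example"}
def web_proxy(p: Packet) -> Optional[str]:
    if p.dport != 80:
        return None                       # not plaintext HTTP; nothing to parse
    head = p.payload.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    for line in head.split("\r\n")[1:]:   # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "host" and value.strip().lower() in BLOCKED_HOSTS:
            return f"proxy: host {value.strip()}"
    return None

def run_chain(chain: list[Filter], packets: list[Packet]) -> list[str]:
    """Return one verdict per packet: 'pass' or the first stage's drop reason.
    The generator is lazy, so later stages never run for a dropped packet."""
    verdicts = []
    for p in packets:
        verdicts.append(next((r for r in (f(p) for f in chain) if r), "pass"))
    return verdicts

# Constructed sample traffic (not captured data).
SAMPLE = [
    Packet(80, b"GET / HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    Packet(23, b"login: "),                                 # telnet: firewall drops
    Packet(80, b"GET /../../etc/passwd HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    Packet(80, b"GET / HTTP/1.1\r\nHost: blocked.example\r\n\r\n"),
]
CHAIN: list[Filter] = [firewall, ids, web_proxy]
```

Calling `run_chain(CHAIN, SAMPLE)` yields one verdict per packet, and reordering or removing stages in `CHAIN` changes the funnel without touching any stage's code.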
As a technology DPI should not be condemned for how it may be used; DPI itself is not inherently good or evil. Until there are alternative means of policing information exchange with these positive attributes, DPI will continue to be a necessary and useful technology.