Strategy, Threats, Cybercrime

Good & evil: Deep packet inspection

October 4, 2010

Deep packet inspection (DPI) can be relied on for security and forensics, but also can be used for snooping into online lives, reports Deb Radcliff.

Enterprises need better analysis to detect zero days, employee abuse and other nefarious behaviors on their networks. Government and law enforcement agencies need deeper intelligence to know what to collect in their sensors and what to actually analyze. Telecommunications companies and internet service providers (ISPs) need more visibility into their network traffic to provide better quality of service.

To do all these things and much more, organizations are using deep packet inspection (DPI), although many would rather do so without the public noticing, due to privacy concerns.

“DPI has this image of Big Brother tracking what you load on your devices,” says Shira Levine, directing analyst at Infonetics Research, an international market research and consulting firm specializing in data networking and telecom. “A number of DPI vendors provide lawful intercept and data retention, but few want to publicly discuss this because of these fears.”

Part of DPI's image problem stems from confusion about what, exactly, DPI is. To purists like Eugene Schultz, chief technology officer of consulting firm Emagined Security, DPI means looking inside packet headers to tell what type of traffic, services, protocols and ports that packets are carrying and connecting to, and how long they have been connected.

“The main use of the technology is to tell if packets are legitimate because malicious packets are often fabricated by attack tools,” says Schultz. “On the flip side, bad-doers can find out a lot about a person through packet header information.”

By today's definition, DPI technology is morphing to do much more than analyze packet header information. Multiple DPI technologies can translate, copy, store and parse packet information based on thousands of parameters. Some go beyond packet header information by unwrapping the data packets themselves — even on data that has been encrypted.

Enterprise protection

“You can attribute DPI's growth to improved processing speeds,” says Jarrod Siket, senior vice president and general manager, sales and marketing for Netronome, whose network flow processors scale to more than 40 gigabits per second and allow network and security appliances to deliver line rate DPI. “DPI is already embedded in enterprise security tools, in the carrier space and in government agencies,” he says.

From an enterprise perspective, DPI can be used to tune the network for better performance and to monitor more closely for security and abuse violations and data leakage prevention — so long as users are aware that their activities are being monitored, says Mark Leary (left), chief information security officer at TASC, a defense company that provides advanced systems engineering, integration and decision-support services to the intelligence community, Department of Defense and civilian agencies of the federal government.

“The enterprise owns the data asset, and exfiltration of intellectual property is a real concern,” he says. “So DPI is used to detect data leakage, as well as for network forensics to identify packet contents over the event's lifecycle to estimate impact.”

The enterprise also should have processes in place to open only the data packets that are absolutely necessary based on type of investigation. In addition, if they are to look into data packets, there should be a way to protect any sensitive data – such as passwords and other personal data or intellectual property – from being viewed, copied or stored by authorized users.

Today's DPI tools often have this capability baked in. For example, Gigamon's GigaSMART can mask (encrypt) specified data types (usually personal and financial data) so others can't be seen by administrators and investigators looking into data packets.

The GigaSMART tool also can be tuned to capture and parse only slices of the packet data, such as capturing the activity on a single IP address, says Kevin Jablonski, vice president of marketing and business development at Gigamon. Or the tool could be set to look for a series of actions that happened during a specific session or time.
“Say law enforcement was given a court order stating that they had from 8 a.m. until 2 p.m. on this date to pull data from this section of traffic looking for this phone number or IP address,” explains Jablonski. “Time-stamp technology can tell where the packet came from and when it arrived.”

Net neutrality

ISPs have their own set of uses for DPI — particularly to support quality of service and terms of use, copyright enforcement and target marketing – that get dicey where privacy is concerned.  

“For ISPs, DPI can go deep into the packets and distinguish if its voice, video, streaming video, messaging or other types of traffic, and subsequently enable tiered billing,” says Levine. “For these reasons, pure-play DPI is huge in the telecom market.”

By 2013, pure play DPI is projected to be a $1.5 billion market, according to an Infonetics report released in August.

For this level of visibility, ISPs all over the world are using DPI, but many of these businesses are keeping it buried in service agreements and off the public record, says Christopher Parsons, lead researcher at DPI Canada, a volunteer-based nonprofit, which researches and reports on DPI usage among Canadian service providers.

“Canadian providers have to be transparent about their use of this technology,” he adds. “Some other countries aren't being transparent about their use of DPI and this is raising privacy issues.”

Targeted ads targeted

In the United States, pressure from groups such as the Electronic Privacy Information Center (EPIC) and the Electronic Frontier Foundation (EFF) have held advertisers back from running amok with behavior monitoring through DPI. For example, after pressure from EFF, Charter Communications in 2008 halted its use of the controversial targeted ad program NebuAd. The program used DPI appliances placed in ISP networks to scan traffic and then forge packets. These forgeries led browsers to mistakenly trust embedded JavaScript code, which was used to load cookies for advertising — thereby violating the primary tenet of routing: Don't change packets.

“Right now, advertisers are laying low on their DPI use because behavior-based advertising has become politically sensitive,” says Richard Esguerra, an EFF activist, who worked on the Charter Communications case. “The other large concern is over DPI being used by carriers to restrict access to services based on bandwidth use.”
This issue of bandwidth allocation has the European Union working to legislate restrictions against service providers under what has come to be known as “net neutrality.”

Wireless battleground
In North America, Google and Verizon are pushing their own net neutrality legislation that “spells out the role and authority of the FCC in the broadband space,” according to a Verizon release. This would include new enforcement mechanisms for the FCC to use on broadband, but would not yet apply to wireless.

However, EFF's Esguerra, Infonetics' Levine and other analysts think the ultimate DPI battleground will be over wireless, where advertisers can stream ads to phones based on preferences and shoppers' location.

A larger concern: Do users really want Verizon and Google dictating net neutrality? Dozens of commenters to the Verizon release expressed serious concerns about this arrangement. They are particularly worried given that in the same release, Verizon discusses how to use DPI for offering “specialized services to customers,” such as better gaming and health care applications.

To many, this “improved services” model looks like bandwidth discrimination – something Verizon and Google say they're trying to prevent.

This opens the door up for comments such as: “Oh, you like to play massively multiplayer online games (MMOs)? We have this service that gives you great speed for World of Warcraft for just $10 more!,” as one poster wrote to the Verizon release. “Rinse and repeat for any bandwidth-intensive task.”

Integral to business

Clearly DPI is a controversial technology, even as it becomes embedded in routing and switching structures, enterprises and even in the nation's universities, which are mandated to block peer-to-peer pirating or risk losing government funding.

“ISPs have very different uses for DPI than enterprises, such as retailers and financial institutions, where security and availability are integral to business operations,” says Eddie Schwartz, chief security officer of NetWitness, which provides network forensics and automated threat intelligence solutions. “There's no question that the advanced analytics offered by DPI could be used for good or evil.”

[sidebar]

EINSTEIN: Deployment

While some federal agencies and departments have implemented only the most basic of protections, others have developed quite advanced cybersecurity postures, embracing the government's latest mandates for Trusted Internet Connections (TIC). Einstein 2 intrusion detection and domain name system security extensions (DNSSEC) are examples.

Integral to TIC compliance is the use of Einstein 2 intrusion detection appliances, which also collect NetFlow data, a network protocol for collecting and analyzing IP traffic information.

In the government's cybersecurity evolution, TIC represents the first step in establishing a minimum, standardized level of security across the federal enterprise, says Nicole Dean, deputy director of the U.S. Department of Homeland Security's National Cyber Security Division (NCSD), which leads the TIC and Einstein efforts. “It's about setting baseline security practices that every federal executive, civilian branch department or network would have to implement – anti-virus, anti-spam, network firewalls and things to that effect,” she says.

As of early July, the NCSD had Einstein 2 operational at the majority of its designated agencies and departments, with the IDS devices deployed – but not yet live – at a thirteenth, Dean says. However, the bulk of departments and agencies have opted to use managed IDS services from AT&T, Qwest Communications International, Sprint and Verizon – the four government-sanctioned managed trusted internet protocol services (MTIPS) providers. Already deployed within those networks, the Einstein 2 devices should go operational shortly, she adds.

The system is providing, on average, visibility into more than 278,000 indicators of potentially malicious activity per month, Dean says. From those, DHS is gaining valuable insight into the nature of attacks being launched against .gov infrastructure. “I'm not saying we've answered all the ‘whys,' but being able to get that big picture helps us know, ‘OK, this one is scattershot, but this one hits one agency,' so we can focus our analysis appropriately.”

 – Beth Schultz
prestitial ad