Carlos Ferro, SVP and General Manager International Region, for LiveAction.
Deep Packet Inspection (DPI) is growing increasingly irrelevant in the face of modern security and network performance demands – and many organisations are ditching it.
Firstly, it should be said that DPI grows out of a real and pressing need for both security and network operations. Its intended value is that by watching the incoming flow of traffic – the packets – and inspecting them, security and network operations teams can micromanage network performance by efficiently allocating bandwidth and spotting cyber threats as they head towards your network.
However, encrypted traffic is becoming the norm and DPI is struggling to keep up with this new development. According to Google, 90% of traffic coming to Chrome is encrypted. Because of that, DPI increasingly has to resort to decryption in order to actually inspect the traffic coming in.
Unsurprisingly, most malware arrives via encryption too – allowing many threats to pass into enterprise networks without the notice of network or security teams. In fact, according to researchers from Sophos, around half of all malware was delivered using encrypted sessions in 2020.
That’s why DPI has to increasingly rely on SSL/TLS inspection to decrypt that traffic and attempt to find malicious code or latency problems in what must seem like an ocean of incoming traffic.
For many years DPI decryption has been a useful – if imperfect – practice to manage incoming traffic. It allows the identification of specific files and types of data within a packet. In doing so, security threats and potential network problems can be caught before they hit the network. Without it, enterprises can only intuit payload sizes, destination IPs, payload sizes and protocols. Still, the price of traffic decryption is high, even if many organisations need the capability.
Traffic decryption is a resource-heavy activity and, as a result, performance suffers in a variety of areas.
As traffic heads towards the network boundary, the firewall has to stop that traffic in order to decrypt and inspect it. This increases the CPU load on the firewalls, which can be overwhelmed by the sheer scale of traffic they have to decrypt. In turn, this has a deleterious effect on network performance due to the increased amount of compute resources that have to be used and thus, more latency is introduced.
Some organisations even choose to turn DPI functions off entirely for their firewalls, setting the stage for much larger problems down the line.
There is often significant redundancy in this process too. Organisations will often use a variety of tools to cover different areas of their cybersecurity. By having multiple tools decrypt the same packets and traffic, they multiply the resource drain the traffic decryption already introduces. This ultimately creates bottlenecks and contributes further to the aforementioned latency and performance problems.
Packet loss is often an unfortunate side effect of DPI traffic decryption. Because traffic decryption has to stop packets in their tracks to inspect them, incoming traffic can become congested. When the incoming traffic pipe gets held up by this often-cumbersome process – packets get lost. Because the network is dealing with more traffic than it can handle, packets will often be discarded or ignored entirely. This can get especially bad during peak hours when traffic is already at its height.
Ethical privacy concerns
Traffic decryption often risks violating various ethical rules and regulations around privacy. Because organisations can’t tell what’s actually in the packet before they decrypt it, they could accidentally expose personally identifiable information, including health records or credit card data as well as other compromising details, thus breaching the personal privacy of the data subject.
That breaks a fundamental element of trust that should exist between users and organisations and opens up broad scope for abuse. Some companies have even used DPI to collect data which they then used for advertising, prompting an outcry from consumers and privacy advocates alike.
Even if organisations don’t care about breaching their customer’s privacy, regulators do. Many regulations set strict boundaries around this kind of activity. The EU’s General Data Protection Regulation (GDPR), for example, introduces strict rules around encryption and the protection of personal data. Both PCI DSS – a card payment industry regulation which governs data use – as well as HIPAA – A US regulation which governs healthcare data – severely restricts the use of decryption or disclosure of personal data under certain conditions.
The US state of Texas has even forbidden the decryption of personal data since 2017 unless that act has a legitimate business purpose. These would all be easy to comply with if organisations already knew what was contained within the packet they wanted to decrypt. Unfortunately, the only way to know is to decrypt, thus potentially thrusting them into non-compliance. Without the necessary legal know-how, organisations may find themselves in violation of regulations.
From DPI to DPD
DPI often means that organisations have to effectively launch Man In the Middle attacks on their own packets. Doing so introduces latency and inefficiency to a process that is supposed to preserve network performance and violates privacy in a process that is meant to preserve it. In short, DPI fails on its own terms.
As a result, many organisations are moving away from DP and towards other methods to cover this area. Deep Packet Dynamics (DPD) is emerging as a way to avoid the pitfalls of DPI decryption.
Behaviour vs payload
The reality is that to detect attacks and performance problems, behaviour is often a better marker than direct packet inspection. DPD illustrates exactly that point.
DPD uses metadata, behavioural profiling and fingerprinting techniques to spot abnormal behaviour and reveal threats within encrypted traffic, without needing to decrypt.
Instead, DPD monitors behaviour. It looks at network traffic, using behavioural analysis to collect information about network connections. While DPD does not decrypt packets, it does capture header information and enriches it with other behavioural data and traditional flow tuple information like IP addresses, ports and protocols.
DPD’s behavioural analysis, for example, will alert security teams when large amounts of UDP traffic flow between a communications application and an internal accounting application, signifying suspicious behaviour.
Machine Learning algorithms often supplement this functionality by analysing metadata and behaviour to understand the nature and type of threat that might be approaching the network. For instance, it can compare the details of an HTTPS session against known attack patterns from phishing websites, thus establishing whether this behaviour is a phishing attempt.
With this, comes greater opportunities for intelligent packet capture that makes data storage more efficient. When IT teams realise that a particular packet is not malicious, they have no need to store it and so only need to retain certain parts of the packet that might be useful for forensic analysis later down the line. In turn, this can make organisational data storage vastly more efficient and longer lived than it might otherwise be.
DPI has often been an important part of traffic monitoring and security. However, as the nature of traffic changes – it introduces greater and greater burdens upon its users, compromising the objective for which it was employed in the first place. Many organisations are finding that the latency, performance degradations and privacy infringements that so often accompany DPI traffic decryption are too high a price to pay. In turn, they’re realising that packet payloads matter less than they once thought and turning to behaviour analysis in the form of DPD.