Comment: Don’t Compromise on Visibility, Speed or Security

Walker-Brown examines the jigsaw puzzle of deep packet inspection
Walker-Brown examines the jigsaw puzzle of deep packet inspection

The evolving nature and delivery schemes of viruses, malware and spyware have radically changed the scope and best practices of network security.

First-generation firewalls were designed around one objective: to block direct threats coming from outside the firewall in a perimeter-based attack. But these stateful firewalls (firewalls that perform stateful packet inspection [SPI] or stateful inspection) alone are no longer enough.

Mobile employees are using multiple devices to connect to critical business data from home broadband or public wireless hotspots. Mountains of media and rich digital content are an ever-growing part of business software applications. Data inspection at the application-content level is necessary to protect against sophisticated hacking schemes. In the pursuit of application-level protection, deep packet inspection (DPI) has become the preferred approach.

However, not all deep packet inspection strategies are the same. The hard reality for senior IT management (and even the C-suite) in considering next-generation security (and by extension, DPI) is the need to optimize for two simultaneous – but not always harmonious – goals: to protect critical business data from the most sophisticated threats, while still enabling the business to enjoy the productivity benefits of enterprise mobility, multiple devices and rich content. And also to maintain that robust, comprehensive security capability against the tidal wave of employee demands and network usage, without causing significant performance issues.

There are two core approaches to implementing DPI: proxy-based DPI and stream-based DPI. Both focus on delivering robust network protection via application-level inspection and scanning. They involve, however, fundamentally different ways of solving the problem, each with a distinctly different impact upon network latency and performance.

Application proxies function by breaking the TCP/IP communication between a client and server when a request is passed. The application proxy receives and buffers the entire request, inspects the request and then creates a new connection to the server. This scheme does insert DPI between the two endpoints of the connection and increases the level of network protection. Conversely, proxy-based DPI works one application-level request or response at a time – and each one, in a typical enterprise application, can span megabytes or gigabytes (in cases of file downloads).

Imagine a large data file or application content as a complete photograph carved into a jigsaw puzzle of packets, which, in turn, is sent and received at the corporate server in random order. The application proxy scanner takes each piece of the puzzle, copies it onto a separate buffer file and holds all of the pieces in that file until the entire jigsaw puzzle can be reassembled – and only then is it scanned for any threats. A proxy-based solution cannot “infer” what the photograph looks like until it is reassembled, or it risks missing key elements of the picture.

As a result of proxy-based DPI, CPU cycles are spent on buffering versus other tasks, and the CPU has to multi-task and prioritize between several files already buffered for scanning. This introduces very high latency for proxy-based solutions, compounded by ever-increasing amounts of network traffic containing rich content and multiple applications. Because application proxies are application-specific, an unknown application creates a potential security loophole or compatibility issue.

Against a backdrop of continually expanding social media usage in business computing, application proxies are not highly scalable. Thus, application proxies present definite implementation challenges when trying to achieve robust security and effective performance.

In contrast, stream-based DPI scans the jigsaw puzzle pieces in order of arrival. There is no limit to the file size – no buffering of packets (except for out-of-order case) until they can all be scanned at once. It deems the photograph ‘threat-free’ once it scans the last jigsaw piece, without the need for reassembly. Multiply that capability across the typical flow of network traffic, and the performance benefits of the stream-based approach are easy to grasp. Stream-based DPI is a very low-latency approach and speaks directly to ‘need for speed’ in network performance. The ability of stream-based DPI to support all communications protocols (not just HTTP/HTTPS, SMTP and FTP) gives it a scalability advantage as well. This makes stream-based DPI not only faster, but easier to deploy, manage and update.

As far as security differences, stream-based scanning is more secure when scanning for threats in real-world deployment scenarios. For example, because proxy-based solutions have to buffer content completely, there is never enough memory on the device to buffer all content that is downloaded concurrently by all users on the network. The increasingly large file sizes involved in enterprise applications further compounds the problem. Proxy-based solutions have to skip scanning some or most of the downloaded content.

But can a stream-based DPI solution truly scale across all file types – again, driven by the almost-daily introduction of new social media applications and enterprise app modules? One of the biggest misperceptions about a stream-based approach is that it is less secure than proxy-based, particularly for file formats that require full buffering before being decompressed. The real-world implementation of high-quality stream-based solutions has demonstrated that they are indeed capable of decompressing most common compression formats without reassembly.

As with any business approach to network security, it is important that stream-based solutions are developed in conjunction with a knowledgeable and capable in-house security research team. It is always better to have your own in-house team do security research and signature development, rather than have third parties develop signatures for you and not being aware of how threats really spread in the wild. But with a strong vendor–customer partnership that ensures the broadest possible protocol support and insight into the real nature of potential threats, a stream-based DPI solution can actually align both speed and security concerns in a meaningful way.


Andrew Walker-Brown CISSP, CEH, has over 18 years of experience in the IT industry, with over seven years of this time based at SonicWALL, where he is the systems engineering manager for Northern Europe, Middle East and Africa. He has maintained this role for the last four years and manages a team of five sales engineers across his region and has responsibility for their recruitment, team development and training.

Before working for SonicWALL, Walker-Brown held various IT positions, including technical director and co-owner of Blue River Systems in Guildford (UK) for two years. Previous to this, he maintained a role as a pre-sales consultant at IKON responsible for new business development and account management. Before this, Walker-Brown had several technical roles in Sheffield and Salford, after graduating from the University of Hertfordshire with a BSc (Hons) in computer science.

When he’s not working, he enjoys Scuba diving, motor sport and engineering, DIY and playing the piano.

What’s hot on Infosecurity Magazine?