One Article Review

Home - The article:
Source AlienVault Blog
Identifier 1952439
Publication date 2020-10-02 18:12:00 (viewed: 2020-10-02 19:06:35)
Title Deep packet inspection explained
Text What is deep packet inspection?

Deep packet inspection (DPI) refers to the method of examining the full content of data packets as they traverse a monitored network checkpoint. Whereas conventional forms of stateful packet inspection only evaluate packet header information, such as source IP address, destination IP address, and port number, deep packet inspection looks at a fuller range of data and metadata associated with individual packets. Deep packet inspection will not only scrutinize the information in the packet header, but also the content contained within the payload of the packet.

The rich data evaluated by deep packet inspection provides a more robust mechanism for enforcing network packet filtering, as DPI can be used to more accurately identify and block a range of complex threats hiding in network data streams, including:
- Malware
- Data exfiltration attempts
- Content policy violations
- Criminal command and control communications

Deep packet inspection capabilities have evolved to overcome the limitations of traditional firewalls that rely upon stateful packet inspection. To understand the advancement offered by deep packet inspection, think of it in terms of airport security. Stateful packet filtering would be like validating the safety of baggage by checking luggage tags to make sure the origination and destination airports match up against the flight numbers on record. In contrast, filtering using deep packet inspection would be more like examining bags through an x-ray to ensure there's nothing dangerous inside before routing them to their proper flights.

Use cases for deep packet inspection

Analysis of traffic flows through deep packet inspection opens up a range of new and improved security use cases.

Blocking malware

When paired with threat detection algorithms, deep packet inspection can be used to block malware before it compromises endpoints and other network assets. This means it can help filter out activity from ransomware, viruses, spyware, and worms. More broadly, it also provides visibility across the network that can be analyzed through heuristics to identify abnormal traffic patterns and alert security teams to malicious behavior indicative of existing compromises.

Stopping data leaks

Deep packet inspection can be used not only for inbound traffic, but also for outbound network activity. This means organizations can use that analysis to set filters that stop data exfiltration attempts by external attackers or potential data leaks caused by both malicious and negligent insiders.

Content policy enforcement

The added application visibility afforded by deep packet inspection allows organizations to block or throttle access to risky or unauthorized applications, such as peer-to-peer downloaders. Similarly, the deeper analysis from DPI opens the path for organizations to block policy-violating usage patterns or prevent unauthorized data access within corporate-approved applications.

Benefits and challenges of DPI

The added visibility provided by DPI's probing analysis helps IT teams enforce more comprehensive and detailed cybersecurity policies. This is why many firewall vendors have added it to their feature lists over the years. However, many organizations have found that enabling DPI in firewall appliances often introduces unacceptable network bottlenecks and performance degradation. First of all, these on-premises appliances are tied to corporate networks and require organizations to backhaul traffic from remote users through this infrastructure so that packets pass through DPI inspection checkpoints. This introduces tremendous latency for this growing body of users and is increasingly unworkable as so many companies have been forced to support completely distributed workforces. What's more, these performance issues are likely to s
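The header-only versus payload inspection contrast described in the article, as an added example (not code from the original post or from AlienVault): a small Python model that parses constructed IPv4/TCP packets, applies a stateful-style rule on header fields alone, and then a DPI rule that also scans the payload for constructed signatures matching the three use cases above (an exfiltration marker, a command-and-control beacon, and peer-to-peer traffic on an otherwise allowed port). All addresses, signatures and packet contents are constructed, and the example assumes the payload is visible in the clear.

```python
import struct

# Constructed IPv4+TCP packet builder (checksums left at zero; sample data only).
def build_packet(src, dst, sport, dport, payload):
    total = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload

def parse_packet(raw):
    ihl = (raw[0] & 0x0F) * 4                       # IPv4 header length in bytes
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    doff = (raw[ihl + 12] >> 4) * 4                 # TCP data offset in bytes
    return {"src": ".".join(map(str, raw[12:16])), "dst": ".".join(map(str, raw[16:20])),
            "proto": raw[9], "sport": sport, "dport": dport, "payload": raw[ihl + doff:]}

# Stateful-style rule: decides on header fields only (protocol, source, destination port).
def header_filter(pkt):
    if pkt["proto"] == 6 and pkt["src"].startswith("10.0.0.") and pkt["dport"] in (80, 443):
        return "allow"
    return "block (header rule)"

# DPI adds payload inspection; these signatures are constructed for the article's use cases.
SIGNATURES = {
    b"X-Internal-Label: CONFIDENTIAL": "data exfiltration marker",
    b"User-Agent: ConstructedBeacon/1.0": "command-and-control beacon",
    b"BitTorrent protocol": "peer-to-peer policy violation",
}

def dpi_filter(pkt):
    verdict = header_filter(pkt)                     # header rules still apply first
    if verdict == "allow":
        for sig, label in SIGNATURES.items():
            if sig in pkt["payload"]:
                return f"block ({label})"
    return verdict

def classify(raw):  # returns (header-only verdict, DPI verdict) for one raw packet
    pkt = parse_packet(raw)
    return header_filter(pkt), dpi_filter(pkt)

SAMPLES = {  # constructed traffic from inside host 10.0.0.5 to 203.0.113.10
    "normal": build_packet("10.0.0.5", "203.0.113.10", 40001, 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    "exfil": build_packet("10.0.0.5", "203.0.113.10", 40002, 80, b"POST /up HTTP/1.1\r\nX-Internal-Label: CONFIDENTIAL\r\n\r\n"),
    "beacon": build_packet("10.0.0.5", "203.0.113.10", 40003, 80, b"GET /p HTTP/1.1\r\nUser-Agent: ConstructedBeacon/1.0\r\n\r\n"),
    "p2p": build_packet("10.0.0.5", "203.0.113.10", 40004, 443, b"\x13BitTorrent protocol"),
    "badport": build_packet("10.0.0.5", "203.0.113.10", 40005, 6881, b"\x13BitTorrent protocol"),
}
```

Calling `classify(SAMPLES["exfil"])` returns `("allow", "block (data exfiltration marker)")`: the header-only rule passes the packet because its 5-tuple looks like ordinary web traffic, and only the payload scan catches it.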
Sent Yes
Tags Malware Threat


The article does not appear to have been picked up after its publication.


The article does not appear to be a repost of an earlier one.