
Streaming vs. proxy deep packet inspection

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

The evolving nature and delivery schemes of viruses, malware and spyware have radically changed the scope and best practices of network security. Data inspection at the application-content level is necessary to protect against sophisticated hacking schemes. In the pursuit of application-level protection, “deep packet inspection” (DPI) has become the preferred approach. There are two core DPI approaches: proxy-based and stream-based DPI.

Both focus on delivering robust network protection via application-level inspection and scanning. However, they have fundamentally different ways of solving the problem, each with a distinctly different impact upon network latency and performance.


Application proxies function by breaking the TCP/IP communication between a client and server when a request is passed. The application proxy receives and buffers the entire request, inspects the request and then creates a new connection to the server. This scheme inserts DPI between the endpoints of the connection and increases the level of network protection. However, proxy-based DPI works one application-level request or response at a time — and each one, in a typical enterprise application, can span megabytes or gigabytes (in cases of file downloads).

Imagine application content or a large data file as a complete photograph carved into a jigsaw puzzle of packets, which in turn is sent and received at corporate HQ. The application proxy scanner takes each piece of the puzzle, copies it into a separate buffer file and holds all of the pieces in that file until the entire jigsaw puzzle can be reassembled — and only then is it scanned for any threats. A proxy-based solution cannot “infer” what the photograph looks like until it is reassembled, or it risks missing key elements of the picture.

With proxy-based DPI, CPU cycles are spent on buffering rather than on other tasks, and the CPU has to multitask and prioritize among several files already buffered for scanning. This introduces very high latency for proxy-based solutions, compounded by ever-increasing amounts of network traffic containing rich content and multiple applications. Because application proxies are application-specific, an unknown application creates a potential security loophole or compatibility issue.
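As an added illustration (not code from the article or from any vendor's product), the following Python models the two inspection styles the article contrasts in the jigsaw-puzzle and buffering paragraphs above: a proxy-style scanner that buffers every packet of a request before scanning it once, and a stream-style scanner that scans each packet as it arrives. The signatures, the sample payload and the chunk size are constructed for this example. The carry-over (overlap) logic in the streaming scanner is this example's own assumption about how a stream engine avoids missing a pattern that is split across two packets; the article does not describe the internals of stream-based DPI.

```python
"""Toy comparison of proxy-style (buffer, reassemble, then scan) and
stream-style (scan each packet as it arrives) content inspection.
Added illustration; signatures and payload are constructed."""

from typing import Iterable, Iterator, Optional

# Constructed signatures standing in for a DPI engine's pattern set.
SIGNATURES = [b"EICAR-TEST-PATTERN", b"<script>evil()</script>"]

# Constructed sample: an HTTP request carrying a large file-like body with one
# signature buried a few thousand bytes in. Not captured from a real network.
SAMPLE = (
    b"GET /report.pdf HTTP/1.1\r\nHost: files.example\r\n\r\n"
    + b"%PDF-1.4 " + b"A" * 3000 + b"EICAR-TEST-PATTERN" + b"B" * 2000
)


def chunked(payload: bytes, size: int) -> Iterator[bytes]:
    """Cut the payload into the 'jigsaw pieces' (packets) the network delivers."""
    for i in range(0, len(payload), size):
        yield payload[i:i + size]


def proxy_scan(chunks: Iterable[bytes]) -> dict:
    """Proxy-based DPI: copy every piece into one buffer, reassemble the whole
    request, then scan it once. The verdict is only available after the last
    piece arrives, and the buffer grows to the full size of the request."""
    buffer = bytearray()
    count = 0
    for chunk in chunks:
        buffer.extend(chunk)
        count += 1
    matches = [s for s in SIGNATURES if s in buffer]
    return {"matches": matches, "peak_buffer": len(buffer), "verdict_after_chunk": count}


def stream_scan(chunks: Iterable[bytes], carry_over: bool = True) -> dict:
    """Stream-based DPI (assumed design): scan each piece on arrival, keeping
    only the last (longest signature - 1) bytes of the previous piece so that a
    pattern straddling a packet boundary is still seen in full. With
    carry_over=False the scanner inspects each piece in isolation and can miss
    a split signature; that mode is included only to show the failure."""
    carry_len = max(len(s) for s in SIGNATURES) - 1
    carry = b""
    peak = 0
    matches: list = []
    verdict_after: Optional[int] = None
    for idx, chunk in enumerate(chunks, start=1):
        window = carry + chunk
        peak = max(peak, len(window))
        for s in SIGNATURES:
            if s in window and s not in matches:
                matches.append(s)
                if verdict_after is None:
                    verdict_after = idx
        carry = window[-carry_len:] if carry_over else b""
    return {"matches": matches, "peak_buffer": peak, "verdict_after_chunk": verdict_after}


def compare(payload: bytes, chunk_size: int = 1460) -> dict:
    """Run both scanners over the same packet sequence and report side by side."""
    return {
        "proxy": proxy_scan(chunked(payload, chunk_size)),
        "stream": stream_scan(chunked(payload, chunk_size)),
    }


if __name__ == "__main__":
    for name, result in compare(SAMPLE).items():
        print(f"{name:6s} matches={result['matches']} "
              f"peak_buffer={result['peak_buffer']} "
              f"verdict_after_chunk={result['verdict_after_chunk']}")
```

Running `compare(SAMPLE)` with a 1460-byte chunk size shows the tradeoff the article describes: the proxy scanner holds all 5076 bytes and reaches a verdict only after the fourth and final chunk, while the streaming scanner never holds more than one chunk plus a 22-byte carry and flags the signature as soon as the third chunk arrives. The `carry_over=False` mode illustrates why a streaming engine needs state across packets: a signature split across two chunks is invisible to a scanner that looks at each packet alone.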

Against a backdrop of continually expanding social media usage in business computing, application proxies are not highly scalable. Thus, application proxies present definite implementation challenges against the two core — but not always harmonious — goals:

1. Protect critical business data from the most sophisticated threats, while still enabling the business to enjoy the productivity benefits of enterprise mobility, multiple devices and rich content.

2. Maintain that robust, comprehensive security capability against the tidal wave of employee demand and network usage – without causing significant performance issues.

Article source: http://www.networkworld.com/news/tech/2012/032612-deep-packet-inspection-257657.html?source=nww_rss
