Published on November 13, 2013
DEEP PACKET INSPECTION (DPI) AS A SOLUTION TO MANAGING SECURITY THREATS
Ian Betteridge
November 2013
THE SECURITY CHALLENGE
• More sophisticated and effective cyber attacks mean that traditional security solutions (e.g. firewall, IDS/IPS, UTM) are struggling to cope.
• Flexible and customized security policy control is needed for real pro-active cyber defense, especially to meet the high security needs of the government sector.
IPOQUE PACE = STATE OF THE ART DPI

PREPROCESSING
• Defragmentation Engine
• Packet Re-ordering
• Connection subscriber tracking
• L3 encapsulation

CLASSIFICATION
• Protocol
• Protocol group
• Sub protocol
• Application
• Custom defined protocol

METADATA EXTRACTION
• Traffic statistics
• Users/Subscribers’ statistics
• QoS parameters

EXTRA FEATURES
• OS detection
• Client-Server identification
• Tethering detection
• Ads detection
• Fast Path
PACE – HOW WE DO DPI
• We use a variety of analysis techniques to reliably detect network protocols:
  • Pattern matching
  • Finite state machine
  • Behavioral & heuristic analyses:
    • Length checks
    • Frequency of packet sending/receiving
    • Amount of connections opened by a single subscriber
    • Encryption usage
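The following is an added example and not ipoque's PACE code: a toy flow classifier that combines the techniques listed on this slide. Byte-pattern matching identifies a candidate protocol from the first client packet, a finite state machine (start, candidate, confirmed) requires the server's reply to match before the label is trusted, a length check validates the TLS record header, an entropy heuristic flags likely encrypted traffic that matched no signature, and a per-subscriber connection count catches clients opening too many flows. The signatures, thresholds, protocol names and sample packets are simplified assumptions constructed for the example.

```python
import math
import re
import string
from collections import Counter
from dataclasses import dataclass

# Added example, not ipoque's PACE code. Signatures and thresholds are
# simplified assumptions; the sample flows below are constructed, not captured.

@dataclass
class Packet:
    src: str          # sender IP (client IP for from_client packets)
    dst: str
    dport: int
    payload: bytes
    from_client: bool

# Pattern matching: signatures for the first client packet of a flow.
CLIENT_SIGNATURES = {
    "http": re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n"),
    "ssl": re.compile(rb"^\x16\x03[\x00-\x03].{2}\x01", re.DOTALL),   # TLS ClientHello
    "bittorrent": re.compile(rb"^\x13BitTorrent protocol"),
}
# The server reply that confirms the candidate (second FSM step).
SERVER_SIGNATURES = {
    "http": re.compile(rb"^HTTP/1\.[01] \d{3} "),
    "ssl": re.compile(rb"^\x16\x03[\x00-\x03].{2}\x02", re.DOTALL),   # TLS ServerHello
    "bittorrent": re.compile(rb"^\x13BitTorrent protocol"),
}

def tls_length_ok(payload: bytes) -> bool:
    """Length check: the TLS record header must declare exactly the bytes that follow.
    (A real engine reassembles records split across segments; this assumes one segment.)"""
    return len(payload) >= 5 and int.from_bytes(payload[3:5], "big") == len(payload) - 5

def looks_encrypted(payload: bytes) -> bool:
    """Heuristic for encryption usage: near-maximal byte entropy and few printable bytes."""
    n = len(payload)
    if n < 32:
        return False
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(payload).values())
    printable = sum(b in string.printable.encode() for b in payload) / n
    return entropy >= 0.95 * math.log2(min(n, 256)) and printable < 0.5

def classify_flow(packets: list) -> tuple:
    """Finite state machine over the first packets: start -> candidate -> confirmed.
    Returns (protocol label, FSM state reached)."""
    state, label = "start", "unclassified"
    for pkt in packets[:4]:                       # fast path: only the first few packets
        if state == "start" and pkt.from_client:
            for name, sig in CLIENT_SIGNATURES.items():
                if sig.match(pkt.payload) and (name != "ssl" or tls_length_ok(pkt.payload)):
                    state, label = "candidate", name
                    break
            else:
                if looks_encrypted(pkt.payload):
                    state, label = "candidate", "encrypted-unknown"
        elif state == "candidate" and not pkt.from_client:
            if label in SERVER_SIGNATURES and SERVER_SIGNATURES[label].match(pkt.payload):
                state = "confirmed"
    return label, state

def subscribers_over_limit(flows: list, max_connections: int) -> list:
    """Behavioural check: subscribers that opened more flows than allowed."""
    counts = Counter(flow[0].src for flow in flows if flow)
    return sorted(ip for ip, n in counts.items() if n > max_connections)

# Constructed sample flows.
HTTP_FLOW = [
    Packet("10.0.0.1", "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n", True),
    Packet("192.0.2.10", "10.0.0.1", 80, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n", False),
]
TLS_FLOW = [
    Packet("10.0.0.1", "192.0.2.20", 443, b"\x16\x03\x01\x00\x08" + b"\x01\x00\x00\x04\x03\x03\xaa\xbb", True),
    Packet("192.0.2.20", "10.0.0.1", 443, b"\x16\x03\x03\x00\x08" + b"\x02\x00\x00\x04\x03\x03\xcc\xdd", False),
]
OPAQUE_FLOW = [Packet("10.0.0.2", "192.0.2.30", 5555, bytes(range(128, 192)), True)]
SHORT_FLOW = [Packet("10.0.0.1", "192.0.2.40", 7, b"hello", True)]

if __name__ == "__main__":
    for flow in (HTTP_FLOW, TLS_FLOW, OPAQUE_FLOW, SHORT_FLOW):
        print(classify_flow(flow))
    print(subscribers_over_limit([HTTP_FLOW, TLS_FLOW, OPAQUE_FLOW, SHORT_FLOW], 2))
```

The FSM is what separates a signature hit from a classification: a single matching client packet only yields a candidate, and the label is confirmed once the peer's reply also fits the protocol, which is the same idea as the slide's staged "looking for more parameters" accuracy model.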
PREPROCESSING IMPROVES ACCURACY AND RATE OF CLASSIFICATION
Preprocessing:
• Defragmentation Engine
• Packet Re-ordering
• Connection subscriber tracking
• L3 encapsulation
Key Benefits:
• Accuracy
• Flexibility
• High performance
CLASSIFICATION
Protocol History
Classification:
• Protocol: Flash (Group Streaming), HTTP (Group Web)
• Sub Protocol: Media
• Application: YouTube (Group Streaming)
Supported protocols: www.ipoque.com/sites/default/files/mediafiles/documents/data-sheet-supported-protocols.pdf
METADATA EXTRACTION
Examples:
• User ID
• IP address
• Time and date of login/logoff
• Host
• User agent
• Email: subject, body, sender, receiver, attachment etc.
• File transfer: sender, receiver, login, attachment etc.
METADATA OUTPUT NORMALIZATION
Applications of the same type produce the same Class Events:
- Each webmail has a different look and feel and a proprietary structure.
- PADE Solution: normalize all required fields into a unified format: FROM, TO (CC/BCC), SUBJECT, TIMESTAMP, …
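To make the normalization step concrete, here is an added example (not ipoque PACE/PADE code) that maps two constructed webmail record layouts with different field names and date formats onto one Class Event carrying the fields named on the slide (FROM, TO, CC/BCC, SUBJECT, TIMESTAMP). The two "apps", their field names and the sample records are hypothetical; addresses are lower-cased and timestamps are converted to UTC so that downstream rules can compare events regardless of which webmail produced them.

```python
from datetime import datetime, timezone
from email.utils import getaddresses, parsedate_to_datetime
from urllib.parse import parse_qs

# Added example, not ipoque PACE/PADE code. The two webmail layouts below
# (field names, date formats) are hypothetical; sample records are constructed.

# Unified Class Event layout shared by every webmail normalizer.
CLASS_EVENT_FIELDS = ("app", "from", "to", "cc", "bcc", "subject", "timestamp")

def _addresses(value) -> list:
    """Normalize a free-form recipient string ("Name <a@b>; c@d, ...") to bare lower-case addresses."""
    if not value:
        return []
    pairs = getaddresses([value.replace(";", ",")])
    return [addr.lower() for _, addr in pairs if addr]

def _iso_utc(dt: datetime) -> str:
    """Render an aware datetime as ISO 8601 in UTC."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def _event(app, sender, to, cc, bcc, subject, ts) -> dict:
    """Build the Class Event; key order matches CLASS_EVENT_FIELDS."""
    return {
        "app": app,
        "from": (_addresses(sender) or [None])[0],
        "to": _addresses(to),
        "cc": _addresses(cc),
        "bcc": _addresses(bcc),
        "subject": (subject or "").strip(),
        "timestamp": _iso_utc(ts),
    }

def normalize_webmail_a(raw: dict) -> dict:
    """Hypothetical app A: JSON-like object, semicolon-separated recipients, epoch seconds."""
    ts = datetime.fromtimestamp(raw["sent_epoch"], tz=timezone.utc)
    return _event("webmail-a", raw.get("sender"), raw.get("recipients"),
                  raw.get("copy_to"), raw.get("hidden_recipients"), raw.get("title"), ts)

def normalize_webmail_b(body: str) -> dict:
    """Hypothetical app B: form-encoded POST body with an RFC 2822 date string."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    ts = parsedate_to_datetime(form["date"])      # aware datetime (offset from the header)
    return _event("webmail-b", form.get("from"), form.get("to"), form.get("cc"),
                  form.get("bcc"), form.get("subj"), ts)

# Constructed sample records.
SAMPLE_A = {
    "sender": "Alice Example <Alice@Example.org>",
    "recipients": "bob@example.net; carol@example.net",
    "hidden_recipients": "dave@example.net",
    "title": " Q4 report ",
    "sent_epoch": 1384337700,                    # 2013-11-13 10:15:00 UTC
}
SAMPLE_B = ("from=bob@example.net&to=alice@example.org,carol@example.net&cc=&"
            "subj=Re: Q4 report&date=Wed, 13 Nov 2013 12:30:00 %2B0100")

if __name__ == "__main__":
    for event in (normalize_webmail_a(SAMPLE_A), normalize_webmail_b(SAMPLE_B)):
        print(event)
```

Both normalizers funnel through `_event`, so a new webmail only needs a small mapping function and every consumer keeps seeing the same keys in the same order.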
EXTRA FEATURES
Extra features:
• OS detection
• Client-Server identification
• Tethering detection
• Advertising detection
• Custom defined protocols
Optimization features:
• Dynamic upgrades
• SMP support
• Fast path
SECURITY BENEFITS IN USING DPI
• Use application pre-filtering to recognize threats in an adaptable, flexible way
• Improve security intelligence to qualify and block an attack in real time
• Gain efficiency by focusing only on real security threats
• Stay current with dynamic changes in protocols and applications
• Support recognition of your custom-defined apps and protocols
• Granular customization of security policy rules
USING PACE AS A SECOND LINE OF DEFENSE
Cyber attacks → Off the Shelf Security Products (Anti-Spam, anti-virus, anti-malware, firewall, DLK) → PACE DPI / Cyber Defense Solution → Critical Infrastructure
HOW PACE ENSURES ACCURACY
Classification confidence rises as more parameters are checked:
• Looking for parameters a, b and c: 80%
• Looking for parameters d, e, f and g: 97%
• Looking for parameters x and y: 100%
PACE DETECTION RATE
All Network Elements: Protocol Groups
• Web Protocols: 71%
• Streaming Protocols: 22%
• Unclassified Traffic: 3%
• Other: 2%
• VoIP Protocols: 1%
• P2P Protocols: 1%
Over 95% detection rate; 2,000+ Applications and Protocols recognised
PACE PERFORMANCE TEST RESULTS
Max. concurrent connections | Average packet size (Bytes) | Top 5 Protocols                      | Gbps/core
418,720                     | 569                         | HTTP, FLASH, BITTORRENT, MPEG, SKYPE | 3.4
71,191                      | 523                         | HTTP, SSL, RTP, FLASH, OPENVPN       | 5.6
Test Conditions:
• Hardware: i3-2120 CPU @ 3.30GHz
• All applications enabled
• All features enabled
PACE STRENGTHS AS A DPI SOLUTION
• Fast performance
• High frequency of protocol and DPI engine updates
• High classification accuracy (no false positives)
• Low processor to memory consumption ratio
• Support for over 500 protocols
• Support for thousands of applications
THANK YOU!
Ian Betteridge
Ian.firstname.lastname@example.org
Phone +49 341 594030
Fax +49 341 59403019