dss itsec 2013 conference 07.11.2013 - ipoque traffic management
DESCRIPTION
Presentation from one of the remarkable IT Security events in the Baltic States organized by “Data Security Solutions” (www.dss.lv). The event took place in Riga on 7 November 2013 and was visited by more than 400 participants at the venue and more than 300 via online live streaming.
TRANSCRIPT
DEEP PACKET INSPECTION (DPI) AS A SOLUTION TO MANAGING
SECURITY THREATS
Ian Betteridge
November 2013
THE SECURITY CHALLENGE
• More sophisticated and effective cyber attacks mean traditional security solutions (e.g. firewall, IDS/IPS, UTM) are struggling to cope.
• Need flexible and customized security policy control for real pro-active cyber-defense, especially to meet the high security needs of the government sector.
PRE-PROCESSING
• Defragmentation Engine
• Packet Re-ordering
• Connection subscriber tracking
• L3 encapsulation
CLASSIFICATION
• Protocol
• Protocol group
• Sub protocol
• Application
METADATA EXTRACTION
• Traffic statistics
• Users/Subscribers’ statistics
• QoS parameters
EXTRA FEATURES
• OS detection
• Client-Server identification
• Tethering detection
• Ads detection
• Custom defined protocol
• Fast Path
IPOQUE PACE = STATE OF THE ART DPI
• We use a variety of analysis techniques to reliably detect network protocols:
• Pattern matching
• Finite state machine
• Behavioral & heuristic analyses
• Lengths checks
• Frequency of packet sending/receiving
• Amount of connections opened by a single subscriber
• Encryption usage
PACE – HOW WE DO DPI
PRE-PROCESSING
Key Benefits
• Accuracy
• Flexibility
• High performance
PRE PROCESSING IMPROVES ACCURACY AND RATE OF CLASSIFICATION
• Defragmentation Engine
• Packet Re-ordering
• Connection subscriber tracking
• L3 encapsulation
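Added example (not ipoque's code): the packet re-ordering step from the pre-processing list, shown as TCP segment reassembly. Out-of-order and retransmitted segments are constructed inline; matching a protocol signature on whichever segment arrives first fails, while matching on the reassembled stream succeeds. IP defragmentation follows the same principle (order fragments by offset, drop duplicates, stop at a gap). The flow tuple, sequence numbers and payloads are constructed sample values.

```python
# Added example, not PACE code: TCP segment re-ordering as a DPI
# pre-processing step. All segments below are constructed samples.
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    flow: tuple          # (src_ip, src_port, dst_ip, dst_port), constructed
    seq: int             # TCP sequence number of the first payload byte
    payload: bytes


def reassemble(segments, isn):
    """Order segments by sequence number, drop duplicates and already
    covered bytes, and return the contiguous stream starting at isn.
    Stops at the first gap (a segment that has not arrived yet)."""
    stream = bytearray()
    expected = isn
    for seg in sorted(segments, key=lambda s: s.seq):
        if seg.seq + len(seg.payload) <= expected:
            continue                      # full duplicate / retransmission
        if seg.seq > expected:
            break                         # gap: stream is not contiguous
        offset = expected - seg.seq       # trim an overlapping prefix
        stream += seg.payload[offset:]
        expected += len(seg.payload) - offset
    return bytes(stream)


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ")


def looks_like_http(data):
    """Minimal pattern match for an HTTP request line."""
    return data.startswith(HTTP_METHODS) and b"\r\n" in data


# Constructed out-of-order delivery: the request line arrives before "GET ",
# and one segment is retransmitted.
FLOW = ("10.0.0.5", 51234, "93.184.216.34", 80)
SEGMENTS = [
    Segment(FLOW, 1005, b"/index.html HTTP/1.1\r\n"),
    Segment(FLOW, 1001, b"GET "),
    Segment(FLOW, 1005, b"/index.html HTTP/1.1\r\n"),   # duplicate
    Segment(FLOW, 1027, b"Host: example.com\r\n\r\n"),
]


def classify_per_packet(segments):
    """Naive approach: match the signature on the first segment seen."""
    return "HTTP" if looks_like_http(segments[0].payload) else "unclassified"


def classify_reassembled(segments, isn=1001):
    """Pre-processed approach: reassemble first, then match."""
    return "HTTP" if looks_like_http(reassemble(segments, isn)) else "unclassified"


if __name__ == "__main__":
    print("per packet :", classify_per_packet(SEGMENTS))
    print("reassembled:", classify_reassembled(SEGMENTS))
```

The per-packet classifier misses the request because the signature is split across segments that arrived out of order; reassembly restores the byte order the application layer sees, which is why re-ordering and defragmentation sit in front of the classifier.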
CLASSIFICATION
Protocol
• Flash (Group Streaming)
• HTTP (Group Web)
Sub Protocol
• Media
Application
• YouTube (Group Streaming)
Protocol History
www.ipoque.com/sites/default/files/mediafiles/documents/data-sheet-supported-protocols.pdf
CLASSIFICATION
METADATA EXTRACTION
Examples
• User ID
• IP address
• Time and date of login/off
• Host
• User agent
• Email: subject, body, sender, receiver, attachment etc.
• File transfer: sender, receiver, login, attachment etc.
METADATA EXTRACTION
METADATA OUTPUT NORMALIZATION
Applications of the same type produce the same Class Events:
- i.e. each webmail has a different look and feel and a proprietary structure
- PACE solution: normalize all required fields in a unified format
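Added example (not PACE code): normalizing the metadata of two webmail services with different proprietary structures into one unified "email" class event. Both service formats, their field names and the message contents are constructed for the example; the unified field set (timestamp, subject, from, to, cc, bcc) follows the metadata example on the slides.

```python
# Added example, not PACE code: two constructed webmail formats -> one class event.
import json
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import parse_qs

# Constructed sample: service A sends a JSON body with its own field names
# and an epoch timestamp.
SERVICE_A_BODY = json.dumps({
    "hdr": {"subj": "Q4 budget", "sndr": "alice@example.com",
            "rcpt": ["bob@example.com"], "cc": ["carol@example.com"],
            "ts": 1383811200}
})
# Constructed sample: service B sends form-encoded fields with an RFC 2822 date.
SERVICE_B_BODY = ("Subject=Q4+budget&From=alice%40example.com"
                  "&To=bob%40example.com%2Cdave%40example.com"
                  "&Bcc=eve%40example.com"
                  "&Date=Thu%2C+07+Nov+2013+10%3A00%3A00+%2B0200")


def _iso_utc(dt):
    """Unified timestamp format: ISO 8601 in UTC."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_service_a(body):
    h = json.loads(body)["hdr"]
    return {
        "timestamp": _iso_utc(datetime.fromtimestamp(h["ts"], tz=timezone.utc)),
        "subject": h["subj"],
        "from": h["sndr"],
        "to": list(h.get("rcpt", [])),
        "cc": list(h.get("cc", [])),
        "bcc": list(h.get("bcc", [])),
    }


def parse_service_b(body):
    q = parse_qs(body)

    def addrs(key):  # comma-separated address list -> list of addresses
        return [a.strip() for v in q.get(key, []) for a in v.split(",") if a.strip()]

    return {
        "timestamp": _iso_utc(parsedate_to_datetime(q["Date"][0])),
        "subject": q.get("Subject", [""])[0],
        "from": q.get("From", [""])[0],
        "to": addrs("To"), "cc": addrs("Cc"), "bcc": addrs("Bcc"),
    }


# One parser per application; every parser yields the same unified keys.
PARSERS = {"webmail-a": parse_service_a, "webmail-b": parse_service_b}


def email_class_event(application, body):
    """Return the normalized 'email' class event for a recognised webmail."""
    event = PARSERS[application](body)
    event["application"] = application
    event["class"] = "email"
    return event


if __name__ == "__main__":
    print(email_class_event("webmail-a", SERVICE_A_BODY))
    print(email_class_event("webmail-b", SERVICE_B_BODY))
```

The consumer of the events (a policy engine or a SIEM) only ever sees the unified keys, so adding a third webmail means adding one parser, not changing every downstream rule.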
METADATA EXAMPLE
(Figure: normalized email fields shown as TIMESTAMP, SUBJECT, TO (CC/BCC), FROM)
EXTRA FEATURES
Optimization features
• Dynamic upgrades
• SMP support
• Fast path
EXTRA FEATURES
Extra features
• OS detection
• Client-Server identification
• Tethering detection
• Advertising detection
• Custom defined protocols
• Use application pre-filtering to recognize threats in adaptable flexible way
• Improve security intelligence to qualify and block an attack in real-time
• Gain efficiency by focusing only on real security threats
• Stay current with dynamic changes in protocols and applications
• Supports recognition of your custom-defined apps and protocols
• Granular customization of security policy rules
SECURITY BENEFITS IN USING DPI
USING PACE AS A SECOND LINE OF DEFENSE
(Figure: Cyber attacks; Off the Shelf Security Products: Anti-Spam, anti-virus, anti-malware, firewall, DLK; PACE DPI Cyber Defense Solution; Critical Infrastructure)
HOW PACE ENSURES ACCURACY
(Figure: classification confidence rises as more parameters are checked)
• Looking for parameters a, b and c: 80%
• Looking for parameters d, e, f and g: 97%
• Looking for parameters x and y: 100%
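Added example (not ipoque's PACE code) serving two slides: the analysis techniques listed under "IPOQUE PACE = STATE OF THE ART DPI" (pattern matching, finite state machine, length checks, encryption heuristics, connections per subscriber) and the staged accuracy figure above. It is a toy flow classifier that raises its confidence in stages as more parameters match. Mapping stage 1 to pattern matching, stage 2 to the state machine and stage 3 to length/entropy heuristics is an assumption made for the example; the 80/97/100 values are taken from the slide; all packets are constructed byte strings, not captures.

```python
# Added example, not PACE code: staged DPI flow classification.
import math
from collections import defaultdict

CONFIDENCE = {0: 0, 1: 80, 2: 97, 3: 100}   # stage -> %, figures from the slide


def entropy(data):
    """Shannon entropy in bits per byte (8.0 = uniformly random)."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_tls_handshake(payload, handshake_type):
    # record type 0x16 = handshake; byte 5 is the handshake message type
    return payload[:1] == b"\x16" and len(payload) > 5 and payload[5] == handshake_type


def is_http_request(payload):
    return payload.startswith((b"GET ", b"POST ", b"HEAD ")) and b" HTTP/1." in payload


class Flow:
    """One connection: `state` drives the FSM, `stage` the confidence step."""
    def __init__(self, subscriber):
        self.subscriber = subscriber
        self.protocol = "unclassified"
        self.state = "new"
        self.stage = 0

    def feed(self, payload, from_client):
        s = self.state
        if s == "new" and from_client:                    # stage 1: pattern matching
            if is_tls_handshake(payload, 1):              # ClientHello
                self.protocol, self.state, self.stage = "TLS", "client_hello", 1
            elif is_http_request(payload):
                self.protocol, self.state, self.stage = "HTTP", "request", 1
            else:
                self.state = "unknown"
        elif s == "client_hello" and not from_client:     # stage 2: state machine
            if is_tls_handshake(payload, 2):              # ServerHello must follow
                self.state, self.stage = "server_hello", 2
            else:
                self.protocol, self.state, self.stage = "unclassified", "unknown", 0
        elif s == "request" and not from_client:
            if payload.startswith(b"HTTP/1."):
                self.state, self.stage = "response", 2
            else:
                self.protocol, self.state, self.stage = "unclassified", "unknown", 0
        elif s == "server_hello" and payload[:1] == b"\x17":   # stage 3: heuristics
            # length check: the record length field must match the bytes on the
            # wire, and encrypted application data should look near-random
            record_len = int.from_bytes(payload[3:5], "big")
            if record_len == len(payload) - 5 and entropy(payload[5:]) > 6.0:
                self.state, self.stage = "app_data", 3
        elif s == "response" and from_client and is_http_request(payload):
            self.state, self.stage = "keepalive", 3       # second request cycle
        return self.protocol, CONFIDENCE[self.stage]


class Classifier:
    def __init__(self, max_unknown_per_subscriber=3):
        self.flows = {}
        self.connections = defaultdict(int)   # connections opened per subscriber
        self.max_unknown = max_unknown_per_subscriber

    def packet(self, flow_id, subscriber, payload, from_client):
        flow = self.flows.get(flow_id)
        if flow is None:
            flow = self.flows[flow_id] = Flow(subscriber)
            self.connections[subscriber] += 1
        proto, conf = flow.feed(payload, from_client)
        # behavioural heuristic: many unrecognised, high-entropy connections from
        # one subscriber are reported as encrypted-unknown instead of left blank
        if (proto == "unclassified" and entropy(payload) > 7.0
                and self.connections[subscriber] > self.max_unknown):
            return "encrypted-unknown", CONFIDENCE[1]
        return proto, conf


# Constructed packets (not real captures)
CLIENT_HELLO = b"\x16\x03\x01\x00\x2a\x01" + bytes(41)
SERVER_HELLO = b"\x16\x03\x03\x00\x2a\x02" + bytes(41)
APP_DATA = b"\x17\x03\x03" + (256).to_bytes(2, "big") + bytes(range(256))
HTTP_REQ = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
HTTP_RESP = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
NOISE = bytes((i * 73 + 11) % 256 for i in range(200))   # high entropy, no signature


def demo():
    c = Classifier()
    tls = [c.packet("f1", "sub-1", CLIENT_HELLO, True),
           c.packet("f1", "sub-1", SERVER_HELLO, False),
           c.packet("f1", "sub-1", APP_DATA, True)]
    http = [c.packet("f2", "sub-1", HTTP_REQ, True),
            c.packet("f2", "sub-1", HTTP_RESP, False),
            c.packet("f2", "sub-1", HTTP_REQ, True)]
    noise = [c.packet(f"n{i}", "sub-2", NOISE, True) for i in range(4)]
    return tls, http, noise


if __name__ == "__main__":
    for name, result in zip(("TLS", "HTTP", "noise"), demo()):
        print(name, result)
```

Each packet returns the current (protocol, confidence) pair, so a policy engine can act on a provisional 80% match immediately and tighten the rule once the flow reaches 97% or 100%; a flow whose server reply contradicts the first-packet signature falls back to unclassified rather than keeping a false positive.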
PACE DETECTION RATE
All Network Elements: Protocol Groups
• 71% Web Protocols
• 22% Streaming Protocols
• 3% Unclassified Traffic
• 1% VoIP Protocols
• 1% P2P Protocols
• 2% Other
Over 95% detection rate
2,000+ Applications and Protocols recognised
Max. concurrent connections | Average packet size (Bytes) | Top 5 Protocols                      | Gbps/core
418.720                     | 569                         | HTTP, FLASH, BITTORRENT, MPEG, SKYPE | 3,4
71.191                      | 523                         | HTTP, SSL, RTP, FLASH, OPENVPN       | 5,6

Test Conditions:
• Hardware: i3-2120 CPU @ 3.30GHz
• All applications enabled
• All features enabled
PACE PERFORMANCE TEST RESULTS
• Fast Performance
• High frequency of protocol and DPI engine updates
• High classification accuracy (no false positives)
• Low processor to memory consumption ratio
• Support for over 500 protocols
• Support for thousands of applications
PACE STRENGTHS AS A DPI SOLUTION