Rise of Zero-Trust and SASE Shines New Spotlight on Deep Packet Inspection (DPI)
Guest blog post by Roy Chua, Founder and Principal of AvidThink
PART 2 OF 2
Build or Buy Your DPI
Security solution providers again face the age-old build-or-buy decision around DPI engines. In addition, because most traffic is now TLS-encrypted, TLS decryption is often deployed hand-in-hand with DPI to enable content inspection or more accurate classification, and so DPI engines often include TLS decryption functions.
As in the past, select vendors choose to build and maintain their own engines, viewing DPI as strategic and a key differentiator. Some of these vendors have been investing in their DPI for a decade or two, evolving from the NGFW vendors of the past into more comprehensive security providers today. They believe the ongoing investment provides differentiation and, thus, a lasting return on that investment.
Others view DPI as an essential function, but one that is best licensed from a best-of-breed vendor. They treat DPI as a licensable component, much like an operating system or a visualization library, and seek differentiation in unique and intelligent ways of using the classification and metadata output from the DPI engine. They create value by directing their investment to other product and service enhancements instead.
There’s no one correct answer. Those who choose to build need to ensure they can dedicate ongoing resources to developing and maintaining their application catalogs and classification techniques, including DNS and IP databases, and to research into AI/ML-assisted classification approaches. Given the ongoing evolution of the threat landscape, an ever-increasing number of applications, and the dynamic nature of where those applications are hosted (private data centers, public clouds, edge sites), the work can be significant even when starting from an open-source foundation.
Some organizations are concerned that using open source could give an advantage to attackers who have already studied these libraries and developed as-yet-unpublished zero-day exploits or evasion techniques. The more paranoid worry about sophisticated attackers contributing code to open-source projects that surreptitiously introduces hidden weaknesses.
Organizations that favor open source, however, believe an open approach results in fewer vulnerabilities because of the collaborative environment and the collective effort of developers worldwide reviewing contributions. Even with an open-source foundation, DPI R&D teams remain a sizable investment: they still need to track and add new protocols and applications and, importantly, require staff with unique and hard-to-recruit expertise.
Separately, those who decide to buy and license their DPI engines should understand the criteria for selecting the right engine.
Evaluating DPI Vendors
For those looking at licensing, in addition to the criteria already covered, there are further considerations: ease of library integration; deployment form factors (Linux container, SDK library, VM, etc.); performance and efficacy of the engine on the target platform (CPU alone, or CPU with a data processing unit (DPU) or SmartNIC); and support for acceleration frameworks such as the Data Plane Development Kit (DPDK) and Vector Packet Processing (VPP).
Beyond product capabilities, security vendors should look at the DPI vendor’s history and credibility in the market, whether it has a strong and reputable customer base, and the quality of its support and engineering services. Incorporating a DPI engine is a strategic decision, and companies must tread carefully.
We suggest verifying each vendor’s accuracy claims in protocol detection, ideally against a traffic corpus you captured and labeled yourself rather than the vendor’s own test set, and assessing the strength of its relationships with existing licensees (especially security vendors). If licensee references are available, reach out to them; we’ve found that security is a secretive arena, and few security vendors are willing to reveal their underlying solution components. Also, some DPI engines offer more than straight protocol and application identification, generating security metadata that can be used to detect attacks more rapidly or accurately. Finally, evaluate how the DPI solution integrates with or provides TLS decryption. Look for one that enables a seamless and efficient process, and ask how classification degrades when decryption is not possible: endpoints must trust the inspection CA, applications that pin certificates will refuse the forged one, and in those cases the engine has only the unencrypted handshake metadata (such as the server name) to work from.
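Verifying accuracy claims in practice means scoring the engine against a corpus you labeled yourself. The script below is an added example, not code from this post or from any DPI vendor's SDK. It assumes two inputs the post tells you to produce on your own: a ground-truth label per flow, and the engine's verdict per flow together with how many packets it needed to reach that verdict. `GROUND_TRUTH`, `ENGINE_OUTPUT` and the application names are constructed data standing in for your own captures and the engine's real output.

```python
"""Score a DPI engine's application verdicts against a labeled flow corpus.

Added example (not from the original post or any vendor SDK). The two tables
below are constructed so the script runs offline; replace them with your own
labeled captures and the engine's verdicts.
"""
from collections import Counter, defaultdict
from statistics import median

UNKNOWN = "unknown"

# Constructed ground truth: flow id -> application actually carried by the flow.
GROUND_TRUTH = {
    "f01": "zoom", "f02": "zoom", "f03": "zoom",
    "f04": "teams", "f05": "teams",
    "f06": "dropbox", "f07": "dropbox",
    "f08": "ssh", "f09": "ssh",
    "f10": "tor",
}

# Constructed engine output: flow id -> (verdict, packets seen before the verdict).
# A verdict of UNKNOWN means the engine never classified the flow.
ENGINE_OUTPUT = {
    "f01": ("zoom", 3), "f02": ("zoom", 4), "f03": ("teams", 6),
    "f04": ("teams", 2), "f05": (UNKNOWN, 50),
    "f06": ("dropbox", 5), "f07": ("dropbox", 5),
    "f08": ("ssh", 1), "f09": ("ssh", 1),
    "f10": ("ssh", 8),   # a confident wrong verdict: worse than unknown for policy
}


def score(truth, output, unknown=UNKNOWN):
    """Return accuracy, unknown rate, confident-wrong rate, per-app metrics and confusions."""
    tp, fp, fn = Counter(), Counter(), Counter()
    confusions = Counter()      # (true_app, verdict) for wrong, non-unknown verdicts
    pkts = defaultdict(list)    # true_app -> packets needed for each correct verdict
    unknown_count = 0
    for flow, actual in truth.items():
        verdict, n = output.get(flow, (unknown, 0))
        if verdict == unknown:
            # A miss costs recall for the true app but is not a false positive
            # for any other app, so it is scored separately from wrong verdicts.
            unknown_count += 1
            fn[actual] += 1
            continue
        if verdict == actual:
            tp[actual] += 1
            pkts[actual].append(n)
        else:
            fn[actual] += 1
            fp[verdict] += 1
            confusions[(actual, verdict)] += 1
    per_app = {}
    for app in sorted(set(truth.values()) | set(fp)):
        p_den, r_den = tp[app] + fp[app], tp[app] + fn[app]
        per_app[app] = {
            "precision": tp[app] / p_den if p_den else None,
            "recall": tp[app] / r_den if r_den else None,
            "median_pkts_to_verdict": median(pkts[app]) if pkts[app] else None,
        }
    total = len(truth)
    return {
        "accuracy": sum(tp.values()) / total,
        "unknown_rate": unknown_count / total,
        "confident_wrong_rate": sum(confusions.values()) / total,
        "per_app": per_app,
        "confusions": dict(confusions),
    }


if __name__ == "__main__":
    result = score(GROUND_TRUTH, ENGINE_OUTPUT)
    for key in ("accuracy", "unknown_rate", "confident_wrong_rate"):
        print(f"{key:22s} {result[key]:.2f}")
    for app, m in result["per_app"].items():
        print(f"  {app:8s} P={m['precision']} R={m['recall']} "
              f"median_pkts={m['median_pkts_to_verdict']}")
    for (actual, verdict), count in result["confusions"].items():
        print(f"  confused {actual} -> {verdict}: {count}")
```

Three things here matter more than the headline accuracy figure a vendor quotes. Unknown verdicts and confidently wrong verdicts are tracked separately, because a policy engine that allows or blocks on the wrong label does more damage than one that falls back to a default for unclassified traffic. The confusion pairs show which applications the engine mixes up, which is where a vendor's catalog may be thin. And packets-to-verdict is recorded per application, because an inline enforcement point that only reaches a verdict after tens of packets has already let most of a short flow through.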
Make the Right Choice for You
DPI continues to be important today, but today’s DPI needs are not yesterday’s. The security products that use DPI will evolve, but traffic classification and characterization remain critical functions regardless of the buzzword du jour.
To read PART 1, click here.