Put simply, network packets are made up of headers and data. While the headers are used to direct the traffic to the right destination in the right manner, the data inside the packet -- the payload -- is the reason the traffic exists in the first place.
For example, consider a packet that carries a SQL query to update a database record on a server. The packet headers ensure the packet payload arrives at the correct network interface of the SQL database server. Once there, the server examines the transport layer protocol headers to process and deliver the update request to the correct port, where the application takes over and processes the SQL query itself.
Traditional security controls, such as firewalls, relied heavily on these headers in order to filter out malicious content by blocking IP addresses and ports. Modern security tools, such as most intrusion detection systems (IDS) and intrusion prevention systems and next-generation or application layer firewalls, inspect the data in the network packets in order to make a determination of their contents.
That SQL query, for instance, could be a malicious attempt to drop an entire database or return its passwords, which would result in it being blocked instead of being successfully delivered for processing. Other packets might contain malware or shellcode, which needs to be correctly identified and dealt with.
This technology is called deep packet inspection (DPI), and although it comes with some processing and latency costs, it is an essential part of a secure environment.
Why use the cloud for DPI
Many cloud services are accessible to the entire internet, which means improved system accessibility is an important driver for cloud migrations. However, cloud servers and applications are regularly attacked using a broad range of methods from anywhere on the globe.
Deep packet inspection is essential to keep the bad traffic out while letting the good traffic through without too much interruption. It is also important to look beyond this perimeter-based defense layer. Lateral movement between a compromised cloud system and other systems is dangerous, and companies should look to detect and prevent it.
Security and privacy concerns about deep packet inspection
Deep packet inspection raises several privacy concerns. The data in network packets can contain anything, including personally identifiable information and even passwords and authentication tokens. In a perfect world, this data would all be encrypted, but this is not always the case. The existence of SSL interception -- in which encrypted traffic is intercepted, decrypted and analyzed -- only increases these concerns.
Additionally, cloud providers do not like to give their customers close access to network traffic within their multi-tenant platforms because of the risk of customer-to-customer data leaks.
Finally, the network traffic within a shared cloud platform is effectively encapsulated in order to separate the customer and management flows, which often means traditional, network-based deep packet inspection technologies will have trouble processing cloud traffic.
How to handle DPI in the cloud
There are several approaches to successfully deploy a security control based on deep packet inspection within a public cloud environment. The first one is to use the vendor offerings already built for this exact purpose. These could be virtual instances, such as the Sophos UTM 9 product, which is a next-generation firewall product with built-in intrusion detection and application Layer 7 controls, for which deep packet inspection is required. The benefit here is the ease of deployment, support and management.
Another line of products is based on agents running on customer endpoints. The endpoints not only process network traffic, but they can also forward a copy of selected raw traffic to a security monitoring system. MetaFlows is one vendor that offers such a product. The benefit here is that network encryption like that provided by the Transport Layer Security protocol is less of a challenge because the endpoint can see much of the data in an unencrypted form.
Finally, a virtual network terminal access point can provide a full network traffic feed to any destination. This could be an intrusion detection system, a NetFlow sensor or a malware sandbox. Although the destination system is not directly inline, the extensive flexibility of this option allows for inter-device messaging where an intrusion detection system can automatically direct a firewall to block a malicious IP detected by an IDS signature.
Deep packet inspection in the cloud does not need to be complicated. The level of complexity really depends on the security controls required for the environment. A range of vendor tools and services can provide IDS and next-generation firewall capabilities without the worry of how to implement deep packet inspection, as the vendor has done this already.
If more specific controls are needed, the limitations and challenges of deep packet inspection within the various cloud platforms need to be given consideration in order to prevent any surprises.