Finding the right balance: Deep packet inspection encourages innovation and information sharing while protecting DoD networks

Faced with growing network usage, the DoD can look to deep packet inspection to differentiate authorized, unauthorized, and recreational traffic at a deeper level for better security, bandwidth management, and overall information assurance.

Modern warfare places very particular requirements on network communications infrastructure. As the Department of Defense (DoD) evolves to support a net-centric environment, the agency's networks are critical to maintaining the secure collaboration and information sharing necessary for a common operational picture of the battlefield and mission operations.

Yet DoD networks also support a wide range of traffic that is not mission critical. With a growing pool of next-generation converged applications, like VoIP and streaming multimedia, unauthorized and recreational use of the network increasingly occupies the bandwidth needed for vital mission operations. In addition to placing a heavy strain on defense networks, this high volume of unauthorized network traffic conceals malicious content from security tools.

The inherent threat posed by a larger user population along with a greater appetite for mission-critical information means that the DoD needs to fully understand and manage who is on the network, what users are doing, and the resources to which they have access. DoD network administrators must look beyond legacy network analysis methods toward the implementation of Deep Packet Inspection (DPI) technologies to keep the agency's networks reliable, timely, and secure.

DoD threats, both foreign and domestic

According to informal estimates, 70 percent of DoD network traffic is deemed "unofficial." This means that traffic unrelated to DoD business is largely dominating the agency's available bandwidth, diminishing the throughput available to conduct and support missions, and harming network security.

For example, streaming media websites like YouTube are particularly troublesome for DoD networks. Often quite large, these files can create asymmetric traffic flows that lead to bandwidth problems. Independent analysis of DoD network traffic finds that use of such streaming media websites peaks during high-profile events such as the NCAA March Madness tournament and the Olympics.

Needless to say, this recreational use of bandwidth poses a very real threat to national security. In fact, a recent DoD report to the Senate Armed Services Committee on DoD personnel access to the Internet highlighted that, if left unchecked, unauthorized and recreational use of DoD networks can leave less bandwidth available for, and even obstruct, mission-critical data transfers. In addition, and frankly even more problematic, by creating an even higher volume of traffic, recreational use potentially camouflages and allows intruders, viruses, and other malicious threats to masquerade as benign traffic. According to a report to Congress on DoD Personnel Access to the Internet[1], Peer-to-Peer (P2P) traffic, like music file sharing from Kazaa, can be especially dangerous since it often introduces corrupt files to the network and can elude traditional security tools.

Recent observations of the DoD's in-bound network traffic indicate that the overwhelming majority is associated with ports typically related to Web traffic, which are outlined in Table 1. By itself, this association does not imply that the traffic is legitimate.

Table 1: The majority of traffic inbound to the DoD is associated with these typical Web ports, but this association does not imply that the traffic is legitimate.

In fact, oftentimes this traffic represents malicious activity that simply "disguises" itself as legitimate Web traffic. Cyber-related attacks on agency networks increased 158 percent in 2007, according to the Department of Homeland Security (DHS), and disguised traffic is likely in part responsible for this sharp uptick. Considering this very real and growing threat, the DoD must eliminate the potential for recreational network use to contribute to security lapses.

As an example of efforts underway to tackle the network security and bandwidth challenge, the Defense Information Systems Agency (DISA) put in place the Global Information Grid – Bandwidth Expansion (GIG-BE) program to increase bandwidth and diversify physical access to approximately 87 critical sites in the continental United States. The DoD also blocks access to popular recreational websites such as YouTube, MySpace, and Photobucket on official military computers in the battlefield.

While these proactive efforts help improve network reliability, some of the methods are limited, at best, in their capabilities. What is needed are DPI-enabled applications that offer richer visibility into the traffic traversing the network.

DPI: A policy-centric approach to a net-centric challenge

To protect the integrity of DoD networks and ensure sufficient bandwidth for essential operations, administrators must determine the exact nature of the traffic consuming network bandwidth, as well as block or prioritize traffic with network-wide policy enforcement. What's more, detection and analysis must take place without compromising network speed or adding latency.

Through standard Transmission Control Protocol (TCP)/Internet Protocol (IP) networking, data is sent between systems using small packets that quickly traverse the network and are reassembled at the respective end points to recreate the original information. The purpose of current traffic monitoring and management technologies is to scan the individual data packets to detect specific patterns, issue alerts about attacks or unauthorized use, and block harmful activity.

For instance, common security applications include Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and firewalls. Firewalls are generally used to block harmful traffic at Internet ports or suspect IP addresses. Many modern-day firewalls can also identify and block harmful protocols. While firewalls inspect both inbound and outbound traffic, they only provide protection at the deployment site, do not protect the network at the fourth through seventh levels of the Open Systems Interconnection (OSI) model, and also do not articulate policies to determine rights of access. Figure 1 illustrates the additional visibility offered by DPI-enabled technologies.

Figure 1: DPI goes beyond the surface layers of the OSI model to view the actual contents of each data packet.

DPI-enabled devices, on the other hand, permit the transfer of extremely large amounts of data at wire speed while giving unprecedented visibility into deeper levels of network traffic to identify and remedy security vulnerabilities and unauthorized use.

Operating at layers two through seven of the OSI model, DPI-enabled applications can direct, filter, and log IP-based applications and Web traffic, regardless of the protocol or application type, by searching for defined protocol-specific characteristics such as URLs for HTTP or an e-mail address for SMTP in the data's "DNA." These variables are configured by the network administrator in a rules or policy engine that implements those policies according to signature-based comparisons; heuristic, statistical, or anomaly-based techniques; or some combination of these. For example, many DPI devices can identify packet flows (in addition to conducting a packet-by-packet analysis), allowing the implementation of control actions based on accumulated flow information.
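An added example, not from the original article or from any DPI product: a minimal payload-based classifier showing the signature matching, policy lookup, and per-flow accumulation described above, including the case of non-Web traffic on a Web port. The policy entries, domain names, addresses, and choice of Web ports are assumptions made for the illustration.

```python
import re
from collections import defaultdict
# Signatures match on payload content, never on the port number.
HTTP_REQ = re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
HTTP_HOST = re.compile(rb"\r\nHost: *([^\r\n:]+)", re.I)
SMTP_ADDR = re.compile(rb"^(?:MAIL FROM|RCPT TO): *<([^>\r\n]+)>", re.I | re.M)
WEB_PORTS = {80, 8080}  # assumed cleartext Web ports, not taken from Table 1

# Hypothetical administrator policy: (protocol, attribute pattern, action).
POLICY = [
    ("http", re.compile(r"(^|\.)video\.example$"), "deprioritize"),
    ("smtp", re.compile(r"@mission\.example$"), "prioritize"),
]

def inspect(payload):
    """Identify the protocol and its key attribute from payload bytes alone."""
    if HTTP_REQ.match(payload):
        host = HTTP_HOST.search(payload)
        return "http", host.group(1).decode() if host else ""
    addr = SMTP_ADDR.search(payload)
    if addr:
        return "smtp", addr.group(1).decode()
    return "unknown", ""

def classify(packets):
    """Accumulate (src, sport, dst, dport, payload) tuples into per-flow verdicts."""
    flows = defaultdict(lambda: {"proto": "unknown", "attr": "", "bytes": 0, "action": "allow"})
    for src, sport, dst, dport, payload in packets:
        flow = flows[(src, sport, dst, dport)]
        flow["bytes"] += len(payload)
        if flow["proto"] == "unknown":
            flow["proto"], flow["attr"] = inspect(payload)
    for (_, _, _, dport), flow in flows.items():
        if dport in WEB_PORTS and flow["proto"] != "http":
            flow["action"] = "alert"  # Web port, but the payload is not HTTP
            continue
        for proto, pattern, action in POLICY:
            if proto == flow["proto"] and pattern.search(flow["attr"]):
                flow["action"] = action
                break
    return dict(flows)

# Constructed sample packets (documentation addresses and example domains).
SAMPLE = [
    ("10.0.0.5", 40001, "192.0.2.10", 80, b"GET /clip HTTP/1.1\r\nHost: cdn.video.example\r\n\r\n"),
    ("10.0.0.5", 40001, "192.0.2.10", 80, b"\x00" * 1400),
    ("10.0.0.7", 40002, "192.0.2.20", 80, b"\x13BitTorrent protocol" + b"\x00" * 8),
    ("10.0.0.9", 40003, "192.0.2.30", 25, b"MAIL FROM:<ops@mission.example>\r\n"),
]
```

Calling `classify(SAMPLE)` returns one verdict per flow; the second flow is flagged because its destination port says Web while its payload does not parse as HTTP.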

By nature, DPI applications require definitions of each applicable protocol in order to operate. Thousands of Ethernet protocols exist, each with its own unique session format. Moreover, these protocol definitions change frequently due to modifications from standards groups or the introduction of new protocols. While many L4 security devices only examine the IP header of a data packet to identify the IP and port information before making packet-handling decisions, DPI systems can solve greater packet processing challenges due to a more comprehensive examination of data protocol and characteristics.

Purpose-built DPI platforms can combine the functionality of an IDS, IPS, and firewall as well as any other DPI-based applications (that is, those for lawful intercept and data leakage prevention), thus delivering significant additional features and protections to allow network administrators to streamline and secure traffic flow. A message tagged as "high priority," such as a mission-critical communication, can be routed to its destination ahead of low-priority messages or packets involved in recreational activities such as viewing sports highlights or listening to streaming radio. The deeper level of visibility also means that malicious data associated with unauthorized use can be identified and acted upon. This capability is essential to combating the challenges presented by recreational or unauthorized use of military networks.

A common operational platform for network management

DPI-enabled appliances enhance the capabilities of traditional security, traffic management, and network monitoring and analysis solutions. Ideally, the DoD should look to deploy these technologies on one common operational platform leveraging both internally developed Government Off-the-Shelf (GOTS) applications and Commercial Off-the-Shelf (COTS) applications. The network devices must keep pace with multi-gigabit line rates and support real-time deep-packet processing.

To satisfy the requirements for DPI, a platform must be:

  • Linux-based, as a majority of forward-leaning security and network monitoring applications are open source and Linux-based
  • Customizable to accommodate ever-changing network solutions requirements
  • Cost-efficient, since physical space, facilities, and power costs force the DoD to make budget-conscious, high-performance decisions
  • Programmable so the DoD can rapidly develop, deploy, and manage mission-critical operations, new services, and applications
  • Policy-centric, allowing the DoD to define its own policies for network traffic
  • IPv6 supported, since the government has mandated the adoption of Internet Protocol version 6 (IPv6) this year

Meeting the DoD's vision of a secure and robust network supporting all information classification levels and collaboration requires unique network analysis and control capabilities. Supported by a flexible platform and comprehensive policies, DPI-enabled applications surpass traditional security tools to provide an unprecedented level of visibility for sound bandwidth and security controls. Ultimately, this technology can help the DoD find the right balance between encouraging communications and innovation and protecting the security and integrity of DoD data.

References:

1. Report to Congress: A Report in Response to Request on Page 323 of Senate Armed Services Committee Report Number 110-77: Department of Defense Personnel Access to the Internet, Sept. 2007, www.dod.mil/pubs/foi/other/SASC_response_report110-77_0907.pdf

Kevin Curran is Vice President of Federal Sales at Bivio Networks. A 20-year IT industry veteran, he holds a Bachelor's in Business Administration and Finance from Virginia Tech and is an active member of the Armed Forces Communications and Electronics Association (AFCEA) and the American Council for Technology/Industry Advisory Council (ACT/IAC). He may be reached at kcurran@bivio.net.

Bivio Networks 925-924-8600 www.bivio.net
