Deep Packet Inspection in the Cloud
When looking at network traffic in a very simplified way, network packets are made up of headers and data (or code). While the headers are mostly used to direct the traffic to the right destination in the right manner, the data inside the packet is the reason the traffic exists in the first place.
For instance, imagine an SQL query to update a database record on a server. The headers within the many OSI layers of the packet make sure the data inside arrives at the listening port of the SQL database server, where the application takes over and processes the SQL query (the data) itself.
Learn Cloud Security
Traditional security controls such as firewalls relied heavily on these headers in order to filter out malicious content, think of IP addresses and ports being blocked. Modern security tools, such as most Intrusion Detection and Prevention Systems and next-generation or application layer firewalls, inspect the data part of the network packets in order to determine the contents. That earlier-mentioned SQL query, for instance, could be malicious and could intend to drop an entire database or return its passwords, requiring it to be blocked, instead of successfully delivered for processing. Other packets might contain malware or shellcode which needs to be correctly identified and actioned.
This technology is called Deep Packet Inspection (DPI), and although it comes with some processing and latency costs, it is an essential part of a secure environment.
Why in the Cloud?
Many cloud services are accessible to the entire Internet, after all, and an important driver for cloud migrations is the improved accessibility of the systems. This means cloud servers and applications are regularly attacked using a very broad range of methods from anywhere on the globe. Deep Packet Inspection is essential in keeping the bad traffic out but letting the good traffic through without too much interruption.
It is also important to look past this perimeter-based defense layer and more inwards. Lateral movement between a compromised (cloud) system and other systems, both within the cloud or on-premises, is very important to detect and where possible to block as well.
Challenges in the Cloud
Deep Packet Inspection raises several privacy concerns. The data in network packets can contain anything, including social security numbers, credit cards details and even passwords. In a perfect world this data should all be encrypted, but this is not always the case. The existence of SSL interception, where encrypted traffic is intercepted, decrypted and analyzed, only increases these concerns.
On top of this, cloud providers do not like to give their customers such close access to network traffic within their multi-tenant platform, for customer-to-customer data leak security concerns.
Finally, the network traffic within a shared cloud platform is effectively encapsulated in order to separate the customer and management flows, which often means traditional network-based DPI solutions will experience challenges processing the observed cloud traffic.
Solutions
There are several approaches to successfully deploy a security control based on Deep Packet Inspection within a public cloud environment. The first one is to use the vendor solutions already built for this exact purpose. These could be virtual instances such as the Sophos UTM9 product, a NextGen Firewall product with inbuilt IDS and Application Layer 7 controls (for which DPI is required). The benefit here is the ease of deployment, support and management.
Another product range is based on agents running on customer endpoints. The endpoints not only process network traffic, but also forward a copy of selected (or all) raw traffic to a security monitoring system. Metaflows offers such a product. The benefit here is that network encryption such as SSL is less of a challenge, because the endpoint should see much of the data in unencrypted form.
Finally, a virtual network TAP for example offered by Microsoft Azure can provide a full network traffic feed to any destination. This could be an Intrusion Detection System, a Netflow sensor or a Malware Sandbox. Although the destination system is not directly inline, the extensive flexibility of this option allows for inter-device messaging where, for instance, an IDS automatically directs a firewall to block a malicious IP detected by an IDS signature.
Deep Content Inspection
A modern evolution of Deep Packet Inspection is called Deep Content Inspection (DCI). Where DPI covers the analysis of data inside individual network packets, Deep Content Inspection is capable of detecting how multiple packets together can make up a file or data stream. This is usually done by the detection of a certain MIME (file) type, after which the data is captured, reconstructed and analyzed by, for instance, an antivirus or malware sandbox application.
DCI has been adopted in most products that support DPI, and the terms are sometimes intermixed because they are quite similar. Proper DCI has brought some major advantages, however. For instance, it has made it much harder for an attacker to break up malicious code into smaller packets in order to bypass an IDS device. It also provides the ability to dynamically analyze entire (often encrypted) extracted malware files in order to observe suspicious behavior. The solutions mentioned here, around DPI usage within a cloud environment are mostly applicable for DCI as well. Some performance overhead can be expected, because of the sessions that remain open while files and data streams are reassembled.
Learn Cloud Security
Conclusion
Deep Packet Inspection in the cloud does not need to be complicated. The level of complexity really depends on the required security controls within the environment. A range of vendor solutions will simply provide IDS and next-gen firewall capabilities without the worry about how to implement the underlying DPI requirement; the vendor has done this already. If more specific controls are needed, the limitations and challenges of DPI within the various cloud platforms need to be given consideration in order to prevent any surprises.
In this Series
- Deep Packet Inspection in the Cloud
- The rise of cloud computing: Trends and predictions
- Understanding the basics of cloud infrastructure: What you need to know
- How cloud security, data privacy, and cybersecurity convergence drives successful careers
- Secure cloud computing: What you need to know
- Working across multiple cloud service providers: CSP security learning path
- Securing cloud-based applications training: What you need to know
- Security risks of cloud migration
- DevSecOps in the Azure Cloud
- Amazon Athena Security: 6 essential tips
- Securing cloud endpoints: What you should know
- AWS security and compliance overview
- CloudGoat walkthrough series: IAM privilege escalation by attachment
- CloudGoat walkthrough series: EC2 server-side request forgery (SSRF)
- CloudGoat walkthrough series: Remote code execution
- CloudGoat walkthrough series: Lambda Privilege Escalation
- Information security strategy for the hybrid and multi-cloud
- CloudGoat walkthrough series: Cloud Breach S3
- CloudGoat walkthrough series: IAM privilege escalation by rollback
- Working with CloudGoat: The “vulnerable by design” AWS environment
- Malicious Amazon Machine Images (AMIs)
- Key findings from Ponemon’s State of Vulnerability Management in the Cloud and On-Premises report
- Cloud Pentesting Certification Boot Camp: The ultimate guide
- Cloud Based IDS and IPS Solutions [Updated 2019]
- AWS Security Monitoring Checklist [Updated 2019]
- Amazon Inspector: A cloud-based vulnerability assessment tool
- System administrator vs. cloud administrator
- 5 key cloud security use cases
- Honeypots in the Cloud
- Biometrics in the Cloud
- Open-Source Intelligence Collection in Cloud Platforms
- How to Safeguard Against the Privacy Implications of Cloud Computing
- AWS Cloud Security for Beginners — Part 2
- AWS Cloud Security for Beginners — Part 1
- AWS Security Monitoring Checklist — Part 2
- Rise of the Rogue Cloud: The Fundamental Security Mistake Enterprises Make and How to Correct It
- Controlling the Risks of Cloud-Enabled End-Point Security Products
- The Ultimate Guide to CCSP Certification
- Five Reasons Why Security Professionals Need the Cloud
- Amazon S3 Buckets-Hardening
- Cloud Service Reconnaissance
- Cloud Computing Security: Be Secure Before Moving to Cloud
- Cloud Technology Bringing New Possibilities in Threat Management
- Attacking the Cloud
- Man in the Cloud Attacks: Prevention and Containment
- Cloud originated DDoS attacks
- Where Is Your Data Safer? In the Cloud Or On Premise?
- DDOS Protection for Public Cloud Customers
- Security Barriers in the Adaptation of Cloud Technology
- SIEM as a Service
- Cloud Security Incident Compensation
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Cloud security
Cloud security