Deep Packet Inspection is obsolete. Here's why.

  • Published: 15 Sep 2024
  • Deep Packet Inspection used to be considered the standard method for creating asset inventories and spotting potentially malicious network traffic. But that is an antiquated and quite inefficient view of reality. This video explains how data flow analysis yields much more comprehensive results at lower cost.
    Referenced material
    Daniel Behrens (Cisco) at S4x19: • Network Traffic Collec...
    David Cole and Gen. Michael Hayden at Johns Hopkins Foreign Affairs Symposium: • The Johns Hopkins Fore...
    #DPI #Netflow
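To make the description's claim concrete, here is an added example (not from the video or its author) that builds an asset inventory purely from flow-level metadata, with no packet payloads. The flow records, the 10.0.0.0/8 "internal" range and the ICS-style hosts are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:
    """A NetFlow-style record: 5-tuple plus byte count, no payload."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int

# Constructed sample flows (assumed exported client -> server, one record per flow).
FLOWS = [
    Flow("10.0.1.20", 51234, "10.0.1.5", 502, "tcp", 1800),        # HMI -> PLC (Modbus)
    Flow("10.0.1.21", 51235, "10.0.1.5", 502, "tcp", 1750),        # second HMI -> PLC
    Flow("10.0.1.20", 51300, "10.0.1.9", 443, "tcp", 9000),        # HMI -> historian
    Flow("10.0.1.5", 40001, "10.0.1.9", 443, "tcp", 300),          # PLC -> historian
    Flow("10.0.1.30", 44444, "198.51.100.7", 443, "tcp", 52000),   # unknown host -> Internet
]

INTERNAL = ip_network("10.0.0.0/8")  # assumed monitored address space

def build_inventory(flows):
    """Map every internal host to the (proto, port) services it answers on
    and the peers it initiates connections to. Payload is never needed."""
    inv = defaultdict(lambda: {"serves": set(), "talks_to": set()})
    for f in flows:
        if ip_address(f.dst) in INTERNAL:
            inv[f.dst]["serves"].add((f.proto, f.dport))
        if ip_address(f.src) in INTERNAL:
            inv[f.src]["talks_to"].add(f.dst)
    return {h: {k: frozenset(v) for k, v in d.items()} for h, d in inv.items()}

def new_hosts(baseline, current):
    """Hosts seen in the current window but absent from the baseline inventory."""
    return sorted(set(current) - set(baseline))

def external_talkers(inventory):
    """Internal hosts that initiate flows to addresses outside the monitored range."""
    return sorted(h for h, d in inventory.items()
                  if any(ip_address(p) not in INTERNAL for p in d["talks_to"]))

if __name__ == "__main__":
    baseline, current = build_inventory(FLOWS[:4]), build_inventory(FLOWS)
    print("new hosts:", new_hosts(baseline, current))
    print("external talkers:", external_talkers(current))
```

Because only flow metadata is consumed, the same logic works on encrypted traffic, where payload-based DPI sees nothing useful.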

Comments • 2

  • @nournote
    @nournote 1 year ago +5

    Interesting.
    I asked Bard the same question. Here's its answer.
    ---------------------------------------
    DPI (Deep Packet Inspection) is not considered obsolete nowadays, but it is increasingly being complemented by metadata analysis. Metadata analysis is a more lightweight approach to network traffic analysis that does not require inspecting the full contents of every packet. This makes it less resource-intensive and more scalable than DPI, which is important as network traffic continues to grow.
    Metadata analysis can provide many of the same benefits as DPI, such as the ability to identify malicious traffic and enforce security policies. However, it is not as effective at detecting new or unknown threats. This is because metadata analysis typically relies on pre-defined signatures or rules to identify malicious traffic. If a new threat does not match any of these signatures, it may not be detected by metadata analysis.
    DPI, on the other hand, can inspect the full contents of every packet, which allows it to detect new or unknown threats. However, this also makes DPI more resource-intensive and less scalable than metadata analysis.
    In general, metadata analysis is a good choice for organizations that need to monitor network traffic for known threats and enforce security policies. DPI is a good choice for organizations that need to detect new or unknown threats.
    In some cases, organizations may choose to use both DPI and metadata analysis together. This can provide the best of both worlds, as it allows organizations to detect both known and unknown threats.
    Here is a table that summarizes the pros and cons of DPI and metadata analysis:
    Performance: DPI can slow down network performance, especially on large networks. Metadata analysis is less resource-intensive and more scalable.
    Complexity: DPI can be complex to configure and manage. Metadata analysis is less complex to configure and manage.
    Cost: DPI is more expensive than traditional packet filtering. Metadata analysis is less expensive than DPI.
    Visibility: DPI can provide detailed visibility into network traffic. Metadata analysis provides less detailed visibility into network traffic.
    Threat detection: DPI can detect both known and unknown threats. Metadata analysis is better at detecting known threats than unknown threats.

  • @MikeOxlong-
    @MikeOxlong- 8 months ago

    As someone who helped design the original discovery methods (proprietary) used in a very famous DPI product/retailer who sells to ISPs and transit providers, I beg to differ… Netmp can help, and views into TLS metadata and other tidbits are definitely effective and time consuming (on CPU resources), but they aren't everything. This is for certain…