Deep Packet Inspection: The Modern Miracle of Cybersecurity

There is an often-overlooked security feature on your firewall that, once configured, could save your company in the event of an attack. You may not have heard of it before, but you probably already own it. This modern miracle of cybersecurity is known as Deep Packet Inspection (DPI); the part of it that matters most for today's web, where almost everything is encrypted, is usually sold as SSL Inspection (also called TLS or HTTPS Inspection).

How Does This Modern Miracle Work?

In a previous blog post, we described how "bad actors" began using standard, common tools to evade detection. This is another instance of that. SSL encryption normally protects you. SSL (long since replaced by TLS, though the old name stuck) is an industry standard that verifies you are connected to the legitimate organization's servers and encrypts the data in transit. That's why you have been told for years to use HTTPS and to look for the padlock in your browser's address bar when you go to a web site. It makes sure you are connected to your actual bank (instead of a fake) and that your credit card number or login information is not sent over the internet in plain text every time you check your account balance. Attackers get exactly the same protection for their traffic, and this is where the problem comes in.

Because SSL/TLS encrypts the data between two points (e.g. between the web browser on your laptop and your bank's web server), nothing in the middle can read that traffic. A device in the path can still see who is talking to whom (addresses, ports, and usually the name of the site the browser asked for), but not what is being said. That means your firewall cannot scan any of the encrypted content for anything malicious either, and your firewall probably has features that need to examine the content of the traffic, like:

  • antivirus scanning
  • intrusion detection
  • intrusion prevention
  • and many other intelligent features (ones that look at the content, rather than matching simplistic, static rules on addresses and ports)

Analogy Time

Imagine you are going on a trip, and you want to carry your heavy-duty metal briefcase, reinforced with strong locks, onto the plane. What happens when you get to the airport? The TSA needs to check your briefcase for potentially dangerous materials, and those metal alloys are probably blocking their scanners. The TSA needs to see the contents of your briefcase to do their job, just as your firewall needs to examine the contents of those network packets. But you have secured the contents of the briefcase (and your network packets) in a way that blocks all forms of examination from the outside. If the TSA (your firewall) can't scan the briefcase (the content of the network traffic), they cannot do their job.

Why Isn’t This Feature Always On? Can’t We Just Check the Box?

Part of the SSL/TLS protocol is verifying that the destination is what and who it says it is. If getting in the middle of this secure conversation were simple, the bad guys would be able to do it too. Getting this feature to work isn't difficult, but it is more complicated than a check box: your firewall, the device in the middle, has to be trusted as well. In practice the firewall acts as its own certificate authority. It opens its own connection to the bank, and presents your browser a certificate in the bank's name that the firewall itself signed on the fly. Your browser will, correctly, reject that certificate as a fake unless the firewall's signing certificate has first been installed as a trusted authority on every device on your network. This is analogous to TSA employees, who must be screened before they are hired, go through training, get ID badges to access employee entrances at airports, and wear a standard uniform and photo ID for easy identification by anyone. All the devices on your network need to know that your firewall is a trusted device and is allowed to intercept traffic.

Even with that work done, not every application or web service will work well with this feature. Some applications "pin" the exact certificate they expect and refuse any other, even one from a trusted authority, and there are sites (banking, healthcare) whose traffic you may not want to read for privacy or regulatory reasons. For those, the firewall must be set NOT to do SSL Inspection for traffic to and from certain internet locations. Not every security screening is appropriate for the TSA either: the President of the United States is rarely spotted going through standard TSA screening to board Air Force One. There are different security protocols for those situations.
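To make concrete what the firewall can and cannot see before it decrypts anything, here is an added example written for this post, not code from the original article or from any firewall vendor. The very first message a browser sends on a new TLS connection, the ClientHello, carries the requested host name in plain text (the Server Name Indication, or SNI), and that name is what most firewalls use both to log the destination and to decide whether a site is on the do-not-inspect list before any decryption happens. The ClientHello bytes are constructed by the builder function so the script runs offline, the exclusion list uses hypothetical host names under the reserved .example domain, and the fallback that real products use when a client sends no SNI (looking at the server's certificate instead) is not modelled.

```python
import struct

# --- Sample input -----------------------------------------------------------
# A minimal TLS ClientHello record, constructed here so the example runs
# offline. Real ClientHellos carry more suites and extensions, but the layout
# (RFC 5246 / RFC 8446) is the same.
def build_client_hello(hostname=None):
    """Return the bytes of a TLS record holding a ClientHello, with SNI if given."""
    client_random = bytes(range(32))             # stand-in for 32 random bytes
    session_id = b""
    cipher_suites = b"\x13\x01\x13\x02\xc0\x2f"  # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, ECDHE-RSA-AES128-GCM-SHA256
    compression = b"\x00"                        # null compression only

    # supported_versions (0x002b) comes first so the parser has to skip an extension.
    versions = b"\x02\x03\x04"                   # list length 2, TLS 1.3
    extensions = struct.pack("!HH", 0x002B, len(versions)) + versions
    if hostname is not None:
        name = hostname.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list

    body = (b"\x03\x03" + client_random
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + bytes([len(compression)]) + compression
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


# --- What a device in the middle can read without decrypting ----------------
def extract_sni(record):
    """Return the host name from the SNI extension of a ClientHello, or None if absent.

    Raises ValueError for anything that is not a well-formed ClientHello record.
    """
    try:
        if record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        (rec_len,) = struct.unpack("!H", record[3:5])
        hs = record[5:5 + rec_len]
        if len(hs) != rec_len or hs[0] != 0x01:
            raise ValueError("not a ClientHello")
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            raise ValueError("truncated ClientHello")

        pos = 2 + 32                                     # client_version + random
        pos += 1 + body[pos]                             # session_id
        (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2 + cs_len                                # cipher_suites
        pos += 1 + body[pos]                             # compression_methods
        if pos == len(body):
            return None                                  # no extensions at all (very old clients)
        (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_data_len = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_data_len]
            pos += 4 + ext_data_len
            if ext_type != 0x0000:                       # not server_name; skip it
                continue
            (list_len,) = struct.unpack("!H", data[:2])
            q = 2
            while q + 3 <= 2 + list_len:
                name_type = data[q]
                (name_len,) = struct.unpack("!H", data[q + 1:q + 3])
                if name_type == 0:                       # host_name
                    return data[q + 3:q + 3 + name_len].decode("ascii")
                q += 3 + name_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError) as exc:
        raise ValueError("malformed ClientHello") from exc


# --- Decryption policy ------------------------------------------------------
# Hypothetical do-not-inspect list. Real deployments fill this with sites that
# break under inspection (certificate-pinned apps, some update services) or
# that policy says must not be read (banking, health).
BYPASS_DOMAINS = ("bank.example", "pinned-app.example")   # the domain and any subdomain
BYPASS_HOSTS = {"telemetry.vendor.example"}                # exact host names only

def bypassed(host):
    """True if host is on the exclusion list (exact match, or under a listed domain)."""
    host = host.lower().rstrip(".")
    if host in BYPASS_HOSTS:
        return True
    return any(host == d or host.endswith("." + d) for d in BYPASS_DOMAINS)

def decryption_decision(record):
    """Return (sni, action) for one ClientHello; action is 'inspect' or 'bypass'."""
    sni = extract_sni(record)
    if sni is None:
        # No SNI: nothing to match against the list. Real firewalls fall back to
        # the server's certificate; here we just apply the default action.
        return None, "inspect"
    return sni, ("bypass" if bypassed(sni) else "inspect")

if __name__ == "__main__":
    for host in ("www.example.com", "login.bank.example", "notbank.example", None):
        print(host, "->", decryption_decision(build_client_hello(host)))
```

Nothing in this code can see the HTTP request, cookies or file download inside the connection; that is exactly the gap SSL Inspection closes. Note also the boundary check in `bypassed`: a naive suffix match would let `notbank.example` ride along with `bank.example`, and mistakes in an exclusion list are holes in your inspection. One more caveat for the future: the Encrypted ClientHello extension, now appearing in browsers, hides even the SNI, so a firewall relying on this one field will have less and less to work with.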

This Seems Difficult… Should We Bother?

Enabling SSL Inspection or DPI isn't difficult. It just takes some planning. Typically, if you have central management of your workstations and devices (so the firewall's signing certificate can be pushed into every device's trust store in one step), this can be done in under 4 hours of labor if you already have the trusted certificate that is needed. Be aware that the certificate needed here is a certificate authority (CA) certificate that your own devices trust, not an ordinary web-server certificate: the public certificate vendors will not sell you one, so you either use the CA certificate the firewall generates for itself or issue a subordinate CA from your internal PKI. If neither is in place yet, it will add a little time to set one up.

The other potential problem is that it's not unusual for 80% or more of your network traffic to be encrypted. If your firewall isn't sized properly and you suddenly add decrypting, scanning, and re-encrypting all that traffic, your internet connection may slow to an unacceptable crawl and, in some rare instances, the firewall might even crash. Vendors' datasheets usually quote a separate, much lower throughput figure for SSL inspection than the headline number; that is the figure to compare against your current peak traffic. It is very important that someone with knowledge of your firewall looks at its performance metrics before anything is turned on. In some cases, if your company is already close to maxing out your firewall's performance, you may need to upgrade your firewall before you can enable this feature.

If you want to discuss this topic further, reach out to us and let us know. We’ll be happy to help you get this enabled and better protect your network!

