Peering Deeply Into Network Traffic
A quick count earlier this month yielded more than two dozen different devices performing a variety of similar features: antivirus, intrusion detection, intrusion prevention and more. Almost all of the appliances perform what is known as stateful packet inspection: They superficially inspect data packages in clusters for potential threats. By and large, industry research indicates that this approach works just fine, helping VARs stop more than half of all enterprise attacks at the network door.
Still, those performance statistics aren't good enough for some. A handful of security companies recently have blazed new trails in perimeter hardware security, integrating a newer and more sophisticated inspection technology into channel-friendly appliances. This new technology, dubbed deep-packet inspection, scans every bit and byte of every piece of data as it crosses the network perimeter. While it takes slightly longer than stateful inspection, deep-packet results are off the charts: nearly 95 percent of all attacks never even make it past the firewall.
"We have customers who didn't even know they had been attacked when the Sasser worm hit until they looked at the log files," said Rick Kagan, vice president of marketing at Sunnyvale, Calif.-based Fortinet, which incorporates deep-packet inspection into its FortiGate appliance. "Our technology is that good."
Fortinet has taken typical deep-packet inspection and run it through an ASIC-powered process for a feature that the firm calls Complete Content Protection. Through this process, FortiGate appliances take apart packets, scan them individually, glue them back together, and process them. The entire procedure takes less than half a second, not "realtime," but pretty darn close, Kagan said.
Fellow Sunnyvale vendor Juniper Networks offers similar technology with its NetScreen-5GT and NetScreen-ISG2000 gateways, which bundle stateful and deep-packet inspection with IPsec VPN services, antivirus technology and more. Earlier this month, Juniper unveiled the NetScreen-5GT ADSL, a device designed for remote-office locations connected to ADSL services.
Scott Walker, vice president of operations at Denver-based solution provider Accuvant, said the new product's inspection capabilities enable him to promise customers more than what many competitors offer. "The way we see it, deep-packet inspection is a great value-add," he said. "These types of technologies are the ones that really make a difference, and our customers know it."
At DeepNines Technologies, a relatively new vendor in Dallas, deep-packet inspection is only one part of an innovative overarching strategy to help channel partners add value by eliminating vulnerabilities altogether. The DeepNines solution, an appliance dubbed Sleuth9, actually sits outside the network router, an attempt to provide deep-inspection scanning on traffic before it gets anywhere near the network edge.
Company President Dan Jackson said that this outside-the-router approach enables DeepNines resellers to promise customers deep-packet inspection on all traffic passing in and out of the network. Because the device sits in front of a network firewall, it actually scans traffic without any noticeable delay, performing threat protection in what the company refers to as "stealth" mode.
"Too many times, organizations try to lock down routers and the more filters they apply to it, the more they actually degrade the performance," Jackson said. "Our goal is to provide top performance, and do it invisibly."
Of course no discussion of deep-packet inspection would be complete without mentioning Check Point Software Technologies, the Redwood City, Calif.-based vendor that essentially coined the technology last year. As part of its Interspect, Connectra and Firewall-1 gateway devices, Check Point offers both stateful and deep-packet inspection in one feature dubbed SmartDefense.
The functionality also integrates with the Check Point SMART management and reporting infrastructure to provide a single, centralized console for monitoring and auditing. According to Mark Noppe, enterprise sales leader at Allstream Security Solutions, Chicago, this type of usability is what sets Check Point's technology apart, and what will most likely characterize the deep-packet integrated appliance market moving forward.
"In the integrated appliance world of today, superior technologies that focus on deep-packet inspection are out there," Noppe said. "Now it's up to vendors to provide [solution providers] with interfaces that make the technology understandable and easy to use."
