DPI goes blind as encryption adoption increases

Governments and businesses that have traditionally relied upon deep packet inspection (DPI) or content-level inspection technologies to identify threats or control access across the perimeter of their networks are at the cusp of a dramatic and non-reversible sea change. Month on month, organisations have observed the silent shift to encrypted communications, and with that, their visibility and control of network traffic have incrementally diminished.

As the encryption of North-South corporate network traffic reaches levels of 60 per cent or more in most environments, organisations are finding themselves in the uncomfortable position of having to plan for the abandonment of the DPI-based perimeter defences they’ve depended upon for a decade and a half. It would seem that IDS, IPS, DLP, and ADS are rapidly turning dark.

Many organisations are revisiting SSL Termination technologies as a means of countering the increased use of encrypted communications and providing a keyhole through which they can extend the life and usefulness of earlier DPI investments.

Unfortunately, I don’t think this approach will provide the longevity many are hoping for.

The encryption problem

Much of the 'encryption problem' enterprises are facing can be attributed to the likes of Google, Yahoo, and social media sites uniformly adopting HTTPS for all web browser communications. While much of the data searched for, viewed, or commented upon generally does not leak any personal information about the users of these services, in some cases it could, particularly in some countries with more authoritarian governments, and so five years or so ago the biggest web businesses chose to enforce HTTPS to protect everyone. Today businesses are publicly chastised if they don’t offer encryption by default.

The purpose of HTTPS is to protect HTTP traffic from inspection and modification by intermediaries. The use of SSL Terminators to 'man in the middle' (MITM) user traffic obviously stands counter to why the biggest and most popular Internet service providers have universally adopted HTTPS by default.

What many organisations seeking to leverage SSL Terminators have failed to understand is that there are a bunch of new extensions to web browser technologies that are in the process of being adopted and, within a short period of time, will permanently shut down that inspection window.

The extensions of the future

The first and most important is HTTP Public Key Pinning (HPKP). This security feature instructs the web browser to associate a specific cryptographic public key with a certain web server, thereby preventing MITM attacks with forged certificates. The web server provides a list of public key hashes so that the web browser can check that the certificate it is being served is actually one authorised by the web server it wants to communicate with. This allows the user’s web browser to determine whether communications are being intercepted and choose to carry on or not.
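The pin check described above can be sketched from the browser's side. This is an added example, not code from the original article: the PinStore class, the host name example.test and the byte strings standing in for public keys are all constructed for illustration. It assumes strict pin validation with no exemption for locally installed trust roots, and it follows the RFC 7469 rule that a pin header is only remembered when the chain that delivered it already matches a pin and a backup pin is present.

```python
import base64
import hashlib

def spki_pin(spki_der):
    """pin-sha256 value: base64 of the SHA-256 of a DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_pkp(header):
    """Parse a Public-Key-Pins header into (set of pins, max-age or None)."""
    pins, max_age = set(), None
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            pins.add(value)
        elif name == "max-age" and value.isdigit():
            max_age = int(value)
    return pins, max_age

class PinStore:
    """Hypothetical browser-side store of noted pins, keyed by host."""
    def __init__(self):
        self._noted = {}  # host -> (pins, expiry time in seconds)

    def note(self, host, header, chain_spkis, now):
        pins, max_age = parse_pkp(header)
        chain = {spki_pin(s) for s in chain_spkis}
        # Accept only with max-age, a pin matching this chain, and a backup pin.
        if max_age is None or not (pins & chain) or not (pins - chain):
            return False
        self._noted[host] = (pins, now + max_age)
        return True

    def validate(self, host, chain_spkis, now):
        pins, expiry = self._noted.get(host, (None, 0))
        if pins is None or now >= expiry:
            return True  # no live pins for this host: nothing to enforce
        return any(spki_pin(s) in pins for s in chain_spkis)

# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (not real keys).
ORIGIN_CHAIN = [b"origin-leaf-spki", b"origin-ca-spki"]
PROXY_CHAIN = [b"proxy-leaf-spki", b"proxy-ca-spki"]  # chain re-signed in transit
HEADER = 'max-age=5184000; pin-sha256="%s"; pin-sha256="%s"' % (
    spki_pin(b"origin-ca-spki"), spki_pin(b"backup-spki"))

if __name__ == "__main__":
    store = PinStore()
    store.note("example.test", HEADER, ORIGIN_CHAIN, now=0)
    print("origin chain accepted:", store.validate("example.test", ORIGIN_CHAIN, 60))
    print("re-signed chain accepted:", store.validate("example.test", PROXY_CHAIN, 60))
```

Pins are trust-on-first-use: a header first seen over an already re-signed chain is never noted, and noted pins stop being enforced once max-age has elapsed.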

The second important security extension is HTTP Strict Transport Security (HSTS). This allows the Internet server to prevent protocol downgrade attacks and cookie hijacking, and dictates to a conforming browser that this and all subsequent connections (for a configurable amount of time) to the subject site should only be performed over SSL. Additionally, users are no longer permitted to bypass SSL/TLS certificate errors, which prevents browser click-through in the event of expired or otherwise untrusted certificates.

While HPKP and HSTS are not universally deployed and enforced yet, they are built in to the current generation of web browser technologies, and it will only be a short period of time before they – just like the universal enforcement of HTTPS before it – are universally deployed. Already today, some top-level domains such as .trust (see the .trust technical policy) and .bank mandate their use.

What starts with web browsers will rapidly trickle down to all other desktop applications within corporate networks.

SSL Termination may, with a little luck, extend the lifetime of DPI-based protection technologies by an additional couple of years for non-web-browser traffic inspection. However, organisations should already be evaluating alternative network security technologies that can detect threats whether or not they are over encrypted channels.

Math-intensive machine learning and advanced signal processing techniques are currently at the forefront of the battle. They are capable of keeping up with today’s traffic speeds and detecting threats despite the increasing (or eventually ubiquitous) encryption of the content layer.

Gunter Ollmann, CSO, Vectra Networks