Why is inline traffic monitoring important?
Date: 24.03.2024
Author: Vyacheslav Slinkin
Introduction

This article describes the advantages of running DPI software somewhere other than on the endpoint devices themselves. Note that, despite the title, the cases described are not tied to inline mode only: they apply equally to asymmetric and mirroring modes.
Endpoint node attack

In information security it surprises no one when an attacker gets into a company's local network and gains access (sometimes even root access) to a device inside it. Such incidents can be very costly for the company. Worse, if the attacker continues the intrusion by infecting other devices on the network, the consequences can be critical.

The recommended sequence of actions in such a case:
  • Detect the intrusion
  • Isolate the infected node
  • Collect the important data from the affected device and remove the malware/spyware
  • Analyze the incident

A DPI system helps to detect and stop the further spread of the infection (or other malicious activity) inside the local network. In addition, it provides valuable log data for the incident analysis.
The advantages of having a DPI system on the local network:

  • It is easier to spot suspicious activity in one network log than to correlate different kinds of logs on different machines running different operating systems.
  • If an attacker gains _root access_, they can wipe any log data on the infected computer to hide traces of their presence: established connections, login events, data transfers, etc. A log kept on a separate monitoring node is out of their reach.
  • If an attacker scans the network or performs network spoofing, such activity is visible on the DPI node immediately. On the endpoint devices themselves it can go undetected.
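As an added example (not the author's code, and not tied to any particular DPI product), the following Python script shows the kind of detection the list above refers to, performed on the DPI or mirror-port node rather than on the endpoints: it replays constructed flow records, flags a host that touches many ports on one target (vertical scan) or one port on many targets (horizontal sweep), and also pulls the per-device activity view that an engineer would query instead of installing an agent on the device. The record format, the addresses, the thresholds, the window and the function names are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records, one per line:
#   "<ISO timestamp> <src ip> <dst ip> <dst port> <proto>"
# This format is an assumption standing in for whatever the DPI/flow
# collector on the mirror or inline port actually exports.
SAMPLE_LOG = [
    "2024-03-24T10:00:00 10.0.0.5 10.0.0.20 443 tcp",
    "2024-03-24T10:00:01 10.0.0.5 10.0.0.20 443 tcp",
    "2024-03-24T10:00:02 10.0.0.5 10.0.0.53 53 udp",
] + [
    # 10.0.0.7 probes 30 different ports on one host within half a minute
    f"2024-03-24T10:01:{i:02d} 10.0.0.7 10.0.0.20 {port} tcp"
    for i, port in enumerate(range(20, 50))
] + [
    # the same host then tries port 445 on 15 neighbours
    f"2024-03-24T10:02:{i:02d} 10.0.0.7 10.0.0.{100 + i} 445 tcp"
    for i in range(15)
]


def parse_record(line):
    ts, src, dst, dport, proto = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "proto": proto}


def host_activity(lines, host):
    """Everything the network saw for one device, as (peer, dport, proto) -> hits.
    This is the per-device view pulled from the DPI log instead of from an
    agent running on the device itself."""
    counts = defaultdict(int)
    for rec in map(parse_record, lines):
        if rec["src"] == host:
            counts[(rec["dst"], rec["dport"], rec["proto"])] += 1
        elif rec["dst"] == host:
            counts[(rec["src"], rec["dport"], rec["proto"])] += 1
    return dict(counts)


def _drop(counter, outer, inner):
    """Decrement a nested hit counter and forget the key once it reaches zero."""
    counter[outer][inner] -= 1
    if counter[outer][inner] == 0:
        del counter[outer][inner]


def detect_scans(lines, window=timedelta(seconds=60),
                 port_threshold=20, host_threshold=10):
    """Sliding-window scan detector over flow records.

    vertical_scan:    one source reaches >= port_threshold distinct ports on one
                      destination inside `window`
    horizontal_sweep: one source reaches >= host_threshold distinct destinations
                      on one port inside `window`
    Returns (src, kind, target, count, first_seen) tuples, one per (src, kind, target).
    Thresholds and window are assumed values; tune them to the real network.
    """
    by_src = defaultdict(list)
    for rec in sorted(map(parse_record, lines), key=lambda r: r["ts"]):
        by_src[rec["src"]].append(rec)

    alerts, reported = [], set()
    for src, recs in by_src.items():
        ports_by_dst = defaultdict(lambda: defaultdict(int))  # dst -> dport -> hits
        dsts_by_port = defaultdict(lambda: defaultdict(int))  # dport -> dst -> hits
        start = 0
        for rec in recs:
            # retire records that fell out of the window ending at this record
            while recs[start]["ts"] < rec["ts"] - window:
                old = recs[start]
                _drop(ports_by_dst, old["dst"], old["dport"])
                _drop(dsts_by_port, old["dport"], old["dst"])
                start += 1
            ports_by_dst[rec["dst"]][rec["dport"]] += 1
            dsts_by_port[rec["dport"]][rec["dst"]] += 1

            n_ports = len(ports_by_dst[rec["dst"]])
            key = (src, "vertical_scan", rec["dst"])
            if n_ports >= port_threshold and key not in reported:
                reported.add(key)
                alerts.append(key + (n_ports, rec["ts"]))

            n_hosts = len(dsts_by_port[rec["dport"]])
            key = (src, "horizontal_sweep", rec["dport"])
            if n_hosts >= host_threshold and key not in reported:
                reported.add(key)
                alerts.append(key + (n_hosts, rec["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(alert)
    print(host_activity(SAMPLE_LOG, "10.0.0.5"))
```

Run stand-alone, the script reports 10.0.0.7 once for the vertical scan against 10.0.0.20 and once for the 445/tcp sweep, and nothing for the normal client 10.0.0.5. An attacker with root on 10.0.0.7 can clear that machine's own logs, but these records live on the monitoring node and stay available for the incident analysis; the thresholds are deliberately conservative and need tuning against the real network's baseline before use.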
Endpoint hardware limitation

These days many IoT devices operate within local networks. Their main drawback is hardware limitation: they are built to perform one task and nothing more, which is a completely different story from a PC or laptop. In most cases IoT devices cannot be upgraded.
When a DPI system is present in the network, there is no need to install security software on each device. DPI collects all network activity, and the network engineer can retrieve the network log information for any device of interest.
Agent control

Another important point about event collection is the number of agents. When the network is large enough and contains machines with different hardware and different operating systems, the agents become difficult to manage. It is much easier to collect data when the number of agents is limited to a few instances.
In such cases it is more reliable to have one DPI system for the whole network, or at least one instance per network segment, for network log collection. This dramatically reduces the amount of work spent debugging network software on the endpoint devices.
Endpoint software limitation

IoT devices are part of many companies and cannot be ignored. They are difficult to manage, not to mention difficult to install anything on (in most cases simply impossible). But they also need protection, because like any device on the network they are reachable and potentially vulnerable.
For such cases DPI solves the problem just as in all the previous cases: by analyzing traffic on a separate network node.
Conclusion

No one argues that it is important to have security software on endpoint devices. However, it does not always work, and it is much better to have a DPI system in your local network alongside another security solution: working together they give the best results. DPI plays not only a security role. It also provides important information about network activity that can be used for network troubleshooting, for building reports on user activity, and for network load statistics.
If you find an error in the article, please let us know - edit@slinkin.tech.