Updated: May 7, 2019
How deep packet inspection and Simple Network Management Protocol is being replaced by network telemetry
“Do not go gentle into that good night, Old age should burn and rave at close of day; Rage, rage against the dying of the light.” — a rapturous ode to the unassailable tenacity of the human spirit by the Welsh poet Dylan Thomas wrote in 1914 couldn’t better describe what I’ve seen over the past two decades in the quiet obsolescence of legacy security solutions like antivirus and network intrusion detection.
These solutions have found their final resting places at the beginnings of the 20th century to be replaced by a newer, smarter way of doing things, whether it’s mobile push notifications replacing passwords, network threat analytics replacing network IDS, machine learning replacing signatures, encrypted protocols replacing unencrypted protocols, to now, telemetry data replacing deep packet inspection (DPI) and simple network management protocol (SNMP). While there still remain situations in which DPI and SNMP version 1, 2, or 3 are perfectly suited — the fact remains that the old is quickly being replaced by the new.
Deep packet inspection is the analysis of packet data traversing a network from the outermost header of the datagram (Ethernet Header) to its trailer in the payload containing application data. DPI is being quickly rendered obsolete by the growing amount of north-south and east-west encrypted traffic on networks, which now accounts for over 73% of the traffic on the internet.
DPI became a thing in the initial days of unified threat management (UTM) and network IDS that combined the functionality of an intrusion detection system (IDS) and an intrusion prevention system (IPS) with a traditional stateful firewall. The combination made it possible to detect certain attacks that neither the IDS/IPS nor the stateful firewall could see on their own. Stateful firewalls, while able to see the beginning and end of a packet flow, could not catch events on their own as they would be out of bounds for a particular application. DPI-enabled devices had the ability to look at Layer 2 and beyond Layer 3 of the OSI model. In some cases, DPI could even be invoked to look through Layers 2–7 of the OSI model. This included headers and data protocol structures as well as the payload of the message.
Having said that, the very nature of DPI inspecting beyond the shallow headers of a packet all the way to its payload is rendered impotent when encryption is used in command and control (c2), if the attack is carried inside a VPN tunnel, or if a web application attack is performed over SSL. The fact of the matter is, as unencrypted protocols like HTTP, telnet, and FTP are replaced by HTTPS, SSH, and SFTP, DPI will eventually become no more than a fond memory for my generation and generations before me who were around long enough to remember it.