Will AppIDs replace deep packet inspection?

March 2, 2011

A growing number of IT security vendors are moving away from packet inspection of internet traffic in favour of monitoring the credentials of the user and the applications they are using, reports Steve Gold (@stevewgold)

The world of IT security is changing – largely as a result of increasing data traffic and faster internet connections, which make it more challenging to analyse the data flowing across those connections in real time.

A number of IT security vendors have been grappling with the problem of larger bandwidth internet data flows for some time.

As internet caching specialist Akamai’s latest quarterly report shows, there are more and more users on the global internet generating ever increasing volumes of data traffic. According to the Akamai Q3 2010 “State of the Internet” report, more than 533 million unique IP addresses from 235 countries connected to its global network of caching servers during the third quarter of last year.

That’s an astonishing increase of 20 per cent over the same quarter a year previously. Wow.

IT security vendors have traditionally carried out a process called deep packet inspection on Internet Protocol (IP) data flows, but with the rising tide of data flowing across the internet, typically on 10 Gbps links, deep packet inspection is rapidly (no pun intended) proving to be technically difficult. A growing number of security vendors are therefore moving away from packet inspection of traffic in favour of monitoring the credentials of the user and the applications they are using.

By working out whether a user is authorised to do what he or she is doing from a given IP address, companies and carriers can allow or disallow the session in real time.

Then, by monitoring the application(s) the user is running, which can be identified from their signatures (known as AppIDs), the user’s IP session can be risk-assessed and allowed or disallowed as required.

AppIDs are central to this new way of security analysis. One vendor I spoke to recently had even allocated a range of AppIDs to botnets, taking the idea to a whole new level.
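As an added illustration of the two-stage check described above (not code from the article or from any vendor it mentions), here is a toy session-policy engine in Python: stage one asks whether the user is authorised to connect from the source IP, and stage two matches the first bytes of the session against a signature catalogue to assign an AppID, risk-assesses it, and denies and alerts on a "botnet" AppID class. Every user, network, byte signature and AppID in it is constructed for illustration; real AppID catalogues are vendor-specific and far larger.

```python
"""Added example, not code from the original article: a toy two-stage
session check. Stage one checks user identity and source IP; stage two
identifies the application by signature (an AppID), risk-assesses it,
and treats a "botnet" AppID as an alert. All users, networks,
signatures and AppIDs below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

# Constructed AppID catalogue: (app_id, byte signature, risk tier).
APP_SIGNATURES = [
    ("app:http", b"GET ", "low"),
    ("app:http", b"POST ", "low"),
    ("app:ssh", b"SSH-2.0-", "medium"),
    ("app:tls", b"\x16\x03", "low"),
    # Stand-in for an AppID allocated to botnet traffic: a made-up beacon prefix.
    ("botnet:example-c2", b"BEACON", "critical"),
]


@dataclass(frozen=True)
class UserPolicy:
    """Constructed identity record: source networks the user may connect
    from, and the AppIDs their role is permitted to run."""
    allowed_sources: tuple      # CIDR strings
    allowed_apps: frozenset     # AppIDs


USERS = {
    "alice": UserPolicy(("10.0.0.0/8",), frozenset({"app:http", "app:tls"})),
    "bob": UserPolicy(("10.0.0.0/8", "192.168.1.0/24"),
                      frozenset({"app:http", "app:tls", "app:ssh"})),
}


def identify_app(first_bytes: bytes):
    """Return (app_id, risk) for the first matching signature.
    Traffic matching nothing is 'unknown' and treated as high risk."""
    for app_id, signature, risk in APP_SIGNATURES:
        if first_bytes.startswith(signature):
            return app_id, risk
    return "unknown", "high"


def evaluate_session(user: str, src_ip: str, first_bytes: bytes) -> dict:
    """Decide allow/deny for one session and record why."""
    policy = USERS.get(user)
    if policy is None:
        return {"decision": "deny", "reason": "unknown user",
                "app_id": None, "alert": False}

    # Stage one: is this user authorised from this source address?
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in ipaddress.ip_network(net) for net in policy.allowed_sources):
        return {"decision": "deny", "reason": "source not authorised for user",
                "app_id": None, "alert": False}

    # Stage two: identify the application and risk-assess the session.
    app_id, risk = identify_app(first_bytes)
    if app_id.startswith("botnet:"):
        # A botnet AppID is denied regardless of user and raised as an alert.
        return {"decision": "deny", "reason": "botnet AppID matched",
                "app_id": app_id, "alert": True}
    if app_id not in policy.allowed_apps:
        return {"decision": "deny",
                "reason": f"{app_id} not permitted for user ({risk} risk)",
                "app_id": app_id, "alert": False}
    return {"decision": "allow", "reason": f"{app_id} permitted ({risk} risk)",
            "app_id": app_id, "alert": False}


if __name__ == "__main__":
    # Constructed sessions: (user, source IP, first bytes seen on the wire).
    samples = [
        ("alice", "10.1.2.3", b"GET / HTTP/1.1\r\n"),
        ("alice", "10.1.2.3", b"SSH-2.0-OpenSSH_8.9\r\n"),
        ("bob", "192.168.1.7", b"SSH-2.0-OpenSSH_8.9\r\n"),
        ("bob", "172.16.0.1", b"GET / HTTP/1.1\r\n"),
        ("bob", "10.0.0.5", b"BEACON 0001"),
        ("carol", "10.0.0.9", b"\x16\x03\x01"),
    ]
    for user, ip, data in samples:
        print(user, ip, evaluate_session(user, ip, data))
```

The point of the example is the order of the checks: the identity decision needs no payload inspection at all, and the application decision looks only at a signature prefix rather than reassembling and parsing the whole stream, which is what makes the approach cheaper than full deep packet inspection at high line rates. Unmatched traffic is deliberately classified as unknown and high risk rather than allowed by default.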

If the principle sounds familiar, it’s because it was the basis of a Windows security application – now long gone, sadly – called Guardian in the early 1990s.

That was in the days of dial-up modems, of course…
