WedgeNetworks



Deep Content Inspection With WedgeOS


Deep Content Inspection Vs. Deep Packet Inspection

The ability to make sense of Data In Motion is at the core of many interesting technologies. This ability varies depending on what can be comprehended from the Data In Motion:

  • Early generations of firewalls can inspect network packet headers. This allows firewalls to implement allow/block network access policies, since the intent of the packets can be inferred from where they come from, where they are going, and what ports they pass through.
  • In addition to the packet headers, IDS/IPS technology also looks into the packet bodies, a.k.a. Deep Packet Inspection (DPI). The advantage of IDS/IPS over a simple firewall is obvious: packets going to the same place may not have the same intention.
  • With the ability to inspect the packet body, more things can be seen. For example, tools have been developed to extract application-level source addresses, such as URLs and SMTP sources, from the packets. Once an application-level source address is extracted, it is compared with a Reputation Database to infer the intention of the communication session based on the reputation of the source.
  • One problem with inspecting only a single packet is the inability to comprehend information that spans multiple packets. To address this problem, stream-based IDS/IPS systems apply pattern matching to multiple packets.
  • Some stream-based inspection systems have very sophisticated pattern matching rules, such as rules for Application Classification. These systems do not look at more information, but understand more than stream-based IDS/IPS.
  • For many applications, the ultimate goal of inspecting a Data In Motion session is to understand the intention of the session. This goal can only be accomplished with the ability to inspect the digital objects (executables, images, PDF files, etc.) that are carried over the packet streams as application-level content. This ability is referred to as Deep Content Inspection. Once the digital objects in a Data In Motion session can be comprehended, we can gain many insights into the intention of the session, not only with simple pattern matching and reputation search, but also with unpacking and behaviour analysis.
  • In a typical network, at any given time and any location, there are many concurrent Data In Motion sessions carried over many application protocols. The ability to look at all these sessions at the same time allows us to correlate them and gain a holistic understanding of the intention of the digital objects transmitted. This ability is referred to as Cross Session Deep Content Inspection.

The following table compares what can be seen with each way of looking at a Data In Motion session:

| Method | Look at | Can see | Cannot see |
|---|---|---|---|
| Early Firewall | Packet header | Packet header information | Packet body |
| IDS/IPS | + Packet body | Strings within the packet body | Strings that span multiple packets |
| Stream-based IDS/IPS | + Multiple packet bodies | Strings that span multiple packets | Digital objects and their intentions |
| Application Classification | Same as above | Application types | Same as above |
| Deep Content Inspection | + Application level content payload | Digital objects and their intentions | Correlation of the Data In Motion sessions |
| Cross Session Deep Content Inspection | + Content payload in many sessions | Correlation of the Data In Motion sessions | |
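To make the difference between these levels concrete, the following added example (not WedgeOS code) runs the same marker through single-packet matching, stream-based matching, and content-level matching. The marker, the two HTTP sessions and all function names are constructed for illustration.

```python
import gzip

SIG = b"CONSTRUCTED-MARKER-1234"  # constructed stand-in for a content signature

def per_packet_match(packets, sig=SIG):
    """Single-packet DPI: every payload is matched in isolation."""
    return any(sig in p for p in packets)

def stream_match(packets, sig=SIG):
    """Stream-based matching: reassemble payloads in order, then match."""
    return sig in b"".join(packets)

def extract_http_body(stream):
    """Recover the transferred object: split headers from body, undo gzip."""
    head, _, body = stream.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    if headers.get(b"content-encoding") == b"gzip":
        body = gzip.decompress(body)
    return body

def content_match(packets, sig=SIG):
    """Content-level inspection: match against the extracted object."""
    return sig in extract_http_body(b"".join(packets))

def inspect(packets):
    """Return (per-packet, stream, content) verdicts for one session."""
    return per_packet_match(packets), stream_match(packets), content_match(packets)

def chunk(data, size):
    return [data[i:i + size] for i in range(0, len(data), size)]

# Constructed session 1: plain body, signature straddles a packet boundary.
plain = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nreport " + SIG + b" end"
cut = plain.index(SIG) + 5
SESSION_SPLIT = [plain[:cut], plain[cut:]]

# Constructed session 2: same object, gzip content-encoding, 64-byte packets.
body = gzip.compress(b"report " + SIG + b" end")
SESSION_GZIP = chunk(b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\n\r\n" + body, 64)

if __name__ == "__main__":
    for name, s in (("split", SESSION_SPLIT), ("gzip", SESSION_GZIP)):
        print(name, dict(zip(("packet", "stream", "content"), inspect(s))))
```

The split session is missed only by single-packet matching, while the gzip-encoded session is missed by both packet-level and stream-level matching and is caught only once the object is extracted.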

 

Deep Content Inspection Technology in WedgeOS

Embedded in the WedgeOS Deep Content Inspection Platform is a set of advanced technologies that:

  • Extract the digital objects from a Data In Motion session in real-time
  • Correlate the digital objects in a population of Data In Motion sessions
  • Support both the Explicit Proxy Mode and Transparent Proxy Mode 

Compared with other Data In Motion inspection technologies, the DCI technology in WedgeOS has the following advantages:

  • The ability to extract digital objects in real-time from the Data In Motion sessions leads to the complete comprehension of the intention of the sessions
  • The ability to correlate the comprehension of the digital objects transmitted in many communication sessions leads to new ways of network performance optimization and intelligence
  • The ability to support ICAP and WCCP for explicit proxy mode deployments reduces the cost of network reconfiguration
  • The ability to support transparent proxy mode deployments eliminates the cost of network reconfiguration and supports unlimited VLANs.

Deep Content Inspection Service Policy Manager

A WedgeOS-powered device can be configured to apply different inspection services to different network traffic. The configurations are specified with DCI Service Policies. The DCI Service Policy Manager is the software module that manages these policies in a fully customizable, detailed interface.

Too often, managing a set of policies for an organization becomes a time-consuming task. IT staff are overwhelmed by the difficulty of setting up simple rules and procedures and are frustrated by the amount of productivity lost while configuring usage policies. However, with Wedge Service Policy Manager, setup has never been more simple, straightforward and functional.

DCI Service Policy Benefits 

Wedge Networks provides a rich syntax for defining security service policies and offers ease of management through the following parameters:

  • Type of the service, e.g. anti-malware, anti-spam, etc.
  • Target network applications, e.g. HTTP, POP, etc.
  • Target application traffic. The syntax can provide the following specifications:
      1. Network segments: defined by source and destination IP addresses or subnets
      2. Users/groups: defined by entries in LDAP, Active Directory, or RADIUS
  • Time period when the policy is effective
  • Direction of the network traffic to be inspected
  • Exception policies, e.g. "provide deep content keyword scan for all traffic except that from host 192.168.0.2"
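The sketch below is an added example, not WedgeOS policy syntax: it models the parameters listed above in a hypothetical `Policy` structure and shows how an exception takes a host out of an otherwise matching policy. All field names, service names and the sample policies are assumptions; user/group matching is left out because it needs a directory lookup.

```python
from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address, ip_network

@dataclass
class Policy:  # hypothetical model of the parameters listed above
    service: str                  # type of service
    applications: set             # target network applications
    sources: list                 # source subnets of the network segment
    destinations: list            # destination subnets
    direction: str                # "inbound", "outbound" or "both"
    start: time = time(0, 0)      # effective period; wraps past midnight
    end: time = time(23, 59, 59)  # when start > end
    except_sources: list = field(default_factory=list)

def in_any(addr, nets):
    return any(ip_address(addr) in ip_network(n) for n in nets)

def in_period(p, at):
    if p.start <= p.end:
        return p.start <= at <= p.end
    return at >= p.start or at <= p.end   # overnight window

def applies(p, app, src, dst, direction, at):
    return (app in p.applications
            and p.direction in ("both", direction)
            and in_period(p, at)
            and in_any(src, p.sources) and in_any(dst, p.destinations)
            and not in_any(src, p.except_sources))  # exceptions win

def services_for(policies, app, src, dst, direction, at):
    """Sorted list of services that should inspect this session."""
    return sorted(p.service for p in policies
                  if applies(p, app, src, dst, direction, at))

ANY = ["0.0.0.0/0"]
POLICIES = [  # constructed; the first is modelled on the exception example above
    Policy("keyword-scan", {"HTTP", "POP"}, ANY, ANY, "both",
           except_sources=["192.168.0.2/32"]),
    Policy("anti-malware", {"HTTP", "POP"}, ["192.168.0.0/24"], ANY,
           "outbound", start=time(8, 0), end=time(18, 0)),
]

if __name__ == "__main__":
    for src in ("192.168.0.7", "192.168.0.2"):
        print(src, services_for(POLICIES, "HTTP", src, "203.0.113.10",
                                "outbound", time(10, 0)))
```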

The DCI Service Policy Manager creates, updates, deletes, queries, and performs backup/restore of these policies and offers the following advantages:

  • Unified management for all services, network applications, and network traffic
  • Fine-grained control over how DCI services are applied to suit the business requirements
  • Differentiated services for better customer service and new revenue models

DCI In Use with Wedge Data Loss Prevention App

Another key usage of DCI can be seen in Wedge's Data Loss Prevention App. Deep Content Inspection is required to accurately scan both structured and unstructured data so that organizations can ensure that their valuable information is not leaking out of their networks.