Enforcing security in a network may include preventing data from leaking out of the network and preventing viruses and bots that hijack servers from coming into the network. Data leakage has become one of the top concerns for corporate clients who install networks, ranking just below concerns regarding viruses. Network security devices (e.g., firewalls) have attempted to prevent unauthorized access to networks and data leakage from networks since the inception of network security.
Deep packet inspection (DPI) is a conventional security approach used by network security devices to examine both the header and the data (payload) of a data packet in a data flow that passes through a network security device. The DPI approach may search for viruses, non-compliance with a protocol, spam, intrusions, predefined criteria, and so on, within the data of the data packet. The DPI approach may use several criteria to decide whether the packet is to be allowed or dropped. In contrast, shallow packet inspection may only check the header of the data packet. Shallow packet inspection is considered insufficient to enforce network security in many network environments and may be insufficient to enforce fine-grained access control.
There has been an increase in the use of encrypted data throughout networks. This may be due, in part, to the increased use of virtual private networks (VPNs) that encrypt network traffic between different private network locations that form a single network. These private networks may be connected by an unsecure public network (e.g., the Internet). Another reason for the increase is the use of encryption at the transport layer. Network applications like web traffic (HTTP) use encryption provided by the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols, which encrypt the application traffic between a client and a server. Although encryption may appear to increase security for VPNs or for applications using SSL or TLS, encryption reduces or eliminates the effectiveness of DPI. This is because encryption masks harmful data from the scanning associated with DPI, which examines the data of the data packet. SSL is becoming a nearly ubiquitous choice for securing a number of applications including, for example, web-based transactions, emails, Web VPNs, and so on. Due to its simplicity and cost-effectiveness, SSL is also used to identify and validate endpoints and to encrypt communications. SSL may be used within an intranet (e.g., a LAN) to secure communications between departments, between groups, and so on.
Another conventional approach associated with network security devices is session level verification. Session level verification may keep track of whether a data packet of a data flow is at the start of a new connection (e.g., a new data flow), a part of an existing connection, or an unauthorized packet. This approach may scrutinize the first packet of a data flow; however, subsequent packets in the data flow may be assumed to be secure due to the authentication of the first packet in the data flow. This approach may verify the identity of the source of a data flow only at initiation (e.g., login). However, botnet controllers that have infiltrated the network may spoof the address of an endpoint of an already authenticated connection. This spoofing allows the botnet to send messages that traverse the network security device. By using the already authenticated connection (e.g., a pinhole through the network security device), the data may exit the “secure” network and be monitored by another bot that uses promiscuous mode monitoring. This may facilitate data leakage. Another risk involves spoofing or masquerading the identity of legitimate entities, as may occur during phishing attacks.
Other conventional approaches used by network security devices analyze the protocols of the data flow and determine whether the data flow is being routed through the appropriate port for the protocol. This approach may determine whether an unwanted protocol is attempting to sneak through a non-standard port that does not match the protocol. However, this approach does not catch sophisticated network intrusion software that matches ports with their associated protocols.
An additional issue unrelated to security may also arise. Encrypted data traffic may be difficult to classify. Examining the type of data carried by a data packet may allow a network security device to determine an appropriate level of service (e.g., quality of service (QoS)) to provide for the data flow. For example, streaming video may require a high bandwidth allocation to prevent interrupted (e.g., choppy) video display. However, an encrypted video stream may not be identified as a video stream by a network security device. This may prevent the encrypted video stream from receiving the high bandwidth allocation that it requires.
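The following added example (not part of the original text, and not any product's inspection engine) illustrates the shallow-versus-deep inspection contrast, the port/protocol consistency check, and the effect of encryption on DPI and traffic classification described above. All packets, the signature table, the expected-port table, and the entropy threshold are constructed for illustration; the "encrypted" payload is a stand-in byte sequence, not real ciphertext.

```python
import math
from collections import Counter

# Constructed signature table: a placeholder byte pattern, not a real malware signature.
DPI_SIGNATURES = {b"CONSTRUCTED-MALWARE-MARKER": "constructed-malware"}

# Expected application protocol per well-known destination port (example policy).
PORT_PROTOCOL = {80: "http", 443: "tls", 22: "ssh"}

def identify_protocol(payload: bytes) -> str:
    """Guess the application protocol from the leading bytes of the payload."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload[:1] == b"\x16" and payload[1:2] == b"\x03":  # TLS handshake record header
        return "tls"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT"):
        return "http"
    return "unknown"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted or compressed data, far lower for text protocols."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def inspect(dst_port: int, payload: bytes) -> dict:
    """Run a header-only (shallow) check, a DPI signature scan, and a port/protocol check."""
    header_verdict = "allow" if dst_port in PORT_PROTOCOL else "drop"  # shallow inspection
    proto = identify_protocol(payload)
    expected = PORT_PROTOCOL.get(dst_port)
    port_mismatch = proto != "unknown" and expected not in (None, proto)
    sig_hits = [name for sig, name in DPI_SIGNATURES.items() if sig in payload]
    # High entropy: DPI cannot see the content, and the traffic type (e.g. video) cannot
    # be classified for QoS from the payload alone. Threshold is a constructed choice.
    opaque = shannon_entropy(payload) > 7.0
    return {"header": header_verdict, "protocol": proto, "port_mismatch": port_mismatch,
            "signatures": sig_hits, "opaque_to_dpi": opaque}
```

Running `inspect` on a plaintext HTTP request carrying the marker yields a signature hit, while the same marker wrapped in the constructed high-entropy "ciphertext" on port 443 passes the shallow check with no hit and is flagged only as opaque.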