Fine-grained policies as enabled by Layer 7-aware classification and metadata extraction already provide a high degree of security. However, there are scenarios where even more security measures should be applied.
Consider for example:
- (Industrial) Internet of Things
We speak of the Internet of Things when “devices” like cars, homes and whole cities are connected to the Internet. While promising a lot of comfort and benefits to the customer, security and safety have to be considered on every layer in order to prevent malicious behavior intended to take control, steal data or disrupt services.
- CRITIS (Critical Infrastructures)
Critical infrastructures such as energy, health, food, traffic and transport have become frequent targets of sophisticated hacking attacks. Often these infrastructures and the legacy communication protocols they use (e.g. SCADA, Modbus, DNP3) have not been designed with security in mind. Therefore, it is essential to harden industrial networks with “bump-in-the-wire” security equipment that enhances the integrity, confidentiality or reliability of communications across an existing logical link without altering the communications' endpoints.
DPI-enabled security solutions can be used to secure the communication in this and other scenarios by:
- Enforcement of authentication & encryption quality
Cryptographic certificate information, such as used ciphers, issuer & validity, transferred upon connection establishment, can be extracted in order to enforce sender authentication and encryption quality (e.g. blocking SSLv3).
- Surgical validation on the instruction level
Industry-specific atomic metadata extraction as provided by the API can be used to whitelist single commands and even individual instructions. For example, a command that sets a safety-critical value on an engine control unit (ECU) in a car can be denied. Such whitelisting can also prevent attacks like the one carried out by Stuxnet in order to destroy critical infrastructure components.
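To illustrate instruction-level whitelisting on one of the legacy protocols named above, here is an added example (not code from the original page or the product it describes): a minimal Modbus/TCP inspector that parses the MBAP header and PDU, then applies a hypothetical per-unit policy allowing only selected function codes and only writes inside a permitted register range, while dropping anything malformed. The policy values, the "safety-critical setpoint" at register 0x0010 and the sample frames are all constructed for the example.

```python
import struct

# Modbus function codes used by the policy below.
READ_HOLDING_REGISTERS, WRITE_SINGLE_REGISTER, WRITE_MULTIPLE_REGISTERS = 0x03, 0x06, 0x10
WRITE_FUNCTIONS = {WRITE_SINGLE_REGISTER, WRITE_MULTIPLE_REGISTERS}
# Hypothetical whitelist for one unit: only these function codes pass, and writes may
# only touch this register range (a safety-critical setpoint at 0x0010 lies outside it).
ALLOWED_FUNCTIONS = {READ_HOLDING_REGISTERS, WRITE_SINGLE_REGISTER}
WRITABLE_REGISTERS = range(0x0100, 0x0200)

def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the MBAP header and the PDU fields the policy needs; raise on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad protocol id or MBAP length field")
    function, address, count = frame[7], 0, 0
    if function in (READ_HOLDING_REGISTERS, WRITE_MULTIPLE_REGISTERS) and len(frame) >= 12:
        address, count = struct.unpack(">HH", frame[8:12])   # start address, quantity
    elif function == WRITE_SINGLE_REGISTER and len(frame) >= 12:
        address, count = struct.unpack(">H", frame[8:10])[0], 1
    return {"unit": unit, "function": function, "address": address, "count": count}

def decide(req: dict) -> str:
    """Return 'allow' or 'deny: <reason>' for a parsed request."""
    if req["function"] not in ALLOWED_FUNCTIONS:
        return f"deny: function 0x{req['function']:02x} not whitelisted"
    if req["function"] in WRITE_FUNCTIONS:
        touched = range(req["address"], req["address"] + req["count"])
        if any(r not in WRITABLE_REGISTERS for r in touched):
            return f"deny: write to protected register 0x{req['address']:04x}"
    return "allow"

def inspect(frame: bytes) -> str:
    """Fail closed: a frame that does not parse is dropped rather than forwarded."""
    try:
        return decide(parse_modbus_tcp(frame))
    except ValueError as exc:
        return f"deny: malformed ({exc})"

# Constructed sample frames (not captured traffic): MBAP header followed by the PDU.
SAMPLES = {
    "read_regs": bytes.fromhex("0001 0000 0006 01 03 0000 000a"),            # read 10 registers
    "write_setpoint": bytes.fromhex("0002 0000 0006 01 06 0010 1234"),       # write protected 0x0010
    "write_ok": bytes.fromhex("0003 0000 0006 01 06 0100 0001"),             # write inside range
    "write_multi": bytes.fromhex("0004 0000 0009 01 10 0100 0001 02 0000"),  # fc 0x10 not allowed
}
```

Calling `inspect()` on each entry of `SAMPLES` yields one allow, two policy denials and one denial because function code 0x10 is not whitelisted; a truncated or mis-sized frame is reported as malformed and never forwarded.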