In Packet Inspection Race, Cisco Sees FPM As Key To Network Security

Cisco has an interesting tease for an upcoming Webcast entitled "Defending Your Router in 256 Bytes or Less." The thesis is that "the increase in accuracy and performance of network security products has pushed hackers to create attacks within the first 256 bytes of code that slip into networks under the radar." The upshot is that Cisco is pitching Flexible Packet Management (FPM), a technique it developed as a more effective way to block attacks than the deep packet inspection methods that are widely used.

I'm no expert, but something jumps out at me here. Indeed, it's implicit in the fact that Cisco is holding this seminar, and also that there are multiple packet-examination techniques extant, that we've got something of a packet-inspection arms race going on. Hackers are getting smarter and more focused in their attacks, and vendors have to jump through ever tighter hoops to protect their routers, firewall appliances, etc.

I think the "hoops" analogy is apt, because if the idea now is that the most successful attacks take place in the initial packets, this means that the network doesn't have much (any) time to get its act together. No lengthy analyses allowed; just cut to the chase and protect. Now.

OK, so let's do a short short on the two techniques at hand. Here's a brief description of deep packet inspection (DPI), from a 2005 article by Dr. Thomas Porter, in SecurityFocus. DPI, he notes, is performed in firewall applicances:

"[The] DPI engine scrutinizes each packet (including the data payload) as it traverses the firewall, and rejects or allows the packet based upon a ruleset that is implemented by the firewall administrator. The inspection engine implements the ruleset based upon signature-based comparisons, heuristic, statistical, or anomaly-based techniques, or some combination of these."Now here's Cisco's explanation of flexible packet matching:

"Flexible Packet Matching (FPM) is the next generation access control list pattern matching tool, providing more thorough and customized packet filters. . .FPM is useful because it enables users to create their own stateless packet classification criteria and to define policies with multiple actions (such as drop, log, or send Internet Control Message Protocol unreachable) to immediately block new viruses, worms, and attacks."

I should note in closing that packet inspection, however you approach it, is very much a moving target and an evolving field. On the one hand, there appears no single technique that can protect against everything. At the same time, the more inspection and analysis you do, the more complexity you add to the network. Unfortunately, these tough protection constraints play into the hands of the bad guys, which means this security arms race is going to get more challenging in the future.

Follow me on Twitter.

Write to me directly [email protected].