Throughout the history of Ethernet, starting from the late 1970s, when Robert Metcalfe started 3COM, network evolution has clustered around a few specific themes every decade. In the 80s, the industry was focused on improving the span of basic network connectivity by connecting localized LAN clouds with each other. By the early 90s, the focus for LAN equipment providers had moved from basic connectivity to broader attributes such as assured connectivity and ease of deployment, whereas backbone and service providers were focusing on uptime, resilience, and capacity.
The late 90s and the following decade saw dependence on networking grow to historic levels, especially with the advent of voice as well as video on what had previously been known as data networks, a move the industry termed 'triple play'. Today, the need for ubiquitous connectivity is driving wireless network rollouts, which are becoming a big part of the connectivity cloud. Thus, the journey that started in the 70s in serving the need to connect stationary computers has come all the way to connecting people on the move. A lot has changed over time. User expectations from today's networks have increased, and there are future demands for omnipresence, resilience, cost-effectiveness, scalability, speed, capability (packets/voice/video), mobility, ease of use and deployment, interoperability, etc. That is indeed a lot of change within four decades.
From an enterprise perspective, networks have moved on from being productivity enhancement tools to becoming a business continuity infrastructure. These three decades have given rise to new technologies and thus led to the demise of many old businesses. Connecting small businesses to global markets (eBay, Alibaba), carrying stock trades without the transaction involving paper (Merrill, Schwab), and affording economies of scale to rural areas (Amazon) are some of the real value additions for consumers. Networks are helping squeeze inefficiencies out of the supply chain, enabling better products at yesterday's price. Networking technology has had a deep impact on businesses, where several industries (bricks and mortar, stock brokerages, travel agents, airline service staff, etc) have changed forever.
From the government and social perspective, the availability of ubiquitous and cheaper ways of disseminating information has brought down the barriers to accessing information and has enabled greater participation of the masses. Unlike earlier times, access to timely information has helped humanity cope through better disaster planning and more widespread support in case of natural and man-made disasters. A lot of this would not have been possible without the key networks that have connected supply with demand for the economic world while connecting the populace with information like never before. As we can see, networks have been ever transforming and are now a quintessential part of modern human existence.
Ports and Protocols
While the number of users on the Internet was increasing, the evolution of file sharing applications such as Napster put enormous loads on the global network infrastructure. Loads of users around the world sharing files through large downloads created denial of service (DoS), affecting the resilience and availability of service providers as well as enterprise networks. Early firewalls, which were designed to defend networks from malicious attacks, were capable of identifying applications based on standard port numbers and protocols (TCP/UDP/others) by sniffing packet headers. This seemed sufficient to address user-behavior-generated DoS (as compared to malicious DoS), and it was the first line of defense against file sharing services. The author classifies such applications as standard applications running over standard ports (SASP).
Soon the arms race heated up and protocols surfaced in which application writers started reusing port numbers. To recognize such applications one needed to broaden the existing port-to-application association by binding ports and protocols with known source and/or destination IP addresses through access control lists (ACLs). Such applications can be classified as standard services over non-standard ports (SANP).
The next generation of applications was much harder to identify. Peer-to-peer file sharing applications such as Kazaa are not tied to a central pool of identifiable control servers (hence ACLs are helpless), and many of them use the standard HTTP port 80 for transport. Since most web traffic runs on HTTP port 80, disabling port 80 in order to stop Kazaa is not a viable solution. These and other hard-to-detect next generation applications can be identified only through inspection of not just packet headers but also the content of packets. This category can be classified as signature based application detection (SBAD). This deeper inspection (or content inspection) works by having the inspector search for strings of interest within packet content and identify applications based on the matches found.
Signatures
Bringing SBAD to reality presents many issues that need to be solved, the first of which falls in the general class of string abstraction. Strings of interest need to be strong and sufficiently abstracted. For example, if one were interested in uniquely identifying the author, a signature with just the first name would not be enough: 'Naresh' would not suffice, since it would also identify all his namesakes. A stronger signature would contain 'Naresh' as well as his second name, 'Sharma', and the name of his company, 'XYZ', whereas the strongest signature would additionally contain the name of the state and the educational institute. This example illustrates that the first method, using only the author's first name, has a lot of false positives, whereas a stronger signature that most uniquely describes the author has near zero or, better, zero false positives. Reduction of false positives is driven by the uniqueness of strings. To help improve uniqueness within strings, signature writers use the techniques of anchoring and grammar. The second big issue with SBAD is the issue of false positives and false negatives. False negatives occur when the inspection machine misses detecting an application when it is really there.
Deep packet inspection thus has complexities involved in specifying what to search for and in analyzing whether the abstraction yields acceptable false positives and zero false negatives. These complexities are solved today by signature compilers and post-processing tools. For effective application recognition, fixed-attribute checks (port numbers, protocol, etc) need to be applied in conjunction with SBAD as well as with deeper contextual checks.
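The three detection tiers described above (SASP port table, SANP ACL binding, SBAD content signatures) and the weak-versus-strong signature comparison, as an added Python example that is not code from the article or from LSI. The "XSHARE" protocol, its signature patterns, the IP addresses and the sample traffic are all constructed for this illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str       # "tcp" or "udp"
    src: str         # source IP
    dst: str         # destination IP
    dport: int       # destination port
    payload: bytes   # first bytes of the application data

# SASP: standard application on its standard port (fixed-attribute check).
STD_PORTS = {("tcp", 80): "http", ("tcp", 25): "smtp", ("udp", 53): "dns"}

# SANP: a known service reusing port 80, pinned by an ACL that binds
# protocol, destination IP and port. Address and service name are constructed.
ACL = {("tcp", "203.0.113.10", 80): "central-fileshare"}

# SBAD: content signatures for the hypothetical P2P protocol "XSHARE" riding on
# port 80. Weak = one short unanchored token; strong = anchored with grammar.
WEAK_SIG = re.compile(rb"share", re.IGNORECASE)
STRONG_SIG = re.compile(rb"\AXSHARE/1\.0 (GET|PUT) /[0-9a-f]{8,}\r\n")

def classify(pkt, sig):
    """Fixed-attribute checks first, then content inspection on port 80 traffic."""
    if (pkt.proto, pkt.dst, pkt.dport) in ACL:                            # SANP
        return ACL[(pkt.proto, pkt.dst, pkt.dport)]
    if (pkt.proto, pkt.dport) == ("tcp", 80) and sig.search(pkt.payload):  # SBAD
        return "xshare"
    return STD_PORTS.get((pkt.proto, pkt.dport), "unknown")               # SASP

# Constructed, labelled traffic: (packet, true application).
SAMPLES = [
    (Packet("tcp", "192.0.2.5", "198.51.100.7", 80,
            b"GET /share/report.pdf HTTP/1.1\r\nHost: www.example.com\r\n"), "http"),
    (Packet("tcp", "192.0.2.6", "198.51.100.8", 80,
            b"XSHARE/1.0 GET /a1b2c3d4e5f6\r\n"), "xshare"),
    (Packet("tcp", "192.0.2.7", "203.0.113.10", 80, b"GET /list HTTP/1.1\r\n"), "central-fileshare"),
    (Packet("udp", "192.0.2.8", "198.51.100.9", 53, b"\x12\x34\x01\x00"), "dns"),
]

def evaluate(sig, samples=SAMPLES):
    """Return (false positives, false negatives) for the XSHARE verdict."""
    fp = fn = 0
    for pkt, truth in samples:
        got = classify(pkt, sig)
        if got == "xshare" and truth != "xshare":
            fp += 1          # ordinary traffic wrongly flagged as XSHARE
        if got != "xshare" and truth == "xshare":
            fn += 1          # XSHARE traffic missed
    return fp, fn
```

Running `evaluate(WEAK_SIG)` flags the ordinary HTTP request whose URL happens to contain "share", while `evaluate(STRONG_SIG)` produces neither false positives nor false negatives on this sample set.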
Other big areas of discussion remain on how today's designers are going about building systems that are capable of inspecting every packet at high throughput, and on identifying next generation applications that use encrypted communication, leaving content inspection helpless. While the idea of deep packet inspection has been around for some time, building scalable and cost-effective solutions for a constantly evolving application landscape is still an evolving area.
Deepak Lala, engineering director, networking components division, LSI
vadmail@cybermedia.co.in