Wednesday, July 21, 2021

CMV: Deep packet inspection breaks zero trust

Hi,

I just had a thought today, and it may be obvious/common knowledge, but I see DPI being touted as a security feature and it always rubbed me the wrong way. I think I finally found a framework to express how it rubs me the wrong way.

So for context, I mostly work in cloud, but I know datacenter too and this still applies to datacenter networking. Current best practices are to implement what's called "zero trust", which is basically just an extension/rewording of older best practices of "don't make a big central firewall". So for zero trust to exist, there cannot be a central point of trust. To build on this, it is best practice, at least in cloud, to encrypt all data in transit (in AWS, all endpoints they give you from ALBs to SQS queues are all HTTPS) even if the traffic is "internal". So, to implement DPI in this setup, you route all traffic across a centralized point that inspects the traffic and applies rules, but it's encrypted so you can only get the header information.

This leaves 2 possibilities:

  • You only inspect the headers
  • You decrypt SSL on device with injected certificates

If you only inspect the headers, then what's the point of a central firewall? Especially in cloud where everything gets a firewall through security groups or equivalent, though any ol' device can do basic header filtering with minimal overhead.

If you decrypt SSL, then that creates a central point of trust since it has certificates accepted by all devices and it's also a central point for data collection.

Is there something wrong with this logic? It seems that common practice is to implement it but I don't see the actual benefit of implementing it.
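To make the "headers only" branch concrete, here is an added example (not part of the original post) of what a header-only inspector actually gets to see on a TLS connection. It builds a constructed TLS ClientHello and a constructed application_data record, then parses them the way an inline device that does not hold any certificates would: the ClientHello is sent in the clear, so the Server Name Indication (SNI) and the offered cipher suites are visible and can drive an allow/deny rule, while every application_data record is ciphertext and yields nothing but its length. The hostnames and the builder functions are assumptions made for the sample; none of this is real captured traffic.

```python
import struct

# Constructed sample builders (not real captured traffic) so the inspector
# below has something to parse offline.
def build_client_hello(server_name: str, cipher_suites: list[int]) -> bytes:
    """Build a minimal TLS ClientHello record carrying an SNI extension."""
    client_random = bytes(32)                       # fixed value for the sample
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    name = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # ext 0 = server_name
    body = (b"\x03\x03" + client_random
            + b"\x00"                                 # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                             # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def build_application_data(ciphertext: bytes) -> bytes:
    """Build a TLS application_data record; the payload is opaque ciphertext."""
    return b"\x17\x03\x03" + struct.pack("!H", len(ciphertext)) + ciphertext

def inspect_record(record: bytes) -> dict:
    """Return everything a header-only inspector can learn from one TLS record."""
    content_type = record[0]
    info = {"content_type": content_type,
            "length": struct.unpack("!H", record[3:5])[0]}
    if content_type == 0x17:
        info["kind"] = "application_data"   # encrypted: only size and timing remain
        return info
    if content_type != 0x16 or record[5] != 0x01:
        info["kind"] = "other"
        return info
    info["kind"] = "client_hello"
    pos = 9 + 2 + 32                         # record hdr + handshake hdr + version + random
    pos += 1 + record[pos]                   # skip session id
    cs_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    info["cipher_suites"] = [struct.unpack("!H", record[i:i + 2])[0]
                             for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + record[pos]                   # skip compression methods
    ext_total = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    info["sni"] = None
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if ext_type == 0x0000:               # server_name: list_len(2) type(1) name_len(2) name
            name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
            info["sni"] = record[pos + 5:pos + 5 + name_len].decode()
        pos += ext_len
    return info

def policy_decision(record: bytes, allowed_names: set[str]) -> str:
    """What a header-only rule can decide: allow/deny on SNI, or nothing at all."""
    info = inspect_record(record)
    if info["kind"] != "client_hello":
        return "opaque"                      # nothing to match on without decryption
    return "allow" if info["sni"] in allowed_names else "deny"

if __name__ == "__main__":
    allowed = {"queue.internal.example"}     # constructed allowlist
    hello = build_client_hello("queue.internal.example", [0x1301, 0x1302, 0xC02F])
    print(inspect_record(hello))
    print(policy_decision(hello, allowed))
    print(policy_decision(build_application_data(bytes(40)), allowed))
```

Everything the `policy_decision` function can act on is also available to a per-host firewall or a security group rule keyed on destination, which is the post's point about the central box adding little in this branch. The caveat cuts the other way too: SNI, cipher suites and record sizes are metadata that leaks from "encrypted" traffic to anything on the path, so a header-only device is still a data-collection point, just a weaker one, and where Encrypted Client Hello is deployed even the SNI disappears from this view.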


