BCM
Posted: 7/10/2015 3:12:54 AM EDT
He points out that it would take acres of the very best deep packet machines, consuming megawatts of power, to match the ingress of a moderately powerful router.

He also uses an example where he asks someone in the (small) audience to stand up, and says at the speed of light, the start of one packet to the start of the next is about 6' 6", and unless you're OK with injecting latency you can't really make any decisions.

Furthermore, he points out that Google no longer uses firewalls to protect the LAN - it's essentially fully open to the Internet.

Thank you. I watched it in the last six months or so but I assume it could have been filmed in the last two years.


ETA:
Here is a blog post that expands on the video a little



And this, folks, is why you log all your IRC. I found this by grepping a couple of years of IRC logs.

20:20 <+ry> this guy says docker security is "aspirational". I love him. http://etherealmind.com/why-firewalls-wont-matter-in-a-few-years/  watch the video
Link Posted: 7/10/2015 8:00:48 AM EDT
[#1]
I have no idea what you're talking about.
Link Posted: 7/10/2015 8:09:44 AM EDT
[#2]
I would be interested to see this also.
Link Posted: 7/10/2015 10:25:48 AM EDT
[#3]
I think you can see that a lot on redtube.

It looks like more fun than folly though.
Link Posted: 7/10/2015 10:48:02 AM EDT
[#4]
Quoted:
He points out that it would take acres of the very best deep packet machines, consuming megawatts of power, to match the ingress of a moderately powerful router.

He also uses an example where he asks someone in the (small) audience to stand up, and says at the speed of light, the start of one packet to the start of the next is about 6' 6", and unless you're OK with injecting latency you can't really make any decisions.

Furthermore, he points out that Google no longer uses firewalls to protect the LAN - it's essentially fully open to the Internet.

Thank you. I watched it in the last six months or so but I assume it could have been filmed in the last two years.
https://www.google.com/?gws_rd=ssl#q=deep+packet+insertion&tbm=vid

TRG
Link Posted: 7/10/2015 11:40:03 AM EDT
[#5]
As someone who is doing deep packet inspection for an ISP I would also like to know WTF he's talking about.
Link Posted: 7/10/2015 12:04:54 PM EDT
[#6]
Please don't listen to that man.

Deep packet inspection is done all the time. Firewalls have tools that can scan for viruses during connections and block before the download finishes. This tech has been in firewalls for years. Scanning is accomplished through the use of FPGAs or ASICs and/or offloaded to secondary processing systems. There are also firewalls and deep packet scanners that forward URLs and info to cloud servers that visit and scan websites in real time to identify threats before users can visit them.

I.e., you browse arfcom at work. The firewall sends that URL to a cloud server, which also visits the URL and all page elements, scanning for malicious content. It will also follow links and scan other parts of the site looking for malicious content. It will report back to the firewall anything that should be blocked.

Layer 7 firewalls and intrusion detection systems also ensure that connections conform to the protocol that is supposed to be running on them. If someone tries to send malformed SMB traffic over the wire, firewalls can block it. You can also designate that HTTP traffic runs over port 80, SSH traffic runs over port 22, and so on. If someone tries to run a different protocol over the port other than what is specified, the firewall will block it.


Quoted:
He also uses an example where he asks someone in the (small) audience to stand up, and says at the speed of light, the start of one packet to the start of the next is about 6' 6", and unless you're OK with injecting latency you can't really make any decisions.


At the speed modern processors operate at light travels fractions of an inch for each clock cycle. But none of this is relevant to the issue at hand.
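The port-to-protocol conformance described in the post above (HTTP on 80, SSH on 22, malformed SMB blocked) as an added illustration in Python; this is not code from the thread or from any firewall product, and the port policy, header checks and sample flows are all constructed for the example.

```python
import re

# Expected protocol per destination port. The thread's examples are HTTP on 80
# and SSH on 22; SMB on 445 is added here to cover the "malformed SMB" case.
PORT_POLICY = {80: "http", 22: "ssh", 445: "smb"}

# First bytes a well-formed client should send for each protocol.
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n")
SSH_BANNER = re.compile(rb"^SSH-2\.0-\S+\r?\n")
SMB_MAGIC = (b"\xffSMB", b"\xfeSMB")  # SMB1 and SMB2/3 header signatures


def looks_like(proto, data):
    """Return True if the first bytes of a flow conform to `proto`."""
    if proto == "http":
        return HTTP_REQUEST_LINE.match(data) is not None
    if proto == "ssh":
        return SSH_BANNER.match(data) is not None
    if proto == "smb":
        # Direct-TCP SMB: 4-byte NetBIOS session header (type 0x00 + 24-bit
        # length) followed by the SMB header. A length field that disagrees
        # with the bytes actually present is the "malformed" case.
        if len(data) < 8 or data[0] != 0x00:
            return False
        declared = int.from_bytes(data[1:4], "big")
        return data[4:8] in SMB_MAGIC and declared == len(data) - 4
    raise ValueError(f"unknown protocol {proto}")


def check_flow(dst_port, first_bytes):
    """Verdict for one new connection: ('allow' | 'block', reason)."""
    expected = PORT_POLICY.get(dst_port)
    if expected is None:
        return ("allow", "no protocol policy for this port")
    if looks_like(expected, first_bytes):
        return ("allow", f"conforms to {expected}")
    return ("block", f"port {dst_port} is reserved for {expected}")


# Constructed sample flows: (dst_port, first bytes sent by the client).
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (80, b"SSH-2.0-OpenSSH_7.9\r\n"),            # SSH tunnelled over port 80
    (22, b"SSH-2.0-OpenSSH_7.9\r\n"),
    (445, b"\x00\x00\x00\x24" + b"\xffSMB" + b"\x72" + b"\x00" * 31),
    (445, b"\x00\x00\x00\x24" + b"\xffSMB" + b"\x00" * 10),  # body too short
    (8080, b"anything goes here"),
]


def audit(flows=SAMPLE_FLOWS):
    """Apply the policy to every flow; returns the ports of blocked flows."""
    return [port for port, data in flows if check_flow(port, data)[0] == "block"]


if __name__ == "__main__":
    for port, data in SAMPLE_FLOWS:
        print(port, *check_flow(port, data))
```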
Link Posted: 7/11/2015 2:45:43 PM EDT
[#7]
Fun fact. Many of the proponents of Net Neutrality wanted it to include a federal ban on DPI.
Link Posted: 7/11/2015 3:06:15 PM EDT
[#8]
Quoted:
Quoted:
He also uses an example where he asks someone in the (small) audience to stand up, and says at the speed of light, the start of one packet to the start of the next is about 6' 6", and unless you're OK with injecting latency you can't really make any decisions.

At the speed modern processors operate at light travels fractions of an inch for each clock cycle. But none of this is relevant to the issue at hand.

I mentioned that because it stuck with me and might help ID the video. The rest of the stuff I could mention is unremarkable - bad audio, bad lighting.

Also, I was let down by that, because I'd hoped he had something pithy like Grace Hopper.

Link Posted: 7/11/2015 3:14:53 PM EDT
[#9]
Quoted:
Quoted:
He also uses an example where he asks someone in the (small) audience to stand up, and says at the speed of light, the start of one packet to the start of the next is about 6' 6", and unless you're OK with injecting latency you can't really make any decisions.

At the speed modern processors operate at light travels fractions of an inch for each clock cycle. But none of this is relevant to the issue at hand.

I mentioned that because it stuck with me and might help ID the video. The rest of the stuff I could mention is unremarkable - bad audio, bad lighting.

Also, I was let down by that, because I'd hoped he had something pithy like Grace Hopper.

http://www.youtube.com/watch?v=JEpsKnWZrJ8

Grace Hopper was cool as fuck.
Link Posted: 7/11/2015 3:28:45 PM EDT
[#10]
Quoted:
Grace Hopper was cool as fuck.

I named my son after Alan Turing. I'd hoped to name a daughter after Grace Hopper, but I had to settle for a middle name of MAE. Whatever my ex thinks that name stands for, I agreed to it because it aligned with my interests.
Link Posted: 7/25/2015 3:02:36 PM EDT
[#11]
Link Posted: 7/25/2015 3:40:31 PM EDT
[#12]
You know Lockheed Martin doesn't have firewalls either, much like Google. Why? Because they have advanced IDS/IPS that uses Deep Packet Inspection. Much like Google.
Link Posted: 7/25/2015 4:20:18 PM EDT
[#13]

OP, take a look at GigaVUE; you can store days' worth of data off 10g links and recreate data from a specific TCP stream.

Quoted:
Fun fact. Many of the proponents of Net Neutrality wanted it to include a federal ban on DPI.


So put packet sniffing in the realm of money laundering and racketeering, as something only the government can do?

Link Posted: 7/25/2015 4:41:34 PM EDT
[#14]
Link Posted: 7/25/2015 5:15:41 PM EDT
[#15]

Quoted:
You know Lockheed Martin doesn't have firewalls either, much like Google. Why? Because they have advanced IDS/IPS that uses Deep Packet Inspection. Much like Google.

So much for defense in depth.
Link Posted: 7/26/2015 10:45:47 PM EDT
[#16]
I think we are overlooking a key factor here. DPI or not, are they filtering the MACs?
Link Posted: 7/28/2015 1:02:48 PM EDT
[#17]
Quoted:
I think we are overlooking a key factor here. DPI or not, are they filtering the MACs?


I finally get around to perusing the UC forum and this is the first thread I see...
Link Posted: 7/28/2015 2:09:11 PM EDT
[#18]
Quoted:


I finally get around to perusing the UC forum and this is the first thread I see...
It's a party in here.
Link Posted: 7/28/2015 2:12:21 PM EDT
[#19]
Quoted:

It's a party in here.
It sure as hell is now.
Link Posted: 7/28/2015 2:43:32 PM EDT
[#20]
Quoted:


It sure as hell is now.
So, dmnoid77. Please enlighten us: do you feel that DPI is a folly and a pox upon routing everywhere, and that we need giant fusion reactors and multiple CRAY super clusters to be able to have decent throughput?

Also, do you feel that DPI is an infringement on your personal liberty and god-given natural rights as a human?
Link Posted: 7/28/2015 2:56:34 PM EDT
[#21]
Quoted:
So, dmnoid77. Please enlighten us: do you feel that DPI is a folly and a pox upon routing everywhere, and that we need giant fusion reactors and multiple CRAY super clusters to be able to have decent throughput?

Also, do you feel that DPI is an infringement on your personal liberty and god-given natural rights as a human?
How much latency is acceptable? DPI is less of an issue than duplicative ACLs at the perimeter and every router down to the edge.
Link Posted: 7/29/2015 10:32:09 PM EDT
[#22]
Quoted:
How much latency is acceptable? DPI is less of an issue than duplicative ACLs at the perimeter and every router down to the edge.


You lie sir!  DPI is the debil, and we need fusion reactors to power them!
Link Posted: 7/30/2015 10:20:57 AM EDT
[#23]
Quoted:
Please don't listen to that man.

Deep packet inspection is done all the time. Firewalls have tools that can scan for viruses during connections and block before the download finishes. This tech has been in firewalls for years. Scanning is accomplished through the use of FPGAs or ASICs and/or offloaded to secondary processing systems. There are also firewalls and deep packet scanners that forward URLs and info to cloud servers that visit and scan websites in real time to identify threats before users can visit them.

I.e., you browse arfcom at work. The firewall sends that URL to a cloud server, which also visits the URL and all page elements, scanning for malicious content. It will also follow links and scan other parts of the site looking for malicious content. It will report back to the firewall anything that should be blocked.

Layer 7 firewalls and intrusion detection systems also ensure that connections conform to the protocol that is supposed to be running on them. If someone tries to send malformed SMB traffic over the wire, firewalls can block it. You can also designate that HTTP traffic runs over port 80, SSH traffic runs over port 22, and so on. If someone tries to run a different protocol over the port other than what is specified, the firewall will block it.

At the speed modern processors operate at light travels fractions of an inch for each clock cycle. But none of this is relevant to the issue at hand.
What commercially available DPI tools use hardware? Last I heard it was research only, because of the small space for signatures and low throughput.

The issue that I work around every day is that L4-L7 services cannot keep up with 10, 40 and 100gb links. This is only going to get worse with 25gb servers coming to market soon. The only answer is picking off non-encrypted traffic (the only real use for DPI) via a layer 4 switch and running it through DPI tools. It also makes sense to monitor traffic anomalies via IP headers.
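The throughput complaint above comes down to a per-packet time budget, worked out here as an added calculation (not from the thread or the talk it discusses). It assumes standard Ethernet framing overhead (preamble, start-of-frame delimiter and inter-frame gap), a single core making the decision, and a 3 GHz clock; at 100 Gbit/s the minimum-frame interval works out to roughly 2 m of light travel, the same order as the distance quoted in the opening post.

```python
C_METRES_PER_SECOND = 299_792_458.0
# Ethernet wire overhead per frame: 7-byte preamble + 1-byte SFD + 12-byte
# inter-frame gap. A 64-byte minimum frame therefore occupies 84 byte-times.
FRAMING_OVERHEAD_BYTES = 20


def packet_interval_ns(link_gbps, frame_bytes=64):
    """Time from the start of one frame to the start of the next at line rate."""
    wire_bits = (frame_bytes + FRAMING_OVERHEAD_BYTES) * 8
    return wire_bits / link_gbps          # bits / (Gbit/s) is nanoseconds


def packets_per_second(link_gbps, frame_bytes=64):
    """Line-rate packet count the inspection path must sustain."""
    return 1e9 / packet_interval_ns(link_gbps, frame_bytes)


def light_distance_m(interval_ns):
    """How far light travels in vacuum during one packet interval."""
    return C_METRES_PER_SECOND * interval_ns * 1e-9


def cycle_budget(link_gbps, clock_ghz, frame_bytes=64):
    """Clock cycles one core has per packet if it alone must keep line rate."""
    return packet_interval_ns(link_gbps, frame_bytes) * clock_ghz


def budget_table(link_rates=(1, 10, 40, 100), clock_ghz=3.0):
    """Rows of (Gbit/s, frame bytes, ns/packet, metres of light, cycles/packet).

    Minimum (64 B) and full-size (1518 B) frames are shown side by side: the
    large-frame figure is the one vendor datasheets tend to quote, the small-
    frame figure is the one that decides whether an inline box keeps up.
    """
    rows = []
    for gbps in link_rates:
        for frame in (64, 1518):
            ns = packet_interval_ns(gbps, frame)
            rows.append((gbps, frame, round(ns, 2),
                         round(light_distance_m(ns), 2),
                         round(cycle_budget(gbps, clock_ghz, frame), 1)))
    return rows


if __name__ == "__main__":
    print("Gbit/s  frame  ns/pkt   light(m)  cycles@3GHz")
    for gbps, frame, ns, metres, cycles in budget_table():
        print(f"{gbps:6}  {frame:5}  {ns:7}  {metres:8}  {cycles:11}")
```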
Link Posted: 7/31/2015 10:15:58 AM EDT
[#24]
PA and CheckPoint both have chassis that are up to 40gb capable. You are going to spend a SHITLOAD of money, but it's doable.

CheckPoint is currently researching and building 100gb capable chassis systems.
Link Posted: 7/31/2015 11:09:14 AM EDT
[#25]
Quoted:
PA and CheckPoint both have chassis that are up to 40gb capable. You are going to spend a SHITLOAD of money, but it's doable.

CheckPoint is currently researching and building 100gb capable chassis systems.  

We have carrier stuff that does GigE.
Link Posted: 7/31/2015 1:10:43 PM EDT
[#26]

Quoted:
We have carrier stuff that does GigE.

By GigE I assume you mean 1Gb/s Ethernet? I would hope you have more than that for carrier class.
Link Posted: 7/31/2015 2:38:33 PM EDT
[#27]
Quoted:
By GigE I assume you mean 1Gb/s Ethernet? I would hope you have more than that for carrier class.

They will do 1Gbps; we put them in the COs to shape the last mile. The vendor does have units that will do 40Gbps, and you can stack them as well.
Link Posted: 8/3/2015 10:15:59 AM EDT
[#28]
Quoted:
PA and CheckPoint both have chassis that are up to 40gb capable. You are going to spend a SHITLOAD of money, but it's doable.

CheckPoint is currently researching and building 100gb capable chassis systems.  
Yes, and other vendors also have high-bandwidth solutions. They all get there by distributing workload across multiple CPUs across multiple chassis. Also keep in mind that when they say 40g or any other speed they usually mean large packet size, which is easier for CPU-based devices to handle. Real-world numbers (IMIX) are usually around 1/2. Moreover, they are not applying next-gen firewall functions; it's just stateful L4. (The box may have next-gen FW features, however not at that BW.)

Point is, it's not ASIC- or FPGA-based; it's general-purpose CPU (usually Intel, running Linux).