The lines are blurred in the modern business lifestyle. There’re no boundaries between employees working from the office or anywhere in the world. And technological privilege enables linking personal devices to work applications for user and organization convenience.
This flexibility and ability to be mobile also mean that business matters simultaneously mix with personal activities online. And mobility is not alone to blame — the internet is often a necessary tool to perform job tasks and operate in different organization layers. Uncontrolled access to the internet provides vast resources incompatible with the work environment. How to manage what employees can do online without imposing risks on the company?
Deep Packet Inspection (DPI) is one of the most straightforward tools that limit free roaming online while connected to the company network. Establishing a set of restrictions helps create a secure perimeter for online activities within the company network.
It’s an important feature that supports performance and security efforts. Non-work-related activities can distract and reduce productivity. Moreover, entering various websites and apps can lure employees into malicious activities, so DPI is a choice for IT administrators to get a grip on the company’s traffic flow.
DPI solution using NordLayer
NordLayer solution offers a DPI Lite feature that allows IT administrators to control what user-requested data goes through or gets blocked from entering the company’s network.
The DPI Lite technology at NordLayer works on nDPI open-source protocol classification engine. It offers the most popular and acknowledged services (ports and protocols) that are used by websites and network apps to operate on the internet.
With NordLayer, admins choose specific ports and protocols they want to include in the custom-defined block list. The policy applies only when a user is connected to the organization’s virtual private gateway. Thus, employees who work on job-related projects can’t simultaneously use blocklisted online resources and network applications with restricted access.
How does NordLayer’s DPI Lite feature work?
The cloud-based feature is available only with a virtual private gateway configuration. It’s set to active within 24 hours upon request. IT admins can add or remove specific ports and protocols open to access through the company’s network. They can do it by submitting an inquiry via NordLayer’s Control Panel.
The IT administrators can navigate and choose from a wide range of alphabetically arranged services (no slot restriction) that cover dual-use online resources, potentially harmful to business operations:
Apple services
Domain Name System
E-commerce
Email client protocol/Email services
File sharing
Gaming
Google services
Hypertext Transfer Protocol
Identity
Infrastructure/Networking
IP tunneling protocol
Messaging protocol/services
Microsoft services
Monitoring/SCIM
Music streaming services
News services
Peer-to-peer file sharing
Remote Access
Social media
Software Development
Streaming services
VoIP protocol
VPN services
Other (miscellaneous)
Our internal data shows the tendency to stop services primarily related to unapproved Peer-to-peer file sharing, Social media, and Gaming categories. It comes as no surprise that customers are particularly interested in limiting access to non-work-related services that impose the biggest risks to company assets and staff performance.
However, if an employee needs access to company-level blocked sources, for example, a Social Media Manager working on Facebook and LinkedIn, IT administrators can purchase a separate dedicated Virtual Private Gateway for such employees and configure it with fewer restrictions.
The categories expand to a complete list of 250 available ports and protocols. You can choose only certain types of services, like blocking all messaging services except Slack, used for organizational communication.
NordLayer’s DPI Lite feature is managed only by the IT administrator and doesn’t have an ON/OFF function on the user side. The feature operates on the Application layer (OSI model Level 7) and Browser layer (OSI model Level 3). It means DPI inspects incoming data on the web and within network apps.
Enabled DPI Lite runs when the user, connected to the company’s virtual private network (or VPN), sends a request to access online resources or uses network-dependent applications. Once disconnected from the organizational network, the DPI policy isn’t active. Thus, it’s crucial to permit access to internal resources and applications only when they are connected to the network.
The incoming data is screened and filtered using the nDPI engine against the DPI Policy defined by the company’s IT administrator. The user is connected to a requested website if traveling data packets don’t include blocked services.
However, the connection to the requested online resource is restricted if there is a match between the data packet and the DPI block list policy.
How NordLayer’s DPI Lite is different?
Some solutions allow DPI to incorporate extensive categories and be customizable for every client’s preferences to restrict content online. However, a more complex approach may lead to excessive expenses. It may also require challenging configuration and become limiting to the company’s disadvantage.
Extensive data processing defined with all types of possible keywords can disrupt the connection flow and block access to online resources that initially weren’t intended to be restricted. On the other hand, if the company is set for hardware infrastructure and decides to continue with the same type of DPI technology, it will need to know how to configure and perform in-house maintenance. All these additional steps create an unnecessary workload for IT administrators.
To streamline the DPI implementation to the company infrastructure, NordLayer incorporates an easy-to-launch and control DPI Lite feature. It is cloud-native and easy to add or remove without investing in excessive resources. Its activation takes short notice and can be managed centrally, enabling flexibility and focus to the teams and operations:
Keep productivity on point. NordLayer’s DPI Lite feature encloses the company network with work-only online resources within employees’ reach. Leave no space for distractions, so teams are less likely to spend time on their personal activities and decrease the chances of human error.
Establish security levels. Entering unsecured websites or downloading data to work-linked endpoints can become a freeway for malicious actors accessing internal data and resources. DPI Lite can help filter out hidden remote computer access and control software planted by cybercriminals.
Quick implementation and adoption. DPI Lite, like all the other NordLayer features, is entirely cloud-based and thus simple to integrate into existing infrastructure. Besides short enablement time, it is compatible with other data processing features like DNS filtering by category, constructing a more robust organization security posture.
Easy to adhere to business needs. The categories or services of DPI Lite are simple to manage. A complete list or a few exceptions can be added or removed from the DPI Policy as required to suit the company’s service scope.
NordLayer offers a packet inspection solution that doesn’t overwhelm network security strategy and focuses on the most common business pain points. A well-sifted service list doesn’t leave space to overthink data to block or spend time researching what online resources to consider, so no openings are left. Overall, DPI Lite helps organizations handle their teams’ efficiency and activity while at work.
Benefits of DPI Lite
Establishing limits for online activity while working is like a reminder to focus on your tasks. But it’s not just about preventing employees from distractions using company gateways.
Adding DPI Lite as an additional security measure fortifies network security and advances business performance in different ways.
Prevent data leaking
Whether intentional or accidental, data leaks are damaging to businesses. DPI Lite adds to security measures by restricting the download of data-leaking apps or the usage of data-sharing and emailing services. Suppose employees try to send files from the company network via Dropbox or Google Drive. In that case, DPI Lite will recognize data packets containing related ports, protocols, and headers and will stop the action from completing the request.
Eliminate traffic overload
Online activities create traffic on network gateways: the more requests, the more overloaded infrastructure, ultimately resulting in performance issues. DPI Lite implementation to the virtual private gateways helps limit created traffic as users cannot access online resources. Online streaming and seeding services or visual-heavy social media increase network usage a few folds. Hence, with DPI blocking, fewer data packets must be inspected and unclog the network. Out of user sight, out of admin mind.
Protect static IP addresses
Unrestricted internet usage could create convenient conditions for employees to hide behind company IP addresses to perform illegal activities. For example, using torrents on a work network can result in copyright holders initiating blocked IP addresses or even legal prosecution for piracy on the organizational level.
With open internet access, scam attempts have a free pass. If law enforcement authorities identify IP during their investigation of a crime done by your employee from the company’s IP address, it might lead to the company’s liability and even hardware confiscation. Hence, whether the network is managed internally or via a vendor like Internet Service Provider (ISP), deep packet inspection as an additional security measure can help establish internal online activity limits to prevent any illicit acts from happening under the company name.
Entering NordLayer’s DPI Lite
Organization-first mindset while at work or dealing with company-related content can be seen as restricting user activity. Although it’s a strong push toward cybersecurity strategy implementation, preventing possible gaps and openings.
Deep packet inspection is part of the bigger picture when combined with other NordLayer security features like DNS filtering by category, ThreatBlock, and Jailbroken/rooted device detection. Enforcing our remote network access solution into your company infrastructure and activating the DPI Lite feature is a matter of a couple of days or less. Organization administrators need to access NordLayer Control Panel, navigate to Servers or Gateways under the Network tab, and configure it by selecting Deep Packet Inspection (Lite) categories as required.
Utilizing simple and affordable tools like NordLayer’s DPI Lite doesn’t overcomplicate the existing cybersecurity strategy and upgrades team productivity, network performance, and company security for better business performance.
Andrius Buinovskis
Head of Product
Andrius Buinovskis, Head of Product at NordLayer, began his IT journey in the early ’90s when he exclusively experienced the thrill of technology by accidentally deleting and then reinstalling Windows on his own PC. Since then, his passion for IT has grown, leading him to specialise in developing IT services across diverse industries, including banking, telco, aviation, and cyber defence. At NordLayer, Andrius is now deeply involved in strategising and leading the product development agenda, further trailing his mark in cybersecurity.