AUGUST 2020
TRAFFIC INTELLIGENCE
THE FUTURE OF DEEP PACKET INSPECTION (DPI)
A Survey of Product Managers Reveals the Top Challenges Facing Telecom, Networking & Security Solution Vendors
WWW.ENEA.COM
EXECUTIVE SUMMARY
What challenges does DPI address, and how should it evolve to deliver the traffic visibility required in telecommunication, cybersecurity and enterprise markets? Enea conducted a survey among high-tech product managers to find out.
Solution vendors and their customers are facing rapid changes as cloud transformation, 5G networking, work from home, and the Internet of Things (IoT) have a profound effect on network users, devices, and services. Understanding and controlling network traffic is key to surviving these changes. This is only possible with accurate, real-time, application-level visibility. As a result, DPI remains an essential technology, which must evolve and continue to deliver the much-needed visibility.
Vendors rely on DPI to help them address challenges like accuracy of traffic classification even with high throughput and the widespread adoption of encryption. This is driving technology evolution toward the broader concept of traffic intelligence: the boundaries of DPI have been greatly expanded to deliver important insights about network traffic even without inspecting the main content (or payload) of packets. This trend continues with the introduction of new techniques such as machine learning, connected device identification, and classification of industrial/IoT traffic.
The survey indicates that vendors plan to embed DPI in future products, including in cloud-based solutions. It also confirms that vendors recognize the value of commercial DPI, based on precise classification, high performance, ease of integration, and access to critical maintenance and support.
MAJOR CHANGES ARE UNDERWAY IN THE TELECOMMUNICATION AND SECURITY INDUSTRIES THAT REQUIRE DPI TO ADAPT AND EVOLVE
So, as DPI product managers, it seemed like a good time for us to pause and reach out to OEM product managers who are navigating these changes from the front lines. We conducted a DPI survey that has yielded valuable insights into current operations and roadmaps that we think will be of interest to the industry at large.
We thank everyone who responded to the survey and hope all readers of this report will benefit from the insights their responses provide.
If you didn’t have the opportunity to participate, we welcome your feedback (and questions) any time – please feel free to contact us to arrange a discussion.
Thank you
Mitrasingh Chetlall, Product Manager, Qosmos ixEngine
Sebastien Synold, Product Manager, Qosmos Probe
NOTE ON SURVEY PARTICIPANTS
The survey was conducted among product managers working for the following types of solution vendors:
Telecommunications
• Software-Defined Networking (SD-WAN, SASE, NFV)
• Network Performance Management
• Subscriber Experience Management
• Revenue Assurance & Fraud Management
Enterprise Networking
• Cloud Networking (SD-WAN/SASE)
• Network Performance Management
• Operations Intelligence & Automation
Cybersecurity
• Network Security (NG Firewalls, Cyber Threat Hunting, …)
• Cloud/WAN Security (SD-WAN/SASE, Web Gateways, Web Application Firewalls, …)
• Security Platforms (SIEM, Security Operations Automation & Orchestration, …)
• Cyber Defense (Crime Fighting, Cyber Intelligence, …)
(Lists are provided as examples and are not exhaustive.)
KEY HIGHLIGHTS
Baseline DPI
1. Application-level visibility is a requirement for 100% of respondents across markets. It simply has to be there for the analytics that will drive the management and security of future networks.
2. Machine learning and solutions built on weak signal intelligence are gaining ground in long-range product planning.
3. Precision and accuracy of traffic classification remain paramount and will need to be maintained even as extreme latency and throughput requirements increase.
Evolved DPI
Vendors need an evolved DPI that can deliver new capabilities like:
1. Abnormal traffic detection (70%)
2. Contextual data such as connected device classification (70%)
3. Greater visibility into VPN/tunneled traffic and industrial/IoT traffic
New Frontiers
Vendors need DPI to help them address major challenges, and capitalize on major opportunities, like:
1. Encryption (impacting 90% of respondents)
2. Cloud migration (65% have or will be transitioning there)
3. SASE (even though it's a new paradigm, half of vendors are already developing SASE offers)
The OEM/DPI Partnership
1. Vendors are confident that DPI evolution will keep pace with market evolutions:
• 100% plan to include DPI in future products
• 100% do or will include DPI in their cloud solutions
• 90% envision a role for DPI in their SASE offer
2. Vendors recognize the value of commercial DPI, and the importance of current commercial grade differentiators along with the beyond-DPI capabilities to come.
• BASELINE DPI
• BEYOND DPI
• NEW FRONTIERS
• THE OEM / DPI PARTNERSHIP
BASELINE DPI
We began the survey with DPI basics. When choosing a DPI solution:
• What matters most?
• What kind of traffic visibility is most helpful?
• What kinds of core DPI uses are most important?
WHAT LEVEL OF TRAFFIC VISIBILITY DO YOU REQUIRE?
Application classification was identified as a must-have for every respondent. Metadata was ranked least important; however, comments indicated that metadata is finding new value as weak signal intelligence for advanced analytics (like anomaly detection and user or device fingerprinting).
• Application Identification (WhatsApp, MS Teams, YouTube, Instagram, Facebook, Google Maps…): 100%
• Traffic Categorization (Video, audio, file transfer, adult content, social network, ICS/SCADA…): 80%
• Metadata Extraction (SSL: Common name, Skype: Service Info, RTP: MOS, NFS: file name…): 55%
HOW WOULD YOU RATE THE IMPORTANCE OF THESE DPI USES IN YOUR PRODUCT ROADMAP?
[Chart: importance ratings (Crucial/Top Importance, Very Important, Important, Somewhat Important) for four DPI uses: rules based on classification, rules based on metadata, machine learning, and anomaly detection]
Developing orchestration and security rules based on DPI traffic classification metadata has been a core use of DPI for decades, and will continue to be so. However, one interesting trend is that machine learning has nudged its way to second place in terms of those ranking it as most important, while at the same time receiving the most ‘least important’ ratings.
This dichotomy may indicate that to some vendors, automation is the key to facing the next decade’s challenges, and, in this case, machine learning is the key to automation, while others may be hesitant to venture into unfamiliar waters if business as usual can sustain market share in the short term.
WHICH CRITERIA ARE MOST IMPORTANT FOR CHOOSING A DPI ENGINE?
This is an interesting response!
Classification precision and accuracy are considered so much more important than performance. As we know, performance will be a major challenge in emerging hyperscale cloud and 5G environments, so this response indicates that even as DPI adapts to extreme latency and throughput needs, the main focus must still remain on boosting precision and accuracy.
[Chart: importance ratings (Crucial/Top Importance, Very Important, Important, Somewhat Important) for four criteria: quality, updates, performance, and worldwide support]
QUALITY (Accuracy & Precision): 82%
BEYOND DPI
Going further into the survey, we asked what solution vendors need that goes beyond the boundaries of classic DPI.
BEYOND FLOW CLASSIFICATION & METADATA EXTRACTION, WHAT ELSE DO YOU EXPECT FROM A DPI ENGINE OR PROBE?
Here, the top-ranking spot for abnormal traffic detection indicates that behavioral analytics are becoming more mainstream across markets. This makes sense as it offers an important strategy for identifying security or orchestration issues in complex, hybrid, distributed-edge networks.
• Abnormal Traffic Detection: 70%
• Device Identification: 70%
• IP/Domain Name Reputation: 57%
• User Identification: 35%
• File Extraction: 35%
• None of the Above: 5%
Let’s break it down by solution market.
Beyond abnormal traffic detection, it’s interesting to see the high importance of device identification across markets. For security, this aligns with the need to detect connections by devices with known security vulnerabilities, and to provide valuable context for threat hunting and forensics.
Telco and networking customers have likewise expressed a need for device identification to create and enforce network access policies, to create device-specific KPIs, and to create device-dependent routing or content delivery rules. (Download our device classification datasheet to learn more about this need and how it integrates with DPI).
Another finding of interest is that 100% of security vendors need and expect File Extraction, which is key to DLP and advanced malware detection.
[Charts: the same question broken down by market (Telecom, Security, IT Network), showing the share of respondents selecting Abnormal Traffic Detection, User Identification, Device Identification, IP/Domain Name Reputation, File Extraction, and None of the Above]
Respondents were also free to express other ‘beyond DPI’ needs. They pointed out a need for more visibility from a wide range of traffic types, but these five appeared in the responses of respondents across all markets.
One in particular, Industrial/IoT traffic, surfaces in comments to other questions as well, indicating the growing pressure to shape solutions for hybrid IT/OT networks, and for some, private 5G industrial networks.
WHERE ELSE DO YOU NEED MORE VISIBILITY?
Industrial/IoT
Voice/Video/Call Services
VPN/Tunneling
Instant Messaging
Social Networks
NEW FRONTIERS
We asked about major challenges and important industry evolutions facing telco, networking and security solution vendors:
• What is the effect of encryption?
• How far is the transition to cloud networks?
• Who’s moving to SASE?
ENCRYPTION (OUCH!)
IS NETWORK ENCRYPTION IMPACTING THE EFFECTIVENESS OF YOUR CURRENT SOLUTION?
90% YES
[Chart: responses split among Some impact now; Will render ineffective; No impact yet, but coming; No impact]
This finding reinforces what we regularly hear in conversations with our customers: encryption is a near-universal concern, its impact ranges from moderate to critical, and it is being felt now.
[You can visit our Encryption Resource Hub to learn more about this challenge, and how our team is addressing it.]
IMPACT OF ENCRYPTION BY MARKET
Moderate to high impact now, or to come soon:
• Telecom: 100%
• IT Network: 100%
• Security: 80%
CLOUD HERE WE COME
ARE YOU PLANNING A MOVE TO THE CLOUD (IF YOU’RE NOT THERE ALREADY)?
• YES: 65%
• NO: 35%
It’s quite impressive that 2/3 of all vendors have or will offer a cloud solution, including 80% of telco vendors.
And, as the breakdown that follows shows, most vendors expect their DPI to move to the cloud with them.
[Charts: cloud plans by solution market (Telecom, IT Network, Security), and where DPI will be deployed in cloud offers (cloud vs. premise) for each market]
SASE – WHO’S IN?
DO YOU SEE SASE AS THE NEXT STAGE FOR YOUR PRODUCT?
The move to SASE (Secure Access Service Edge) is more closely tied to vendor market than general cloud offerings, with least relevance for telco solution vendors (but maybe 5G will alter that pattern). However, it is quite notable that a full 50% of vendors plan a SASE offering even though it is a new paradigm. It shows that in a cloud world, SaaS-based networking and security is coming of age, as is the integration of NetOps and SecOps.
SASE AS THE NEXT STAGE FOR YOUR PRODUCT - THE MARKET VIEW FOR “YES” REPLIES
• Security: 80%
• IT Network: 60%
• Telecom: 22%
THE OEM / DPI PARTNERSHIP
We wanted to know about the future of DPI.
• How important is it for new products?
• Will vendors still use it when they move to the cloud?
• How does commercial DPI compare with open source?
WILL YOUR FUTURE PRODUCTS INCLUDE EMBEDDED DPI?
100% YES
• YES: 55%
• YES, if encrypted traffic can be classified: 35%
• YES, if new use cases require DPI: 10%
100% of respondents plan to include DPI in future products (as long as the critical encryption challenge is addressed).
IF YOU ARE PLANNING A CLOUD OFFER, WILL IT INCLUDE DPI?
• YES: 100%
100% do or will include DPI in cloud solutions.
IF YOU ARE PLANNING A SASE OFFER, WILL IT INCLUDE DPI?
• YES: 90%
• NO: 10%
90% envision a role for DPI in their SASE offer.
WHAT DO YOU THINK OF OPEN SOURCE?
ARE OPEN SOURCE DPI LIBRARIES A GOOD ALTERNATIVE TO COMMERCIAL DPI LIBRARIES?
• NO: 75%
• YES: 20%
• DON’T KNOW: 5%
ARE OPEN SOURCE DPI PROBES A GOOD ALTERNATIVE TO COMMERCIAL DPI PROBES?
• NO: 50%
• YES: 45%
• DON’T KNOW: 5%
IF NO, WHAT ARE THE MAIN OBSTACLES?
• Lack of maintenance and support is a showstopper: 67%
• Integration and/or performance problems along with other issues: 20%
• Protocol coverage is not sufficient for security solutions: 13%
CONCLUSIONS
LOOKS LIKE WE’RE IN IT TOGETHER
DPI application classification was identified as a must-have for network management and traffic metadata continues to play an essential role in orchestration and security. Precision and accuracy are DPI’s strengths, considered even more important than performance.
Vendors need DPI that can extract traffic intelligence that is independent of payload inspection, or, in the case of inspection, that can provide new kinds of insights through more innovative techniques. In cybersecurity, this correlates to the continuous quest for new strategies to handle advanced, persistent threats, and on the telco and networking side, the challenge of managing increasingly complex and heterogeneous networks.
Encryption, cloud migration, and the rise of SASE (Secure Access Service Edge, or integrated SD-WAN and security offered in SaaS mode) are having a major impact on vendors across markets. DPI must evolve and adapt to meet their new needs and continue to provide the visibility required by network operators.
Commercial DPI outruns open source. It is preferred for its classification capabilities, performance and ease of integration while also providing vital maintenance and support.
With these differentiators and a host of beyond-DPI functionalities now available, advanced, commercial DPI technologies (such as those available from Enea) have been recognized as essential components in networking solutions and will be around for the long haul, wherever the networks of the future may lead.
THANK YOU & SELECTED COMMENTS
We really appreciate the time product managers took to respond to the survey questions, and the numerous additional comments that were so useful to our understanding of DPI in today’s and tomorrow’s networks.
Here is a sample of the many remarks we found helpful in reminding us what we need to do to live up to customer expectations.
“As visibility into encrypted traffic via current means decreases, the necessity of encrypted traffic classification increases”
“MitM evasion techniques impact responsible corporate inspection.”
“Lots of focus going into microservice environments, tracking network traffic between pods, nodes, services”
“eSNI spread might degrade QoS/zero-rating features”
“Accuracy is key”
“[Encryption] complicates the solution by requiring the use of SSL Proxy which is a complex feature to use with various dependencies in the field”
“Our clients demand encrypted applications detection with high accuracy for quota-based gating”
“Encryption requires passing more packets before classification is done, that leads to non-blocking of some apps when they should be blocked”
“It's hard to prioritize quality and performance to tell the truth”
“More [metadata] is better. Metadata extraction to support fingerprinting and anomaly detection key.”
And our personal favorite:
“Keep going! Good work!”
Enea is the world-leading supplier of innovative software components for telecommunications, networking and cybersecurity. Focus areas are cloud-native, 5G-ready products for mobile core, network virtualization, and traffic intelligence. More than 3 billion people rely on Enea technologies in their daily lives. Enea is listed on Nasdaq Stockholm. For more information: www.enea.com
The embedded traffic intelligence products provided by Enea classify traffic in real-time and provide granular information about network activities. The portfolio includes the Enea Qosmos ixEngine and the Enea Qosmos Probe. The products support a wide range of protocols and are delivered as software development kits or standalone network sensors to network equipment manufacturers, telecom suppliers, and vendors of cybersecurity software.