THE FUTURE OF DEEP PACKET INSPECTION (DPI)

A Survey of Product Managers Reveals the Top Challenges Facing Telecom, Networking & Security Solution Vendors

TRAFFIC INTELLIGENCE

AUGUST 2020

WWW.ENEA.COM


EXECUTIVE SUMMARY

MAJOR CHANGES ARE UNDERWAY IN THE TELECOMMUNICATION AND SECURITY INDUSTRIES THAT REQUIRE DPI TO ADAPT AND EVOLVE

What challenges does DPI address, and how should it evolve to deliver the traffic visibility required in telecommunication, cybersecurity and enterprise markets? Enea conducted a survey among high-tech product managers to find out.

Solution vendors and their customers are facing rapid changes as cloud transformation, 5G networking, work from home, and the Internet of Things (IoT) have a profound effect on network users, devices, and services. Understanding and controlling network traffic is key to surviving these changes. This is only possible with accurate, real-time, application-level visibility. As a result, DPI remains an essential technology, which must evolve and continue to deliver the much-needed visibility.

Vendors rely on DPI to help them address challenges like accuracy of traffic classification even with high throughput and the widespread adoption of encryption. This is driving technology evolution toward the broader concept of traffic intelligence: the boundaries of DPI have been greatly expanded to deliver important insights about network traffic even without inspecting the main content (or payload) of packets. This trend continues with the introduction of new techniques such as machine learning, connected device identification, and classification of industrial/IoT traffic.

The survey indicates that vendors plan to embed DPI in future products, including in cloud-based solutions. It also confirms that vendors recognize the value of commercial DPI, based on precise classification, high performance, ease of integration, and access to critical maintenance and support.


So, as DPI product managers, it seemed like a good time for us to pause and reach out to OEM product managers who are navigating these changes from the front lines. We conducted a DPI survey that has yielded valuable insights into current operations and roadmaps that we think will be of interest to the industry at large.

We thank everyone who responded to the survey and hope all readers of this report will benefit from the insights their responses provide.

If you didn’t have the opportunity to participate, we welcome your feedback (and questions) any time – please feel free to contact us to arrange a discussion.

Thank you

Mitrasingh Chetlall, Product Manager, Qosmos ixEngine

Sebastien Synold, Product Manager, Qosmos Probe


NOTE ON SURVEY PARTICIPANTS

The survey was conducted among product managers working for the following types of solution vendors:

Telecommunications

• Software-Defined Networking (SD-WAN, SASE, NFV)

• Network Performance Management

• Subscriber Experience Management

• Revenue Assurance & Fraud Management

Enterprise Networking

• Cloud Networking (SD-WAN/SASE)

• Network Performance Management

• Operations Intelligence & Automation

Cybersecurity

• Network Security (NG Firewalls, Cyber Threat Hunting, …)

• Cloud/WAN Security (SD-WAN/SASE, Web Gateways, Web Application Firewalls, …)

• Security Platforms (SIEM, Security Operations Automation & Orchestration, …)

• Cyber Defense (Crime Fighting, Cyber Intelligence, …)

(Lists are provided as examples and are not exhaustive.)


KEY HIGHLIGHTS

Baseline DPI

1. Application-level visibility is a requirement for 100% of respondents across markets. It simply has to be there for the analytics that will drive the management and security of future networks.

2. Machine learning and solutions built on weak signal intelligence are gaining ground in long-range product planning.

3. Precision and accuracy of traffic classification remain paramount and will need to be maintained even as extreme latency and throughput requirements increase.

Evolved DPI

Vendors need an evolved DPI that can deliver new capabilities like:

1. Abnormal traffic detection (70%)

2. Contextual data such as connected device classification (70%)

3. Greater visibility into VPN/tunneled traffic and industrial/IoT traffic


New Frontiers

Vendors need DPI to help them address major challenges, and capitalize on major opportunities, like:

1. Encryption (impacting 90% of respondents)

2. Cloud migration (65% have or will be transitioning there)

3. SASE (even though it's a new paradigm, half of vendors are already developing SASE offers)

The OEM/DPI Partnership

1. Vendors are confident that DPI evolution will keep pace with market evolutions:

• 100% plan to include DPI in future products

• 100% do or will include DPI in their cloud solutions

• 90% envision a role for DPI in their SASE offer

2. Vendors recognize the value of commercial DPI, and the importance of current commercial grade differentiators along with the beyond-DPI capabilities to come.


BASELINE DPI

BEYOND DPI

NEW FRONTIERS

THE OEM / DPI PARTNERSHIP


BASELINE DPI

We began the survey with DPI basics. When choosing a DPI solution:

• What matters most?

• What kind of traffic visibility is most helpful?

• What kinds of core DPI uses are most important?


WHAT LEVEL OF TRAFFIC VISIBILITY DO YOU REQUIRE?

Application classification was identified as a must-have for every respondent. Metadata was ranked least important; however, comments indicated that metadata is finding new value as weak signal intelligence for advanced analytics (like anomaly detection and user or device fingerprinting).

• Application Identification (WhatsApp, MS Teams, YouTube, Instagram, Facebook, Google Maps…): 100%

• Traffic Categorization (Video, audio, file transfer, adult content, social network, ICS/SCADA…): 80%

• Metadata Extraction (SSL: Common name, Skype: Service Info, RTP: MOS, NFS: file name…): 55%


HOW WOULD YOU RATE THE IMPORTANCE OF THESE DPI USES IN YOUR PRODUCT ROADMAP?

[Chart: importance ratings (Crucial/Top Importance, Very Important, Important, Somewhat Important) for four DPI uses: Rules Based on Classification, Rules Based on Metadata, Machine Learning, Anomaly Detection]

Developing orchestration and security rules based on DPI traffic classification metadata has been a core use of DPI for decades, and will continue to be so. However, one interesting trend is the fact that machine learning has nudged its way to second place in terms of those ranking it as most important, while at the same time receiving the most ‘least important’ ratings.

This dichotomy may indicate that to some vendors, automation is the key to facing the next decade’s challenges, and, in this case, machine learning is the key to automation, while others may be hesitant to venture into unfamiliar waters if business as usual can sustain market share in the short term.


WHICH CRITERIA ARE MOST IMPORTANT FOR CHOOSING A DPI ENGINE?

This is an interesting response!

Classification precision and accuracy are considered so much more important than performance. As we know, performance will be a major challenge in emerging hyperscale cloud and 5G environments, so this response indicates that even as DPI adapts to extreme latency and throughput needs, the main focus must still remain on boosting precision and accuracy.

[Chart: importance ratings (Crucial/Top Importance, Very Important, Important, Somewhat Important) for four criteria: Quality, Updates, Performance, WW Support]

QUALITY (Accuracy & Precision): 82%


BEYOND DPI

Going further into the survey, we asked what solution vendors need that goes beyond the boundaries of classic DPI.


BEYOND FLOW CLASSIFICATION & METADATA EXTRACTION, WHAT ELSE DO YOU EXPECT FROM A DPI ENGINE OR PROBE?

Here, the top-ranking spot for abnormal traffic detection indicates that behavioral analytics are becoming more mainstream across markets. This makes sense as it offers an important strategy for identifying security or orchestration issues in complex, hybrid, distributed-edge networks.

• Abnormal Traffic Detection: 70%

• Device Identification: 70%

• IP/Domain Name Reputation: 57%

• User Identification: 35%

• File Extraction: 35%

• None of the Above: 5%


Let’s break it down by solution market.

Beyond abnormal traffic detection, it’s interesting to see the high importance of device identification across markets.

For security, this aligns with the need to detect connections by devices with known security vulnerabilities, and to provide valuable context for threat hunting and forensics.

Telco and networking customers have likewise expressed a need for device identification to create and enforce network access policies, to create device-specific KPIs, and to create device-dependent routing or content delivery rules. (Download our device classification datasheet to learn more about this need and how it integrates with DPI).

Another finding of interest is that 100% of security vendors need and expect File Extraction, which is key to DLP and advanced malware detection.

[Charts: the same question by solution market (Telecom, Security, IT Network); response categories: Abnormal Traffic Detection, User Identification, Device Identification, IP/Domain Name Reputation, File Extraction, None of the Above]


Respondents were also free to express other ‘beyond DPI’ needs. They pointed out a need for more visibility from a wide range of traffic types, but these five appeared in the responses of respondents across all markets.

One in particular, Industrial/IoT traffic, surfaces in comments to other questions as well, indicating the growing pressure to shape solutions for hybrid IT/OT networks, and for some, private 5G industrial networks.

WHERE ELSE DO YOU NEED MORE VISIBILITY?

Industrial/IoT

Voice/Video/Call Services

VPN/Tunneling

Instant Messaging

Social Networks


NEW FRONTIERS

We asked about major challenges and important industry evolutions facing telco, networking and security solution vendors:

• What is the effect of encryption?

• How far is the transition to cloud networks?

• Who’s moving to SASE?


ENCRYPTION (OUCH!)

IS NETWORK ENCRYPTION IMPACTING THE EFFECTIVENESS OF YOUR CURRENT SOLUTION?

90% YES

[Chart: responses by category: Some impact now; No impact; Will render ineffective; No impact yet, but coming]

This finding reinforces what we regularly hear in conversations with our customers: encryption is a near-universal concern, its impact ranges from moderate to critical, and it is being felt now.

[You can visit our Encryption Resource Hub to learn more about this challenge, and how our team is addressing it.]


IMPACT OF ENCRYPTION BY MARKET

Moderate to high impact now, or to come soon:

• Telecom: 100%

• IT Network: 100%

• Security: 80%


CLOUD HERE WE COME

ARE YOU PLANNING A MOVE TO THE CLOUD (IF YOU’RE NOT THERE ALREADY)?

65% YES

35% NO

It’s quite impressive that 2/3 of all vendors have or will offer a cloud solution, including 80% of telco vendors.

And, as you can see on the next page, most vendors expect their DPI to move to the cloud with them.


[Charts: cloud plans by solution market (Telecom, IT Network, Security); where DPI will be deployed in cloud offers (Cloud or Premise) for each market]


SASE – WHO’S IN?

DO YOU SEE SASE AS THE NEXT STAGE FOR YOUR PRODUCT?

The move to SASE (Secure Access Service Edge) is more closely tied to vendor market than general cloud offerings, with least relevance for telco solution vendors (but maybe 5G will alter that pattern). However, it is quite notable that a full 50% of vendors plan a SASE offering even though it is a new paradigm. It shows that in a cloud world, SaaS-based networking and security is coming of age, as is the integration of NetOps and SecOps.


SASE AS THE NEXT STAGE FOR YOUR PRODUCT - THE MARKET VIEW FOR “YES” REPLIES

• Security: 80%

• IT Network: 60%

• Telecom: 22%


THE OEM / DPI PARTNERSHIP

We wanted to know about the future of DPI.

• How important is it for new products?

• Will vendors still use it when they move to the cloud?

• How does commercial DPI compare with open source?


WILL YOUR FUTURE PRODUCTS INCLUDE EMBEDDED DPI?

100% YES

[Chart: the YES responses split 55%, 35% and 10% across three answers: YES; YES, if encrypted traffic can be classified; YES, if new use cases require DPI]

100% of respondents plan to include DPI in future products (as long as the critical encryption challenge is addressed).


IF YOU ARE PLANNING A CLOUD OFFER, WILL IT INCLUDE DPI?

100% YES

100% do or will include DPI in cloud solutions.

IF YOU ARE PLANNING A SASE OFFER, WILL IT INCLUDE DPI?

90% YES

10% NO

90% envision a role for DPI in their SASE offer.


WHAT DO YOU THINK OF OPEN SOURCE?

ARE OPEN SOURCE DPI LIBRARIES A GOOD ALTERNATIVE TO COMMERCIAL DPI LIBRARIES?

• YES: 20%

• NO: 75%

• DON’T KNOW: 5%


ARE OPEN SOURCE DPI PROBES A GOOD ALTERNATIVE TO COMMERCIAL DPI PROBES?

• YES: 45%

• NO: 50%

• DON’T KNOW: 5%


IF NO, WHAT ARE THE MAIN OBSTACLES?

• Lack of maintenance and support is a showstopper: 67%

• Integration and/or performance problems along with other issues: 20%

• Protocol coverage is not sufficient for security solutions: 13%


CONCLUSIONS

LOOKS LIKE WE’RE IN IT TOGETHER

DPI application classification was identified as a must-have for network management and traffic metadata continues to play an essential role in orchestration and security. Precision and accuracy are DPI’s strengths, considered even more important than performance.

Vendors need DPI that can extract traffic intelligence that is independent of payload inspection, or, in the case of inspection, that can provide new kinds of insights through more innovative techniques. In cybersecurity, this correlates to the continuous quest for new strategies to handle advanced, persistent threats, and on the telco and networking side, the challenge of managing increasingly complex and heterogeneous networks.

Encryption, cloud migration, and the rise of SASE (Secure Access Service Edge, or integrated SD-WAN and security offered in SaaS mode) are having a major impact on vendors across markets. DPI must evolve and adapt to meet their new needs and continue to provide the visibility required by network operators.

Commercial DPI outruns open source. It is preferred for its classification capabilities, performance and ease of integration while also providing vital maintenance and support.

With these differentiators and a host of beyond-DPI functionalities now available, advanced, commercial DPI technologies (such as those available from Enea) have been recognized as essential components in networking solutions and will be around for the long haul, wherever the networks of the future may lead.


THANK YOU & SELECTED COMMENTS

We really appreciate the time product managers took to respond to the survey questions, and the numerous additional comments that were so useful to our understanding of DPI in today’s and tomorrow’s networks.

Here is a sample of the many remarks we found helpful in reminding us what we need to do to live up to customer expectations.

“As visibility into encrypted traffic via current means decreases, the necessity of encrypted traffic classification increases”

“MitM evasion techniques impact responsible corporate inspection.”

“Lots of focus going into microservice environments, tracking network traffic between pods, nodes, services”

“eSNI spread might degrade QoS/zero-rating features”

“Accuracy is key”


“[Encryption] complicates the solution by requiring the use of SSL Proxy which is a complex feature to use with various dependencies in the field”

“Our clients demand encrypted applications detection with high accuracy for quota-based gating”

“Encryption requires passing more packets before classification is done, that leads to non-blocking of some apps when they should be blocked”

“It's hard to prioritize quality and performance to tell the truth”

“More [metadata] is better. Metadata extraction to support fingerprinting and anomaly detection key.”

And our personal favorite:

“Keep going! Good work!”


Enea is the world-leading supplier of innovative software components for telecommunications, networking and cybersecurity. Focus areas are cloud-native, 5G-ready products for mobile core, network virtualization, and traffic intelligence. More than 3 billion people rely on Enea technologies in their daily lives. Enea is listed on Nasdaq Stockholm. For more information: www.enea.com

The embedded traffic intelligence products provided by Enea classify traffic in real-time and provide granular information about network activities. The portfolio includes the Enea Qosmos ixEngine and the Enea Qosmos Probe. The products support a wide range of protocols and are delivered as software development kits or standalone network sensors to network equipment manufacturers, telecom suppliers, and vendors of cybersecurity software.
