Next-gen DPI restores visibility of encrypted IP traffic

Ken Wieland, Light Reading contributing editor

It can sometimes resemble a clash between two different sets of network security technologies.

On one side sits encryption tech, which is getting increasingly sophisticated at encoding IP traffic flows. This is to be welcomed, albeit cautiously. Enhanced cloud security and more secure remote working are all possible with clever encryption algorithms, but there is a danger that enterprises are lulled into a false sense of security. Encrypted packets of data can make networks opaque and create security gaps.

Traditional deep packet inspection (DPI) tech, to persist with our ‘clash’ theme, is on the opposing side to encryption. Designed to provide visibility and analysis of IP traffic, DPI can spot abnormal behaviour and mitigate network security risks.

The steelier the IP encryption, however, the more likely conventional DPI tools will be blunted. Encryption makes it much harder to look into packets of data.

How deep is your packet inspection?

DPI tech has been around since the 1990s. Subsequent advances made DPI an incredibly useful way for network administrators to erect firewalls and deploy IP probes for monitoring and real-time network analysis. Optimized and intelligent routing of traffic flows, and increased security through detection of hackers and malware, are key features of the DPI story.

The DPI narrative is not as straightforward as it once was. There is anxiety among many equipment suppliers, which rely on deep traffic analytics, that DPI is not keeping up with more advanced encryption methods. IP traffic visibility, they fear, is becoming blurred.

Next-gen DPI software specialist ipoque, a Rohde & Schwarz company, lays out the extent of the problem in a new research report entitled ‘Deep packet inspection and encrypted traffic visibility for IP networks.’

“Encryption renders traditional DPI techniques partly ineffective, as payload information is secured by complex algorithms, obscuring the identity of the underlying applications,” says the ipoque team. The report adds that the introduction of newer encryption protocols, such as TLS (Transport Layer Security) 1.3, ESNI (Encrypted Server Name Indication) and IPsec tunneling — among others — “severely limit the information that is available to DPI tools.”

One upshot of undecrypted packets, as ipoque points out, is that traditional monitoring tools can no longer identify performance attributes of individual apps. That’s a big problem. Lack of packet visibility disrupts the effectiveness of service providers’ policy control and charging functions, which assign network resources according to app performance requirements and play a vital role in churn reduction among high-value customers. Performance anomalies can go undetected.

Another pressing challenge is that tighter IP encryption can allow malware and threat information to fly under the radar of conventional DPI methods of detection. TLS, for example, which encrypts web apps, conceals suspicious packet movements.

“Loss of traffic visibility can have devastating effects on the network due to heightened vulnerability to security threats, non-optimized management of traffic and poor analytics,” remarks Dr. Martin Mieth, VP Engineering at ipoque.

The overwhelming majority of network vendors — those which need accurate IP traffic monitoring to provide security, performance and traffic management, analytics, and policy control — seem to agree. According to a survey of them conducted by ipoque in partnership with telecoms/IT publisher The Fast Mode between October and December 2022, more than 85% of the 34 suppliers canvassed said visibility loss from encryption was a “major concern.”

Restoring traffic visibility in an IP encrypted world

Most network vendors, according to the ipoque survey, are turning to a wide variety of tools to combat visibility problems posed by IP encryption.

The most popular is a non-decryption method that studies behavioral patterns using statistical and heuristic analysis. By analyzing packet metadata, such as size, rates and delay — as well as traffic direction initiated by the protocol — it becomes possible to identify underlying applications. This approach is not without its downsides, however. It’s resource intensive and can inadvertently block legitimate users.
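As an added illustration (not code from ipoque or the survey), the sketch below derives the metadata features named above, size, rate, delay and direction, for one flow without touching the payload, then applies a simple heuristic label. The sample flows, label names and thresholds are constructed assumptions; anything that matches no rule is returned as "unknown" rather than forced into a class, which is one way to limit the risk of acting against legitimate users.

```python
# Added example: flow-level features from packet metadata only (no payload).
from statistics import mean

# Constructed sample flows: (timestamp_s, size_bytes, direction) per packet.
# "up" = client to server, "down" = server to client.
VIDEO_FLOW = [(0.00, 320, "up")] + [(0.05 + i * 0.004, 1400, "down") for i in range(200)]
VOIP_FLOW = [(i * 0.02, 172, "up" if i % 2 == 0 else "down") for i in range(200)]
BEACON_FLOW = [(i * 60.0, 96, "up" if i % 2 == 0 else "down") for i in range(20)]

def flow_features(packets):
    """Summarise size, rate, delay and direction for one flow."""
    packets = sorted(packets)
    times = [t for t, _, _ in packets]
    sizes = [s for _, s, _ in packets]
    gaps = [b - a for a, b in zip(times, times[1:])]
    duration = times[-1] - times[0]
    down_bytes = sum(s for _, s, d in packets if d == "down")
    return {
        "mean_size": mean(sizes),
        "pkts_per_s": len(packets) / duration if duration > 0 else 0.0,
        "mean_gap_s": mean(gaps) if gaps else 0.0,
        "gap_jitter_s": (max(gaps) - min(gaps)) if gaps else 0.0,
        "down_ratio": down_bytes / sum(sizes),
        "initiator": packets[0][2],  # direction of the first packet seen
    }

def classify(f):
    """Hypothetical thresholds, tuned only to the constructed flows above."""
    if f["down_ratio"] > 0.9 and f["mean_size"] > 1000 and f["pkts_per_s"] > 100:
        return "bulk-download-or-streaming"
    if f["mean_size"] < 300 and 0.4 < f["down_ratio"] < 0.6 and 20 <= f["pkts_per_s"] <= 100:
        return "interactive-realtime"
    if f["mean_gap_s"] >= 10 and f["gap_jitter_s"] < 1.0 and f["mean_size"] < 200:
        return "periodic-small-exchange"  # candidate for analyst review, not blocking
    return "unknown"  # no confident match: take no enforcement action

if __name__ == "__main__":
    for name, flow in [("video", VIDEO_FLOW), ("voip", VOIP_FLOW), ("beacon", BEACON_FLOW)]:
        print(name, classify(flow_features(flow)))
```

In practice the thresholds would be learned or calibrated per network; fixed values like these are what produce the false positives the article warns about.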

Another popular non-decryption tool is machine learning (ML) and deep learning (DL), which can help vendors acquire real-time insights into encrypted traffic flows. Most ML/DL solutions on the market are proprietary, requiring suppliers to use third parties. As with the study of traffic patterns using statistical analysis, ML/DL requires high-intensity computing capabilities.

DPI is not waning in importance, however, despite the challenges presented by IP encryption. Among the vendors taking part in the ipoque survey, around half already use DPI. Of the remainder, nearly 80% say they plan to use it.

To meet market demand, ipoque has developed what it calls a next-generation DPI solution incorporating encrypted traffic intelligence (ETI). ETI, says ipoque, combines a mix of ML and DL algorithms with high-dimensional data analysis. Not only is it capable of accurately and reliably detecting encrypted applications and services, maintains the company, it’s also future-proof.

Moreover, unlike decryption using SSL/TLS inspection, ML-powered DPI purports to preserve the privacy and confidentiality of information traversing today’s networks. This, says ipoque, should assuage any regulatory concerns.

By augmenting non-decryption methods with advanced DPI, the industry expectation is that network and cybersecurity vendors and their customers will not be blindsided by evolving IP encryption.

This content is sponsored by ipoque, a Rohde & Schwarz company.
