Shaping application traffic with DPI-powered application delivery controller


by Magnus Bartsch
published on: 19.05.2023

Underpinning the thriving digital economy and the app era are rich IT infrastructures, platforms and software stacks that bring together the computing and storage required to continuously receive, process and deliver terabytes of information from and to end users. Web servers and application servers are at the heart of these rapidly expanding IP networks, enabling users to access any application in just seconds, from any location. Over the years, capacity requirements and the need for thousands of new application features led to the proliferation of such servers, resulting in increasingly complex web farms.

Application delivery controller (ADC) and application traffic visibility

An application delivery controller (ADC) is a crucial component in managing these web farms, where incoming network traffic is load balanced between multiple servers to ensure consistent speeds and performance. The ADC sits between a data center firewall and the web farm, where it inspects, filters and forwards traffic. ADCs have evolved tremendously in recent years with the addition of various layer 4 to layer 7 functionalities, including access control and content management, transforming application delivery controllers from simple load balancers into powerful application gateways.

A major trend in the ADC market is the shift from traditional appliance-based, on-premises solutions to virtualized ADCs deployed in the cloud. This stems from the migration of IT workloads to the cloud and the rising number of remote users. Cloud ADCs combine the management of applications across hybrid and multi-cloud networks, supporting highly distributed enterprise networks.

The combination of a virtualized, cloud-based application delivery controller with expanded functionalities necessitates real-time network traffic and application visibility that comes with high-speed packet processing, a capability that is synonymous with the DPI engines R&S®PACE 2 and R&S®vPACE. In particular, R&S®vPACE, a vector packet processing-based engine, is specifically designed for compute-intensive environments, with a speed that is 3 to even 5 times that of scalar packet processing (SPP). The high throughput preserves the performance of applications that are latency-sensitive, especially for applications processed at the edge.

In or out?

Among the new functionalities assigned to ADCs is access control, a key task that requires granular application traffic insights. DPI software provides application classification, which allows application delivery controllers to authenticate requests based on the identity of the underlying applications. This includes the implementation of OTP and two-way authentication as well as CAPTCHA and anti-spam checks that are customized to different applications and services. Pre-authentication by an ADC removes the strain on the web and application servers from having to filter millions of unauthorized access attempts.

SSL/TLS termination is another function that is now offloaded to ADCs to speed up application response times. The advent of new encryption protocols such as TLS 1.3 and ESNI necessitates complex decryption before the right forwarding action can be taken. DPI software helps application delivery controllers to avoid outright decryption, which is often associated with unwanted latencies, breaches of privacy regulations and security risks. Our next-gen DPI software R&S®PACE 2 and R&S®vPACE provide encrypted traffic intelligence by combining machine learning, deep learning and high-dimensional data analysis alongside behavioral, statistical and heuristic analysis to identify not only encrypted applications, but also anonymized or obfuscated applications. This preserves ADCs’ forwarding functions despite encryption, and allows decryption to be handled separately via dedicated middleboxes.

Deep packet inspection for intelligent load balancing

A key prerequisite for today’s ADCs is intelligent load balancing, which goes beyond standard traffic distribution algorithms, such as least packets and least bandwidth. DPI software by ipoque enables application delivery controllers to enhance these standard algorithms with protocol and application insights as well as packet information, such as user location, service and content type. This allows network traffic to be routed directly to the exact server in charge. At a macro level, this information enables a global server load balancer to pass application traffic to the right ADCs based on factors such as user proximity and disruptions in local nodes.

Intelligent load balancing also helps in rate shaping by taking into account the performance and QoS needs of different applications. Application classification information provided by ipoque’s suite of DPI solutions helps ADCs ensure that packets from critical applications are prioritized within the demilitarized zone through smaller queues and less congested pathways. Critical applications that involve large financial transfers and latency-sensitive applications, such as remote surgery, benefit from this arrangement, as it ensures minimum time-outs and a superior user experience.

Security is another fast-evolving functionality of ADCs. In addition to addressing DDoS attacks and preventing illegitimate access, today’s application delivery controller tools incorporate web/DNS application firewalls and other security elements such as intrusion detection/prevention. By pinning down malicious, suspicious and anomalous flows, our DPI software enables application firewalls to block threats such as data breaches, SQL injections and cross-site scripting. DPI also empowers DNS application firewalls to identify and block harmful sites that users may access unwittingly.

Content complexities

Improvements in video technology and the popularity of next-gen applications, such as AR/VR, have led to richer and heavier applications that demand bigger bandwidth and more computing resources. This has given rise to various traffic and content optimization tactics. Caching and compression are the most popular among these tactics, with an increasing number of ADCs now featuring them as added capabilities. With our DPI software R&S®PACE 2 and R&S®vPACE, application delivery controllers can reduce the complexities associated with identifying the content and applications that require optimization and the degree to which they should be optimized. For example, by distinguishing on-demand video streaming from video downloading, deep packet inspection aids ADCs in implementing the most appropriate caching and compression policies that are suited to the underlying application and service.

The biggest value-add from advanced DPI technology is real-time analytics. Analytics plays an important role in network and application monitoring as well as in troubleshooting performance issues across nodes, data centers and WAN. ipoque’s DPI technology merges traffic insights from the network and application layer, allowing the health of the servers supporting a specific service or application to be kept in check at all times. From identifying the speed and latency of network connections to establishing parameters such as jitter and packet loss, ipoque provides ADCs with network insights that can be used to pinpoint issues at the infrastructure, platform and software level, as well as issues originating from the user end.

Powering application experience with DPI

ADCs allow application traffic management to be consolidated via a single, powerful gateway. With application traffic insights, application delivery controllers go many steps further by allowing policies and network services to be customized to each application and service, consistently, across the entire distributed network. Using virtualization and microservices, this customization can be refined even further to specific web pages, transactions and end user attributes, such as country, language and content preferences, creating a truly dynamic application experience. Deep packet inspection thus plays an integral part in any application delivery controller solution, ensuring application delivery remains efficient, fast and responsive.

Magnus Bartsch

Magnus has always had a keen interest in computer science. From the start, he has had a particular fascination for deep packet inspection and the broader technologies utilizing this powerful software. Based on this interest, Magnus joined ipoque, a market leader in the DPI field.
During his 13 years at ipoque, he has worked in development, pre-sales and consulting. Throughout this time, he has not only been able to motivate, coach and advise people from around the globe, but also to expand his personal experience by providing full-stack support from rapid prototyping over integration support up to application architecture design. When he is not out promoting ipoque, he has a passion for seeing the world from his motorbike.