DPI for ZTNA and SSE: Killing two birds with one stone

Sebastian Müller portrait

By Sebastian Müller
Published on: 08.08.2024

Reading time: ( words)

ZTNA and SSE are ingenious ideas. Both are made for an era where everything is deployed in the cloud, even if it is security. While ZTNA and SSE share several similarities, both are essentially very different. ZTNA is about access control. It is built on the premise of ‘zero-trust’, where trust is never implicit and the user is continuously authenticated based on an adaptive context.

ZTNA combines various techniques, from microsegmentation to least privilege access, where users only get access to the absolute minimum required to carry out their tasks. ZTNA solutions are used by enterprises to ensure uniform access controls for all its ‘users’, including work-from-anywhere (WFA) employees and IoT nodes. Deployed in the cloud, ZTNA allows an enterprise to streamline its access policies and keep its users, applications and devices in check.

Tackling security fragmentation via SSE

SSE on the other hand, is an umbrella solution under which ZTNA is a key component. It unifies and delivers security services from the cloud that are previously hosted on-premises. SSE circumvents inefficiencies and latencies arising from backhauling WFA and IoT traffic to private data centres for centralized security filtering. Apart from ZTNA, a typical SSE suite offers the following services:

  • Secure web gateway (SWG): to manage Internet traffic
  • Cloud acces security broker (CASB): to manage access to Cloud/SaaS traffic
  • Firewall-as-a-Service (FWaaS): to filter and block malicious flows
  • Browser isolation: to protect users from risky websites
  • SSL Inspection: to filter SSL-encrypted traffic
  • Data loss prevention (DLP): to safeguard enterprise resources from infiltration or exfiltration
  • Endpoint security: to protect user devices

Building continuous adaptive context for ZTNA with DPI

Both ZTNA and SSE benefit from deep packet inspection (DPI). DPI provides fine-grained analytics in real-time to support ZTNA in terms of user, device and application identification. It also detects anomalous behaviour, which helps network administrators terminate sessions and revoke access for potentially harmful users and devices.

Application classification by DPI is particularly critical in the workings of ZTNA. Let’s take our own suite of OEM DPI software solutions, R&S®PACE 2 and its VPP-native counterpart R&S®vPACE. Both engines deploy advanced statistical, behavioural and heuristic analysis to identify standardized protocols such as HTTP(s) or RTP but also proprietary protocols such as BitTorrent or MTProto, applications such as Microsoft Teams, Salesforce or Zoom and service attributes such as video streaming, messaging or audio. This level of granularity reported by DPI allows administrators to incorporate various privilege tiers and time- and usage-based thresholds. These minimize resource misuse, attacks and rogue users, and ensure a better user experience for legitimate users.

DPI’s past analyses also help ZTNA vendors to identify access issues such as authentication lags, detect threat patterns and uncover general application usage trends. This information can be used by enterprises to refine their access policies, improve their threat detection mechanisms and better protect vulnerable assets. For ZTNA solution providers, DPI’s data can be translated into better distributed PoPs and the automation of authentication processes.

Enhancing SSE with DPI-enriched zero-trust implementation

Interestingly, where ZTNA is deployed as part of SSE, the benefits of DPI spill over to the entire SSE suite in the following ways:

  1. With fine-grained, highly accurate analytics, DPI helps ZTNA to, partly, eliminate security risks in the network, and thus alleviate the processing load borne by other security tools in SSE. For example, by blocking unauthorized sessions more effectively, by making network topology less visible and by curbing the lateral movement of threats, DPI-enhanced ZTNA reduces the inherent number of malicious transactions that need to be handled by FWaaS or DLP.

  2. ZTNA acts as the first line of defence. During validation of access requests and continuous monitoring of sessions, a DPI-enhanced ZTNA tool can accurately detect and report sessions, users, devices and applications that have been compromised. Feed from ZTNA can pre-empt respective tools, such as SWG and CASB, and speed up the invocation of security controls, such as user blocking or session termination.

  3. ZTNA vendors can open DPI inputs to other tools in the toolkit and thus enable shared intelligence. This promotes a leaner SSE architecture with a single software benefiting the entire toolkit. It also enables a high degree of consistency in how traffic flows are classified, measured and handled, ensuring no lags or performance issues due to conflicting actions. Latest signatures additionally become available to the entire toolkit in a single upgrade.

      Building greater synergies between security tools

      Whether embedded into ZTNA or deployed in parallel, here are some ways how DPI enhances other functionalities in the SSE toolkit:

      1. CASB - DPI’s data can be used to identify cloud connection requests and the applications that are being accessed. A CASB benefits from being able to ascertain if such requests are aligned to their usage rights and context (e.g. location and timing), while gaining comprehensive insights into the usage of cloud resources (e.g. bandwidth and frequently used cloud services). DPI’s data also enables CASB to detect irregularities relating to cloud usage, for example, sudden surges in the use of cloud applications such as an ERP or a HRMS system or the transmission of sensitive data such as PII and financial information.

      2. FWaaS - DPI analytics used by ZTNA can be repurposed for FWaaS. Often, employees’ visits to unauthorized sites and engagement with third-party content, such as links in spam emails, can result in a user device being exposed to threats such as viruses, ransomware and spyware. DPI’s threat analytics, which encompasses real-time detection of malicious and suspicious flows, enable an FWaaS to single out such flows, and implement immediate blocking or quarantining.

      3. SSL inspection - ipoque’s encrypted traffic intelligence (ETI) plays a critical part in this aspect. Embedded in its DPI engines, ipoque’s ETI combines machine learning, deep learning, advanced caching and high-dimensional data analysis to detect traffic flows despite encryption, anonymization and obfuscation. As SSL inspection involves decrypting traffic flows, it requires a traffic filtering technology that is capable of handling not just basic encryption protocols, but tougher and more complex protocols, such as TLS 1.3, QUIC and ESNI. ETI provides this capability for SSL inspection tools, allowing SSE to stay ahead of encrypted applications as well as encrypted threats.

          Deep packet inspection in unified cloud-based security

          Despite being a relatively new concept, ZTNA and SSE are picking up pace as enterprises opt for flexible and scalable cloud-driven architectures for managing security. DPI adds a crucial enhancement to this equation by delivering real-time context for ZTNA and by introducing a layer of intelligence for SSE, which collectively, ensure a secure and seamless experience for every user.

          To learn more about how DPI empowers ZTNA and SSE with real-time traffic visibility, download our whitepaper "Real-time traffic visibility for ZTNA with next-gen DPI".

          Sebastian Müller portrait

          Sebastian Müller

          Contact me on LinkedIn

          Sebastian is a passionate DPI thought leader guiding a cross-functional team to build the networks of the future with leading traffic analytics capabilities. He has over ten years of dedicated experience in the telecom and cybersecurity domain, providing him with deep understanding of market requirements and customer needs. When he’s not at work, you can either find him on his road bike or hiking in the mountains.

          Email: Seb.Mueller@rohde-schwarz.com
          ipoque blog - discover the latest news and trends in IP network analytics

          Sign up for the ipoque newsletter

          Stay informed about the latest advances and trends in
          deep packet inspection and network traffic visibility