Maximizing the potential of ZTNA with deep packet inspection

By Christine Lorenz
Published on: 23.02.2022

Categories: Network security

As the frequency and severity of cybercrime increase each year, companies are strengthening their defenses by implementing zero-trust policies for their networks. Zero trust in this context entails checking every access request to every asset in a network before granting or denying it. This concept of granular and highly segmented access, which leverages user and context awareness to assign different privileges for different users and different IT assets, is known as zero-trust network access (ZTNA).

Zero trust network access: to the edge, cloud and everywhere

ZTNA is becoming increasingly important when managing corporate networks. Cybersecurity is more of an issue than ever, with a 15 % annual increase in cybercrime costs expected between 2020 and 2025.[1] Application architectures are becoming more distributed, a trend that goes hand in hand with the efficiency and performance of hybrid and multi-cloud architectures. The pandemic and the associated trend of remote working have led to an expanding network perimeter, with users and endpoints becoming more scattered. While these new setups have clear benefits, they bring the challenges of expanded attack surfaces and misaligned identification processes. Addressing them requires implementing ZTNA.

Security at a cost

ZTNA, however, is not without limitations. It requires users to re-authenticate and verify their credentials every time they access network assets such as clouds, files, folders or applications. Continuous authentication adds to network processing cycles, strains bandwidth and reduces network performance. Most obviously, it impacts the user experience as it requires the user to remember and reproduce their credentials at frequent intervals.

Pairing ZTNA with an advanced deep packet inspection (DPI) engine such as R&S®PACE 2 can alleviate these difficulties. ZTNA needs to implement a granular authentication policy in the most efficient way possible. DPI provides visibility into what is going on in a network by providing real-time identification and classification of network traffic by applications or protocols along with insights on parameters relating to traffic performance and users. This feeds into a ZTNA solution and greatly enhances its ability to mete out and fine-tune its policies and controls.

No more one rule fits all

ZTNA authenticates users as they log into the corporate network. These users can access corporate, cloud or SaaS applications that cover various business processes such as sales, customer management, marketing and human resource management. Given the increasing dependency on digital tools that are hosted and delivered online and the prevalence of shadow IT in today’s companies, ZTNA must often process traffic that involves hundreds of different applications and services. By leveraging DPI’s traffic classification capability, which identifies the underlying protocols, applications and services in real time, ZTNA can speed up the authentication process by separating ungated applications from gated applications and imposing application-based access rules.

Deep packet inspection essentially combines the identification of protocols such as SMTP, FTP, HTTP/HTTPS and SNMP with its comprehensive, frequently updated library of traffic signatures to let ZTNA refine its access rules according to the risk profile of the applications those protocols represent, e.g. email, file transfer, web browsing and network management. Such granularity can be extended through application classes (cloud, SaaS or corporate) and distribution models (multi-cloud vs. single server), covering not just company-owned but also cloud-hosted (e.g. SAP HCM, SAP ERP and Microsoft Exchange) and SaaS applications (e.g. Salesforce, Zoom, Cisco Webex and Dropbox). For example, a remote worker accessing an ERP application hosted in the corporate data center over the public internet is clearly a high-risk user, so double authentication could be required (e.g. a one-time PIN (OTP) and a password). This can then be supplemented by repeated authentication for each new file or application that is accessed. On the other hand, an employee performing a Google search from the head office may only need a single-layer validation using a password.
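The rule selection described above can be sketched as a small risk-scoring function. This is an added example, not code from ipoque or R&S®PACE 2: the `Flow` record, the risk weights, the thresholds and the category names are all assumptions chosen to reproduce the two scenarios in the text, and unclassified traffic is deliberately scored as high risk.

```python
from dataclasses import dataclass

# Assumed risk weights (not from the article or any product); tune per policy.
CATEGORY_RISK = {"web_browsing": 0, "email": 1, "file_transfer": 2,
                 "business_app": 2, "network_management": 3}
CLASS_RISK = {"public_web": 0, "saas": 1, "cloud": 1, "corporate": 2}
FAIL_CLOSED = 3  # unclassified traffic is scored as the riskiest known value

@dataclass(frozen=True)
class Flow:
    """Hypothetical record assembled from DPI classification and user context."""
    application: str
    category: str
    app_class: str
    origin: str  # "head_office"; anything else is treated as remote

def access_rule(flow: Flow) -> dict:
    """Map a classified flow to the authentication it must satisfy."""
    score = (CATEGORY_RISK.get(flow.category, FAIL_CLOSED)
             + CLASS_RISK.get(flow.app_class, FAIL_CLOSED)
             + (0 if flow.origin == "head_office" else 2))
    factors = ["password"]
    if score >= 4:                      # step up to a second factor
        factors.append("otp")
    return {
        "gated": score > 0,             # ungated traffic skips extra checks
        "factors": factors,
        "reauth_per_resource": score >= 6,
    }

# Constructed inputs mirroring the article's two scenarios.
ERP_REMOTE = Flow("ERP", "business_app", "corporate", "remote")
SEARCH_HQ = Flow("Google Search", "web_browsing", "public_web", "head_office")
```

Because unknown categories and classes fall back to `FAIL_CLOSED`, traffic that the DPI engine cannot classify gets the strictest rule rather than the most lenient one.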

In the footsteps of the intruder

As ZTNA centers on security, it can leverage DPI’s anomaly detection to identify attacks on the network by looking at access patterns. Multiple access requests from a single IP address or the use of the same access credentials from different locations can indicate malicious activity. DDoS attacks, for example, can target login points and cause network downtime. DPI’s ability to detect anomalies in the access patterns of a single user over the course of their session can be used to map the activities of threat actors that have successfully infiltrated the network perimeter. In a data theft scenario, for example, these patterns will reveal simultaneous access requests to several different databases in a single session or in consecutive sessions.
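The three access patterns named above (request bursts from one IP address, one set of credentials seen from different locations, and one session fanning out across databases) can be detected with simple stateful checks. This is an added example, not part of the original article or of any DPI product: the event format, thresholds and sample events are constructed, and events are assumed to arrive in time order.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: time, source IP, user, location, session, resource
RAW = """\
2022-02-23T09:00:00 198.51.100.7 alice DE s1 app:crm
2022-02-23T09:00:01 203.0.113.9 - - - login
2022-02-23T09:00:02 203.0.113.9 - - - login
2022-02-23T09:00:03 203.0.113.9 - - - login
2022-02-23T09:00:04 203.0.113.9 - - - login
2022-02-23T09:05:00 192.0.2.44 alice BR s2 app:crm
2022-02-23T09:10:00 198.51.100.8 bob DE s3 db:hr
2022-02-23T09:10:20 198.51.100.8 bob DE s3 db:finance
2022-02-23T09:10:40 198.51.100.8 bob DE s3 db:customers
"""

def parse(raw):
    for line in raw.splitlines():
        ts, ip, user, loc, sess, res = line.split()
        yield datetime.fromisoformat(ts), ip, user, loc, sess, res

def burst_ips(events, limit=4, window=timedelta(seconds=10)):
    """Source IPs issuing `limit` or more requests inside one sliding window."""
    recent, hits = defaultdict(list), set()
    for ts, ip, *_ in events:
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= limit:
            hits.add(ip)
    return hits

def shared_credentials(events, window=timedelta(minutes=30)):
    """Users whose credentials appear from two locations within `window`."""
    last, hits = {}, set()
    for ts, _ip, user, loc, *_ in events:
        prev = last.get(user)
        if user != "-" and prev and prev[1] != loc and ts - prev[0] <= window:
            hits.add(user)
        last[user] = (ts, loc)
    return hits

def db_fan_out(events, limit=3):
    """Sessions that touch `limit` or more distinct databases."""
    seen = defaultdict(set)
    for *_, sess, res in events:
        if res.startswith("db:"):
            seen[sess].add(res)
    return {s for s, dbs in seen.items() if len(dbs) >= limit}

EVENTS = list(parse(RAW))
```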

Being aware of IoT hijacks

DPI’s anomaly detection can be expanded in ZTNA for use cases relating to the internet of things (IoT). As the number of devices and machines connecting to the corporate network increases, so will the number of sessions involving IoT applications. These can range from cloud and SaaS applications to applications deployed in corporate data centers and edge networks. With thousands of sessions managed across multiple applications and data centers, companies require DPI-driven insights to keep track of the behavior of these devices once they are in the network perimeter.

Through deep packet inspection, ZTNA can determine if the applications being accessed are authorized and match the endpoints. In addition, it can detect anomalies in their navigation patterns, including access to sensitive files and databases and potential misuse of protocols. This is particularly important where mobile connectivity, especially 5G, is deployed to extend corporate connectivity to IoT endpoints, as in the case of smart cities and industrial automation. As 5G involves network slicing, it is imperative that these applications are routed through the correct slices. With DPI information, ZTNA is able to identify rogue devices on the network and authorized devices that may have been hijacked by threat actors. Additionally, ZTNA can extend its monitoring to identify devices and sessions that may be experiencing connectivity issues due to congestion or external tampering.


In today’s hybrid enterprise environments, ZTNA is becoming increasingly important to improve the end-user experience while ensuring that the network is secured against attacks and malicious activities. This is possible with DPI tools such as R&S®PACE 2 whose real-time network insights enable ZTNA to dispense the right access privileges and controls, keeping the entire ecosystem of people, things, clouds and applications securely connected at all times.


[1] Cybercrime To Cost The World $10.5 Trillion Annually By 2025 - GlobeNewswire - 2020

Christine Lorenz

Christine is DPI marketing expert at ipoque, joining the company in 2013. With her background in marketing communications, she is passionate about making people aware of the capabilities of traffic analytics and DPI use cases. Christine is a lover of Vietnamese food and spends most of her spare time running and cycling, exploring nature and the outdoors and dreaming of becoming a ranger in a national park.
