The role of deep packet inspection in zero trust network access

Roy Chua, AvidThink portrait

By Roy Chua, AvidThink
Published on: 14.05.2024

Reading time: ( words)

In today's rapidly evolving enterprise network landscape, organizations face unprecedented security challenges. With the proliferation of remote work, cloud adoption and IoT devices, traditional perimeter-based security models are inadequate. This has led to the adoption of zero trust access, a security framework that assumes no implicit trust, verifies every access request using a rich set of data points (including identity) and may continuously perform risk assessments, watching for anomalous behavior.

Zero trust network access (ZTNA) has emerged as a powerful solution to address these challenges and replace legacy VPNs, providing secure, fine-grained access control to on-premises and remote assets across private and public clouds. However, the effectiveness of ZTNA heavily relies on having rich context. This is where deep packet inspection (DPI) can add significant value to ZTNA, providing comprehensive traffic visibility and ongoing content awareness.

The principles of zero trust network access

Let's quickly revisit the core tenets underpinning ZTNA: least privilege, fine-grained segmentation, strong authentication and identity, and continuous context-based evaluation and authorization. Least privilege access ensures that users are granted the minimum permissions necessary to perform their tasks. Fine-grained segmentation or microsegmentation limit access to the smallest subset of resources needed, reducing the attack surface and limiting lateral movement. Strict authentication and continuous authorization involve verifying the identity of users and devices, leveraging strong authentication methods like multi-factor, biometrics, and trusted-platform modules (and equivalents), and then continually verifying device postures throughout the lifetime of a session. By adhering to these principles, ZTNA provides a robust security framework for access to resources from anywhere, at any time.

ZTNA — establishing continuous trust and assessment

While the framework around ZTNA is robust, the effectiveness of ZTNA depends on having a strong identity system coupled with rich context for authorization. Comprehensive device posture and ongoing risk score calculation based on user and device behavior are important for an accurate assessment of whether a system is in the middle of being attacked or compromised.

This means that greater visibility into the nature of the application being accessed, the type of data being transferred and the actions of the user and/or device are needed. However, achieving this level of visibility can be challenging due to the increasing use of encryption, the emergence of new protocols, and the sheer volume and diversity of network traffic. Insufficient visibility can lead to security blind spots, allowing threats to go undetected and compromising the effectiveness of ZTNA.

    Next-gen deep packet inspection strengthens ZTNA

    Next-gen DPI technologies offer a powerful solution to the visibility challenges faced by ZTNA. By leveraging advanced techniques, such as machine learning and deep learning, next-gen DPI provides encrypted traffic intelligence, enabling comprehensive visibility into application network traffic, even in the presence of end-to-end encryption (e.g., TLS 1.3 and ESNI) and obfuscation.

    Granular application awareness enables ZTNA to distinguish between various applications and services, facilitating precise access control policies based on application type, risk level, and user roles. The ability of deep packet inspection to enable the detection of known and unknown threats bolsters ZTNA's defense against malware infections, data breaches and other security incidents. By identifying unusual traffic patterns and behavior, DPI helps ZTNA pinpoint potential insider threats, compromised devices and other security risks.

    Furthermore, next-gen DPI can provide advanced capabilities such as first packet classification, enabling instant access decisions from the very first packet, ensuring early enforcement against threats and consistent security across the entire session.

    DPI-powered ZTNA use cases

    The benefits of DPI-powered ZTNA extend across various real-world scenarios:

    1. Secure remote access: In the context of secure remote access for employees, DPI enables ZTNA to enforce granular access policies based on the specific applications and services being accessed. This ensures that remote employees can securely connect to corporate resources without compromising security. DPI's ability to identify shadow IT applications and analyze encrypted traffic further enhances ZTNA's effectiveness in managing remote access.
    2. Industrial IoT security: In the manufacturing sector, DPI can help ZTNA protect Industrial IoT (IIoT) assets by detecting anomalous traffic patterns and potential threats, such as unauthorized access attempts, lateral movement of attacks or malware infection. By providing visibility into proprietary IIoT protocols and applications, DPI allows ZTNA to establish secure perimeters around critical industrial systems.
    3. Hybrid cloud environments: In hybrid cloud environments, DPI can spot traffic between users and applications, or even between applications that may not be conformant to the expected protocol exchanges typical of the application. This enables ZTNA to detect potential data exfiltration attempts, unauthorized access to sensitive cloud resources, lateral movement of malware or misuse of cloud services

    Considerations for implementing DPI into ZTNA solutions

    When integrating next-gen DPI capabilities into ZTNA solutions, organizations have two main options: building in-house or buying from a third-party vendor. Building in-house requires significant expertise, resources and ongoing maintenance, while buying from a well-known vendor can offer a more streamlined and cost-effective approach. In addition, a specialized DPI vendor has better scale economies and incentives to drive innovation around DPI capabilities than a single networking or security vendor. Especially as machine learning techniques are increasingly leveraged for DPI, the more aggregate data available for training, the more accurate the model.

    Other considerations for selecting a DPI software include ease of integration, performance, detection accuracy and vendor support. Vendors and enterprises looking to enhance their ZTNA solutions should seek advanced DPI technology that seamlessly integrate with ZTNA solutions, providing high-performance encrypted traffic analysis and comprehensive options for inspecting and classifying a rich set of applications. Ideally, the DPI software solutions need to be scalable and efficient and take up a small resource footprint.


    As enterprises navigate the complexities of the modern network landscape, ZTNA has become a necessity for securing access to critical resources. However, the success of ZTNA relies on the ability to conduct accurate continuous assessments of sessions, which requires real-time network traffic visibility. Next-generation DPI plays a vital role in enabling this visibility, empowering ZTNA solutions with granular application awareness, advanced threat intelligence and anomaly detection capabilities.

    With the growing adoption of encrypted protocols and the increasing sophistication of cyber threats, the importance of deep traffic inspection will only continue to grow. By leveraging cutting-edge DPI software, ZTNA vendors can future-proof their solutions and deliver the robust, context-aware access control that enterprises demand. As ZTNA continues to evolve, DPI will remain an indispensable component of any comprehensive zero-trust security strategy.

    This post is sponsored by ipoque, a Rohde & Schwarz company. If you would like to learn more about how next-gen DPI can enhance ZTNA, check out this

    Roy Chua, AvidThink portrait

    Roy Chua, AvidThink

    Contact me on LinkedIn

    Roy, an entrepreneurial executive with 20+ years of IT experience, is the founder of AvidThink, an independent analyst firm covering infrastructure technologies at both carriers and enterprises. AvidThink's clients include Fortune 500 technology firms, early-stage startups, and upstart unicorns. Roy has been quoted by and featured on major publications including WSJ, FierceTelecom/Wireless, The New Stack and Light Reading. Roy is a graduate of MIT Sloan (MBA) and UC Berkeley (BS, MS EECS).

    ipoque blog - discover the latest news and trends in IP network analytics

    Sign up for the ipoque newsletter

    Stay informed about the latest advances and trends in
    deep packet inspection and network traffic visibility