Security Service Edge (SSE) and DPI: Converged security meets advanced traffic awareness


By Tobias Roeder
Published on: 13.09.2022

Categories: Network security

The pandemic gave rise to two major shifts across enterprise networks – the growth of the remote workforce and the increasing dependence on Cloud/SaaS. Mobility restrictions throughout the most critical months of the pandemic saw a large chunk of employees accessing their enterprise resources from outside of their enterprise network perimeter. The same restrictions saw employees turning to Cloud and SaaS applications instead of using on-premises applications which often require the use of office networks and devices due to lengthy validation processes and restricted privileges.

Admittedly, the pandemic gave millions of employees around the globe a taste of boundless working. It also introduced glimpses of a leaner network footprint for IT teams following the sudden drop in the use of enterprise-managed end devices, applications, workloads and network infrastructure. As the months passed, these temporary fixes became the norm. New models for managing dispersed users, devices and resources gave rise to Secure Access Service Edge (SASE) and more recently, to Security Service Edge (SSE).

SASE builds on top of SD-WAN by adding a layer of converged cloud-hosted security services. These services enable enterprises to filter and secure traffic flows to their Cloud and SaaS applications. They also filter and secure traffic flows which are headed to applications hosted and managed in their own data centers and offices.

These security services, collectively, allow enterprises to keep tabs on their remote workers while managing traffic flows to their Cloud and SaaS applications. As more employees and IT resources were relocated outside of the network perimeter, thinning out LAN and WAN traffic, these services became an offering in their own right. This led to SSE. In simple words, SSE is SASE without its networking services.

What's in SSE?

SSE comprises a suite of security services delivered from the cloud. Its essential components are the cloud access security broker (CASB), the secure web gateway (SWG) and zero-trust network access (ZTNA). Other services include firewall-as-a-service (FWaaS), DNS security, data loss protection (DLP) and web application and API protection-as-a-service (WAAPaaS).

CASB is an API-based gateway solution that filters flows to enterprise Cloud and SaaS applications. It also monitors flows between SaaS applications and users within an enterprise network for visibility into shadow IT. CASB leverages access credentials and behavioral analysis to authorize access and prevent threats.

Traditionally, SWG is a perimeter-based solution that sits inline to filter remote user traffic moving in and out of an enterprise network. In SSE, SWG is delivered from the cloud to provide application access control, URL filtering and malware/virus protection for remote users connecting to enterprise resources.

ZTNA implements granular access control across different users based on their identities and attributes such as time and location.

Deep packet inspection for SSE

It is easy to see why deep packet inspection (DPI) is a crucial capability for SSE. All three key components of Security Service Edge – CASB, SWG and ZTNA – rely on real-time application awareness, i.e. the identification of the underlying traffic flows by type of application, application attribute and protocol. Our OEM DPI engine R&S®PACE 2 combines packet metadata with advanced statistical, behavioral and heuristic analysis to accurately and reliably classify applications and report their usage for any IP network use case – no matter if traffic is encrypted or obfuscated.
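The two-stage idea in this paragraph, metadata from the visible part of a flow first and statistical or behavioural heuristics where the payload is opaque, can be shown on constructed traffic. The example below is added here and is not the R&S®PACE 2 engine or any ipoque code: it parses the server name (SNI) out of a TLS ClientHello, matches it against a constructed signature table, and falls back to a packet-size heuristic for UDP flows that carry no usable cleartext. The `Flow` record, the signature table, the `build_client_hello` helper and the heuristic thresholds are all assumptions made for the illustration.

```python
"""Toy flow classifier: TLS SNI metadata first, packet-size heuristics as fallback.
Illustrative only; not the R&S PACE 2 engine, and the signature table is constructed."""
import statistics
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Flow:
    proto: str            # "tcp" or "udp"
    dst_port: int
    first_payload: bytes  # first client-to-server payload (a TLS ClientHello for HTTPS)
    pkt_sizes: List[int]  # payload sizes of the first packets, both directions


# Constructed SNI suffix -> application signatures (a real engine ships thousands).
SNI_SIGNATURES = {"zoom.us": "Zoom", "slack.com": "Slack", "atlassian.net": "Jira"}


def build_client_hello(sni: Optional[str]) -> bytes:
    """Build a minimal TLS-framed ClientHello so the example runs offline (constructed input)."""
    exts = b""
    if sni:
        host = sni.encode("ascii")
        entry = b"\x00" + len(host).to_bytes(2, "big") + host   # name_type = host_name
        lst = len(entry).to_bytes(2, "big") + entry             # ServerNameList
        exts = b"\x00\x00" + len(lst).to_bytes(2, "big") + lst  # extension type 0 = SNI
    body = (b"\x03\x03" + bytes(32) + b"\x00"      # version, random (zeros), empty session id
            + b"\x00\x02\x13\x01"                  # one cipher suite
            + b"\x01\x00"                          # null compression
            + len(exts).to_bytes(2, "big") + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x03" + len(handshake).to_bytes(2, "big") + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Walk a TLS record and return the server_name of a ClientHello, else None."""
    try:
        if record[0] != 0x16:                            # not a handshake record
            return None
        hs = record[5:5 + int.from_bytes(record[3:5], "big")]
        if hs[0] != 0x01:                                # not a ClientHello
            return None
        p = 4 + 2 + 32                                   # handshake header, version, random
        p += 1 + hs[p]                                   # session_id
        p += 2 + int.from_bytes(hs[p:p + 2], "big")      # cipher_suites
        p += 1 + hs[p]                                   # compression_methods
        ext_end = p + 2 + int.from_bytes(hs[p:p + 2], "big")
        p += 2
        while p + 4 <= ext_end:
            etype = int.from_bytes(hs[p:p + 2], "big")
            elen = int.from_bytes(hs[p + 2:p + 4], "big")
            p += 4
            if etype == 0 and hs[p + 2] == 0:            # SNI extension, entry type host_name
                nlen = int.from_bytes(hs[p + 3:p + 5], "big")
                return hs[p + 5:p + 5 + nlen].decode("ascii")
            p += elen
    except (IndexError, UnicodeDecodeError):
        return None                                      # truncated or malformed record
    return None


def classify_flow(flow: Flow) -> Tuple[str, str]:
    """Return (application, method); method records which evidence decided the label."""
    # Stage 1: protocol/port metadata and the cleartext part of the TLS handshake.
    if flow.proto == "udp" and flow.dst_port == 53:
        return "DNS", "port"
    sni = extract_sni(flow.first_payload) if flow.proto == "tcp" else None
    if sni:
        for suffix, app in SNI_SIGNATURES.items():
            if sni == suffix or sni.endswith("." + suffix):
                return app, "sni"
        return "tls:" + sni, "sni"                       # known host, no application signature
    # Stage 2: behavioural heuristic for opaque payloads: a run of small, uniformly
    # sized UDP packets is characteristic of real-time voice/video (constructed thresholds).
    sizes = flow.pkt_sizes
    if (flow.proto == "udp" and len(sizes) >= 10
            and all(50 <= s <= 400 for s in sizes) and statistics.pstdev(sizes) < 40):
        return "realtime-media", "heuristic"
    return "unknown", "none"
```

The `method` field in the result is the detail worth keeping in a production design: a policy engine should be able to weigh a label backed by a handshake field differently from one backed by a size heuristic, and a reader of the logs should be able to see which one fired.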

Monitoring everything at once

Application classification information from R&S®PACE 2 powers CASB with real-time insights on Cloud and SaaS application usage. This includes information on the applications being accessed, the type of services being used, total sessions and frequency of access, source URL, user location and the application's performance in terms of bandwidth, speeds, latency and jitter. With frequently updated signatures, R&S®PACE 2 is able to pinpoint the unofficial use of applications such as Slack, Zoom or Jira among employees by tracking traffic flows originating from the enterprise network.
R&S®PACE 2 equips SWG with insights on the use of on-premises applications and resources. It provides real-time information on the number of external users with access to the enterprise network and the consumption of network resources by different data centers, servers and applications.

The intelligent gatekeeper

Access control is SSE’s key functionality. Whether it is the CASB granting access to Cloud and SaaS apps or the SWG allowing remote access to enterprise servers, application classification information from R&S®PACE 2 speeds up access decisions and ensures that access controls are enforced based on application and service types. For ZTNA, real-time identification of applications goes a step further to enable the matching of access privileges with networks, clouds, servers, applications and files across any number of internal and external users.
R&S®PACE 2 also brings additional layers of traffic intelligence to support more granular, customized access control policies within the SSE. For example, metadata provided by R&S®PACE 2 can be used to validate device IDs and source URLs for applications that only allow access from enterprise-managed devices and authorized network addresses. Network traffic analysis by R&S®PACE 2 also supports access rules based on specific traffic attributes such as concurrent user sessions, multiple log-ins, number of requests per minute, type of services/content that is being engaged, file transfer sizes, time of day and location.
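The attributes listed above (device ID, source network, service type, file transfer size, time of day) become inputs to a policy decision once the application label is known. The following example is added here and is not R&S®PACE 2 or ipoque code: it evaluates a constructed per-application policy over access requests whose fields stand in for the metadata a DPI engine and the SSE's device and identity layers would supply. The `AccessRequest` and `Rule` shapes, the CIDRs and the sample policy are assumptions made for the illustration; the default for an application with no rule is deny.

```python
"""Policy evaluation over DPI-classified access requests.
Added example; field names and the sample policy are constructed, not PACE 2 output."""
import ipaddress
from dataclasses import dataclass
from datetime import time
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass
class AccessRequest:
    user: str
    app: str                  # application label from the classifier (e.g. "Jira")
    service: str              # sub-service / content type (e.g. "file-download")
    src_ip: str
    device_managed: bool      # device ID validated against the enterprise inventory
    local_time: time
    transfer_bytes: int = 0   # size of the file transfer in this request, if any


@dataclass
class Rule:
    require_managed_device: bool = False
    allowed_networks: Tuple[str, ...] = ()          # CIDRs; empty means any source
    hours: Optional[Tuple[time, time]] = None       # permitted local-time window
    blocked_services: FrozenSet[str] = frozenset()
    max_transfer_bytes: Optional[int] = None


def evaluate(req: AccessRequest, policy: Dict[str, Rule]) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason). Each check uses only reported metadata."""
    rule = policy.get(req.app)
    if rule is None:
        return "deny", "no policy for application"          # default deny
    if rule.require_managed_device and not req.device_managed:
        return "deny", "unmanaged device"
    if rule.allowed_networks:
        ip = ipaddress.ip_address(req.src_ip)
        if not any(ip in ipaddress.ip_network(n) for n in rule.allowed_networks):
            return "deny", "source network not authorised"
    if rule.hours and not (rule.hours[0] <= req.local_time <= rule.hours[1]):
        return "deny", "outside permitted hours"
    if req.service in rule.blocked_services:
        return "deny", "service not permitted for this application"
    if rule.max_transfer_bytes is not None and req.transfer_bytes > rule.max_transfer_bytes:
        return "deny", "transfer size exceeds limit"
    return "allow", "policy matched"


# Constructed sample policy: Jira only from managed devices on known networks during
# working hours; Slack allowed anywhere but without file uploads or very large transfers.
POLICY = {
    "Jira": Rule(require_managed_device=True,
                 allowed_networks=("10.0.0.0/8", "203.0.113.0/24"),
                 hours=(time(6, 0), time(22, 0))),
    "Slack": Rule(blocked_services=frozenset({"file-upload"}), max_transfer_bytes=25_000_000),
}


def demo():
    """Run a few constructed requests through the policy and return the decisions."""
    reqs = [
        AccessRequest("alice", "Jira", "issue-view", "10.1.2.3", True, time(9, 30)),
        AccessRequest("alice", "Jira", "issue-view", "198.51.100.7", True, time(9, 30)),
        AccessRequest("bob", "Jira", "issue-view", "10.1.2.3", False, time(9, 30)),
        AccessRequest("bob", "Slack", "file-upload", "198.51.100.7", False, time(23, 0)),
        AccessRequest("carol", "Zoom", "meeting", "10.1.2.3", True, time(9, 30)),
    ]
    return [evaluate(r, POLICY) for r in reqs]


if __name__ == "__main__":
    for decision, reason in demo():
        print(decision, "-", reason)
```

The order of the checks is deliberate: cheap, identity-level conditions (device, network) are tested before content-level ones (service, transfer size), and every deny carries a reason so that the SWG or CASB can log why a flow was refused.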

360 Degree threat protection

Ultimately, the focus of Security Service Edge is to ensure the security of enterprise IT resources, regardless of where they are hosted or accessed from. With traditional boundaries removed and IT resources scattered across different clouds and offices, enterprise applications become increasingly susceptible to data loss, data breaches, DDoS attacks, malware infestation and many other forms of cyberattacks.
DPI software from ipoque is able to identify flows that are suspicious, anomalous or malicious in real time. This makes irregularities in application access and usage patterns immediately visible within the SSE ecosystem and helps alert CASBs and SWGs to potential hazards. With its encrypted traffic intelligence (ETI) drawn from advanced machine learning and deep learning techniques, our next-gen DPI provides complete visibility even across applications and threats that are encrypted, obfuscated or anonymized. In a unified, single-pass SSE architecture, the deployment of our DPI software creates a single, yet powerful point for network traffic inspection. The DPI engine R&S®PACE 2 equips CASB, SWG and other security tools such as FWaaS, DNS, DLP and WAAPaaS with the information necessary to filter traffic effectively, block malicious sites and restrict unauthorized data outflows.
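"Irregularities in application access and usage patterns" are a stateful question: a single flow is rarely suspicious on its own, but a burst of requests, sessions from two locations at once, or an unusual outbound volume per user is. The example below is added here and is not ipoque or R&S®PACE 2 code: it keeps sliding-window state per user over a stream of classified flow events and emits alert codes that a CASB or SWG could act on. The `FlowEvent` fields, the location codes, the thresholds and the events themselves are constructed assumptions.

```python
"""Stateful per-user anomaly checks over a stream of classified flow events.
Added example; thresholds, event fields and the location codes are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple


@dataclass
class FlowEvent:
    ts: float          # seconds (constructed, monotonic in the sample)
    user: str
    app: str           # application label from the DPI classifier
    session_id: str    # authenticated session the flow belongs to
    location: str      # coarse geolocation of the source address (constructed codes)
    bytes_out: int     # bytes leaving the enterprise in this flow


class AccessMonitor:
    """Sliding-window checks whose alerts feed the CASB/SWG policy layer."""

    def __init__(self, window: float = 60.0, max_rpm: int = 60, max_concurrent: int = 3,
                 max_locations: int = 1, max_bytes_out: int = 50_000_000):
        self.window = window
        self.max_rpm = max_rpm
        self.max_concurrent = max_concurrent
        self.max_locations = max_locations
        self.max_bytes_out = max_bytes_out
        self.requests: Dict[str, Deque[float]] = defaultdict(deque)
        self.sessions: Dict[str, Dict[str, Tuple[float, str]]] = defaultdict(dict)
        self.egress: Dict[str, Deque[Tuple[float, int]]] = defaultdict(deque)

    def observe(self, ev: FlowEvent) -> List[Tuple[str, str]]:
        """Record one event and return (code, detail) alerts it triggers."""
        alerts: List[Tuple[str, str]] = []
        # 1. Requests per window for this user.
        q = self.requests[ev.user]
        q.append(ev.ts)
        while q and ev.ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.max_rpm:
            alerts.append(("rate", f"{ev.user}: {len(q)} requests in {self.window:.0f}s"))
        # 2. Concurrent sessions and the set of locations they come from; idle ones expire.
        sess = self.sessions[ev.user]
        sess[ev.session_id] = (ev.ts, ev.location)
        for sid in [s for s, (t, _) in sess.items() if ev.ts - t > self.window]:
            del sess[sid]
        if len(sess) > self.max_concurrent:
            alerts.append(("concurrent", f"{ev.user}: {len(sess)} concurrent sessions"))
        locations = {loc for _, loc in sess.values()}
        if len(locations) > self.max_locations:
            alerts.append(("multi-location", f"{ev.user}: sessions from {sorted(locations)}"))
        # 3. Outbound volume per window, regardless of which application carried it.
        e = self.egress[ev.user]
        e.append((ev.ts, ev.bytes_out))
        while e and ev.ts - e[0][0] > self.window:
            e.popleft()
        total = sum(b for _, b in e)
        if total > self.max_bytes_out:
            alerts.append(("volume", f"{ev.user}: {total} bytes out in {self.window:.0f}s via {ev.app}"))
        return alerts


def demo() -> List[List[str]]:
    """Feed a constructed event stream through the monitor; return alert codes per event."""
    mon = AccessMonitor(max_rpm=5, max_concurrent=2, max_locations=1, max_bytes_out=1_000_000)
    events = [FlowEvent(t, "alice", "Jira", "a1", "DE", 1_000) for t in range(6)]
    events += [FlowEvent(10, "bob", "Slack", "b1", "DE", 500),
               FlowEvent(11, "bob", "Slack", "b2", "US", 500),
               FlowEvent(12, "bob", "Slack", "b3", "DE", 500),
               FlowEvent(20, "carol", "Jira", "c1", "DE", 2_000_000)]
    return [[code for code, _ in mon.observe(ev)] for ev in events]


if __name__ == "__main__":
    for codes in demo():
        print(codes)
```

The volume check is intentionally per user rather than per application: the restriction on "unauthorized data outflows" the paragraph mentions is only meaningful if uploads split across several sanctioned SaaS applications are still counted together.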

Deep packet inspection for SSE market growth

As work-from-anywhere continues and more workloads are moved to the cloud, Security Service Edge provides a flexible yet scalable model for securing enterprises' IT resources and for implementing multi-layer, fine-grained access control. Deep packet inspection software such as R&S®PACE 2 and its vector packet processing (VPP)-based counterpart, R&S®vPACE, are tailored to handle unlimited application traffic flows across virtualized and containerized environments. This makes them a great complement to cloud-based SSE solutions. Vendors tapping into the relatively new, albeit very promising SSE market can leverage DPI software from ipoque to boost their value proposition by combining next-generation cloud-based security solutions with advanced application visibility.


Tobias Roeder


Tobias holds a degree in electrical engineering and has more than eight years of experience in product development. For a number of years, Tobias has been working as an application engineer for the deep packet inspection (DPI) software R&S®PACE 2 at ipoque, a subsidiary of the Rohde & Schwarz company. Tobias provides engineering services from the packet processing level up to the application level. In customer consulting, he identifies the optimal implementation to fulfill customer requirements and assists with the architectural decisions that go along with embedding DPI into network solutions. When he’s not at work, Tobias plays disc golf and enjoys doing CrossFit.
