DPI-powered application awareness for SASE

Merging agile networking with cloud-based secure access via SASE

Secure Access Service Edge (SASE) enables a plethora of remote employees connected on ISP networks and IoT devices connected on edge networks to seamlessly and securely access enterprise resources. It combines networking services such as routing, traffic shaping, VPN and CDN, and security capabilities such as CASB, secure web gateway (SWG), zero-trust network access (ZTNA), endpoint protection and WAF in a converged and highly integrated ‘as-a-service’ model delivered from the cloud. SASE makes it possible for organizations to scale their network security features across all endpoints through its cloud-delivered service.

DPI-based real-time identification of applications and sessions can greatly benefit SASE in validating and managing access requests across humans and ‘things’. DPI also provides the traffic information necessary for optimal routing and steering of these traffic flows within the enterprise WAN and across cloud and SaaS applications hosted on external domains. DPI additionally plays a key role in filtering out threats that may compromise the security of valuable enterprise resources.

How deep packet inspection supports the main components of SASE

Secure Access Service Edge migrates many network security functions. DPI engines can support each of the main components of your SASE solution by boosting application awareness and real-time traffic visibility.

Secure web gateway (SWG):

• SWG is a reliable agent to reduce web-based threats while at the same time enforcing company policies. As such, it is an important step towards application awareness and security. Combined with deep packet inspection, it is easier for SWG to protect and control apps as DPI helps identify applications and the actions performed in those apps.

Cloud Access Security Broker (CASB):

• A Cloud Access Security Broker, CASB in short, acts as a security point between cloud services and enterprises. A DPI-powered CASB supports this security structure by discovering shadow IT apps and helping the enterprise to control them.

Zero-trust network access (ZTNA):

• Unlike a VPN, a ZTNA does not enable access to networks, but realizes connections in the application layer. By using DPI on this structure, private apps as well as real-time signals or malicious behavior can be identified.

Software-defined WAN (SD-WAN):

• SD-WAN is a wide area network that uses software components to control network operations. It enhances real-time monitoring capabilities and easy extraction of metadata.

Context-aware networking and security for Cloud and SaaS applications

The DPI engines R&S®PACE 2 and R&S®vPACE by ipoque boast advanced traffic classification techniques which incorporate behavioral, statistical, and heuristic analysis as well as machine learning (ML) and deep learning (DL). This enables SASE providers to acquire real-time visibility into the type of applications and services accessed by remote users and ‘things’ via various third-party networks. The encrypted traffic intelligence (ETI) by ipoque leverages ML and DL algorithms such as k-NN, decision tree models, convolutional neural networks (CNN), recurrent neural networks (RNN) and long short-term memory (LSTM) to extend this visibility to flows that are encrypted, anonymized and obfuscated. This enables R&S®PACE 2 and R&S®vPACE to address the surge in encrypted, anonymized and obfuscated traffic. The AI framework of R&S®PACE 2 and R&S®vPACE allows them to rapidly build new detections, accelerating their ability to adapt to new threat environments. These advanced features enable traffic from IoT clusters and remote employees to be identified in real time, down to applications, services, device types, network types, and source addresses.

You will have access to information on frequency and patterns of application usage, alongside data on performance attributes such as speeds, latency, jitter and other metrics, down to each application and session across cloud, SaaS and enterprise applications. This data can be provided for each user and device in an edge and branch network, affording deep insights into traffic flows traversing SASE. By combining application awareness with historical flow information, R&S®PACE 2 and R&S®vPACE are able to identify traffic anomalies and malicious activities in the network, alongside potentially compromised applications, devices and users.

Traffic-awareness provided by DPI enables SASE to:

• Facilitate a single-pass architecture with accurate authentication of users based on user and device identification as well as analyses of usage patterns
• Assign the right privileges based on application access rules and policies to support zero-trust network access (ZTNA)
• Identify attempts of unauthorized network access and identify unauthorized users
• Allocate bandwidth and routes based on application priority and latency requirements
• Dynamically scale network resources to meet traffic demands using WAN optimization
• Implement application-aware content optimization policies such as caching and CDN
• Support sensitive data discovery to preserve data privacy and confidentiality
• Escalate traffic irregularities to UEBA and IDS/IPS for real-time investigation and diagnosis
• Block malicious behavior via IDS/IPS, NGFW and WAF/WAAP, and report affected devices and users