
How to Build Stronger SSE Solutions with Next Gen DPI

Image Credit: BUKHTA/BigStockPhoto.com

When Secure Access Service Edge (SASE) was first introduced, the aim was to converge networking and security technologies into a single cloud-delivered platform that would enable a secure and fast cloud transformation. While a number of fully unified SASE solutions are now available, some vendors have chosen to maintain a focus on just one side of the SASE security/networking coin: Software-Defined Wide Area Network (SD-WAN) edge infrastructure or Security Service Edge (SSE) services.

This doesn’t mean they no longer believe in the power of SASE to meet contemporary IT needs, but rather that they have decided to pursue a best-of-breed solution for one side or the other, which can then be integrated with a partner’s (or a vendor’s own) solution for the other side to create a full SASE solution. And SASE remains a great choice for today’s network managers. They want and need agile, secure access from a diverse universe of devices everywhere to resources everywhere, and a distributed cloud architecture offers an effective way to meet this demand.

But successful SASE solutions are challenging to develop, regardless of one’s focus. They require precise, automated orchestration of policies based on perfect real-time awareness of applications, services and transactions everywhere, regardless of the type of device in use. This extreme awareness is provided by next generation deep packet inspection (NG DPI). While it is a key technology for advanced functions on both sides of the SASE coin, my focus here is how it is used within the core components of SSE.

What is security service edge (SSE)?

The three core components of SSE are ZTNA, CASB and SWG:

  • Zero trust network access (ZTNA) provides secure private app access for managed and unmanaged devices
  • Secure web gateway (SWG) provides secure internet access for managed devices
  • Cloud access security broker (CASB) provides secure SaaS and cloud app access for managed and unmanaged devices

Now let’s look at how NG DPI enables these critical functions. But first, let’s define NG DPI.

What is next generation deep packet inspection (NG DPI)?

DPI is a technology that is widely deployed to provide traffic visibility in networking and security solutions. Specifically, it is software that passively analyzes network traffic flows from Layer 2 (data link) to Layer 7 (applications and data) to identify the protocols, applications and services in use, and to extract additional information in the form of metadata to support specific networking and security functions.

DPI has evolved into Next Generation DPI (NG DPI) to meet three important challenges:

  • The rise of encrypted traffic, which impacts the essential visibility required to properly manage and secure networks,
  • The emergence of advanced, complex cyberattacks perpetrated by sophisticated criminal actors and nation-states, and
  • The shift to cloud-based solutions, with significantly higher performance and scalability requirements.

How does NG DPI strengthen SSE?

NG DPI is used in all SSE components, from the network edge to the cloud core.

In the three pillars of SSE (ZTNA, CASB and SWG), NG DPI enables advanced functions that are of particular interest to security vendors.

ZTNA (Zero Trust Network Access)

The ZTNA model complements or replaces VPNs while strengthening overall network security. Based on the principle ‘trust no one and no thing’, ZTNA replaces the old model of a user connecting to a network with a user connecting to a specific resource, which prevents lateral movement.

Examples of advanced ZTNA functions that NG DPI enables:

  • Detect and block a user trying to connect with forbidden anonymizers like Cyberghost or Ultrasurf.
  • Prevent domain fronting by revealing the use of routing schemes in Content Delivery Networks (CDNs) and other services that mask the intended destination of HTTPS traffic.
  • Detect and block a user trying to connect with RDP or telnet from an unusual location, or to a resource not typically accessed by RDP (traffic that might otherwise be seen as just generic TCP traffic without NG DPI).
  • Continuously evaluate trust by monitoring traffic to detect anomalies, such as the transfer of a file using a false MIME type (e.g., an executable masked as an image), or the presence of non-standard tunneling activities over legitimate protocols (such as DNS or ICMP), which may indicate unauthorized or illegal activities.
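The last bullet describes two checks a continuous-trust engine can run on DPI metadata: a file whose declared MIME type contradicts its content, and DNS queries that look like a tunnel. The following is an added example, not code from the article or from Enea's Qosmos product; it assumes a hypothetical DPI engine that emits one dict per transaction with the fields `declared_mime`, `first_bytes` and `qname` (all field names, thresholds and sample records are constructed assumptions):

```python
"""
Added example (not part of the original article): two continuous-trust
anomaly checks run over constructed DPI-style metadata records.

Assumptions: a hypothetical DPI engine emits one dict per transaction with
'declared_mime' and 'first_bytes' for file transfers and 'qname' for DNS
queries. Field names, magic-byte table and thresholds are all assumptions.
"""
import math
from collections import Counter
from typing import Dict, List, Optional

# Leading-byte signatures for a handful of common file types (constructed subset).
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"MZ": "application/x-dosexec",         # Windows PE executable
    b"\x7fELF": "application/x-executable", # ELF binary
    b"%PDF-": "application/pdf",
}


def sniff_mime(first_bytes: bytes) -> Optional[str]:
    """Return the MIME type implied by the leading bytes, or None if unknown."""
    for sig, mime in MAGIC.items():
        if first_bytes.startswith(sig):
            return mime
    return None


def mime_mismatch(declared_mime: str, first_bytes: bytes) -> bool:
    """True when the content's magic bytes contradict the declared MIME type."""
    actual = sniff_mime(first_bytes)
    if actual is None:
        return False  # unknown content gives no evidence either way
    declared = declared_mime.split(";")[0].strip().lower()
    return actual != declared


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_dns_query(qname: str, max_label_len: int = 40,
                         min_entropy: float = 3.5) -> bool:
    """Heuristic for DNS tunnelling: very long or high-entropy labels below
    the registrable domain (assumed here to be the last two labels)."""
    labels = qname.rstrip(".").split(".")
    sub_labels = labels[:-2]
    if not sub_labels:
        return False
    subdomain = "".join(sub_labels)
    longest = max(len(label) for label in sub_labels)
    if longest > max_label_len:
        return True
    return len(subdomain) >= 20 and shannon_entropy(subdomain) > min_entropy


def evaluate(record: Dict) -> List[str]:
    """Return the anomaly tags raised for one DPI metadata record."""
    findings = []
    if "declared_mime" in record and mime_mismatch(
            record["declared_mime"], record["first_bytes"]):
        findings.append("mime-mismatch")
    if "qname" in record and suspicious_dns_query(record["qname"]):
        findings.append("dns-tunnel-suspect")
    return findings


# Constructed sample records: a genuine PNG, a PE executable declared as PNG,
# a normal lookup, and a query carrying a 52-character hex label.
SAMPLES = [
    {"id": 1, "declared_mime": "image/png", "first_bytes": b"\x89PNG\r\n\x1a\n...."},
    {"id": 2, "declared_mime": "image/png", "first_bytes": b"MZ\x90\x00\x03\x00\x00\x00"},
    {"id": 3, "qname": "www.example.com."},
    {"id": 4, "qname": "a9f3c2e7b1d04e6f8a2c5b7d9e1f3a5c7b9d1e3f5a7c9e1b3d5f.tunnel.example.net."},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec["id"], evaluate(rec))
```

The two heuristics are deliberately simple; a production engine would use a much larger signature table and would baseline per-domain query patterns rather than a fixed entropy threshold, but the shape of the check (compare what the protocol claims with what the payload shows) is the same.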

SWG (Secure Web Gateway)

SWGs prevent breaches that can occur when corporate devices are used to access non-corporate cloud apps, the Internet and the Web. Functions include application control, antivirus screening, intrusion detection/protection, web filtering, sandboxing, SSL inspection and data loss prevention.

Examples of advanced SWG functions that NG DPI enables:

  • Develop fine-grained application controls in line with company policies (e.g., prohibit access to Dropbox or all external file hosts; allow MS Teams but not Zoom).
  • Allow full access for certain social networks like LinkedIn, but only partial access to others like Facebook, with a restriction on file uploads, and deny others altogether, like Instagram.
  • Prohibit evasive traffic connections over HTTP/S, crypto mining pool traffic inherent to cryptojacking attacks, or P2P apps such as BitTorrent.
  • Detect tunneling or obfuscation (protocols and tools such as iodine, OpenVPN, Psiphon or Tor).

CASB (Cloud Access Security Broker)

A CASB monitors and secures traffic between an organization’s approved cloud service providers (SaaS, IaaS, PaaS) and users connecting with managed or unmanaged devices. CASB is also used to ensure regulatory compliance for an organization’s use of cloud services.

Examples of advanced CASB functions that NG DPI enables:

  • Add granularity to CASB policy, for example, transaction-based rules that allow users to access YouTube, but not upload any content to it.
  • Deploy CASB agents on managed devices (or use a data feed from an NG DPI-powered SWG) to discover shadow IT apps that should be brought under CASB management. An example would be to add Dropbox as a sanctioned app (with appropriate rules) after discovering it is widely used within the organization.
  • Use detailed NG DPI metadata to build behavioral profiles of users so that anomalous behavior can be detected and investigated.
  • Use NG DPI output to build a highly compact audit trail of activities for forensic investigations (reduce storage by up to 150x compared to full packet capture).
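The SWG examples above (allow LinkedIn fully, Facebook without uploads, deny Instagram, deny Dropbox and other file hosts, deny BitTorrent, mining pools and tunnels) and the first CASB example (view YouTube but never upload to it) are all the same mechanism: a first-match policy over the application and transaction metadata that the DPI engine attaches to each flow. The block below is an added example, not code from the article or from Enea's products; the input fields `app`, `category`, `action` and `tags`, the rule set and the default verdict are constructed assumptions:

```python
"""
Added example (not part of the original article): a first-match policy
evaluator over the application/transaction metadata an NG DPI engine emits.

Assumptions: each flow is a dict with 'app' (application id), 'category'
(DPI-assigned category), 'action' (transaction type such as 'upload' or
'view') and 'tags' (DPI tags such as 'tunnel'). All names are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    verdict: str                     # "allow" or "deny"
    app: Optional[str] = None        # match on application id, if set
    category: Optional[str] = None   # match on DPI category, if set
    action: Optional[str] = None     # match on transaction type, if set
    tag: Optional[str] = None        # match if this DPI tag is present, if set

    def matches(self, flow: Dict) -> bool:
        """Every condition that is set on the rule must hold for the flow."""
        if self.app is not None and flow.get("app") != self.app:
            return False
        if self.category is not None and flow.get("category") != self.category:
            return False
        if self.action is not None and flow.get("action") != self.action:
            return False
        if self.tag is not None and self.tag not in flow.get("tags", ()):
            return False
        return True


# Rules are evaluated top to bottom; the first match decides. Specific
# transaction-level denies are placed before the broader allow for the same app.
POLICY: List[Rule] = [
    Rule("block-tunnels", "deny", tag="tunnel"),          # iodine, OpenVPN, Tor ...
    Rule("block-evasive-https", "deny", tag="evasive"),
    Rule("block-mining-pools", "deny", category="crypto-mining"),
    Rule("block-p2p", "deny", category="p2p"),            # e.g. BitTorrent
    Rule("block-file-hosts", "deny", category="file-hosting"),  # e.g. Dropbox
    Rule("linkedin-full", "allow", app="linkedin"),
    Rule("facebook-no-upload", "deny", app="facebook", action="upload"),
    Rule("facebook-browse", "allow", app="facebook"),
    Rule("instagram-deny", "deny", app="instagram"),
    Rule("teams-allow", "allow", app="ms-teams"),
    Rule("zoom-deny", "deny", app="zoom"),
    Rule("youtube-no-upload", "deny", app="youtube", action="upload"),
    Rule("youtube-view", "allow", app="youtube"),
]

DEFAULT_VERDICT = "allow"  # assumption: unlisted web traffic is permitted


def decide(flow: Dict, policy: List[Rule] = POLICY,
           default: str = DEFAULT_VERDICT) -> Tuple[str, str]:
    """Return (verdict, rule name) for the first matching rule, else the default."""
    for rule in policy:
        if rule.matches(flow):
            return rule.verdict, rule.name
    return default, "default"


# Constructed sample flows as a DPI engine might classify them.
SAMPLE_FLOWS = [
    {"app": "facebook", "category": "social", "action": "upload"},
    {"app": "facebook", "category": "social", "action": "browse"},
    {"app": "youtube", "category": "video", "action": "upload"},
    {"app": "youtube", "category": "video", "action": "view"},
    {"app": "dropbox", "category": "file-hosting", "action": "upload"},
    {"app": "dns", "category": "infrastructure", "tags": ("tunnel", "iodine")},
    {"app": "bittorrent", "category": "p2p"},
    {"app": "example-news", "category": "web", "action": "browse"},
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow.get("app"), flow.get("action", "-"), "->", decide(flow))
```

Ordering is the part that most often goes wrong in real deployments: if `facebook-browse` were listed before `facebook-no-upload`, uploads would be allowed because the broader rule matches first. Keeping transaction-specific denies ahead of per-app allows, and tag-based denies (tunnels, evasive traffic) ahead of everything, is what makes the DPI metadata useful rather than merely visible.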

Summary

Next generation DPI software embedded in SSE functions provides universal, real-time application awareness. SSE vendors benefit from stronger and differentiated solutions in the form of enhanced threat detection, more granular policies and rules, accurate detection of shadow IT, and precise application-level monitoring.

For more detailed information, see the technical white paper "How SSE Leaders Use Next Generation DPI for Market Success"

Author

Erik Larsson, Head of Marketing, DPI & Traffic Intelligence, Enea

Erik works with cybersecurity and networking use cases for Enea’s Qosmos DPI and traffic intelligence software. He has extensive experience from marketing, business development and strategy at high-growth private companies and publicly listed technology vendors.
