New-Tech Europe Magazine | February 2018

the control and data plane are separated and network functions can be dynamically scaled up and down in virtualized instances. For the IoT, this offers the ability to deliver per-service quality parameters and deal in a flexible manner with the non-uniform and dynamic demands that are placed on network resources. DPI engines will be a key enabler of such an architecture when embedded in network probes and next-generation firewalls. Application classification can feed real-time information to SDN and NFV network management systems based on full Layer 4 to 7 packet capture from physical or virtual probes and appliances. This will mean that SDN/NFV control decisions can be based on data that gives full visibility of the applications being served by the network.

4. DPI can also allay IoT network security fears

Building a network with billions of new devices that are connected via a host of gateways, which, in turn, provide access to and from the network, means that you are introducing a new security structure to protect the network and the integrity of the data traversing the network against external threats. This requires a very different type of security, because many of the connected devices connect and disconnect only fleetingly. Therefore, load balancing and meeting demand become much more dynamic, and tracking individual devices on the network becomes more difficult. It simply will not be possible to react and respond to this dynamic world by deploying traditional firewalls at every gateway, provisioned to maximum demand and conditioned to meet only known threats. Instead, embedded DPI at the aggregation layer in the network can exist as part of a security capability that can combine application-level intelligence with firewall-based solutions.

5. Performance does not have to be compromised

The question arises: surely DPI analysis introduces performance trade-offs in the network? Low-memory-consumption DPI engines are fully passive, with a throughput of up to 9 Gigabits per second per physical thread, without impact on network performance. The advantage of having your network security architecture DPI-enabled is that you can add security in the wire. You can drop in added security by way of a DPI-enabled firewall without the need to change the network. DPI-enabled solutions provided by Rohde & Schwarz Cybersecurity are the best performing in terms of CPU and bandwidth utilization and can achieve tens of Gbps levels.

6. DPI leads to more efficient 5G and IoT by getting intelligence closer to the user

The large increase in data usage driven by 5G speeds and IoT devices will place an absolute priority on the most efficient routing in the network. This will mean using application layer information to make the best traffic optimization decisions, and will result in a more efficient network. The drive to more intelligent decision-making in the network is also a good fit for embedded DPI functionality on the IoT gateway, and even on devices such as WiFi access points, because it will be smarter to take some networking decisions as near to the user as possible to maximize Quality-of-Experience (QoE) and bandwidth utilization.

7. But this will mean multi-layer security is a must, and we must design it now

Yes, very small devices will require very efficient solutions in terms of memory, utilizing access to cloud-based IoT analytics platforms and security capabilities higher in the network. But they will also require multi-layer security that can work even when any particular layer may be broken. The time to design this into the network is now. We are at an early stage in terms of standardization at the platform level, and network operational software is far from mature. This means that we must define security within 5G and IoT from the start, before network platforms are mature. We also have to pay special attention to the millions of brownfield environments that become connected to the internet and are not well prepared to deal with the security challenges associated with connected devices. DPI-enabled infrastructure that enables application layer decisions to be made around security, network management and optimization can contribute to jumpstarting the multi-layer, intelligent, secure network of the future. DPI allows network equipment not just to detect applications within network traffic but to semantically understand the communication protocols in order to detect behavioral anomalies and hacking attempts.

Alexander Muller, Product Manager for Deep Packet Inspection at Rohde & Schwarz Cybersecurity
