Realizing Effective DPI and Cloud Computing Security



New solutions for integrating hardware and software that meet the IoT era’s security demands are arriving.

Deep packet inspection (DPI) technology offers network traffic user, application, and location information for fine-tuned traffic control. Employing software-defined networking (SDN) technology makes it possible to implement programmable network traffic, redirect traffic, and configure automatic security policy. With network function virtualization (NFV), security resource pools can be established for collaborative deployment among computing and security assets.

Figure 1: Key deployment points of unified DPI equipment. Sharing DPI equipment at key points of the telecom network, unified DPI reduces duplication of equipment deployment, allows DPI equipment and DPI applications to evolve independently of each other, and greatly enhances the ability to innovate DPI applications.

Slashing Inefficiency via Unified DPI

With the network traffic visualization DPI achieves, telecom operators can optimize their businesses for specific services, develop value-added services based on user identity, and handle security more effectively. DPI equipment has been tightly coupled with the corresponding DPI application. As the number of DPI applications increases, more and more DPI equipment must be deployed, leading to inefficiencies.

The unified DPI concept proposes to reduce inefficiency by enabling DPI equipment sharing. Unified DPI standardizes network traffic visualization. By coordinating DPI equipment deployment from a network-wide perspective, the DPI requirements are unified at key network locations, and DPI services are shared among multiple DPI applications through a suite of unified northbound APIs. This approach avoids the repeated deployment of DPI equipment (Figure 1).

The number of traffic types DPI equipment can identify, the foundation of all upper layer DPI application innovations, affects the equipment’s value. So do its analytic capabilities, which depend on software design and, to a greater extent, on the computing performance of the DPI hardware platform. Performance must be sufficient to identify more types of traffic in real time.

Rich and Flexible Network IO
To avoid coupling between upper layer DPI applications and lower layer DPI equipment, to allow a range of deployment locations, and to be compatible with different DPI application hardware, unified DPI specifies the requirements for hardware interface support. Depending on the deployment location in the telecom network, DPI equipment needs to support ingress/egress network traffic with 1G/10G WAN/LAN, 2.5G/10G POS networks or 100GbE. For DPI equipment that needs to be concatenated in the network, the required network interfaces must be implemented natively on the DPI equipment. Implementation by using external splitters, switches, or protocol convertors is disallowed, preventing the added devices from introducing extra failure risk. Therefore, in addition to sufficient ingress/egress ports and processing bandwidth, unified DPI equipment must also provide flexible network IO configuration, so the appropriate interface modules can be selected to adapt to different deployment locations.

Full Gamut of Innovation
Supporting various upper layer DPI applications calls for common protocol identification and statistical functions and strong flow control logic. To enable the fine-grained traffic control upper layer applications demand, the DPI equipment must support flow control based on the identified network traffic, including minimum bandwidth guarantee, maximum bandwidth limit, flow pass-through, and flow discarding.

Developing network security applications means DPI equipment must support white-list and black-list settings based on flow metadata such as source address, destination address, protocol number, source port, destination port, domain name, and user ID. If these functional requirements are implemented with traditional methods, functional implementation is not transparent, and available upgrade space is limited. SDN technology can be used to classify traffic flow based on multi-dimensional metadata and set different flow control strategies. Constructing DPI service logic based on SDN architecture enables the DPI analysis, statistics, control, multiplex, and security functions to be centralized and opens the possibility of a wide range of DPI application innovations.

High Availability and LAN Bypass
Unified DPI equipment must provide 99.999% high availability, with the main service components providing an appropriate hot-standby solution. Other system components, such as the power supply unit and fan tray, must provide appropriate redundancy and support online replacement when they experience a failure. DPI equipment that needs to be concatenated in the communication link needs a LAN bypass function. When DPI equipment suffers from a power loss or a self-test failure, it can switch the communication link from the main unit to the bypass unit automatically, ensuring continuity of service.

Modular and Scalable
Data communications begin at the user and go sequentially over the access network, metro network, provincial network, and backbone network. Therefore, an overview of network traffic conditions can be determined by deploying DPI equipment at key points along the route which the data traffic travels. According to the unified DPI specification from China Mobile, these key deployment points can be summarized as: PS side, IDC export, provincial network export, inter-provincial network export, and inter-backbone network export. The required external network interfaces are different at these key points, as is network traffic size, so a single device can’t meet the different requirements at all deployment points. However, to reduce TCO and reserve upgrade capacity for future use, most DPI service providers would prefer a single scalable platform that can deal with most deployment scenarios. Adopting modular design and supporting linear expansion for the computing units solves this dilemma.

Cloud Computing Security

Traditional network security uses firewalls, unified threat management (UTM), intrusion prevention systems (IPS) or other network security products to block attacks at the network entrance boundary. This network boundary forms when networks that have different security levels are connected together. For example, the private network of an enterprise has a higher security level requirement than the public internet, and the connection point between private network and public internet forms the natural security boundary. Once, preventing an intrusion from outside the enterprise network simply required establishing reliable security protection measures at the boundary.

But with the advent of cloud computing, enterprises are moving more of their operations to the public cloud. As a result, the network boundary between private and public networks is blurring. Relying on the traditional concept of the network security boundary is no longer viable. Cloud computing needs a new generation of network security equipment.

Security Cornerstone
In network security, DPI has played an increasingly important role, and it is becoming the cornerstone of cloud computing security in the IoT era. More end-user applications are using HTTP/HTTPS protocols to exchange data. If traditional matching techniques based on TCP/IP 5-tuples are used, most of the traffic flows belonging to other applications will be misidentified as normal Web surfing. Whether for business optimization, content review, or security, it is necessary to 1) know the identity of the traffic flow using DPI analysis, and 2) perform the appropriate control strategy based on protection needs. Because the working mode of DPI analytics engines is generally concatenated, the average computational workload will increase linearly as the number of application types to be identified increases. To guarantee a smooth implementation of DPI analytics, DPI equipment must be equipped with adequate computing power based on the application types to be identified and the traffic size to be handled.
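The following added example (not code from the article or from ADLINK) illustrates the two points made above: 5-tuple matching labels every TCP/80 flow as "web", while inspecting the HTTP Host header names the actual application, and the identified application can then drive the white-list/black-list and flow control decisions described earlier. The flows, domains, user subnet and policy actions are constructed sample values.

```python
import ipaddress

# Constructed sample flows: (src, dst, proto, sport, dport, payload).
# Made-up values for the example, not traffic captured from any network.
FLOWS = [
    ("10.0.0.5", "203.0.113.10", 6, 51000, 80,
     b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("10.0.0.5", "203.0.113.20", 6, 51001, 80,
     b"POST /api/v1/msg HTTP/1.1\r\nHost: chat.example.net\r\n\r\n"),
    ("10.0.0.7", "203.0.113.30", 6, 51002, 80,
     b"GET /stream HTTP/1.1\r\nHost: video.example.org\r\n\r\n"),
    ("10.0.0.7", "203.0.113.40", 17, 51003, 53, b"\x12\x34\x01\x00"),
]

def classify_5tuple(src, dst, proto, sport, dport):
    """Port-based classification: everything on TCP/80 looks like 'web'."""
    if proto == 6 and dport in (80, 8080):
        return "web"
    if proto == 17 and dport == 53:
        return "dns"
    return "unknown"

def classify_dpi(src, dst, proto, sport, dport, payload):
    """Payload inspection: read the HTTP Host header to name the application."""
    if not (proto == 6 and dport in (80, 8080)):
        return classify_5tuple(src, dst, proto, sport, dport)
    head, _, _ = payload.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:        # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").lower()
    return "web"                                 # HTTP without a Host header

# Control policy keyed on identified application and source network, mirroring
# the white-list/black-list and flow control requirements. First match wins.
# Action names ("limit", "discard", "pass") are assumed for this example.
POLICY = [
    {"app": "video.example.org", "src": "10.0.0.0/24", "action": "limit", "kbps": 2000},
    {"app": "chat.example.net", "src": "10.0.0.0/24", "action": "discard"},
    {"app": "*", "src": "0.0.0.0/0", "action": "pass"},
]

def decide(flow):
    """Return (identified application, policy action) for one flow."""
    app = classify_dpi(*flow)
    src = ipaddress.ip_address(flow[0])
    for rule in POLICY:
        if rule["app"] in ("*", app) and src in ipaddress.ip_network(rule["src"]):
            return app, rule["action"]
    return app, "pass"

def compare():
    """Number of distinct applications each method can tell apart on the sample set."""
    by_tuple = {classify_5tuple(*f[:5]) for f in FLOWS}
    by_dpi = {classify_dpi(*f) for f in FLOWS}
    return len(by_tuple), len(by_dpi)
```

On the sample set the 5-tuple method sees two classes (web, dns) while DPI sees four, which is why per-application policy cannot be built on ports alone.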

Making Virtualization Viable
Cloud computing’s “resource allocation on demand” requires that computing, storage, and network resources be taken from resource pools as needed. Resource virtualization is the fundamental technology for achieving this goal. In cloud computing, a large number of virtual machines are continually created, migrated, and destroyed. As business requirements change, the resources needed for computing, storage, and networks will vary. Therefore, network security resources that serve the cloud must also be dynamic. Network security equipment for cloud computing must also support virtualization like other cloud computing resources. NFV technology can be used to shape network security equipment into a resource pool, enabling dynamic security allocation based on business changes. In order to better support NFV, network security equipment must abandon proprietary computing technology and be built based on open computing technology, allowing it to support virtualization more easily in order to achieve “security on demand.”

Boundaries Blurring
Traditional network security equipment is deployed at the physical security boundary, monitoring traffic flow that enters and leaves the security zone and then performing the required network security tasks. Cloud computing’s multi-tenant environment and frequent virtual machine migrations mean that a security zone with a physical boundary does not exist. Even the logical boundaries of the security zone will experience constant changes as virtual machines migrate, resulting in a significant challenge for cloud computing security.

As a virtual machine migration occurs, the network security policies configured for that virtual machine must also be adjusted. If the migration does not go beyond the protective scope of the current network security appliance, then the security policies related to that virtual machine can be adjusted. However, if the virtual machine migration extends beyond the scope of the current network security appliance, then the security policies related to that virtual machine must be migrated to the new network security appliance. The configurations of traditional network security appliances are often static, localized, and need human intervention, making it difficult to implement dynamic, globalized, and automated re-configuration on traditional network security platforms. The industry has been trying to introduce SDN technology to overcome the challenges brought by a blurred security boundary in a virtualized network environment. SDN can direct targeted network traffic flow to a virtualized network security appliance through flow diverting and aggregating. And when a virtual machine migrates, SDN, with its global perspective and flexible programmability, can help to achieve the automated migration of relevant network security policies.

Isolation Issues Tackled
In order to solve the security isolation issues of a multi-tenant virtualization environment, tunneling technologies such as Virtual eXtensible Local Area Network (VXLAN) can be used extensively. VXLAN is an encapsulation technology that repackages layer 2 packets in a layer 3 protocol and can help solve the limitations of MAC table size and VLAN ID space found in top-of-rack (TOR) switches. Because network security appliances are often concatenated in the communication link, they must support VXLAN to handle the network traffic flowing through them. Removing and adding VXLAN headers consumes significant CPU resources and noticeably lowers network security equipment overall performance, but using an extra hardware acceleration unit to assist in VXLAN processing helps.
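As an added example (not code from the article or from any ADLINK product), the block below shows what a concatenated security appliance has to do before it can inspect VXLAN traffic: check the outer UDP destination port 4789 and the VNI-valid flag, strip the 8-byte VXLAN header, and hand the inner Ethernet frame to the DPI engine, which here extracts the inner 5-tuple. The frames are constructed in the block with zeroed checksums; MAC and IP addresses are sample values.

```python
import struct

VXLAN_PORT = 4789   # IANA-assigned UDP port for VXLAN

def build_inner_tcp_frame(src, dst, sport, dport):
    """Construct an inner Ethernet/IPv4/TCP frame (sample data, zero checksums)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, bytes(src), bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    eth = b"\x02\x00\x00\x00\x00\x11" + b"\x02\x00\x00\x00\x00\x12" + b"\x08\x00"
    return eth + ip + tcp

def build_vxlan_frame(vni, inner_frame):
    """Wrap an inner L2 frame in outer Ethernet/IPv4/UDP/VXLAN (sample data)."""
    vxlan = struct.pack("!BBHI", 0x08, 0, 0, vni << 8)   # I flag set, VNI in top 24 bits
    udp_len = 8 + len(vxlan) + len(inner_frame)
    udp = struct.pack("!HHHH", 40000, VXLAN_PORT, udp_len, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x00"
    return eth + ip + udp + vxlan + inner_frame

def decap_vxlan(frame):
    """Strip the VXLAN envelope; return (vni, inner_frame), or None if not VXLAN."""
    if len(frame) < 14 + 20 + 8 + 8 or frame[12:14] != b"\x08\x00":
        return None                                  # too short or not IPv4
    ihl = (frame[14] & 0x0F) * 4                     # outer IP header length
    if frame[14 + 9] != 17:
        return None                                  # outer protocol is not UDP
    udp_off = 14 + ihl
    _sport, dport, _ulen, _csum = struct.unpack_from("!HHHH", frame, udp_off)
    if dport != VXLAN_PORT:
        return None
    flags, _, _, vni_res = struct.unpack_from("!BBHI", frame, udp_off + 8)
    if not flags & 0x08:
        return None                                  # VNI-valid flag must be set
    return vni_res >> 8, frame[udp_off + 16:]        # 8 UDP + 8 VXLAN bytes

def inner_5tuple(inner_frame):
    """Extract the inner IPv4 5-tuple (src, dst, proto, sport, dport) for DPI."""
    if inner_frame[12:14] != b"\x08\x00":
        return None
    ihl = (inner_frame[14] & 0x0F) * 4
    proto = inner_frame[14 + 9]
    src = ".".join(map(str, inner_frame[26:30]))
    dst = ".".join(map(str, inner_frame[30:34]))
    sport, dport = struct.unpack_from("!HH", inner_frame, 14 + ihl)
    return src, dst, proto, sport, dport
```

Every frame crossing the appliance pays this parse-and-strip cost in software unless it is offloaded, which is the motivation for the hardware acceleration unit mentioned above.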

Encryption technology is being used more extensively in cloud computing to enhance security. As with VXLAN, processing encrypted network traffic will also consume significant CPU resources and can be better managed with an additional hardware unit to assist in the encryption and decryption process. When the CPU is relieved of these resource intensive tasks, it can better focus on the key task of performing DPI more effectively and efficiently.

Figure 2: The CSA-5100/5200 1U/2U rackmount network security platform addresses the needs of small and medium enterprises (SME) with a design targeting low- and mid-level security application scenarios. Through four IO expansion slots, up to 32 10G SFP+ ports can be provided on this platform.

Figure 3: The ADLINK CSA-7200 is designed to be a next generation network security appliance, featuring high-performance dual Intel® Xeon processor E5 v3 and up to 64x 10G SFP+ ports through eight Network Interface Modules (NIMs).

Figure 4: The ADLINK CSA-7400 is a high-performance, high-density computing platform supporting four dual-processor Intel® Xeon® processor E5 v3 compute nodes interconnected by dual redundant switch modules. The CSA-7400 ensures uninterrupted service delivery through hot-swappable compute nodes and switch modules. It is ideally suited for building next generation high-performance firewalls and virtualized telecom elements.

Network Security Platforms

DPI equipment computing requirements are increasing, while SDN is expected to be supported on DPI equipment to enhance its functionality and adaptability. In addition, network security equipment is standardizing. To strengthen NFV, SDN, and big data technologies from open platforms, network security equipment is shifting from traditional proprietary computing platforms to open, COTS-based computing platforms. The Cyber Security Appliance (CSA) series of products from ADLINK Technology is designed and built to meet these trends and needs. By integrating the special requirements of next-generation network security appliances on open computing platforms, ADLINK’s CSA products can assist network security providers in constructing services that meet DPI and cloud computing security requirements in the IoT era (Table 1).

Table 1: Rising to the needs of the IoT era, ADLINK CSA products feature high-density design to solve high-capacity and high-bandwidth network security demands. CSA solutions also introduce the latest computing and communication technologies from the open computing domain, ensuring a rich set of new features that allow users to easily meet network security challenges.

Figure 5: CSA Application Ready Intelligent Platforms (ARiP) from ADLINK Technology

Conclusion

ADLINK Technology has taken great efforts to fully understand the requirements of DPI and cloud computing security in the IoT era, and introduced the CSA series of computing platforms to meet these requirements. By integrating high-performance DPI processing capability and support for NFV, SDN and hardware acceleration units, the CSA series forms a solid foundation for developing the next generation of network security equipment. CSA platforms are designed with a modular concept in order to achieve maximum intercompatibility of components across the product line and reduce TCO. ADLINK has also developed and integrated the requisite software components and open source middleware, reducing development efforts required by customers. The growth of applications in cloud computing is accelerating at a faster pace as we enter the IoT era, bringing with it an increasing number of network security threats. ADLINK Technology is committed to providing high-performance, high-availability ARiP platforms that meet the requirements of network security for industrial IoT, and will continue to analyze new trends and challenges in the network security industry, listen to customer feedback, and provide the best network security platforms built on open computing technologies.


Qizhi Zhang is System Architect for the Network & Communication Business Center, ADLINK Technology, where he is responsible for product definition, architectural design, and technical consulting for the enterprise’s Network & Communication platforms. Dr. Zhang received his Ph.D. in Automation from Shanghai Jiao Tong University. With 10+ years’ working experience in the telecom industry, he has solid expertise in system management, high availability systems, and network security devices.