DPI-powered network packet brokers for data center networks


By John Bonzey
Published on: 27.09.2023

At the core of any network is the data center – hosting web, application and data storage servers that thousands of users access every day. Managing the constant stream of data that flows between these servers and users requires a plethora of network tools that route, filter, distribute, secure and manage all forms of traffic.

Better together: APCON and ipoque

With each wave of digital and cloud transformation, network tools such as analytics engines, SD-WAN accelerators and CDN switches become inundated with larger traffic volumes and an ever-expanding breadth of applications. This necessitates intelligent traffic processing, where dynamic policies are used to reduce overall traffic load and optimize flows. Low‑latency applications, for example, require dedicated routes that are shorter and faster, whereas standard web traffic is offloaded to default pathways.

Many of the routing and distribution decisions within data centers are executed via network packet brokers. An example of a network packet broker is the IntellaView platform from APCON. Boasting over 30 years of experience and presence in more than 40 countries, APCON is a US-based provider of network visibility and monitoring for enterprise data centers. Their customers span the telecommunications, banking, government, healthcare, education and IT sectors.

APCON’s IntellaView platform, which comprises IntellaView series switches and the HyperEngine blade, can undertake a number of tasks such as application filtering, traffic shaping, packet deduplication and NetFlow record generation. To execute these tasks, the IntellaView platform requires real-time application classification that enables policies to be assigned based on the underlying application or protocol. To ensure hyper speeds and the highest accuracy, APCON partners with third parties like ipoque to offer traffic identification capabilities to customers.

This led to a collaboration between APCON and ipoque where ipoque’s DPI engine R&S®PACE 2 is run on any of the HyperEngine’s six service engines. Application Filtering on the HyperEngine executes traffic filtering for Layers 2 to 7 at rapid speeds.

Shaping intelligent data center networks with next-gen DPI

R&S®PACE 2 delivers real-time traffic classification, covering Layer 7 protocols, such as RTP and HTTP, and applications, such as Gmail, Zoom and Netflix (including a detailed application service description such as video, file transfer or audio). R&S®PACE 2 also detects traffic that is malicious, suspicious and anomalous. It leverages a combination of classification methods, which include pattern matching and statistical/behavioral/heuristic analysis as well as metadata extraction.

The next-gen DPI engine features fast performance with linear scalability – even in ranges of multiple terabytes – allowing it to match against today’s data center throughputs. Superior performance, complemented by a super-low memory footprint, enables R&S®PACE 2 to support the IntellaView HyperEngine’s combined throughput of 600 Gbps across all of its six engines. Designed for traditional, virtualized and cloud-native environments, R&S®PACE 2 works perfectly within data centers to deliver comprehensive traffic analysis, thus enabling an intelligent data center network.

Focusing on traffic that matters

By identifying traffic in real time, data centers have the ability to optimize processing, speed up traffic routing, and improve security. The IntellaView platform’s HyperEngine blade, for example, uses R&S®PACE 2-powered packet classification capabilities to split traffic flows into distinct streams. This allows the HyperEngine to route traffic intelligently to functions that correspond to each application or protocol (refer to Figure 1).

For instance, IntellaView HyperEngine users can specify Netflix and YouTube traffic to be channeled to a video analysis engine or a content compression server, while email applications are routed via a spam filter. Users can also configure low-risk and standard Internet apps to be redirected or sifted out. This reduces the processing load and overheads across various network tools.

Leaner data centers

There are also other benefits. Application visibility by R&S®PACE 2 enables real-time bandwidth adjustments for priority applications, as configured by users through the platform’s GUI. Identifying different applications in real time also improves regulatory compliance in terms of security and data protection, especially across highly-regulated industries, such as banking and healthcare. Additionally, filtered flows enable the IntellaView platform to improve predictive analysis across different applications and build this into network planning. Moreover, clean data flows require less storage space.

Data center solution providers such as APCON also draw significant efficiency gains by centralizing traffic inspection in a single platform. Integration of DPI insights into APCON’s IntellaView platform enables various other related services such as routers, IP probes and network performance monitoring engines to tap into the shared traffic intelligence, reducing the redundancies and resource wastage associated with local filtering.

BlackCat on the prowl

Security-wise, a single point of processing can ramp up threat detection rates. Processing the entire flow in a single instance makes malicious activity more visible to security tools. DNS attacks, such as DNS tunneling, DNS hijacking, DNS poisoning and DNS cache poisoning, are common in data centers. So are DDoS and ransomware attacks.

An article by CSOonline[1] earlier this year reported how Resecurity, a cybersecurity company, uncovered a malicious campaign that targeted data centers specifically, leading to stolen data center credentials involving some of the world’s largest corporations. In April, a ransomware attack on the Hawaiian data center of American payments company NCR disrupted its cloud-based hospitality applications, such as the Aloha Restaurant Guard[2]. The attack was associated with a ‘ransomware-as-a-service’ threat actor, BlackCat, who has targeted more than 350 organizations to date[3] and who leverages stolen credentials to control enterprise data and applications.

The role of next-gen DPI in securing data center traffic cannot be overstated. R&S®PACE 2 delivers threat intelligence that preempts data center firewalls and threat protection tools in a timely manner. This greatly improves application security and mitigates risks of data loss. With encrypted traffic intelligence (ETI), R&S®PACE 2 is able to classify traffic that is encrypted, anonymized or obfuscated. This includes encryption protocols such as TLS 1.3, TLS 1.3 0-RTT, DNS-over-X (DoX) and ESNI, and the use of VPNs, anonymizer tools and domain fronting.

Keeping the tenants happy

Data center operators providing public cloud services will be inundated with all types of traffic from the tenants they host. With R&S®PACE 2’s extensive signature library, which is updated weekly, and ipoque’s global traffic surveillance, APCON can ensure that tools such as IP probes and WAN accelerators have up-to-date information on the latest applications and version upgrades. R&S®PACE 2’s custom service classifier also allows data center solution vendors to add signatures of protocols and applications that are unique to their clients; for example, SCADA protocols, such as IEC104, or communication protocols for healthcare, such as HL7.

Partnership outcomes

The incorporation of our DPI engine R&S®PACE 2 in its application filtering engine allows APCON’s IntellaView HyperEngine to identify thousands of applications and protocols. This information arms APCON with deep traffic insights: from identifying P2P or illegal streaming services that quietly devour bandwidth, to keeping tabs on business-critical applications such as ERP and financial applications—whose performance indicates how well the network is performing. When it comes to issues and resolution, R&S®PACE 2 classification information enables faster troubleshooting and ensures cybersecurity tools become more effective in keeping attacks at bay.

More fundamentally, intelligent traffic filtering helps data centers shape their networks according to their traffic and deliver faster transit times and a superior application experience.

Want to learn more about the APCON-ipoque partnership? Check out our case study and find out how the deployment of the DPI engine R&S®PACE 2 in APCON’s IntellaView HyperEngine solves traffic visibility challenges and improves network performance and security.


John Bonzey


John Bonzey is the sales manager for the American market, which he has successfully opened for ipoque since joining Rohde & Schwarz back in 2013. John has strong expertise in software and hardware system solutions for network operators, enterprise and OEM market segments. John lives with his family in Boston, Massachusetts and is a passionate ice hockey player and adventurous snowmobiler.

Email: John.Bonzey@rsa.rohde-schwarz.com