Deep Packet Inspection for Wireless Access Points Analyze

DEEP PACKET INSPECTIONINSPECTION

DEEP PACKET INSPECTION FOR WIRELESS ACCESS POINTS ANALYZE. CONTROL. SECURE. CONTENT

1. Introduction...... 3

2. WAP use and challenges...... 4

3. DPI in a nutshell...... 5

4. DPI benefits...... 6

5. Improving airport public WiFi QoE / QoS...... 7

6. Increasing corporate WiFi security and control...... 8

7. Application-aware customer premises equipment...... 9

8. Build or buy DPI...... 10

9. DPI at its best...... 11

10. Conclusion...... 11

2 ROHDE & SCHWARZ ◄ 1. INTRODUCTION

According to many market research analysts, the global wireless access point (WAP) market is anticipated to continue its upward trajectory and to grow at an impres- sive compound annual growth rate (CAGR) of approxi- mately 27 % through 20271. Many companies are using cloud-computing technology for cost-cutting purposes, eliminating investments required for storage hardware and other physical infrastructures. With significant growth expected in internet usage, particularly bandwidth-con- suming video traffic, WAP vendors need to enable their customers to monitor and improve device performance, improve end user experience and enhance security. These customers include companies that offer internet access to patrons like airports, hotels, retail / shopping centers and so on. These external internet access providers can differ- entiate themselves by offering optimum service through advanced network analytics, traffic shaping, application control, security capabilities and more.

WAPs are now used for in-depth network traffic and user analytics that allow companies to better understand internet communication such as web traffic or instant messag- ing. In addition, protocol and application classification with metadata extraction is becoming a fundamental tool to deliver the desired network traffic visibility and management.

All of this is achieved via deep packet inspection (DPI) technology embedded into the WAP platform. Implement- ing DPI software into WAPs creates an intelligent network infrastructure that can offer an opportunity to monetize new data services, improve quality of experience (QoE), strengthen network security measures and more. With exponential increases in both data rates and bandwidth demands, WAP vendors are unable to meet the requirements of quality of service (QoS), QoE and performance without proper IP traffic analytics capabilities provided by DPI technology. In short, DPI is a crucial prerequisite for the success of next generation WAPs.

1) https://www.strategyr.com/market-report-gigabit-wi-fi-access-points- forecasts-global-industry-analysts-inc.asp 3 2. WAP USE AND CHALLENGES

Wireless access points (WAPs) are special-purpose Companies and other WiFi service providers around the communication devices on wireless local area networks world are recognizing the need for in-building cellular / (WLANs). Serving as a central transmitter and receiver internet solutions that are easy to deploy and provide an of wireless radio signals, the network hardware allows a attractive total cost of ownership (TCO) while improving WiFi compliant device to connect to a wired network. The coverage and performance. There is a growing desire to WAP usually connects to a router (via a wired network) as optimize WiFi service and maximize customer / employee a standalone device, but it can also be an integral compo- coverage through implemented WAPs that enable the im- nent of the router itself. WAPs also enable WiFi hotspots. proved planning and use of resources via full visibility and These hotspots commonly deploy one or more WAPs to tracking of internet traffic. support the WiFi coverage area and traffic. Business networks also typically install WAPs throughout the office Enhanced WAPs can now monitor WiFi usage in real time areas. While most homes only require one wireless rout- and increase QoS based on dynamic network conditions. er (access point) to cover the physical space, companies In addition, WAPs improve security by enforcing usage may use many of them. Determining the optimal locations rules for personal devices once they are on the network. for where to install a set of WAPs can be challenging, even for network professionals, due to the need to cover All of this is achieved by embedding DPI technology onto areas with a reliable signal. the WAP platform, which was difficult in the past. WAP devices typically do not have the memory or computing The growing number of companies that offer WiFi ser- processing power to support DPI technology. Previous vices has led to significantly increased competition in the technology needed a significant amount of processing marketplace. Revenue is lagging, traffic is growing and power (CPU-load) and memory. But with the development users are increasingly demanding consistent, high-qual- of new, advanced DPI software with a low memory foot- ity service regardless of where they are or what device print, this is no longer an area of concern or difficulty. they are using. The need to stand out from competitors through QoS is critical. Enhancing user shopping, banking or leisure experience can attract customers and increase business and market share. Optimizing the performance of WAP networks through traffic management capabilities can save colleges/schools, hospitals, malls and other companies significant costs. These savings can be real- ized when IT managers do not need to purchase a larger (and more expensive) fixed broadband line through optimal management of existing capacity.

4 ROHDE & SCHWARZ ◄ 3. DPI IN A NUTSHELL

As services and applications become more integrated and Many DPI software solutions can identify packet flows, customized, knowledge of the internet protocol (IP) layer is allowing control actions based on accumulated flow infor- desirable. Enabling accurate network monitoring and ana- mation. DPI enables the extraction of WAP content and lytics requires technology with the intelligence to do more metadata as well as the reporting and handling of the ex- than just a high-level view of the data packets traversing tracted information from IP-based traffic. This extracted the network. As such, DPI goes beyond the IP header. DPI, data can be used for a wide range of use cases, including: also known as complete packet inspection, provides that visibility by analyzing up to Layer 7 of the packet, provid- Strengthen network security ing a finer control and more granular application identi ► Fine-grain application and access control fication than header-based classification. This requires ► Enforce usage rules for personal devices on maintaining a software library of thousands of protocols the network and applications and understanding patterns and beha ► Facilitate parental control viors for every new app and version. Otherwise, a packet can easily be classified incorrectly. A classified packet may Network optimization & planning be redirected, marked / tagged, blocked, rate-limited and, ► Measure WAP performance and user QoE of course, reported to a reporting agent in the network. ► Enable traffic shaping and management ► Prioritize key business traffic ► Enhance VoIP performance ► Enforce QoS based on dynamic network conditions DPI CAPABILITY CATEGORIES — EXAMPLES ► Reduce maintenance costs

Enhance marketing and grow revenue ► Increase revenue through tiered WiFi packages and real-time or post-event upsell Encrypted traffic ► Rate-based access control down to application layer Multiprocessing intelligence Classification with linear algorithms powered by scalability machine learning In addition, some DPI engines deliver modular functionality that can be tailored to meet customer WAP system requirements. Customized functionality can include: Protocol and Service type Custom application detection ► Configurable event reporting to improve performance extensions (chat, video, file classification ► Signature updates on runtime with no service transfer, etc.) in real time interruption ► Support for VoIP, audio & video KPIs such as throughput, latency, jitter Client-server- NAT/tethering ► Application attributes separate different application indication transparency Statistical usage types (e.g. Skype audio & Skype video calls) metadata to determine application performance and QoS for extraction VoIP and video as well as to protect against network for QoS/QoE security threats. metrics

As external internet access providers seek to improve the QoE by making their networks application-aware and adaptive, there is a corresponding opportunity for network equipment and solution suppliers to provide offerings that enable more intelligent networks. This, in turn, is driving demand for embedded DPI.

5 4. DPI BENEFITS

Traffic monitoring through implemented DPI technology low-latency (voice), guaranteed-latency (web traffic), plays an important role in network management, network guaranteed-delivery (application traffic) and best-effort optimization and planning. Internet access providers are delivery applications (file sharing). Using these classifi- typically only aware of general characteristics of the web cations, internet access providers can better optimize traffic. When embedded into new and existing WAP sys- resources for mission-critical traffic and police the use of tems, DPI can help network professionals to dive deeper noncritical traffic. into the user activity data. DPI provides intelligence about user traffic, application use, content communicated and DPI-empowered WAPs can distinguish between specif- anomalous patterns. As a result, they can prevent WiFi ic applications, for instance, Hulu versus Salesforce, and network congestion and ensure WiFi service availability to then apply policies based on business rules. Enabling a all customers by monitoring traffic patterns and bandwidth WAP to enforce usage rules for business and person- needs, thus increasing customer satisfaction. al devices once they are on the network is increasingly valuable. Not only does this strengthen network security Gaining business intelligence from WAP network and user by limiting potential threats / attacks, it also prioritizes key data is a fast growing area, as external internet access business traffic. providers recognize that they cannot only increase the efficiency of their network but also generate additional reve- DPI technology goes beyond security protocols to offer a nue through tiered WiFi packages as well as real-time and suite of capabilities that include analyzing the payload of post-event upsell. the packet and extracting content level information such as malware, specific data and application types that are With the huge growth in IP network traffic using web otherwise unavailable. This enables companies and cor- protocols, internet access providers need to be able to porations to better manage their network in case they are identify applications to distinguish between traffic. increasingly dependent on the efficiency of their networks DPI can be used to separate traffic into classes such as and the applications running on them.

TOP DPI BENEFITS

Reduce total cost of ownership Improve QoS and QoE for WAP operators Increase revenue

Increase network security Reduce time to market by Monetize new business services sourcing DPI

6 ROHDE & SCHWARZ ◄ 5. IMPROVING AIRPORT PUBLIC WIFI QOE / QOS

Traffic shaping is the practice of regulating network data ► Which applications are patrons using? transfer to ensure a high QoS or ROI. This involves delay- ► Which devices are connecting and on which operating ing the flow of less relevant packets. Regulating the pack- system, browser and manufacturer? et flow within a network is called bandwidth throttling. ► Which are the customer’s preferences, including Traffic shaping is vital for WiFi hotspots in airports to lower language settings, demographics and interests? the WAP operators TCO by improving link utilization. Rea- sons for traffic shaping include: As such, airports are likely to see Netflix, Hulu or Spotify ► Prioritized, time-sensitive data such as real-time flight used significantly and can specify peak Mbit / s for each updates or concession recommendations. application, ensuring optimum connectivity to accommo- ► Frequent flyer airport lounges that can be given date these applications. For example, Netflix, Hulu and priority over other traffic. Spotify all currently recommend different bandwidth re- ► An ISP that may limit bandwidth consumption for quirements to maximize HD quality. Additional WiFi oper- certain applications to reduce costs and to create the ational insights address how much data is consumed, the capacity to take on additional subscribers. length of user connects and the network load by defined locations like a terminal, gate or restaurant / bar. Geo-plot- The era of big data has brought about an entirely new ting multi-dimensional attributes allows the company to way of understanding customers. Airport WAPs with DPI pinpoint where users are congregating, whether it’s a pop- technology can deliver advanced network analytics that ular concession stand, busy gate or check-in kiosk. This uncover passenger behavior and preferences. This permits level of knowledge can be crucial for operation teams, as it data-driven decision-making critical to business operations helps your network planning team ensure the airport has a and key for uncovering new opportunities. The data can be dense wireless infrastructure that can handle high passen- used as marketing input, including: ger traffic with the right coverage.

7 6. INCREASING CORPORATE WIFI SECURITY AND CONTROL

Protecting networks requires flexible network architec- current authorization and control tools, WAPs with fine- tures,constant observation and active handling of iden- grained application control offer greater flexibility, accura- tified issues. Threats can be brought in unknowingly cy, and security. through BYOD (bring your own device), IoT, file download permissions and automatic software upgrades that all Besides increasing security and control, DPI-enhanced contribute to malware infection. WAPs with embedded WAPs enable a holistic approach to traffic management DPI provide high-grade security policies via layer 7-aware when combined with existing SD-WAN solutions. By im- classification and metadata extraction. WAP analytics help plementing traffic management on multiple points with- companies recognize irregular behavior from a network in the network, companies can optimize traffic flow and security breach and identify the issue. bandwidth usage over the whole corporate network in- stead of focusing on WAN optimization only. As more and more devices connect to BYOD networks and some of them become infected easily, policy enforce- By facilitating advanced fine-grained application control ment is challenging, especially due to widely used encryp- and metadata extraction, DPI technology creates leading- tion and obfuscation techniques. First-level approaches -edge products that: to network protection usually involve website / application ► Blacklist file sharing services like BitTorrent or other blacklisting and role-based access management. WAPs types of applications often abused with DPI technology simplify this task. ► Filter possible threats such as e-mail attachments, URLs, filenames and other types of suspicious payload DPI technology provides fine-grained application control, ► Classify critical apps that hide and obfuscate traffic delivering efficiency and high-level security. It enables pre- such as anonymizers, VPNs, Tor and P2P clients cise policy implementation, including access to specific ► Investigate encryption quality and parameters by websites, apps or servers / files. Managers can quickly and providing detailed metrics such as TLS / SSL ciphers, easily restrict users based on specific attributes. Unlike sessions and certificates used

8 ROHDE & SCHWARZ ◄ 7. APPLICATION-AWARE CUSTOMER PREMISES EQUIPMENT

Customer premises equipment (CPE) providers have lim- DPI technology creates an opportunity for WAP vendors ited solution offerings because traffic visibility is restrict- to offer customers new value-added services like smart ed to Layers 1 to 4. The value of security protocols, QoS, homes. With the vast amount of new connected IoT de- service chaining and reporting are greatly enhanced by vices and services, it becomes mandatory for WAPs to leveraging the complete data spectrum of Layers 1 to 7. manage the available bandwidth efficiently while optimi DPI technology is easily embedded into WAPs to provide zing the QoE for users. It has to be ensured that important IP classification up to Layer 7, delivering real-time applica- signals and messages like those needed for controlling tion and user information that permit advanced control of alarm systems and home automation have priority over en- application access. tertainment-related or web surfing traffic.

For example, WAPs with DPI technology can control Embedded DPI technology enables WAP vendors to clas- access to certain services based on the time of day or sify a variety of IoT protocols, applications and services frequency of visits. Parents can control the time that chil- in order to create fine-granular traffic management and dren are allowed to use certain applications, for example, security policies. DPI-enabled residential CPEs help users by restricting Netflix after 10 pm. DPI technology can also reduce costs, maximize link utilization and enable superior limit access to online gaming platforms based on the fre- QoE. quency of visits, enabling to limit the number of times per day or week that a child can join the World of Warcraft gaming community, for example. In addition, WAPs with DPI technology can be set to prioritize video streaming over other web traffic to ensure a higher QoE.

9 8. BUILD OR BUY DPI

When a device needs DPI application awareness as a key Vendors may consider open-source DPI with the idea that enabling feature, the choice between building in-house it is free to use. However, there are some important con- DPI libraries and licensing software from a DPI special- siderations — both pro and con — to adopting an open- ist can be difficult. Whether an application requires soft- source DPI library. Open-source software often ends up ware-defined networks to support policy control and not being for free, because it still requires in-house devel- critical traffic steering, protect corporate networks from opers to learn about the software and, more importantly, malicious attacks or deliver metadata on network traffic to customize it. Frequently, this requires working with a and subscriber analytics, selecting the right DPI solution is third-party vendor to manage and add new features. becoming a more strategic and challenging decision. Most WAP vendors simply do not have the in-house re- A big challenge for WAP vendors and internet access sources to track and classify the latest apps and protocols. providers trying to build in-house DPI would be the need In a typical integration, the WAP application use data is to continually update the software with the latest applica- linked directly to third-party analytics systems that deliver tions and protocols so that the security product is effective reports on and dashboards of data consumption. Ready- in managing threats and malware. A DPI engine is only as to-use software libraries reduce costs and risks associated effective as its creators design it. The evolution of network with developing and maintaining a highly complex techno traffic means that DPI software is never complete, with logy internally. new applications and protocols continually appearing. DPI software companies have dedicated DPI experts ad ding new application signatures on a weekly basis. This ensures that a high percentage of network traffic can be reliably classified, which is critical in the case of security and network management vendors that need to make accurate decisions on reliably classified traffic. As a result of ongoing performance and reliability testing, regular im- provements can be made to the software to ensure that all applications are detected.

ROHDE & SCHWARZ ENSURES UP-TO-DATE SIGNATURES

SIGNATURE MONITORING UP TO DATE CHANGES

GOAL COSTS The goal of DPI maintenance is to reduce the cycle Besides the initial R&D costs for developing a DPI time of signature updates as much as possible. engine, the main cost factor is maintaining the DPI. CHANGE ROLLOUT R&S®PACE 2 signature updates are usually done in An extensive testing setup is needed to ensure that DETECTED weekly cycles. application and protocol changes are detected early in order to provide signature updates.

SIGNATURE SIGNATURE VERIFIED ADOPTED

10 ROHDE & SCHWARZ ◄ 9. DPI AT ITS BEST

WAP vendors need to deliver behavioral, heuristic and R&S®PACE 2 REQUIRES ONLY 410 BYTES PER FLOW statistical analysis to reliably detect network protocols and applications and extract metadata in real time. The Rohde & Schwarz DPI solution for WAP applications 2000 bytes is the easiest to integrate with both new and legacy products. The protocol and application classification engine R&S®PACE 2 offers the industry’s most efficient memory and CPU utilization. Featuring the smallest processing footprint, this engine is ideal for low-power equipment, including next-generation and legacy WAPs. R&S®PACE 2 only requires 410 bytes per flow, while using very little processing power (CPU-load) and no memory allocation 410 bytes during runtime.

R&S®PACE 2 can be implemented in the user space or in the kernel space of the processor, reducing the im- R&S®PACE 2 Competitors pact on processing performance. This is of particular importance in legacy WAPs. The backwards-compatible R&S®PACE 2 software is an intuitive, highly flexible and platform-agnostic application programming interface (API) that speeds up integration and has no external dependen- cies. R&S®PACE 2 also simplifies upgrades by enabling automatic weekly signature updates without rebooting.

R&S®PACE 2 supports a wide range of operating systems and hardware architectures: 10. CONCLUSION ► Intel x86 (Linux, Solaris, FreeBSD, Windows) ► ARM (Linux, Android, BSD) ► Cavium Octeon (SE, BSD, Linux, HFA) ► PowerPC (Linux, BSD) Today’s WAPs must offer high-performance wireless connectivity tailored to fit customer needs. Through DPI R&S®PACE 2 accurately identifies applications up to Layer technology, WAP vendors can now deliver company-class 7 and provides the ability to manage network and applica- WiFi with the highest levels of performance and en- tion performance in real time. By integrating R&S®PACE 2, hanced reporting capability. The flexible and customizable WAP vendors can keep up with the dynamic changes in R&S®PACE 2 software simplifies integration of both new protocols and applications, which ensures a high rate of and legacy products. The DPI software allows WAP pro- detection for traffic management. viders to monetize WiFi networks via enhanced real-time monitoring capabilities that enforce QoS based on dynam- R&S®PACE 2 makes WAP metadata extraction, reporting ic network conditions to prevent WiFi congestion, enforce and handling of information in real time easy. The modular usage rules for personal devices once they are on the DPI engine can be tailored to meet customer WAP sys- network and strengthen network security measures. The tem requirements, including configurable event reporting software is easy to implement and requires no in-house re- to improve performance and customizable analysis that sources to track and classify the latest apps and protocols, saves time and effort. simplifying the extraction of valuable metadata.

11 www.ipoque.com Email: [email protected] Info: +49(0)341594030 Augustusplatz 9|04109Leipzig,Germany ipoque GmbH www.rohde-schwarz.com KG GmbH &Co. Rohde &Schwarz service network inmorethan70countries. the independentcompanyhasanextensive salesand market segments.Founded morethan80years ago, address manydifferentindustryandgovernment-sector cations andmonitoringnetwork testing,areasthat broa Rohde nications technologyproductsforprofessionalusers. duces andmarkets innovative informationandcommu- The Rohde Rohde &Schwarz we take advantageofpotentialsynergies. into intelligence.AsasubsidiaryofRohde solutions thatempower ourcustomers totransformdata our deepdomainexpertise tocreatecustomizedsoftware in theworld ofnetwork analytics software. We leverage ipoque, aRohde ipoque © 2021ipoqueGmbH |04109Leipzig,Germany © 2021Rohde Data withouttolerancelimitsisnotbinding |Subjecttochange White paper|DeepPacket InspectionforWireless AccessPoints PD 5215.3985.62|Version 02.00| February 2021 Trade namesaretrademarksofthe owners R&S® isaregisteredtrademarkofRohde dcast andmedia,cybersecurity, securecommuni- & Schwarz focusesontestandmeasurement, & & Schwarz GmbH Schwarz technologygroupdevelops, pro- & Schwarz company, isagloballeader & Co. KG|81671Munich, Germany & Schwarz GmbH & Co. KG & Schwarz,

5215.3985.62 02.00 PDP 1 en 5215398562