Carl Weinschenk spoke with Elan Amir, president and CEO, Bivio Networks.
Weinschenk: What is deep packet inspection?
Amir: Deep packet inspection is the discipline or technology of looking at network traffic and data beyond just the header information. Deep packet inspection is concerned with taking action based on the payload or content, including anything from application-level data to user-level data to subscriber-level data. It is used for security, access control, traffic management and monitoring. Collectively, that whole technology behind just the header is deep packet inspection.
Weinschenk: What is DPI used for?
Amir: It depends on the market segment you are looking at. It's fair to say the dominant use of deep packet inspection today [for the enterprise] is in the security space and various aspects of it. These include application segments like intrusion detection, antivirus protections and bot protection. Access control is adjacent; it is fundamentally a security function. All are DPI applications. On the service provider side they really are less concerned with security - though obviously security needs are there. It is a lot more concerned with monetization of investment in the pipeline. That means increasing capacity using traffic management techniques. It's applications like differentiated services, differentiating billing and tiered services. What all these technologies have in common is the implementation of a technology that allows visibility and control of traffic over the network to allow more monetization. At the end of the day, that's DPI. Whether people call it DPI or not, DPI is where the bulk of expenditures on enterprises and the service provider side will be in the next three to five years.
Weinschenk: Why is DPI growing in the security area?
Amir: Up until probably three or four years ago, security was just a perimeter discipline. IT was simpler; there was less prevalence of Internet use. It was about keeping the bad guys out, and the good guys shielded from the outside world. [The major security tool] was a firewall. It only let access from the outside world to a specific set of destinations, a specific set of servers that was relatively easily defined. [Now] the Internet is a lot more complex; vulnerabilities exist at layers that are not visible to that type of security. The whole concept of the perimeter has gotten somewhat ambiguous. In the case of a laptop, where is the perimeter?
Weinschenk: What else has happened?
Amir: The second thing is that the threats are more complex. They come in the form of viruses in e-mail or perfectly legitimate access applications coupled with illegitimate use of those applications. On the other hand, what the application actually is doing may be illegitimate. In order to be able to detect those kinds of threats [and others], you need to go beyond header information. That was where deep packet inspection came in. DPI enables IT administrators and security officials to be able to get visibility into what is going on in the application and user layer.
Weinschenk: Is this an important transition?
Amir: The interesting thing about DPI is that it is a fundamental change in the way networking is done. Networking until DPI really was all about connectivity. It was solely concerned with getting packets from here to there. It was fundamentally a hardware discipline. Switches and routers are built with relatively little software. So the fundamental paradigm, the shift when DPI is introduced into the network, is that DPI is a software discipline. The technology needed to do DPI is software defined. The challenge is that [DPI is] software-intensive, but it's operating in a networking discipline. It's not software on a desktop but in the network. It still needs to get bits and bytes from here to there. A big technical problem is that networks are full of switches and routers, and we need to run [DPI] software. What are we going to run it on? So the question is whether there should be a new networking device that runs at wire speed, and as a byproduct enable this very important DPI function.
Weinschenk: So it raises significant challenges.
Amir: The actual question is what is the infrastructure in the network that is going to run software at networking speeds, and be able to do so without slowing down the network in a way that essentially makes the introduction of that software into the network a network breaker? There is a whole world of servers with software, a world of switches and routers which are hardware. They are colliding. What is missing is a new type of technology that exists at multiple layers. We started solving the problem with Bivio.
Weinschenk: How important is DPI?
Amir: The statement that [for an enterprise DPI] is a no-brainer probably is true. Ignoring DPI is literally ignoring the reality of IP-based communications, that you have to know what is running on your network. You have to know what is running if you want control, if you are going to manage the network. That knowledge doesn't stop at the packet header. It extends to the payload, to the application level, and to the user information.
Weinschenk: Are all enterprises using DPI and, if so, how widely?
Amir: It would be surprising if any large enterprise had no DPI in their network. I am not so sure how widely. Their understanding of the need for DPI probably is evolving right now.
Weinschenk: What about service providers?
Amir: On the service provider side, my sense is that they are all looking at DPI technology, but I don't know if they've all deployed it. Service providers are different. It's not [just] about security; it's about ROI. Those things take a little longer. I think in the next couple of years, all service providers will have DPI installed. I think we are at the beginning of use of DPI in service providers' networks.