In today’s competitive networking equipment and software market, one certainty is that more technology will fit in a composed platform and be sold for less money.
This “technology collapse,” or the inclusion of more capabilities in an increasingly simplified and smaller footprint, presents some significant challenges; yesterday’s “special sauce” is today’s table stakes requirement. Exerting rare resources on that which is more readily—and inexpensively--subscribed to can bust a budget. Worse, it lengthens time-to-market and leads to missed opportunities.
The Secure Web Gateway (SWG) category has certainly been subject to this dynamic. Long gone are the days when Network Managers deployed best-in-class, purpose-built, multi-appliance architectures. Indeed, the growth in cloud-based SWGs and away from premise-based solutions all together, while nascent, illustrates this shift further. Inclusion of a broad array of functions and features within any offer is a must.
The pressure to expand and maintain feature sets beyond things like sandbox testing, reputation review, data-loss protection, browser emulation, social media controls and policy application for BYOD is intense. There is no near-term prospect for this to abate either. While hybrid premise-cloud, as well as cloud-based solutions, alleviate deployment issues and provide some relief for currency, they are hardly a cure-all for all the requirements. The to-do list continues to grow longer and matching resources to that can be challenging at best—and a Product Manager’s worst nightmare in the harshest light.
One key area for relief is in Deep Packet Inspection (DPI), a foundational technology that many SWG functions make use of. The ability to hire expertise in this area can pay tremendous dividends and relieve overworked staff from maintaining knowledge in an increasingly arcane discipline. Protocol deconstruction can be best left to experts in the field.
The more complex aspects of detecting applications can take years to learn and apply. With each new release of an application, detection schemes that may have worked previously are rendered completely ineffective. Encyclopedic knowledge of the many different evasion and obfuscation techniques used by all protocols is required to solve those presented by a new release of a certain application or anonymizing client, as an example.
Of course the path to product selection involves choices and trade-offs. One thing that cannot be compromised in selection of DPI engines is performance. The growth in data traveling across networks is constant. So, a DPI engine optimized for linear performance over deployed CPUs enables the highest available performance.
Accurate coverage and predictable release cadence are also important success factors in the selection of DPI software. As it relates to SWGs, these attributes are critically important. Decisions to exercise security policy are directly tied to the classification results provided by the DPI engine. An error causes the right traffic to be impeded, while the wrong traffic might be afforded passage. In either case, unpredictable results may occur and good security is dependent on consistency and predictability.
The ability to create and release accurate, dependable DPI signatures in short order can be a game-changing capability – often meaning the difference between a vulnerability that is patched in days or lingers for weeks and even months. With most SWG products, fast response to new threats is extremely important and a vendor of DPI software must have experience in the crucible as it relates to rapid signature deployment.
At Procera, we have over 16 years of experience developing application signatures for DPI. Our leadership position with all our products, PacketLogic for premise-based solutions and NAVL for OEM integration partners, exposes Procera to some of the most demanding requirements in the business. While the plane of reference for our competition is limited, Procera sees these problems from a global perspective and from a more complete set of viewpoints. When hiring experts, it is critical to choose a company whose rich heritage and indeed focus, is on the area that matters most—not the tangential aspects that matter not at all. Procera is truly that company with expertise in signature development and a worthy selection for anyone looking to hire a true expert.
Read the article as seen on page 29 of the latest Cyber Defense magazine here.