First Packet Advantage: A New Approach to First Packet Classification for SD-WAN and SASE
What is First Packet Processing?
First packet processing is a technique for identifying applications and services in network traffic from the very first packet in a flow. This enables the instantaneous execution of application-specific rules, such as those related to unique bandwidth, latency, or security requirements.
The Challenge with First Packet Processing
First packet processing is beneficial for high-throughput networking and security solutions like SD-WAN and SASE. However, most first packet processing techniques score poorly on accuracy and granularity. This leaves vendors with an unfortunate choice between passing more traffic through DPI – limiting the performance advantage of first packet processing, or executing immediate traffic steering or security policies based on limited – or even erroneous – information.
The Enea Solution
Enea’s First Packet Advantage addresses these accuracy, granularity and performance challenges to unleash the full power of first packet processing. It improves on conventional cache-based first packet processing through two innovative features:
- Cascading Cache Structure: First Packet Advantage replaces conventional single-pass cache lookups of previously classified traffic with a cascading, multi-criteria lookup structure that leverages internal session prediction caches and known IP addresses. This boosts accuracy and significantly reduces the amount of traffic that requires immediate DPI processing.
- Internet Protocol Database (IPDB): First Packet Advantage expands the IP addresses used in its prior cascaded cache from hundreds of IP addresses to millions of rigorously verified addresses. These IP addresses are derived from the fully qualified domain names (FQDN) of the top 1 million most popular Internet domains. To maintain accuracy, the FQDNs and associated IP addresses are continuously run through a multi-step validation process as part of the “Evergreen” program in the Enea Labs.
In addition, First Packet Advantage applies service categories to Office 365 traffic based on first packet data alone, enabling ultra-efficient, category-based management of this widely used software suite.
First Packet Advantage is available as a standard feature in Enea’s Qosmos ixEngine and Qosmos Probe (a software sensor which embeds ixEngine). It delivers an immediate performance advantage for SD-WAN and for Secure Access Service Edge (SASE) solutions, which provide integrated SD-WAN and security functions as a cloud service. It also enables vendors of these solutions to better position themselves for major industry changes, including fully encrypted environments and Artificial Intelligence (AI)-driven orchestration and analytics.
Performance + Innovation for SD-WAN & SASE
Paving the Way for Artificial Intelligence
This new approach translates to an immediate performance boost for today’s SD-WAN and SASE solutions. Beyond this performance boost, First Packet Advantage also delivers the data precision and lightning-fast processing required for AI-powered orchestration in the SD-WAN market, and AI-based security operations management and threat analytics in SASE solutions.
Supporting the SD-WAN to SASE Evolution
First Packet Advantage is also unique in its ability to deliver robust security-related information in addition to application and service classification. This enhances existing security capabilities for SASE vendors and supports product evolution for SD-WAN vendors. Specifically, the security-related data enables SD-WAN vendors to enhance their offer with new security rules, to develop firewalls and other key security components as part of a Secure SD-WAN solution, or to evolve their offer into complete, cloud-based SASE solutions.
Providing a Visibility Safeguard for Fully Encrypted Environments
In addition, the unique IP-based traffic classification system (IPDB) within Qosmos ixEngine will be especially valuable as stronger, more rigorous encryption standards are adopted. This change in encryption practices will expand the situations in which proxies cannot be deployed to decrypt and inspect traffic, or in which doing so will become undesirable for performance.
In such environments, IPDB will provide an important alternative method of accurately identifying protocols, applications and services. Furthermore, Enea Labs research has shown that machine learning combined with IP-based classification can help restore some of the vital granularity that is typically lost with IP-based classification.