Let There Be Light: Virtualized Network Management in the Age of Encryption

Cloud Management

Let There Be Light: Virtualized Network Management in the Age of Encryption

By Special Guest
Cam Cullen, VP of global marketing at Procera Networks
  |  March 08, 2017

There’s no escaping encryption.

HTTPS and SSL traffic has risen dramatically in recent years. And it’s showing no signs of slowing down.

Encryption is understandably necessary in today’s world and it’s very important for our collective privacy. But it also presents a major challenge for broadband network operators when it comes to traffic visibility and identification.

Traffic visibility is essential for the use of modern security tools and the services needed to manage today’s advanced networks. Yet encryption, despite its countless benefits, is making this difficult.

It’s threatening operator efforts to protect the subscriber experience, resulting in a far more difficult environment for identifying the applications behind high volumes of traffic. This has presented a stumbling block for operators around CEM and QoE management. Encryption already has had a tremendous impact on the tools traditionally used to address this problem, and the increased adoption of network virtualization has only amplified this issue further. But now there’s light at the end of the tunnel.

Before we can understand exactly how this issue is being addressed, however, we must first consider the current network landscape and the significant QoE challenges presented by the age of widespread data encryption.

The Data Challenge

According to Google’s (News - Alert) most recent Transparency Report, anywhere from 50 to 90 percent of traffic on a typical broadband network is now encrypted. This figure will only continue to rise as, in the post-Snowden era, application vendors and content providers implement encryption techniques to protect consumer privacy, thereby safeguarding vital information like credit card numbers, passwords, and other personal data from anyone who gains unauthorized access to their network traffic.

Encrypted HTTPS traffic is logical for this reason and doesn’t pose a significant problem to network management. The challenge for operators begins when data-hungry services such as Netflix start to encrypt their content. Without being able to effectively label this type of encrypted data, an operator may only be able to correctly identify this traffic as SSL. However, this broad category is largely unhelpful as widespread encryption means this particular classification will often group several data sources together, including anything from VoIP to video streaming.

For operators, this evidently poses a major challenge in how to prioritize certain traffic to ensure a consistent and reliable network experience for their subscribers – for example those who are making a VoIP call in a congested area. Rising traffic levels also have put operators under additional pressure. These issues have further amplified the challenges associated with encryption and the importance of addressing this problem for an operator’s bottom-line.

Addressing the Encryption Issue

Tackling this problem depends on several factors. First and foremost, operators need end-to-end visibility into all new services and content platforms likely to cause a surge in demand on their networks, as it’s widely accepted that poor network performance is linked to an increase in subscriber churn.

Yet it is also important for operators to know when and where a network surge is likely to occur, which comes back to the pressing need to be able to identify specific applications behind encrypted network traffic. After all, it’s only by having this powerful level of actionable data that they will be able to start meeting the needs of today’s subscribers en masse rather than simply serving a small heavy data usage subset of their overall user base.

Network intelligence and traffic management tools, supported by deep packet inspection, are therefore vital for operators to reduce churn and, in turn, better target different user sets. Not only will these tools help to meet this goal, they will also be key for unlocking the data needed to make it a reality. By using DPI tools, operators can identify what data is flowing across their networks in real time, prioritizing traffic where appropriate, and also identifying where the network is congested so they can take steps to address it.

Virtualized Networks, Real Problems

Yet DPI in its current form can only go so far. Although the challenge posed by encryption is currently being addressed without impacting on the protective benefits it holds for privacy, new problems are on the horizon. Increasing support and reliance on virtualized networks and NFV have renewed the challenge operators face around encryption, presenting yet another hurdle for them to overcome.

NFV is rapidly becoming the architecture of choice for broadband operators of all types. This introduces further application identification concerns, as NFV networks can be highly distributed and can dynamically change their behavior and traffic routing protocols based on current network conditions. Virtualized networks are also typically deployed on COTS hardware, presenting a fresh set of issues for packet processing.

Both of these trends fundamentally change how DPI engines must operate to successfully deliver their core function of application identification. Fundamentally, to maintain the same level of end-to-end network visibility required for application identification to function, DPI tools must also be virtualized to have the same level of speed and efficiency as the virtualized network on which they are deployed.

Once network visibility is returned, operators need to partner with a DPI vendor that is constantly updating the signatures database to ensure traffic can be accurately identified. Applications evolve quickly in the internet economy, and a change made by a major application (Netflix, YouTube (News - Alert), Skype, etc.) could cause huge inaccuracies in analytics or a major blow to QoE management if network traffic associated with that application isn’t appropriately classified.

Moving Beyond Encryption

Unlocking encrypted data traffic is only scratching the surface of what’s possible with DPI. Once the fundamental application identification challenges have been solved, use cases become the proof points in how DPI-enabled solutions can adapt to the encrypted internet.

Operators can act on this information to prioritize decisions around capex and opex investments. The network visibility afforded by DPI also can allow engineers to analyze the usage on different parts of the network to manage future expansion, and marketing teams can differentiate which services the operator is particularly strong in delivering.

With the increasing adoption of NFV, measuring the needs of new applications and providing a detailed assessment of a network can become a competitive differentiator. End-to-end visibility across a network allows operators to prioritize their investments into new technologies and expansion, achieving maximum ROI by identifying what changes will have the biggest positive impact on the overall subscriber experience.

The challenges posed to DPI by encryption and NFV are not insurmountable. By reconsidering the role of DPI and working with a vendor that can deliver virtualized solutions that keep pace with demand, networks need not remain in the dark.

Cam Cullen (News - Alert) is vice president of global marketing at Procera Networks.

Edited by Alicia Young
Get stories like this delivered straight to your inbox. [Free eNews Subscription]