Slides from the recorded webinar hosted by our VP of Marketing, Cam Cullen, on the Procera Solution - where he outlines how Procera can help you navigate your way through difficulties incurred by your broadband, network, hosting, business or servicing platforms.
6. Encrypted Traffic Dominates Networks Worldwide
Service Upstream %
SSL v3 16.12%
WebDAV 7.83%
Netflix 5.65%
HTTP 5.52%
HTTP media stream 5.41%
Raw MPEG-TS 4.85%
BitTorrent transfer 4.85%
uTP 4.65%
BitTorrent KRPC 3.70%
Google 3.40%
YouTube 2.04%
RTP 1.73%
HTTP download 1.44%
Facebook 1.44%
BitTorrent encrypted transfer 1.39%
Procera Networks Data - December 2016
Service Downstream %
Netflix 19.27%
HTTP media stream 16.39%
SSL v3 9.63%
YouTube 8.96%
HTTP 4.47%
Raw MPEG-TS 4.08%
HTTP download 3.42%
Facebook 3.19%
QUIC 1.86%
Xbox Live update 1.49%
Instagram 1.46%
Playstation.net download 1.16%
uTP 1.09%
BitTorrent transfer 1.05%
HTTP2 over TLS 1.00%
7. Regional Popularity
December 2016
Service DS% US%
Netflix 22.51% 9.04%
HTTP media stream 17.64% 6.84%
SSL v3 8.66% 18.98%
Raw MPEG-TS 7.79% 8.48%
YouTube 5.35% 2.05%
Service DS% US%
HTTP media stream 21.54% 2.77%
SSL v3 8.06% 8.17%
YouTube 7.23% .86%
HTTP 5.17% 3.9%
BitTorrent KRPC 5.13% 25.68%
Service DS% US%
HTTP media stream 13.06% 2.72%
Netflix 11.90% 1.81%
SSL v3 8.78% 14.88%
Facebook 7.75% 1.80%
YouTube 7.04% 2.22%
8. Worldwide Application Growth (By Volume)
2016 Growth in Key Services – Heavy on Encrypted Applications
Service Upstream
Netflix 30.93%
YouTube 61.01%
SSL v3 47.45%
HTTP 63.65%
Facebook 88.57%
Amazon Prime 257.64%
Instagram 119.20%
uTP 58.37%
Twitch 82.60%
Twitter 93.26%
Service Downstream
Netflix 93.55%
YouTube 67.61%
SSL v3 140.25%
HTTP 80.71%
Facebook 76.72%
Amazon Prime 217.23%
Instagram 145.64%
uTP 69.09%
Twitch 175.47%
Twitter 136.21%
9. What do we mean by encryption
Three categories
Obfuscation, Proxies, Encryption
Figure labels: Proxies, Encryption, VPN
10. Encryption Scenarios Going Forward
Columns shown: HTTP; HTTPS (TLS 1.1/1.2); TLS 1.3, SNI Clear; TLS 1.3, SNI Encrypted; DNS Encrypted
Fields listed under each column: Full URL, Hostname, User Agent, Content Type, File Size, Other HTTP/HTML
Hostname label, in slide order: Hostname; Hostname (direct); Hostname (direct); Hostname (inferred); Hostname (inferred)
1 Happening 2015 and 2016
2 Will happen in 2017
3 May happen as part of TLS1.3 in 12-18 months
4 May happen in 24-36 months
HTTP 23%, non-HTTP 77%
12. Weekly Signature Updates
Industry-leading Agility and Speed to Keep Pace with the Internet Age
2775 signatures
Average of 16 updates or additions per week over the past year
13. Multiple Application Detection Techniques
• Expression matches: Patterns on payload
• Analyzers: Virtual Services
• Control/Data protocols: Port tainted
• TLS detection: SNI tracking
• Heuristics mechanisms: Flow behavioral analysis
  - Randomness
  - Metrics
  - VoIP flag
Sample of DRDL techniques for Application Identification
14. Sophisticated Tools to Accelerate Development
Highly Automated Signatures Lab Solves Major Challenges
Assessing Regional Dependencies
Automated Update Tracking
The Device Matters
17. Impact of Encryption on Use Cases
And leveraging virtualization
Diagram labels: Security; IT Analytics; Traffic Management; Policy & Charging; Regulatory Compliance; eVolution
18. Virtualization: LTE Analytics Use Cases
Executive Decisioning with Carrier-Scale Big Data Deployment
• Customer Shifted from a traditional probe to Procera due to reduced visibility
• Supporting Tens of Millions of Mobile subscribers
• Over 20 virtual systems running >40Gbps of capacity streaming IPFix to HP Big Data system
• Executives get weekly reports leveraging Procera’s Unique Network, Subscriber, and Service Intelligence
Diagram labels: PSM; LTE Packet Core; Core Router; IPFix; eVolution; Provisioning; LiveView; HP Data Warehouse
Sample Use Cases: OTT Trending; Revenue Assurance; IoT Analytics; Network Forensics; Service Planning; Performance Monitoring
19. Encryption: In-Line Policy Enforcement Use Cases
High Profile Application Aware Services and Regulatory Compliance
Real-time Visibility: Real-time forensics with topology awareness
Traffic Mgmt: Sophisticated queuing to enhance subscriber QoE and manage P2P shaping
Regulatory Compliance: OTT VOIP Blocking and VPN detection
Analytics: Subscriber, application, location and device reporting and forecasting
Customer Care: Customer Care Insights for real-time problem resolution
Intelligent Charging: Differentiated billing based on subscriber intelligence using Gy
Tiered Services: Service plans enhancing customer value using Gx
Peering: BGP Peering analytics and management
WiFi Services: PCEF for the WiFi Network using Gx and Gy
URL Categorization: URL categorization based on a set of predefined rules
OTT Partnerships: Zero-rating and/or revenue sharing partnerships with OTT players
IPFix Data Feed: For use with sixthsense media services
Diagram labels: 40G per system; 80G per system; Internet; x9; x4
20. Big Data: Analytics Use Cases
Data Scientists + Procera Data = $$$M in Additional Revenue Generated in 2016
Diagram labels: PRE PL 8960; PSM Cluster for Enrichment; 6 Collection Sites; StreamMediation; PIC; COLLECTOR; IPFIX; CDR; Data Analytics; Visualisation; Campaign Management; Billing; IN; CRM; Network; TV Log
Sample Use Cases: Revenue Assurance; Campaign Demographics; Network Forensics; Service Planning; QoE Monitoring; Trend Monitoring
21.
22. Thank you
Download the whitepaper at:
https://www.proceranetworks.com/lp-procera-spotlights-encryption
Editor's notes
This is a statement we have heard many times over the last year. Is it true? Are we going dark? Is it the end of DPI?
What it does mean: More privacy for the end user. Good for all of us, as Internet users.
What it doesn't mean: Encryption does not make services undetectable; it only makes us, as a DPI company, apply smarter techniques to detect the services. Some granularity is lost, but the main service will be available. Just as an example, 3 years ago we were able to see the videos watched on YouTube by looking at the URL, and this is not possible anymore.
What is common between bird-watching and traffic detection?
When we talk about DPI, how it is today and how it will work in the future, the analogy between DPI and bird-watching is very powerful. Let's call it packet-watching.
Every bird has its own body shape and profile: the shape, size, colour and features of its legs, feathers, skin and beak. This is a starling.
Today for DPI we look into specific details of a packet that are written in clear text, like the hostname, or at which hexadecimal pattern we can find in that packet.
This is going to change, in the same way that in bird-watching you have to deal with a flock.
Between 50% and 70% of traffic volume is encrypted nowadays.
The trend keeps growing. This tweet by Josh Aas, the Head of Let's Encrypt and a former Mozilla employee, shows the importance of HTTPS for web browsing.
For the first time, in October more than 50% of page loads done in Firefox were HTTPS.
Let's Encrypt is an open certificate authority that gives free certificates to web sites.
Netflix, with its global expansion taking hold, is the overall leader in downstream worldwide, followed closely by HTTP Media streaming, which is used by many other video streaming services from content providers.
Regionally, Netflix is King in North America and a close 2nd in APAC, but not a force in Europe yet, with other streaming video services being major contributors throughout the regions as well. SSL v3 and HTTP represent the share of traffic to pure web browsing, and BitTorrent is still a big contributor in Europe to upstream traffic (which usually tracks where Netflix is popular).
Netflix has grown substantially in 2016 due to its worldwide expansion, and both Amazon Prime and Twitch had major jumps in contribution in 2016. SSL continues to grow fast as encryption becomes more widespread. Filesharing traffic is still growing (as seen in the European traffic trends), but far slower than other traffic types.
When we talk about encryption, we really refer to different kinds of transport techniques that ensure privacy in the communication. Let's look at them one by one.
Obfuscation: The main purpose is to hide the traffic sent, often, as in the case of Tor, by anonymizing the sender. The main goal is to avoid being detected. Using Tor gives worse performance. Other obfuscated services are Viber and BitTorrent.
Proxies: They are intermediate devices used to access web content. For the web server, the originator of the request is the proxy server, not the local computer.
In the figure: ProxyServer app, Opera Turbo
Encryption: We talk about keeping the payload private. There are different mechanisms:
VPN: It tunnels the traffic in an extra layer towards a VPN server, but the information is kept private. You usually have to pay for it. In the figure: OpenVPN Connect app
QUIC Crypto (over UDP) and TLS (over TCP) are protocols whose implementation is open and well described, and that use certificates to keep the connection secured.
If you remember from a previous presentation, this is the forecast we made in early 2016 about how encryption will evolve.
In our current state, number 1, the prediction was that during 2017 we were going to see the introduction of TLS 1.3. How is this prediction going?
TLS is not new. The first TLS 1.0 RFC came in 1999 (SSL 3.0 was the original name, owned by Netscape). The TLS 1.1 standard was released in 2006 and TLS 1.2 was released in 2008. TLS 1.3 is still a draft. DNS over HTTPS is under development by Google: https://developers.google.com/speed/public-dns/docs/dns-over-https
If we move forward to the next slide, here we have a graph with the latest bundle updates and additions.
What is a signature? A signature is a service or application (from all supported devices); some of them are split into different kinds of traffic (for example control and data, or regular traffic and VoIP).
What I would like you to highlight when you meet our customers is that one of our strengths compared with the competitors is not only the total number of applications we support, but also the average number of updates we have.
The number of signatures in the last bundle is available at http://sigdev.int.prnw.net/frontpage/
Real-Time Endpoint Classification: Currently we can retrieve the hostname-to-IP-address mapping using a lookup on the URL or SNI. Instead, we will use an Endpoint Database that gives us the service-to-IP-address mapping, since the lookup won't be possible when TLS 1.3 with 0-RTT is deployed.
Bin code detectors in signature bundle: this will provide richer detection capabilities, beyond pure signatures, available each week, without the need to wait for a full software upgrade. Included in the RAHE is the Evolving Flow Behavior Analysis for encrypted apps. This means more metrics to improve detection. Procera has used XFB, aka behavioral classification, for over 10 years (Active, Asymmetric, Beginning, Initial flag, Bulky, CBR Streaming, Client is Local, Download, Established, Flowsynced, Inbound, Initial, Interactive, Outbound, Pseudo, Random, Server is Local, Streaming, Unidirectional, Untracked, and VoIP-like are existing behavior flags). It is extended to cover encrypted VoIP and encrypted video detection.
Device detection: Possibility of extracting the device from encrypted traffic.
Over 30 solutions and 150 use cases
But they don’t get there by just buying a few boxes from us. It’s a large operation; they need additional infrastructure such as a Hadoop data lake, mediation systems, campaign management platforms for taking action, and machine learning technologies in order to analyze the data.
You need people with specific skills, who are intelligent and highly educated and also understand your business. These don’t exist (enough). Dr. Bob admitted they work in tight teams for this purpose so people complement each other, and a lot of time is spent on training: understanding the data, researching algorithms and skilling up on tools.
Procera is a Subscriber, Service, and Network Intelligence software provider for network operators, with over 360M subscribers across more than 60 Tier 1 operators in 88 countries worldwide. Our customers include some of the largest and most prestigious and innovative operators in the world – Softbank in Japan, British Telecom, and Boingo Wireless to name a few. Our solutions are based on Deep Packet Inspection, and provide real-time visibility into 100% of the traffic flowing through broadband networks – regardless of the access type and at any volume of traffic. We decorate the application data with a wealth of subscriber attributes, including location, service plan, network quality, and many more. Our Headquarters is in Silicon Valley in the US, but we have engineering locations in Sweden and Canada, and regional offices in Japan, Malaysia, and Dubai. Procera employs ~219 employees worldwide, with 37% of our headcount in sales and marketing, and 32% in R&D.