Until recently, an organization that wanted to do high-performance deep packet inspection (DPI) had to turn to specialized, dedicated hardware known as Network Processing Units (NPUs). This created a number of difficulties for those organizations, because NPUs required unusual, vendor-specific programming models and rarely had their processors upgraded. Today, however, OEMs can overcome the challenges presented by NPUs with an optimized platform from Intel®. The Intel® Platform for Communications Infrastructure (formerly called ‘Crystal Forest’) performs deep packet inspection on multi-core Intel® architecture (IA) processors in standard server platforms, adding hardware acceleration for a new encryption algorithm and for compression. The optimized platform offers network security performance at multi-gigabit speeds without the need for NPUs.
With the new platform from Intel®, developers have the ability to scale their solutions from single-core, low-power, low-cost designs with less than 1 Gbps of encryption capability and 2 channels of DDR3 memory up to 16-core designs with over 80 Gbps of encryption capability and 8 channels of DDR3 memory. For independent software vendors (ISVs), this means they can develop a solution once and scale it to meet a variety of performance and price points, allowing their platforms to evolve in sync with Intel’s product cycle. On top of that, both ISVs and OEMs can take advantage of products and services from members of the Intel® Intelligent Systems Alliance, such as NEI, to enhance product development and get to market first with new innovations.
The need for deep packet inspection continues to grow each year as more and more mobile devices get upgraded with 4G capabilities, cloud computing and storage usage increases, and the volume of streaming video rises. These demands push networks to the edge, forcing operators to make the most efficient use of their limited resources. By utilizing DPI, operators can look at the data moving on their networks and control how each packet of information is handled. Operators who can inspect each data packet in real time can enforce content rules more accurately, identify and isolate security threats, prioritize traffic within the network, and collect usage data.
As an example, take a company whose corporate IT policy prohibits streaming video over the enterprise network. Without deep packet inspection capabilities, the existing firewall and policy security tool only allow the IT administrator to block specific sites like YouTube and to block the TCP ports typically used for video streaming. When DPI is added, the policy security tool can look at the packet structure down to the application level, and detect and block video streams regardless of the port or website they arrive on.
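To make the difference concrete, here is an added illustration (not code from the original article or from Intel) that runs a port-based rule and an application-level rule side by side over constructed packets; the port list, the payload signatures and the sample payloads are assumptions for the example.

```python
import re
from dataclasses import dataclass

# Ports "typically used for video streaming" (constructed list for the example): RTSP and RTMP
STREAMING_PORTS = {554, 1935}

# Application-layer signatures, matched against the payload regardless of the TCP port:
# an HTTP response announcing a video MIME type or an HLS playlist, or an RTSP reply
VIDEO_SIGNATURES = [
    re.compile(rb"^Content-Type:\s*(video/|application/(x-mpegURL|vnd\.apple\.mpegurl))", re.I | re.M),
    re.compile(rb"^RTSP/1\.0 200 OK", re.M),
]


@dataclass
class Packet:
    server_port: int  # port on the server side of the TCP connection
    payload: bytes    # application-layer bytes following the TCP header


def port_filter(pkt: Packet) -> bool:
    """Port-based rule: blocks only when the server port is a known streaming port."""
    return pkt.server_port in STREAMING_PORTS


def dpi_filter(pkt: Packet) -> bool:
    """DPI rule: inspects the payload itself for application-level video signatures."""
    return any(sig.search(pkt.payload) for sig in VIDEO_SIGNATURES)


# Constructed sample traffic covering the four combinations the two rules can disagree on
SAMPLE_PACKETS = [
    # video on the standard RTSP port: both rules block it
    Packet(554, b"RTSP/1.0 200 OK\r\nCSeq: 3\r\nSession: 12345\r\n\r\n"),
    # video served over HTTP on a non-standard port: only DPI catches it
    Packet(8080, b"HTTP/1.1 200 OK\r\nContent-Type: video/mp4\r\nContent-Length: 1048576\r\n\r\n\x00\x00\x00\x1cftypisom"),
    # an ordinary web page on that same port: DPI must leave it alone
    Packet(8080, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"),
    # non-video traffic that happens to use port 554: the port rule blocks it by mistake
    Packet(554, b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{}"),
]


def compare(packets):
    """Return (server_port, blocked_by_port_rule, blocked_by_dpi_rule) for each packet."""
    return [(p.server_port, port_filter(p), dpi_filter(p)) for p in packets]
```

The second and fourth packets show the two failure modes of port-based enforcement: a miss on video that moved to another port, and a false block of unrelated traffic on a "video" port.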
Deep packet inspection is valuable for Video on Demand (VoD) services, where a session needs to stay with its original processing server until the session is complete. It is also widely used for network security, where data streams must be inspected in real time for worms, viruses, and spyware. As more mobile devices connect to corporate networks via VPN services, it becomes easier to infect the network directly if the threat is not discovered first. A more robust security solution is possible if deep packet inspection is included in security policy enforcement.
As the data plane load from mobile devices, cloud storage, and cloud computing increases on network servers, the need for deep packet inspection also increases as a means of providing encrypted data security for all information passing across a network. Data encryption is now an important part of people’s everyday lives at home and at work, whether it’s a family member backing up information from a personal laptop to a cloud storage system or an IT administrator remotely accessing a corporate server from a tablet. With the enormous growth in encryption-driven network services like these, deep packet inspection and data encryption are typically linked together. DPI is used to encrypt and decrypt data in real time on the network to analyze packet contents and determine the appropriate routing based on intelligent traffic and security rules.
In the past, the only way to do high-performance deep packet inspection and encryption was to use Network Processing Units (NPUs) that were designed specifically for this purpose. NPUs are commonly found in network devices ranging from network monitoring systems and session border controllers to intrusion detection and prevention systems (IDPS). On top of one or more NPUs, many platforms also provide complete system-level functionality for the control plane by incorporating CPU-based server hardware.
NPUs have certain advantages when performing deep packet inspection and encryption, but they also have several important disadvantages. Primarily, NPUs incorporate a proprietary architecture that makes programming the devices difficult and requires specialized skills. In addition, the code written for an NPU is not typically compatible with the code for the rest of the networking hardware, which dramatically decreases system flexibility and means that two separate programming teams are required any time these systems must be commissioned or modified: one for the NPU software and another for the CPU software. Coordinating these two distinct teams can pose a real challenge to system owners and operators.
Beyond the software disparities, the hardware itself can also be a disadvantage. NPUs complicate the design of hardware systems and significantly increase the cost. Plus, NPU hardware goes longer between silicon refreshes than other processors and peripherals, meaning that OEMs often find themselves stuck with comparatively antiquated technology. Because of the recent innovations in server hardware design, however, OEMs can now perform deep packet inspection at multi-gigabit speeds without the need for costly, specialized NPUs.