by Austin Hipes, Director of Field Engineering for NEI.
Until recently, an organization that wanted to do high-performance deep packet inspection (DPI) had to turn to specialized, dedicated hardware known as Network Processing Units (NPUs). This created a number of difficulties for those organizations, because NPUs required unusual programming models and rarely had their processors upgraded. Today, however, OEMs can overcome the challenges presented by NPUs with an optimized platform from Intel®. The Intel® Platform for Communications Infrastructure (formerly called ‘Crystal Forest’) runs deep packet inspection on multi-core Intel® architecture (IA) in standard server platforms, with new hardware acceleration for encryption algorithms and compression. The optimized platform offers network security performance at multi-gigabit speeds without the need for NPUs.
With the new platform from Intel®, developers can scale their solutions from single-core, low-power, low-cost designs with less than 1 Gbps of encryption capability and 2 channels of DDR3 memory up to 16-core designs with over 80 Gbps of encryption capability and 8 channels of DDR3 memory. For independent software vendors (ISVs), this means they can develop a solution one time and scale it up to meet a variety of performance and pricing levels, allowing their platforms to evolve in sync with Intel’s product cycle. On top of that, both ISVs and OEMs can take advantage of products and services from members of the Intel® Intelligent Systems Alliance, like NEI, to enhance product development and get to market first with new innovations.
The need for deep packet inspection continues to grow each year as more and more mobile devices get upgraded with 4G capabilities, cloud computing and storage usage increases, and the volume of streaming video rises. These demands push networks to the edge, forcing operators to make the most efficient use of their limited resources. By utilizing DPI, operators can look at the data moving on their networks and control how each packet of information is handled. Operators who can inspect each data packet in real time can enforce content rules more accurately, identify and isolate security threats, prioritize traffic within the network, and collect usage data.
As an example, take a company whose corporate IT policy prohibits streaming video over the enterprise network. Without deep packet inspection capabilities, the existing firewall and policy security tool only allow the IT administrator to block specific sites like YouTube, and block the TCP ports typically used for video streaming. When DPI is added, the policy security tool is able to look at the packet structure down to the application level, and detect and block video streams regardless of the port or website they enter on.
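The difference between the two policies can be shown on a handful of flows. The following is an added example, not code from the whitepaper or from any Intel or NEI product: it compares a port-only rule with a payload check on constructed sample flows. The function names, the blocked-port set and the three simplified signatures (an HTTP `Content-Type: video/` header, an RTSP request line, MPEG-TS sync bytes) are assumptions chosen for illustration and go beyond the protocols the text names.

```python
import re

VIDEO_PORTS = {554, 1935}        # RTSP and RTMP defaults, what a port rule blocks
TS_PACKET, TS_SYNC = 188, 0x47   # MPEG transport stream: sync byte every 188 bytes
RTSP_REQ = re.compile(rb"(OPTIONS|DESCRIBE|SETUP|PLAY) \S+ RTSP/1\.0\r\n")
HTTP_VIDEO = re.compile(rb"(?im)^content-type:\s*video/")

def port_verdict(dst_port):
    """Firewall-style decision: only the destination port is consulted."""
    return "block" if dst_port in VIDEO_PORTS else "allow"

def looks_like_mpeg_ts(payload, min_packets=3):
    """Heuristic: sync byte repeats at 188-byte intervals from some offset."""
    for start in range(min(TS_PACKET, len(payload))):
        idx = range(start, len(payload), TS_PACKET)
        if len(idx) >= min_packets and all(payload[i] == TS_SYNC for i in idx):
            return True
    return False

def dpi_verdict(payload):
    """Application-level decision: the port is ignored, the content is inspected."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    if head.startswith(b"HTTP/") and HTTP_VIDEO.search(head):
        return "block"
    if RTSP_REQ.match(payload) or looks_like_mpeg_ts(payload):
        return "block"
    return "allow"

# Constructed sample flows: (label, destination port, first payload bytes).
FLOWS = [
    ("web page", 80, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"),
    ("mp4 over HTTP", 8080, b"HTTP/1.1 200 OK\r\nContent-Type: video/mp4\r\n\r\n\x00\x00\x00\x18ftyp"),
    ("RTSP on odd port", 8554, b"DESCRIBE rtsp://media.example/cam RTSP/1.0\r\nCSeq: 1\r\n\r\n"),
    ("MPEG-TS over UDP", 5004, (bytes([TS_SYNC]) + bytes(187)) * 4),
    ("non-video on 1935", 1935, b"PING keepalive\n"),
]

def compare(flows=FLOWS):
    """Return {label: (port_verdict, dpi_verdict)} for each flow."""
    return {label: (port_verdict(port), dpi_verdict(data)) for label, port, data in flows}

if __name__ == "__main__":
    for label, verdicts in compare().items():
        print(f"{label:18} port={verdicts[0]:5} dpi={verdicts[1]}")
```

The port rule misses all three video flows on non-standard ports and blocks the one non-video flow that happens to use port 1935, while the payload check decides each flow on its content.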
Deep packet inspection is valuable for Video on Demand (VoD) services, where a session needs to stay with its original processing server until the session is complete. It is also widely used for network security, where data streams must be inspected in real time for worms, viruses, and spyware. As more mobile devices connect to corporate networks via VPN services, it becomes easier to infect the network directly if the threat is not discovered first. A more robust security solution is possible if deep packet inspection is included in security policy enforcement.
[Excerpted from the whitepaper entitled Accelerating Deep Packet Inspection with Latest Intel® Server Technologies.]