What is First Packet Processing?
First packet processing is a technique for identifying applications and services in network traffic from the very first packet in a flow. This enables the instantaneous execution of application-specific rules, such as those related to unique bandwidth, latency, or security requirements.
The Challenge with First Packet Processing
First packet processing is beneficial for high-throughput networking and security solutions like Software-Defined Wide-Area Networking (SD-WAN) and Secure Access Service Edge (SASE). However, most first packet processing techniques score poorly on accuracy and granularity.
This leaves vendors with an unfortunate choice between passing more traffic through DPI – limiting the performance advantage of first packet processing, or executing immediate traffic steering or security policies based on limited – or even erroneous – information.
The Enea Solution: First Packet Advantage (FPA)
Enea’s First Packet Advantage (FPA) addresses these accuracy, granularity and performance challenges to unleash the full power of first packet processing. It improves on conventional cache-based first packet processing through two innovative features:
- Cascading Cache Structure: First Packet Advantage replaces conventional single-pass cache lookups of previously classified traffic with a cascading, multi-criteria lookup structure that leverages internal session prediction caches and known IP addresses. This boosts accuracy and significantly reduces the amount of traffic that requires immediate DPI processing.
- Internet Protocol Database (IPDB): First Packet Advantage expands the IP addresses used in its prior cascaded cache from hundreds of IP addresses to millions of rigorously verified addresses. These IP addresses are derived from the fully qualified domain names (FQDN) of the top 1 million most popular Internet domains. To maintain accuracy, the FQDNs and associated IP addresses are continuously run through a multi-step validation process as part of the “Evergreen” program in the Enea Labs.
In addition, First Packet Advantage applies service categories to Office 365 traffic based on first packet data alone, enabling ultra-efficient, category-based management of this widely used software suite.
First Packet Advantage is available as a standard feature in Enea Qosmos ixEngine®, and Enea Qosmos Probe (a software sensor that embeds Enea Qosmos ixEngine). It delivers an immediate performance advantage for SD-WAN and for SASE solutions, that provide integrated SD-WAN and security functions as a cloud service. It also enables vendors of these solutions to better position themselves for major industry changes, including fully encrypted environments and Artificial Intelligence (AI)-driven orchestration and analytics.
“Application awareness is essential for SD-WAN and SASE solutions, but many conventional traffic classification engines score poorly in accuracy, granularity, and performance. A solution like Enea’s First Packet Advantage that operates with high accuracy in first packet mode, brings improved protection and performance to vendors and end-customers.”
Roy Chua, Founder and Principal, AvidThinkFPA = Performance + Innovation for SD-WAN and SASE
Supporting the SD-WAN to SASE Evolution
First Packet Advantage is unique in its ability to deliver robust security-related information in addition to application and service classification. This enhances existing security capabilities for SASE vendors and supports product evolution for SD-WAN vendors. Specifically, the security-related data enables SD-WAN vendors to enhance their offer with new security rules, to develop firewalls and other key security components as part of a Secure SD-WAN solution, or to evolve their offer into complete, cloud-based SASE solutions.
Providing a Visibility Safeguard for Fully Encrypted Environments
In addition, the unique IP-based traffic classification system (IPDB) within Enea Qosmos ixEngine will be especially valuable as stronger, more rigorous encryption standards are adopted (e.g. TLS 1.3 ECH). This change in encryption practices will expand the situations in which proxies cannot be deployed to decrypt and inspect traffic, or in which doing so will become undesirable for performance.
In these situations, the IPDB used in FPA can provide an important resource for safeguarding essential visibility into network traffic. Furthermore, the Enea Labs team has successfully demonstrated that combining machine learning with IP-based classification can help restore some of the vital granularity that is typically lost when traffic is encrypted with technologies such as TLS 1.3 ECH.
For more information on encryption and Enea technology for traffic identification and classification, visit our encryption resource hub.
Recommended Resources