Layer 7 visibility, roaming, and encryption questions.

Question, updated 5 years ago (answered)
I'm curious what happens during a roam when you are doing layer 7 visibility? For example if someone roams mid layer 2 roam, does classification get any less accurate?

Can you identify encrypted traffic with layer 7 visibility? Are there any restrictions around that? I.e., can a user simply circumvent the layer 7 application visibility by encrypting their traffic? Are there any limitations around that where maybe only certain encrypted traffic can be recognized by certificate or something?

KFern, posted 5 years ago

Crowdie, Champ

> I'm curious what happens during a roam when you are doing layer 7 visibility?
> For example if someone roams mid layer 2 roam, does classification get any
> less accurate?

At all times you are associated to one access point or another (assuming you are associated at all). Therefore, the access point you are currently associated to will do the layer seven inspection.

> Can you identify encrypted traffic with layer 7 visibility? Are there any restrictions
> around that? I.E. can a user simply circumvent the layer 7 application visibility by
> encrypting their traffic.Are there any limitations around that where maybe only
> certain encprypted traffic can be recognized by certificate or something?

When data is encrypted the access point's packet inspection will see the encrypted payload but not the original data. Therefore, if you allow a user to VPN through your wireless network, for example, you lose visibility of the data they are transmitting.

If you want to stop this happening then you need to block the VPN or encryption software during initialization.

KFern

"At all times you are associated to one access point or another (assuming you are associated at all). Therefore, the access point you are currently associated to will do the layer seven inspection."

What I have heard from other WLAN vendors (Meraki) is that you need the first couple of packets to be most accurate with DPI. I have heard that if you roam from one AP to another and the first few packets of an application flow were transmitted on the first AP, and the rest on the second AP, accuracy goes down to something like 15%. This is because the DPI happens on the AP you are currently associated to, and that AP didn't happen to see the first few packets in the flow. Would this be the same with Aerohive, or have you overcome this with some type of session sync or something?

"When data is encrypted the access point's packet inspection will see the encrypted payload but not the original data. Therefore, if you allow a user to VPN through your wireless network, for example, you lose visibility of the data they are transmitting."

What about BitTorrent, just as an example. One can set BitTorrent to be encrypted. Can Aerohive see the encrypted BitTorrent? What about other encrypted applications like, say, Dropbox? Other vendors (Meraki) claim they can still recognize the application by looking at the certificate and such. Can Aerohive do the same?

Crowdie, Champ

Ask five different firewall vendors what is the best way to do deep packet inspection and you will get five different answers :-)

Good question about the layer two roam though. Aerohive use Co-Operative Control Protocols so their access points work under slightly different rules to controller based access points, such as used by Meraki. Maybe somebody from Aerohive could answer how the access points handle deep packet inspection with a roaming client?

An interesting answer from Meraki (Cisco), as enterprise wireless vendors who utilise wireless LAN controllers traditionally have the wireless LAN controller manage the deep packet inspection rather than the access point, so it doesn't matter which access point the data is sent to: the access point just tunnels it back to the wireless LAN controller for processing. Meraki must be running a hybrid design where the access points are still controlled by the wireless LAN controller (a cloud based controller in Meraki's case) but the access point is doing the deep packet inspection and not forwarding the deep packet inspection data during a roam.

> What about bit-torrent just as an example. One can set bit-torrent to be
> encrypted. Can Aerohive see the encrypted bit-torrent?

Aerohive will see the BitTorrent protocol initiate and should drop it then. Therefore, the encryption never occurs and no data is transmitted.

I always use the term "should" with security style questions as applications like BitTorrent are always being updated to try and get around network security. So just because something works today does not mean it will work tomorrow.

Mike Kouri, Official Rep

Crowdie is a star - I step away for a few days and when I come back I see he's answering things as well or better than I.

Coming from a security and DPI background, I agree in general with what Meraki said to KFern: observing the session initiation is critical to correctly determining the application.

Crowdie is right that our cooperative control protocols do exchange identity and session information between APs, so that we should continue to correctly process and count traffic after a user roams between APs.
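As an added illustration of the two points the thread turns on (a DPI verdict depends on seeing the first packets of a flow, and sharing session state between APs keeps that verdict across a layer 2 roam), here is a constructed Python model; it is not Aerohive or Meraki code. The BitTorrent handshake prefix is the real one, the Dropbox match on a TLS ClientHello is a simplified substring check, and all addresses and payloads are made up.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Pkt:
    flow: Tuple[str, str, int]   # stand-in for the 5-tuple: (client, server, dst_port)
    payload: bytes

def classify_first_packet(payload: bytes) -> str:
    """Signatures that only match the opening packet of a flow; later packets
    of these protocols are encrypted or opaque and carry no usable marker."""
    if payload.startswith(b"\x13BitTorrent protocol"):  # real BitTorrent handshake prefix
        return "bittorrent"
    # TLS record type 0x16 (handshake), version 0x03xx; the SNI hostname in the
    # ClientHello is still plaintext. Simplified substring match for illustration.
    if payload.startswith(b"\x16\x03") and b"dropbox.com" in payload:
        return "dropbox"
    return "unknown"

class AccessPoint:
    def __init__(self, name: str, session_table: Optional[Dict] = None):
        self.name = name
        # Private table per AP by default; handing one shared dict to several APs
        # models the cooperative session sync discussed in the thread.
        self.sessions: Dict = session_table if session_table is not None else {}

    def inspect(self, pkt: Pkt) -> str:
        # Decide on the first packet seen for a flow; every later packet
        # inherits that verdict, so flow-start visibility is what matters.
        if pkt.flow not in self.sessions:
            self.sessions[pkt.flow] = classify_first_packet(pkt.payload)
        return self.sessions[pkt.flow]

# Constructed sample payloads (not captured traffic).
BT_HANDSHAKE = b"\x13BitTorrent protocol" + b"\x00" * 8 + b"\x11" * 20 + b"\x22" * 20
TLS_HELLO = b"\x16\x03\x01\x00\x40\x01" + b"\x00" * 20 + b"client.dropbox.com"
VPN_OPAQUE = b"\x45\x00\x00\x5c\x9a\x3f"   # encrypted from the first byte, e.g. a VPN tunnel
DATA_AFTER = b"\x8f\x2a\xde\xad\xbe\xef"   # post-handshake (encrypted) application data

def roam_scenario(first_payload: bytes, session_sync: bool) -> str:
    """Flow starts on AP1, client roams, the rest arrives at AP2; return AP2's verdict."""
    shared = {} if session_sync else None
    ap1, ap2 = AccessPoint("AP1", shared), AccessPoint("AP2", shared)
    flow = ("10.0.0.7", "203.0.113.9", 6881)   # constructed addresses
    ap1.inspect(Pkt(flow, first_payload))
    return ap2.inspect(Pkt(flow, DATA_AFTER))

if __name__ == "__main__":
    print("BitTorrent, no sync  :", roam_scenario(BT_HANDSHAKE, session_sync=False))  # unknown
    print("BitTorrent, with sync:", roam_scenario(BT_HANDSHAKE, session_sync=True))   # bittorrent
    print("VPN, with sync       :", roam_scenario(VPN_OPAQUE, session_sync=True))     # unknown
```

Without the shared table AP2 only ever sees opaque post-handshake bytes and reports "unknown", which is the accuracy drop KFern describes; with it AP2 inherits AP1's verdict, while a flow that is encrypted from its first byte stays "unknown" on both APs, matching Crowdie's point about VPN traffic.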