DPI and Content Filtering

Protect your users with traffic filter

You can’t eradicate threats from the web, but, as an operator, you can protect your users from unwanted content.

The risk of children being exposed to malicious content on the internet has increased manifold in recent times as families have started turning to online solutions for their education. Corporates, too, face challenges protecting employees from phishing and managing access to inappropriate content with the rise in homeworking. New encryption protocols threaten to derail all existing solutions.

However, this also provides a monetization opportunity for forward-thinking Mobile Network Operators (MNOs) and ISPs to protect users with control or network traffic filtering solutions.

Enea Openwave Traffic Filter enables MNOs and ISPs to design domain and content filtering use cases for enterprises and retail subscribers. Management of new encryption protocols is built into our roadmap (see below). Use cases include:

  • Parental control - where access to adult and malicious content is restricted for minors to keep them safe online and empower parents and educational institutions to regulate web browsing.
  • Regulatory compliance - based on policies defined by the regulatory authority, such as
    - CIPA, a US regulation that mandates K-12 schools and libraries to use Internet filters and other measures to protect children
    - BBFC (British Board of Film Classification), a non-governmental organization responsible for content classification in the UK
  • Enterprise use cases such as restricting access to social media, gaming and streaming to improve productivity and reduce distraction

Deployment

Our solution can be deployed on the SGi interface on COTS x86/ia64 hardware or as a Virtual Network Function (VNF) using OpenStack and VMware/vCD virtual environment, in line with all IP (or DNS) traffic in the network or from selected subscribers.

Traffic Filter includes:

  • Ultra-Efficient Inline Packet Processing Engine
  • Inline Encrypted Traffic Analysis and Categorization
  • Out-of-Band Domain-Based Analysis and Categorization
  • Policy Breach Redirection for Encrypted Traffic
  • DNS Request Redirection
  • Safe Search Support
  • Policy-Based Selective Service Orchestration
  • Policy and Subscriber Interfaces
  • Support for Group Policies
  • Extensible Content Categorization Database
  • Custom Content Categories
  • Support for Whitelists
  • Daily Database Updates
  • Learning Mechanism
  • Domain Live Checker
  • Rich Dashboard with Reports
  • ICAP Server
  • Subscriber Data Repository
  • REST Interface for Subscriber and Policy Provisioning
  • Third-party Portal Integration
  • Offline Tracing

Filtering policy can be a combination of:

  • Subscriber (MSISDN)
  • Subscriber profile and group
  • Incoming/outgoing IP address or range
  • Incoming/outgoing port number or range
  • Content classification
  • Requested URL/domain
  • Roaming status
  • Bearer used to access the service
  • APN
  • Cell-ID
  • Time of the day
  • Day of the week
  • Interface used to transmit the request/response

In-depth Reporting

Content filtering is complemented by advanced analytics on protocols, apps and behavior, which also show how specific policies are working. This creates a positive, proactive feedback loop for the operations and business teams.

Support for Extended Encryption in Internet Protocols

A far greater depth of encryption is emerging via the Internet Engineering Task Force (IETF), driven by industry players including hyperscalers, Operating System (OS) and browser vendors, and Domain Name System (DNS) solution providers. These protocols offer users a higher degree of privacy, but once again threaten to impede the operator’s ability to manage traffic and perform essential value-added services such as parental controls.

IETF is working on TLS 1.3 extensions that include the encryption of the SNI (eSNI) and more recently, an update to the eSNI draft to consider encrypting the entire Client Hello (ECH). This will ensure that the target domain information is not visible in the TLS handshake.

In addition to the above, IETF has published a document that defines the DoH protocol for sending DNS queries and responses over HTTP and TLS (HTTPS). DoH will impact all traffic filtering solutions that rely on DNS inspection or classification, of which there are many currently in use in Tier-1 and Tier-2 networks from big-name vendors. All of these will be rendered ineffective, as they will not be able to view the details within a DNS flow and thus cannot classify that traffic. Solutions that perform “in-line” inspection, however, will not be impacted by DoH.

So, take the time now to ensure that your vendor’s roadmap includes a convincing solution for tracking these events and for how they will manage not just DoH, but eSNI.

To know more about these challenges, download our e-brief “Content Filtering and Parental Controls in a Post Pandemic World”
