Enterprises have seen an explosion of new applications, devices and classes of users on their LANs, which makes it harder than ever for IT to ensure network performance, secure corporate assets and comply with regulations. In response, next-generation intelligent LAN switches are emerging that are designed to provide stateful, deep-packet inspection up through Layer 7, providing granular user- and application-level controls.
Other network devices that have already "moved up" the protocol stack include WAN-acceleration platforms and load-balancing switches. Now, by maintaining state information, intelligent switches can forward based on flows instead of packets. Advanced deep-packet inspection provides user identity and L7 application detail in classifying flows, enabling IT to apply access and QoS policies far beyond the virtual LAN/ACL controls that traditional L3/L4 switches support.
Intelligent switches with L7 deep-packet inspection and stateful flow analysis can correlate user, device, application, destination and other information to continuously monitor and control LAN traffic, which greatly simplifies troubleshooting, compliance, security provisioning and other IT tasks.
Stateful inspection savvy
Like a stateful firewall, a stateful switch holds in memory key attributes of each flow or connection, such as user identity, IP addresses and ports involved in the connection, application and underlying protocols and flows in use, and the specific content accessed. These attributes, which are referred to as the state of the connection, are maintained through the life of the flow and aid in policy enforcement and visualization.
The most CPU-intensive checking is performed at the connection setup, with subsequent packets monitored at rapid rates. Some intelligent switches also learn the user's identity -- including username and organizational role -- at connection setup, and tie this information to the source media access control and IP addresses. Consequently, IT can intelligently control traffic flows and maintain traffic logs based on username and role as well as the application type.
Many LAN devices attempt to glean application information by reading L4 details and deducing the application based on well-known port numbers. In contrast, an intelligent switch with stateful deep-packet inspection can be programmed to watch for unique application behavior.
For example, SSH follows a predictable pattern and can be identified regardless of the L4 port used, alerting IT that this encrypted traffic is going to external destinations over non-standard ports. Intelligent switches can also distinguish between protocols that operate over port 80, and understand different traffic types running over HTTP. L7 analysis can even yield application detail such as the name of a file in use or the URL a user is attempting to reach. Achieving this level of intelligence requires a new switch architecture and operating system design.