
Page 1: QOSMOS LIBDEVICE 2

FEBRUARY 2021
TRAFFIC INTELLIGENCE
WWW.ENEA.COM

QOSMOS LIBDEVICE 2.0
A NEW WAY TO BRING DEVICE AWARENESS TO ACCESS NETWORK MANAGEMENT & SECURITY

SOLUTION BRIEF

Page 2: QOSMOS LIBDEVICE 2


The number of devices connected to IP networks will be more than three times the global population by 2023.

Many of those connections will pass through enterprise networks as workforce mobility, bring your own device (BYOD) practices, cloud and edge computing, and the Internet of Things (IoT) redefine the boundaries of the digital enterprise.

Managing the volume, variety, and transience of connected devices today requires automation, virtualization, and the distribution of connectivity and computing resources. This in turn requires universal, real-time device visibility.


Page 3: QOSMOS LIBDEVICE 2


QOSMOS LIBDEVICE 2.0

100% Agentless & Passive: Safe, high-performance use in all access networks

Best-in-Class Coverage & Accuracy: Granular, accurate identification of 50K+ types of consumer, enterprise, and industrial devices

Embedded Software (SDK+API): Maximum product flexibility and revenue potential

Single-Source Solution: One supplier for traffic and device classification for fast time-to-market and offloaded development and maintenance

The LibDevice 2.0 software module helps vendors achieve global visibility by identifying devices traditional solutions either can’t classify, or can’t classify with the level of performance, safety, accuracy or granularity that networking and security solutions require.

Available as an optional module with the Qosmos ixEngine® and Qosmos® Probe, LibDevice 2.0 is an agentless, passive solution that delivers precise, detailed profiles of around 50K+ types of consumer, enterprise, and industrial devices.

LibDevice 2.0 combines breadth of coverage, embedded deployment, and non-intrusive technology, making it the ideal tool for boosting the device recognition capabilities of existing products, or creating entirely new device-aware products—quickly, easily and profitably.

To better understand the solution and how it can benefit your products, we will look at the challenges of current device classification methodologies, then help you to determine if a passive, agentless method is right for your product, and, finally, we will explain how LibDevice 2.0 works.

Page 4: QOSMOS LIBDEVICE 2


DEVICE CLASSIFICATION METHODS

Agent & 802.1X: Install software agents and certificates on devices

Agentless & Active: Ping, poll, scan or query infrastructure and/or connected devices

Agentless & Passive (Qosmos LibDevice 2.0): Use device fingerprints extracted from traffic flows to classify devices

Page 5: QOSMOS LIBDEVICE 2


VISIBILITY GAPS WITH AGENT & 802.1X METHODS

In traditional, fully managed environments, the conventional method of classifying endpoints connecting to LANs and WLANs has been to install software agents on devices, or to use hardware tokens, digital certificates or login credentials within an 802.1X device authentication system. Today, these methods alone are insufficient.

New Visibility Gaps

The new network is hybrid, composed of on-premise, edge and cloud resources connecting a wide variety of personal, guest and corporate IT, OT and IoT devices. In this context, conventional classification methods can be impractical, insecure or simply impossible. This leaves significant visibility gaps in device awareness.

Longstanding Gaps

In fact, visibility gaps have always been a problem with conventional methods because agents, tokens and certificates can be missing, misconfigured, or outdated, or login credentials and authentication protocols compromised. One way to fill these gaps is to use either agentless active or passive methods.

[Chart: "What level of risk do you feel is posed by a lack of visibility into the devices on your network?" Response categories: Very High, High, Medium, Low, Very Low, Unknown/Unsure. Reported shares (chart values, order not recoverable from the extraction): 43.9%, 29.8%, 15.1%, 7.3%, 2.0%, 2.0%. Source: 2020 SANS Network Visibility & Threat Detection Survey]

Page 6: QOSMOS LIBDEVICE 2


WEAKNESSES OF AGENTLESS ACTIVE METHODOLOGIES

Agentless active methodologies used in combination with other classification methods can yield detailed and accurate device profiles.

However, they can be resource-intensive and impact performance. They can also trigger false alarms in threat detection and response systems. This is why many endpoint solution vendors now block polling, port-scanning and similar network requests. Other active methods require access credentials for numerous security and management solutions in order to function. And these too are restricted or prohibited in many networks, especially in critical networks and hybrid IT/IoT/OT networks.

In these scenarios, a 100% passive, agentless method is needed.

Agentless active methodologies include:

Polling network infrastructure (e.g., switches and controllers) using Nmap and other network scanning tools.

Querying third party resources like directory services, endpoint security agents or databases for device information.

Inspecting end devices directly using SSH, Nmap scans, SNMP queries, or remote procedure protocols like MS-RPC and MS-SMB.

Page 7: QOSMOS LIBDEVICE 2


THE VALUE OF PASSIVE, AGENTLESS CLASSIFICATION

Correlating multi-layer, L2 to L7 fingerprints boosts profile granularity and accuracy, which enables more effective security and traffic management policies, and improved threat detection and incident analysis.

Example profiles (coarse to fine):

Phone, Tablet or Wearable > Phone > Apple iPhone > iPhone 7 > Apple iOS > iOS 14

Laptop > Lenovo > Thinkpad > Thinkpad T41 > Windows XP > SMB v1

Gaming Console > Nintendo Gaming Console > Nintendo Switch

Industrial Automation > Siemens Industrial Automation > Siemens Climatix Controller > Siemens POL908

Audio, Imaging or Video Equipment > Camera > Surveillance Camera > ABUS IP Camera > ABUS TVIP61560

Passive, agentless device classification uses access network traffic as a source of intelligence about devices. It uses passive monitoring of packet flows via SPANs or TAPs and, with or without decryption and deep packet inspection, it extracts and computes the device metadata (fingerprints) needed to build device profiles. It then compares the device profiles against known fingerprints for accurate identification.

This makes this method a good choice for closing the device visibility gaps in agent-based systems, and for networks in which active agentless methods are undesirable or prohibited.

All Passive Methods Are Not Equal

Most passive, agentless solutions use data from limited layers in the network stack. This inevitably causes the generality of classifications to increase (i.e., reduced granularity), and confidence scores to decline.

But, if one correlates multiple, diverse device fingerprints across the full L2 to L7 stack, accuracy and granularity improve dramatically. This is the methodology used by LibDevice 2.0.
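The multi-layer correlation this section describes, shown as an added illustration that is not Qosmos code and uses no LibDevice data: a small Python classifier takes values observed at different stack layers (a MAC OUI, a DHCP option 55 parameter-request list, an HTTP User-Agent), matches them against a constructed fingerprint base, and merges the matching claims into one profile with a confidence score. Every OUI, option list, User-Agent fragment and weight below is invented for the example. It goes slightly beyond the text in one respect: besides showing granularity and confidence rising as more layers agree, it handles the case where layers disagree (for instance an Apple DHCP signature beside a Windows User-Agent), reporting the conflicting attribute and lowering the score instead of silently picking one.

```python
"""Multi-layer passive device fingerprint correlation (added illustration).

Every OUI, DHCP option list, User-Agent fragment and weight here is constructed
for the example; none of it is Qosmos LibDevice data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Profile attributes rendered coarse to fine, mirroring the brief's "a > b > c" paths.
ATTRIBUTE_ORDER = ("category", "vendor", "model", "os", "os_version")


@dataclass(frozen=True)
class Fingerprint:
    layer: str                           # stack layer the evidence was extracted from
    pattern: str                         # substring that must occur in the observed value
    claims: Tuple[Tuple[str, str], ...]  # (attribute, value) pairs this evidence supports
    weight: float                        # evidence strength in (0, 1)


# Constructed knowledge base: hypothetical OUIs, option lists and UA fragments.
KNOWLEDGE_BASE: List[Fingerprint] = [
    Fingerprint("L2 MAC OUI", "00:11:22", (("vendor", "Apple"),), 0.2),
    Fingerprint("L2 MAC OUI", "AA:BB:CC", (("vendor", "Lenovo"),), 0.2),
    Fingerprint("L3 DHCP option 55", "1,121,3,6,15,119,252",
                (("vendor", "Apple"), ("os", "Apple iOS")), 0.3),
    Fingerprint("L7 HTTP User-Agent", "iPhone OS 14",
                (("category", "Phone"), ("model", "Apple iPhone"),
                 ("os", "Apple iOS"), ("os_version", "iOS 14")), 0.5),
    Fingerprint("L7 HTTP User-Agent", "Windows NT 5.1",
                (("category", "Laptop"), ("os", "Windows XP")), 0.4),
]


@dataclass
class Profile:
    attributes: Dict[str, str]   # attribute -> winning value
    confidence: float            # 0..1, rounded to two decimals
    conflicts: List[str]         # attributes on which layers disagreed
    layers_used: List[str]       # layers that contributed evidence

    def path(self) -> str:
        """Render the profile in the brief's coarse-to-fine notation."""
        return " > ".join(self.attributes[a] for a in ATTRIBUTE_ORDER if a in self.attributes)


def classify(evidence: Dict[str, str]) -> Profile:
    """Correlate all fingerprints matching the observed per-layer values into one profile."""
    matched = [fp for fp in KNOWLEDGE_BASE
               if fp.layer in evidence and fp.pattern in evidence[fp.layer]]
    if not matched:
        return Profile({}, 0.0, [], [])

    # Tally, per attribute, how much evidence weight stands behind each claimed value.
    votes: Dict[str, Dict[str, float]] = {}
    for fp in matched:
        for attr, value in fp.claims:
            per_attr = votes.setdefault(attr, {})
            per_attr[value] = per_attr.get(value, 0.0) + fp.weight

    attributes: Dict[str, str] = {}
    conflicts: List[str] = []
    agreeing = disputed = 0.0
    for attr, options in votes.items():
        value, best = max(options.items(), key=lambda kv: kv[1])
        attributes[attr] = value
        agreeing += best
        disputed += sum(options.values()) - best
        if len(options) > 1:
            conflicts.append(attr)

    # Independent layers reinforce each other (noisy-OR of their weights);
    # any disagreement between layers scales the result down.
    miss = 1.0
    for fp in matched:
        miss *= 1.0 - fp.weight
    agreement = agreeing / (agreeing + disputed)
    confidence = round((1.0 - miss) * agreement, 2)
    return Profile(attributes, confidence, conflicts, sorted({fp.layer for fp in matched}))


if __name__ == "__main__":
    # Constructed observations for one device, first with L2 only, then with L2+L3+L7.
    l2_only = {"L2 MAC OUI": "00:11:22"}
    all_layers = {
        "L2 MAC OUI": "00:11:22",
        "L3 DHCP option 55": "1,121,3,6,15,119,252",
        "L7 HTTP User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 14_0 like Mac OS X)",
    }
    for label, obs in (("L2 only", l2_only), ("L2+L3+L7", all_layers)):
        p = classify(obs)
        print(f"{label:9} {p.path()!r:55} confidence={p.confidence} conflicts={p.conflicts}")
```

With the L2 OUI alone the profile stops at the vendor with a low score; once the DHCP and HTTP layers agree, the path extends to category, model, OS and OS version and the score rises. The `conflicts` list is the part a detection engineer should watch: a vendor claimed at L2 that the L7 evidence contradicts is exactly the kind of inconsistency worth surfacing rather than averaging away.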

Page 8: QOSMOS LIBDEVICE 2


IS THE PASSIVE, AGENTLESS METHOD RIGHT FOR YOU?

A Complementary or Primary Role in Access Networks

If your product currently uses agents or 802.1X methods or data, and your goal is to close device visibility gaps, then both passive and active agentless classification can be effective complements.

However, if 1) active methods are forbidden, or 2) you need maximum performance, or 3) security concerns are paramount, as in critical networks or hybrid IT/OT environments, then a 100% passive, agentless method is the best complement.

If your product does not currently use agents or 802.1X methods or data, and your goal is simply to create new device-aware policies or enhance analytics, then a 100% passive, agentless approach is likely all your product needs.

No Role or a Complementary Role in Cloud & WAN Environments

If you must have precise device identification outside of access networks (for example, in direct-to-cloud connections), you should keep agent-based and/or active classification techniques in your toolbox. However, an agentless, passive tool still plays a vital role in solutions that integrate data across hybrid environments.

For example, if you are a provider of cloud-based networking and security products, or a provider of SIEM or SOAR platforms, you can ingest passive device classification generated in access networks, and correlate it with device data gathered through other methods in order to reduce visibility gaps and improve analytics and policy development.

Agentless methods fill critical device visibility gaps, with product requirements and network characteristics determining whether passive and active methods should be used alone or together.

Page 9: QOSMOS LIBDEVICE 2


THE LIBDEVICE 2.0 SOFTWARE MODULE: 100% PASSIVE, AGENTLESS, L2-L7 DEVICE FINGERPRINTING

QOSMOS IXENGINE

Use with Qosmos ixEngine to enhance:

Next Generation Firewalls
SD-WAN Solutions
Data Loss Prevention Products
LAN/WLAN/EDGE Routers & Switches
Identity and Access Management Products
Endpoint Management & Security Solutions
Threat Detection and Response Solutions

[Diagram: Network Flow (Physical, Virtual, Cloud, Mobile, Enterprise) -> Copies of Raw Packets -> Physical or Virtual Appliances running Qosmos ixEngine with LibDevice 2.0 -> Policy Enforcement / Analytics]

Page 10: QOSMOS LIBDEVICE 2


THE LIBDEVICE 2.0 SOFTWARE MODULE: 100% PASSIVE, AGENTLESS, L2-L7 DEVICE FINGERPRINTING

QOSMOS PROBE

Use with Qosmos Probe to enhance:

Network Traffic Analysis
User and Entity Behavior Analytics
Intrusion Detection
Security Information Event Management Systems
Security Orchestration, Automation and Response Platforms
Endpoint Threat Detection

[Diagram: Network Flow (Physical, Virtual, Cloud, Mobile, Enterprise) -> Copies of Raw Packets -> Qosmos SW Probes (Sensors) running Qosmos ixEngine with LibDevice 2.0 -> Policy Enforcement / Cybersecurity Applications / Cybersecurity Analytics & SecOps]

Page 11: QOSMOS LIBDEVICE 2


THE LIBDEVICE 2.0 SOFTWARE MODULE: HOW IT WORKS

The LibDevice 2.0 module is an optional software library (SDK) available with the Qosmos ixEngine® or Qosmos® Probe. Qosmos ixEngine extracts device metadata (a.k.a. fingerprints) from network traffic flows, and provides this data to the LibDevice module for device identification. If the device matches the profile of known devices stored in the local LibDevice look-up table, the device classification is then shared with the relevant networking or cybersecurity solution.

If the device is new or unknown, the data is sent via a REST API to a cloud fingerprint repository for identification. The device classification (along with a confidence score for the identification) is then returned via the API. This classification data is then provided to the appropriate networking or security solution, and added to the local device look-up table.

[Diagram: Device Key (e.g., MAC) & Metadata Extracted from Network -> Local Device Lookup Table -> Device Found? Yes: Device Profile Sent to Network or Security Solution. No: REST API -> Classification Database -> Device Resolved? Yes: Device Profile Sent to Network or Security Solution and added to the Local Device Lookup Table]
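The local-first lookup with a remote fallback described above, written out as an added example. This is not the LibDevice SDK or its REST API: the request and reply JSON shapes, the `min_confidence` threshold, the `DeviceResolver` class and the in-process stand-in for the cloud classification database are all assumptions made for this illustration, and the DHCP signatures and MAC addresses are constructed.

```python
"""Local-first device lookup with a remote classification fallback (added illustration).

This is not the LibDevice SDK or its REST API. The request/reply JSON shapes, the
confidence threshold and the in-process stand-in for the cloud classification
database are all assumptions made for this example.
"""
import json
from typing import Callable, Dict, Optional

Classification = Dict[str, object]   # {"profile": str, "confidence": float}

# Constructed stand-in for the cloud classification database, keyed by a
# DHCP option 55 parameter-request list (values invented for the example).
FAKE_CLASSIFICATION_DB = {
    "1,121,3,6,15,119,252": ("Phone > Apple iPhone > Apple iOS", 0.9),
    "1,3,6,15,31,33,43,44,46,47,119,121,249,252": ("Laptop > Windows", 0.8),
    "1,3,6": ("IoT Device", 0.3),    # deliberately weak match
}


def fake_classification_api(request_body: str) -> str:
    """Simulated REST endpoint: JSON request in, JSON reply out (shape is assumed)."""
    request = json.loads(request_body)
    signature = request["metadata"].get("dhcp_option_55", "")
    if signature in FAKE_CLASSIFICATION_DB:
        profile, confidence = FAKE_CLASSIFICATION_DB[signature]
        return json.dumps({"resolved": True, "profile": profile, "confidence": confidence})
    return json.dumps({"resolved": False})


class DeviceResolver:
    """Look a device up locally first; on a miss, ask the remote service and cache the answer."""

    def __init__(self, remote_lookup: Callable[[str], str], min_confidence: float = 0.5):
        self.local_table: Dict[str, Classification] = {}   # device key -> classification
        self.remote_lookup = remote_lookup                   # sends a JSON body, returns a JSON reply
        self.min_confidence = min_confidence                 # below this, neither trust nor cache
        self.stats = {"local_hits": 0, "remote_calls": 0, "unresolved": 0}

    def resolve(self, device_key: str, metadata: Dict[str, str]) -> Optional[Classification]:
        cached = self.local_table.get(device_key)
        if cached is not None:
            self.stats["local_hits"] += 1
            return cached                                    # "Device Found? Yes"

        self.stats["remote_calls"] += 1                      # "Device Found? No" -> REST API
        body = json.dumps({"device_key": device_key, "metadata": metadata})
        reply = json.loads(self.remote_lookup(body))
        if not reply.get("resolved") or reply["confidence"] < self.min_confidence:
            self.stats["unresolved"] += 1
            return None      # not cached: a later flow may carry richer metadata and resolve it

        result: Classification = {"profile": reply["profile"], "confidence": reply["confidence"]}
        self.local_table[device_key] = result                # "Device Resolved? Yes" -> add to table
        return result


if __name__ == "__main__":
    # Constructed flows: the same MAC seen twice, then a weak match and an unknown device.
    resolver = DeviceResolver(fake_classification_api)
    flows = [
        ("aa:bb:cc:00:00:01", {"dhcp_option_55": "1,121,3,6,15,119,252"}),
        ("aa:bb:cc:00:00:01", {}),
        ("aa:bb:cc:00:00:02", {"dhcp_option_55": "1,3,6"}),
        ("aa:bb:cc:00:00:03", {"dhcp_option_55": "9,9,9"}),
    ]
    for key, meta in flows:
        print(key, resolver.resolve(key, meta))
    print(resolver.stats)
```

Two design points matter for anyone wiring a flow like this into a security product. Only confident answers go into the local table, so a weak or failed remote lookup is retried when the device next shows up with better metadata rather than being frozen as a wrong label. And the table is keyed on the device key the brief names (a MAC address), which assumes that key is stable; where it is not, the profile should be keyed on something the deployment can trust.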

Page 12: QOSMOS LIBDEVICE 2


Networking and cybersecurity solutions use this device classification data to:

Aid network discovery and planning

Improve real-time orchestration of network services

Gain insights into anomalous device behavior

Improve detection of advanced persistent threats

Aid in the development of device-based rules for policy enforcement engines

Deliver essential contextual data for threat analytics and forensics

Facilitate network segmentation and zero-trust controls

Ensure compliance with internal guidelines and external regulations

ACQUIRING THE QOSMOS LIBDEVICE 2.0 MODULE

I’m already an Enea Qosmos customer: If you already embed the Qosmos ixEngine or Qosmos Probe in your solution, adding the LibDevice 2.0 module provides a fast and easy way to enhance or extend your offer with state-of-the-art device classification.

I am not yet an Enea Qosmos customer: Integrating the Qosmos ixEngine or Qosmos Probe with LibDevice 2.0 into your solution will help you enrich and extend your portfolio with high-value context about devices, applications, services, users, data and behaviors.

BENEFITS

100% passive & agentless

Fast time to market

Easy, outsourced management & maintenance

High performance

Comprehensive, accurate, granular results

To learn more, download the LibDevice 2.0 datasheet, or contact us to request a product demo

Page 13: QOSMOS LIBDEVICE 2


Enea is the world-leading supplier of innovative software components for telecommunications, networking and cybersecurity. Focus areas are cloud-native, 5G-ready products for mobile core, network virtualization, and traffic intelligence. More than 3 billion people rely on Enea technologies in their daily lives. Enea is listed on Nasdaq Stockholm. For more information: www.enea.com

Enea’s embedded traffic intelligence products classify traffic in real time and provide granular information about network activities. The portfolio includes the Enea Qosmos ixEngine and the Enea Qosmos Probe. The products support a wide range of protocols and are delivered as software development kits or standalone network sensors to network equipment manufacturers, telecom suppliers, and vendors of cybersecurity software.