There is a staggering growth of endpoint mobile devices in enterprises. With this influx, Information Technology (IT) administrators can no longer treat these mobile devices as simply outside their scope of responsibility. Correspondingly, there has been an unprecedented growth in the cloud services that an enterprise makes available to its employees. Traditionally, enterprises have deployed one secure application per service per platform, but this approach has failed to scale with the growth of mobility in IT. A myriad of cloud-based services are now accessed from unmanaged endpoint mobile devices across diverse operating systems, uncontrolled network topologies and poorly understood mobile geographies. Typically, enterprises have deployed applications for a specific service, applications to access corporate resources that themselves vary with network conditions, and applications to secure the endpoints themselves.
Normally, in order to securely access multiple network resources concurrently, the end user has to connect to multiple applications, such as a corporate VPN for accessing an enterprise's internal resources (intranet) and a private VPN or a network filtering application for accessing Internet resources. This is not only perplexing for end users but also poses several performance challenges and operational constraints for IT administrators. Several compatibility issues arise between different applications that compete for network access at different layers of the networking stack. For instance, the service of a Virtual Private Network (VPN) application that securely connects to an enterprise network is disrupted by a web security firewall application running on the same device that monitors and forbids any network interface changes. The situation is further exacerbated by the fact that the user needs to reconfigure each application whenever network conditions change, such as moving from one subnet to another, and that nothing indicates to the user that such a change is required. All such service transitions must therefore be performed manually by the user with every network change. This is analogous to a user having to statically configure the Internet Protocol (IP) address settings of a network interface for every network change. That problem was overcome by the Dynamic Host Configuration Protocol (DHCP), which discovers the interface configuration such as the IP address, subnet mask, default gateways and Domain Name System (DNS) servers. With the advent of mobility and the explosion in the number of cloud services and mobile applications, there is a strong need for unified service discovery and secure availability that can efficiently scale to very large volumes of mobile traffic.
This growth of endpoint mobile devices has opened up several new avenues for targeted cyberattacks against enterprises. Traditionally, enterprises deployed Secure Sockets Layer (SSL) VPNs and web proxies to steer traffic from mobile devices to a centralized secure gateway that processed all user traffic. However, with the growing demands of mobile users and the increased adoption of cloud-based applications, these traditional ways of steering network traffic have failed to scale. Backhauling traffic to a corporate datacenter through a traditional VPN has several performance constraints and does not scale well across the different services in mobile traffic. Further, conventional VPNs achieve split tunneling only at the IP layer, i.e., all intranet traffic destined to private subnets (RFC 1918) goes direct whereas all Internet traffic is tunneled, thus failing to take the service and application layers into account. In this existing approach, network traffic can be segmented only by destination IP address. This poses significant problems because the demands of different protocols are markedly different. For instance, Voice over IP (VoIP) traffic over the User Datagram Protocol (UDP) has entirely different needs than Hypertext Transfer Protocol (HTTP) traffic over the Transmission Control Protocol (TCP), and sending all traffic over a single tunnel significantly compromises the quality of service. Another class of VPNs, ‘PerAppVPN’, tries to achieve segmentation at the source application layer, i.e., traffic from one app is tunneled while traffic from another app goes direct. Although useful, this still does not take the quality and demands of different services into account. Further, today's enterprise applications do not reside at a single location in a data center but are increasingly fragmented across different cloud service providers, which do not even provide a fixed destination IP address for hosted services.
This poses unique challenges for enterprise IT administrators, who want to bypass traffic of a particular protocol, but not all traffic, bound for the same destination address. For instance, an IT administrator may choose to allow Secure Shell (SSH) to a cloud provider such as Amazon Web Services (AWS) directly, but may opt to inspect all outbound HTTP traffic.
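The gap between IP-layer split tunneling, PerAppVPN and the service-aware steering the preceding two paragraphs call for can be seen side by side with a small policy engine. The following is an added illustration, not the steering mechanism of this application or of any vendor product; the flow model, rule format, action names ("direct", "tunnel", "inspect", "tunnel-realtime") and the 203.0.113.0/24 prefix standing in for a cloud provider's address range are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

# RFC 1918 private ranges: the only notion of "intranet" an IP-layer split tunnel has.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    """One connection as seen by an endpoint agent (constructed, simplified 5-tuple view)."""
    src_app: str      # e.g. "ssh-client", "browser", "softphone"
    dst_ip: str
    proto: str        # "tcp" or "udp"
    dst_port: int


def ip_layer_split_tunnel(flow: Flow) -> str:
    """Conventional split tunneling as described in the text: RFC 1918 destinations go
    direct, everything else is tunneled. Protocol, port and application are invisible."""
    dst = ipaddress.ip_address(flow.dst_ip)
    return "direct" if any(dst in net for net in RFC1918) else "tunnel"


def per_app_vpn(flow: Flow, tunneled_apps: Set[str]) -> str:
    """PerAppVPN: the decision keys on the source application only."""
    return "tunnel" if flow.src_app in tunneled_apps else "direct"


@dataclass(frozen=True)
class Rule:
    """A service-aware steering rule; any field left as None is a wildcard."""
    action: str
    dst_net: Optional[str] = None
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    src_app: Optional[str] = None

    def matches(self, flow: Flow) -> bool:
        if self.dst_net and ipaddress.ip_address(flow.dst_ip) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.proto and self.proto != flow.proto:
            return False
        if self.dst_port is not None and self.dst_port != flow.dst_port:
            return False
        if self.src_app and self.src_app != flow.src_app:
            return False
        return True


def service_aware_steer(flow: Flow, rules: List[Rule], default: str = "tunnel") -> str:
    """First-match policy over destination prefix, protocol, port and application."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


# Constructed policy for the IT-administrator case in the text. 203.0.113.0/24 is a
# documentation prefix used as a placeholder for the cloud provider; it is not a real AWS range.
CLOUD_PROVIDER = "203.0.113.0/24"
POLICY = [
    Rule("direct", dst_net="10.0.0.0/8"),                               # intranet stays on the LAN
    Rule("direct", dst_net=CLOUD_PROVIDER, proto="tcp", dst_port=22),   # SSH to the cloud provider goes direct
    Rule("inspect", proto="tcp", dst_port=80),                          # all outbound HTTP is inspected
    Rule("inspect", proto="tcp", dst_port=443),                         # HTTPS likewise, at the gateway
    Rule("tunnel-realtime", proto="udp", src_app="softphone"),          # VoIP gets a latency-sensitive tunnel
]

# Constructed sample flows: SSH and HTTP to the SAME cloud host, a VoIP stream, and intranet web.
SAMPLE_FLOWS = {
    "ssh_to_cloud": Flow("ssh-client", "203.0.113.10", "tcp", 22),
    "http_to_cloud": Flow("browser", "203.0.113.10", "tcp", 80),
    "voip": Flow("softphone", "198.51.100.7", "udp", 16384),
    "intranet": Flow("browser", "10.1.2.3", "tcp", 80),
}


def compare(flows=SAMPLE_FLOWS) -> dict:
    """Return each flow's verdict under the three schemes so the difference is visible."""
    return {
        name: {
            "ip_split": ip_layer_split_tunnel(f),
            "per_app": per_app_vpn(f, {"browser"}),
            "service_aware": service_aware_steer(f, POLICY),
        }
        for name, f in flows.items()
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:14s} {verdicts}")
```

Running it shows the point of the text directly: the IP-layer scheme returns "tunnel" for both the SSH and the HTTP flow to 203.0.113.10 because it can only see the destination address, PerAppVPN separates them only by which application opened them, whereas the service-aware rules send SSH direct, route HTTP through inspection and give the UDP VoIP stream its own tunnel. Rule order matters in a first-match engine, which is why the intranet rule precedes the HTTP inspection rule.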