Allot Network Intelligence Tomás Gómez de Acuña [email protected].
Allot – At-A-Glance
Company Status: Public company traded on NASDAQ [ALLT]
Employees: 250
R&D and Operations: Israel, Hod Hasharon
WW Sales and Support: Americas: MN, CA, NY, TX, AZ, Brazil; Europe: France, UK, Germany, Italy, Spain, Scandinavia; Asia/Pac.: Singapore, Japan, Australia
Founded: 1997
Track Record: More than 9000 units sold in 118 countries; more than 700 service providers; more than 2060 enterprises and educational inst.
Allot Network Intelligence Solution
[Diagram labels: WAN; LAN / core network; Internet access; Internet; VPN / leased line / MPLS; Data Center; Web, Email and Citrix servers; SAP/Citrix; Oracle; Video; VoIP GW; PBX; Citrix clients; London, Paris and Tokyo offices with VoIP; Service Protector; SMP Server; NetXplorer Server; GUI Client; NetEnforcer]
Network Intelligence Solution – Main Features
• Network visibility & Network Intelligence
• Network troubleshooting
• Layer 7 Firewall
• Signature Base, DPI (Deep Packet Inspection)
• Connection Control
• Connection limitation per rule
• Bandwidth assignment per connection
• Data center protection / DoS protection
• DDoS and Malicious Traffic Control (Service Protector)
• P2P Control
• Application Control
• QoS Bandwidth Management
• Video Caching (MediaSwift)
• Block of Illegal Website URLs (WebSafe)
• Managed Services. Virtual Traffic Control
• Subscriber Management. Traffic Control per Subscriber
• Accounting and Billing
Allot Product Family
• Subscriber Management Platform (SMP)
• NetEnforcer
• NetXplorer & NetXplorer Provisioner
• Service Protector
• WebSafe
NetEnforcer Products
Model            Bandwidth           Policies
AC-400           2 to 100 Mb         4,000
AC-800           45 to 310 Mb        28,000
AC-1000          155 Mb to 1 Gb      80,000
AC-2500          310 Mb to 2.5 Gb    80,000
AC-10000         4 Gb to 20 Gb       400,000
Service Gateway  5 Gb to 40 Gb       400,000
Customers: Internet access, local ISPs, SMEs and SMB; Tier 2-3 carriers, ISPs, enterprise, universities; Tier 1, 2 carriers, ISPs, enterprise, universities; enterprise, ISPs, universities
AC-10000 customers: Tier 1, 2 carriers, ISPs, enterprise, universities
Service Gateway customers: Tier 1, 2 carriers, ISPs
Management: NetXplorer, SMP
NetEnforcer: Enterprise / Medium SP Platform
Model                     Bandwidth   Pipes   VCs      Managed Links
AC-40X Monitoring Only    100 Mbps    1,024   4,096    1 - 2
AC-40X/2M                 2 Mbps      1,024   4,096    1 - 2
AC-40X/6M                 6 Mbps      1,024   4,096    1 - 2
AC-40X/10M                10 Mbps     1,024   4,096    1 - 2
AC-40X/45M                45 Mbps     1,024   4,096    1 - 2
AC-40X/100M               100 Mbps    1,024   4,096    1 - 2
AC-80X Monitoring Only    310 Mbps    4,096   28,672   1 - 2 - 4
AC-80X-C&F                45 Mbps     4,096   28,672   1 - 2 - 4
AC-80X-C&F                100 Mbps    4,096   28,672   1 - 2 - 4
AC-80X-C&F                155 Mbps    4,096   28,672   1 - 2 - 4
AC-80X-C&F                310 Mbps    4,096   28,672   1 - 2 - 4
NetEnforcer: SP & Carrier Platform
Model                      Bandwidth (Full Duplex)   Pipes    VCs      Managed Links
AC-10X0-Monitoring Only    1000 Mbps                 10,000   80,000   1-2
AC-10X0-155M               155 Mbps                  10,000   80,000   1-2
AC-10X0-310M               310 Mbps                  10,000   80,000   1-2
AC-10X0-620M               620 Mbps                  10,000   80,000   1-2
AC-10X0-1000M              1000 Mbps                 10,000   80,000   1-2
AC-25X0-Monitoring Only    2500 Mbps                 40,000   80,000   1-2-4
AC-25X0-310M               310 Mbps                  40,000   80,000   1-2-4
AC-25X0-620M               620 Mbps                  40,000   80,000   1-2-4
AC-25X0-1000M              1000 Mbps                 40,000   80,000   1-2-4
AC-25X0-2500M              2500 Mbps                 40,000   80,000   1-2-4
April 10, 2023
AC10000
Component / Feature        Description
Hardware                   Blade ATCA Chassis
Management interface       10/100/1000T
Traffic Interface          2 x 10 GE, 4 x 10 GE, 8 x 1 GE
High Availability          1+1 Active Redundancy
External Bypass            1 per Traffic card
Component redundancy       Inherent redundancy of every component
Hot Swappable              Yes
Redundant Power Supply     Yes
Throughput                 Up to 20 Gbps
Subscribers                800,000
Policy Size                Up to 200k Pipes and 400k VCs
Concurrent Connections     Up to 10M connections (20M flows)
New Connections per sec    Up to 200k new connections per sec (400k new flows)
Service Gateway
Component / Feature        Description
Hardware                   Blade ATCA Chassis
Management interface       10/100/1000T
Traffic Interface          2 x 10 GE, 4 x 10 GE, 8 x 10 GE, 16 x 1 GE
High Availability          N+1 Redundancy
Internal Bypass            1 per Traffic card
Component redundancy       Inherent redundancy of every component
Hot Swappable              Yes
Redundant Power Supply     Yes
Throughput                 Up to 40 Gbps
Subscribers                800,000
Policy Size                Up to 200k Pipes and 400k VCs
Concurrent Connections     Up to 10M connections (20M flows)
New Connections per sec    Up to 200k new connections per sec (400k new flows)
The Service Gateway Vision
Open platform enabling integration of best-in-class services
[Diagram labels: DPI Engine; Malicious traffic control; Monitoring; QoS Control; URL Filtering; Content Caching; 3rd Party Services; Future Service ...; Network + Subscriber Management]
Service Gateway Redirection
Third Party Product
• Caching
• URL Filtering
• IDS
• Firewall
• Content Inspection
• Response Time System
Centralized DPI System
• Reduce System Investment
• Better Traffic Control
• Really Intelligent (L7) Forward
[Diagram labels: Internet Access; LAN / core network]
1 & 2 Links Topologies
One link: 10/100 Ethernet: NE 402/802; 1 Giga: NE 802/1010; 10 Giga: NE 10100 / SG
Two links, redundant configuration: 10/100 Ethernet: NE 404/804; 1 Giga: NE 804/1020/2520; 10 Giga: NE 10200 / SG
Two links, different networks: 10/100 Ethernet: NE 404/804; 1 Giga: NE 804/1020/2520; 10 Giga: NE 10200 / SG
[Diagram labels: Internet; Router; NetEnforcer; Firewall; LAN Switch; DMZ; LAN; WAN]
4 Links Topologies
Four links, redundant configuration, fully meshed: 10/100 Ethernet: NE 808; 1 Giga: NE 808/2540; 10 Giga: SG 8 x 10G
Four links, different networks: 10/100 Ethernet: NE 808; 1 Giga: NE 808/2540; 10 Giga: SG 8 x 10G
[Diagram label: NetEnforcer]
8 Links Topologies
Eight links, different networks
Service Gateway: 8 links of 1 giga
High Availability
• Active Redundancy
• Link Redundancy Support
[Diagram labels: Internet; Router; Link; Primary; Secondary; Normal Scenario; Primary Active; Primary Bypass; Active Mode; Secondary Bypass; Bypass Mode]
SMP Architecture
SMP Features
Subscriber Monitoring
Tiered Services
Quota Management
Portal
• Time Based
• Volume Based
NetXplorer Provisioner Architecture
Managed Services: Virtual Traffic & Network Intelligence
[Diagram labels: Internet; Users; NetEnforcer; NetXplorer Server; RADIUS Server; NetXplorer Provisioner; Network Operator; Authentication; Policy Modifications and Data Collection; Front-end Provisioning and Monitoring; Back-end control]
NetXplorer Provisioner (NPP)
NetXplorer & SMP Architecture
[Diagram labels: GUI Client; NetXplorer Server; NetXplorer Data Collector; Subscriber Management; OSS; RADIUS/DHCP; Mediation / Billing]
NetXplorer Features
Main Features
Network Visibility
• Real Time Monitoring
• Long Term Monitoring
• Auto Application Discovery
Centralized Policy Management
• QoS definition
• L7 Firewalling
• Port Redirection
• DoS control
Reports Creation
Reports Scheduling
Events & Alarms
NetXplorer Drill Down Capability
Rich Set of Graphs
Statistics
Utilization
Distribution Graphs
• NetEnforcers
• Lines / Pipes / VCs
• Protocols
• Hosts / Int / Ext / Conversations
• Subscribers
Average Protocol Popularity
Typical Time
NetXplorer Most Active Graphs
Top N reports available for:
• NetEnforcer
• Lines, Pipes, Virtual Channels
• Protocols
• Hosts
• Internal Host
• External Host
• Conversations
Three Dimensional Graphs
NetXplorer Data Selection
Date & Time Range
NetXplorer Report Creation
Multiple Format Output Reports
NetXplorer Report Scheduling
Events & Alarms
QoS Optimization & Control
Without Allot: Unmanaged
With Allot (Allot NetEnforcer): Visible and Managed
[Diagram labels: P2P Upload; P2P Download; VoIP; Web; TV; Video Conferencing; Gaming; email]
NetXplorer Policy Definition
[Figure labels: Policy Name; Conditions; Actions]
Superior DPI technology
New dedicated H/W offers scalability & upgradability
Based on Allot’s Next Generation DPI engine S/W with native APU (Allot Protocol Updates) support
Advanced Proactive Learning System for finer identification of sophisticated P2P Apps
Leader in real time and internet protocols
Service Catalog
Improvement of QoS features
3-level policy control
• LINE, PIPE & Virtual Channel
Expedited Forwarding for real time applications
Assured Forwarding for video streaming
Drop Precedence for effective BW management (short term peak traffic)
Tailored QoS behavior per Application
Per Flow Queuing mechanism
QoS Catalog
DoS & Connection Control
DoS Control
Connection Control
ServiceProtector
Protects against DDoS attacks; network attacks; worms; subscriber zombies; spambots
Behavior-based ADS (Anomaly Detection System)
Facilitates surgical isolation at the network or subscriber level
KEY BENEFITS
Reduce customer complaints
Reduce OPEX
Avoid email blacklisting
Enhance network mgmt
Improve network stability
Protect key customers
Protect revenue streams
ServiceProtector’s Main Features
• Signature free DDoS, Spam and Zombie detection
• 0 day detection
• Fully based on traffic behavior
• <5% false positives, >95% rate true positives
• Fast attack identification. Normally less than 5 min from begin to mitigation
• “On-Fly” attack signature creation for mitigating the attacks
• Easy and transparent installation
• Distributed system: multiple sensors with one management console
• Independent solution: no help needed from routers
• Fully integrated with NetXplorer’s Network Intelligent System
• External server or an ATCA blade
• Up to 10Gbits real-time detection per sensor
Network Behavior Anomaly Detection (NBAD)
Uses TCP/IP statistics to build behavioral models
Identifies disruptions in absolute and relative network statistics
Connectionless, sessionless, stateless
Detection speed inversely proportional to magnitude of attack
Invariant to normal peaks and troughs
Sensitive to attacks
•Network attacks disrupt network behavior and the normal relationship between network statistics
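An added example (not Allot's algorithm or code) of the stateless, ratio-based detection the NBAD bullets describe: per-interval packet counters only, a relative statistic that stays flat through a legitimate traffic peak, and a cumulative score that a larger flood pushes over the threshold in fewer intervals. The SYN/close ratio, the CUSUM scoring, the thresholds and every counter value are assumptions constructed for the illustration.

```python
import math
from statistics import mean, stdev

# Constructed per-interval counters (TCP SYNs seen, TCP FIN/RSTs seen); no flow table.
BASELINE = [(1000, 950), (1200, 1080), (800, 780), (1500, 1350),
            (950, 930), (1100, 1000), (700, 650), (1300, 1260)]

def log_ratio(syn, closes):
    """Relative statistic: log of connections opened per connection closed."""
    return math.log((syn + 1) / (closes + 1))  # +1 avoids division by zero

class RatioCusum:
    """One-sided CUSUM over the SYN/close ratio (assumed model, not Allot's)."""

    def __init__(self, baseline, slack_sigmas=3.0, alarm_sigmas=8.0):
        xs = [log_ratio(s, c) for s, c in baseline]
        self.mu, sigma = mean(xs), max(stdev(xs), 1e-3)
        self.slack = slack_sigmas * sigma   # tolerated drift above the learned mean
        self.alarm = alarm_sigmas * sigma   # accumulated excess that raises an alarm
        self.score = 0.0

    def update(self, syn, closes):
        excess = log_ratio(syn, closes) - self.mu - self.slack
        self.score = max(0.0, self.score + excess)
        return self.score > self.alarm

def intervals_to_alarm(samples, baseline=BASELINE):
    """1-based index of the first alarming interval, or None if none alarms."""
    detector = RatioCusum(baseline)
    for i, (syn, closes) in enumerate(samples, start=1):
        if detector.update(syn, closes):
            return i
    return None

# Constructed scenarios: a legitimate 5x traffic peak keeps the ratio intact,
# while unanswered SYNs added to normal load (1000 SYN / 950 closes) skew it.
PEAK = [(5000, 4750), (6000, 5600), (5500, 5200)]
SMALL_FLOOD = [(1270, 950)] * 5
MEDIUM_FLOOD = [(1380, 950)] * 5
LARGE_FLOOD = [(6000, 950)] * 5

if __name__ == "__main__":
    for name, data in [("peak", PEAK), ("small", SMALL_FLOOD),
                       ("medium", MEDIUM_FLOOD), ("large", LARGE_FLOOD)]:
        print(name, intervals_to_alarm(data))
```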
Deployment
[Diagram labels: Access; DSL Subscribers; Cable Subscribers; Hosting Services; DDoS protection; International/local peering partners; NetEnforcer; Service Gateway; NetXplorer; SP-Controller; SP-Sensor; SP-Sensor blade*]
* Availability of Service Protector blade to be announced – expect mid-late ‘08
MediaSwift
Intelligent Media Caching maximizes network efficiency
Accelerates content delivery and provides highest QoE
Reduce delivery costs and improve service quality
KEY BENEFITS
• Transparent caching of all bandwidth-intensive protocols
• Reduce OPEX
• Reduction of upstream bandwidth
• Wire speed data delivery
• Preserves functionality for all Internet services
• Scalable multi-gigabit bandwidth generation
MediaSwift
Bandwidth Control & Media Acceleration
• Manages traffic and BW growth
• Produces BW savings
• Fastest downloads possible
• Best Quality of Experience (QoE)
• Satisfy user demand for media
• Competitive advantage over other ISPs
[Diagram labels: HTTP; Video; P2P; Peer; VoIP; Email; HTTP Traffic; P2P Traffic; Internet; Subscribers; ISP Access Network; ISP Core Network]
How it Works
[Diagram labels: Internet Access; ISP User; Internet User; MediaSwift Blade; SG-Sigma; File Request; File Download; Keep Alive; Stopped!]
• Requested file is in the storage
• File is downloaded from storage
• SG redirects multimedia traffic to/from blade
• Connection with peer is maintained
WebSafe
• An add-on service for Allot Service Gateway Sigma
• Supports encrypted URL blacklists, up to 50,000 entries
• Supports Whitelist
  - Overrides Blacklist in case of over-blocking
  - Up to 10,000 entries
• Multiple enforcement actions: redirect or block user
Network-based illegal content filtering solution
References
Public Administration: Turespaña, Catastro, Servicio Andaluz de Salud, Oficina de Patentes, Forum de Barcelona, Principado de Asturias, Gobierno de La Rioja, Gobierno de Canarias, Gobierno de Navarra, Gobierno de Cantabria, Ayuntamiento de Gijón, Ayuntamiento de Rivas, Ayuntamiento Laguna de Duero, Ayuntamiento de Torre Pacheco, Parlamento de Cataluña, Informática Comunidad de Madrid, Estrada Dixital, Hospital Marqués de Valdecilla, Sescam, Xunta de Galicia, Ayunt. Quitanadueñas, Ayunt. de Barcelona, Ministerio de Sanidad, Ministerio de Agricultura, Ministerio de Economía (IGAE), Marina Mercante, Generalitat Valenciana, Ayuntamiento de Lloret, Dirección General de Aragón (DGA), Sadesi (Junta de Andalucía), Junta de Extremadura, Consejería Educación Junta de Andalucía, Parlamento de Vasco, Osakidetza (Servicio Vasco de Salud), IKT (Gobierno Vasco), Autoridad Portuaria de Valencia, Dirección Gral de la Policia, Ministerio de Defensa, Ministerio del Interior, Gobierno de Murcia (F. Integra), Colegio de Registradores, CNMV
Banking and Insurance: BBVA, Banco Sabadell, Santa Lucia, Caixanova, Rural Servicios Informáticos, Agroseguro, BBK, Ibercaja, Cajasegovia, Aseval, Caja Laboral
Operators: Unión Fenosa Telecomunicaciones, Comunitel, Neo Sky, Fujitsu ASP, BT, Telecable, R, PTVTelecom, Mcctelecom, CableMutua, Riosat, Everbit, Gemytel, more than 10 regional cable operators, WifiOnline, Axartel, Novatelefonia, Cable Sur, Epresa, Cable Melilla, AWA, Acorde, Telecom Castilla La Mancha
Universities: Universidad de Oviedo, Universidad de Las Palmas, Universidad de Málaga, Universidad de Burgos, Universidad de Cantabria, Universidad de León, Universidad Alfonso X el Sabio, Universidad Miguel Hernández, Universidad de Murcia, Universidad de Barcelona, Oxford University Press, Universidad Pública de Navarra, Universidad de La Rioja, Escuela universitaria Galileo Galilei, Universidad de Jaen, Universidad de Huelva, Universidad Politécnica de Madrid, Universidad de Granada
Industry and Business: Iron Mountain, ENCE, Barceló Viajes, Garden Hotel, Praxair, RTVE, Turespaña, Agroseguro, DHL, Tectotrans, Marmedsa, Mundo Social, Viajes Marsans, Dorna, Telemadrid, Unión Española de Explosivos, Arias, La Cope, MediaPro – La Sexta, Museo del Prado, Metro de Madrid, Polaris World, Cementos Rohe, Prosegur, Algeposa, Global Interlink, Azertia, Garden Group, Puleva, Albatros, Almirall, Torraspapel, Iberdrola, OHL, Telefónica Soluciones, Blanco Diagomoda, AENA, Radio Televisión Valenciana, Transportes AZKAR, Marítima Bergé, Torraspapel, Singular Kitchen, ABC-Vocento, Ibermática, Redcom, Spainrep, Clar Roboticker, Ciudad de La Luz, Detinsa, Estrella de Galicia, Plásticos Ferro, Forum de Barcelona, Grupo Urvasco, Grupo Boluda, Armillar, Pipeline Software, Punto Acceso, Rodio Cimentaciones, Mtorres, Schneider Electric, Trentinort, Unisono, ACS/Dragados, Telepizza