Date post: 26-Mar-2015
Page 1: Allot Network Intelligence Tomás Gómez de Acuña tgomez@allot.com.

Allot Network Intelligence

Tomás Gómez de Acuña

tgomez@allot.com

Allot–At-A-Glance

Company Status: Public company traded on NASDAQ [ALLT]

Employees: 250

R&D and Operations: Israel, Hod Hasharon

WW Sales and Support: Americas: MN, CA, NY, TX, AZ, Brazil; Europe: France, UK, Germany, Italy, Spain, Scandinavia; Asia/Pac.: Singapore, Japan, Australia

Founded: 1997

Track Record: More than 9000 units sold in 118 countries; more than 700 service providers; more than 2060 enterprises and educational inst.

Allot Network Intelligence Solution

[Diagram labels: WAN; LAN / core network; Internet Access; Internet; VPN/Leased Line/MPLS; Data Center; Web, Email, Citrix Servers; SAP/Citrix/Oracle; Video; VoIP GW; PBX; Citrix Clients; London Office, Paris Office and Tokyo Office (VoIP); Service Protector; SMP Server; NetXplorer Server; GUI Client; NetEnforcer]

Network Intelligence Solution – Main Features

• Network visibility & Network Intelligence
• Network troubleshooting
• Layer 7 Firewall
• Signature Base, DPI (Deep Packet Inspection)
• Connection Control
• Connection limitation per rule
• Bandwidth assignment per connection
• Data center protection / DoS protection
• DDoS and Malicious Traffic Control (Service Protector)
• P2P Control
• Application Control
• QoS Bandwidth Management
• Video Caching (MediaSwift)
• Blocking of illegal website URLs (WebSafe)
• Managed Services. Virtual Traffic Control
• Subscriber Management. Traffic Control per Subscriber
• Accounting and Billing

Allot Product Family

• Subscriber Management Platform (SMP)
• NetEnforcer
• NetXplorer & NetXplorer Provisioner
• Service Protector
• WebSafe

NetEnforcer Products

Model | Bandwidth | Policies
AC-400 | 2 to 100 Mb | 4,000
AC-800 | 45 to 310 Mb | 28,000
AC-1000 | 155 Mb to 1 Gb | 80,000
AC-2500 | 310 Mb to 2.5 Gb | 80,000
AC-10000 | 4 Gb to 20 Gb | 400,000
Service Gateway | 5 Gb to 40 Gb | 400,000

Customers (AC-400 to AC-2500, in the order listed on the slide): Internet access, local ISPs; SMEs and SMB; Tier 2-3 carriers, ISPs, enterprise, universities; Tier 1, 2 carriers, ISPs, enterprise, universities; enterprise, ISPs, universities

Customers (AC-10000): Tier 1, 2 carriers, ISPs, enterprise, universities

Customers (Service Gateway): Tier 1, 2 carriers, ISPs

Also shown: NetXplorer, SMP

NetEnforcer: Enterprise / Medium SP Platform

Model | Bandwidth | Pipes | VCs | Managed Links
AC-40X Monitoring Only | 100 Mbps | 1,024 | 4,096 | 1 - 2
AC-40X/2M | 2 Mbps | 1,024 | 4,096 | 1 - 2
AC-40X/6M | 6 Mbps | 1,024 | 4,096 | 1 - 2
AC-40X/10M | 10 Mbps | 1,024 | 4,096 | 1 - 2
AC-40X/45M | 45 Mbps | 1,024 | 4,096 | 1 - 2
AC-40X/100M | 100 Mbps | 1,024 | 4,096 | 1 - 2
AC-80X Monitoring Only | 310 Mbps | 4,096 | 28,672 | 1 - 2 - 4
AC-80X-C&F | 45 Mbps | 4,096 | 28,672 | 1 - 2 - 4
AC-80X-C&F | 100 Mbps | 4,096 | 28,672 | 1 - 2 - 4
AC-80X-C&F | 155 Mbps | 4,096 | 28,672 | 1 - 2 - 4
AC-80X-C&F | 310 Mbps | 4,096 | 28,672 | 1 - 2 - 4

NetEnforcer: SP & Carrier Platform

Model | Bandwidth Full Duplex | Pipes | VCs | Managed Links
AC-10X0-Monitoring Only | 1000 Mbps | 10,000 | 80,000 | 1-2
AC-10X0-155M | 155 Mbps | 10,000 | 80,000 | 1-2
AC-10X0-310M | 310 Mbps | 10,000 | 80,000 | 1-2
AC-10X0-620M | 620 Mbps | 10,000 | 80,000 | 1-2
AC-10X0-1000M | 1000 Mbps | 10,000 | 80,000 | 1-2
AC-25X0-Monitoring Only | 2500 Mbps | 40,000 | 80,000 | 1-2-4
AC-25X0-310M | 310 Mbps | 40,000 | 80,000 | 1-2-4
AC-25X0-620M | 620 Mbps | 40,000 | 80,000 | 1-2-4
AC-25X0-1000M | 1000 Mbps | 40,000 | 80,000 | 1-2-4
AC-25X0-2500M | 2500 Mbps | 40,000 | 80,000 | 1-2-4

April 10, 2023

AC10000

Component / Feature | Description
Hardware | Blade ATCA Chassis
Management interface | 10/100/1000T
Traffic Interface | 2 x 10 GE; 4 x 10 GE; 8 x 1GE
High Availability | 1+1 Active Redundancy
External Bypass | 1 per Traffic card
Component redundancy | Inherent redundancy of every component
Hot Swappable | Yes
Redundant power Supply | Yes
Throughput | Up to 20 Gbps
Subscribers | 800,000
Policy Size | Up to 200k Pipes and 400k VCs
Concurrent Connections | Up to 10M connections (20M flows)
New Connections per sec | Up to 200k new connections per sec (400k new flows)

Service Gateway

Component / Feature | Description
Hardware | Blade ATCA Chassis
Management interface | 10/100/1000T
Traffic Interface | 2 x 10 GE; 4 x 10 GE; 8 x 10 GE; 16 x 1 GE
High Availability | N+1 Redundancy
Internal Bypass | 1 per Traffic card
Component redundancy | Inherent redundancy of every component
Hot Swappable | Yes
Redundant power Supply | Yes
Throughput | Up to 40 Gbps
Subscribers | 800,000
Policy Size | Up to 200k Pipes and 400k VCs
Concurrent Connections | Up to 10M connections (20M flows)
New Connections per sec | Up to 200k new connections per sec (400k new flows)

The Service Gateway Vision

[Diagram labels: DPI Engine; Malicious traffic control; Monitoring; QoS Control; URL Filtering; Content Caching; 3rd Party Services; Future Service ...; Network + Subscriber Management]

Open platform enabling integration of best-in-class services

Service Gateway Redirection

Internet Access

• Caching

• URL Filtering

• IDS

• Firewall

• Content Inspection

• Response Time System

Third Party Product

LAN / core network

Centralized DPI System

• Reduce System Investment

• Better Traffic Control

• Really Intelligent (L7) Forward

1 & 2 links Topologies

One link: 10/100 Ethernet: NE 402/802; 1 Giga: NE 802/1010; 10 Giga: NE 10100 / SG

Two links, redundant configuration: 10/100 Ethernet: NE 404/804; 1 Giga: NE 804/1020/2520; 10 Giga: NE 10200 / SG

Two links, different networks: 10/100 Ethernet: NE 404/804; 1 Giga: NE 804/1020/2520; 10 Giga: NE 10200 / SG

[Diagram labels: Internet; Router; NetEnforcer; Firewall; LAN Switch; DMZ; LAN; WAN]

4 links Topologies

Four links, redundant configuration, fully meshed: 10/100 Ethernet: NE 808; 1 Giga: NE 808/2540; 10 Giga: SG 8 x 10G

Four links, different networks: 10/100 Ethernet: NE 808; 1 Giga: NE 808/2540; 10 Giga: SG 8 x 10G

[Diagram label: NetEnforcer]

8 links Topologies

Eight links, different networks

Service Gateway: 8 links of 1 giga

High Availability

[Diagram labels: Active Redundancy; Link Redundancy Support; Link; Router; Internet; Primary; Secondary. Scenarios shown: Normal Scenario, Primary Active; Primary Bypass, Active Mode; Secondary Bypass, Bypass Mode]

SMP Architecture

SMP Features

Subscriber Monitoring

Tiered Services

Quota Management

Portal

• Time Based

• Volume Based

NetXplorer Provisioner Architecture

[Diagram labels: NetEnforcer; NetXplorer Server; RADIUS Server; NetXplorer Provisioner; Network Operator; Users; Internet; Authentication; Policy Modifications and Data Collection; Front-end Provisioning and Monitoring; Back-end control]

Managed Services: Virtual Traffic & Network Intelligence


NetXplorer Provisioner (NPP)

NetXplorer & SMP Architecture

[Diagram labels: GUI Client; NetXplorer Server; NetXplorer DataCollector; Subscriber Management; OSS RADIUS/DHCP; Mediation / Billing]

NetXplorer Features

Main Features

Network Visibility

Real Time Monitoring

Long Term Monitoring

Auto Application Discovery

Centralized Policy Management

QoS definition

L7 Firewalling

Port Redirection

DoS control

Reports Creation

Reports Scheduling

Events & Alarms

NetXplorer Drill Down Capability


Rich Set of Graphs

Statistics

Utilization

Distribution Graphs NetEnforcers

Lines / Pipes / VCs

Protocols

Hosts / Int / Ext /

Conversations

Subscribers

Average Protocol Popularity

Typical Time

NetXplorer Most Active Graphs

Top N reports available for:

NetEnforcer

Lines, Pipes, Virtual Channels

Protocols

Hosts

Internal Host

External Host

Conversations

Three Dimensional Graphs

NetXplorer Data Selection

Date & Time Range

NetXplorer Report Creation

Multiple Format Output Reports


NetXplorer Report Scheduling


Events & Alarms

QoS Optimization & Control

Without Allot: Unmanaged

With Allot (Allot NetEnforcer): Visible and Managed

[Diagram labels: P2P Upload; P2P Download; VoIP; WebTV; Video Conferencing; Gaming; email]

NetXplorer Policy Definition

[Screenshot labels: Policy Name; Conditions; Actions]

Superior DPI technology

New dedicated H/W offers scalability & upgradability

Based on Allot’s Next Generation DPI engine S/W with native APU (Allot Protocol Updates) support

Advanced Proactive Learning System for finer identification of sophisticated P2P Apps

Leader in real time and internet protocols


Service Catalog


Improvement of QoS features

3-level policy control

• LINE, PIPE & Virtual Channel

Expedited Forwarding for real time applications

Assured Forwarding for video streaming

Drop Precedence for effective BW management (short term peak traffic)

Tailored QoS behavior per Application

Per Flow Queuing mechanism


QoS Catalog


DoS & Connection Control

DoS Control

Connection Control


ServiceProtector

Protects against DDoS attacks; network attacks; worms; subscriber zombies; spambots

Behavior-based ADS (Anomaly Detection System)

Facilitates surgical isolation at the network or subscriber level

KEY BENEFITS

Reduce customer complaints

Reduce OPEX

Avoid email blacklisting

Enhance network mgmt

Improve network stability

Protect key customers

Protect revenue streams


ServiceProtector’s Main Features

• Signature-free DDoS, spam and zombie detection
• 0-day detection
• Fully based on traffic behavior
• <5% false positives, >95% true-positive rate
• Fast attack identification: normally less than 5 min from start to mitigation
• "On-the-fly" attack signature creation, for mitigating the attacks
• Easy and transparent installation
• Distributed system: multiple sensors with one management console
• Independent solution: no help needed from routers
• Fully integrated with NetXplorer's Network Intelligence System
• External server or an ATCA blade
• Up to 10 Gbits real-time detection per sensor


Network Behavior Anomaly Detection (NBAD)

Uses TCP/IP statistics to build behavioral models

Identifies disruptions in absolute and relative network statistics

Connectionless, sessionless, stateless

Detection speed inversely proportional to magnitude of attack

Invariant to normal peaks and troughs

Sensitive to attacks

• Network attacks disrupt network behavior and the normal relationship between network statistics

Deployment

[Diagram labels: Access; DSL Subscribers; Cable Subscribers; NetEnforcer; Service Gateway; Hosting Services; DDoS protection; International/local peering partners; NetXplorer; SP-Controller; SP-Sensor; SP-Sensor blade*]

* Availability of Service Protector blade to be announced – expect mid-late '08


MediaSwift

Intelligent Media Caching maximizes network efficiency

Accelerates content delivery and provides highest QoE

Reduce delivery costs and improve service quality

KEY BENEFITS

Transparent caching of all bandwidth-intensive protocols

Reduce OPEX

Reduction of upstream bandwidth

Wire speed data delivery

Preserves functionality for all Internet services

Scalable multi-gigabit bandwidth generation

MediaSwift

Bandwidth Control & Media Acceleration

HTTP Video P2P Peer VoIP Email, HTTP

HTTP Traffic

P2P Traffic

• Manages traffic and BW growth
• Produces BW savings
• Fastest downloads possible
• Best Quality of Experience (QoE)
• Satisfy user demand for media
• Competitive advantage over other ISPs

Internet

Subscribers

ISP Access Network

ISP Core Network

How it Works

[Diagram labels: ISP User; Internet User; Internet Access; SG-Sigma; MediaSwift Blade; File Request; File Download; Keep Alive; Stopped!]

Requested file is in the storage

File is downloaded from storage

SG redirects multimedia traffic to/from blade

Connection with peer is maintained


WebSafe

An add-on service for Allot Service Gateway Sigma

Supports encrypted URL blacklists, up to 50,000 entries

Supports Whitelist: overrides Blacklist in case of over-blocking; up to 10,000 entries

Multiple enforcement actions: redirect or block user

Network-based illegal content filtering solution

References

Public Administration: Turespaña Catastro Servicio Andaluz de Salud Oficina de Patentes Forum de Barcelona Principado de Asturias Gobierno de La Rioja Gobierno de Canarias Gobierno de Navarra Gobierno de Cantabria Ayuntamiento de Gijón Ayuntamiento de Rivas Ayuntamiento Laguna de Duero Ayuntamiento de Torre Pacheco Parlamento de Cataluña Informática Comunidad de Madrid Estrada Dixital Hospital Marqués de Valdecilla Sescam Xunta de Galicia Ayunt. Quitanadueñas Ayunt. de Barcelona

Banking and Insurance: BBVA Banco Sabadell Santa Lucia Caixanova Rural Servicios Informáticos Agroseguro BBK Ibercaja Cajasegovia Aseval Caja Laboral

Ministerio de Sanidad Ministerio de Agricultura Ministerio de Economía (IGAE) Marina Mercante Generalitat Valenciana Ayuntamiento de Lloret Dirección General de Aragón (DGA) Sadesi (Junta de Andalucía) Junta de Extremadura Consejería Educación Junta de Andalucía Parlamento de Vasco Osakidetza (Servicio Vasco de Salud) IKT (Gobierno Vasco) Autoridad Portuaria de Valencia Dirección Gral de la Policia Ministerio de Defensa Ministerio del Interior Gobierno de Murcia (F. Integra) Colegio de Registradores CNMV

References

Operators: Unión Fenosa Telecomunicaciones Comunitel Neo Sky Fujitsu ASP BT Telecable R PTVTelecom Mcctelecom CableMutua Riosat Everbit Gemytel (more than 10 regional cable operators) WifiOnline Axartel Novatelefonia Cable Sur Epresa Cable Melilla AWA Acorde Telecom Castilla La Mancha

Universities: Universidad de Oviedo Universidad de Las Palmas Universidad de Málaga Universidad de Burgos Universidad de Cantabria Universidad de León Universidad Alfonso X el Sabio Universidad Miguel Hernández Universidad de Murcia Universidad de Barcelona Oxford University Press Universidad Pública de Navarra Universidad de La Rioja Escuela universitaria Galileo Galilei Universidad de Jaen Universidad de Huelva Universidad Politécnica de Madrid Universidad de Granada

References

Industry and Enterprise: Iron Montain ENCE Barceló Viajes Garden Hotel Praxair RTVE Turespaña Agroseguro DHL Tectotrans Marmedsa Mundo Social Viajes Marsans Dorna Telemadrid Unión Española de Explosivos Arias La Cope MediaPro – La sexta Museo del prado Metro de Madrid Polaris World

Cementos Rohe Prosegur Algeposa Global Interlink Azertia Garden Group Puleva Albatros Almirall Torraspapel Iberdrola OHL Telefónica Soluciones Blanco Diagomoda AENA Radio Televisión Valenciana Transportes AZKAR Marítima Bergé Torraspapel Singular Kitchen ABC-Vocento Ibermática

Redcom Spainrep Clar Roboticker Ciudad de La Luz Detinsa Estrella de Galicia Plásticos Ferro Forum de Barcelona Grupo Urvasco Grupo Boluda Armillar Pipeline Sofware Punto Acceso Rodio Cimentaciones Mtorres Schneider Electric Trentinort Unisono ACS/dragados Telepizza
