Allot Original

RFI Response – Allot Communications

Allot Communications page - 1 / 38 6/2/2003

Allot Communications

Response to RFI issued by the Joint Committee of the Higher Education And Entertainment

Communities Technology Task Force

Technology Opportunities for Addressing Issues Associated with Peer-to-Peer File Sharing on

the University and College Campus

http://www.allot.com

Allot Communcations Allot Pricing Page 1 of 1

USA Price List

Part # Name Description List Price (US$)Support ***Important: See notes below.***Training and Professional ServicesG001008 ABPT - Allot Basic Policy

Training Two days of basic NetEnforcer and policy enforcement training at an Allot Communications Training Center.

$1,300

G001009 AAPT - Allot Advanced Policy Training

Two days of advanced NetEnforcer and policy enforcement training, including troubleshooting, at an Allot Communications Training Center.

$1,800

G001010 ACOT - Allot Custom On-site Training

Two days of customized NetEnforcer and policy enforcement training at the customer’s site (up to 10 participants).

$6,000

G001007 CNS Professional services, bandwidth allocation network audit, requirement analysis, and configuration.

$1,500/day + expenses

Maintenance & Support G001115 Gold Support Plan 12-month hardware warranty with expedited product

replacement; software updates including major upgrades; 24-hour worldwide Hotline/Web/email priority backup to reseller/distributor support with maximum 4-hour response time (maximum 24-hour response time on weekends); access to Knowledge Base.

15% of list price(see notes below)

G001136 Platinum Support Plan 36-month hardware warranty with expedited product replacement; software updates including major upgrades; 24-hour worldwide Hotline/Web/email priority backup to reseller/distributor support with maximum 4-hour response time (maximum 24-hour response time on weekends); access to Knowledge Base.

35% of list price(see notes below)

Pric

e Li

st 2

003-

3

Notes:1. "List price” for support plans is the price of the purchased Allot product with all add-on software. See product listings for policy pricing per product.2. Receive an additional three-months of coverage for free when purchasing an annual support plan at the time of product purchase (15-months total coverage).3. There is a 100% surcharge if you purchase a support plan after product purchase or after your current support plan has expired.4. For Support information regarding the NetReality WiseWan product line, please see the "NetReality" page of the Price List.

Training +Support Confidential www.allot.com



Founded : 1997

http://www.allot.com/html/company_about.shtm

Employees : 130

Headquarters :

North America Headquarters 250 Prairie Center Drive, #335 Eden Prairie, MN 55344 Tel : +1 (952) 944-3100 Fax : +1 (952) 944-3555 Europe Headquarters NCI - Les Centres d'Affaires Village d'Entreprises "Green Side" Batiment 1B 400 Avenue Roumanille BP309 06906 Sophia Antipolis Cedex France Tel : +33 (0) 4 9300-1167 Fax : +33 (0) 4 9300-1165 Asia Pacific Headquarters 9 Raffles Place, #27-01 Republic Plaza Singapore 048619 Tel : +65 6832-5663 Fax : +65 6832-5662 Middle East and Africa Headquarters 5 Hanagar Street Industrial Zone B Hod-Hasharon, 45800 Israel Tel : +972 9 761-9200 Fax : +972 9 744-3626 R&D center :

5 Hanagar Street Industrial Zone B Hod-Hasharon, 45800 Israel Tel: +972 9 761-9200 Fax: +972 9 744-3626

--------------------- Check out : http://www.allot.com/html/company_contact.shtm

Contacts :

Allot Communications was founded by Yigal Jacoby and Michael Shurman, and is headed by a management team from leading networking, internet and network management companies.

------------------

Yigal Jacoby, CEO & Chairman of the Board [email protected], +972 9 761 9200 x 201 Eran Ziv, President [email protected], +972 9 761 9200 x 222 PG Narayanan, CEO of Allot Americas [email protected], +1 952 944 3100 Azi Ronen, Executive VP Technology and Marketing [email protected], +972 9 761 9200 x 205 Menashe Mukhtar, VP International Sales [email protected], +972 9 761 9200 x 230 Michael Frank, VP R&D [email protected], +972 9 761 9200 x 212 Ramy Moriah, VP Operations & Customer Care [email protected], +972 9 761 9200 x 250

---------------------- Check out : http://www.allot.com/html/company_management.shtm

General Information: [email protected] General Sales Inquiries: [email protected] Customer Support: [email protected]



TABLE OF CONTENTS

1. About Allot ________________________________________________________________ 3

2. At a glance ________________________________________________________________ 3 Overview __________________________________________________________________________ 3

2.1.1 System-Network Interaction__________________________________________________________ 3 2.1.2 General presentation________________________________________________________________ 3 2.1.3 NetEnforcer Details ________________________________________________________________ 3

3. The NetEnforcer Description _________________________________________________ 3 Hardware Description _______________________________________________________________ 3 Policy Definitions ___________________________________________________________________ 3

3.1.1 Classification _____________________________________________________________________ 3 3.1.2 Pipe_____________________________________________________________________________ 3 3.1.3 Virtual Channel ___________________________________________________________________ 3 3.1.4 Rules____________________________________________________________________________ 3 3.1.5 Templates ________________________________________________________________________ 3

Classification Criteria _______________________________________________________________ 3 Actions ____________________________________________________________________________ 3

3.1.6 Access Control ____________________________________________________________________ 3 3.1.7 Quality of Service _________________________________________________________________ 3 3.1.8 Connections Control________________________________________________________________ 3

Real-time Monitoring ________________________________________________________________ 3 Accounting/Reporting _______________________________________________________________ 3 Event notification system _____________________________________________________________ 3 Virtual Bandwidth Manager (VBM) ___________________________________________________ 3 Scalability _________________________________________________________________________ 3 Redundancy________________________________________________________________________ 3

3.1.9 Management Port __________________________________________________________________ 3 3.1.10 Fail Safe Features _______________________________________________________________ 3

3.1.10.1 Bypass Feature _______________________________________________________________ 3 3.1.10.2 Full Redundancy Feature _______________________________________________________ 3

Security ___________________________________________________________________________ 3 About the NetEnforcerAC-1000 _______________________________________________________ 3

4. This Section Intentionally Omitted _____________________________________________ 3

5. Detailed answers to the RFI Items _____________________________________________ 3 5.1.1 Network Architecture_______________________________________________________________ 3 • Bandwidth Shaping___________________________________________________________________ 3 • Data/File Sharing Blocking_____________________________________________________________ 3 • Matching, Screening and Filtering _______________________________________________________ 3 • Network Performance _________________________________________________________________ 3 5.1.2 Scalability________________________________________________________________________ 3 5.1.3 Protocol Identification ______________________________________________________________ 3 5.1.4 Granularity of Protocols_____________________________________________________________ 3 5.1.5 Content Identification_______________________________________________________________ 3 5.1.6 Examination of Network Packets or File Content _________________________________________ 3 5.1.7 Distribution System ________________________________________________________________ 3 5.1.8 Resilience of the Technology to Countermeasures ________________________________________ 3



5.1.9 Testing and Installed Base ___________________________________________________________ 3 5.1.9.1 Testing _____________________________________________________________________ 3 5.1.9.2 Installed Base ________________________________________________________________ 3

5.1.10 Competitive Approaches __________________________________________________________ 3 5.2 Intellectual Property __________________________________________________________ 3 5.3 Corporate Characteristics and Resources ________________________________________ 3 5.4 Pilot Testing _________________________________________________________________ 3 5.5 Commercial Terms ___________________________________________________________ 3

Maintenance & Support ____________________________________________________________________ 3 Pricing _________________________________________________________________________________ 3 Payment Terms___________________________________________________________________________ 3 Discounts _______________________________________________________________________________ 3

5.6 Additional Information/Summary_______________________________________________ 3 6. Contact Details _____________________________________________________________ 3



1. About Allot

Allot Communications is a world leader in delivering technologies that dramatically improve the performance of networks and the applications that use those networks. By allowing network administrators to establish network policies and traffic priorities that reflect the goals of the business, Allot’s policy-based networking solutions empower a new level of intelligence designed to align network resources with critical business priorities. In a university setting, for instance, policies and priorities can be easily implemented that empower managers to balance the networking needs of administrators and office personnel, faculty, students, research and network managers. Further, it enables the university to meet business goals and enforce university policies by: 1) allocating bandwidth to high-priority users, departments, applications & protocols, 2) blocking, controlling or prioritizing certain applications or protocols (such as P2P), or 3) an almost infinite combination of these two techniques.

Founded in 1997, Allot has been on the leading-edge of QoS and various traffic management technologies since these concepts were originally conceptualized as a component of services such as ISDN, Frame Relay and other packet-based technologies. Since that time, Allot has been working hand-in-hand with forward-thinking companies from around the world to make the QoS concept into a reality. Allot’s solutions have found a home in thousands of networks around the globe, including: major colleges and universities, Fortune 500 enterprises, Tier 1 carrier networks, governments, wireline and wireless ISP, cable networks/MSOs, and many others.

Allot also offers state-of-the-art, artificial intelligence-based content filtering technologies designed to keep students/users/employees from accessing Internet materials that violate business policies. These policy-based solutions are designed to work in concert with Allot’s related bandwidth management technologies to deliver a seamless and comprehensive total traffic management solution.

2. At a glance

Overview

2.1.1 System-Network Interaction

The Allot Communications solution consists of:

• The NetEnforcer® (NE) - Policy Enforcement Device.

The NE is located at strategic points in the network architecture and implements the policies which are defined by the network administrator. It also collects the information (both real-time and long-term) for monitoring, reporting and service level agreement (SLA) management purposes.

• NetPolicy Server (NP) – Central Policy Management, Monitoring and Reporting Server.

The NP provides a single point of control for all policy management activities. The NP supports both multiple Enforcement devices and multiple interface users. The NP server is accessed through a Java-based GUI that will run on a PC or a Sun workstation.



Note that the NetEnforcer can also be managed as a standalone device, using a standard web-browser.

Allot solution offers a variety of tools that can be mapped to four of the tool classes outlined in the RFI:

• Bandwidth Shaping.

• Data/File Sharing blocking.

• Matching, Screening and Filtering.

• Network Performance.

Further details about Allot’s capabilities for each class of tools can be found in Sections 3 & 5.

From a network point of view, the NetEnforcer passes traffic from the internal interface (LAN side) to the external interface (WAN side), making this appliance transparent as a bridge (no subnet modification, no routing between the two active interfaces).

Figure 1: NetEnforcer Placement

The NetEnforcer requires only an IP address to be managed (via NetPolicy or a Web browser). The NetEnforcer interacts with all the IP flows and sessions which are crossing it, but doesn’t have to interact with any other components on the network.

2.1.2 General presentation

1.3. System Overview

Allot Communications’ policy-based platform enables a company to design, implement and monitor a business-aware network. Allot Communications provides a complete set of Bandwidth Management and Reporting tools, integrated into a single appliance, for:

• Automatic discovery and classifications of flows, up to Layer 7 (and even higher using an “application signature” technique).

• Dynamic shaping and ToS (type of service) tagging of the above-mentioned flows (bandwidth management, guaranteeing mission-critical applications in the enterprise),

• Real time flow monitoring for fine tuning, troubleshooting and on-line SLA management,



• Long term statistical storage for SLA enforcement, capacity planning and volume/usage billing requirements,

• Usage based accounting.

• Advanced traffic engineering functions like:

o Automatic activation of fairness per user,

o Oversubscription management based on a 0 to 10 priority scale,

o Alarm management based on usage and number of active connections, allowing in particular Denial of Service (DoS) attack prevention,

o Activation/provisioning of tiered bandwidth services for ISPs’ subscribers.

2.1.3 NetEnforcer Details

Allot Communications offers a wide range of NetEnforcer enforcement devices. The AC102-AC402 are Standard 1U by 19-inch, rack mountable devices. These models have 3 standard 10/100 Ethernet RJ45 Interfaces. The upper range models, the AC602-AC1000 are Standard 2U by 19-inch rack mountable devices. These modules have a combination of 10/100/1000 Ethernet copper/fiber interfaces.

Figure 2: The NetEnforcer (From Top to Bottom) AC-402; AC702-Copper; AC802-Fiber

The bandwidth throughput and performances for each model are displayed in the following table:



Enterprise Product range Product Managed

Bandwidth Pipes

(Total) VCs

(Total) Concurrent

Connections

Interfaces

AC102/128K 128 Kbps 64 1024 6,000 10/100BaseT

AC102/512K 512 Kbps 128 1024 6,000 10/100BaseT

AC202/2M 2 Mbps 256 2048 12,000 10/100BaseT

AC202/10M 10 Mbps 256 2048 12,000 10/100BaseT

AC302 45 Mbps 1024 4096 64,000 10/100BaseT

AC402 100 Mbps 1024 4096 96,000 10/100BaseT

AC602 100 Mbps 2048 8192 128,000 10/100BaseT

AC702-C 155 Mbps 2048 8192 128,000 10/100/1000BaseT Copper

AC702-F 155 Mbps 2048 8192 128,000 1000 Fiber

AC802-C 310 Mbps 2048 8192 128,000 10/100/1000BaseT Copper

AC802-F 310 Mbps 2048 8192 128,000 1000 Fiber

AC1000 310M SP 310 Mbps 2048 8192 128,000 GBIC (copper and fiber)

AC1000 620M SP 620 Mbps 2048 8192 256,000 GBIC (copper and fiber) AC1000 1000M SP 1 000 Mbps 2048 8192 256,000 GBIC (copper and fiber)

ISP-Carrier Class Product range

Product Managed Bandwidth

Pipes (Total)

VCs (Total)

Concurrent

Connections

Interfaces

AC602SP 100 Mbps 4096 28,000 256,000 10/100/1000BaseT Copper

AC702 SP-C 155 Mbps 4096 28,000 256,000 10/100/1000BaseT Copper

AC702 SP-F 155 Mbps 4096 28,000 256,000 1000 Fiber

AC802 SP-C 310 Mbps 4096 28,000 256,000 10/100/1000BaseT Copper

AC802 SP-F 310 Mbps 4096 28,000 256,000 1000 Fiber

AC1000 310M SP 310 Mbps 10,000 80,000 500,000 GBIC (copper and fiber)

AC1000 620M SP 620 Mbps 10,000 80,000 500,000 GBIC (copper and fiber) AC1000 1000M SP 1000 Mbps 10,000 80,000 500,000 GBIC (copper and fiber)

Figure 3- NetEnforcer Models



3. The NetEnforcer Description

Hardware Description

The NetEnforcer ranges from AC102/128K to AC1000. As described in the tables presented in Section 2, differences are not in the software features but in the active throughput, the number of supported policies and the number of active simultaneous connections.

Figure 4: NetEnforcerAC-802 / AC-702

• Interfaces

o AC102-AC402 - 10/100 standard Ethernet connectors/interfaces.

o AC602-AC802 – 10/100/1000 standard Ethernet connectors/interfaces. And 1Gbps fiber interfaces (SX/LX).

o AC1000 – GBIC interfaces (supports both 1Gbps fiber interfaces and copper interfaces).

All models include one 10/100Base-T port for out-of-band management access and an additional console port.

• Redundancy

Fully functional redundancy is available via implementation of two separate NetEnforcer systems, connected with a backup cable leaving no single point of failure.

Control link via backup connector for rapid remote system sensing.

All systems include fail-over protection via a hardware bypass for uninterrupted traffic flow in the event of system or power failure.

The AC-702/SP &AC-802/SP include dual 200W hot-swappable power supplies and power feeds.

Please refer to Section 5 for additional details.

• Mechanical

o AC102-AC402 - Rack mounted 19” x 1U.



o AC602-AC802 & AC-1000 – Rack mounted 19” x 2U

Network connections, console, display, keypad, and backup connections are all located on the front side on the unit.

Power supplies and connectors located on the back of the unit (in AC-1000 it is located on the front side).

Policy Definitions

Allot provides an intuitive Policy Definition Table for application of specific Quality of Service (QoS) policies to your traffic.



Figure 5: Policy Definition Table

Policy definitions consist of two sections; Classification and QoS Actions.

3.1.1 Classification

Classification is the process of categorizing the traffic based on certain criteria. There are two levels of classification – Pipe and Virtual Channel. The NetEnforcer enables traffic classification and enforcement of Quality of Service according to high-level, easy-to-understand concepts. Traffic can be logically grouped into categories such as Mission Critical, Timing Critical, or Low Priority. These result in the desired network actions when matched to network traffic. QoS policy consists of a set of conditions (rules) and a set of actions that apply as a consequence of the conditions being satisfied. Traffic is classified using Pipes and Virtual Channels. A Pipe and a Virtual Channel are defined by one or more rules and a set of actions. A Pipe includes one or more Virtual Channels.

1st Classification level « PIPE »

2nd Classification level «Virtual Channel»

Actions

Acces control

QoS Attribute

Re-direction

Policies names

« Pipes »

and

« Virtual Channel »

Classification

Source

Destination

Service (including P2P applications)

Time

TOS-Diffserv

VLAN



3.1.2 Pipe

A Pipe provides a way of classifying traffic that enables administrators to subdivide the total bandwidth and then manage every Pipe as if it was an independent link. A Pipe consists of one or more sets of conditions (rules) and a set of actions that apply when any of the rules are met. A Pipe can aggregate several Virtual Channels, acting like a container of Virtual Channels from a QoS point of view. When a new Pipe is added, it always includes at least one Virtual Channel - the Fallback Virtual Channel. The rule for the Fallback Virtual Channel cannot be modified or deleted. A connection coming into the NetEnforcer is matched to a Pipe according to whether the characteristics of the connection match any of the rules of the Pipe. The connection is then further matched to the rules of a Virtual Channel under the Pipe. The actions defined for the Pipe influence all the Virtual Channels under the Pipe. The actions defined for a Virtual Channel are enforced together with the actions of the Pipe. The Pipe can represent either a physical WAN link or it maybe used to represent a customer (in a Service Provider environment). It is usually defined by the remote locations’ IP Subnet, but any of the classification variables may be used. See classification criteria below.

Figure 6: Classification - the Pipe

3.1.3 Virtual Channel

A Virtual Channel provides a way of classifying traffic and consists of one or more sets of conditions (rules) and a set of actions that apply when any of the rules are satisfied. A Virtual Channel is defined within a Pipe. A connection matched to a Pipe is further matched to a Virtual Channel according to whether the characteristics of the connection match any of the rules of the Virtual Channel.

3.1.4 Rules

A rule is a set of five conditions. Rules can be defined at the Pipe level or Virtual Channel level. NetEnforcer matches connections to rules, first at the Pipe level and then at Virtual Channel level within a Pipe.

3.1.5 Templates

“Templates” enable you to create a "master" Pipe or Virtual Channel that upon saving will create multiple Pipes or Virtual Channels very similar to each other. Templates work with host group



entries and LDAP-based host entries defined in the Host Catalog. For example, if you had a host group entry in the Host Catalog called “Gold Customers” that consisted of Company X, Company Y and Company Z, you could define a Pipe template to be expanded for Gold Customers. This would result in Pipes being created for Company X, Company Y and Company Z when the Policy Editor is saved.

A Pipe or Virtual Channel template enables the fast creation of Pipes and Virtual Channels based on source/destination. This means that you do not need to define similar Pipes and Virtual Channels when the only difference between them is the IP address in the source or destination.

Classification Criteria

• Connection Source: Defines the source of the traffic. For example, specific IPs or MAC addresses, a range of IP addresses, IP Subnet addresses, or host names. The default value is “Any” which covers traffic from any source.

• Connection Destination: Defines the destination of the traffic. For example, specific IPs or MAC addresses, a range of IP addresses, IP Subnet addresses, or host names. The default value is “Any” which covers traffic to any destination.

• Service: Defines the protocols and applications relevant to a connection. A service can be:

o A non-IP protocol.

o Any IP protocol.

o Any TCP and UDP port numbers.

o Applications that utilize port hopping techniques to avoid detection. These applications will be identified by the application signature (P2P applications such as KaZaA, Gnutella, WinMX, eDonkey and standard applications such as HTTP, FTP Oracle and more).

o An application with a specific content. For example:

For HTTP you can further classify by URL, Mime type, Method, host.

For Citrix you can further classify by ‘published application’ and user name or separate Citrix print traffic from the application traffic.

Classify Oracle traffic by database name and user name.

For FTP you can further classify you can further classify by file name or file extension.

For SMTP (e-mail protocol) by the sender (specific sender or the domain).

Classify between uploads and downloads in P2P applications.

• TOS: Defines the TOS byte contained in the IP headers of the traffic. The default value is “Any” which covers any TOS value.



• VLAN: Defines VLAN traffic classification according to VLAN ID (VLAN Identifier) tags, consisting of 12 bits, and according to tagging priority bits, consisting of three bits.

• Time: Defines the time period during which the traffic is received. For example daily between 8.00 AM and 6.00 PM, Sundays between 12.00 AM and 12.00 PM or on the 1st and 15th of the month. The default value is “Always” which covers traffic at any time.

When a new Pipe or Virtual Channel is created, it is assigned a default rule with default values for each condition. These values may be modified as required.

The possible values for each condition are defined in the Catalog entries in the Catalog Editor. A Catalog Editor enables administrators to give a logical name to a comprehensive set of parameters (a Catalog entry). This logical name then becomes a possible value for a condition.

Figure 7: Host catalog Editor



Figure 8: Host Group catalog Edition

Figure 9: Host Catalog “gold” linked to LDAP server



Figure 10: LDAP «Fetch & view contents» result

Figure 11: Service Catalog Editor



Figure 12: ToS field catalog Editor

Figure 13: VLAN fields catalog Editor



Figure 14: Time catalog Editor



Actions

Pipes and Virtual Channels include a set of actions that are assigned to traffic once it meets any of the rules defined for a Pipe or Virtual Channel. There are two actions that can be defined for a Pipe: Access Control and Quality of Service, and three actions that can be defined for a Virtual Channel: Access Control, Quality of Service and Connection Control. Only if Access Control is set to Accept may the other actions apply.

3.1.6 Access Control

This action determines the access given to traffic. The possible values are as follows:

• Accept: The connection is accepted and traffic is granted access. This is the default value.

• Drop: All packets are dropped. In TCP traffic, an RST packet is sent to the client and the user may see the message Connection Closed by Server.

• Reject: All packets are dropped. The user is disconnected and may see the message Connection timed-out.

If the Access Control for a Pipe or Virtual Channel is specified as Reject or Drop, all traffic meeting the rules of the Pipe or Virtual Channel is dropped and no other Quality of Service or Connection Control actions are applied.

3.1.7 Quality of Service

This action determines the QoS given to traffic. The QoS specified can include the following:

• Priority per Pipe/Virtual Channel

• Priority per connection (Virtual Channel only)

• Minimum and maximum bandwidth per Pipe/Virtual Channel

• Minimum and maximum bandwidth per connection (Virtual Channels only)

• Guaranteed bandwidth per connection (Virtual Channels only)

• Traffic shaping by enforcing Constant Bit Rate (CBR) or Burst level (Virtual Channels only)

• TOS marking per channel

• Admission Control (number of connections)

• Reserve on Demand (Pipes only)

• Conditional Admission

The default Quality of Service action for Pipes or Virtual Channels is Normal Priority, which has Level 4 priority, no bandwidth definitions, no TOS marking and no connection limitations. The



possible values for the Quality of Service action are defined in a Catalog entry in the Quality of Service Catalog Editor. A Catalog Editor enables you to assign a logical name to a comprehensive set of parameters. This logical name then becomes a possible value for an action.

Figure 15: QoS Pipe catalog Editor



Figure 16: QoS Virtual Channel catalog Editor

3.1.8 Connections Control

The CacheEnforcer® and the NetBalancer® software add-ons enhance network performance by controlling traffic flows. The CacheEnforcer reduces WAN bandwidth consumption and simplifies caching administration in a single layout to manage multiple cache servers. The NetBalancer goes beyond traditional load balancing equipment by allowing the definition of policies that control both the prioritization of applications on the network and the distribution of those applications to servers.

Real-time Monitoring

The key factor to implement relevant policies on the network is to understand flows and patterns. The NetEnforcer provides an overall real-time view of the network from a single screen. The color coded indicators provide an easy-to-read display of the entire system, enabling rapid identification of application behavior, link activity and network status.

In order to control the ever-changing network, real-time information is required. The real-time information that the NetEnforcer provides allows users to make well-informed decisions about their network.



Figure 17: Real-time Monitoring (Top-down approach)

Pipe Selection

Virtual Channel Selection



Accounting/Reporting

The Accounting module provides NetEnforcer's application performance management and SLA/QoS enforcement capabilities with accurate network accounting, analysis and reporting. The NetAccountant module has an integrated reporting tool that delivers a complete graphical and textual system for tracking network usage. Additionally, the traffic information collected by the NetAccountant Module can be readily exported to a billing system for the seamless creation of customer/user bills/reports.



Figure 18- Multidimensional Reports

Discover Under- and Over-Utilized Links and Resources

Use NetAccountant to create protocol and bandwidth distribution reports on specific problem areas in your network. After pinpointing understand over-utilized links and resources that prevent maximum network and application performance, adjust your network policies to reallocate bandwidth

Intuitive Report Wizard

NetAccountant reporting system offers an intuitive Report Wizard that speeds report creation. The wizard removes the complexity of working directly with the SQL databases or the need to master Crystal Reports in order to create graphical reports. Quickly create meaningful reports in just a few steps using radio buttons and drop-down menus.

Enable Usage-Based and Tiered Services Billing

Universities can use the NetAccountant to measure specific customer usage of bandwidth and resources. This information enables billing of users, departments or locations for actual bandwidth used or actual traffic transmitted.

Event notification system

(available from version 5.1)

The NetEnforcer’s intelligent alerting and event notification system can inform by email, pager or cellular phone when one of the configurable events is triggered. This enables the network manager to take corrective actions before problems becomes costly. It provides for greater control of the network by setting threshold levels triggering alerts. In addition, the network reactions to specific events or alarms can be automated by selecting a program or script, predefined or customized, to be triggered and run under predefined event conditions.



Figure 19: Defining events and thresholds in the Alert module

Figure 20: Viewing Alerts in the alert log window



Virtual Bandwidth Manager (VBM)

The Virtual Bandwidth Manager enables students, departments, locations (or other user groups) to securely view and manage their own bandwidth usage—without installing on-site networking equipment. By browsing to the VBM Web server, students or departments can view their own hourly, daily, weekly, monthly and yearly bandwidth consumption.

Scalability

Allot Communications offers the broadest and most comprehensive family of bandwidth management devices in the world, and prospective users are encouraged to verify that Allot’s cost/Mbps of throughput is the most competitive on the market. The NetEnforcer modules are distinguished by the bandwidth, number of policies and number of connections. The NetEnforcer product line ranges from 128K throughput with 6,000 simultaneous connections, up to 1Gbps full duplex throughput and 500,000 simultaneous connections:

NetEnforcer Product Line

0.128 0.512 2 10 45100 100

155

310 310

620

1000

0

200

400

600

800

1000

1200

AC102

AC102

AC202

AC202

AC302

AC402

AC602

AC702

AC802

AC1000

AC1000

AC1000

Thro

ughp

ut (M

bps)

Figure 21: NetEnforcer Product Line

Certain models may be easily upgraded to a more powerful specification by simply purchasing and activating a simple software key.



Redundancy

The range of NetEnforcers, from AC102 to AC402, offers classic Enterprise MTBF.

The AC602/702/802 series offers a carrier-grade platform and MTBF, including dual CPUs and dual hot-swappable power supplies.

The newly designed AC-1000 relies on the IBM Network processor technology (Pico-processors matrix). It also offers high availability via dual-load-sharing hot-swappable power supply with dual power feed. A 48VDC power supply is also available.

3.1.9 Management Port

All NetEnforcer models are equipped with a management port. The management port is an additional RJ45 Ethernet port designed to provide out-of-band management for the NetEnforcer device. If the management port is activated, access to the device (as opposed to through the device) can only take place via the management port. It is also important to note that all of the IP-related settings on the device are for management purposes only. The device is a genuine bridge and does not provide any layer-3 routing. In addition to providing an essential security role, it can also be used to off-load monitoring, reporting and billing information from the main network segment to a dedicated link, hence saving additional bandwidth overhead.

3.1.10 Fail Safe Features

Allot NetEnforcers™ have two fail-safe features that ensure proper and continuous network function: Bypass and Full Redundancy.

3.1.10.1 Bypass Feature

All NetEnforcers™ contain a Bypass element that connects the Internal connector to the External connector in the case of a subsystem failure in the NetEnforcer or a power loss.

This mechanism ensures that traffic continues to pass through the passive elements of the NetEnforcer should any hardware or software problem occur. The Bypass is an internal element on all models except the upper range models, where it is implemented as an external Bypass module.

The Bypass is a mission-critical sub-system designed to handle the failure of a network device and still ensure that the network functions properly. The Bypass provides "connectivity insurance" in the event of a NetEnforcer subsystems failure. The NetEnforcer is factory configured, to ensure normal network operation during power loss and other critical hardware and software failure. When the system goes into Bypass mode, it is immediately indicated by the status indicators.

3.1.10.2 Full Redundancy Feature

Full Redundancy is a backup mechanism that handles the failure of a network device, and ensures the network continues to function. Full Redundancy is provided by connecting two NetEnforcers in parallel (see figure 4 below). The Primary NetEnforcer handles the traffic and the Secondary NetEnforcer is designed to be in Standby mode as long as the Primary NetEnforcer is active. If for any reason the Primary NetEnforcer is not able to function properly, the secondary NetEnforcer becomes active.



Figure 22: Redundant NetEnforcers

Additionally, the Spanning Tree IEEE 802.1 protocol maybe used to provide Full Redundancy. Using the Spanning Tree algorithm, one NetEnforcer serves as the Primary system and passes through all traffic. The second NetEnforcer serves as the backup system and remains idle, except for sending messages periodically to the Primary unit. If the backup NetEnforcer determines that the Primary NetEnforcer has failed, it takes over responsibility for passing all traffic and applying the correct policies.

Security

Security of the NetEnforcer management interface includes:

• User ID and Password ( administrator / root / monitor profile ), • IP Access List, • Additional Out-band management port, • Hardware and Software bypass, redundant NetEnforcers • Dual-hot swappable power supply on the top of the range.

About the NetEnforcerAC-1000

The NetEnforcer AC-1000 is Allot Communications’ next generation bandwidth management appliance. It deserves a specific description as it is based on a totally new hardware, offering true Gigabit throughput controlled by IBM network processors. It is designed to enable carriers and large ISPs better control of their existing services and offer new ones.

The AC-1000 is carrier-grade design with redundant and hot-swappable components. It supports bi-directional Gigabit throughput and wide variety of network interfaces.

Its carrier-grade features include hot-swappable, redundant power supplies with dual power feeds including –48V feed.

The AC-1000 is designed to meet NEBS and ETSI standards.



Figure 23: NetEnforcerAC-1000

4. This Section Intentionally Omitted



5. Detailed answers to the RFI Items

5.1.1 Network Architecture

Allot solution includes enhanced Peer-to-Peer (P2P) classification capabilities. Allot uses the application signature to classify many protocols and applications including P2P applications. Allot constantly updates it s/w to support new P2P and had been doing so from the first days of Napster.

Furthermore in its new version (currently in Beta testing), Allot can distinguish between uploading and download (‘get’ and ‘put’) at the initiation of the file transfer process. This capability enables you to know who is the ‘uploader’ and who is the ‘downloader’ and set more advanced policies, such as blocking external KaZaA-users from downloading files from KaZaA-users inside your network.

While taking advantage of the superior P2P classification capabilities Allot’s solution can be classified to any of the following tools classes (all capabilities are built-in to the NetEnforcer):

• Bandwidth Shaping

Allot’s solutions can guarantee, limit and prioritize each type of traffic. The NetEnforcer’s QoS engine uses the patent Per Flow Queuing (PFQ) mechanism enables flexible policy creation on one hand and very accurate enforcement. This QoS engine has a hierarchical structure thus enables you to split the traffic to several groups (that can reflect physical lines, users or even applications) and prioritize the traffic within each group. In addition this mechanism enforces fairness between the different traffic flows.

• Data/File Sharing Blocking

The NetEnforcer, in addition to its shaping capabilities, can block traffic according to the network administrator’s policies. The NetEnforcer is capable of blocking traffic in two manners:

a. Block traffic by dropping all packets of the blocked flow.

b. Block traffic by dropping all packets of the blocked flow and send a message back to the initiator of the session.

• Matching, Screening and Filtering

With the NetEnforcer you can define a list of filters according to the classification criteria listed in the classification section (previously described). These filters can be monitored with the NetEnforcer’s monitoring tools. You can see dynamic, auto-updated graphical reports, tabular reports and trend reports.



• Network Performance

The NetEnforcer’s real–time and long-term monitoring and usage accounting modules provide an excellent means to monitor the network performance. The NetEnforcer collects variety of counters (e.g. bytes, packets, number of connections….) and displays different reports with a Java-based reporting tool that allows interactive analysis of the network.

5.1.2 Scalability

Allot offers the widest range of solutions in the industry. The NetEnforcer have different models that start models that support 128Kbps and range up to 1Gbps. The full description of the different models in presented in section 2.1.3.

The latency of all the models of the NetEnforcer product line is less then 1 millisecond.

The high-end model in terms of performance is the AC-1000/1000M. The AC-1000/1000M model supports bi-directional gigabit wire-speed. With full functionality applied, the AC-1000 supports full bi-directional gigabit wire-speed for average packet size of 256bytes.

5.1.3 Protocol Identification

Allot uses the both layer 7 analysis (application signatures) and TCP/UDP/IP/Ethernet header analysis to classify protocols and applications. Allot has extended layer 7 capabilities allows its product to classify various applications by layer 7 analysis:

• Peer-to-Peer applications such as KaZaA, Gnutella and many more (Allot is constantly adding new applications as they start to appear in the network).

• Business applications such as Oracle.

• General applications such as HTTP and FTP.

• Streaming and VoIP applications such as H.323 and RTSP.

In addition Allots products can classify flows according to content in the application layer:

• Classify the Peer-to-Peer flows according to the direction of the download (identify between ‘Put’ and ‘Get’).1

• Classify business applications such as Citrix according to the application used on top, or Oracle according to the database name.

• Classifies general applications like HTTP according to URL and Mime type, or SMTP (mail protocol) according to the mail sender (used for limiting bandwidth of suspected SPAM mails).

1 This feature will be released in version 5.1. Release is target for 3Q03.



Allot also provides extensive support to non TCP/UDP protocols such as routing protocols.

Allot’s enhanced GUI enable users to easily add new applications and proprietary application to the ‘service catalog’ (see section 3 for details about service catalog). Allot also enables customer to automatically update their service catalog from Allot web site by a simple mouse click. There are cases that adding new applications will require s/w upgrade – this depends in the application characteristics.

5.1.4 Granularity of Protocols

In addition to the description mentioned in the previous section, this section will elaborate more about the technology related to Peer-to-Peer.

The NetEnforcer classifies all the common Peer-to-Peer applications. For most of them Allot classifies all related flows (control sessions, search session and the transfer session). For all applications supported the NetEnforcer classifies the transfer sessions.

The list of the protocols supported is updated frequently. Examples are mentioned in section 4.2 above and there are many more. Allot can provide upon request the most updated list of protocols it supports.

Partial list of the protocols supported today:

KaZaA Version 1 and Version 2 (Other applications that use this protocol are: KaZaA Lite, Grokster, iMesh and more); Gnutella (Used by applications such as Shareaza, Morpheus, Gnucleus, XoloX, LimeWire, Bearshare); WinMX; eDonkey; AoudioGalaxy; Direct connect; Hotline; Madster and more.

In addition Allot also supports over 30 gaming protocols.

Allot’s technology can auto-detect each protocol separately. Without the need of configuring anything, the Network administrator can generate reports with a simple wizard that shows him the top protocols in his network and how they are being used. The network administrator can easily define different policies for each protocol. Moreover the network administrator can define different policies according to the direction of the file transfer - e.g. different policy for file transfer from an internal peer (a peer located inside the university network) to an external peer and for file transfer from an external peer to an external peer2.

With the NetEnforcer you can provide different policies (including rate limits) on file transfer sessions and search session.

2 Available in version 5.1



5.1.5 Content Identification

The NetEnforcer supports classification by content for many of the common applications. For example with the NetEnforcer Network administrator can classify HTTP traffic by the content type it transfers (same for FTP).

For P2P applications the NetEnforcer is able to classify P2PPeer flows according to the direction of the file transfer (according to ‘put’ and ‘get’ commands)3. Allot is in the process of developing additional capabilities for classifying P2P applications by different content characteristics.

5.1.6 Examination of Network Packets or File Content

The NetEnforcer is located in-line before the access router. All traffic going from the university network to the Internet and vise versa is going through the NetEnforcer. The NetEnforcer inspects each packet that enters and matches it to the appropriate flow. The flow is matched to the appropriate protocol and policy.

The NetEnforcer uses the Ethernet header, the IP header, the TCP/UDP headers and the content of the application for classifying protocols and applications. For example in KaZaA we look at the UserAgent field in the application layer as part of the classification process (for other protocols we use other fields).

5.1.7 Distribution System

Information about the distribution system is defined in previous sections. A detailed and updated list can be provided as needed.

5.1.8 Resilience of the Technology to Countermeasures

The NetEnforcer has built in mechanisms to resist all countermeasures described:

1. Countermeasures taken by the P2P software – Allot is able to classify all currently known P2P protocols as long as the protocol has a unique signature. In case there isn’t such a signature (e.g. all the content in layer 7 is encrypted) the NetEnforcer will not uniquely identify this traffic. In such cases Allot offers the ‘elimination method’ – meaning that all the identified traffic will be assigned to policies according to their traffic type and the remaining traffic including the unclassified traffic will be matched to the ‘fallback’ pipe. The network administrator can establish the policies for the ‘fallback’ pipe. This way, the network administrator can rate limit the Peer-to-Peer protocols that utilize encryption or any other countermeasure.

3 Available in version 5.1.



2. Circumvention efforts by P2P users – All known measures can be identified by Layer-7 / content inspection.

3. Denial-of-Service (DoS) against components of the technology – The NetEnforcer has internal capabilities that protect the NetEnforcer against DoS attacks. For example the NetEnforcer can limit the ‘number of connections’ and ‘new connections rate’ and let the network administrator decide what to do with the extra connections – block them or pass them without classification and enforcement.

5.1.9 Testing and Installed Base

5.1.9.1 Testing

The testing of new software version is done in several phases. The first phase is the unit-test, where the software update is tested as an independent sub-module. In the second phase the unit is placed in an environment running all known protocols. In this environment many different scenarios are executed to verify that the NetEnforcer can classify the protocol under a wide variety of conditions.

In the third phase we conduct performance testing to verify that there is no degradation in performance of the NetEnforcer or the network performance. The performance testing is conducted using real traffic that includes all known protocols.

5.1.9.2 Installed Base

Allot’s NetEnforcer has been installed in over 4,000 locations around the world in a wide variety of environments, including colleges & universities, enterprises and service providers of all types.

5.1.10 Competitive Approaches

The NetEnforcer with its extended classification capabilities, especially in layer-7 and content inspection, and with the widest range of performance in the market makes it the most attractive solution for controlling Peer-to-Peer traffic.

The main strength of the NetEnforcer is in its advanced classification, policy enforcement and monitoring and reporting capabilities.

Allot has broad and deep expertise in Layer 7 classification over the course of approximtaely 4 years. This long experience allows Allot to develop a solid infrastructure for Layer-7 classification which, today, enables quick addition of new protocols that required Layer-7 inspection.

In addition to the classification capabilities Allot has enhanced enforcement measures. The NetEnforcer’s patented PFQ (Per Flow Queue) mechanism provides a wide rage of benefits:



• Guarantee bandwidth and Rate limiting applications, users and combination of the two.

• Prioritizing different types of traffic.

• Provide fairness (same users with the same priority and same application will have same level of service).

• Limit number of connections per application, user or combination of the two.

• Guarantee Constant Bit rate (CBR) policy to streaming applications.

The NetEnforcer’s Monitoring and Reporting tools provide for the network administrator and extremely powerful troubleshooting tool. In each second one can see which are the top applications that use the expensive bandwidth, and who is using them. More information about the NetEnforcer’s monitoring feature can be found in previous sections.

5.2 Intellectual Property

Patent #1 (NetEnforcer) – IP traffic classification International Application number PCT/IL02/00515

The present invention is a method for the fast and multi-stage selection. According to the present invention there is provided an improved method for the multi-stage message classification, comprising:

• A binary tree building stage, wherein a plurality of binary trees are built from an identical number of groups of arrays selected from a database of filters; and

• A filter selection stage in which a subset of filters are selected from among a table of filters, the selection being performed using the binary trees built in the first stage.

Once a group of filters has been selected from among said database filters, they may be, for example, applied to packet headers for determining the handling of these packets. According to the present invention, look-up, which is a resource-consuming operation of a filter search in the prior art methods, can now be conducted on the smaller number of filters from said selected group only, rather than on the a full database of filters.

Patent #2 (NetEnforcer) – Per Flow Queue (PFQ) – Scheduling method

International Application number PCT/IL01/01109

It is a purpose of the present invention to provide a computerized system and a method for the enforcement of a comprehensive, flexible, controllable and dynamically applied multi-tiered policy, for the determination of actions based on policy determined priorities used for the allocation of communication resources among network users, said action includes the binding of equal priority connections into sub-groups to be equally handled according to a rule applied to said sub-group, and the assembling of said sub-groups of a particular LAN into a group to which the LAN’s communication resources are allocated and in which



they are divided among said sub-groups, according to a policy. This inventive system and method is referred to herein below as Policy Enforcer, abbreviated to PE.

In the NetReality product line we have 3 additional patents:

• Patent #3 (NetReality) issued Patent # 6282562 - Method of Economically Sub Optimizing Interactions In Data-Communications Network Environments And Device According to the Method

• Patent #4 (NetReality) Application # 09/697,213 - A Method for Computing a Metric of

Mean Roundtrip transit time

• Patent #5 (NetReality) Application # 09/461,480- VIRTUAL QUEUE BASED TRAFFIC-SHAPE MANAGEMENT METHOD

5.3 Corporate Characteristics and Resources

See introductory sections.

5.4 Pilot Testing

Allot Communications is committed to working side-by-side with the Joint Committee, its constituents an the higher education community to proactively address; 1) the issues surrounding unauthorized distribution of copyrighted digital information, 2) long-term solutions that enable the authorized distribution of such materials, and 3) comprehensive and intelligent solutions that allow P2P traffic to be managed as a component of an overall traffic management strategy.

As a part of an overall program to support the Joint Committee and the higher education community, Allot Communications is pleased to offer the following multi-stage process to assist in the evaluation, selection, pilot testing and implementation of our products and services:

1. Personalized information packet

2. Web-based or CDROM-based product overview

3. Product demonstration via Web conference

4. Free, 10-day on-site pilot testing/evaluation ($0 purchase order required). Onsite installation and configuration by Allot or its resellers may incur a fee of up to $1500 per day.

5.5 Commercial Terms

Allot’s pricing structure is based on the upfront purchase of the desired base unit along with any desired hardware or software add-ons. Pricing for the baseline units varies based on the level of processing power required by the customer, which includes factors for:



bandwidth throughput required, # of policies required and # of simultaneous connections needed.

Maintenance & Support

Twelve-month and 36-month maintenance and support agreements are required for each purchased unit which provides:

• Hardware warranty (12-month or 36-month) with expedited product replacement • Software updates including major upgrades for the life of the support agreement • 24-hour worldwide Hotline/Web/email support with maximum 4-hour response

time (maximum 24-hour response time on weekends) • Access to online Knowledge Base.

Pricing

See attached Excel spreadsheet containing standard list pricing for all products, services and support/maintenance agreements.

Payment Terms

Terms are Net 30.

Discounts

The following discounts are offered to US-based colleges and universities:

1. 15-20% discount on all NetEnforcer and NetPure base models, hardware upgrade options and optional software modules.

2. 0-10% discount on 12-month and 36-month maintenance/support agreements.

3. Optional on-site professional services ($1500/day) for installation and/or configuration may be waived at the discretion of Allot Communications and/or its resellers.

Allot Communications is committed to working side-by-side with the Joint Committee, its constituents an the higher education community to proactively address; 1) the issues surrounding unauthorized distribution of copyrighted digital information, 2) long-term solutions that enable the authorized distribution of such materials, and 3) comprehensive and intelligent solutions that allow P2P traffic to be managed as a component of an overall traffic management strategy.



5.6 Additional Information/Summary

Allot Communications is committed to working side-by-side with the Joint Committee, its constituents and the higher education community to proactively address; 1) the issues surrounding unauthorized distribution of copyrighted digital information, 2) long-term solutions that enable the authorized distribution of such materials, and 3) comprehensive and intelligent solutions that allow P2P traffic to be managed as a component of an overall traffic management strategy.

With over 6 years of high-relevant industry experience and over 4,000 worldwide installations (including many of the world’s largest colleges and universities), Allot Communications is ideally positioned to address the issues and challenges presented by this RFI. Our 130 employees are working tirelessly advance and perfect the technologies associated with P2P control, QoS and traffic management.

As a part of our commitment to this process, we are in the process of developing a variety of support programs specifically targeted at meeting the specialized needs of colleges and universities. Among other things, these programs will include:

• A dedicated toll-free sales & support center staffed by personnel who are specially trained and qualified to support the needs of this market

• A dedicated email support system specifically for colleges and universities

• A Web-based resource portal containing a wealth of information designed to inform, educate and support the higher education market

6. Contact Details

Please direct any questions or follow-up discussions related to this response to:

Derek Peterson Marketing/Business Development Manager Allot Communications Inc. 250 Prairie Center Drive #335 Eden Prairie, MN 55344 952.944.3100 (phone) 952.270.7595 (mobile) 952.944.3555 (fax) [email protected] www.allot.com

Date post:	01-Jan-2016
Category:	Documents
Upload:	gibson-moses
View:	55 times
Download:	4 times

Allot Original

Documents