© 2015, VASEXPERTS.RU
SCAT DPI PRODUCT OVERVIEW
Artem Tereschenko
Partner relationship manager
VASEXPERTS.RU
Product features
SCAT is a hardware and software system developed to analyze traffic, apply rules to it and modify it using DPI (Deep Packet Inspection) technology.
Features:
• Automatic processing of the register of blacklisted sites of the Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications (ROSKOMNADZOR) and the Ministry of Justice (in compliance with Law FZ-139)
• Online analytics
• Control of subscribers’ and common bands (QoS)
• Notification of subscribers, advertising placement
• Bonus program
• Caching of YouTube, VKontakte, etc. video and audio content (QoE)
• Protection against DDoS attacks
• SORM Prefilter
Technology
Standard hardware platforms based on Intel Xeon are used. Low cost of equipment, investment protection. 1U form factor.
Direct access to the network card interface (DNA, Direct NIC Access) and a bypass function at the physical level (L1) are supported.
Fast CMS detects over 6000 protocols. It can process up to 14.88 Mpps per 10 Gbps channel with a delay not exceeding 30 microseconds.
We support VLAN, Q-in-Q, MPLS, LACP.
Classification
By overall service capacity per platform, SCAT-xx is:
• Platform SCAT-6 (6GbE, 6x1GbE 1000Base-T Copper RJ-45)
• Platform SCAT-20 (20GbE, 2x10GbE 10GBase-LR/SR SFP+)
• Platform SCAT-40 (40GbE, 4x10GbE 10GBase-LR/SR SFP+)
• Platform SCAT-60 (60GbE, 6x10GbE 10GBase-LR/SR SFP+)
• Platform SCAT-80 (80GbE, 8x10GbE 10GBase-LR/SR SFP+)
Functionality (variants of delivery):
• Entry - traffic filtering according to the requirements of the federal laws
• Base - control of traffic in general, including band and channel prioritization control, statistics and notification of subscribers, SORM prefilter
• Complete - control of subscribers, CACHE server, additional functionality
Variants of delivery
SCAT-DPI: the System of control and analysis of traffic. Variants of delivery

| Feature | Entry | Base | Complete |
|---|---|---|---|
| Bypass mode support | Yes | Yes | Yes |
| Filtering according to the registry of blacklisted websites | Yes | Yes | Yes |
| Collection and analysis of statistics according to protocols and destinations | No | Yes | Yes |
| Marking the traffic priority in accordance with the protocol | No | Yes | Yes |
| Notification of subscribers | No | Yes | Yes |
| Distribution of the access channel between subscribers | No | No | Yes |
| Advertising blocking and replacement | No | No | Yes |
| Whitelist and Captive Portal | No | No | Yes |
| Internet cache | No | No | Yes |
| 1 year update subscription | Yes | Yes | Yes |
Typical configuration characteristics

| Characteristics | SCAT-6 | SCAT-20 | SCAT-40 |
|---|---|---|---|
| Performance | 6 Gbits | 20 Gbits | 40 Gbits |
| Maximum No. of sessions | 4 M | 16 M | 32 M |
| Maximum No. of new sessions per second | 100 K | 250 K | 500 M |
| Number of detected protocols | 6000+ | 6000+ | 6000+ |
| Maximum number of subscribers | 400 K | 2 M | 4 M |
| Traffic processing network interfaces (with bypass) | 6x1GbE (RJ45) | 2x10GbE (SR/LR) | 4x10GbE (SR/LR) |
| Maximum delay (latency), not exceeding | 30 µs (microseconds) | 30 µs | 30 µs |
| Maximum No. of packets (Data Frame Size = 84 bytes), minimum | 4 M | 11 M | 20 M |
| Hardware platform | 1U, 19” | 1U, 19” | 1U, 19” |
Comparison

| | SCAT DPI | Huawei SIG9810 |
|---|---|---|
| Platform | Computer: Xeon, SSE4.2, IGB/IXGBE | Switch: ASIC/NP/FPGA/Multi-core CPU |
| Performance | Up to 40 GBPS per 1 RU | 40/50 GBPS |
| Number of flows | Unlimited (20 mln. per 20 GB RAM) | 32/40 mln. |
| Size | 1 RU | 20 RU |
| Delay | 30 μs | 200 μs |
| Reliability | Bypass | Bypass, 1+1 |
| Price | Up to 3 mln. rubles | 5 mln. rubles |
| VAS | Included into the cost of product | N mln. rubles |
SCAT-80 vs SCE10000
Technology
• VASEXPERTS SCAT-80: Distribution of data flows processing by multicore CPU Intel x86
• CISCO SCE10000: Programmable expandable architecture providing protection of investments
Performance
• VASEXPERTS SCAT-80: 80 Gbits, 2.5Tbs in cluster
• CISCO SCE10000: 60 Gbits, 480 Gbits in cluster
Number of flows: 20 mln.
Number of subscribers: 2 mln.
Hardware (RAM, CPU, Hard Drive, Main Network, Control Network)
• VASEXPERTS SCAT-80: 128 GB, CPU 18 cores; HDD 2 x 500 GB; 8 x 10 GBE with bypass; 1 x 1GBE
• CISCO SCE10000: 512 GB, CPU 40 cores; HDD 2 x 300 GB; 8 x 10 GBE with bypass; 4 x 1 GBE
Size
• VASEXPERTS SCAT-80: 1 RU
• CISCO SCE10000: 2 RU
Min GPL cost
• VASEXPERTS SCAT-80: 20 000 c.u.
• CISCO SCE10000: 400 000 c.u.
Work schemes
Installation “in break” is the recommended scheme: both traffic components, incoming and outgoing, pass via SCAT. It allows the whole available functionality to be used, including traffic prioritization and subscriber band control (Complete version).
[Diagram labels: Users, Hub, BRAS, SCAT, NAT/Edge router, Internet]
Work schemes
Asymmetric scheme: only the outgoing traffic component passes via SCAT. There are 3 variants of organization:
• with the use of an additional router and route announcement
• with the use of PBR for certain ports (80)
• traffic mirroring: SPAN ports or optical splitters
It can be used for VAS, to obtain “click stream” analytics, to notify subscribers, and to interact with the CACHE server and the SORM prefilter (Entry and Base variants of delivery).
[Diagram labels: Users, Hub, BRAS, NAT/Edge router, Internet, Mirrored traffic, SORM/SCAT]
Scaling
Scaling up to 320 Gbits is supported when using Arista/Extreme switches and Juniper/Cisco routers. Traffic balancing is provided by the use of “symmetric hash”.
[Diagram labels: A, B, Cisco/Juniper/Arista/Extreme (on both sides), SCAT-20, SCAT-40, SCAT-80]
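Why the balancing hash has to be symmetric, as an added example that is not part of the original slides: a stateful DPI node only sees a whole session if both directions of a flow are steered to it. CRC32 over a canonically ordered 5-tuple stands in here for whatever hash the switch actually computes; the node names and packets are constructed.

```python
import ipaddress
import zlib

def flow_key(src_ip, src_port, dst_ip, dst_port, proto, symmetric=True):
    """Serialise a 5-tuple; with symmetric=True the endpoints are put in canonical order."""
    a = (int(ipaddress.ip_address(src_ip)), src_port)
    b = (int(ipaddress.ip_address(dst_ip)), dst_port)
    if symmetric and b < a:
        a, b = b, a          # A->B and B->A now serialise to the same bytes
    return f"{a[0]}:{a[1]}|{b[0]}:{b[1]}|{proto}".encode()

def pick_node(packet, nodes, symmetric=True):
    """Choose the DPI node for a packet from the hash of its flow key."""
    return nodes[zlib.crc32(flow_key(*packet, symmetric=symmetric)) % len(nodes)]

def reverse(packet):
    """The same flow seen in the opposite direction."""
    src_ip, src_port, dst_ip, dst_port, proto = packet
    return (dst_ip, dst_port, src_ip, src_port, proto)

def split_flows(packets, nodes, symmetric):
    """Flows whose two directions would be delivered to different nodes."""
    return [p for p in packets
            if pick_node(p, nodes, symmetric) != pick_node(reverse(p), nodes, symmetric)]

# Constructed sample data: hypothetical node labels and documentation-range addresses.
NODES = ["SCAT-1", "SCAT-2", "SCAT-3", "SCAT-4"]
PACKETS = [
    ("192.0.2.10", 51514, "198.51.100.7", 443, "tcp"),
    ("192.0.2.11", 40022, "203.0.113.5", 80, "tcp"),
    ("192.0.2.12", 5060, "198.51.100.9", 5060, "udp"),
    ("2001:db8::10", 49152, "2001:db8:1::53", 53, "udp"),
    ("203.0.113.77", 6881, "192.0.2.200", 6881, "tcp"),
]

if __name__ == "__main__":
    print("split with symmetric hash:  ", len(split_flows(PACKETS, NODES, True)))
    print("split with directional hash:", len(split_flows(PACKETS, NODES, False)))
```

With a directional hash, any flow in the second count reaches a node that sees only half the conversation, so protocol detection and per-session filtering on that node work from incomplete state.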
Option: Traffic filtering

| Characteristics | Description |
|---|---|
| Upload of the Roskomnadzor register (Laws FZ-139, FZ-187, FZ-398) | Centralized, cloud service |
| Possibility to use the request signed by a personal electronic signature | Yes, located on the cloud |
| Upload of the federal list of extremist materials of the Ministry of Justice of the Russian Federation (FZ-114) | Centralized, cloud service |
| Filtering according to the own operator's list | Yes |
| Support of the centralized own operator's list for server cluster | Yes |
| Support of connection schemes | In break, asymmetric, mirroring |
| Possibility to control filtering according to specific users | Yes |
| Blocking the http/https traffic | Yes |
| Support for http redirect to the information content page | Yes |
| Possibility to collect statistics of the blocked pages | Yes |
| Possibility to monitor downloading of lists and functioning of filters | Yes |
| Maximum list volume | Up to 4bn. URL |
Option: Analytics
Analytical information is provided over the Netflow protocol for the following characteristics:
• Band allocation according to application protocols
• Band allocation according to the autonomous systems (AS)
• Uploading of the total information into the billing by classes for each subscriber
• Uploading of the full netflow by subscribers
• All specified modes can operate simultaneously
• Using the summary information for billing by classes for each subscriber makes it possible to tariff sip, skype, and bittorrent traffic separately
[Charts: band distribution according to protocols; distribution according to directions]
Option: Traffic prioritization
SCAT can change the priority field in packets passing through it, depending on the protocol detected by DPI.
The following fields are supported:
• DSCP/TOS in IP packet headers
• priority in headers of VLAN and QinQ packets
• traffic class in headers of MPLS packets
A router or shaper can use the marking in the priority field to ensure the required QoS for specific protocols, even without having its own DPI features.
The DSCP value is set in numeric format (base 10, 16 or 8) or using a text abbreviation.
Example:
• dns 0x3F
• skype drop
• compressnet 010
• ftp keep
• http cs0
• default keep
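A parser for the rule values in the example above, added here as an illustration and not taken from SCAT itself. It assumes one `<protocol> <value>` pair per line, a `0x` prefix for hexadecimal and a leading zero for octal, and uses the standard DSCP names (cs0 to cs7, afXY, ef); under that reading `010` is 8 (cs1), not 10 (af11), which is worth checking when auditing a marking policy.

```python
import re

# Standard DSCP names: class selectors (RFC 2474), assured forwarding (RFC 2597), EF (RFC 3246).
DSCP_NAMES = {f"cs{i}": 8 * i for i in range(8)}
DSCP_NAMES.update({f"af{c}{d}": 8 * c + 2 * d for c in range(1, 5) for d in range(1, 4)})
DSCP_NAMES["ef"] = 46

# The example rules from the slide, one "<protocol> <value>" pair per line (layout assumed).
SLIDE_RULES = """\
dns 0x3F
skype drop
compressnet 010
ftp keep
http cs0
default keep
"""

def parse_value(token):
    """Return ("keep", None), ("drop", None) or ("mark", dscp) for one rule value."""
    t = token.lower()
    if t in ("keep", "drop"):
        return (t, None)
    if t in DSCP_NAMES:
        return ("mark", DSCP_NAMES[t])
    if re.fullmatch(r"0x[0-9a-f]+", t):
        dscp = int(t, 16)
    elif re.fullmatch(r"0[0-7]+", t):        # assumption: a leading zero selects octal
        dscp = int(t, 8)
    elif re.fullmatch(r"0|[1-9][0-9]*", t):
        dscp = int(t, 10)
    else:
        raise ValueError(f"unrecognised DSCP value {token!r}")
    if dscp > 63:                            # DSCP is a 6-bit field
        raise ValueError(f"DSCP {token!r} does not fit in 6 bits")
    return ("mark", dscp)

def parse_rules(text):
    """Parse rule lines into {protocol: action}; reject malformed or duplicate lines."""
    rules = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 2 or fields[0] in rules:
            raise ValueError(f"line {n}: malformed or duplicate rule")
        rules[fields[0]] = parse_value(fields[1])
    return rules

def action_for(rules, protocol):
    """Action for a detected protocol, falling back to the "default" rule."""
    return rules.get(protocol, rules.get("default", ("keep", None)))

def apply_to_tos(action, tos):
    """New IPv4 TOS byte; only "mark" changes it, and the 2 ECN bits are preserved."""
    kind, dscp = action
    return tos if kind != "mark" else (dscp << 2) | (tos & 0x03)
```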
Option: Uplink optimization
SCAT can limit the size of the band occupied by protocol groups. This mechanism is often applied to limit torrents.
Two mechanisms are available:
• Band limitation with burst support in the form of the classical token bucket
• Band limitation with borrowing in the form of Linux HTB
[Chart annotations: “This band is paid by operator”; “99% of the time traffic does not exceed this value”]
Option: Distribution of band between subscribers
Control of the traffic bandwidth (QoS) for each subscriber in accordance with the tariff plan.
The option allows:
• to use TBF or HTB policing type with borrowing the channel band
• to set up the flexible control of the classes, thus improving QoE within the tariff in case of exceeded use of BURST and feedback incoming -> outgoing traffic to control the band
• to limit the subscriber’s traffic bandwidth in accordance with the tariff plan
• to control the rules on the per-subscriber level, to prioritize traffic according to the classes for QoS improvement, to limit the torrent traffic
• to prescribe uniform rules for corporate subscribers with a group of IP addresses
Option: CACHE server
CACHE server is an additional SCAT DPI component that caches video content of popular services, such as YouTube, RuTube, and VK.com, updates of Windows, browsers, anti-viruses, and other software, as well as repetitive files (for example, jquery libraries, pictures, etc.).
CACHE server functions only with SCAT and does not require proxy mode.
The CACHE server network connection is similar to a typical web server connection. For the connection, 2 channels must be provided for content distribution.
[Diagram labels: Router, Router, CACHE server, SCAT-1, SCAT-N, Internet]
Option: White list and Captive Portal
The white list limits the websites and pages available to subscribers and forwards subscribers to a predetermined content page when they attempt to go beyond this list.
Application:
• blocking of a subscriber at zero account balance, with the possibility to pay debts through the authorized payment systems
• user identification in WiFi networks, requiring certain user actions in the WiFi network to grant access
Work on the white list of websites is combined with a restriction to the list of protocols on the subscriber's level, for the purpose of notifying the subscriber about failure to pay for the provided services.
Option: Notification of subscribers
Possibility to notify subscribers about new offers of the operator and to warn them about planned work in the network or emergency.
Option: Protection against DoS and DDoS
The system provides the following mechanisms against DoS and DDoS attacks:
• Protection against TCP SYN Flood
• Protection against fragmented UDP Flood
SCAT includes a high-performance mechanism of protection against TCP SYN Flood and fragmented UDP Flood attacks, able to process (depending on configuration) up to 20 million packets per second.
• Protection against DDoS (LOIC, etc.) based on a Turing test (Human Detection, CAPTCHA)
• When the SCAT threshold is exceeded, only users included in the white list are allowed to work with the website; all other users are forwarded to a page with a CAPTCHA for a check.
Option: Lawful interception: traffic interception
SCAT can record network traffic online, as required to support the future SORM-3 standard, and can be used in traffic monitoring for security threat diagnostics and analysis.
The system ensures:
• traffic interception by certain protocols, IP addresses, or sub-networks (CIDR), along with information storage on a disc drive
• information storage on http queries
Parameters of traffic dump queries and http queries are changed “on the fly”, without the need to restart the whole process.
Advantages
• Support of the available server platforms
o SuperMicro, Dell, Fujitsu, and other x86 platforms
• High performance per 1 unit
o Up to 80Gbits
• Development and high-quality support of the product in Russia
o NBD - Next business day
o 8x5x8
o 24x7x4
• Competitive price
• Simplicity of scaling and upgrade
• Abundant functionality
Thank you for your attention!
info@vasexperts.ru
+7 (812) 313 88 15
http://vasexperts.ru/