
Top Performance Deep Packet Inspection Platform

August 2013

Next Generation leader of Extended Network

Background


13 Major Security Threats

- APT attacks
- Upsurge in mobile malware
- Increase in purpose-specific hacking
- Mobile device hacking
- Mobile policy & management
- Corporate image loss
- Suspension of business operations
- Hacking of government or corporate websites for political/social purposes
- Increase in ransomware
- Illegally obtaining data
- Crashing the OS


Security System Types

- Intrusion Prevention System
- Digital Rights Management
- Intrusion Detection System
- DB Security
- Firewall
- Patch Management
- Integrated RMS
- Encrypted Storage Device
- Network Access Control System
- Virtual Private Network (VPN)
- Web Application Firewall
- Integrated Device Security
- Threat Management System
- Virus Vaccine (anti-virus)
- Risk Management System
- Security Printer
- Network Monitoring System
- Device Encryption Solution
- Control System
- Forensics


Problems of Existing Security Systems

Existing security solutions such as firewalls are built on stateful inspection technology, developed around 16 years ago, which establishes the security policy in terms of port, IP address and packet type.

Application control is a major requirement of IT security (ISO 27001, PCI, etc.: the principle of least privilege).

Existing firewalls, IPS, UTM, etc. cannot satisfy these requirements.

Require Elaborated Traffic Management

Existing approach: port-based Trust / Trustless policy
- Traffic header inspection
- Trust / Trustless rule-based policy:
  Ports, Applications: PASS
  IP addresses, Users: PASS
  Ports, Applications: BLOCK
  IP addresses, Users: BLOCK
- Performance: a few x 1G & millisecond latency

BUT

L7 DPI Platform: Application & port-match based Trust / Trustless policy
- Traffic total inspection
- Performance: many x 10G or higher & microsecond latency


What is Deep Packet Inspection Technology?

DPI technology collects, analyzes and controls all network traffic from L2 to L7 in real time.

[Diagram: packet structure (MAC header, IP header, TCP/UDP header, payload) and the portion of it examined by DPI, servers, a firewall, a router and a switch]


DPI Key Features

- Network packet total in-line handling: real-time processing without latency, wire speed
- Processes the whole payload
- Signature-based service recognition
- Traffic management for all sessions that pass through the device
- 3rd-party application
- Traffic recording
- Data (L7) based real-time checking

How each layer is handled (example packet):
- Layer 2, header: MAC address 00:06:C4:00:00:01
- Layer 3, header: IP address 192.168.0.1
- Layer 4, header: TCP port 80
  -> Recognize the address and transfer the packet to the appointed device
- Layers 5~7, data: packet contents "GET /image/nroconference.jpg HTTP/1.1" + DATA
  -> Recognize/decide by port number or packet contents, then perform the pass, convert and filtering operations

Deep Packet Inspection System

- Identify: various applications, mostly on port 80 (web)
- Categorize: per user/group
- Control/Certify: major apps: guarantee the bandwidth and authentication; allowed apps: bandwidth management; disallowed apps: blocking
- Monitoring & reports (policy applied)
- Multi-layer packet analysis
- Cloud-based extra-firewall intelligence

DPI System Network Diagram (In-Line)

[Diagram: in-line DPI system on the Internet link, providing service failure analysis, PORT != APPLICATION management (analyzing & control), abnormal traffic analysis and detection, and service-specific QoS]

DPI Platforms


Top Class DPI Platform

L7+ DPI Platform Series

- Best DPI platform in the network industry, scalable up to 320G
- Consists of a PPM (Packet Processing Module) and an Application Host, based on parallel processing technology
- Able to access and analyze data traffic without latency on a wire-speed DPI platform

[Diagram: network packets enter at the Front I/O, are handled by the PPM (Packet Processing Module), and reach the Application Host (Hardware, OS (Linux), Applications) over a Direct Memory Access channel]

Key Specialty

Platform: provides 3 kinds of platform for the proper line speed: 10 / 20 / 80 G, 3 different capacity platforms

Application Host system environment: Linux CentOS 6.4; GCC tool chain version 4.4.2 or higher

Signature library: 800+ signatures installed; additional custom signatures can be added

Kernel-level Packet Processing API: flow handling functions; cross-port packet ordering and merging; flow- and rule-based CPU core load balancing

Traffic management: pass, drop, redirection, shaping

Packet programming API: provides a programming environment compatible with libpcap; DPI-engine-based API; provides an L7-level packet programming environment

[Diagram: Before traffic recognition: FIO -> PPM (5-tuple based flow management) -> unknown flow -> the Application Host analyzes the flow. After traffic recognition: known flow -> the PPM applies traffic control by policy -> FIO.]

L7+ DPI Platform family: L7+80N, L7+20N, L7+10S and the Packet Handler

L7+80N L7 Traffic Management Platform

L7+80N Series is the best L7 platform.

Technical Specifications

Network Interface: 10G GBIC x 8 ports
Physical: Dimensions 3U; Power max 980W (AC/DC); Weight 30.4 kg; Operating temperature 0 ~ 50 °C, humidity 5 ~ 95%
Storage: Max 8 x 2 TB, RAID (1, 3, 5, 10)
Packet Processing Module: Packet-recognition-based packet management; packet flow management for host cores; H/W-based traffic management; SNORT engine
Host: Multi-core processor; provides signature engine, packet handling API, traffic management, basic statistics data, policy management module
Host Memory: NUMA partitioned 64G DDR3 (max. 128G)
Management & Provisioning: Supports IPMI for remote management; supports SNMP, SSH, HTTPS, Syslog
Network Redundancy: Optical bypass on network interface; heartbeat on Packet Processing Module

Performance & Feature

Latency & Max Flow Number: Real network traffic packet processing performance: Host (160 ~ 180), Packet Processing Module (3); max concurrent flows 25M, new flows 1.5M
Traffic Management: RED/WRED algorithm based congestion control, 16M QoS and 1M classes; ACL and service based management: drop, bypass, redirection, shaping; real-time in-line control of P2P, web hard, Smart TV, mVoIP, harmful-site blocking, etc.
Signature Matching: Packet Processing Module can install a maximum of 2K PCRE RegEx patterns in H/W and processes SNORT PCRE rules and literal string rules; Host can analyze more than 700 services

L7+64PH Packet Clustering Switch

Packet Handler (Packet Clustering Switch)
- Packet aggregation & load balancing switch (10G x 64 ports available)
- Clusters a maximum of 4 x L7+80N devices, up to 320G
- Variants: 10G x 64 / 10G x 48 / 10G x 24

L7+ 320G Device Structure

L7+64PH clustering switch: 10G x 32 ports (line side), 10G x 32 ports (L7+80N side)
Four L7+80N units, each with 10G x 2 ports x 4 modules

L7+20N Network Service Platform

High-performance, router-level Packet Processing Module and Application Host.

Technical Specifications

Network Interface: 1 GbE C/F x 2 ports x 4 slots = 8 ports; 1 GbE C/F x 4 ports x 4 slots = 16 ports; 10 GbE fiber x 2 ports x 4 slots = 8 ports
Physical: Dimensions 2U; Power max 760W (AC/DC); Weight 16.8 kg; Operating environment 0 ~ 50, humidity 5 ~ 95% (non-condensing)
Storage: Max 4 x 2 TB, RAID (1, 3, 5, 10)
Packet Processing Module: Packet-recognition-based packet management; packet flow management for host cores; H/W-based traffic management; SNORT engine
Host: Multi-core processor; signature engine, packet handling API, traffic management, default statistics data, policy management support
Host Memory: NUMA partitioned 32G DDR3 (max. 64G)
Management & Provisioning: Supports IPMI for remote management; SNMP, SSH, HTTPS, Syslog support
Network Redundancy: Optical bypass in network interface

Performance & Feature

Latency & Max Flow: Real network traffic processing performance: full DPI takes min 67 ~ max 250; max concurrent flows 7M, new flows 750k
Traffic Management: RED/WRED algorithm based control, 512K QoS queues and 128k classes; ACL-based and service-based packet management: drop, bypass, redirection, shaping; in-line real-time control of P2P, web hard, Smart TV, mVoIP, harmful website blocking
Signature Matching: Packet Processing Module can load 512 RegEx patterns and processes SNORT PCRE rules and literal string rules; Host can analyze more than 700 services

L7+10S Network Application Platform

10G-capable Packet Processing Module and multi-core-based Application Host.

Technical Specifications

Network Interface: 1 GbE C/F x 2 ports x 2 slots = 4 ports; 1 GbE C/F x 4 ports x 2 slots = 8 ports; 10 GbE fiber x 2 ports x 2 slots = 4 ports
Physical: Dimensions 2U; Weight 9.8 kg; Power max 280W (AC/DC)
Storage: Max 2 x 2 TB, RAID (1, 3, 5, 10)
Packet Processing Module: Packet-recognition-based packet management; host core packet flow management; traffic management engine (*)
Host: Multi-core processor; signature engine, packet handling API, traffic management, default statistics data, policy management
Host Memory: NUMA partitioned 32G DDR3
Management & Provisioning: Supports IPMI for remote management; SNMP, SSH, HTTPS, Syslog support
Network Redundancy: Optical bypass in network interface

Performance & Feature

Latency & Max Flow: Host 0.6ms ~ 1.5ms, Packet Processing Module 0.2ms; max concurrent flows 750k, new flows 128k
Traffic Management (*): RED/WRED algorithm based control, over 128K QoS queues; ACL-based and service-based packet management: drop, bypass, redirection, shaping; in-line real-time control of P2P, web hard, Smart TV, mVoIP, harmful website blocking
Signature Matching: Packet Processing Module can load 128 RegEx patterns and processes SNORT PCRE rules and literal string rules; Host can analyze more than 700 services

Providing Signatures: Global Services

Provides various signatures for global services, with continuous updates at a low-cost maintenance fee.

Category         Count  Protocol (examples)
File Transfer    119    4Shared Desktop, BitTorrent, Dropbox, eDonkey, FileZilla, NFS
Mail             17     Gmail, Hotmail, Microsoft Exchange, Outlook, POP2, Yahoo Mail
Messaging        34     AIM Official Client, Google Talk, ICQ Messenger, mIRC, Skype, MSN Messenger
Networking       270    ARP, Cisco DRP, DHCP, DNS, Ethernet, IGMP, STUN, UDP
SNS              27     Facebook, Google+, Sourceforge, Twitter
Remote Access    30     rlogin, RSH, SSH Client, TeamViewer, Telnetd, VMware View
Games            103    Zynga Games, Happy Land, IMGames, Puzzle Saga
Streaming Media  37     Adobe Flash Player, Apple QuickTime, FaceTime, RTP, RTSP, Windows Media Player, YouTube
Web Services     88     Amazon.com, Bing, eBay, Google, HTTP, MySQL, Yahoo
Other            108    (+ additional updates)
Total Count      833+

Providing Signatures: Korea

For domestic services in Korea, proven signatures are provided and developed.

Category         Protocol (examples)
File Transfer    Korea Webhard Service
Mail             Naver Mail, Hanmail, Paran Mail, Nate Mail
Messaging        Nate On, Kakao Talk, Daum My People, Naver Line
Networking       Line, My People
SNS              Me Today, Cyworld
Remote Access    Crazy Remote
Shopping Mall    Auction, G-Market, Interpark, 11st
Streaming Media  Pandora, Africa, PPStream, GomTV, Daum TV Pot, Nate On Movie
Web Services     Naver, Daum
Total Count      Approximately 50 services

User Defined Signature

Signature Example: Daum TV Pot Service Handler (decision flow)

HTTP? -- YES -> Server -> Device one-way packet? -- YES -> Payload size > 1368 bytes? -- YES -> Packet count > 30? -- YES -> Recognize as Daum TV Pot
(A NO at any step leaves the flow unrecognized by this handler.)

Sample handler code from the slide (the port-80 check, i.e. the first step of the flow):

pax_pkt_stream_cbfn_rc_e
__user_packet_callback_cbfn(uint8_t* user_ctx,
                            struct pax_packet_cbf_stanza_s* cbf_stanza,            /*IN*/
                            struct pax_packet_cbf_stanza_user_ack_s* stanza_ack,   /*OUT*/
                            uint8_t* reserved1,
                            uint64_t reserved2,
                            uint64_t reserved3)
{
    /* Locate the L4 header inside the packet using the offset supplied by the PPM. */
    struct transports_hdr_port_info_swab_s *l4_hdr_swab =
        (struct transports_hdr_port_info_swab_s *)(cbf_stanza->pkt_ptr + cbf_stanza->l4_offset);

    if (80 == ntohs(l4_hdr_swab->src_port) || 80 == ntohs(l4_hdr_swab->dst_port))
    {
        // Identification is done.
        // Indicate the updated BAR id and also cut this flow loose from further callbacks.
        stanza_ack->user_bar_id = __g_new_app_idx;
        stanza_ack->cbf_disposition = (pax_pkt_strm_cbf_rc_cut_loose_flow_e |
                                       pax_pkt_strm_cbf_rc_service_id_updtd_e);
    }
    else
    {
        // Not decided yet: keep the current BAR id so the flow stays under analysis.
        stanza_ack->user_bar_id = cbf_stanza->bar_id;
    }
    /* The slide does not show the return statement for pax_pkt_stream_cbfn_rc_e. */
}
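The slide's handler only shows the first step (port 80) against the vendor's callback API. As an added example that is not the vendor's code, the following stand-alone C program models the whole four-step decision flow above on top of a 5-tuple flow table, which is also how the Key Specialty slide describes the PPM/host split (unknown flow handed to analysis, known flow no longer analyzed). The thresholds (port 80, payload > 1368 bytes, more than 30 such packets) are taken from the slide; the struct and function names, the fixed-size flow table, the V_* verdicts and the constructed packet stream are assumptions made for this example.

```c
/* Added example, not the vendor's code: a stand-alone C model of the slide's
 * "Daum TV Pot" signature handler running on top of a 5-tuple flow table
 * (unknown flow -> analyse; once decided, the flow is cut loose, as on the
 * Key Specialty slide). Thresholds (port 80, payload > 1368 bytes, more than
 * 30 such packets) come from the slide; struct/function names, the flow
 * table and the V_* verdicts are assumptions made for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HTTP_PORT    80
#define MIN_PAYLOAD  1368          /* slide: payload size > 1368 bytes */
#define MIN_BIG_PKTS 30            /* slide: packet count > 30 */
#define MAX_FLOWS    64
enum verdict { V_UNKNOWN = 0, V_DAUM_TV_POT, V_NOT_MATCHED };

struct pkt {                       /* constructed per-packet summary a DPI callback would expose */
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t  proto;                /* 6 = TCP */
    uint16_t payload_len;          /* bytes after the L4 header */
};

struct flow {                      /* 5-tuple entry; a/b is the direction first seen */
    uint32_t ip_a, ip_b;
    uint16_t port_a, port_b;
    uint8_t  proto, in_use;
    uint32_t big_pkts;             /* server->client packets larger than MIN_PAYLOAD */
    enum verdict verdict;          /* once set, the flow gets no further analysis */
};

static struct flow flows[MAX_FLOWS];
void reset_flows(void) { memset(flows, 0, sizeof flows); }

static int same_flow(const struct flow *f, const struct pkt *p)
{
    if (f->proto != p->proto) return 0;
    return (f->ip_a == p->src_ip && f->port_a == p->src_port &&
            f->ip_b == p->dst_ip && f->port_b == p->dst_port) ||
           (f->ip_a == p->dst_ip && f->port_a == p->dst_port &&
            f->ip_b == p->src_ip && f->port_b == p->src_port);
}

/* Known flow -> its entry; unknown flow -> a fresh entry that analysis now owns. */
static struct flow *lookup_flow(const struct pkt *p)
{
    for (int i = 0; i < MAX_FLOWS; i++)
        if (flows[i].in_use && same_flow(&flows[i], p)) return &flows[i];
    for (int i = 0; i < MAX_FLOWS; i++) {
        if (flows[i].in_use) continue;
        struct flow f = { p->src_ip, p->dst_ip, p->src_port, p->dst_port, p->proto, 1, 0, V_UNKNOWN };
        flows[i] = f;
        return &flows[i];
    }
    return NULL;                   /* table full: a real engine would evict or bypass */
}

/* Feed one packet through the slide's four-step decision flow and return the
 * flow's verdict so far. "NO" at step 1 ends analysis by this handler;
 * "NO" at step 2 or 3 only means this packet is not counted. */
enum verdict classify_packet(const struct pkt *p)
{
    struct flow *f = lookup_flow(p);
    if (!f) return V_UNKNOWN;
    if (f->verdict != V_UNKNOWN) return f->verdict;   /* already decided */
    /* Step 1: HTTP?  TCP with port 80 on either side. */
    if (p->proto != 6 || (p->src_port != HTTP_PORT && p->dst_port != HTTP_PORT))
        return f->verdict = V_NOT_MATCHED;
    /* Step 2: server -> device direction?  The server is the port-80 side. */
    if (p->src_port != HTTP_PORT) return V_UNKNOWN;
    /* Step 3: payload size > 1368 bytes? */
    if (p->payload_len <= MIN_PAYLOAD) return V_UNKNOWN;
    /* Step 4: more than 30 such packets?  Then recognize the service. */
    if (++f->big_pkts > MIN_BIG_PKTS) f->verdict = V_DAUM_TV_POT;
    return f->verdict;
}

/* Drive a constructed stream of n_big server->client packets carrying
 * payload_len bytes, each answered by an empty client packet. */
enum verdict simulate_http_stream(int n_big, uint16_t payload_len, uint16_t server_port)
{
    struct pkt down = { 0x0A000001u, 0xC0A8000Au, server_port, 40000, 6, payload_len };
    struct pkt up   = { 0xC0A8000Au, 0x0A000001u, 40000, server_port, 6, 0 };
    enum verdict v = V_UNKNOWN;
    reset_flows();
    for (int i = 0; i < n_big; i++) {
        v = classify_packet(&down);
        classify_packet(&up);      /* ACK-only packet fails step 2, not counted */
    }
    return v;
}

int main(void)
{
    printf("31 large packets from :80 -> %d, 30 -> %d (1 = Daum TV Pot, 0 = unknown)\n",
           (int)simulate_http_stream(31, 1400, 80), (int)simulate_http_stream(30, 1400, 80));
    return 0;
}
```

The verdict is stored in the flow entry, so once a flow is recognized (or rejected at step 1) every later packet short-circuits, which is the flow-table analogue of the `cut_loose_flow` disposition in the slide's handler; a flow with payloads of exactly 1368 bytes or with fewer than 31 large packets stays unknown, so a deployment would still need a timeout or per-flow packet budget to stop analysing long-lived flows that never match.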


Programmable Platform: L7+ Packet Handling API compared with the Libpcap API

L7+ Packet Handling API:

    pax_register_for_packet_stream(pax_devices_handles_arr[start_index],
                                   NULL, __user_packet_callback_cbfn);

    pax_pkt_stream_cbfn_rc_e
    __user_packet_callback_cbfn(uint8_t* user_ctx,
                                struct pax_packet_cbf_stanza_s* cbf_stanza,            /*IN*/
                                struct pax_packet_cbf_stanza_user_ack_s* stanza_ack,   /*OUT*/
                                uint8_t* reserved1, uint64_t reserved2, uint64_t reserved3);

    struct pax_packet_cbf_stanza_s {
        uint8_t  *pkt_ptr;        /* start of the packet; l3/l4/payload offsets are relative to it */
        uint16_t  pkt_len;
        uint16_t  l3_offset;
        uint16_t  l4_offset;
        uint16_t  payload_offset;
        uint32_t  bar_id;
        uint32_t  expression_id;
        /* remaining members not shown on the slide */
    };

Libpcap API:

    if (pcap_loop(pd, /*PCAP_CNT_MAX*/ -1, packet_view, 0) < 0)

    void packet_view(unsigned char *user,
                     const struct pcap_pkthdr *h,
                     const unsigned char *p);

    struct pcap_pkthdr {
        struct timeval ts;        /* time stamp */
        bpf_u_int32 caplen;       /* length of portion present */
        bpf_u_int32 len;          /* length of packet (off wire) */
    };

Management Tool

- Traffic Management
- Statistics
- System

Box Performance


L7+ Test Network Diagram

Electronics and Telecommunications Research Institute (ETRI) Next Generation Network Testbed.
Test equipment: IXIA IxNetwork, IXIA XT80, BreakingPoint.
Devices under test: L7+64PH, L7+10S, L7+80N, L7+20N, with 850 signatures installed.

L7+80N (10G x 8 ports)

[Chart: RFC2544 throughput (%) and TCP connection time (s) by frame size, 64 to 1518 bytes]

L7+80N (10G x 8 ports)

[Chart: TCP connections per second and cumulated total connections established (CPS summary)]

L7+10S (10G x 2 ports)

[Chart: RFC2544 throughput (Gbps) and CPS summary]

Key Performance Values

RFC 2544 Test: 64 byte: 64.6% / 128 byte: 99.7% / 256 byte: 99.4% / 512 byte: 99.3% / 1024 byte: 99.4% / 1280 byte: 99.2% / 1518 byte: 99.1%
Service Recognition Test: service recognition percentage for real traffic: approximately 87%
Process Flow Numbers (simultaneous): 30M flows
New Flows per Second: 1.5M flows per second
Latency: FPGA process: 3 / Host process: 160 ~ 180

Remark

Usages


Applicable Main Targets

Traffic Management
- Traffic block / management
- Gateway solution

New Generation Firewall & Security Device
- Application-based firewall
- Malware & security threat blocking
- High-capacity network environment protection

Business Platform
- Billing solution: billing per packet; real time / mobile

Security Solution
- Bandwidth guaranteed solution
- Security solution for blocking APT attacks

System Tracking
- Log analysis / network analysis
- System load measurement & management

Contents Security
- L7 based QoS
- L2~L7 integrated management
- Payload based control and management

Network Performance
- Application performance measurement: specific application performance measurement; performance monitoring

Integrated Security Solution

Protecting Private Information
- Protecting & blocking private information
- Protecting company & organization information

Security & Control
- Platform for security control
- Network packet recording
- Monitoring & control

Network Based Behavior Analyzer

DPI Based Traffic Analyzer

Need for aggregate network traffic pattern information
- With a variety of network terminals, atypical traffic patterns occur.
- Network complexity, and the difficulty of managing it, have increased.
- Need to build big data from the packet data coming from network-based services and terminals.
Traffic Qualification
- Whole-packet analysis for traffic pattern identification and recording.
- Analysis for increasing service availability and stability.
Service Forecasting & Provisioning
- Predict service changes based on analysis results
- Service-oriented resource reallocation
- Optimized and unique services
- Personalization of services

[Chart: PC vs Mobile daily traffic, Mobile Web and PC Web by hour of day (00 to 23); Source : 2012 Man ]

Personalized Advertising

Net DPI Guard

DPI-based Network Inspection, Control & Recording System

Network Inspection
- Define the authorized packets at each section at the 5-tuple and signature level
- Inspect all packet flows on each section at L7 level and detect threatening traffic and data
Network Control (Traffic Management)
- Define policies for each section and flow for normal and emergency times.
- According to the situation, promptly control traffic bandwidth, isolate each section, and bypass per section, protocol and IP
Network Recording
- Record whole packets in order to identify and record abnormal packets
- Record, preserve and analyze abnormal packets (easy for post-analysis & tracking)
- Provide network logs that do not depend on server logs (able to provide L2~L7)
- Identify abnormal and malicious traffic with filtering/alarm/trigger functions

Net DPI Guard Diagram

[Diagram: DPI Guard units located at major network points and at the network in/out points of Network A and Network B, reporting to a Reporting & Analysis system and the NMS; supports an integrated network]

Mobile Caching in GTP Tunnel

Caching system for forward deployment of content

Network Saving
- Operates in the GPRS range (before the IP range), actively saving bandwidth.
- Service recognition and control using the DPI function.
- Analyzes the payload inside the GTP tunnel itself, so video, web and all kinds of services are available.
Extreme Performance
- Can be deployed on the subscriber side, achieving the best response rate
- DPI-engine-based service classification and processing achieve the best and most accurate response rate
- Wire-speed platform
Cost Effective
- Functions/performance developed to the operator's requirements and network characteristics.
- Realistic price for mass deployment
- Minimized operating cost

Mobile Caching in GTP Tunnel (diagram)

[Diagram: in the GPRS network, a DPI-based policy engine sits on the GTP tunnel (labelled decryption/encryption), serves cached contents from the caching S/W and cached-content store, and passes non-cached contents through]

Integrated Security System Functions

- Authenticate and access-control users, devices and contents in real time.
- Comprehensive management control: assign unique numbers to contents, devices and users.
- Control the transfer process from creation to transmission (VPN transmission).
- Control the import, export and processing of information, essentially removing illegal situations.

[Diagram: Existing security system: MDM, WiFi AP Manager, Mobile VPN Manager, AAA, GPKI, IPSec Server, Mobile VPN GW, mOffice Server, Internal Network, Subscriber. New security system (providing an integrated security system): the same components plus a DPI System.]

Thank you