Showing posts with label firewall.

Sunday, April 8, 2012

TM Announcements: F5 new VIPRION Supports 160 Gbps L7 Throughput

 
F5 announced the ".. new VIPRION® solutions, including the 4480 chassis and 4300 performance blade. Extending F5’s portfolio of physical and virtual solutions, these new hardware offerings are specifically designed to help service providers and enterprises address rapidly increasing traffic levels and the growing demand for enhanced services .. Industry leading metrics and product highlights include .. the market’s first 40 Gbps Ethernet support for an application and services delivery platform and 160 Gbps of L7 throughput, 2x competitors’ offerings".
 
"Many vendors offer separate products throughout the infrastructure, but this segmented approach provides limited protection and can be difficult to scale. By contrast, F5 offers an ICSA-certified firewall that integrates L3–L7 security services to protect against massive, multilayered, and blended attacks. From a capacity standpoint, F5’s carrier-grade hardware delivers 144 million concurrent connections (3x the closest competitor) and 5.6 million L4 connections per second (nearly 12x the competition) at a similar price point to other vendors’ offerings".

See also "F5 Service Provider/Mobile Road Map: Focus on DPI" - here and "F5 Platform Road Map - 100GE Ports Planned for 2013/14" - here.

See "F5’s VIPRION Solutions Help Service Providers and Enterprises Optimize Infrastructures and Reduce Costs" - here.

Monday, December 12, 2011

Security Win: $2M Wireless Tier1 Deal for Radware's Attack Mitigation System

  
A year ago, Yankee Group predicted that "A Denial-of-Service Attack Will Take a 4G Network Down" (here), saying that "With clean-up costs (including the network, IT, customer care, media relations, etc.), fewer new subscriptions and increased churn, the bill for this DoS outage will be a minimum of U.S.$10 million in the first month alone .. The winners include vendors like Arbor Networks and Radware that help operators address these issues. But equipment vendors like Alcatel-Lucent (ALU), Cisco, Ericsson and Huawei will also be called on to assist, as will their professional services organizations".
   
One year after that, Radware announced "a $2 million sale of its Attack Mitigation System (AMS) security solution to a leading Tier 1 wireless carrier in North America .. Radware's AMS solution will integrate the carrier's existing point security capabilities - such as firewall and proxy protection, signature-based intrusion prevention, anti-spam gateways and scrubbing center denial of service mitigation - into an holistic attack mitigation system."

"Radware's AMS is a real-time network and application attack mitigation solution that protects the application infrastructure against network and application downtime, application vulnerability exploitation, malware spread, information theft, Web service attacks and Web defacement. It contains a protection layer with security modules including denial-of-service (DoS) protection, network behavioral analysis (NBA), intrusion prevention system (IPS), reputation engine and Web application firewall (WAF) to fully safeguard networks, servers and applications against known and emerging network security threats"

See "Radware to Deliver Attack Mitigation System Solution To Tier 1 Wireless Carrier in North America" - here.

See also "[Juniper] Anomaly Detection and DPI Defend Against Application-Layer DDoS" - here and "NetScout: 'Outages at NTT, AT&T and Verizon could have been detected and averted'" - here.

Sunday, September 18, 2011

Arbor: Badly Designed Firewalls Create A DDoS Risk to MNOs

  
In an interview with ZDNet, Roland Dobbins, Arbor Networks Asia Pacific solutions architect, told Josh Taylor that "Mobile telcos that became 'accidental' internet service providers (ISPs) through the rise of mobile broadband are more at risk of Distributed Denial of Service (DDoS) attacks than fixed broadband providers .. the TCP/IP side of mobile networks was mostly an afterthought for mobile telcos who found they'd become ISPs after the rise of smartphones such as the iPhone. He said that in order to keep the network secure, a lot of telcos put 'stateful' firewalls or devices on their networks. This creates a potential DDoS point of attack allowing a bot to clog up the state table of a firewall and cause it to fall over".

See "DDoS risk plagues accidental ISPs" - here.

Sunday, August 28, 2011

Research: US MNOs' Firewall Policies Degrade Network Performance

  
A research paper by Zhaoguang Wang, Zhiyun Qian, Qiang Xu and Z. Morley Mao (pictured) from the University of Michigan and Ming Zhang from Microsoft Research finds that key NAT and firewall policies used by cellular operators in the US have direct implications on performance, energy, and security.

For example, the research found that "One of the largest U.S. carriers is found to configure firewalls to buffer out-of-order TCP packets for a long time, likely for the purpose of deep packet inspection. This unexpectedly interferes with TCP Fast Retransmit and Forward RTO-Recovery, severely degrading TCP performance triggered merely by a single packet loss".

See "An Untold Story of Middleboxes in Cellular Networks" - here.

ABSTRACT

"We present NetPiculet, the first tool that unveils carriers’ NAT and firewall policies by conducting intelligent measurement. By running NetPiculet in the major U.S. cellular providers as well as deploying it as a smartphone application in the wild in more than 100 cellular ISPs, we identified the key NAT and firewall policies which have direct implications on performance, energy, and security. For example, NAT boxes and firewalls set timeouts for idle TCP connections, which sometimes cause significant energy waste on mobile devices. Although most carriers today deploy sophisticated firewalls, they are still vulnerable to various attacks such as battery draining and denial of service. These findings can inform developers in optimizing the interaction between mobile applications and cellular networks and also guide carriers in improving their network configurations".

Friday, August 19, 2011

VAS Deployments (87): SK Telecom [Korea] Selected Fortinet for Security Services

    
Fortinet announced that "SK Telecom, the leading telecommunications provider in Korea, has chosen Fortinet's FortiGate®-3950B high-end network security appliance to help protect its 24-million subscribers using its 3G and 4G LTE services against increasing malicious attacks .. SK Telecom has purchased FortiGate-3950B appliances for carrier-grade NAT service and for 10G firewall protection of its content server farm. With this implementation, the telco provider will be able to apply up to 10 million concurrent session firewall performance, SSL & IPSEC VPN, NAT/PAT, ALG-SIP, DPI (Deep Packet Inspection), and QoS features over its service at no additional cost. Moreover, SK Telecom will be able to offer greater stability in its services by preventing service delays caused by traffic overload and ensure high availability".  

See "SK Telecom Chooses Fortinet to Enable Broad, High Performance Security Protection to its Subscribers" - here.

Tuesday, April 12, 2011

DPI Announcements: Qosmos' DPI Engine Ready for Next-Generation Firewalls

  
Qosmos announced "..Additions to Qosmos’ ixEngine Software Development Kit enable next generation firewall vendors to quickly embed Layer 7 applications visibility and control into products for real-time application identification irrespective of ports or tunnels, while reducing time to market and development costs .. the decoding capabilities of ixEngine have been optimized for all leading processors on the market: Intel x86, NetLogic XLR, Cavium Octeon (see also - here), Tilera TILEPro, and Freescale PowerQUICC".

See "Qosmos Enhancements to ixEngine SDK Improve Application Identification and Time to Market for Next-Generation Firewalls" - here.

"Qosmos ixEngine provides next-generation firewall vendors (see chart for an implementation example) with just such capabilities that ensure:
  • Resilience, by functioning even under adverse external conditions (e.g. maliciously forged packets or flows)
  • Robustness, by performing well during difficult situations (e.g. SYN flood attacks, incomplete traffic)
  • Reliability, by adequately decoding traffic even under unusual circumstances (e.g. tunnels, obfuscated traffic, non-standard protocol behavior)"

Qosmos' site quotes Brian Partridge (pictured), VP, Yankee Group, saying: "By using proven tool kits from third-party specialists, vendors can improve development efficiency and time to market of new products and keep existing products updated in terms of feature enhancements such as new protocol support."