Allot Partners with Checkpoint

Allot Communications and Check Point Software Technologies, announced ".. collaboration to demonstrate a virtual mobile Security-as-a-Service (SECaaS) solution for bringing cutting-edge security services to mobile networks leveraging network functions virtualization (NFV) and software-defined networking (SDN). 

The joint solution that was demonstrated consists of Allot’s Service Gateway – Virtual Edition [see "Allot Launches a Virtual Gateway and Services @200Gbps/Server" - here] with Check Point’s Security Gateway Virtual Edition. 

• Allot provided a virtual network function (VNF) with pre-integrated services and a framework connected to the cloud infrastructure, orchestration, OSS and BSS platforms
   
• Check Point provided a VNF protecting dynamic virtualized environments from internal and external threats by securing virtual machines and applications with the full range of Check Point Software Blades. Software Defined Networking (SDN), which enables the separation of the control plane and data plane, is used to diminish deployment challenges in NFV such as service consistency and reliability.

During the earning call, Andrei Elfanct, Allot's CEO made some references to the new partnership:(see "Allot Communications' (ALLT) CEO Andrei Elefant on Q3 2015 Results - Earnings Call Transcript", by SeekingAlpha, here): 

• the work that we are doing with CheckPoint and specifically to what we announced this morning, we are working with them on this demonstration to build an offering that is targeting NFV network and this is part of some other work that we are doing with CheckPoint.
   
• to demonstrate the value of that we worked with Checkpoint where they're bringing the security as a service solutions and we enable it to be deployed very quickly and efficiently in a mobile environment, so we've delivered the subscriber management integration and the integration with orchestration and some other components

See "Allot and Check Point Partner and Demonstrate Virtual Mobile Security-as-a-Service" - here.

[Infonetics]: The DPI Market is Slow to Adapt NFV; to Reach $972M in 2015

A new report by Shira Levine [pictured], research director for service enablement and subscriber intelligence IHS on the DPI market:

• "projecting the global deep packet inspection (DPI) market to grow to $972 million in 2015, up 15 percent year-over-year, as communications service providers continue to use DPI as a key tool for bandwidth management and the creation of new services and feature ..
   
• The majority of the traditional DPI appliance suppliers had a challenging first half of 2015, but smaller players, particularly the embedded DPI suppliers such as Qosmos, saw healthy year-over-year growth [see "Openwave Mobility Integrates Qosmos' DPI " - here]
  
  [Related posts: "Is there a problem in the DPI Market ?" - part1, part2, part3]
  
  The chart on the right shows Infonetics' prediction for the DPI market from 2010

• While the major DPI suppliers are tackling the virtualization trend head-on, moving aggressively to introduce virtualized versions of their products and forge relationships within the NFV ecosystem, their customers are slower to jump on the bandwagon. Performance concerns remain an issue, and operators continue to be conservative with deployments of virtualized DPI technology
   
• DPI is playing a key role in another hot area—analytics—with operators increasingly interested in leveraging network intelligence gleaned from DPI as part of their larger ‘big data’ strategies
   
• There is renewed opportunity for DPI suppliers to address operators’ security concerns, leveraging their solutions to tackle network infrastructure threats such as distributed denial of service (DDoS) attacks, worms and viruses on a real-time basis" [related post - "Allot: $8M Expansion Order for Security Services" - here]

See "Deep Packet Inspection to Play Key Role in Operator Analytics, BigData Strategies" - here.

Qosmos and NetSTAR Integrate DPI and URL Categorization Enabling Technologies

NetSTAR and Qosmos announced a ".. strategic partnership that will simplify the integration of NetSTAR’s inCompass® URL categorization and web security technology with the Qosmos ixEngine® 

..hardware vendors, software vendors, solution providers, operators, and service providers will be able to quickly and easily exploit the full power of Qosmos DPI technology .. combined with NetSTAR’s ability to categorize over 98% of all URL (http/https) traffic in one of over 180 different categories as well as over 12 different securities categories including malware, botnets, infected sites, spyware, phishing and spam". 

NetSTAR Self-operated URL research center

See "Qosmos and NetSTAR, an ALSI Group Company, Announce Plans to Combine Qosmos’ ixEngine Deep Packet Inspection Technology with NetSTAR’s inCompass URL Categorization and Security Technology" - here.

Allot: $8M Expansion Order for Security Services

Allot Communications' strategy of focusing on security (see "Allot CEO: We Compete Against Security Vendors" - here and "Allot's Former CEO: "Security is the Right Direction for Allot"" - here) shows results.

Allot's Allot ServiceProtector

The company announced that it has ".. received an expansion order of approximately $8 million from a major APAC tier-1 fixed-line operator for Allot Service Gateway Tera, Allot Service Protector and Allot Websafe. 

This incumbent operator is using Allot’s Service Protector in-line solution to protect national critical infrastructure, business communication, and IT infrastructure nationwide against destructive DDoS attacks. 

This is an expansion order to an existing project, which augments the solution’s scale, providing rapid identification and in-line mitigation of large scale attacks . 

The solution manages and secures traffic of up to two Terabits per second without the need to redirect traffic to a scrubbing center. The operator’s complex and high capacity network requires effective protection at a vast scale, which is achieved by Service Gateway Tera and its integrated security services". 

See "Allot Communications Receives $8M Expansion Order from a Tier-1 Operator" - here.

Nokia Adds Security Solutions

Nokia Networks announced it has "extended its security portfolio with new protection capabilities complemented by expert professional services in assessment and deployment:

• Nokia’s Network Access Guard addresses the sheer intricacy that operators face in managing internal staff access to multiple network element systems. It secures, identifies and monitors employee access while simplifying the way privileged users handle critical network elements.

• Nokia’s Signaling Security Solution can identify weaknesses in an operator’s SS7 infrastructure and implement a firewall to protect against subscriber data being hacked as well as other malicious intrusions. Nokia Networks is the only major telecom infrastructure vendor to offer such end-to-end SS7 protection.

See "Nokia Networks safeguards network operations with two new security launches" - here.

[Oppenheimer} : "Mobile security is a key VAS driver" for Allot

Ittai Kidron [pictured], Analyst, Oppenheimer provided the following assessment on Allot Communications' business:

"In recent years Allot has evolved its core DPI platform into a value added services (VAS) engine with parental control and security as new features. Progress has been solid thus far with VAS now accounting for as much as ~40% of bookings for the company. We believe that mobile security is a key VAS driver and expect revenue from this area to grow at ~50% YoY for the foreseeable future. Tier 1 customers are already at hand and trial activity is heavy. 

We expect the company to show more progress in this area in 2016-2017 as trial activity moves into deployment and as the company refines its software licensing program (from perpetual to term) to better capture upside 

.. About 10 Tier 1 carriers have signed up for Allot's mobile security platform. Several of these have already launched the associated services in their networks and have seen strong subscriber adoption (yielding higher ARPUs for mobile carriers). Trial activity with many other carriers remains strong and should yield results in 2016-17.

.. We believe Allot is now promoting term-based licensing more aggressively to better capture the upside. This process could take time to show results.

See "Oppenheimer Reiterated Perform Rating on Allot Communications (ALLT) Expecting Mobile Security to Drive VAS - here and here.

Allot Offers NFV-Based TDF and Security Functions Over HP's OpenNFV

The Journey to NFV

Source: HP (here)

Allot Communications announced its participation in the "HP OpenNFV Partner Program ..  As part of the program, Allot will be offering its virtual Traffic Detection Function (vTDF) [see "Allot Enhances DPI Gateway with Standard TDF" - here] and security services on the HP OpenNFV platform. The integration demonstrates service enablement and delivery for virtual security services that are deployed over the HP OpenNFV cloud environment platform. Following the Internet Engineering Task Force (IETF) and 3rd Generation Partnership Project (3GPP) evolving standards, Allot’s vTDF together with Allot’s Element Manager (EM) enables dynamic creation and management of pre-integrated security services such as Allot’s DDoS protection and content-filtering.

[Related post: "Allot and Procera Push NFV-based DPI" - here]

..Allot’s integration with HP OpenNFV components such as HP NFV Director and HP Helion enables onboarding of Allot’s virtual solutions in the HP ecosystem environment. This transition from proprietary equipment installed in a specific topology location to Virtual Network Functions – that can be distributed throughout the network and uniformly managed – enables operators to:

• Simplify and automate service deployment, provisioning and configuration
• Add elasticity to the network for more fluid and efficient allocation of resources
• Leverage distributed cloud infrastructure to implement complex use cases with ease
• Reduce time-to-market for consumer and business services"

See "Allot Communications Offers Robust Security Services on HP OpenNFV Cloud Platform" - here.

Allot's Former CEO: "Security is the Right Direction for Allot"

The Israeli financial paper, Globes, interviewed (by Shlomit Lan, here, Hebrew) Rami Hadar [pictured], former Allot Communications' President and CEO about his new activity as one of the 3 managing partners of  Eucalyptus, a new investment fund seeking now $300M investments.

The article also discusses Allot's current situation [see "Is there a Problem in the DPI Market?" - here], providing some remarks from Rami (who is still a member of Allot's board of directors):

• Of the 3 acquisitions made during his CEO term, Rami admits that one, the smallest, in the security space, was successful while the other two [see "Allot Buys Oversi for $16M in Cash" - here and "Allot to Buy Ortiva Wireless" - here] haven't yet shown success
   
• "Every company goes through a crisis each time it doubles its revenues. It happens to Israeli companies when they reach annual revenues of $100-120M and then they standstill till they find the next growth engine, which takes few years"
   
• "Almost half of Allot's revenues comes from 3-5 large customers [see "Allot: Two 10% Customers in 2014" - here] - that creates volatility. Andrei [Elefant, current CEO], understands that, and knows he needs to win more large operators and add complementary solutions. He announced recently that Allot entry into the security market [see "Allot CEO: We Compete Against Security Vendors " - here] - and I think it is the right direction for Allot" 

Allot CEO: We Compete Against Security Vendors

Quotes from Allot's Q1 2015 earnings call (see also "Before Procera Disappears from the Public Eye" - here), made by the president and CEO, Andrei Elefant [pictured]:

• Answering Catharine Trebnick, VP, Senior Research Analyst, Dougherty & Company question on the competitive landscape for security value-added services:
  
  "So first of all, the security additional enhancements that we have on our platform. The Security-as-a-Service solutions are coming on top of our DPI and the basic service gateway capabilities. Some of the wins that I mentioned earlier together with Optenet, we delivered security services on existing platforms that were deployed there in the market with existing customers.
  
  However we did win some new customers together, leveraging this advantage that we have. In these projects, we competed against the security providers and not against DPI players, including a major deal that we won last quarter together with a tier-1 operator. We mentioned that in one of our press releases. And that project was purely about Security-as-a-Service, and we competed against other security providers and not against our traditional DPI competitors"
   
• we divide our VAS category between four groups; Security, Monetization, Analytics and Optimization. During the quarter, the monetization and security categories were leading followed by optimization and analytics, similar to the ranking in previous quarter .. Monetization and security accounted for 70% of our VAS bookings. We continued to view VAS as our main business driver in the coming years, with key strengths coming from the security and monetization categories
   
• During the quarter, we had one 10% customer [in 2014, Allot derived 44% of its total revenues from two Tier 1 mobile and fixed operators - here]

See "Allot Communications' (ALLT) CEO Andrei Elefant on Q1 2015 Results - Earnings Call Transcript", by SeekingAlpha, here.

Allot: 4 Contracts for Web Security Offering

Allot Communications announced that it has "won four contracts in the first quarter of 2015 to supply its Allot WebSafe Personal product, a carrier-class Web Security service that enables service providers and enterprises to deliver a safer and more protected Internet environment to their users.

• The first two orders came from existing Tier-1 mobile operator customers in EMEA. These operators are expanding their SECaaS offerings with Allot Service Gateway Tera and Allot WebSafe Personal to enable rapid rollout of value-added parental control and anti-malware services. Allot’s technology will allow the operators to easily scale to the growing demand from millions of users for these security services.

• A third order was from a new Tier-1 American operator customer that plans to monetize its security offerings by leveraging WebSafe Personal to offer SECaaS services.

• The fourth order was secured from an existing Tier-1 operator customer in APAC that is adding WebSafe Personal to its Allot Service Protector deployment. The existing deployed solution is already being used to protect against high-volume distributed denial of service (DDoS) attacks. The expanded security capabilities now allow the operator to comply with government regulation by filtering harmful content"

Recently Allot released Key findings of the Allot MobileTrends Report H1 2015:

• Of CSPs who offer SECaaS, 60% charge a premium for it at prices ranging from $1 to $5 per month per line.
   
• Security services are mutually beneficial for broadband users and service providers. Users perceive parental controls and anti-malware services as high-value, while CSPs can quickly achieve positive ROI from delivering security solutions with incremental pricing
   
• Network-based security SECaaS create customer stickiness that can reduce churn rates by as much as 2.4% annually, which can cover the cost of deployment and operation on its own
   
• ROI on premium parental controls and anti-malware services can be achieved in five to seven months (six months on average), with ROI reaching greater than 250% in 12 months.

See "Allot Receives Four Orders from Tier-1 Operators to Enable Delivery of Security-as-a-Service and Comply with Regulation" - here.

Allot: Security VAS Solutions Sold to 5 Carriers

Allot Communications announced it has "..received five orders for Allot ServiceProtector, a solution that provides protection against massive distributed denial of service (DDoS) attacks, prevention of outbound spam, and containment and cleanup of infected botnet hosts .. In response to growing cyber threats, five Tier-1 operators have selected Allot ServiceProtector to deliver and monetize value-added security offerings to customers. 

[Related posts: "Allot: 2 Orders, $5M" - here and "Allot Receives a $15M Expansion Order, W/Analytics and DDoS Protection" - here]

.. ServiceProtector Sensor and Mitigation functions are embedded within Allot Service Gateway platforms and Allot NetEnforcer devices to protect service networks against a number of growing threats including DoS/DDoS attacks against customer web services; Zero Day attacks; anomalous traffic impacting network and service performance; anomalous behavior such as spamming, worm propagation, botnet attacks; and malicious user activity such as probing and flooding".

Source: Allot Communications 

See "Allot ServiceProtector Selected by Five Tier-1 Operators to Secure High Capacity Networks from Evolving Cyber Security Threats" - here.

ALU Adds NFV-Based Malware Protection Solution

Alcatel-Lucent announced that "Motive is to introduce the Motive Security Guardian (powered by Motive Security Labs, formerly Kindsight Security Labs), a virtualized security solution to optimize both the delivery of services as well as the customer experience by protecting service provider’s networks, machine-to-machine (M2M) communications, and mobile and home devices from malware that can degrade performance, mine information and even steal data minutes.

.. When malware is found on a device, its owner is immediately alerted with step-by-step instructions on how to remove the threat. This intervention can significantly reduce calls to care agents triggered by malware, such as complaints of mobile device batteries draining too quickly; bill shock due to pirated data usage; and unwanted pop-up ads on a laptop.

[Related post - "Kindsight Helps ISPs to Detect, Block and Remove Bots" - here]

.. Residing on an operator’s cloud network, it can identify and pinpoint malware on mobile or home devices without having to be installed on them. The solution can be onboarded and managed using Alcatel-Lucent’s CloudBand™ 2.0 NFV platform and can be rapidly scaled up or down to meet market demand". 

See "Alcatel-Lucent’s Motive to deliver virtualized security solution to help service providers ensure a safe ultra-broadband customer experience" - here.

Will Allot's $5M Order Rebound the DPI Market?

The recent announcements from Procera Networks (See "Procera: Q3 Revenues Decline by 25% Y/Y" - here), and other TEMs (Juniper), resulted in a free-fall for the pure-players DPI shares.

Allot, Procera and Sandvine Stock Performance, 5 Days

The announcement made by Allot Communications on Friday (during the holiday season and weekend in Israel) tries to regain some confidence in the market, and to show that the multi-million $  projects are still out there (but sometime they take a long time to show-up in revenue, says Sandvine - see "Sandvine: IBM is a 10% Reseller with an 'active pipeline of opportunities'" - here).

Allot's Service
Gateway Tera

Allot announced that it has " ..  received expansion orders of over five million dollars from two Tier-1 mobile operators for the Allot Service Gateway Tera for delivering value-added services to the Operators' subscribers. 

The key offering enabled by Allot is a virtualized security service which protects subscribers and boosts ARPU. This follows a $15 Million expansion order from another major Tier-1 operator [here] that was announced recently for the Allot Service Gateway Tera and associated value-added services".

See "Allot Communications Receives Expansion Orders of Over $5 Million Dollars from Two Tier-1 Mobile Operators" - here.

UK: How do ISPs Implement Network Based Parental Control Service?

Ofcom has "published a report for Government outlining measures the UK's largest internet service providers have put in place to help parents protect children from harmful content online. This follows an agreement between the Government and BT, Sky, TalkTalk and Virgin Media, the four largest fixed line internet service providers (ISPs), announced in July 2013 [see "UK to Enforce Opt Out Network Based Web Filtering on All ISPs" - here]. Each ISP committed to offer new customers 'family-friendly network-level filtering' by the end of December 2013 [see "UK ISPs for Safer Internet" - here]" 

"The report finds that the four ISPs now have a network level family friendly filtering service .. There are a number of filtering categories common to all four ISPs. Suicide and self-harm, pornography, file sharing, crime, drugs, violence and hate are covered by each provider's classification systems .. All of the ISPs offer some additional services alongside the network family-friendly filters, some including internet security services aimed at protecting the subscriber from issues like viruses or malware. All offer device level filtering or security software for installation on individual computers

All of the ISPs have commissioned third parties to perform the categorisation of 

internet content and services: 

• BT and Virgin employ Nominum
• Sky uses Symantec 
• TalkTalk uses Huawei [see "Huawei's SIG: Policy Enforcement and URL Filtering" - here], although Symantec was also initially involved.

The filtering solutions rely on two basic technologies:

• Filtering by Uniform Resource Locator (URL) blocking: the filtering of sites or services based on their web address – either addresses covering whole websites (http://www.example.com) or individual sections or pages on those sites (http://www.example.com/adultpictures). This involves the ISP checking some or all of the URLs which an opted-in subscriber requests against the list of sites or pages to be blocked. If there is a match, the subscriber request is not fulfilled – typically a page with the message “this site is blocked because it is classified as…” may be delivered instead.

• Filtering by Domain Name System (DNS) alteration: the DNS translates domain names (“www.example.com” into IP addresses “192.0.32.10”), to allow a subscriber’s content request to be correctly directed – this is the first stage in requesting a website or service. When used for filtering, the ISP’s DNS server will not provide the IP address for domains on the list; it may instead direct the subscriber request to an information page with “this site is blocked because it is classified as…”.

Each of Virgin Media, BT and TalkTalk has adopted a slightly different version of URL blocking; Sky’s filtering system is exclusively based on its DNS servers. The use of URL blocking allows a more granular classification of online content and services: Sky’s system will always block whole domains, while BT, Virgin Media and TalkTalk can target specific parts of a domain.

See "Ofcom publishes report on internet safety measures" - here.

VAS/Security Deployments [302]: AT&T Uses Bluecoat for Network based Protection

  

AT&T announced ".. the launch of AT&T Cloud Web Security for businesses of any size. The new offering will provide real-time protection against viruses, malware, and compromised web sites --- all without the need for on-site equipment ..  built on Blue Coat Systems’ Security Policy and Enforcement Center. It enables customers to enforce consistent global security policies across wired, roaming, and mobile environments".

See "AT&T Continues Drive to Strengthen Security for Businesses" - here.

VAS/Security Deployments [275]: Singtel Uses Fortinet to Protect Enterprise Customers

Fortinet announced that it has ".. partnered with SingTel to immediately roll out secured broadband services to enterprises across Singapore. Running on Fortinet's high performance FortiGate® network security platforms and FortiManager® and FortiAnalyzer® centralised management and reporting appliances, the SingTel Business Fibre Broadband Security Suite intercepts security threats and eliminates them in the cloud before they reach a company's IT network. Businesses subscribed to this Suite will have online content filtering bundled with their broadband access. Antivirus and anti-spam protection can be added as options. Besides improving security, the content filtering and anti-spam functions help businesses optimise bandwidth usage and increase staff productivity".

Mr Goh Boon Huat [pictured], VP Business Products, Global Products, SingTel Group Enterprise said: “The SingTel Business Fibre Broadband Security Suite is tailor-made for SMEs, which have little or no IT support. Having a reliable, convenient and automated cloud security enables them to protect their vulnerable IT networks from internal and external threats. Our SME customers can enjoy a secured Internet network allowing them to focus on their business, enhance customer experience and drive new revenue growth,"

See "SingTel and Fortinet Partner to Provide Secured Broadband Services to Businesses" - here.

Australian Police Seeks DPI Appliances @10Gbps

The Australian Federal Police (AFP) ".. intends to expand upon its network forensics expertise to include new deep packet inspection capacity that will be able to capture and retain metadata. The agency is currently seeking tenders for an appliance that can accept a stream of TCP/IP traffic or potentially previously captured packets in PCAP format. The request for tender does not specify where the input to the appliance will come from, but states that at a minimum, it must be able to analyse flows of information at 10Gbps, regardless of whether it is using IPv4 or IPv6. Further requirements that the AFP needs are the ability to identify services and applications at the application layer.

Proposals are additionally expected to be able to filter out packets based on keywords, protocols, applications, IP addresses and ports. They should also identify malware, antivirus activity, communication and mobile applications, detect various types of encryption when used and de-capsulate tunnelling protocols. An example of the latter could include the Layer 2 Tunneling Protocol commonly used in virtual private network (VPN) connections, assuming the AFP is able to bypass the secure channel typically established to protect such data.

See "AFP seeks deep packet inspection capability to capture metadata" - here.

Security VAS Deployments [272]: TDS [US] Deploys Kindsight for Malware Protection

Alcatel-Lucent and TDS Telecommunications [see "DPI Deployments: TDS Uses Sandvine" - here] announced that ".. Kindsight security technology is powering TDS’ Hacker Alert service. The Kindsight Broadband Security solution enables TDS to continuously analyze Internet traffic for threats, inform subscribers and provide directions on how to remove ‘malware’ or other infections on a device. TDS Hacker is the fastest selling value-added service in the company’s history and already ranks as the second most popular premium service that TDS offers".

See also "Kindsight Helps ISPs to Detect, Block and Remove Bots" - here.

See "TDS Telecommunications Corp. uses Alcatel-Lucent’s Kindsight solution to help protect U.S. customers from malicious hacker attacks on home network" - here.

Gartner: SDN/NFV should Lead CSPs to DPI, Analytics and New OSS Investments

Paula Bernier [pictured], Executive Editor, TMC, reports to NFVZONE that "Gartner says the dynamic nature of networking SDN and NFV enable will require service providers to up their game in terms of security. They can do that, according to Gartner, by investing in deep packet inspection and SDN analytic tools that monitor traffic, diagnose threats and mitigate security challenges. At the same time, the research firm suggests, network operators must be sure to manage and monitor security controller access to see who is logging in when and for what purpose.

As for billing and operational support systems, Gartner recommends that service providers invest in new ones that support SDN orchestration and provisioning, policy-based control with security functions, and real-time control and billing.
  
With SDN's control and NFV's flexibility, CSPs can develop business models that are based on tiered services, elastic services like security-as-a-service using DPI functions on-demand or more applications on demand
See "Gartner: SDN, NFV Create New Security, OSS Requirements" - here.

Arbor Acquires Packetloop (Security Analytics)

Arbor Networks announced that it has ".. acquired privately held Packetloop, an innovator and leader in the field of Security Analytics. Packetloop’s solution delivers real-time, network-wide situational awareness through a combination of packet capture, big data analytics, security forensics and visualizations that help enterprises identify malware, targeted attacks and attackers. Packetloop’s capabilities complement Arbor’s market leading NetFlow visibility, anomaly detection, application intelligence and identity tracking. Arbor will integrate Packetloop’s capabilities into its enterprise solution platform this year, delivering a broad, integrated set of network visibility; threat detection and mitigation; incident response; and forensics capabilities that become the foundation of Arbor’s next-generation threat monitoring and mitigation platform".

See "Arbor Networks Acquires Security Analytics Innovator Packetloop" - here.