© 2015, VASEXPERTS.RU

SCAT DPIPRODUCT OVERVIEW

Artem Tereschenko

Partner relationship manager

VASEXPERTS.RU

Product featuresSCАТ is a hardware and software system,

developed with the purpose to carry out theanalysis,use of rules and modification of traffic, alongwith the use of DPI (Deep Packet Inspectiontechnology).

Features:Automatic processing of the register of blacklisted sitesof the Federal Service for supervision in the sphere ofTelecom, Information Technologies and MassCommunications (ROSKOMNADZOR) and the Ministry ofJustice (in compliance with Law FZ-139)• Online analyt ics• Control of subscribers’ and common bands (QoS)• Notification of subscribers, advertising placement• Bonus program• CACHing of YouTube, VKontakte, etc. video and audiocontent (QoE)• Protection against DDoS attacks• SОRМ Prefilter

VASEXPERTS.RU

TechnologyIntel Xeon based standard hardware platforms

are used. Low cost of equipment, investmentprotection. 1U form factor.

Technology of direct access to the network cardinterface (DNA, Direct NIC Access) and bypass on physicallevel (L1) function are supported.

Fast CMS detects over 6000 protocols. Allows toprocess up to 14.88 Mpps per channel 10Gbps withdelay not exceeding 30 microseconds.

We support VLAN, Q-in-Q, MPLS, LACP

VASEXPERTS.RU

Classification

By overall service capacity per platform, SCAT-хх is:

Platform SCАТ-6 (6GbE, 6x1GbE 1000Base-T Copper RJ-45)

Platform SCАТ-20 (20GbE, 2x10GbE 10GBase-LR/SR SFP+)

Platform SCАТ-40 (40GbE, 4x10GbE 10GBase-LR/SR SFP+)

Platform SCАТ-60 (60GbE, 6x10GbE 10GBase-LR/SR SFP+)

Platform-80 (80GbE, 8x10GbE 10GBase-LR/SR SFP+)

Functionality (variants of delivery):

• Entry - traffic filtering according to requirements of the federal laws• Base - allows to control traffic in general, including band and channel

prioritization control, statistics and notification of subscribers, SОRМprefilter

• Complete - control of subscribers, CACHE server, additional functionality

VASEXPERTS.RU

Variants of delivery

SCAT-DPI: the System of control and analysis of traffic. Variants of delivery

Entry Base Complete

Bypass mode support Yes Yes YesFiltering according to the registry of blacklisted websites

Yes Yes Yes

Collection and analysis of statistics according to protocols and destinations

No Yes Yes

Marking the traffic priority in accordance with the protocol

No Yes Yes

Notification of subscribers No Yes YesDistribution of the access channel between subscribers

No No Yes

Advertising blocking and replacement No No YesWhitelist and Captive Portal No No YesInternet cache No No Yes1 year update subscription Yes Yes Yes

VASEXPERTS.RU

Typical configuration characteristics

Characteristics SCAT-6 SCAT-20 SCAT-40 Performance 6 Gbits 20 Gbits 40 Gbits

Maximum No. of sessions 4 М 16 М 32 М

Maximum No. of new sessions per second

100 К 250 К 500 М

Number of detected protocols 6000+

Maximum number of subscribers 400 К 2 М 4 М

Traffic procession net interfaces(with bypass)

6x1GbE (RJ45) 2x10GbE (SR/LR)

4x10GbE (SR/LR)

Maximum delay (Latency), not exceeding

30 µc (microseconds)

30 µc 30 µc

Maximum No. of packets (Data Frame Size = 84 bytes), minimum

4 М 11 М 20 М

Hardware platform 1U, 19” 1U, 19” 1U, 19”

VASEXPERTS.RU

Comparison

SCAT DPI Huawei SIG9810

PlatformComputer

Xeon,SSE4.2,IGB/IXGBE

Switch

ASIC/NP/FPGA/Multi-core

CPU

Performance Up 40 GBPS per 1 RU 40/50 GBPS

Number of flowsUnlimited (20 mln. per 20

GB RAM)32/40 mln.

Size 1 RU 20 RU

Delay 30 μs 200 μs

Reliability Bypass Bypass,1+1

Price Up to 3 mln. rubles 5 mln. rubles

VASIncluded into the cost of

productN mln. rubles

VASEXPERTS.RU

SCAT-80 vs SCE10000VASEXPERTS SCAT-80 CISCO SCE10000

Technology

Distribution of data flows processing by multicore CPU

Intel x86

Programmable expandable architecture providing

protection of investments

Performance80 Gbits

2.5Tbs in cluster

60 Gbits

480 Gbits in cluster

Number of flows 20 mln.

Number of

subscribers2 mln.

Hardware: RAM, CPU,

Hard Drive, Main

Network, Control

Network

128 GB, CPU 18 cores

HDD 2 x 500 GB

8 x 10 GBE with bypass

1 x 1GBE

512 GB, CPU 40 cores

HDD 2 x 300 GB

8 x 10 GBE with bypass

4 x 1 GBE

Size 1 RU 2 RU

Min GPL cost 20 000 c.u. 400 000 c.u.

VASEXPERTS.RU

Work schemes

Installation “in break” is a recommended scheme, where bothcomponents, incoming and outgoing, pass via SCAT; it allows to use the wholeavailable functionality, including traffic prioritization and subscriber bandcontrol (Complete version).

ПользователиКонцентратор

BRAS СКАТNAT/Граничный маршрутизатор

Internet

HubUsers

SCATEdge router

VASEXPERTS.RU

Work schemesAsymmetric scheme: only outgoing traffic component passes via SCAT,

3 variants of organization:• with the use of additional router and route announcement• with the use of PBR for certain ports (80)• traffic mirroring: SPAN ports or optical splitters

Can be used for VAS, to obtain “click stream” analytics, to notifysubscribers, and to interact with CACHE server, SORM prefilter(Entry and Base variants of delivery).

СКАТ

BRAS

ПользователиКонцентратор

NAT/Граничный маршрутизатор

Internet

Зеркалированный трафик

СОРМ

Edge router

UsersHub

/SORM/SCAT

Mirrored traffic

VASEXPERTS.RU

Scaling

Support of scaling up to 320 Gbits at using Arista/Extreme switches andJuniper/Cisco routers. Traffic balancing is provided by the use of “symmetrichash”.

A B

СКАТ-20

Cisco/Juniper/Arista/ExtremeCisco/Juniper/Arista/ExtremeСКАТ-40

СКАТ-80

SCAT-20

SCAT-40

SCAT-80

VASEXPERTS.RU

Option: Traffic filteringCharacteristics Description

Upload of the Roskomnadzor register (Laws FZ-139, FZ-187, FZ-398)Centralized, cloud

service

Possibility to use the request signed by a personal electronic signatureYes, located on the

cloud

Upload of the federal list of extremist materials of the Ministry of Justiceof the Russian Federation (FZ-114)

Centralized, cloud service

Filtering according to the own operator's list Yes

Support of the centralized own operator's list for server cluster Yes

Support of connection schemesIn break,

asymmetric, mirroring

Possibility to control filtering according to specific users Yes

Blocking the http/https traffic Yes

Support for http redirect to the information content page Yes

Possibility to collect statistics of the blocked pages Yes

Possibility to monitor downloading of lists and functioning of filters Yes

Maximum list volume Up to 4bn. URL

VASEXPERTS.RU

Option: Analytics

VASEXPERTS.RU

Provision is made for analytical information under the protocol Netflow, for the following characteristics:• Band allocation according to

application protocols• Band allocation according to the

autonomous systems (AS) • Uploading of the total information

into the billing by classes for each subscriber

• Uploading of the full netflowby subscribers

• All specified modes can operate simultaneously

• Using the summary information for billing by classes for each subscriber allows to tariff separately sip, skype, and bittorrent traffic

Band distribution according to protocols:

Distribution according to directions:

VASEXPERTS.RU

Option: Traffic prioritizationSCAT allows to change the priority field in packets passed through it,

depending on the detected DPI protocol.

The following fields are supported:

• DSCP/TOS in IP packet headers• priority in headers of VLAN and QinQ packets• traffic class in headers of MPLS packets

Router or shaper can use marking in the priority field to ensure the requiredQoS for specific protocols, even without having the own DPI features.DSCP value is set in numeric (10-,16- or 8-ary) format or using textabbreviation.

Example:• dns 0x3F• skype drop• compressnet 010• ftp keep• http cs0• default keep

VASEXPERTS.RU

Option: Uplink optimizationSCAT allows to limit the size of the occupied band by protocol groups. This

mechanism is often applied for limiting the torrents.

Two mechanisms are available:

Band limitation with burst support in the form of the classical token

bucket

Band limitation with borrowing in the form of Linux HTB

This band is paid by

operator

99% of the time traffic

does not exceed this

value

VASEXPERTS.RU

Option: Distribution of bandbetween subscribers

Control of the traffic bandwidth (QoS) for each subscriber in accordance withtariff plan.The option allows:• to use TBF or HTB policing type with borrowing the channel band• to set up the flexible control of the classes, thus improving QoE within the

tariff in case of exceeded use of BURST and feedback incoming -> outgoingtraffic to control the band

• to limit the subscriber’s traffic bandwidth in accordance with tariff plan• to control the rules on per-subscriber's level, to prioritize traffic according to

the classes for QoS improvement, to limit the torrent traffic• to prescribe the uniform rules for corporate subscribers with a group• of IP addresses

VASEXPERTS.RU

Option: CACHE server

CACHE server is an additional SCAT DPI component allowing to CACH videocontent of popular services, such as YouTube, RuTube, and VK.com, updates ofWindows, browsers, anti-viruses, and other software, as well as repetitive files(for example, jquery libraries , pictures, etc.).

CACHE server functions only with SCAT and does not require proxy mode.

CACHE server network connection is similar to the typical WEB-server connection. During connection, it is required to provide 2 channels for the content distribution.

.

Router Router

CACHE server

SCAT-1

SCAT-N

Internet

VASEXPERTS.RU

Option: White list and CaptivePortal

The white list allows to limit available for subscribers websites and pagesand forwards subscribers to the predetermined content page at their attemptsto go beyond this list.

Application:• blocking of subscriber at zero balance account, with possibility to pay debts

through the authorized payment systems• user's identification in WiFi networks, provision of certain user's actions in

WiFi network to grant accessWork on the white list of the websites is combined with restriction to work

on the list of protocols on the subscriber's level, for the purpose of notifying thesubscriber about failure to pay for the provided services.

VASEXPERTS.RU

Option: Notification ofsubscribers

Possibility to notify subscribers about new offers of the operator and towarn them about planned work in the network or emergency.

VASEXPERTS.RU

Option: Protection against DOSand DDOS

The system provides the following mechanisms against DoS and DDoSattacks:• Protection against TCP SYN Flood• Protection against fragmented UDP Flood

SCAT includes high-performance mechanism of protection against TCPSYN Food and fragmented UDP Flood attacks, allowing to process

(depending on configuration) of up to 20 million packets per second.

• Protection against DDoS (LOIC, etc.)based on Turing test (HumanDetection, CAPTCHA)

• In case of SCAT threshold exceeds,only users included into the white listare allowed to work with thewebsite, all other users areforwarded to the page withCAPTCHA for check.

VASEXPERTS.RU

VASEXPERTS.RU

Option: Lawful interception:traffic interception

SCAT allows to make online network traffic recording required for supportof the future standard SORМ-3, and can be used in traffic monitoring forsecurity threat diagnostics and analysis.

The system ensures:• traffic interception by certain

protocols, IP-addresses, or sub-networks (CIDR) along with information storage on a disc drive

• information storage on httpqueries

Change of parameters of traffic damp queries and http queries is carriedout in “flying” mode without necessity to restart the whole process.

VASEXPERTS.RU

Advantages

• Support of the available server platformso SuperMicro, Dell, Fujitsu, and other x86 platforms

• High performance per 1 unito Up to 80Gbits

• Development and high-quality support of the product in Russiao NBD - Next business dayo 8x5x8o 24x7x4

• Competitive price• Simplicity of scaling and upgrade• Abundant functionality

© 2015, VASEXPERTS.RU© 2015, VASEXPERTS.RU

Thank you for your attention!info@vasexperts.ru+7 (812) 313 88 15

http://vasexperts.ru/