Intelligent Policy Enforcement
Intelligent Policy Enforcement (IPE): Enables broadband network operators to provide unprecedented levels of personalization, service optimization, network assurance, and rapid creation of business models to monetize their infrastructure investments. IPE has evolved from simple uses like P2P traffic management, fair usage, and business intelligence to more sophisticated uses designed to increase operator profitability and service innovation.
Deep Packet Inspection: Technology that analyzes data traffic traversing the network with the capability to detect trends and future threats or opportunities.
Classification: True flow-based classification, operating from Layer 3 to Layer 7 and using multiple techniques to determine the core application operating on the network.
Categorization: DRDL™ automatically categorizes applications into logical groupings, including Streaming Media, VoIP, File Sharing, Entertainment, and Business Applications, dramatically reducing policy complexity and reporting.
Accuracy: Designed to reduce misclassification. No port-based signatures; traffic can be managed based on behavior even when it is unidentified. Behavior flags are visible in the Procera LiveView application for each individual flow to provide operators real-time visibility into application behavior for network and security forensics. Procera prefers to be cautious on our accuracy, and will not “guess” at applications, dramatically reducing false positives (incorrect classifications). Unknown traffic can be managed by behavior flags in order to provide control over streaming, downloading, and encrypted traffic even if the application cannot be determined.
Layer 7 Details: Extracts many Layer 7 headers and properties from each connection to provide granular control over traffic (Layer 7 shaping and firewalling). Examples of Layer 7 details are URLs, HTTP referrers, SIP phone numbers, device-type, or character classes in World of Warcraft.
Signatures: A signature is a distinct application, service, or protocol that can be distinguished from general traffic. Examples of signatures would be Flash video over HTTP (which is distinct from HTTP browsing), BitTorrent, SIP, SMTP, CastleCraft for iPad, Skype, etc. The Procera solution supports over 2000 (April 2012) application, service, and protocol signatures.
Virtual Service: A custom-created definition that uses distinct properties of a signature to create a more specific signature for use in business intelligence or service creation. Examples of this would be a YouTube or Facebook Virtual Service for charging purposes. Websites and content are not counted in the Procera signature count, but thousands of additional services can be created and compiled in real-time on the system.
Updates: New signature updates released every 7 days. Updates can be installed without affecting uptime or traffic.
Traffic Shaping and Queuing Technology: Procera Networks’ Advanced Queuing Mechanism (AQM) provides unique queue management technology that buffers, queues, and prioritizes packets per flow. It is designed to provide host fairness and minimize packet drops during congestion for all protocols, not just TCP.
Parallel Queuing: Packets can be enqueued in multiple shaping queues, permitting simultaneous control of multiple combinations of subscribers, applications, and upstream & downstream pipe. This is critical for controlling backhaul over-subscription in an efficient manner by supporting a hierarchical queuing structure that is most effective for network congestion management.
Traffic Control / Network Congestion Management: Create powerful traffic management policies with fine grained control per-network, per-subscriber, per-application or any combination of policy attributes, including Networks, Subscribers, Application signatures or categories, Time schedules, VLANs, MPLS Tags, BGP AS Paths, URLs, MIME types, time-of-day, and many more.
Prioritization: Ensure time-sensitive applications like VoIP, Video, and Gaming get the bandwidth and priority they require.
Asymmetric Traffic Identification: FlowSync™ provides true accurate asymmetric traffic analysis and supports synchronizing traffic flows between two or more PacketLogic Appliances, with extraordinarily low overhead (1-5% of total traffic volume). FlowSync™ is also used for Carrier Grade NAT and Advanced Traffic Steering to support geographic redundancy or asymmetric deployments.
Asymmetric Traffic Control: QueueSync™ provides true accurate asymmetric traffic control. Supports synchronizing shaping queues between two or more PacketLogic Appliances.
Multi-System Scalability: Scale up capacity with multiple systems, without sacrificing control or capacity. FlowSync and QueueSync technologies can be used to eliminate the complexity of full mesh clusters and save significant cost for geographically dispersed systems.
Volume Based Traffic Shaping: Create usage quotas for subscribers, applications, or any combination of policy criteria and automatically apply more aggressive bandwidth limits once quota is exceeded or re-direct users to top-up portals.
Fair Use Policies: Dynamically partition available bandwidth to ensure that all users receive an equal share of bandwidth during times of congestion or network outages.
Policy Responsiveness: Enforce policy changes on the fly, including affecting existing connections and traffic. New policies are immediately evaluated against all traffic in the system, not just new connections.
Throughput: Systems capable of 4 Mbps to 320 Gbps of throughput across PRE product families. Throughput usually depends on exactly what functionality and traffic mix are present in the system, but can be determined once the operational characteristics of a deployment are known.
Efficiency: Uses IPE-optimized OS (PLOS) to achieve a dynamic, real-time, feature-rich, and low latency system. PLOS is optimized to use fewer cycles per packet and identify traffic faster to enable higher scalability and more services to be active in the PRE systems. PLOS operates 20-50% faster on equivalent hardware than solutions from competing vendors.
Scalability: High scalability for subscribers and sessions per system enables more efficient deployments and lets broadband operators grow their services and subscriber count so that their networks can meet exploding broadband demands.
Transactions Per Second: Performance metric used to characterize interactions with Policy Management (PCRF) and Charging (OCS and OFCS) systems.
Filtering and Redirection
Filtering: Accept, reject, or deny traffic based on any combination of Layer 3-7 criteria (e.g., URLs, content types).
Traffic Steering: Redirect traffic or specific connections for the purpose of integrating with 3rd party application services or value-added services. Traffic Steering can be done per-application, per-subscriber, per-content type or provider, or any other policy metric.
Advanced Traffic Steering: Redirect traffic or specific connections using Traffic Steering, but managing TCP sessions during application identification to minimize traffic sent to 3rd party application services.
Carrier Grade NAT: Address conservation by implementing Large Scale NAT to allow a network operator to use private addressing space internal to their network and translation to public addressing at the network access border.
Browser Redirection: Force browser redirection for matching URLs or web servers for captive portals or walled gardens.
Inject: Injecting specific information into a packet for processing by downstream systems.
Packet Capturing: Integrated packet capture on-board to collect unknown traffic to develop new application signatures.
Packet Mirroring: Mirror selected traffic for lawful intercept or processing by 3rd party security applications.
Re-write: Ability to re-write Destination IP, MAC, VLAN, or DSCP.
Connection Limiting: Control connection rates and totals for any combination of policy elements to mitigate DDoS attacks. Mitigation can be on any policy level – subscriber, application, etc.
Malware detection: Common malware signatures that can be used to detect, block, or quarantine infected hosts.
Host Connection and Throughput Thresholds: Create triggers for custom responses to hosts abusing network resources. Assists in identifying potentially infected hosts including hosts involved in zombie-based DDoS attacks.
Extensive Real-time Diagnostics: GUI access and SNMP support for performance and resource information. Graph system resources and correlate recent network events and impact on resources and performance. Every critical process and metric is available for review in real time, with peak, minimum, and current values displayed for all diagnostic values.
Alerts: Create thresholds and generate alerts for key system resource usage, environmental conditions, or hardware failure.
Redundancy and Bypass
Procera Bypass Switch: External 1RU device capable of 1GE or 10GE Fiber bypass. Supports up to 4 channels.
PacketLogic Intelligence Center
Reporting on the Box: Local statistics storage supported on the PL7720, PL7810, PL8720, PL8920, and PL8820 products.
Reporting Server: High capacity, fully redundant PacketLogic Intelligence Center platform for long term historical statistics.
PacketLogic Report Studio: Completely customizable analytics solution that lets network administrators create user-defined reports and analysis to answer the business questions needed to enable new services and ensure network profitability. Report Studio leverages the rich statistics dataset available from the PRE systems.
Statistics: Statistics can be collected for each flow and correlated with any available subscriber attributes (location, service plan, etc). Statistics available per flow include incoming and outgoing bytes, connections (incoming, outgoing, unestablished, concurrent), incoming and outgoing shaping drops, incoming and outgoing latency, popularity, incoming and outgoing Round Trip Time (RTT), and incoming and outgoing Quality of Experience metrics.
Real-time Traffic Monitoring
LiveView Real-Time Visibility: Real-time visibility of traffic per host, network, user, and application with five second updates across single or multiple systems. Information available includes bandwidth, connections, Quality of Experience metrics, shaping latency and drops, and RTT measurements.
Layer 7 Properties: Detailed Layer 7 connection information for many applications (URLs, User IDs, Email addresses, SIP phone numbers, etc) is available through drill down into individual flows.
Behavioral Flags: DRDL utilizes behavior flags to categorize applications based upon their behavior to enable policies even on unidentified applications, including Encrypted, Streaming, and Downloads.
Quality of Experience: QoE metric monitors packet loss, retransmissions, and fragmentation to determine upstream or downstream congestion conditions. This is available at any level of the LiveView hierarchy from the network as a whole or through drill-down to a single flow.
Shaping LiveView: LiveView provides real-time feedback on the latency added by shaping as well as the drops for each queue configured in the PRE system. This ensures that the network operator can monitor the network to determine the impact of the policies that have been applied. It also enables detailed SLA information that can be provided to subscribers to ensure that committed SLAs are being met.
Analytics and Reporting
Report Studio templates: Completely customizable report templates supporting complex, multi-system reports that can include SQL queries to other systems for comprehensive network-wide reports. Dramatically simplifies creation of custom reports.
Web-based report scheduler: Simplify the distribution of selected reports via email to any user through a web-based reporting interface.
Location-based reports: When integrated with OSS/BSS systems, location-based reports can be used to monitor upstream and downstream network issues, for network congestion management, and to conduct extensive service planning and analysis.
Device-based reports: When integrated with OSS/BSS and through user agent detection, ability to create reports based on behavior of specific devices on the network. Extremely important for capacity planning for broadband connected PCs, Smartphones, and tablet computers.
Network Congestion Management reports: Network Congestion Management reports can be created showing most congested interfaces, minutes of congestion, when congestion occurs in specific locations and regions. Includes capability to create Quality of Experience reports using built-in QoE capabilities.
Service Plan-based reports: Understand the usage patterns and behavior of users of different bandwidth and service plans on the network to manage capacity on the network as service plan usage increases.
Top Application reports: Determine top applications and application groups (Streaming, Download, Gaming, VoIP) used by subscribers on the network.
Top Sites reports: Determine top domains, sites, and servers visited by users to manage site-based Quality of Experience. Extremely useful for understanding peering needs.
Over-The-Top-Video reports: Understand the usage of popular OTT video streaming services and their impact on the network. Can be combined with device awareness to give insight into adoption of devices as video players.
Peering reports: Integration with BGP routing provides important insight into upstream link routing preferences and utilization (on-net vs. off-net, domestic vs. international).
Drill-down interactive reports: Commonly requested reports are fully interactive with drill-down capability. Peak analysis and 95th percentile reports are supported with configurable depth.
Report Exporting: Export reports via PDF, CSV, email, or API to external BSS/OSS systems or customer portals.
BSS and OSS integration: The PacketLogic Subscriber Manager (PSM) integrates with Billing Systems, Policy Servers, and Operational Support Systems to provide network awareness (including subscriber, device, location, and service plans). Using open interfaces, the PSM automates the provisioning of subscribers on the PacketLogic appliances, and provides per-user data usage and historical reporting.
Policy Integration: Integration with PCRF systems using Gx for standards-based policy control and quotas. High capacity per system to manage high volumes of user registrations and mobility.
Charging Integration: Integration with OCS and OFCS systems using Gy, Gx, or CDRs for charging and billing purposes.
RADIUS integration: Intercepts RADIUS packets to extract User IDs, IP addresses and custom RADIUS attributes, and provisions users in the PacketLogic configuration.
DHCP integration: Intercepts DHCP packets to extract Option 82 (Port/Host identifier) and IP addresses, and provisions in the PacketLogic configuration.
SIP integration: Included in the box. Intercepts SIP packets to extract SIP Handset type, Caller & Callee phone numbers and other attributes, and configures these in the PacketLogic configuration. Can be used to apply SIP policies and provide better call quality.
Other Integration Capabilities: SOAP, JSON, NAC, and Active Directory.
Service Packages: Subscriber, device and location awareness enables per-user service plans that can include usage allowances (including per-application), QoS priorities, fair use controls, and additional service packages (Parental Control, Security, etc.).