Cloud Access Optimization
Solutions for Enterprise
Executive Summary
Who needs Cloud Access Optimization?
Why?
Data Center Migration to the Cloud
Virtualization and SDDC
User Mobility and Unified Communications
What’s the problem?
Weak links in the cloud application delivery path
Unpredictable availability & performance of applications
Need to allocate Access resources to users and applications
Need to scale Access resources to new demand levels quickly and easily
Need to measure and control how Access capacity is utilized by applications and users
Point solutions from multiple vendors are complicated to provision and do not always work together
Cloud Access Optimization is the solution
Visibility
Control
Security
Solution Technologies
Solution Benefits
Solution Deployment
Why Allot
A number of evolving market trends are having a big impact on the ability of enterprises to run efficient networks that satisfy users, increase productivity, and ensure business continuity.
Cloud Migration is on the rise with enterprises transitioning their IT infrastructure to private, public and hybrid clouds. Together with this comes Application Mobility in which applications are increasingly hosted in the cloud and accessed via the Internet instead of the enterprise LANs. In addition, the rise in User Mobility and BYOD makes it more challenging than ever to ensure application performance and secure access to Unified Communications applications in the cloud.
While cloud data centers and applications are powered by virtualized and software-defined architectures, enterprises are still using the same Internet and WAN resources to access those cloud hosted applications. Cloud access has not kept pace with the advances in data center capacity, elasticity, central control, and virtualization.
With users vying for the same shared cloud access capacity, application performance (and hence user productivity) is highly subject to degradation by heavy transaction loads from real-time video and voice, file transfer, endpoint upgrades and Denial of Service attacks. Hence, the cloud access points are the weakest links in the delivery path from the user to the application.
Allot’s Cloud Access Optimization solution overcomes the main performance and security challenges of user access to cloud-hosted applications and in doing so, transforms the WAN Optimization Controller (WOC) market into a new domain. Going beyond traditional WOC functionality, Allot employs access virtualization to allocate dedicated resources to multiple tenants, users and applications in the cloud. In other words, the shared cloud access is divided into multiple virtual instances – each with its own SLA that is individually monitored, controlled and secured. Allot’s ability to virtualize physical access resources and flexibly manage them means that enterprises can dynamically match cloud application performance to user and business requirements.
Cloud Access Optimization ensures user QoE and productivity by controlling performance and security
Who needs Cloud Access Optimization?
Allot Cloud Access Optimization solutions are ideal for enterprises that:
have migrated their data center to private, public or hybrid cloud
have adopted virtualization, Software Defined Data Centers, and SaaS applications
have branch offices connecting to cloud resources via a WAN
have mobile employees working at home or on the road
encourage BYOD and collaboration applications over the Internet
Cloud and mobility trends are having a big impact on the ability of enterprises to run efficient networks that satisfy users, increase productivity, and ensure business continuity.
Data Center Migration to the Cloud
As enterprises transition their data center and applications to private, public or hybrid cloud business models, they introduce new challenges in controlling the entire application delivery path and assuring application performance.
Private cloud data centers may be owned by the enterprise or hosted by a managed services company in a virtual private cloud.
Public cloud data centers provide Data Center as a Service (DCaaS) to enterprise tenants who share the data center resources.
Enterprises that use Hybrid cloud data centers host some data center functions in a private cloud while others are hosted in a public cloud.
As a result, applications are increasingly hosted in the cloud and accessed via the Internet instead of the enterprise LAN. Application mobility makes the Internet access an ever more critical business resource for the enterprise.
Virtualization and SDDC
Virtualization and Software Defined Networks (SDN) are two of the most important IT trends in the enterprise arena. As enterprise data centers migrate to the cloud, HW and SW applications are decoupled, enabling machines and their functions to be deployed, duplicated and scaled dynamically. This has given rise to the Software Defined Data Center (SDDC) where software components and open APIs are used to facilitate application and resource flexibility, agility and customization.
User Mobility and Unified Communications
Enterprise users who primarily accessed applications from their Campus and Branch offices are increasingly accessing applications while at home and on the road. Moreover, many enterprises allow both employees and other users to connect their own endpoint devices (smartphones, tablets, laptops) to the network. As a result, it is more challenging than ever to ensure the performance of applications in the cloud – especially collaboration applications.
What’s the problem?
Weak links in the cloud application delivery path
Enterprises are migrating their applications to data centers powered by virtualized and software-defined architectures. But, employees are still using the same Internet and WAN connections to access those cloud hosted applications. Cloud access resources have not kept pace with the advances in cloud data center capacity, elasticity, central control, and virtualization. Hence, the cloud access points are the weakest links in the path from the user to the application.
Unpredictable availability & performance of applications
With users and applications vying for the same shared Internet and WAN access capacity, application performance (and hence user productivity) is highly subject to degradation by heavy transaction loads from real-time video and voice, file transfer, endpoint upgrades, and ad hoc events. Denial of Service attacks on data center resources and internal bot infections also take their toll by flooding the network with unwanted and unplanned traffic. Employee productivity depends on reliable performance of the applications that facilitate their ability to work, collaborate and support customers effectively.
Need to allocate Access resources to users and applications
Enterprise cloud data centers serve numerous users – each needing access to different business applications at different times, in different locations, on different devices and with different access priorities. For example, sales personnel demand round-the-clock availability and fast response time from Salesforce.com in order to book and close sales, while marketing staff on the enterprise campus use Salesforce.com only during business hours to set up campaigns and view reports. Basic traffic prioritization goes only so far in managing today’s complex application and network environment. Enterprises need the ability to tailor application performance to the disparate and dynamic needs of each user.
Need to scale Access resources to new demand levels quickly
Although connectivity prices have come down over the years and capacity is abundant, Internet and WAN access is still a bottleneck because additional capacities are quickly utilized by growing application demand. Enterprises need to be able to assign access resources to different users and to scale their assignments up or down on demand, without repeated investment in new access infrastructure.
Need to measure and control how Access capacity is utilized by applications and users
If you can’t see it, you can’t control it. While enterprises intuitively understand that Internet and WAN access is still a bottleneck, they can’t pinpoint the culprits who are causing the congestion. Clear visibility of every application and network transaction is critical to understanding and managing how well enterprise business applications are supporting employees and helping (or hindering) their productivity.
Point solutions from multiple vendors are complicated to provision and do not always work together
Enterprises can choose from a range of solutions to increase application performance and optimize the user experience across large, complex and hybrid environments. The trick is getting them to work together and to be able to orchestrate their functions. The challenges associated with network integration projects, such as concerns about cost and the potential of business downtime, as well as technology implementation issues, can lead businesses to put off network changes and improvements. Solutions that provide pre-integrated functions in a future-ready platform can be used to create a solid foundation for network improvement and service level assurance.
Cloud Access Optimization is the solution
Cloud Access Optimization goes beyond the traditional WAN Optimization Controller (WOC), enabling enterprises to overcome the main performance and security challenges of user access to cloud hosted applications, and to ensure high user QoE and productivity. This solution provides three essential capabilities: Visibility, Control, and Security.
Highly granular visibility and reporting of every transaction is required in real-time in order to optimize access routes to cloud application resources. That’s why Allot Cloud Access Optimization solutions provide awareness per application, user, endpoint, URL and SLA with continuous real-time reporting.
Application awareness is based on Dynamic Actionable Recognition Technology (DART) – Allot’s superior brand of DPI. Allot employs multiple inspection and analytical methods to identify specific applications and protocols, including encrypted traffic flows that are designed to evade detection. These methods, together with Allot’s extensive signature library, ensure recognition accuracy and reduce unidentified traffic, even at maximum speeds and peak loads. Moreover, hitless signature updates ensure that traffic flows are continuously and accurately detected and classified.
DART interoperates with Active Directory resources, allowing enterprises to monitor individual employee or guest usage. This visibility is the key to service level assurance whether applications are hosted on campus, in the cloud, or both.
Allot’s Cloud Access Optimization solution enables enterprises to obtain greater insight into the performance of their network and applications. It allows IT staff and engineers to understand how their access resources are utilized by applications and users on the network, and to determine Quality of Service (QoS) policies that link application performance to business goals and to user expectations.
Long-term reports and analytics tools collect data from across the network and prepare it for presentation in order to understand usage trends and to assist with capacity and service planning. Reports can show network usage by application, user, site and time of day, to help you understand your current state of affairs and determine the best way forward. For example:
Track access utilization, Top Talkers, Top Endpoints, and other popular metrics.
Track the performance of specific applications, for specific users
Measure SLA performance over time
Customize reports for specific audiences or user groups
Automatically generate and email reports to relevant audiences
Allot’s Cloud Access Optimization solution facilitates Root Cause Analysis (RCA) of service degradation, enabling enterprises to pinpoint the specific application, user, network and location (site) causing the service problem. Fast and accurate troubleshooting increases service up-time and user productivity and significantly decreases service degradation by resolving the problem at its source.
Allot’s expertise in granular and multi-dimensional awareness is matched by our ability to control QoS and security with the same level of granularity.
Internet & WAN Access Virtualization
Allot uses access virtualization to allocate dedicated Internet and WAN resources to multiple tenants, users and applications in the enterprise cloud. In other words, the shared cloud access is divided into multiple virtual instances – each with its own SLA policy that is individually monitored, controlled and secured.
Virtualized cloud access allows enterprises to align application performance to business needs.
Allot uses software and APIs to create virtual instances of Internet and WAN access links that operate completely independently of one another. Then dedicated network resources (such as bandwidth, QoS, URL filtering, etc.) are allocated to the application and user traffic on each virtual link. Unlike the shared access resource, the traffic in one “virtual access link” is not affected by the traffic in any other “virtual access link.” Allot’s ability to virtualize Internet and WAN access resources in this manner means that enterprises can dynamically match cloud application performance to different user and business requirements.
Service Level Assurance
Service Level Assurance allows enterprises to guarantee fast, predictable and consistent cloud application performance for a variety of users. Once the Internet and WAN access connections are virtualized, users and applications no longer compete with one another for resources. IT staff are now able to assign appropriate SLA policy to the different applications and users accessing the cloud data center, taking into account both the inherent requirements of all applications together with their importance to the business.
SLA policy may control a number of factors such as bandwidth allocation, QoS, forwarding priority and others. Service Levels may include automatic enforcement triggers such as temporary rate-limiting when utilization reaches a congestion threshold.
Allot Cloud Access Optimization solutions also enable users or “customers” to track their own SLA and to verify that key performance indicators (KPI) match their expectations. This is particularly important when enterprises outsource their data centers to an IaaS provider.
Allot’s future-ready platform for Cloud Access Optimization expertly steers and balances traffic loads across multiple access ports and/or servers in a way that is completely transparent to applications and users. Moreover, Allot has integrated Visibility, Control and Security capabilities within a future-ready and highly scalable platform, using standard interfaces to interoperate with other elements in your network as needed. In this way, enterprises reduce the risk and enhance the success of cloud data center implementations.
Allot’s experience in service integration has been acquired over years of successful implementations with very large carriers and enterprises. We pour this experience back into our product features and into the support we provide to our channels and
Enterprise network users expect their online experience to be always available and secure. As data centers and applications move to the cloud, enterprises are challenged to implement sufficient security measures without compromising application performance. Allot Cloud Access Optimization solutions protect your cloud data center and its availability by creating a transparent security perimeter in the access network, to mitigate Denial of Service (DoS/DDoS) and Zero Day attacks before they can do damage. It’s your first line of defense.
Allot ServiceProtector is a fully integrated anti-DDoS module within Allot Cloud Access Optimization solutions. Its advanced Network Behavior Anomaly Detection (NBAD) technology identifies DDoS and other network flooding events by the traffic anomalies they cause. Filtering rules are obtained dynamically by searching deep into the captured DDoS packets for unique repeating patterns in each event.
Surgical DoS/DDoS protection neutralizes flooding attacks within seconds of emergence by rapidly detecting, identifying and filtering DDoS packets while allowing legitimate traffic to flow unimpeded.
Allot ServiceProtector also protects users from malicious bots by neutralizing malware-infected hosts and spam activity before it adversely affects the performance and integrity of your network.
Enterprises can prevent unintended spam and IP scanning traffic from eating up valuable bandwidth and quickly identify infected hosts that require cleanup. Allot ServiceProtector uses Host Behavior Anomaly Detection (HBAD) technology to monitor connection establishment rates and other symptoms of anomalous user behavior, allowing enterprises to surgically treat the root cause (i.e., the malware-infected host) without having to resort to broader measures such as blocking entire subnets, links or ports. Behavior-based anomaly detection enhances existing security layers with frontline mitigation of spambots and other malware.
Regulatory compliance (URL filtering)
Some enterprises, such as financial and health organizations, are subject to regulation and oversight to protect consumer transactions and data privacy. Regulation often affects the kind of online service that these enterprises can provide, as well as the online activity of their employees. Allot WebSafe is a fully integrated URL filtering module within Allot Cloud Access Optimization solutions that allows enterprises to block access to blacklisted or illegal content at the network level. The URL filtering capability is fully integrated with Internet Watch Foundation (IWF), including automated online updates from the IWF. The service may be easily integrated with any local regulatory or watchdog body.
Likewise, enterprises who seek to enhance employee productivity by limiting access to recreational, social, or e-commerce applications can use the Allot WebSafe module to block access per URL, user or user group.
Dynamic Actionable Recognition Technology (DART) combines Allot’s vast expertise in deep packet inspection (DPI) and real-time policy enforcement into a highly effective toolkit for managing network utilization and service level assurance. DART employs multiple inspection and analytical methods to identify specific applications and protocols – from simple packet header identification to session-level analysis of encrypted protocols. DART represents our long-standing core competence and unique differentiation in Layer-7 DPI visibility and control technologies, which are now being applied to solve cloud business challenges.
Network Functions Virtualization refers to the transition from a legacy data center, where there is a dependent relationship between HW and SW applications, to a virtual data center where HW and SW applications are decoupled, enabling them to be duplicated, scaled and deployed from a central software control center.
Allot is one of the key contributors to the Virtual Network Functions Architecture standard that is currently being defined by the ETSI NFV Industry Specification Group.
Allot provides advanced technologies such as Distributed DPI and Distributed QoS in which meta data synchronization is used to ensure that user-application traffic is correctly identified and information is propagated to relevant software instances.
Allot has implemented hundreds of successful use cases that bridge data and control planes to enable service delivery.
Allot solutions are compliant with VMware and KVM.
Software Defined Networking (SDN) is a true revolution in networking and a real disruption to the way we have traditionally built, configured and managed networks. SDN was created to make the network agile and programmable, whether it is a virtual network environment or a physical one. SDN will control and automate sophisticated routing decisions in a very complex IT world where various applications with various characteristics are consumed from multiple locations. SDN will enable application workloads to easily migrate from one server to another or from a private cloud data center to a public cloud or to a managed hosting service. As currently defined, the SDN Controller is the main decision maker in the network.
To make the right decisions in a timely manner, the SDN controller needs accurate information in real-time. The highly granular application, user and endpoint awareness provided by Allot solutions is precisely what the SDN controller needs to program the network to meet evolving business needs. Allot recently implemented a service provider use case for enterprises in which, based on certain conditions, SaaS users at branch offices are routed on-the-fly directly to the Internet where the SaaS is hosted, rather than through a central IT location and then to the Internet, which is the normal procedure.
Allot solutions are compliant with OpenFlow.
Software-Defined Data Centers are related to the broader SDN trends that use software components and APIs to facilitate application and resource flexibility, agility and customization. As data centers evolve into software-defined data centers, the highly granular application, user and location awareness provided by Allot solutions will be used to program the data center to meet evolving business needs.
Anomaly Detection (NBAD, HBAD)
Allot’s anti-DDoS and anti-bot capabilities are based on advanced anomaly detection technologies whose effectiveness has been proven in demanding service provider environments and which are now being applied in cloud data centers.
Network Behavior Anomaly Detection (NBAD) identifies DDoS and other network flooding events by the anomalies they cause in the normally time-invariant behavior of “network ratios” (combinations of Layer 3 and 4 packet rate statistics). Filtering rules are obtained dynamically by searching deep into the captured DDoS packets for unique repeating patterns in each event. Optimum filtering accuracy may be achieved by using patterns found in the Layer 2 to 4 headers and payload.
Host Behavior Anomaly Detection (HBAD) identifies hosts exhibiting symptoms of malware infection or abusive behavior through their abnormal levels of outbound connection activity, and further categorizes them by their match to profiles of malicious connection patterns.
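The two detection ideas described above, sketched in Python as an added example; it is not from the original paper and is not Allot's implementation. The choice of ratios, the thresholds, the profile names and all counters and addresses are assumptions constructed for illustration.

```python
"""Ratio-based (NBAD-style) and per-host (HBAD-style) anomaly checks.
Added illustration only: ratios, thresholds and all data are assumptions."""
from collections import defaultdict
from statistics import median

# Constructed packet counters, one dict per measurement interval.
INTERVALS = [
    {"syn": 100, "syn_ack": 98, "tcp": 5000, "udp": 1000},
    {"syn": 110, "syn_ack": 107, "tcp": 5400, "udp": 1100},
    {"syn": 95, "syn_ack": 94, "tcp": 4800, "udp": 950},
    {"syn": 105, "syn_ack": 102, "tcp": 5200, "udp": 1050},
    {"syn": 210, "syn_ack": 205, "tcp": 10400, "udp": 2080},    # volume doubles
    {"syn": 20000, "syn_ack": 180, "tcp": 26000, "udp": 1000},  # SYN flood
    {"syn": 102, "syn_ack": 100, "tcp": 5100, "udp": 1020},
]

def network_ratios(c):
    """Layer 3/4 counter ratios that stay roughly constant as volume changes."""
    return {"syn_per_synack": c["syn"] / max(c["syn_ack"], 1),
            "udp_per_tcp": c["udp"] / max(c["tcp"], 1)}

def detect_ratio_anomalies(intervals, warmup=4, tolerance=3.0):
    """Return (interval, ratio, value, baseline) for every ratio that leaves
    the band [baseline / tolerance, baseline * tolerance]."""
    history, alerts = defaultdict(list), []
    for i, counters in enumerate(intervals):
        for name, value in network_ratios(counters).items():
            past = history[name]
            if len(past) >= warmup:
                base = median(past)
                if value > base * tolerance or value < base / tolerance:
                    alerts.append((i, name, round(value, 2), round(base, 2)))
                    continue  # keep anomalous samples out of the baseline
            past.append(value)
    return alerts

def constructed_connections():
    """Constructed outbound attempts: (interval, src_host, dst_ip, dst_port)."""
    conns = [(0, "10.0.0.5", "198.51.100.10", 443),
             (0, "10.0.0.5", "198.51.100.11", 443)]
    conns += [(0, "10.0.0.9", f"203.0.113.{n}", 25) for n in range(1, 61)]
    conns += [(0, "10.0.0.12", f"192.0.2.{n}", 445) for n in range(1, 81)]
    return conns

def detect_host_anomalies(conns, max_new_conns=50):
    """Flag hosts whose outbound connection count in one interval exceeds
    max_new_conns, then label them with a simple (assumed) pattern profile."""
    per_host = defaultdict(list)
    for interval, src, dst, port in conns:
        per_host[(interval, src)].append((dst, port))
    findings = {}
    for (_, src), attempts in per_host.items():
        if len(attempts) <= max_new_conns:
            continue
        ports = {port for _, port in attempts}
        dsts = {dst for dst, _ in attempts}
        if ports == {25}:
            findings[src] = "spam-like"      # many SMTP destinations
        elif len(ports) == 1 and len(dsts) > max_new_conns:
            findings[src] = "scan-like"      # one port, many destinations
        else:
            findings[src] = "unclassified"
    return findings

if __name__ == "__main__":
    print(detect_ratio_anomalies(INTERVALS))
    print(detect_host_anomalies(constructed_connections()))
```

Interval 4 doubles the traffic volume without moving either ratio, so it is not flagged; only the flood in interval 5 is, and the per-host check isolates the two misbehaving hosts rather than a subnet or port.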
Improve cloud application performance and user productivity
Gain accurate visibility of cloud application usage
Align application performance with user and business needs
Assure service availability, scalability, performance
Keep malicious and unauthorized application traffic off the network
Cloud Access Optimization assures user experience and productivity whether you own your cloud data center, rent it, or use a hybrid model.
We could sum it up in three words: Visibility, Control and Security. But there is much more:
Customers: proven results with more than 4500 enterprise customers
Product Scalability: from the smallest to the biggest networks
Superior Technology: hands-down expert in application awareness
Reliability: bringing carrier-class network know-how to Enterprise and Cloud
Support: 24/7 worldwide support to channels and end-users.
In everything we do, we believe in being innovative, customer-centric and