Mobile Carrier Solutions Intelligent Mobile Internet Service Delivery

Mobile Carrier Solutions
Intelligent Mobile Internet Service Delivery
Smart Network. Smart Business.

Mobile Carrier Solutions
Intelligent Mobile Internet Service Delivery
Radware provides mobile carriers with an intelligent mobile internet service overlay, extending IP service visibility
and control for optimized, high-performance and programmable mobile Internet service delivery. With Radware
mobile operators gain user, service and content awareness and granular policy-based IP traffic management,
providing the tools needed to effectively ‘open’ mobile networks to the Internet:
+
*
•
Optimized Internet Service Delivery over the Radio Access Network (RAN)
Radware enables optimized and seamless Internet service delivery over the RAN. Coupling on-the-fly traffic classification,
with network TCP (W/TCP) optimization, content compression, acceleration and caching, Radware
overcomes mobile network service and handset bandwidth constraints, enabling adapted, reliable, high
performance mobile Internet service delivery.
•
Granular Traffic Control and Mobile Internet Service Programming
Radware lets carriers extend VAS/content offerings and new business models based on managing mobile Internet
traffic by any user, application, or service criteria. With Radware, carriers can take control, differentiate and bill
users exploiting RAN resources (extending the carrier ‘Walled Garden’ model to Internet traffic to charge for
bandwidth hungry ‘freeware’) and enable new premium VAS services for differentiated programming and tiered
delivery to end-users.
•
Mobile Internet Gateway Security and Service Integrity
Radware multi-Gig Intrusion Prevention and Adaptive Behavioral DoS detect and mitigate attacks in real-time,
immediately protecting network resources from Ingress and Egress (‘misbehaving customers’) attack traffic to
ensure service integrity and continuity. Utilizing advanced ’zero minute’ behavioral detection and attack mitigation
and bandwidth management (BWM), Radware’s MIG affords robust, high performance mobile Internet security.
2

‘Open’ Mobile-Internet Networks:
Optimized, Programmable, Secured.
Carrier-Grade Visibility, Control & Performance
T A B L E O F C O N T E N T S
Radware enhances the network's ability to identify, classify,
ensure QoS and charge for differentiated services, letting
mobile operators leverage their investments in 3G/4G
networks and capitalize on Internet service models and
business opportunities.
O P T I M I Z E D M O B I L E I N T E R N E T D E L I V E R Y 4
M O B I L E I N T E R N E T T R A F F I C C O N T R O L 8
M O B I L E N E T W O R K S E C U R I T Y 1 2
Radware Mobile Internet Solutions are built on-top of multi-
Gigabit, carrier-grade Content Inspection Director, AppXcel
and DefensePro APSolute Application Switches to meet
even the most demanding carrier networking environments.
The system is designed for 99.999% uptime and supports
fully redundant configurations for fault tolerance and
immediate disaster recovery.
.
3

Radware Optimized Mobile Internet Delivery Solution
Radware Content Inspection Director (CID) and AppXcel optimize mobile Internet service delivery, managing all mobile Internet
traffic to ensure reliable and high-speed mobile data services and QoS for end-users, while reducing mobile carrier operating
costs.
Located within the Gi/Pi Network, CID and AppXcel eliminate the key operational and performance obstacles to delivering fullfeatured,
rich-media Internet services over mobile networks, while affording the scalability to support a subscriber base into
the millions.
Coupling on-the-fly traffic classification, with network transport adaption, service acceleration, content compression and
caching, Radware lets operators overcome mobile network service and handset bandwidth constraints, enabling 1000% X
mobile Internet performance over the Radio Access Network.
CID transparently intercepts and inspects and performs wire-speed classification by Layer 2-7 criteria. Employing subscriber
handset, application and content classification and service attributes (Radius sniffing), CID makes it possible to intelligently
route traffic to relevant compression, acceleration or caching services. By identifying granular mobile data service needs,
M O B I L E I N T E R N E T D E L I V E R Y C H A L L E N G E S
Mobile data services account for a significant and growing percentage of mobile service provider ARPU.
The proliferation of data enabled mobile devices coupled with mobile-broadband convergence are transforming the way mobile users
communicate with each other, obtain information and interact with Internet content and rich media. With the growth of mobile Internet services
comes the need to ensure effective service delivery to meet subscriber expectations for high-quality user experiences and reliable services.
Wireless operators are struggling to guarantee the quality of multi-media messaging and new data services over mobile broadband networks.
While wireless broadband networks provide the connectivity for mobile Internet services, end-to-end service responsiveness depends on
resolving high packet loss and latency that characterize data networking protocols, primarily TCP - the underlying transport for most mobile
Internet applications.
Wide-spread mobile Internet service adoption depend on the ability to control service quality to eliminate messaging failures and address
sluggish media delivery and IP application latencies. This includes ensuring TCP reliability, which is particularly significant for mobile operators,
since TCP was not designed for wireless networks. Characterized by high bit-error rates (BER), random loss, bursty traffic and disconnections
wireless networks increase TCP retransmission rates, time-outs and congestion in comparison with wired networks.
Mobile Internet services depend on operator ability to ensure mobile data networking QoS to support increasingly richer content across a
growing number of subscribers.
4

Mobile Internet Optimization
5

R A D W A R E M O B I L E I N T E R N E T O P T I M I Z A T I O N K E Y F E A T U R E S & B E N E F I T S
Wire-speed traffic inspection and
granular classification for differentiated
mobile Internet data acceleration
CID enables differentiated traffic handling and ‘best-fit’ mobile Internet data service
acceleration.
Operating as a WTCP-TCP gateway, Radware’s solution dramatically accelerates TCP
transmission across the mobile RAN. By splitting end-to-end TCP connections into two
parts AppDirector ‘shields’ the problems of the wireless link from the wire-line Internet
path and vice versa, making it possible to address key differences in TCP latencies,
packet loss and congestions across networks.
WTCP - TCP Gateway for adapted and
truly convergent mobile Internet
CID-AppXcel WTCP-TCP Gateway makes TCP ‘aware’ of service loss across the RAN.
By managing end-to-end TCP packet transmissions across wire-line and wireless
links CID-AppXcel WTCP-TCP gateway controls TCP service reliability and transmission
integrity.
CID WTCP-TCP Gateway also affords full support of Transactional TCP (T/TCP),
extending the benefits of T/TCP’s from wire-line to wireless networks. These include
enhanced reliability and speed along with reduced bandwidth consumption for short
transactional sessions including World Wide Web, Remote Procedure Calls and DNS
requests.
TCP network transport optimization
for consistent QoS and accelerated
performance
AppXcel optimizes TCP protocol transmission over wireless networks employing
multiple techniques to overcome TCP inefficiencies. AppXcel manages TCP
session initiation eliminating the negative impact of slow session starts, controls
TCP handshakes and TCP transmission window size, including increased initial
window size, packet reordering, maximum transmission unit and packet size
definition to eliminate congestion and service latencies. By managing TCP session
acknowledgement, error handling and retransmission decisions AppXcel further
increases TCP session efficiency and reliability. AppXcel TCP header compression and
IP payload compression coupled with active queuing management are also employed
to accelerate TCP transmission and reduce bandwidth consumption. With AppXcel,
mobile carriers can mitigate inherent TCP transmission inefficiencies, eliminating
their negative impact on mobile data services for faster subscriber access, QoS while
improving link bandwidth utilization loss, to reduce the cost per bit of information
delivered, reducing OpEx.
Advanced Web compression for
improved response times and reduced
data flow bandwidth consumption
AppXcel employs industry leading compression techniques for on-the-fly compression
of mobile data traffic. AppXcel uses loss-less compression techniques to handle
plain text, HTML, Javascript and Content Style Sheets (CSS) mail attachments and
HTTP/SMTP headers, reducing the amount of data being transferred for up to 700%
improvement in mobile Internet web page loading times.
Image compression and manipulation
for best end-user performance
To expedite image retrieval, AppXcel image compression employs industry-leading
image manipulation algorithms for up to 90% file size reduction for already
compressed graphic formats, such as JPEG and GIF, enabling these for mobile devices.
AppXcel’s built-in caching further accelerates media retrieval for frequently requested
images, boosting delivery speeds, while significantly reducing bandwidth requirements
to cut mobile network rich media service scaling and operating costs.
6

Smart caching for optimal delivery of
frequently retrieved content
CID analyzes subscriber application and content requests by layer 4-7 information
including URLs and selectively directs subscribers to AppXcel units for the serving
of cached content. By extending caching services from within the Gi network, closer
to users, CID dramatically reduces delivery times across subsequent user requests
for the same content. CID and AppXcel eliminate the need to fetch content from
the Internet or recompress, for excellent user response times while reducing overall
bandwidth consumption by eliminating unnecessary network congestion. CID’s unique
smart traffic routing capability makes it possible maximize storage of cached content
in each AppXcel farm, while ensuring highly accurate caching services, preventing
caching overlap, for the best end user experience and highly economical cache
service growth.
Scalable, best-of-breed service growth
through seamless component addition
CID enables the redirection of traffic to any new compression component by any
Layer 2-7 criteria, for seamless addition and full interoperability of best-of-breed
acceleration tools. Affording a unified service delivery platform CID’s flexible
component addition lets carriers economically grow their content security services to
match new business models, or meet growth in customer demand, without requiring
investment in new infrastructure, for CapEx savings and ROI.
Full end-user transparency
Radware mobile acceleration does not require any client installation or plug-in, for
fully transparent operation. This simplifies carrier acceleration service management,
reduces carrier OpEx and delivers immediate mobile data acceleration across all end
user mobile devices.
Carrier grade performance, network
transparency and fault tolerance
CID and AppXcel are designed for carrier grade performance, availability and
scalability requirements, capable of handling up to 2,000,000 concurrent sessions
for unlimited service scaling to handle growth in mobile data and subscribers.
CID Multi-Gigabit performance is realized via a 3-tier ASIC and network processing
switching architecture capable extending unprecedented performance. CID, dual
Power Supplies and fully redundant topologies ensure fault tolerance and 99.999%
uptime for uninterrupted smart routing service availability even under the most
demanding application processing and high volume networking environments.
CID supports multi-GGSN configurations for seamless integration in mixed vendor
environments. CID may be installed as either a bridge or a router and operates as a
transparent device, supporting all network tunneling protocols and encapsulations
including MPLS, L2TP, GRE, GTP and PPP, for seamless operation across any carrier
network.
7

Mobile Internet Traffic Control & Differentiated Service Delivery
Radware Content Inspection Director (CID) enables transparent interception, wire-speed DPI/DFI and smart application traffic
routing across the mobile carrier core, providing the service intelligence needed to optimize traffic to control RAN bandwidth
and enable premium IP service delivery.
With CID, mobile operators can classify traffic by any subscriber, application and content criteria including Internet ‘Freeware’
and redirect traffic to relevant network resources including value-added/premium services, content caching, content
acceleration and security processing, or direct traffic to the carrier peering edge for Internet applications. With CID operators
can control the off-net traffic as well as the Ingress Internet based streaming traffic.
Most importantly CID drives mobile carrier profitability by enabling dynamic service selection and premium value added service
delivery, based on any granular Layer 2-7 service criteria. With Radware, carriers can extend of value of their mobile Internet
network, delivering the service intelligence needed to identify subscribers and extend a new generation of premium content
Internet services.
M O B I L E I N T E R N E T T R A F F I C C O N T R O L C H A L L E N G E S
The market for mobile operators is well poised to introduce new premium Internet based subscriber offerings. However the lack of traffic
visibility and the absence of application and subscriber awareness across the mobile network’s data plane make it impossible for operators to
gain control and create differentiated Internet business models and proprietary content services.
In addition, when opening mobile networks to the Internet bandwidth-hungry ‘freeware’ (eg. Slingbox, YouTube) consume mobile networks
critical RAN resources, negatively impacting the quality of mobile Internet ‘walled garden’ services. As a result, mobile operators require tools
capable of controlling and prioritizing all Internet traffic, along with the ability to bill by subscriber, service and bandwidth consumption to
support new Internet business models
R A D W A R E M O B I L E I N T E R N E T T R A F F I C C O N T R O L K E Y F E A T U R E S & B E N E F I T S
CID transparent ‘edge’ interception,
wire-speed visibility and on-the-fly
provisioning
CID operates as a transparent, multi-gigabit, in-line device capable of intercepting,
identifying and classifying all mobile carrier traffic at wire speeds. CID detects
subscriber, application and content directly from the data-stream, at the carrier
edge and ‘understands’ application semantics, affording the visibility needed to
distinguish and intelligently route traffic to any resource within the carrier core, or
to/from the Internet.
8
CID makes it possible to intelligently route traffic across the mobile carrier
core based on any Layer 2-7 policy (Including Web, SIP/SDP and XML based
redirection, along with RADIUS parameters) and any requisite traffic flow enabling
programmable services.

DPI/DFI in the Gi Network
Flow 1- ‘Regular’ open web access
Flow 2- Content monitoring, caching and acceleration (CMA) for Internet ‘Freeware’
Flow 3- Premium, differentiated and billable Internet services (based on ‘Walled Garden’ policy)
Mobile Internet Control
9

R A D W A R E M O B I L E I N T E R N E T T R A F F I C C O N T R O L K E Y F E A T U R E S & B E N E F I T S
Smart traffic routing for new revenue
generating services
Capture incremental market share and
increased ARPU by moving beyond
commodity transport, to premium value
added services
Fastest service delivery to subscribers
for best user experience, high mobile
data service responsiveness and
reduced subscriber churn
On-the-fly, self provisioning reducing
time-to-market and management
overhead for new service deployment
•
Premium Walled Garden Content Services: CID ‘captures’ users from the
network edge and selectively routes subscribers to dedicated mobile content
services including Third Party Trans-coding Servers adapting MMS, Presence, On-line
Gaming, Music and any other dedicated content service. With CID mobile carriers
can distinguish between paying and non- paying customers and direct users to
dedicated premium services, letting operators participate in the content service
value chain.
•
Value Added Content Security: CID inspects and selectively redirects relevant
traffic to dedicated scanning services including URL filtering, Anti-Virus services,
Anti-SPAM, among others. CID inspects traffic from both the subscriber and peering
edge affording granular control over all scanning flows, for best-of-breed, multi-step
content security services. Carriers can easily provide a wide set of value added
content security services to their residential and business customers using any
combination of security tools - eg, Symantec, Trend Micro, McAfee etc.- for fully
flexible content security architectures.
•
Value Added Acceleration: CID enables the redirection of traffic to acceleration
services to boost response times for end-users. By using application, content and
destination information, CID can intelligently direct requests to AppXcel accelerators
along with 3rd party products, for web compression, wireless protocol conversion
for acceleration, image download acceleration and TCP optimization, dramatically
improving delivery speeds over fixed and mobile networks.
•
Radius-Based Self Provisioning: CID enables on-the-fly, real-time subscriber
service provisioning, without requiring static, manual reconfiguration. Based on
real-time sniffing of Radius replies, CID enables dynamic subscriber profiling to
match subscribers with relevant services. With CID operators can provision services
to users with dynamic IP addresses, eliminating the need to update and populate
static network policies. CID’s self-provisioning enables the rapid introduction of new
services, dramatically reducing time to- market constraints for mobile data service
rollout along with automated management of subscriber growth for reduced IT
complexity.
Carrier grade performance, network
transparency and fault tolerance
Smart application routing availability and
seamless integration
CID is designed for carrier grade performance, availability and scalability
requirements. CID’s Multi-Gigabit performance is realized via a 3-tier ASIC and
network processing switching architecture extending industry leading processing
power and throuput speeds. CID’s dual PS and fully redundant topologies ensure
fault tolerance and 99.999% uptime for uninterrupted service availability even
under the most demanding application processing and high volume networking
environments.
CID supports multi-GGSN/PDSN configurations for seamless integration in mixed
vendor environments. CID may be installed as either a bridge or a router and
operates as a transparent device, supporting all network tunneling protocols and
encapsulations including MPLS, L2TP, GRE, GTP and PPP.
10

Radware Mobile Internet Security and Service Integrity Solution
DefensePro detects and blocks security attacks at wire-speeds, cleaning all mobile Internet Gateway traffic from malicious
intrusions and mitigating Denial of Service attacks in real-time.
DefensePro couples deep packet inspection/deep flow inspection (DPI/DFI) capabilities with network-based IPS and Behavioral
DoS security to ensure the integrity of mobile Internet networks, all the while guaranteeing service continuity and enforcing
mobile Internet bandwidth policies to meet customer SLAs:
DefensePro Internet Gateway ‘zero minute, zero-touch, zero-false positives’ Network-based IPS and DoS Security
DefensePro affords complete visibility, blocking and rate limiting of all inbound and transit traffic to extend a first line of
defense at the mobile carrier Internet Gateway. Operating at multi-gigabit speeds as a transparent in-line device, DefensePro
network IPS blocks malicious content, worms and prevents network scanning/probing to secure Bots and servers against
known attacks. In addition, DefensePro adaptive behavioral DoS/DDoS security delivers and ‘zero minute, zero-touch, zero
false positives’ detection and blocking of even the most aggressive service floods while preventing illicit RAN bandwidth
consumption, safeguarding mobile network infrastructure and subscriber service integrity.
Traffic Shaping for Mobile Internet Service Continuity and SLAs
‘Opening’ the mobile network to the Internet introduces uncontrolled traffic that can cause service bottlenecks and degrade
end-user service performance. DefensePro multi-level, proactive, real-time behavioral traffic shaping extends full control over
mobile Internet bandwidth, moderating and prioritizing traffic to guarantee service QoS for end users. By cleaning all attack
traffic and rate limiting uncontrolled traffic DefensePro lets mobile carriers ensure end-user SLAs and optimize bandwidth
utilization for additional OpEx savings.
M O B I L E I N T E R N E T S E C U R I T Y C H A L L E N G E S
Mobile Internet networks are exposed to new security and service integrity challenges brought on by carrying uncontrolled Internet and peering
traffic that contain growing volumes of malicious attacks. DoS attacks, worms and malware aimed at critical mobile network infrastructure
throughout the Gi/Pi network can negatively impact ‘high-touch’ servers including DNS, DHCP, Radius among others such as over-theair
servers, causing service disruptions and failures as well as compromising network elements by attacking the control plane and the
management plane through targeted exploits. Mobile Internet network threats include new forms of compound DDoS/DoS-worm attacks that
consume huge volumes of bandwidth, while propagating aggressively across mobile networks and subscribers in minutes rather than days.
Other forms of attacks include low-scale traffic scanning/probing as well as targeted Bot attacks. In addition, new ‘low rate’ battery draining
attacks have emerged as an effective means of exploiting mobile handsets as well as the mobile network itself through Paging attacks.
Thus in addition to threatening mobile Internet service continuity, uncontrolled attack traffic causes severe service disruptions that degrade
service and prevent carriers from meeting customer SLAs.
11

12
Mobile Internet Security

R A D W A R E M O B I L E S E C U R I T Y K E Y F E A T U R E S & B E N E F I T S
Wire-speed, in-line DPI/DFI, security
classification
DefensePro operates as an in-line, transparent device, supporting all network tunneling
protocols and encapsulations including MPLS, L2TP, GRE, GTP and PPP and IPV6 for
wire-speed traffic inspection, security classification and integrity across all mobile carrier
environments and peering points.
Zero minute flood protection through
unique behavioral anomaly detection
Carrier network service continuity,
ensuring customer SLAs and
eliminating costs associated with
security attacks (including DNS, DHCP,
Radius, SIP service integrity)
DefensePro behavioral IPS and DoS modules deliver ‘zero-minute, zero-touch’ security
protecting against network attacks ensuring carrier and subscriber service integrity while
preventing service failures to guarantee SLAs:
- DefensePro adaptive, behavioral DoS/DDoS delivers wire-speed mitigation of
network floods including TCP Syn floods, other TCP floods (Psh+Ack, Reset, FIN...), UDP
floods, DNS floods, ICMP floods, IGMP floods and aggressive self-propagating worms
(TCP and UDP worms). Applying fuzzy logic algorithms for analysis and correlation of
anomalies DefensePro immediately detects any form of DoS attack and creates a filter
‘on-the-fly’ to mitigate it.
- DefensePro worm propagation protection algorithms immediately block the spread of
attacks and identify mis-behaving users, to pre-empt attack outbreaks.
- DefensePro server protection algorithms protect against server DoS, application
vulnerability scanning and brute force attacks.
IPS signature based protection, for service
integrity
DefensePro signature based protection is designed to block over 1,500 signature
attacks and known DoS attacks in real time. Based on a patented ASIC based
StringMatch Engine, DefensePro inspects traffic to identify malicious content, known
worms, viruses and other attack signatures, immediately blocking known attacks.
Radware attack database, profile-based policies and pre-defined signature groups are
dedicated to preventing mass volume customer oriented attacks, affording protection
for SIP applications, DNS, web applications, messaging etc. ensuring the integrity of
all mission critical carrier infrastructure. In addition, Radware Security Update Service
(SUS) delivers ongoing protection from new and emergent threats.
Traffic shaping and infrastructure
protection
Bandwidth optimization to ensure
customer SLAs for mission critical
applications and optimize carrier OPEX
DefensePro Bandwidth Management (BWM) module lets carriers rate limit and shape
traffic to further protect mobile carrier mission critical resources against attacks and
surges. By limiting the number of sessions for critical resources per end user (SIP
registrars, DHCP requests etc.) or limiting total bandwidth to a critical resource (total
DNS requests for example) DefensePro BWM normalizes traffic to prevent flooding,
SLAs, eliminate congestions and preventing uncontrolled worm propagation on top of
P2P traffic, all the while guaranteeing bandwidth to meet SLAs.
Attack visibility & understanding
Enables effective security management
and streamlines security reporting
APSolute Insite provides comprehensive attack visibility and reporting, enabling
immediate identification of attack sources, attack analysis over time and full reporting
of attack scope. With APSolute Insite, mobile carriers can gain understanding of mobile
Internet service vulnerabilities to better manage network and service security.
Carrier-grade reliability and performance
Mobile Internet security availability and
continuity
DefensePro delivers unmatched, carrier-grade 6Gbps security processing performance
and reliability. Built on top of a 4-tier ASIC switching architecture —with a 44 GB
wire-speed non-blocking backplane, dual network processors, RISC processor and
a hardware ASIC StringMatch Engine for 1000X accelerated inspection speeds.
DefensePro’s internal bypasses, dual PS and fully redundant topologies ensure fault
tolerance and 99.99 % uptime.
13

International Headquarters
Americas Headquarters
APAC Headquarters
EMEA Headquarters
Au s tra lia
Belgium
B ra zil
G e rm a n y
H o n g K on g
In d ia
Ita ly
Ja p a n
Ko re a
Netherlands
R u ssi a
S in ga p o re
S o u th Africa
Sp a in
Taiw a n
Th a il a n d
U n it ed K ingd o m