InstantScan InstantScan Content Manager Content Manager

L7 Networks L7 Networks service@L7-Networks.comservice@L7-Networks.com

L7 Networks Inc.L7 Networks Inc.

AgendaCompany Profile• L7 Missions• L7 Investors

Layer-7 Content Manager• Part-I Market Demand• Part-II Solutions• Part-III Successful Cases

• Appendix-I Layer-7 App.• Appendix-II Product Spec.• Appendix-III Patents

Missions: Internal Network Security

Internal Threats

ExternalThreats

InstantLock Co-DefenderDefending Internal Attacks:Isolate virus-infected PCs

InstantBlock Application FirewallPreventing External Attacks/Thieves:Unified threat management

InstantQos Bandwidth Mgr.Shaping Internal Traffic:Manage P2P / streaming / VoIP / … by layer-7 in-depth classification

InstantScan Content Mgr.Catching Internal Thieves:Employee internet content / behavior management

L7 Investors

InstantScan InstantScan Content Manager Content Manager

L7 Networks Inc.L7 Networks Inc.

Part-IMarket Demands

Catching the Internal ThievesCatching the Internal Thieves

network performancenetwork performancekillerkiller

network performancenetwork performancekillerkiller

employee productivity killeremployee productivity killeremployee productivity killeremployee productivity killer

What are your employees doing at work?

Outlook for Outlook for emailsemails

Outlook for Outlook for emailsemails

Internet Internet Explorer Explorer for for web sitesweb sites

Internet Internet Explorer Explorer for for web sitesweb sites

MSN for MSN for chatschats

MSN for MSN for chatschats

Communicating for work?Communicating for work?Speak to lovers first!Speak to lovers first!

Looking for info for work?Looking for info for work?Check out stock price first!Check out stock price first!

BT, ED2K, XunleiBT, ED2K, XunleiBT, ED2K, XunleiBT, ED2K, Xunlei

Download a movie back Download a movie back home for fun!!home for fun!!

Survey & Studies

• Heavy Usage– Gartner: >30% enterprise, <1% control (2005)– Radicati Group: >80% enterprise (2008)

• Security Theats– WORM_KELVIR.A– WORM_FATSO.A– …

1. Employees with low productivity

2. Information Leakage or Virus

Price Book

3. Bandwidth stealers for downloads

P2P downloads•Illegal music•Illegal movies•……• ……

Bandwidth inadequate for• HTTP• Email• ERP• ……

Plug & Play

Content Manager

(stealth mode)

switch

L7

Firewall2005/03/25: NBL Editor’s Choice Beat Facetime, Akonix2005/12/01: National Innovation Awards

20 Mbps

10 Mbps

35 Mbps

Step.1Discovery

MSN file transferAnti-Virus

File Recording

Keyword block

IM Game

IM Chat

IM Streaming

P2P Bandwidth Mgmt.

Chat Recording

Step.2Normalization

Step.3Behavior Mgmt.

Step.4Content Mgmt.

Step.5Report Analysis

Interactive Behavior Mgmt.

Deep Content Inspection

Layer-7 to Layer-4 Normalization

Real-time Learning

Offline Report / Analysis

5-Step Content Management

1. Employees with low productivity

Instantly respondto employees in

Chat windows even IS doesn’t have an

IP address

2. Information Leakage or Virus

Price Book

Instant Warning

3. Bandwidth stealers for downloads

After installing InstantScan

P2P downloads•Illegal music•Illegal movies•……• ……

Mission critical app.• HTTP• Email• ERP• ……

Part-IISolutions

Solutions

NetworkPerformance

Layer-7Visibility

Employee Productivity

InternalSecurity

built-in backend reports for 3-level analysis: (1) index for productivity, performance, security; (2) dashboards for summary; (3) detailed reports for inspection

limit P2P / P2SP traffic and guarantee mission critical traffic such as ERP, VoIP, Web traffic

manage / filter / record / audit employee’s IM & Web behaviors and contents to increase their productivity

understand the real applications running by your employees

highspeed UTM hardware platform with intelligent 3-tier arch. for performance, availability, and reports

prevent internal network users from virus/worm or information leakage by P2P / tunnel software, spyware, WebMail, WebIM, etc.

Painless Installation?

Firewall/VPN

Inline-IDP

Virus Wall

Spam Wall

Content Mgmt.

What if IM behaves like Web Proxy?

WebSense / BlueCoat / FaceTime / IM Logic / Akonix require to setup every client to connect to the IM Proxy

IMProxy

WebProxy

What if IM is tunneled in WebMSN/Mail/HTTP/…?

IM P

roxy

data path

IM@

HTTP cann

ot b

e m

anag

ed

Tunne

led

IM c

anno

t be

man

aged

Check website for comparison

DHCPServer

Step 0. No Modification of Networks

switch

ManagementServer

switch

Firewall/Router

Proxy

IM in port-80, proxy, socks4/5 can still be managed

ADServer

IS

Even in wireless/dhcp env, still can be managed by AD

3-Tier Architecture

Powerful reporting and alerts

Plug & play installation without modifying network arch.

Friendly user interfaces

20 Mbps

10 Mbps

35 Mbps

Step.1Discovery

MSN file transferAnti-Virus

File Recording

Keyword block

IM Game

IM Chat

IM Streaming

P2P Bandwidth Mgmt.

Chat Recording

Step.2Normalization

Step.3Behavior Mgmt.

Step.4Content Mgmt.

Step.5Report Analysis

Interactive Behavior Mgmt.

Deep Content Inspection

Layer-7 to Layer-4 Normalization

Real-time Learning

Offline Report / Analysis

5-Step Content Management

Step 1. Discovery (App. View)

Watch applications’ sessions and highlight tunneled IM sessions

Step 2. Setup L7 Policy

Scheduled updates to Application Patterns to manage application usage by defined time schedules

Step 3.1 Setup IM Policy for Individuals

IM management for individuals by (1) specific IM accounts, (2) learning, (3) registration, (4) AD name, (5) AD group

Step 3.2 Setup IM Behavior Mgmt.

Define permission levels to facilitate individual IM policy deployment

Step 3.3 Setup IM Peers

Limit the peer for chat by individuals or groups

Step 3.4 Self-Defined Policy Violation Warning Messages

Multi-language support for all languages

Step 3.4 Setup Bandwidth PipesDivide outbound bandwidth pipes by mouse drags

Divide inbound bandwidth pipes by mouse drags

Step 4.1 Setup IM Chat Content Management

Right click to define your own chatting keywords / groups

Step 4.2 Setup IM File Transfer Content Management

Right click to define your own filename keywords/groups

Step 4.3 Setup IM File Transfer Anti-Virus

Anyone who is infected with virus will be notified the name of the virus

Step 5.1 Multi-level Auditing Levels

3-levels: admin/mis/audit to separate operating and auditing parties

Step 5.2 Ranking by app. usage

Step 5.3 Ranking by traffic volume

Step 5.4 Scheduled Reports in HTML/PDF/XLS Formats

Step 5.4 Scheduled Reports in HTML/PDF/XLS Formats

Part-IIISuccessful

Cases

Accounting & Auditing

Anyone who is auditing others should have themselves well-audited so as to assist customers to be compliant tovarious regulations.

Manufacturing

Confidential information should be kept as private as possible. InstantScan isable to detect varieties of tunneled software which may cause a lot ofsecurity holes for information leakage.

Semiconductor

Confidential design sheet is the core technology of IC design and must be kept as private as possible. Anyone who use IM to transfer confidential files can be caught with strong evidence.

IC Design

Confidential design sheet is the core technology of IC design and must be kept as private as possible. Anyone who use IM to transfer confidential files can be caught with strong evidence.

Banking & Stocks

With a heavy usage of IM across the stocktransactions, they do need a tool to log andrecord what the customers have issued tothe brokers, and what the brokers havespoken to the internal dealers.

Photodiode

Confidential design sheet is the core technology of Photodiode and must be kept as private as possible. Anyone who use IM to transfer confidential files can be caught with strong evidence.

Electronics

Confidential price book is the core value of us to sale the chips and must be kept as private as possible. Anyone who use IM to transfer confidential files can be caught with strong evidence.

Media

Confidential news are invaluable if they are kept in secret.However, journalists communicate largely with IM so theycan share the resources. What is worse, internal staffsmay also use IM to tell other staffs in other companies. However, IM is extremely convenient for communicationsamong internal staffs. We need L7 to control them.

Spin-off from the D-Link corporation, Alpha continued tosue VIA Technology for the stolen confidential designs. Inthe mean time, Alpha Networks put 4 InstantScan boxesat the outbound links to control the use of IM so as togather the information of IM usage.

As the largest multi-level company in the world, Amway continued to make itself conform to the toughest regulations in order to keep its electrical communicationsas secure as possible, just like what it had done to weband emails.

Confidential patents are invaluable if they are kept in secret. Biochemistry has become the most emergentIndustry that can boost revenue in the century. Just likewhat health-care industry has emphasized, the data of thepatient or people under experiments is extremely proprietary and never be leaked to anyone else. L7’sInstantScan helps to control the usage of IM.

Benefits for Deploying InstantScan

• Discovery– See who is actually using the network for what, especially in multi-

culture environments which mix a huge number of applications.

• L7 Firewall: IM / P2P / Tunnel / Streaming / VoIP / File-Transfer / …– Effective control the applications in your networks, either blocking or

shaping

• Content Manager: IM & Web– Selectively log/record employees' activities and contents for regulations

and compliance.– Actively control the activities/contents instead of just logging/recording

to prevent confidential information leakage while improving productivity.

• Report & Analysis– log and archive for potential legal discovery needs or other purposes– Indication of employees' policy violations or productivity.

Layer-7

Content Manager

Appendix-IFAQ

1. L7 support what applications?

• Check Appendix II or L7 Web Portal

Large(<1000)

Huge(<3000 people)

Tiny(<30)

Medium(< 150)

Small(<70)

2. Target customers and competitorsActively mgmt. + auditing

Passive auditing

IS-100

IS-1000

IS-5000Competitor: Facetime/Akonix/ImLogicInstallation: WinFunction: EvenPrice: win (no need to have 2 devices)

Competitor BlueCoat has dominated the proxy market by huge number of deployed proxies. Emphasize L7’s IM/P2P advantage while unneeded to change their proxy architecture

IS-10

IS-50

UTM-oriented market. Need passive sniffing instead of active management. So L7 integrates IS+IB+IQ to penetrate this market

Appendix-IIL7

Applications

20 Mbps

10 Mbps

35 Mbps

Step.1Monitor

MSN file transferAnti-Virus

File Recording

Keyword block

IM Game

IM Chat

IM Streaming

P2P Bandwidth Mgmt.

Chat Recording

Step.2Normalization

Step.3Behavior Mgmt.

Step.4Content Mgmt.

Step.5Report Analysis

Interactive Behavior Mgmt.

Deep Content Inspection

Layer-7 to Layer-4 Normalization

Real-time Learning

Offline Report / Analysis

Normalization: Step 1~Step 2

General Applications

• No mater which port they use– HTTP– SMTP– POP3– IMAP– FTP

Instant Messenger (IM)• MSN: 6.2, 7.0, 7.5, 8.0 beta, Windows Live Messenger 8.0• Yahoo Messenger: 5.5, 6.0, 7.0, 8.0 beta, 8.0• ICQ: 2003pro, 4.14lite, 5.0• AIM: 5.9• QQ:

– YamQQ-2003II, QQ-2003II, QQ-2003III, YamQQ-2004III, QQ-2004 formal edition, – YamQQ 2005 Formal Edition, QQ 2005 Beta2, – QQ 2005 Simplified Chinese Formal edition (include 珊瑚蟲增強包 v4.0 Formal Edition)– qqfile: QQ2006Beta2, qqshare: QQ2006Beta2

• Miranda: v0.4• Gaim: v1.30• Trillian: Basic 3.0• Google talk beta• Webim: include web-msn, web-aol, web-yahoo, web-icq

– http://www.e-messenger.net/, http://e-messenger.net/, http://vweb.e-messenger.net/, – http://start.e-messenger.net/, http://hanoi.e-messenger.net, http://www.meebo.com/,– http://www.iloveim.com/, http://x??.iloveim.com/, http://hanoi.e-messenger.net,– http://webmessenger.msn.com/, http://www.icq.com/icq2go/, http://aimexpress.aim.com/– http://www.ebuddy.com

Peer-to-Peer (P2P)• Bittorrent:

– BitComet 0.54 / 0.6 / 0.67, Bitspirit 2.7, Mxie 0.6.0.2, utorrent 1.5, azureus 2.4• Kuro: m6, 2005 5.18• Edonkey:

– Emule 0.42b/0.44d/0.45b, edonkey2000 V1.0, Overnet tested-version, utorrent v1.5, azureus v2.4• ezPeer+ v1.0beta• Directconnect: directconnect 2.205, dc++ 0.668• OpenFT: crazaa v3.55, Kceasy v0.14• Pigo: pigo v3.1, 100bao v1.2.0a• Kugoo: v2.03, v2.055, v3.10• Ares: 1.04• poco:

– poco 2005– pp point (pp奌奌通 ) v2006

• Fasttrack:– kazaa 2.7 / 3.0 / 3.2– grokster 2.6/2.6.5– iMesh 4.5 build 151 / 5.20 / 6.5

• Gnutella:– ezpeer: 1999A6, 1999A10, BearShare Pro 4.6.2, Shareaza 2.1.0.0, Morpheus 4.6.1/ 4.7.1– Gnucleus 1.55, 2.0.9.0, Mxie 0.6.0.2, Foxy 1.8.6

Voice Over IP (VoIP)

• Skype: – 1.0, 1.1, 1.2, 1.3, 1.4, 2.0, 2.5beta, 2.5.0.113

• SkypeOut: – 1.4, 2.0

• SIP: – TelTel 0.8.5.3, Wagaly TelTel 0.8.4, MSN Voice 7.5 , Yahoo Voic

e 7.0

• H323: – NetMeeting: 3.01

Tunnel Ware

• hopster: Release 17• Httptunnel: v3.2, 3.4• Realtunnel: v0.9.9, 1.0.1• VNN: 2.1, 3.0• Softether: 1.0, 2.0• Tor: v0.1.0.1X, v0.1.1.22• JAP 00.05.022• YourFreedom 20060725-01

Remote Access

• Windows remote desktop• VNC (Virtual Network Computing)

– vnc, Ultra VNC 1.0.1, Win v3.3.7

• Symantec pcAnywhere 10.5 / 11• NetOP Remote Control v9.00• Remote Administrator 2.2

Streaming• RTSP:

– http://www.haody99.com/, MediaPlayer 10.0, RealPlayer 10.5– QuickTime 6.5, 7.0, KKBox: v1.0, v2.0, v2.2, RealOne 1.0, 2.0– MMS(Multimedia Messaging Service), – Yahoo music

• (http://music.yahoo.com/, http://tw.music.yahoo.com/, http://music.yahoo.com.cn/)

• - Shoutcast: – winamp 5.111 / 5.24– JetAudio 6.2– Icecast 2.3

• Live365: Radio365 1.11 build17• Google Video(http://video.google.com/)• AOL Radio(http://music.aol.com/radioguide/bb.adp)• iTunes 6.0• TVAnts 1.0• PeerCast 0.1217• Napster (www.napster.com)• qqtv (qq直播 ; tv.qq.com) 3.2• ppstream 1.0• Webs-tv (http://www.webs-tv.net)

Appendix-IIIProduct

Comparison

L7 vs. Facetime vs. Akonix vs. IM Logic

Facetime’s Solution

Require clients to assign proxy to IM Auditor

What if not set the proxy?

Limited solution. Cannot control P2P bandwidth. Can block Skype

Akonix’s Solution (I)

Require clients to assign proxy to IM Auditor

What if not set the proxy?

Limited solution. Cannot control P2P bandwidth.

Cannot manage Skype

Akonix’s Solution (II)

Limited solution.

Cannot control P2P bandwidth.

Cannot manage Skype

Cannot manage MSN / Yahoo / AOL / ICQ over random ports

IMLogic’s Solution

L7 Networks’ Solution

Award-winning test report

NBL Test Report (2005/2/23)

Test item 3.1: IM to be managedFacetime Akonix L7 Networks Abocom

MSN ○ ○ ○ ○

AOL ○ ○ ○ ○

QQ ╳ ╳ ○ ○

ICQ ○ ○ ○ ○

Yahoo ○ ○ ○ ○

Skype ╳ ╳ ○ ○

NBL Test Report (2005/2/23)

Test item 3.1.1: MSN ManagementFacetime Akonix L7 Networks Abocom

Message OK OK OK N/A

File transfer OK FP OK N/A

Voice OK FN OK N/A

Image FP OK OK N/A

Game FP OK OK N/A

FP: False positive, FN: False negative, N/A: Not available

NBL Test Report (2005/2/23)

Test item 3.1.2: Yahoo! ManagementFacetime Akonix L7 Networks Abocom

Message OK OK OK N/A

File transfer OK OK OK N/A

Voice FP FP OK N/A

Image OK OK OK N/A

Game FP FP OK N/A

FP: False positive, FN: False negative, N/A: Not available

NBL Test Report (2005/2/23)

Test item 3.1.3: QQ ManagementFacetime Akonix L7 Networks Abocom

Message N/A N/A N/A N/A

File transfer N/A N/A N/A N/A

Voice N/A N/A N/A N/A

Image N/A N/A N/A N/A

Game N/A N/A N/A N/A

FP: False positive, FN: False negative, N/A: Not available

NBL Test Report (2005/2/23)

Test item 3.1.4: ICQ ManagementFacetime Akonix L7 Networks Abocom

Message OK OK OK N/A

File transfer FP FP OK N/A

Voice OK FN OK N/A

Image OK FN OK N/A

Game OK FN OK N/A

FP: False positive, FN: False negative, N/A: Not available

NBL Test Report (2005/2/23)

Test item 3.1.5: AOL ManagementFacetime Akonix L7 Networks Abocom

Message OK OK OK N/A

File transfer FP OK OK N/A

Voice OK FP OK N/A

Image OK OK OK N/A

Game OK FN OK N/A

FP: False positive, FN: False negative, N/A: Not available

NBL Test Report (2005/2/23)

Test item 3.1: Action to be takenFacetime Akonix L7 Networks Abocom

Blocking ○ ○ ○ ○

Filtering ○ ○ ○ ╳Intervening ○ ○ ○ ╳Recording ○ ○ ○ ╳

Bandwidth Control ╳ ╳ ○ ╳Virus Detection ○ ○ ╳ ╳

Virus scanning is supported in advanced version

NBL Test Report (2005/2/23)

Test item 3.1: Object to be managedFacetime Akonix L7 Networks Abocom

IP address ╳ ○ ○ ○

IM user account ○ ○ ○ ╳

Appendix-IV

Patents

Patent-1: PostACK TCP BW. Mgmt.(1)

• Contributed to IEEE– IEEE Transactions on Computers, Vol.53, No.3, March 2004:

Assessing and Improving TCP Rate Shaping over Enterprise Edges

– IEEE Communications Surveys and Tutorials, Vol.5, No.2, 2003: A Measurement-Based Survey and Evaluation of Bandwidth Management Systems

– IEEE Global Telecommunications Conference 2004 (IEEE Globecom 2004), Dallas, Texas USA, Nov. 2004: On Shaping TCP Traffic at Edge Gateways

– IEEE Symposium on Computers and Communications (IEEE ISCC 2003), Kemer - Antalya, Turkey, Jun. 2003: Co-DRR: An Integrated Uplink and Downlink Scheduler for Bandwidth Management over Wireless LANs

Patent-1: PostACK TCP BW. Mgmt.(2)

• Packeteer– TCP Rate Control

• Window sizing

• L7– PostACK

• Delaying the reverse ACK

P2P/BT@HTTPP2P/BT@HTTP

Step 3. Cut-ThrStep 3. Cut-ThrForwardingForwarding

Patent-2: SoftASIC® Classification

……..Yahoo app. patternAOL app. patternMSN app. patternBT app. pattern………

Step 1. ReassemblyStep 1. Reassembly

patt

ern

matc

hin

gp

att

ern

matc

hin

g

Step 2. Match!!Step 2. Match!!

At most first 10 pkts can judge if this HTTP is At most first 10 pkts can judge if this HTTP is BTBT(average case: first 3 pkts can finish the process)(average case: first 3 pkts can finish the process)

Patent-3: Multi-Stage Inspection(1)

Firewall/VPN

Inline-IDP

Virus Wall

Spam Wall

Content Mgmt.

IMProxy

WebProxy

•Standard@Any•HTTP•Proxy@HTTP@Any•Socks4@Any•Socks5@Any•….

IM P

roxy

data path

IM@

HTTP cann

ot b

e m

anag

ed

Tunne

led

IM c

anno

t be

man

aged

MSN@Socks@AnyMSN@Socks@Any

Patent-3: Multi-Stage Inspection(2)

……..Yahoo app. patternAOL app. patternMSN app. patternBT app. pattern………

Step 1. Strip HeadersStep 1. Strip Headers(socks4/5)(socks4/5)

patt

ern

matc

hin

gp

att

ern

matc

hin

g

Step 2. Match!!Step 2. Match!!

IM Content Mgmt.Engine

Step 3. RedirectStep 3. Redirect

MSN@Socks@AnyMSN@Socks@Any

Patent-4: Inline-Proxy Stack(2)

QueueQueue

Inline-Proxy TCP Stack

IM/Web Content Mgmt.Engine

Emulate original Emulate original IP/port while swapping sequence #IP/port while swapping sequence #

Benefits:Benefits:• True inline plug & play proxy stackTrue inline plug & play proxy stack• Stable user-space programmingStable user-space programming• Easy for SMP parallel processingEasy for SMP parallel processing

Layer-7

Content Mgmt.

Expert