Carrier-grade NAT (CGN) Solution with FortiGate
Fortinet Confidential, November 7, 2012
Robert.Dabrowski@fortinet.com
(Slides hosted at data.proidea.org.pl)
Page 2
Our focus area: Gi / SGi
Protecting EPC from users and peers
• GTP, SCTP LTE firewall
• Content scanning / VAS
Securing data transport between user equipment and EPC
• High-capacity VPN concentrator
Defending EPC from external threats
• D/DoS guard
• CGN and gateway firewall
Network integration: routing protocol support, IPv6, resilient and scalable clustering
OSS integration: supports SNMP, syslog, sFlow, web service APIs
(Diagram: UE – (e)NodeB – EPC, with roaming partners attached to the EPC)
Page 3
Background
• Driven by:
  » Explosion of subscribers' data usage
  » Limited and exhausting public IPv4 addresses owned by carriers
  » IPv6 transition
Carrier Grade NAT: "… a NAT or NAPT device used by many subscribers … This might be NAT between any combination of IPv4 and IPv6 …" - draft-wing-nat-pt-replacement-comparison
Page 4
Why do subscribers need IP connections?
Page 5
Why do subscribers need IP connections? (continued)
Page 6
Gi / SGi customers and products
• 3G SP (France) [FG 3950]
• Telco (UK) [FG5000 chassis + ELBC]
• Telco (Belgium) [FG3950]
• 3G SP (Romania) [FG5000 chassis + ELBC]
• 3G SP (Poland) [FG 3040]
• 3G SP (Moldova) [FG 3950]
• 3G SP (Egypt) [FG5000 blades]
• 3G SP (Qatar) [FG 3810]
• 3G SP (Malaysia) [FG3950]
• 3G (Philippines) [FG5000 chassis + ELBC]
• Telco (Korea) [FG 3950]
• 3G SP (Taiwan) [FG3950]
• 3G SP (HK) [FG3950]
Page 7
CGN solutions (VALUE axis: routers → NAT devices → CGN firewalls)
Routers
• Traditional carrier routers with NAT enabled
• May have challenges with complex multimedia protocols
NAT devices
• Specialized or repurposed devices to perform the NAT function
• Better performance than routers
• Can be scalable
• Lack session management tools
CGN firewalls
• High-performance firewall
• Supports ALGs to provide security to the carrier infrastructure
• Session visibility
• Excellent performance and scalability
• Proven solution
Page 8
Dedicated firewall solution advantage

| Test performed | Test results |
|---|---|
| IPv6 Layer 3 performance test | Throughput 536 Gbps (1518 B frames) / 510 Gbps (256 B frames); frame latency 7.6 μs / 5.4 μs |
| Layer 4 traffic test | 1.4 million new connections per second |
| Layer 7 HTTP traffic test | 502 Gbps |
| Layer 7 mixed applications traffic | 514 Gbps |
Page 9
Dedicated firewall solution advantage
NAT ALG
• Opens pinholes on demand for popular multimedia applications (the data ports negotiated in the application's control channel) instead of leaving port ranges permanently open, which keeps the carrier infrastructure closed to unsolicited inbound traffic
Page 10
CGN algorithms: normal FortiGate NAT
NAT efficiency
• Per-blade architecture allows linear scaling of IP address usage
  » No centralized routing module (which would limit scalability) has to be implemented
• 1 public IP supports ≈ 59K sessions
• Max sessions per blade = 11 million, hence a blade needs about 180 public IPs (11M / 59K ≈ 186)
• Assuming 200 average concurrent sessions per user: 11M / 200 = 55K subscribers per blade
• Full chassis supports 660K concurrent subscribers (12 × 55K)
• NAT efficiency: about 10 class B (/16) private networks (660K addresses) map onto about 8 class C (/24) public networks (12 × 180 ≈ 2,160 public IPs)
Page 11
CGN algorithms: predictable port selection
• Originated when a telco operator was testing online gaming
• FortiGate now supports STUN (Session Traversal Utilities for NAT) via source-port selection predictability, with no ALG
(Diagram: a Host behind hNAT and a Client behind cNAT. 0. The Host initiates a session from iport 7777; 1–2. each NAT maps iAddr:iport to eAddr:ePort and both sides register with the GameServer; 3. the Host↔Client (HC/CH) channels are opened directly between the learned eAddr:ePort pairs; 4. both sides report connection stats. Because the port selection is predictable, the eAddr:ePort each side learns and registers is the one the peer can actually reach.)
Page 12
CGN algorithms: mobile pool
IP pool type (CLI: set type one-to-one | overload)
• one-to-one: one-to-one mapping; at any given time only one client uses a given pool IP
• overload: IP addresses in the pool are shared by clients; this is the default behaviour
Page 13
CGN algorithms: full cone NAT
• AKA endpoint-independent mapping plus endpoint-independent filtering
• Basic requirement: FaceTime
(Test topology: a testing client on a LAN private address sits behind the firewall; NAT44 from a public pool, full cone to be done by the firewall; no application control enabled; policy allows Trust to Untrust only. On the Internet side: testing clients IP1 and IP2 and the FaceTime server IP3.)
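The behaviours from the predictable-port-selection slide, the mobile-pool slide and this full-cone slide, as one added simulation. It is not FortiOS code and says nothing about how FortiOS implements its NAT: a toy NAT44 whose mapping and filtering behaviour are set in RFC 4787 terms, with the one-to-one and overload pool types, run through the STUN-then-peer scenario from the gaming slide. All addresses, ports and the STUN/peer roles are constructed.

```python
"""Toy NAT44 showing why mapping/filtering behaviour decides whether STUN works.

Added example, not FortiOS code. Terminology follows RFC 4787:
  mapping   'eim' = endpoint-independent (the slide's predictable port),
            'adm' = address-dependent (a new external port per remote address)
  filtering 'eif' = endpoint-independent (full cone),
            'adf' = address-dependent (restricted cone)
  pool      'overload'   shares a public IP with port translation (default),
            'one-to-one' gives each internal host its own pool IP, port kept
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]


@dataclass
class Nat:
    public_ips: List[str]
    mapping: str = "eim"
    filtering: str = "eif"
    pool: str = "overload"
    next_port: int = 1024
    maps: Dict[tuple, Endpoint] = field(default_factory=dict)
    # external endpoint -> (internal endpoint, remote addresses it has talked to)
    sessions: Dict[Endpoint, Tuple[Endpoint, Set[str]]] = field(default_factory=dict)
    bound: Dict[str, str] = field(default_factory=dict)  # one-to-one: host -> pool IP

    def outbound(self, internal: Endpoint, remote: Endpoint) -> Endpoint:
        """Internal host sends to remote; returns the external source endpoint used."""
        key = internal if self.mapping == "eim" else (internal, remote[0])
        if key not in self.maps:
            self.maps[key] = self._allocate(internal)
        ext = self.maps[key]
        self.sessions.setdefault(ext, (internal, set()))[1].add(remote[0])
        return ext

    def inbound(self, remote: Endpoint, external: Endpoint) -> Optional[Endpoint]:
        """Packet from remote to one of our external endpoints; None means dropped."""
        entry = self.sessions.get(external)
        if entry is None:
            return None                      # no mapping at all: always dropped
        internal, peers = entry
        if self.filtering == "adf" and remote[0] not in peers:
            return None                      # restricted cone: unsolicited source
        return internal

    def _allocate(self, internal: Endpoint) -> Endpoint:
        if self.pool == "one-to-one":
            ip = self.bound.get(internal[0])
            if ip is None:
                free = [p for p in self.public_ips if p not in self.bound.values()]
                if not free:
                    raise RuntimeError("one-to-one pool exhausted: one public IP per host")
                ip = self.bound[internal[0]] = free[0]
            return (ip, internal[1])         # one-to-one keeps the source port
        ext = (self.public_ips[0], self.next_port)   # overload: shared IP, fresh port
        self.next_port += 1
        return ext


def stun_then_peer(nat: Nat) -> Dict[str, object]:
    """The gaming scenario: the host learns its eAddr:ePort from a STUN server,
    publishes it via the game server, and a peer sends to it directly.
    Addresses are constructed from the RFC 5737 documentation ranges."""
    host = ("10.0.0.7", 7777)                  # the slide's iport=7777
    stun = ("198.51.100.1", 3478)
    peer = ("203.0.113.9", 40000)
    learned = nat.outbound(host, stun)         # what STUN reports back to the host
    unsolicited = nat.inbound(peer, learned)   # peer tries before the host contacts it
    toward_peer = nat.outbound(host, peer)     # hole punch: host now sends to the peer
    after_punch = nat.inbound(peer, learned)
    return {
        "learned": learned,
        "mapping_reused": toward_peer == learned,  # is the STUN result valid for the peer?
        "unsolicited_ok": unsolicited == host,     # only full cone accepts this
        "after_punch_ok": after_punch == host,     # fails only if the mapping changed too
    }


if __name__ == "__main__":
    for m, f in (("eim", "eif"), ("eim", "adf"), ("adm", "adf")):
        print(m, f, stun_then_peer(Nat(["192.0.2.1"], mapping=m, filtering=f)))
```

Endpoint-independent mapping is what makes the STUN-learned port usable toward the game peer; endpoint-independent filtering (full cone) is what additionally lets the peer, or the FaceTime server, send first. Address-dependent mapping defeats STUN regardless of filtering, which is the failure the gaming test on the earlier slide ran into.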
Page 14
The Fortinet advantage
Detailed logging
• Standards-based syslog to external facilities
• Fulfils government regulations and business compliance
Page 15
The logging problem
• Firewalls log each connection, or even each connection attempt, and each connection close
• In a CGN environment above 10 Gbps this can create massive storage needs: more than 100k logs/s
• Bottlenecks are on both the firewall and the logging server
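What those logs are for, and why each one has to survive the 100k/s firehose, as an added example that is not FortiGate or FortiAnalyzer code: a small parser over constructed key=value traffic-log lines that answers the compliance question "which subscriber held public address:port at time T". The field names srcip, srcport, transip, transport and duration follow the FortiGate traffic-log convention, but the sample lines are constructed, and the rule that a close record with duration=N covers the interval [timestamp − N, timestamp] is this example's assumption, not the page's.

```python
"""Attribute a CGN public address:port back to a subscriber from traffic logs.

Added example with constructed log lines; field names follow the FortiGate
traffic-log style (srcip, srcport, transip, transport, duration), but nothing
here is vendor code.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample: two subscribers reuse translated port 20001 on
# 203.0.113.5 at different times (that is what overload pools do), which is
# why the answer needs a timestamp and not just the address:port pair.
SAMPLE_LOGS = [
    'date=2012-11-07 time=10:00:05 type=traffic subtype=forward action=close '
    'srcintf="port5" dstintf="port7" srcip=10.20.30.40 srcport=51000 '
    'dstip=198.51.100.10 dstport=443 transip=203.0.113.5 transport=20001 duration=5',
    'date=2012-11-07 time=10:00:30 type=traffic subtype=forward action=close '
    'srcintf="port5" dstintf="port7" srcip=10.20.30.41 srcport=61000 '
    'dstip=198.51.100.11 dstport=80 transip=203.0.113.5 transport=20001 duration=10',
    # a denied unsolicited inbound attempt: no translation, so it is indexed nowhere
    'date=2012-11-07 time=10:00:31 type=traffic subtype=forward action=deny '
    'srcintf="port7" dstintf="port5" srcip=192.0.2.77 srcport=4444 '
    'dstip=203.0.113.5 dstport=20001',
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """key=value parser tolerant of quoted values such as srcintf="port5"."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


# One translation record: (start, end, "srcip:srcport")
Record = Tuple[datetime, datetime, str]


def build_index(lines: List[str]) -> Dict[Tuple[str, int], List[Record]]:
    """Index close records by (transip, transport).

    Assumption of this example: a close record with duration=N covers
    [timestamp - N, timestamp]. Records without a translation (the denied
    inbound attempt above) carry no subscriber binding and are skipped."""
    index: Dict[Tuple[str, int], List[Record]] = {}
    for line in lines:
        f = parse_line(line)
        if "transip" not in f or "duration" not in f:
            continue
        end = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
        start = end - timedelta(seconds=int(f["duration"]))
        key = (f["transip"], int(f["transport"]))
        index.setdefault(key, []).append((start, end, f"{f['srcip']}:{f['srcport']}"))
    for recs in index.values():
        recs.sort()
    return index


def who_used(index: Dict[Tuple[str, int], List[Record]],
             public_ip: str, public_port: int, when: str) -> List[str]:
    """Subscribers (private ip:port) holding public_ip:public_port at `when`
    ("YYYY-MM-DD HH:MM:SS"). Bounds are inclusive because log timestamps are
    whole seconds; a port can be reused a moment later, so a query exactly on a
    boundary may legitimately return more than one subscriber."""
    t = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
    return [who for start, end, who in index.get((public_ip, public_port), [])
            if start <= t <= end]


if __name__ == "__main__":
    idx = build_index(SAMPLE_LOGS)
    for when in ("2012-11-07 10:00:03", "2012-11-07 10:00:10", "2012-11-07 10:00:25"):
        print(when, who_used(idx, "203.0.113.5", 20001, when))
```

The query only works if every close record reached storage; a dropped record at 100k logs/s means a public address:port with no owner for that interval, which is the gap the collector/analyzer hierarchy on the next slide exists to prevent.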
Page 16
Possible solution: logging hierarchy
(Diagram: traffic I/O from the Internet is load-balanced by FS-5003B blades across n × FortiGate 5001B blades; the FG-5001B blades log to n × FAZ-1000C collectors, which feed a single FAZ-4000B analyzer.)
Page 17
Redundancy: node blade failure scenario
− An additional blade in slot 10 shares the same configuration but is configured as backup
− Slot 5 is lost: the backup blade takes over and replaces blade 5
(Diagram: the FS-5003B fabric ports distribute SESSION-1 and SESSION-2, ingress and egress on port 1 and port 2, across the internal/external/fabric interfaces of the FG-5001B blades in slots 5, 6 and 7; slot 5 is marked failed (X) and the FG-5001B in slot 10 takes its place.)
Page 18
FortiOS IPv6 support
Phase I
• Dual stack
• FW + VPN
Phase II
• IPv6 routing protocols
• IPv6 support for AV, WCF, IPS (signatures, DoS)
• IPv6 admin access
• IPv6 FW acceleration
Phase III
• IPv6 DHCP service
• IPv6 FW authentication
• IPv6 SSL VPN access
• IPv6 SNMP
Phase IV (current)
• IPv6 NAT (NAT64, NAT66)
• IPv6 DNS
• IPv6 MIBs
• IPv6 ALG support
• FortiGuard service and device communications
USGv6 Core, USGv6 NPD
Page 19
IPv6 Network Address Translation
New in 4.0 MR3
• NAT66: IPv6-to-IPv6 network prefix translation (Internet draft-mrw-nat66-12); provides address independence
• NAT64: from IPv6 clients to IPv4 servers (RFC 6146); with DNS64, lets IPv6-only clients connect to IPv4-only servers
• DNS64: DNS extensions from IPv6 clients to IPv4 servers (RFC 6147); added to the DNS proxy, with the option to synthesize AAAA records from A records; note that DNSSEC is not supported
New in 5.0
Page 20
LAB
(Diagram: an FGT5001B performing NAT64 between an IPv4 side, 172.16.254.0/24, and an IPv6 side, FC00:1000::/64, using ports P5, P7 and P8.)
Page 21
How NAT64 works
(Diagram: DNS64 sits between the IPv6 network and the IPv4 network.)
IPv6 side: SIP FC00:1000::1, DIP 64:ff9b::B01:A
IPv4 side: SIP <SNAT>, DIP 11.1.0.10
64:ff9b::/96 is the well-known NAT64 prefix (RFC 6052); the last 32 bits of the destination, B01:A, are 0x0B01000A = 11.1.0.10. The translator recovers the IPv4 server address from the synthesized IPv6 destination and replaces the IPv6 source with an address from its IPv4 pool (SNAT).
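The address arithmetic on this slide and on the lab slide, as an added example that is not FortiOS code: RFC 6052 embedding and extraction for every valid NAT64 prefix length (not only the /96 the slide uses), the DNS64 rule from RFC 6147 that AAAA records are synthesized only when the name has no real AAAA, and a minimal binding table in the style of RFC 6146 so the reply direction is shown as well. The IPv4 pool address 172.16.254.1 and the port numbers are assumed.

```python
"""NAT64/DNS64 address handling (added example; not FortiOS code).

embed_ipv4 / extract_ipv4 implement RFC 6052 section 2.2 for all valid
prefix lengths; dns64_synthesize follows RFC 6147; Nat64 is a toy RFC 6146
binding table. Pool address 172.16.254.1 and ports are assumptions.
"""
from ipaddress import IPv4Address, IPv6Address, IPv6Network
from typing import Dict, List, Optional, Tuple

WELL_KNOWN_PREFIX = "64:ff9b::/96"          # RFC 6052 well-known prefix (the slide's)
VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def embed_ipv4(prefix: str, ipv4: str) -> str:
    """Embed an IPv4 address in a NAT64 prefix. Bits 64..71 (the 'u' octet at
    byte index 8) are reserved and stay zero, so the IPv4 bytes skip over it
    for every prefix length except /96, where they simply fill the tail."""
    net = IPv6Network(prefix)
    if net.prefixlen not in VALID_PREFIX_LENGTHS:
        raise ValueError(f"prefix length must be one of {VALID_PREFIX_LENGTHS}")
    n = net.prefixlen // 8
    out = bytearray(net.network_address.packed[:n]) + bytearray(16 - n)
    pos = n
    for b in IPv4Address(ipv4).packed:
        if pos == 8:
            pos += 1
        out[pos] = b
        pos += 1
    return str(IPv6Address(bytes(out)))


def extract_ipv4(prefix: str, ipv6: str) -> str:
    """Inverse of embed_ipv4: recover the IPv4 destination from a synthesized
    IPv6 address. Rejects addresses outside the prefix (not NAT64 traffic)."""
    net = IPv6Network(prefix)
    addr = IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{ipv6} is not inside NAT64 prefix {prefix}")
    raw, pos, out = addr.packed, net.prefixlen // 8, bytearray()
    while len(out) < 4:
        if pos == 8:
            pos += 1
        out.append(raw[pos])
        pos += 1
    return str(IPv4Address(bytes(out)))


def dns64_synthesize(a_records: List[str], aaaa_records: List[str],
                     prefix: str = WELL_KNOWN_PREFIX) -> List[str]:
    """RFC 6147: if the name already has AAAA records, return them untouched;
    only an A-only name gets synthesized AAAA answers. (A validating stub
    would reject synthesized answers, which is the DNSSEC caveat on the slide.)"""
    if aaaa_records:
        return list(aaaa_records)
    return [embed_ipv4(prefix, a) for a in a_records]


class Nat64:
    """Minimal stateful NAT64 binding table (the BIB of RFC 6146), one pool IP."""

    def __init__(self, pool_v4: str, prefix: str = WELL_KNOWN_PREFIX):
        self.pool_v4, self.prefix = str(IPv4Address(pool_v4)), prefix
        self.bib: Dict[Tuple[str, int], Tuple[str, int]] = {}   # (src6, port6) -> (pool4, port4)
        self.next_port = 1024                                    # assumed port allocation

    def v6_to_v4(self, src6: str, sport: int, dst6: str) -> Tuple[str, int, str]:
        """IPv6 client -> IPv4 server: returns (SNAT src4, src port4, dst4)."""
        key = (str(IPv6Address(src6)), sport)
        if key not in self.bib:
            self.bib[key] = (self.pool_v4, self.next_port)
            self.next_port += 1
        src4, sport4 = self.bib[key]
        return src4, sport4, extract_ipv4(self.prefix, dst6)

    def v4_to_v6(self, src4: str, dst4: str, dport4: int) -> Optional[Tuple[str, str, int]]:
        """Reply direction: returns (synthesized src6, client src6, client port)
        or None when no binding exists, i.e. an unsolicited IPv4 packet."""
        for (src6, port6), binding in self.bib.items():
            if binding == (dst4, dport4):
                return embed_ipv4(self.prefix, src4), src6, port6
        return None


if __name__ == "__main__":
    print(dns64_synthesize(["11.1.0.10"], []))               # ['64:ff9b::b01:a']
    t = Nat64("172.16.254.1")
    print(t.v6_to_v4("fc00:1000::1", 50000, "64:ff9b::b01:a"))
    print(t.v4_to_v6("11.1.0.10", "172.16.254.1", 1024))
```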
Page 22
5.0
• Is a third-party certified IPv6 firewall enough to deliver security?
• UTM options are now available in IPv6 firewall policies
IPv6 UTM + IPS and application control
Page 23
IPv6 – Fortinet solution
• Stateful inspection
• Transition techniques
• Performance
• Virtualisation
• Unified Threat Management
• GTP, Diameter, SIGTRAN
• Core backbone
• Management
Page 24
WORLD IPv6 LAUNCH
Page 25
Get prepared
"The transition from IPv4 to IPv6 is under way as more network and content providers embrace IPv6. As the amount of IPv6 traffic (and IPv6-based threats) increases in networks around the world, it's essential that organizations deploy a network security solution that can deliver the same level of protection for IPv6 content as IPv4." http://www.fortinet.com/solutions/ipv6.html
Page 26
Thank You
Page 27
Competition!!!
• Which element is essential for a NAT64 deployment?
• Name one advantage of a firewall in a CGN deployment.
• What is the most critical parameter of a firewall at the edge of an operator's network?
• How does Fortinet handle the large number of logs per second in CGN deployments?
• How many times longer is an IPv6 address than an IPv4 address?