Carrier-grade NAT (CGN) Solution - data.proidea.org.pl · Fortinet Confidential November 7, 2012...

Page 1: Carrier-grade NAT (CGN) Solution with FortiGate
Fortinet Confidential, November 7, 2012
Robert.Dabrowski@fortinet.com

Page 2: Our focus area: Gi / SGi

Diagram: UE - (e)NodeB - EPC, with ROAMING PARTNERS peering into the EPC.

Protecting EPC from Users and Peers
• GTP, SCTP LTE firewall
• Content Scanning / VAS

Securing Data Transport Between User Equipment and EPC
• High Capacity VPN Concentrator

Defending EPC from External Threats
• D/DoS Guard
• CGN & Gateway Firewall

Network Integration: routing protocol support, IPv6, resilient & scalable clustering

OSS Integration: supports SNMP, Syslog, sFlow, web service APIs

Presentation notes: Evolved Packet Core (EPC)
Page 3: Background

• Driven by:
  » Explosion of subscribers' data usage
  » Limited and exhausting public IPv4 addresses owned by carriers
  » IPv6 transition

Carrier Grade NAT: "… a NAT or NAPT device used by many subscribers … This might be NAT between any combination of IPv4 and IPv6 …" - draft-wing-nat-pt-replacement-comparison

Page 4: Why do subscribers need IP connections?

Page 6: Gi / SGi Customers and products

• 3G SP (France) [FG 3950]
• Telco (UK) [FG5000 chassis + ELBC]
• Telco (Belgium) [FG3950]
• 3G SP (Romania) [FG5000 chassis + ELBC]
• 3G SP (Poland) [FG 3040]
• 3G SP (Moldova) [FG 3950]
• 3G SP (Egypt) [FG5000 blades]
• 3G SP (Qatar) [FG 3810]
• 3G SP (Malaysia) [FG3950]
• 3G (Philippines) [FG5000 chassis + ELBC]
• Telco (Korea) [FG 3950]
• 3G SP (Taiwan) [FG3950]
• 3G SP (HK) [FG3950]

Page 7: CGN solutions

Routers
• Traditional carrier routers with NAT enabled
• May have challenges with complex multimedia protocols

NAT Devices
• Specialized or repurposed devices to perform the NAT function
• Better performance than routers
• Can be scalable
• Lack of session management tools

CGN Firewalls
• High performance firewall
• Supports ALGs to provide security to carrier infrastructure
• Session visibility
• Excellent high performance & scalability
• Proven solution

(Diagram axis: VALUE)

Page 8: Dedicated Firewall Solution Advantage

Test Performed                       Test Results
IPv6 Layer 3 Performance Test        Throughput 536 Gbps (1518 B) / 510 Gbps (256 B); frame latency 7.6 μs / 5.4 μs
Layer 4 Traffic Test                 1.4 million new connections per second
Layer 7 HTTP Traffic Test            502 Gbps
Layer 7 Mixed Applications Traffic   514 Gbps

Page 9: Dedicated Firewall Solution Advantage

NAT ALG
• Ability to perform pinhole openings for popular multimedia applications; provides watertight security against attacks on the infrastructure

Page 10: CGN Algorithms: normal FG NAT

NAT efficiency
• Per-blade architecture allows linear IP address usage scaling
  » A centralized routing module, which limits scalability, does not have to be implemented
• 1 public IP supports 59K sessions
• Max sessions per blade = 11 million, hence supports 180 public IPs
• Assume each user's average concurrent sessions = 200: 55K subscribers per blade
• Full chassis can support 660K concurrent subscribers
• NAT efficiency = 10 class B private IPs for public IPs of 8 class C
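
The dimensioning on this slide worked through as an added Python example (not from the presentation or FortiOS): the 12 blades per chassis figure is an assumption derived from 660K / 55K, and the slide's 180 public IPs and 8 class C are rounded versions of what the unrounded arithmetic returns.

```python
"""CGN pool dimensioning with the slide's planning figures.
Added example, not Fortinet code; 12 blades per chassis is assumed (660K / 55K)."""
import math

# Ports usable for dynamic NAPT mappings on one public IP, per transport protocol
# (1024-65535). The slide's 59K sessions per IP must fit under this ceiling.
USABLE_PORTS_PER_IP = 65535 - 1024 + 1   # 64,512


def cgn_capacity(sessions_per_public_ip: int = 59_000,
                 max_sessions_per_blade: int = 11_000_000,
                 avg_sessions_per_subscriber: int = 200,
                 blades_per_chassis: int = 12) -> dict:
    """Derive per-blade and per-chassis sizing from the four planning inputs."""
    if sessions_per_public_ip > USABLE_PORTS_PER_IP:
        raise ValueError("more sessions per public IP than usable ports")
    # how many public IPs a blade can fill before hitting its session ceiling
    public_ips_per_blade = max_sessions_per_blade // sessions_per_public_ip
    subs_per_blade = max_sessions_per_blade // avg_sessions_per_subscriber
    subs_per_chassis = subs_per_blade * blades_per_chassis
    public_ips_per_chassis = public_ips_per_blade * blades_per_chassis
    return {
        "public_ips_per_blade": public_ips_per_blade,        # slide rounds to 180
        "subscribers_per_blade": subs_per_blade,             # 55K
        "subscribers_per_chassis": subs_per_chassis,         # 660K
        "public_ips_per_chassis": public_ips_per_chassis,
        # private /16 (class B) blocks needed to give every subscriber one address
        "private_class_b": subs_per_chassis / 65_536,        # ~10
        # public /24 (class C) blocks holding the whole public pool
        "public_class_c": public_ips_per_chassis / 256,      # ~8-9
        # compression achieved: private addresses per public address
        "private_per_public": subs_per_chassis / public_ips_per_chassis,
    }


def blades_for_subscribers(subscribers: int, **kwargs) -> int:
    """Inverse question for a rollout: how many blades does a subscriber base need?"""
    per_blade = cgn_capacity(**kwargs)["subscribers_per_blade"]
    return math.ceil(subscribers / per_blade)
```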

Page 11: CGN Algorithms: Predictable port selection

• Originated when a Telco operator was testing online gaming
• FG now supports STUN (Session Traversal Utilities for NAT) via source port selection predictability (NO ALG)

Diagram: Host (iAddr:7777) behind hNAT and Client behind cNAT, both reaching the GameServer; each NAT maps iAddr:iport to eAddr:ePort.
  0. Initiate host session (iport=7777)
  1. hNAT / cNAT mapping
  2. hNAT / cNAT
  3. HC channel / CH channel
  4. Connection stats report

Page 12: CGN Algorithms: Mobile pool

    IPv6(1) # set type one-to-one
    one-to-one    one to one mapping
    overload      ip addresses in pool can be shared by clients

• one-to-one makes sure that at any given time only 1 client is using a pool IP
• overload is our default behaviour.

Page 13: CGN Algorithms: full cone NAT

• AKA:
  • Endpoint-Independent Filtering
  • Endpoint-Independent Mapping
• Basic requirement: FaceTime.

Diagram (test setup): LAN private addresses (Testing Client, private IP) behind a NAT44 public pool on the firewall, out to the Internet where Testing Client IP1, Testing Client IP2 and the FaceTime server IP3 sit.
  Full cone to be done by the firewall; no application control enabled; policy is allow: Trust to Untrust only.
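
A toy model of the NAT behaviours named on this slide and on the STUN slide above, added here as an example (not FortiOS code or the presentation's): it shows why only endpoint-independent mapping plus endpoint-independent filtering (full cone) lets a STUN-discovered eAddr:ePort be reused by a peer; every address is constructed.

```python
"""Toy NAT model in RFC 4787 terms (endpoint-independent mapping / filtering).
Added example, not FortiOS code; every address below is constructed."""
from dataclasses import dataclass, field


@dataclass
class Nat:
    public_ip: str
    eim: bool   # endpoint-independent mapping: one ePort per iAddr:iport, any destination
    eif: bool   # endpoint-independent filtering: any remote may use an existing mapping
    next_port: int = 40000
    mappings: dict = field(default_factory=dict)   # key -> external port
    seen: set = field(default_factory=set)         # (ext_port, remote) learned outbound

    def outbound(self, int_src: tuple, remote: tuple) -> tuple:
        """Internal int_src=(ip, port) sends to remote=(ip, port); return eAddr:ePort."""
        key = int_src if self.eim else (int_src, remote)   # symmetric NAT keys on the pair
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        ext_port = self.mappings[key]
        self.seen.add((ext_port, remote))
        return (self.public_ip, ext_port)

    def inbound(self, ext_port: int, remote: tuple) -> bool:
        """Would a packet from remote to eAddr:ext_port be forwarded inside?"""
        if ext_port not in self.mappings.values():
            return False                      # no mapping at all: drop
        return self.eif or (ext_port, remote) in self.seen


def peer_reaches_host(nat: Nat) -> bool:
    """Slide flow: host discovers eAddr:ePort via STUN, registers it with the
    server, then a peer sends straight to that tuple (no ALG involved)."""
    host = ("10.0.0.5", 7777)          # iAddr:iport as on the STUN slide
    stun = ("203.0.113.1", 3478)
    server = ("198.51.100.7", 443)     # game / FaceTime signalling server
    peer = ("192.0.2.9", 5000)
    via_stun = nat.outbound(host, stun)        # 1. learn the public mapping
    via_server = nat.outbound(host, server)    # 2. register it with the server
    if via_stun != via_server:
        return False   # mapping depends on destination: the STUN result is useless
    return nat.inbound(via_stun[1], peer)      # 3. peer sends to eAddr:ePort
```

Only the full-cone instance (eim and eif both true) returns True; a restricted cone keeps the same mapping but filters the peer, and a symmetric NAT gives STUN a mapping the server never sees.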

Page 14: The Fortinet Advantage

Detailed Logging
• Standards-based syslogging to external facilities
• Fulfils government regulations and business compliance

Page 15: The Logging problem

• Firewalls log each connection, or even each connection attempt, and each connection close
• In a CGN environment above 10 Gbps this could create massive storage needs: more than 100k logs/s!
• Bottlenecks are on the firewall and on the logging server

Page 16: Possible solution: logging hierarchy

Diagram: traffic I/O from the Internet is load-balanced by an FS-5003B across n x FortiGate 5001B blades (FG-5001B); the blades send logs to FAZ-1000C collectors (n x collectors), which forward to an FAZ-4000B analyzer.

Page 17: Redundancy: Node blade failure Scenario

− An additional blade in slot 10 shares the same configuration but is configured as backup
− Slot 5 is lost: the backup blade takes over and replaces blade 5

Diagram: FS-5003B fabric ports (Port 1, Port 2; INGRESS / EGRESS; SESSION-1, SESSION-2) feed FG-5001B blades in slots 5, 6 and 7 and the backup in slot 10; each blade has Internal, External and Fabric interfaces; slot 5 is marked failed (X).

Page 18: FortiOS IPv6 Support

Phase I
• Dual Stack
• FW + VPN

Phase II
• IPv6 routing protocols
• IPv6 support for AV, WCF, IPS (SIG, DOS)
• IPv6 admin access
• IPv6 FW acceleration

Phase III
• IPv6 DHCP service
• IPv6 FW auth.
• IPv6 SSL VPN access
• IPv6 SNMP

Phase IV (current)
• IPv6 NAT (NAT64, NAT66)
• IPv6 DNS
• IPv6 MIBs
• IPv6 ALG support
• FortiGuard service & device communications

Certifications: USGv6 CORE, USGv6 NPD

Page 19: IPv6 Network Address Translation

New in 4.0 MR3
• NAT66: IPv6-to-IPv6 Network Prefix Translation (Internet draft draft-mrw-nat66-12); provides address independence
• NAT64: from IPv6 clients to IPv4 servers (RFC 6146); with DNS64, provides the ability for IPv6-only clients to connect to IPv4-only servers
• DNS64: DNS extensions from IPv6 clients to IPv4 servers (RFC 6147); added to the DNS proxy (note that DNSSEC is not supported); option to synthesize AAAA records from A records

New in 5.0

Page 20: LAB

Diagram: FGT5001B performing NAT64 between an IPv4 side (172.16.254.0/24) and an IPv6 side (FC00:1000::/64); ports P5, P7 and P8.

Page 21: How NAT64 Works

Diagram: IPv6 Network (with DNS64) - NAT64 - IPv4 Network
  IPv6 side:  SIP: FC00:1000::1   DIP: 64:ff9b::B01:A
  IPv4 side:  SIP: <SNAT>         DIP: 11.1.0.10
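
The address arithmetic behind this diagram and the DNS64 bullet on page 19, as an added Python example (not FortiOS code): DNS64 embeds the A record in the low 32 bits of the /96 Pref64 (64:ff9b::/96, as in the diagram) and the NAT64 extracts it again on the IPv6-to-IPv4 path; the SNAT address passed in is a constructed placeholder.

```python
"""DNS64 AAAA synthesis and NAT64 address extraction (RFC 6052 embedding).
Added example, not FortiOS code; the SNAT address is constructed."""
import ipaddress

# Well-known /96 NAT64 prefix (RFC 6052); the diagram's 64:ff9b::B01:A lives in it.
WELL_KNOWN_PREF64 = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(ipv4: str, pref64=WELL_KNOWN_PREF64) -> str:
    """DNS64 step: put the 32-bit IPv4 address in the low bits of the /96 prefix."""
    if pref64.prefixlen != 96:
        raise ValueError("this helper only handles a /96 Pref64 (IPv4 in the low 32 bits)")
    v4 = ipaddress.IPv4Address(ipv4)
    return str(ipaddress.IPv6Address(int(pref64.network_address) | int(v4)))


def dns64_answer(a_records: list, aaaa_records: list, pref64=WELL_KNOWN_PREF64) -> list:
    """RFC 6147 rule: real AAAA records win; synthesize only when the name has none."""
    if aaaa_records:
        return [str(ipaddress.IPv6Address(a)) for a in aaaa_records]
    return [synthesize_aaaa(a, pref64) for a in a_records]


def extract_ipv4(ipv6: str, pref64=WELL_KNOWN_PREF64) -> str:
    """NAT64 step on the IPv6->IPv4 path: recover the IPv4 destination; reject
    destinations outside Pref64, which must be routed natively, not translated."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in pref64:
        raise ValueError(f"{v6} is not in {pref64}: not a NAT64 destination")
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFF_FFFF))


def translate_to_ipv4(src6: str, dst6: str, snat_ipv4: str, pref64=WELL_KNOWN_PREF64) -> dict:
    """Addresses of the packet leaving the NAT64 on the IPv4 side, as in the diagram:
    SIP FC00:1000::1 -> <SNAT>, DIP 64:ff9b::B01:A -> 11.1.0.10."""
    return {"sip": snat_ipv4, "dip": extract_ipv4(dst6, pref64),
            "orig_src6": str(ipaddress.IPv6Address(src6))}
```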

Page 22: IPv6 UTM + IPS & AppCtl

5.0
• Is a 3rd-party certified IPv6 firewall enough to deliver security?
• Now in IPv6 Firewall Policy: UTM options

Page 23: IPv6 – Fortinet Solution

• Stateful Inspection
• Transition Techniques
• Performance
• Virtualisation
• Unified Threat Management
• GTP, Diameter, sigtran
• Core Backbone
• Management

Page 24: WORLD IPv6 LAUNCH

Page 25: Get prepared

"The transition from IPv4 to IPv6 is under way as more network and content providers embrace IPv6. As the amount of IPv6 traffic (and IPv6-based threats) increases in networks around the world, it's essential that organizations deploy a network security solution that can deliver the same level of protection for IPv6 content as IPv4" http://www.fortinet.com/solutions/ipv6.html

Page 26: Thank You

Page 27: Contest!!!

Which element is essential for a NAT64 deployment?
Name one advantage of a firewall in a CGN deployment.
What is the most critical parameter of a firewall at the edge of an operator's network?
How does Fortinet handle a large number of logs per second in CGN deployments?
How many times longer is an IPv6 address than an IPv4 address?