Carrier-grade NAT (CGN) Solution - data.proidea.org.pl · Fortinet Confidential November 7, 2012...
Fortinet Confidential November 7, 2012
Carrier-grade NAT (CGN) Solution with FortiGate [email protected]
Our focus area: Gi / SGi

Diagram: UE -> (e)NodeB -> EPC -> Internet, with roaming partners peering into the EPC.

• Protecting EPC from users and peers: GTP and SCTP LTE firewall, content scanning / VAS
• Securing data transport between user equipment and EPC: high-capacity VPN concentrator
• Defending EPC from external threats: D/DoS guard, CGN and gateway firewall
• Network integration: routing protocol support, IPv6, resilient and scalable clustering
• OSS integration: supports SNMP, syslog, sFlow, web service APIs
Background

• Driven by:
  » Explosion of subscriber data usage
  » Limited and nearly exhausted public IPv4 addresses owned by carriers
  » IPv6 transition

Carrier Grade NAT: "... a NAT or NAPT device used by many subscribers ... This might be NAT between any combination of IPv4 and IPv6 ..." - draft-wing-nat-pt-replacement-comparison
Why do subscribers need IP connections?
Gi / SGi customers and products

• 3G SP (France): FG 3950
• Telco (UK): FG5000 chassis + ELBC
• Telco (Belgium): FG3950
• 3G SP (Romania): FG5000 chassis + ELBC
• 3G SP (Poland): FG 3040
• 3G SP (Moldova): FG 3950
• 3G SP (Egypt): FG5000 blades
• 3G SP (Qatar): FG 3810
• 3G SP (Malaysia): FG3950
• 3G (Philippines): FG5000 chassis + ELBC
• Telco (Korea): FG 3950
• 3G SP (Taiwan): FG3950
• 3G SP (HK): FG3950
CGN solutions (in order of increasing value)

Routers
• Traditional carrier routers with NAT enabled
• May have challenges with complex multimedia protocols

NAT devices
• Specialized or repurposed devices that perform the NAT function
• Better performance than routers
• Can be scalable
• Lack session management tools

CGN firewalls
• High-performance firewall
• Supports ALGs to provide security to the carrier infrastructure
• Session visibility
• Excellent performance and scalability
• Proven solution
Dedicated Firewall Solution Advantage

Test performed                         Test results
IPv6 Layer 3 performance test          Throughput 536 Gbps (1518 B frames) / 510 Gbps (256 B frames); frame latency 7.6 μs / 5.4 μs
Layer 4 traffic test                   1.4 million new connections per second
Layer 7 HTTP traffic test              502 Gbps
Layer 7 mixed applications traffic     514 Gbps

(The slide does not state the platform or the traffic mix behind these figures.)
Dedicated Firewall Solution Advantage

NAT ALG
• Ability to open pinholes for popular multimedia applications: only the ports the application signals are opened, only for the signalled peer, and they are closed again when the session ends, instead of leaving port ranges open to the Internet; this keeps the attack surface towards the infrastructure tight
CGN Algorithms: normal FG NAT

NAT efficiency
• Per-blade architecture allows linear scaling of IP address usage
  » A centralized routing module, which would limit scalability, does not have to be implemented
• 1 public IP supports 59K sessions
• Max sessions per blade = 11 million, hence a blade needs about 180 public IPs (11M / 59K)
• Assume each user's average concurrent sessions = 200, giving 55K subscribers per blade (11M / 200)
• A full chassis can support 660K concurrent subscribers (12 node blades x 55K)
• NAT efficiency: about 10 class B private networks (/16) served by 8 class C public networks (/24)
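The sizing arithmetic above, carried through as an added example (not a Fortinet tool): it takes the slide's three inputs (sessions per public IP, sessions per blade, sessions per subscriber) and returns the exact figures the slide rounds, so the numbers can be re-checked with other assumptions. The 12-blade chassis is inferred from 660K / 55K; the exact values come out slightly above the slide's 180 public IPs, 10 class B and 8 class C.

```python
"""Capacity check for the per-blade CGN sizing on the slide.

Added example, not Fortinet's sizing tool. It reproduces the slide's
arithmetic and reports exact (ceil) values where the slide rounds.
The 12 node blades per chassis are inferred from 660K / 55K.
"""
import math


def cgn_capacity(sessions_per_public_ip=59_000,
                 max_sessions_per_blade=11_000_000,
                 sessions_per_subscriber=200,
                 node_blades=12):
    """Return the pool and subscriber figures implied by the inputs."""
    # Public IPs a blade needs if every session burns one port on a pool IP.
    public_ips_per_blade = math.ceil(max_sessions_per_blade / sessions_per_public_ip)
    # Subscribers a blade can hold at the assumed average session count.
    subscribers_per_blade = max_sessions_per_blade // sessions_per_subscriber
    subscribers_per_chassis = subscribers_per_blade * node_blades
    public_ips_per_chassis = public_ips_per_blade * node_blades
    return {
        "public_ips_per_blade": public_ips_per_blade,
        "subscribers_per_blade": subscribers_per_blade,
        "subscribers_per_chassis": subscribers_per_chassis,
        "public_ips_per_chassis": public_ips_per_chassis,
        # Address-space view: /16 private networks needed vs /24 public networks used.
        "private_slash16_needed": math.ceil(subscribers_per_chassis / 65_536),
        "public_slash24_needed": math.ceil(public_ips_per_chassis / 256),
        # Subscribers sharing one public IP: what a log reverse lookup must disambiguate.
        "subscribers_per_public_ip": sessions_per_public_ip // sessions_per_subscriber,
    }


if __name__ == "__main__":
    for name, value in cgn_capacity().items():
        print(f"{name:28s} {value:>10,}")
```

The last field is the one to watch operationally: with the slide's assumptions about 295 subscribers share each public IP, which is why per-session logging with accurate timestamps (the logging slides later in the deck) is not optional in a CGN deployment.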
CGN Algorithms: Predictable port selection

• Originated when a telco operator was testing online gaming
• FortiGate now supports STUN (Session Traversal Utilities for NAT) hosts via source port selection predictability (no ALG)

Diagram: a host client behind hNAT and a peer client behind cNAT, both reaching a game server on the Internet; each NAT maps the inside iAddr:iPort to an outside eAddr:ePort.
0. Initiate host session (iPort = 7777)
1. hNAT / cNAT (first mapping leg, as labelled on the diagram)
2. cNAT / hNAT (second mapping leg)
3. CH channel / HC channel (direct client-to-host and host-to-client connections)
4. Connection stats report (from both sides)
CGN Algorithms: Mobile pool

IP pool type options (FortiOS CLI help for set type):
    IPv6(1) # set type
    one-to-one    one-to-one mapping
    overload      IP addresses in pool can be shared by clients

• one-to-one makes sure that at any given time only one client is using a pool IP
• overload is the default behaviour
CGN Algorithms: full cone NAT

• AKA: Endpoint-Independent Filtering and Endpoint-Independent Mapping (the RFC 4787 terms for what RFC 3489 called full cone)
• Basic requirement: FaceTime

Test setup: testing client (LAN private address) behind a public pool NAT44; full cone to be done by the firewall; no application control enabled; policy is allow, Trust to Untrust only. On the Internet side: Testing Client IP1, Testing Client IP2 and the FaceTime server IP3.
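A simulator for the two slides above (predictable port selection and full cone NAT), added here as an example; it is not Fortinet code and does not model FortiOS internals. It implements the RFC 4787 mapping and filtering behaviours, a sequential (predictable) versus non-sequential port allocator, and the slide's flow: both clients register with the game server, learn each other's reflexive eAddr:ePort, then open the direct CH/HC channel. Hosts, NAT external addresses and the rendezvous server address are constructed.

```python
"""NAT behaviour simulator: mapping/filtering policy and port allocation.

Added example for the predictable-port-selection and full-cone slides; it is
not Fortinet code and does not model FortiOS internals. Hosts, NAT external
addresses and the rendezvous "game server" address are constructed.
"""
from dataclasses import dataclass, field

# RFC 4787 behaviours. "Full cone" = EIM + EIF; "symmetric" = ADM + APDF.
EIM = "endpoint-independent-mapping"
ADM = "address-dependent-mapping"
EIF = "endpoint-independent-filtering"
APDF = "address-port-dependent-filtering"

SERVER = ("203.0.113.10", 3478)   # constructed public rendezvous / game server
HOST = ("10.0.0.5", 7777)         # host client, iPort 7777 as on the slide
CLIENT = ("10.1.0.9", 50000)      # peer client, constructed


@dataclass
class NAT:
    ext_ip: str
    mapping: str = EIM
    filtering: str = EIF
    sequential_ports: bool = True   # True: next ePort = previous + 1 (predictable)
    _n: int = 0
    _maps: dict = field(default_factory=dict)    # mapping key -> ePort
    _peers: dict = field(default_factory=dict)   # ePort -> set of peers sent to

    def _alloc_port(self):
        self._n += 1
        if self.sequential_ports:
            return 20000 + self._n
        # Stand-in for random allocation (RFC 6056): a stride coprime with the
        # 64512-port range, so consecutive mappings are never ePort + 1.
        return 1024 + (self._n * 40507) % 64512

    def outbound(self, iaddr, iport, dst):
        """Inside host iaddr:iport sends to dst; returns the eAddr:ePort used."""
        key = (iaddr, iport) if self.mapping == EIM else (iaddr, iport, dst)
        if key not in self._maps:
            self._maps[key] = self._alloc_port()
        eport = self._maps[key]
        self._peers.setdefault(eport, set()).add(dst)
        return (self.ext_ip, eport)

    def inbound(self, src, eport):
        """Would a packet from src to ext_ip:eport be forwarded inside?"""
        if eport not in self._peers:
            return False                     # no mapping: always dropped
        if self.filtering == EIF:
            return True                      # full cone: anyone may use the pinhole
        return src in self._peers[eport]     # only peers the inside host contacted


def hole_punch(hnat, cnat, predict=False):
    """The slide's flow: both sides register with the server (steps 0-1), learn
    the peer's reflexive eAddr:ePort (step 2), then open the direct channel
    (step 3). With predict=True each side targets the port the peer's NAT will
    hand out next (reflexive ePort + 1): this is what lets a symmetric NAT with
    predictable port selection be traversed without an ALG."""
    h_refl = hnat.outbound(*HOST, SERVER)
    c_refl = cnat.outbound(*CLIENT, SERVER)
    h_target = (h_refl[0], h_refl[1] + 1) if predict else h_refl
    c_target = (c_refl[0], c_refl[1] + 1) if predict else c_refl
    h_src = hnat.outbound(*HOST, c_target)    # host -> client (HC channel)
    c_src = cnat.outbound(*CLIENT, h_target)  # client -> host (CH channel)
    return cnat.inbound(h_src, c_target[1]) and hnat.inbound(c_src, h_target[1])


def full_cone(ip):
    return NAT(ip, EIM, EIF)


def port_restricted(ip):
    return NAT(ip, EIM, APDF)


def symmetric(ip, sequential_ports=True):
    return NAT(ip, ADM, APDF, sequential_ports)


if __name__ == "__main__":
    for name, mk in [("full cone", full_cone), ("port-restricted", port_restricted),
                     ("symmetric", symmetric)]:
        print(f"{name:16s} direct: {hole_punch(mk('198.51.100.1'), mk('198.51.100.2'))}")
    print("symmetric, sequential ports, prediction:",
          hole_punch(symmetric("198.51.100.1"), symmetric("198.51.100.2"), predict=True))
    print("symmetric, non-sequential ports, prediction:",
          hole_punch(symmetric("198.51.100.1", False), symmetric("198.51.100.2", False), predict=True))
```

The trade-off the two slides sit on is visible in the results: full cone (EIM + EIF) makes FaceTime-style traffic work with no application knowledge, but any Internet host can reach the pinhole once it exists; endpoint-independent mapping with address-and-port-dependent filtering still lets the peers connect while admitting only hosts the subscriber contacted; and a symmetric NAT only works for peer-to-peer gaming when its port allocation is predictable, which is exactly the property RFC 6056 recommends against for hosts exposed to off-path attackers, so a CGN operator enabling it should scope it to the pool or policy that needs it.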
The Fortinet Advantage

Detailed logging
• Standards-based syslogging to external facilities
• Fulfills government regulations and business compliance
The logging problem

• Firewalls log each connection, or even each connection attempt, and each connection close
• In a CGN environment above 10 Gbps this can create massive storage needs: more than 100k logs/s
• The bottlenecks are on the firewall and on the logging server
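What those per-connection logs are for, shown as an added example (not FortiAnalyzer code): the compliance question a CGN operator has to answer is "which subscriber was behind public ip:port at time T", and it can only be answered if both the accept and the close record survive, because the NAT pool port is reused as soon as a session ends. The sample lines are constructed in a FortiGate-style key=value syslog layout; the field names (srcip/srcport for the subscriber side, transip/transport for the pool side) are an assumption and must be checked against the log reference of the firmware in use.

```python
"""Reverse lookup over CGN traffic logs: who held public ip:port at time T?

Added example, not FortiAnalyzer code. The log lines are constructed in a
FortiGate-style key=value syslog layout; the field names are an assumption.
"""
from datetime import datetime
import re

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """key=value syslog line -> dict (quoted values unquoted)."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def build_sessions(lines):
    """Pair accept/close records into (nat_key, subscriber, start, end) tuples.

    Sessions are keyed on the NAT-side (transip, transport, proto). A close with
    no matching accept (log loss) is skipped; an accept with no close stays
    open-ended, which is the honest answer when the close record was dropped."""
    open_sessions, sessions = {}, []
    for rec in map(parse_line, lines):
        if rec.get("type") != "traffic":
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        key = (rec["transip"], int(rec["transport"]), rec["proto"])
        if rec["action"] == "accept":
            open_sessions[key] = (rec["srcip"], int(rec["srcport"]), ts)
        elif rec["action"] == "close" and key in open_sessions:
            srcip, srcport, start = open_sessions.pop(key)
            sessions.append((key, (srcip, srcport), start, ts))
    for key, (srcip, srcport, start) in open_sessions.items():
        sessions.append((key, (srcip, srcport), start, None))
    return sessions


def who_used(sessions, pub_ip, pub_port, proto, at):
    """Subscriber (srcip, srcport) behind pub_ip:pub_port at datetime `at`, or None.

    The pool port is reused as soon as a session closes, so the time bound is what
    makes the answer unique; an abuse report without an accurate timestamp (and
    timezone) cannot be resolved to one subscriber."""
    for key, subscriber, start, end in sessions:
        if key == (pub_ip, pub_port, proto) and start <= at and (end is None or at < end):
            return subscriber
    return None


# Constructed sample: two subscribers reuse pool port 30001 in sequence, a third
# subscriber holds 30002, and one non-traffic event line must be ignored.
SAMPLE_LOGS = [
    'date=2012-11-07 time=10:15:01 type=traffic subtype=forward srcip=10.20.30.40 srcport=51234 '
    'dstip=198.51.100.7 dstport=443 transip=203.0.113.5 transport=30001 proto=6 action=accept',
    'date=2012-11-07 time=10:17:01 type=traffic subtype=forward srcip=10.20.30.40 srcport=51234 '
    'dstip=198.51.100.7 dstport=443 transip=203.0.113.5 transport=30001 proto=6 action=close duration=120',
    'date=2012-11-07 time=10:19:00 type=traffic subtype=forward srcip=10.20.30.41 srcport=40000 '
    'dstip=198.51.100.9 dstport=80 transip=203.0.113.5 transport=30001 proto=6 action=accept',
    'date=2012-11-07 time=10:19:05 type=traffic subtype=forward srcip=10.20.30.42 srcport=40001 '
    'dstip=198.51.100.9 dstport=80 transip=203.0.113.5 transport=30002 proto=6 action=accept',
    'date=2012-11-07 time=10:19:30 type=event subtype=system msg="not a traffic record"',
]


def lookup(when, pub_ip="203.0.113.5", pub_port=30001, proto="6"):
    """Convenience wrapper over the sample; `when` is 'HH:MM:SS' on 2012-11-07."""
    at = datetime.strptime("2012-11-07 " + when, "%Y-%m-%d %H:%M:%S")
    return who_used(build_sessions(SAMPLE_LOGS), pub_ip, pub_port, proto, at)


if __name__ == "__main__":
    for t in ("10:15:30", "10:18:00", "10:20:00"):
        print(t, "203.0.113.5:30001 ->", lookup(t))
```

Each session costs two records here, which is where the "more than 100k logs/s" figure comes from; whatever collector tier absorbs that rate must preserve ordering per NAT key, or the accept/close pairing above silently attributes a port to the wrong subscriber.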
Possible solution: logging hierarchy

Diagram: traffic I/O enters the chassis, where FS-5003B fabric blades load-balance flows across n x FortiGate 5001B node blades facing the Internet; the node blades send their logs to n x FAZ-1000C collectors, which forward to a single FAZ-4000B analyzer.
Redundancy: node blade failure scenario

Diagram: FS-5003B fabric blade (fabric ports, internal/external sides) distributes SESSION-1 and SESSION-2, ingress and egress, across FG-5001B node blades in slots 5, 6 and 7, each with internal, external and fabric ports.
− An additional blade in slot 10 shares the same configuration but is configured as backup
− Slot 5 is lost: the backup blade takes over and replaces blade 5
FortiOS IPv6 Support

Phase I
• Dual stack
• Firewall + VPN

Phase II
• IPv6 routing protocols
• IPv6 support for AV, WCF, IPS (signatures, DoS)
• IPv6 admin access
• IPv6 firewall acceleration

Phase III
• IPv6 DHCP service
• IPv6 firewall authentication
• IPv6 SSL VPN access
• IPv6 SNMP

Phase IV (current)
• IPv6 NAT (NAT64, NAT66)
• IPv6 DNS
• IPv6 MIBs
• IPv6 ALG support
• FortiGuard service and device communications

Certifications: USGv6 Core, USGv6 NPD
IPv6 Network Address Translation

New in 4.0 MR3
• NAT66: IPv6-to-IPv6 network prefix translation (Internet draft-mrw-nat66-12); provides address independence
• NAT64: from IPv6 clients to IPv4 servers (RFC 6146); together with DNS64, gives IPv6-only clients the ability to connect to IPv4-only servers
• DNS64: DNS extensions for IPv6 clients reaching IPv4 servers (RFC 6147); added to the DNS proxy, with an option to synthesize AAAA records from A records. Note that DNSSEC is not supported: a synthesized AAAA record carries no signature from the zone owner, so a client validating DNSSEC itself would reject it

New in 5.0
LAB

Diagram: an FGT5001B performing NAT64 between an IPv4 side (172.16.254.0/24) and an IPv6 side (FC00:1000::/64), using ports P5, P7 and P8.
How NAT64 Works

IPv6 network (with DNS64) -> NAT64 -> IPv4 network
• Packet on the IPv6 side: SIP FC00:1000::1, DIP 64:ff9b::B01:A
• Packet on the IPv4 side: SIP <SNAT>, DIP 11.1.0.10

64:ff9b::/96 is the well-known NAT64 prefix (RFC 6052); the last 32 bits of the destination, 0B01:000A, are the IPv4 address 11.1.0.10, and the source is rewritten to an address from the NAT64 pool.
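The address arithmetic behind the two NAT64 slides, as an added example that is not FortiOS code: the RFC 6052 IPv4-embedded IPv6 format (for the well-known prefix 64:ff9b::/96 and for the network-specific prefix lengths, where the "u" octet at bits 64-71 has to be skipped), the RFC 6147 rule that DNS64 only synthesizes when no AAAA record exists, and the header rewrite the slide shows. The NAT64 pool address and the record sets are constructed; the implementation goes beyond the slide's /96 case to the other RFC 6052 prefix lengths.

```python
"""NAT64 / DNS64 address synthesis and translation (RFC 6052 / 6146 / 6147).

Added example, not FortiOS code. Pool address and DNS record sets are
constructed; the RFC 6052 test vectors are used to check the embedding.
"""
import ipaddress

WKP = ipaddress.IPv6Network("64:ff9b::/96")   # well-known prefix, RFC 6052


def embed_ipv4(ipv4, prefix=WKP):
    """IPv4 address -> IPv4-embedded IPv6 address under prefix (RFC 6052 s2.2).

    Bits 64-71 (the "u" octet) must stay zero, so for prefixes shorter than
    /64 the four IPv4 bytes are split around byte 8."""
    prefix = ipaddress.IPv6Network(prefix)
    plen = prefix.prefixlen
    if plen not in (32, 40, 48, 56, 64, 96):
        raise ValueError("RFC 6052 allows /32, /40, /48, /56, /64 or /96 only")
    v4 = ipaddress.IPv4Address(ipv4).packed
    out = bytearray(prefix.network_address.packed)
    start = plen // 8
    if plen == 96:                      # plain suffix: bytes 12..15
        out[12:16] = v4
    elif plen == 64:                    # skip the u octet: bytes 9..12
        out[9:13] = v4
    else:                               # /32../56: split around byte 8
        before = 8 - start
        out[start:8] = v4[:before]
        out[9:9 + 4 - before] = v4[before:]
    return ipaddress.IPv6Address(bytes(out))


def extract_ipv4(ipv6, prefix=WKP):
    """Inverse of embed_ipv4; None if ipv6 is not inside the prefix."""
    prefix = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    b, plen = addr.packed, prefix.prefixlen
    start = plen // 8
    if plen == 96:
        v4 = b[12:16]
    elif plen == 64:
        v4 = b[9:13]
    else:
        before = 8 - start
        v4 = b[start:8] + b[9:9 + 4 - before]
    return ipaddress.IPv4Address(bytes(v4))


def dns64_answer(aaaa_records, a_records, prefix=WKP):
    """RFC 6147: synthesize AAAA only when the name has no AAAA record.

    A synthesized record is not signed by the zone owner, so a client that
    validates DNSSEC itself will reject it (the slide: DNSSEC is not supported)."""
    if aaaa_records:
        return [ipaddress.IPv6Address(a) for a in aaaa_records]
    return [embed_ipv4(a, prefix) for a in a_records]


def nat64_translate(src6, dst6, pool_ip4, prefix=WKP):
    """IPv6 header (src, dst) -> IPv4 header (src, dst) as seen on the IPv4 side.

    The source becomes an address from the NAT64 pool (the slide's <SNAT>);
    a destination outside the prefix is not a NAT64 candidate and returns None."""
    dst4 = extract_ipv4(dst6, prefix)
    if dst4 is None:
        return None
    return (str(ipaddress.IPv4Address(pool_ip4)), str(dst4))


if __name__ == "__main__":
    # The slide's packet: FC00:1000::1 -> 64:ff9b::B01:A becomes <SNAT> -> 11.1.0.10
    print(dns64_answer([], ["11.1.0.10"]))
    print(nat64_translate("fc00:1000::1", "64:ff9b::b01:a", "172.16.254.1"))
```

The practical check this gives an operator: the prefix used by DNS64 and the one matched by the NAT64 policy must be the same object, otherwise synthesized answers point at a destination the firewall never translates (the `None` case above), and with a network-specific prefix the embedding is not a simple suffix, so hand-built test addresses are easy to get wrong.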
5.0
• Is a third-party certified IPv6 firewall enough to deliver security?
• UTM options are now available in the IPv6 firewall policy: IPv6 UTM + IPS and application control
IPv6 - Fortinet Solution

• Stateful inspection
• Transition techniques
• Performance
• Virtualisation
• Unified Threat Management
• GTP, Diameter, SIGTRAN
• Core backbone
• Management
WORLD IPv6 LAUNCH
Get prepared

"The transition from IPv4 to IPv6 is under way as more network and content providers embrace IPv6. As the amount of IPv6 traffic (and IPv6-based threats) increases in networks around the world, it's essential that organizations deploy a network security solution that can deliver the same level of protection for IPv6 content as IPv4" http://www.fortinet.com/solutions/ipv6.html
Thank You
Contest!!!

• Which element is necessary to deploy NAT64?
• Name one advantage of a firewall in a CGN deployment.
• What is the most critical parameter of a firewall at the edge of an operator's network?
• How does Fortinet cope with the high number of logs per second in CGN deployments?
• How many times longer is an IPv6 address than an IPv4 address?