Allot Network Intelligence Tomás Gómez de Acuña tgomez@allot.com

Allot–At-A-Glance Company Status Public company traded on NASDAQ [ALLT] Employees 250 R&D and Operations Israel, Hod Hasharon WW Sales and Support Americas: MN, CA, NY, TX, AZ, Brazil Europe: France, UK, Germany, Italy, Spain, Scandinavia Asia/Pac.: Singapore, Japan, Australia Founded 1997 Track Record More than 9000 units sold in 118 countries More than 700 service providers More than 2060 enterprises and educational inst.

Allot Network Intelligence Solution Internet Access Internet Web, Email, Citrix Servers Video Citrix Clients SAP/Citrix Oracle VoIP GW PBX Data Center London Office VoIP Service Protector NetEnforcer RED LAN / CORE WAN NetEnforcer NetEnforcer VPN/ Leased Line/ MPLS Paris Office VoIP Service Protector NetEnforcer Tokyo Office VoIP SMP Server NetXplorer Server GUI Client

Network Intelligence Solution – Main Features Network visibility & Network Intelligence Network troubleshooting Layer 7 Firewall Signature Base, DPI (Deep Packet Inspection) Connection Control Connection limitation per rule Badwidth assignment per connection Data center protection / DoS protection DDoS and Malicious Traffic Control (Service Protector) P2P Control Application Control QoS Bandwidth Management Video Caching (MediaSwift) Block of Illegal Webside URLs (Websafe) Managed Services. Virtual Traffic Control Subscriber Management. Traffic Control per Subscriber Accounting and Billing

Allot Product Family NetEnforcer Service Protector WebSafe NetXplorer & NetXplorer Provisioner Subscriber Management Platform (SMP)

NetEnforcer Products NetXplorer SMP AC-400 AC-800 AC-1000 AC-2500 Service Gateway Ancho De Banda 2 a 100 Mb 45 a 310 Mb 155 Mb a 1 Gb 310 Mb a 2,5 Gb 4 Gb to 20 Gb 5 Gb a 40Gb Politicas 4.000 28.000 80.000 80.000 400.000 400.000 Internet Access, Local ISPs Pymes y SMB Enterprise ISPs Universidades Tier 2-3 Carriers, ISPs, Enterprise Universidades Tier 1, 2 Carriers, ISPs, Enterprise Universidades Tier 1, 2 Carriers, ISPs, Enterprise Universidades Tier 1, 2 Carriers, ISPs Clientes

NetEnforcer: Enterprise / Medium SP Platform Model Bandwidth Pipes VCs Managed Links AC-40X Monitoring Only 100 Mbps 1 024 4,096 1 - 2 AC-40X/2M 2 Mbps AC-40X/6M 6 Mbps AC-40X/10M 10 Mbps AC-40X/45M 45 Mbps AC-40X/100M AC-80X Monitoring Only 310 Mbps 28,672 1 - 2 - 4 AC-80X-C&F 155 Mbps

NetEnforcer: SP & Carrier Platform Model Bandwidth Full Duplex Pipes VCs Managed Links AC-10X0-Monitoring Only 1000 Mbps 10,000 80,000 1-2 AC-10X0-155M 155 Mbps AC-10X0-310M 310 Mbps AC-10X0-620M 620 Mbps AC-10X0-1000M AC-25X0- Monitoring Only 2500 Mbps 40,000 1-2-4 AC-25X0-310M AC-25X0-620M AC-25X0-1000M AC-25X0-2500M

AC10000 21 March 2017 Component / Feature Description Hardware Blade ATCA Chassis Management interface 10/100/1000T Traffic Interface 2 x 10 GE 4 x 10 GE 8 x 1GE High Availability 1+1 Active Redundancy External Bypass 1 per Traffic card Component redundancy Inherent redundancy of every component Hot Swapable Yes Redundant power Supply Trhoghput Up to 20 Gbps Subscribers 800.000 Policy Size Up to 200k Pipes and 400k VCs Concurrent Connections Up to 10M connections (20M flows) New Connections per sec Up to 200k new connections per sec (400k new flows) 21 March 2017

Service Gateway 21 March 2017 Component / Feature Description Hardware Blade ATCA Chassis Management interface 10/100/1000T Traffic Interface 2 x 10 GE 4 x 10 GE 8 X 10 GE 16 x 1 GE High Availability N+1 Redundancy Internal Bypass 1 per Traffic card Component redundancy Inherent redundancy of every component Hot Swapable Yes Redundant power Supply Trhoghput Up to 40 Gbps Subscribers 800.000 Policy Size Up to 200k Pipes and 400k VCs Concurrent Connections Up to 10M connections (20M flows) New Connections per sec Up to 200k new connections per sec (400k new flows) 21 March 2017

The Service Gateway Vision Network + Subscriber Management 3rd Party Services Future Service ... Monitoring QoS Control Malicious traffic control URL Filtering Content Caching DPI Engine Open platform enabling integration of best-in-class services 21 March 2017

Service Gateway Redirecction Internet Access Caching URL Filtering IDS Firewall Contect Inspection Reponse Time System Third Party Product RED LAN / CORE Centralized DPI System Reduce System Investment Better Traffic Control Really Intelligent (L7) Forward

Redundant Configuration 1 & 2 links Topologies One link Two Links. Redundant Configuration Two Links. Different Networks Internet NetEnforcer Router Firewall LAN Switch DMZ Internet Router Firewall LAN Switch DMZ LAN WAN NetEnforcer NetEnforcer 10/100 Ethernet: NE 402/802 1 Giga: NE 802/1010 10 Giga: NE 10100 / SG 10/100 Ethernet: NE 404/804 1 Giga: NE 804/1020/2520 10 Giga: NE 10200 / SG 10/100 Ethernet: NE 404/804 1 Giga: NE 804/1020/2520 10 Giga: NE 10200 / SG

Redundant Configuration. 4 links Topologies Four Links. Redundant Configuration. Fully Meshed FourLinks. Different Networks. NetEnforcer 10/100 Ethernet: NE 808 1 Giga: NE 808/2540 10 Giga: SG 8 x 10G 10/100 Ethernet: NE 808 1 Giga: NE 808/2540 10 Giga: SG 8 x 10G

8 links Topologies Service Gateway: 8 links of 1 giga Eight Links. Different Networks Service Gateway: 8 links of 1 giga

Redundancy Support Link Active Redundancy Link High Availability Redundancy Support Link Active Redundancy Link Router Internet Secondary Normal Scenario Primary Active Primary Primary Bypass Active Mode Secondary Bypass Bypass Mode

SMP Arquitecture

SMP Features Subscriber Monitoring Tiered Services Quota Management Time Based Volume Based Portal

NetXplorer Provisioner Arquitecture Managed Services: Virtual Traffic & Network Intelligence Authentication NetXplorer Server RADIUS Server Users Policy Modifications and Data Collection Back-end control Front-end Provisioning and Monitoring Internet Users NetEnforcer NetXplorer Provisioner Network Operator

NetXplorer Provisioner (NPP)

NetXplorer & SMP Arquitecture GUI Client GUI Client OSS RADIUS/DHCP Mediation / Billing NetXplorer Server Subscriber Management NetXplorer Data Collector NetXplorer Data Collector NetXplorer Data Collector March 21, 2017

Netxplorer Features Main Features Network Visibility Real Time Monitoring Long Term Monitoring Auto Application Discovery Centralized Policy Management QoS definition L7 Firewalling Port Redirection DoS control Reports Creation Reports Scheduling Events & Alarms

Netxplorer Drill Down Capability

Rich Set of Graphs Statistics Utilization Distribution Graphs NetEnforcers Lines / Pipes / VCs Protocols Hosts / Int / Ext / Conversations Subscribers Average Protocol Popularity Typical Time Five main classes of predefined graphs are available in NetXplorer. Statistics graphs: Display the bandwidth consumed over a given period of time by your network, or specific entities within it Utilization graphs: Display the bandwidth consumed on a given entity as a percentage of a pre-defined maximum Object graphs: For each of the objects listed two types of reports are available: Most active object graphs. These display the most active objects over the period defined. The user can determine on what scale to measure “most active” (e.g: total bandwidth consumed, number of new connections, number of inbound packets etc), and of course, the number of “top” objects to view up to a total of 50. Object distribution graphs. These display the distribution of selected objects over the period defined. The user can again determine the scale on which the distribution is measured. Average protocol popularity graphs. Available specifically for the “protocols” object, these reports display protocol statistics, not according to the amount of bandwidth, packets or connections consumed, but according to the number of subscribers who used these protocols during the defined period. Typical time graphs: Display the results for any of the above graphs as a typical day or a typical week for the time period defined.

NetXplorer Most Active Graphs Reports Top N Available for: Netenforcer Lines, Pipes, Virtual Channels Protocolos Hosts Internal Host External Host Conversations Three Dimensional Graphs

NetXplorer Data Selection Date & Time Range

NetXplorer Report Creation Multiple Format Output Reports

NetXplorer Report Scheduling

Events & Alarms

QoS Optimization & Control Without Allot With Allot P2P Upload P2P Download Visible and Managed Unmanaged VoIP WebTV Video Conferencing Gaming email Allot NetEnforcer

NetXplorer Policy Definition Policy Name Conditions Actions

Superior DPI technology New dedicated H/W offers scalability & upgradability Based on Allot’s Next Generation DPI engine S/W with native APU (Allot Protocol Updates) support Advanced Proactive Learning System for finer identification of sophisticated P2P Apps Leader in real time and internet protocols

Service Catalog

Improvement of QoS features 3-level policy control LINE, PIPE & Virtual Channel Expedited Forwarding for real time applications Assured Forwarding for video streaming Drop Precedence for effective BW management (short term peak traffic) Tailored QoS behavior per Application Per Flow Queuing mechanism

QoS Catalog

DoS & Connection Control DoS Control Connection Control

ServiceProtector Protects against DDoS attacks; network attacks; worms; subscriber zombies; spambots Behavior-based ADS (Anomaly Detection System) Facilitates surgical isolation at the network or subscriber level KEY BENEFITS Reduce customer complaints Reduce OPEX Avoid email blacklisting Enhance network mgmt Improve network stability Protect key customers Protect revenue streams 21 March 2017

ServiceProtector’s Main Features Signature free DDoS, Spam and Zombie detection 0 day detection Fully based on traffic behavior <5% false positives, >95% rate true positives Fast attack identification. Normally less than 5 min from begin to mitigation “On-Fly” attack signature creation For Mitigating the attacks Easy and transparent installation Distributed system Multiples sensors with one management console Independent solution No help needed from routers Fully integrated with NetXplorer’s Network Intelligent System External server or a ATCA blade Up to 10Gbits real-time detection per sensor 38 21 March 2017 38 38

Network Behavior Anomaly Detection (NBAD) Network attacks disrupt network behavior and the normal relationship between network statistics Uses TCP/IP statistics to build behavioral models Identifies disruptions in absolute and relative network statistics Connectionless, sessionless, stateless Detection speed inversely proportional to magnitude of attack Invariant to normal peaks and troughs Sensitive to attacks 21 March 2017

Deployment SP-Controller SP-Sensor SP-Sensor blade* SP-Sensor NetXplorer SP-Sensor Cable Subscribers SP-Sensor blade* SP-Sensor Core IP Network Access DSL Subscribers SP-Sensor blade* International/local peering partners NetEnforcer Service Gateway ServiceProtector is deployed where you need protection; at key aggregation points usually next to the threat; use enforcement devices such as NetEnforcer or Service Gateway appliances for blocking, limiting or redirecting offending traffic; alternatively use network infrastructure like BRAS or routers or even network security devices; ServiceProtector has a passive network probe appliance called the ServiceProtector Sensor that listens to network traffic from optical taps (as shown here) or via port mirror or port SPAN; In the near future, the ServiceProtector Sensor will also be implemented as a blade on the Service Gateway; In the meantime, the Sensor appliance can deployed as an appliance via optical taps or port SPAN; Each Sensor communicates with a central management, storage, and reporting appliance called the ServiceProtector Controller; A Controller can manage either kind of Sensor with no need to expand the storage (unless desired). This is because ServiceProtector uses summarized metadata about the traffic so its storage requirements will not scale linearly in proportion to the amount of traffic; Controller can manage up to 16 Sensors; NOTE: Passive deployment of Sensors – not inline Do not require collection intrusive collection of flow records from routers Can automatically capture packets and flows from the network for analysis, real-time signature creation and verification 10GE Sensors do not substantially increase the volume of data compared with 1GE Sensors Access Hosting Services DDoS protection Service Gateway * Availability of Service Protector blade to be announced – expect mid-late ‘08 21 March 2017

MediaSwift Intelligent Media Caching maximizes network efficiency Accelerates content delivery and provides highest QoE Reduce delivery costs and improve service quality KEY BENEFITS Transparent caching of all bandwidth-intensive protocols Reduce OPEX Reduction of upstream bandwidth Wire speed data delivery Preserves functionality for all Internet services Scalable multi-gigabit bandwidth generation 21 March 2017

Bandwidth Control & Media Acceleration Internet HTTP Traffic Manages traffic and BW growth Produces BW savings Fastest downloads possible Best Quality of Experience (QoE) Satisfy user demand for media Competitive advantage over other ISPs MediaSwift P2P Traffic ISP Core Network ISP Access Network Subscribers HTTP Video P2P Peer VoIP Email, HTTP March 21, 2017March 21, 2017March 21, 2017March 21, 2017March 21, 2017

How it Works Stopped! Requested file is in the storage File is downloaded from storage MediaSwift Blade Connection with peer is maintained File Request File Download File Request Keep Alive File Download Stopped! SG-Sigma ISP User Internet User SG redirects multimedia traffic to/from blade March 21, 2017

Network-based illegal content filtering solution WebSafe Network-based illegal content filtering solution An add-on service for Allot Service Gateway Sigma Supports encrypted URL blacklists up to 50,000 entries Supports Whitelist Overrides Blacklist in case of over-blocking Up to 10,000 entries Multiple enforcement actions: Redirect or block user March 21, 2017March 21, 2017March 21, 2017March 21, 2017March 21, 2017

Referencias Banca y Seguros BBVA Banco Sabadell Santa Lucia Caixanova Rural Servicios Informáticos Agroseguro BBK Ibercaja Cajasegovia Aseval Caja Laboral Administración Pública Turespaña Catastro Servicio Andaluz de Salud Oficina de Patentes Forum de Barcelona Principado de Asturias Gobierno de La Rioja Gobierno de Canarias Gobierno de Navarra Gobierno de Cantabria Ayuntamiento de Gijón Ayuntamiento de Rivas Ayuntamiento Laguna de Duero Ayntamiento de Torre Pacheco Parlamento de Cataluña Informática Comunidad de Madrid Estrada Dixital Hospital Marqués de Valdecilla Sescam Xunta de Galicia Ayunt. Quitanadueñas Ayunt. de Barcelona Ministero de Sanidad Ministerio de Agricultura Ministerio de Economía (IGAE) Marina Mercante Generalitat Valenciana Ayuntamiento de Lloret Dirección General de Aragón (DGA) Sadesi (Junta de Andalucía) Junta de Extremadura Consejería Educación Junta de Andalucía Parlamento de Vasco Osakidetza (Servicio Vasco de Salud) IKT (Gobierno Vasco) Autoridad Portuaria de Valencia Dirección Gral de la Policia Ministerio de Defensa Ministerio del Interior Gobierno de Murcia (F. Integra) Colegio de Registradores CNMV

Referencias Universidades Universidad de Oviedo Operadores Unión Fenosa Telecomunicaciones Comunitel Neo Sky Fujitsu ASP BT Telecable R PTVTelecom Mcctelecom CableMutua Riosat Everbit Gemytel Más de 10 operadores de Cable regionales WifiOnline Axartel Novatelefonia Cable Sur Epresa Cable Melilla AWA Acorde Telecom Castilla La Mancha Universidades Universidad de Oviedo Universidad de Las Palmas Universidad de Málaga Universidad de Burgos Universidad de Cantabria Universidad de León Universidad Alfonso X el Sabio Universidad Miguel Hernández Universidad de Murcia Universidad de Barcelona Oxford University Press Universidad Pública de Navarra Universidad de La Rioja Escuela universitaria Galileo Galilei Universidad de Jaen Universidad de Huelva Universidad Politécnica de Madrid Universidad de Granada

Referencias Industria y Empresa Iron Montain ENCE Barceló Viajes Garden Hotel Praxair RTVE Turespaña Agroseguro DHL Tectotrans Marmedsa Mundo Social Viajes Marsans Dorna Telemadrid Unión Española de Explosivos Arias La Cope MediaPro – La sexta Museo del prado Metro de Madrid Polaris World Cementos Rohe Prosegur Algeposa Global Interlink Azertia Garden Group Puleva Albatros Almirall Torraspapel Iberdrola OHL Telefónica Soluciones Blanco Diagomoda AENA Radio Televisión Valenciana Transportes AZKAR Marítima Bergé Singular Kitchen ABC-Vocento Ibermática Redcom Spainrep Clar Roboticker Ciudad de La Luz Detinsa Estrella de Galicia Plásticos Ferro Forum de Barcelona Grupo Urvasco Grupo Boluda Armillar Pipeline Sofware Punto Acceso Rodio Cimentaciones Mtorres Schneider Electric Trentinort Unisono ACS/dragados Telepizza