Saisei FlowCommand

The Saisei FlowCommand family of network performance enforcement (NPE) solutions offers a new paradigm for real-time user- and application-policy enforcement and visibility, made possible by its unique ability to change the way that chaotic routed IP networks behave. FlowCommand software handles all the anomalies associated with today's highly utilized and over-subscribed IP networks that are being overwhelmed by the influx of traffic from mobile, cloud and IoT deployments. FlowCommand instills order on the chaos of TCP/IP by creating predictable and equitable performance for all users while concurrently guaranteeing that no user session will ever crash or time out again. No other networking vendor can make this claim.

FlowCommand collects in-depth, real-time, fine-grained statistics about all traffic flowing on critical network links -- up to 5 million simultaneous flows on a 10G network. While monitoring these flows 20 times per second, it can control each and every flow according to powerful, flexible user-defined policies based on over 40 metrics included with the solution. FlowCommand software is distributed either as a virtual machine image to run on a hypervisor, or can be packaged on a bare-metal x86 hardware system suitable for real-time monitoring and policy enforcement across links up to 10G.

FLOW COMMAND IN ACTION

No Flow Left Behind

When FlowCommand receives a data packet -- generally TCP or UDP -- the first thing it does is associate it to a flow, defined as the sequence of packets sharing the same IP addresses and TCP/UDP ports. FlowCommand then keeps extensive state for each flow including the transmission rate, duration, round-trip time, and a quality metric which is updated with every packet it receives.

Every flow is associated with the:
- Application it is serving (for example, a specific website or business app, or a protocol such as VoIP)
- Geographic location it is serving (generally, a country or city)
- Hosts (internal and external) it is connecting
- Users it is serving (via an address-to-user database such as Microsoft Active Directory or OpenLDAP)
- Custom Groups -- applications, geographic locations, hosts and users can be combined into groups (for example, a group could consist of all countries where a company has business partners, or all applications whose network usage is to be tightly controlled)
Figure 1: FlowCommand Functional Diagram (components shown: GUI, Historical Database, Applications, Users, Hosts, Locations, Flow Plane, Flow Stats, Data Plane, Packets)

Eliminating Network Congestion

FlowCommand constantly evaluates the traffic flow against the available bandwidth. Twenty times every second, each individual flow receives an immediate bandwidth allocation. The allocation is chosen so that the collective bandwidth usage in the system fulfills the specified policy and meets external constraints. Intelligent interaction with standardized congestion control schemes, such as the TCP Reno, Cubic and Compound mechanisms (RFC 6582), allows FlowCommand to achieve accurate control with no queueing. This avoids queuing delay issues that plague existing routed IP networks and results in smoother traffic flow, increasing the end user's quality of experience while making more efficient use of existing bandwidth. This is in stark contrast to other quality-of-service (QoS) systems that use a combination of queuing and random packet discard, generating delay and random disruption to the user experience.

Open APIs for Multivendor Integration and a Clear Path to SDN and NFV

All configuration and monitoring information about FlowCommand is exposed through a simple, intuitive RESTful API, which is used by FlowCommand's own management tools, such as the GUI and CLI. (A CLI interface is provided for IT users more comfortable with that practice.) FlowCommand is designed from the ground up for easy integration into a variety of third-party systems, such as orchestration tools for Software-defined Networking (SDN) and Network Functions Virtualization (NFV).

How to Use FlowCommand

Here we examine some general use cases for Network Performance Enforcement:

Raise Network Utilization from 50% to Over 95% and Eliminate 99% of Service Complaints

FlowCommand's patented traffic management algorithms allow a link to be operated at 95%+ capacity without creating delay or harming the traffic flow. Conventionally, links are not typically operated above 50-60% of their capacity because existing devices create large and random delays and network designers have to allow for peak traffic under random conditions. As network bandwidth is generally the highest single cost of operating a network, increasing utilization from 50% to 95% can result in a substantial cost savings -- lower cost per bit -- and removes the operational overhead of chasing down rogue users or applications. With FlowCommand, traffic management is a smooth, gentle and predictable process. The effect is to reduce the apparent randomness of response time as seen by the user. Even with constant bandwidth, with Saisei in control the user's quality of experience improves as their sessions will never drop.

True Real-time Monitoring -- Sub-Second Visibility and Analytics

The FlowCommand dashboard provides continuous visibility on how the network is being used based on information collected and analyzed in less than a second. This new Best Practice eliminates the 10-minute response delay of traditional DPI and visibility appliances by removing the requirement for background analysis. For example, a chart showing the top 10 applications can be clicked to drill down to the users of each application, or to specific locations, allowing instant analysis of which users are responsible for traffic to each location. The real-time information is seamlessly integrated with historical data, allowing visualization and comparison of usage over any defined time period. This data processing is performed in-line with a powerful flow pre-processor engine that gives 100% visibility to the information flows on the network without requiring the use of external data or NetFlow collectors.
Figure 2: Saisei FlowCommand Dashboard

Protect Key Business, VoIP and Video Applications While Controlling Non-Critical Applications

FlowCommand's granular real-time policy enforcement allows critical and vulnerable applications to be both protected and prioritized, and non-critical or undesirable applications to be limited, diverted, or blocked altogether. Voice (VoIP) traffic is especially vulnerable to network problems, since even low levels of packet loss make voice impossible to understand. FlowCommand allows all voice traffic to be placed into a protected class where packets will never be dropped. The same can be done for video. Some applications are clearly more important to a business than others. These can be assigned guaranteed bandwidth so that lower priority background traffic will not interfere with them. For example, a business may want to limit the bandwidth available to social networking sites so that it doesn't interfere with higher priority accounting, ERP or mobile applications.

Detect and Prevent Security Risks in Real Time

FlowCommand's real-time flow analysis also allows security risks to be identified in real time, and allows various forms of risk-mitigation controls to be established instantly in response. A significant component of Network Performance Enforcement is to enhance the flow-based security posture of network operators by augmenting the capabilities of existing legacy and Next-Gen firewalls with faster and more granular flow manipulation. (FlowCommand's impact on network overhead is about 25% of a typical Next-Gen firewall.) For example, excessive traffic to a country outside of normal business operations may indicate a data exfiltration attempt. A low-bandwidth limit policy to such countries will make it hard to mount such an attack, while an instant response to a detected attack can shut down the traffic and block the attacking host. Known malware sites can also be blocked, and incoming suspicious traffic can be detected, blocked and reported on in real time, not after off-line retrospective analysis.

Net Neutrality Arrives with Guaranteed Fair Usage

Some users make disproportionate demands on network resources. Peer-to-peer applications, such as BitTorrent, can also be damaging in this regard. In typical networks, more than 80% of bandwidth is consumed by just 20% of users. Also, large file transfers or back-ups can devastate a network if inadvertently done at the wrong time of day. FlowCommand's unique Net Neutrality feature -- technically Host Equalization -- allows bandwidth to be shared equally among all users in real time, regardless of the applications they are running or how many users are attempting to use a link. Thus abusive users will get the same share of the network as anyone else, even though they may be using 1000 flows for their purposes. There will always be users who are not using all the bandwidth available to them, and FlowCommand distributes their share among the other users, so all of the bandwidth is always being efficiently utilized.

Granular Service Level Differentiation Paired with Enforcement

Often, different users need to receive different service levels. For a service provider, some users pay a higher price for premium service. In an enterprise, certain functions may have priority because of their importance to business success. FlowCommand allows different users, or groups of users, to receive different services. High-priority users can be given assured bandwidth levels, or can use Saisei's unique Rate Multiplier feature to be given a higher proportion of network bandwidth without regard to absolute levels. Low-priority users can then be limited in the bandwidth they can use, or can be given lower Rate Multipliers. The options are limitless. Differentiation can also be applied based on many of the attributes available through Saisei's 40-metrics palette, such as the application in use or flow characteristics like duration and total data. For example, so-called elephant flows of large amounts of data can be put into a specially protected class where they can be assured a defined share of network bandwidth.

Scalable Software Architecture Designed for the Mobile, Cloud and IoT Data Loads

Unlike existing networking solutions that were initially built to meet the relatively static demands of private networks, Saisei's FlowCommand has been built for the Big Data demands of today's mobile, cloud and Internet-of-Things (IoT) deployments. For example, each instance of FlowCommand today can concurrently monitor up to 5 million flows on a 10G network link 20 times per second, and enforce any combination of policy decisions on any combination of flows in under one second. Architecturally, FlowCommand is scalable to 40G and 100G links as well. Additionally, the very first release of the software supports the management and control of up to 1B external hosts.

The FlowCommand Advantage

FlowCommand is the first Network Performance Enforcement solution on the market, offering a blend of next-generation flow-based policy creation and control; 40-metrics analytics and visibility; and the next generation of Next-Gen firewall security enhancements that allow you to:
- Immediately return all of your currently idle reserved bandwidth to productive use
- Crush OpEx by eliminating the cause of 99% of service tickets stemming from network congestion
- Minimize CapEx with a device-agnostic software running on off-the-shelf x86 servers and processors that replaces many expensive, standalone networking technologies -- WAN Ops, Packet Shapers, ADC and more -- that are forced to operate within the constraints of today's TCP/IP behavior
- Take back control of your IT estate with granular, real-time, flow-based policy enforcement and reporting
- Allocate bandwidth to guarantee the performance of critical applications
- Prevent and act on security risks in real time
- Guarantee Net Neutrality -- fair network usage; all users receive the level of service they are entitled to
- Deliver and enforce granular service level differentiation
- Build in the flexibility for rapid implementation and scaling of networks, and a growth path to SDN and NFV

To find out more about how FlowCommand can benefit your network, please contact a member of our team at sales@saisei.com and/or visit our website www.saisei.com.
About Saisei

Saisei is the world's leading provider of Network Performance Enforcement software that provides integrated real-time bandwidth and security policy control combined with comprehensive 40-metrics visibility and analytics for virtual, physical, SDN and NFV networks alike.

710 Lakeway Drive, Suite 290
Sunnyvale, CA 94085 USA
Tel: +1 669.224.4392