Pravail APS 2.0 Certification Training
Unit 2
Implementation
Pravail
Objectives
At the conclusion of this unit you should be able to:
• Differentiate inline deployment mode from
monitor deployment mode
• Explain Pravail APS licensing relationship to
inspected throughput
• Describe Pravail 2100 hardware components
• Identify different media types of protection
interfaces
• Explain operation of protection bypass
Page 2 - Company Confidential
Implementation
• Deployment
• Licensing
• Hardware
Deployment Scenarios
Pravail APS can be deployed in multiple ways in order to fit a variety of scenarios:
• Inline deployment for attack protection
• Monitor (off-line) deployment for attack detection and reporting only
[Figure: Inline Deployment, Pravail APS in the path to the Data Center Network; Monitor (off-line) Deployment, Pravail APS fed from a Link Tap / Port Span]
Preferred Network Placement
• Northbound of other security and application devices:
– Firewall
– Web Application Firewall
– Intrusion Protection System/Intrusion Detection System
– Load Balancer
• Behind the customer edge (CE) router
– Eliminates any potential routing protocol issues
– Can be deployed in front of a CE router if required
[Figure: CE Router, then Pravail APS, then Data Center Network; "Northbound" marked toward the CE router]
Deployment for SSL Protection
Because Pravail APS cannot decrypt SSL, it is deployed in parallel and with direct connection to SSL accelerator
• Incoming traffic is copied to the Pravail APS
• SSL accelerator decrypts HTTPS traffic and passes to Pravail APS
• Pravail APS applies protection settings to decrypted HTTPS traffic and non-HTTPS traffic
• Legitimate traffic is passed into datacenter
[Figure: Inline Deployment for SSL Protection, SSL Accelerator and Pravail APS in front of the Data Center Network]
Implementation
• Deployment
– Inline Mode
– Monitor Mode
– Cloud Signaling
• Licensing
• Hardware
Inline Deployment
[Figure: Pravail APS inline, traffic passing between the ext and int ports]
• Most common deployment
– Enterprises are familiar with inline model
– Easy to support at network layer
• Forwards traffic in both directions
• Layer 2 “bump in the wire”
– No MAC address change, no IP interaction
– Supports LACP and 802.1q VLANS transparently
Inline Deployment
Inline Sub-modes
[Figure: Pravail APS inline, traffic passing between the ext and int ports]
• Active sub-mode
– Detects attacks and blocks unwanted traffic according to
current protection settings
• Inactive sub-mode
– Forwards all traffic but does not block any
• Reports traffic that it would block if active
• Use as test mode for protection settings
• Sub-mode is changed in real time in the Web UI
– Both sub-modes provide reports on network traffic
Implementation
• Deployment
– Inline Mode
– Monitor Mode
– Cloud Signaling
• Licensing
• Hardware
Monitor Deployment
[Figure: Pravail APS in monitor mode, ext and int ports receiving mirrored traffic only]
• Designed for monitoring span ports (mirrors) or taps
• Pravail APS never forwards traffic in Monitor mode
– Expects that all traffic is duplicated
– Bypass is disabled
• Useful at restricted sites where:
– Adding additional inline devices is considered too risky
– On-site filtering is considered too risky
• Can monitor both directions if desired
Monitor Deployment (Cont.)
[Figure: Pravail APS in monitor mode, mgt port used for Cloud Signaling, ext port receiving mirrored traffic]
• Monitor mode can use Cloud Signaling to request
upstream mitigation
– Strictly a trigger for volumetric attack protection
– When cloud mitigation threshold is reached, a cloud
mitigation signal will be initiated to mitigate the attack in
the cloud
Trial Implementation
Before implementing Pravail APS in-line and active sub-mode,
Arbor recommends that you perform a trial implementation
• Can be a useful tool for discovering the level of protection that
Pravail APS provides
• Can be accomplished with the following deployment scenarios:
– Inline mode with sub-mode set to inactive
– Off-line Monitor mode
• Use the trial period to:
– Accumulate historical traffic information and statistics
– Observe how Pravail APS would block traffic
• Adjust different protection settings to analyze how they affect the
suggested mitigations
• Use the resulting information to set your protection settings for attack
detection and mitigation
• You can “whitelist” known good hosts that would have been blocked
• Arbor recommends a 30 to 60 day trial period
Implementation
• Deployment
– Inline Mode
– Monitor Mode
– Cloud Signaling
• Licensing
• Hardware
Cloud Signaling Deployment
• Only one Cloud Signaling Provider per Pravail APS appliance
– When the Cloud Signaling Provider is the ISP, only one ISP per Pravail appliance
[Figure: Inline Deployment Model (Active or Inactive sub-mode) and Monitor Deployment Model for Detection Only (fed by Link Tap / Port Span); in both, the Pravail APS mgt port reaches the Cloud Signaling Provider and the protection ports sit between Public and Local Users]
Cloud Signaling Deployment (Cont.)
• Multiple Pravail APS appliances can connect to the same Cloud Signaling Provider
[Figure: Inline Deployment Model (Active or Inactive sub-mode), two Pravail APS appliances between Public and Local Users, both mgt ports reaching one Cloud Signaling Provider]
Cloud Signaling Deployment (Cont.)
• Separate Pravail APS appliances are needed for multiple Cloud Signaling Providers
[Figure: Inline Deployment Model (Active or Inactive sub-mode) and Monitor Deployment Model for Detection Only (fed by Link Tap / Port Span); each Pravail APS mgt port reaches its own Cloud Signaling Provider, protection ports between Public and Local Users]
Implementation
• Deployment
• Licenses
• Hardware
Pravail APS License Structure
• A Pravail APS license contains three parts
– Product
• Always “Pravail”
– Modules
• Contains all license attributes
• Contains multiple keywords and parameter values
• Enclosed in quotes to be one command argument
– Key
• Encrypted ASCII 40-character public key
• A Pravail APS license enables only one chassis
Pravail APS License Options
Only two Pravail APS license options:
• Model number
– Determines inspected throughput capacity
• Expiration period
– Optional
• Defaults to “never”
– Limited expiration periods are intended for trial gear
Pravail APS License Modules
• Always enclosed in quotes to make one text
keyword
• Contains Pravail APS model number
– Always in format “PRA-APS-210x”
• Last digit will match actual model number
• Might contain expiration time
– Each customer trial gets its own trial license
• Usually 30, 60, or 90 days depending on reseller
terms
– Always in format “expires: 1310012345”
• Number is expiration date and time in unix seconds
– If missing, Pravail APS license has unlimited lifetime
Pravail APS License Modules (Cont.)
• Pravail APS License Key
– 40-character ASCII alphanumeric public key
• Format:
P8RG5-STWX4-F0DDW-4DYP4-DVTXW-YMDHH-Y3C1Y-X39N3-DY2RR
– Is a hash based on
• Chassis serial number
• License product
– “Pravail”
• License modules
• Randomized input (“salt”)
Pravail APS Licenses
• Pravail APS production or lab gear is shipped with
a Pravail APS license key
– License sticker is attached to box lid
– License may be already configured if Arbor staging
was purchased
• A license will need to be acquired if
– Device was shipped with no license
• Spare or trial gear
– Trial license has expired
– Customer has purchased a capacity upgrade
• A license obtained from the ATAC usually includes
a command that can be pasted directly into the CLI
Getting a Pravail APS License – ATAC License Text
License for PRV-20123456A
Serial: PRV-20123456A
Customer: Cloud Customer, Ltd
Modules : PRA-APS-2105
Created: 22 Jun 2011
Your generated license key is: 4JTZD-NC6T5-CPTX5-3PH50-0S65Q-02AX4-3F0AJ-S8YYX-HE2ZE
Set license using the command:
/ system license set Pravail "PRA-APS-2105 expires: 1313940036" 4JTZD-NC6T5-CPTX5-3PH50-0S65Q-02AX4-3F0AJ-S8YYX-HE2ZE
• All information shown can be sent to the customer
– Only the license CLI command is truly needed
Installing a Pravail APS License
admin@demo:/# system license show
No licenses are set
admin@demo:/# system license set Pravail "PRA-APS-2105" 4JTZD-NC6T5-CPTX5-3PH50-0S65Q-02AX4-3F0AJ-S8YYX-HE2ZE
admin@demo:/# system license show
Product: Pravail
Model: PRA-APS-2105
Expires: Never
Key: 4JTZD-NC6T5-CPTX5-3PH50-0S65Q-02AX4-3F0AJ-S8YYX-HE2ZE
Getting a Pravail APS License – Trial Licenses
License for PRV-20123456A
Serial: PRV-20123456A
Customer: Cloud Customer, Ltd
Modules: PRA-APS-2105 expires: 1313940036
Created: 22 Jun 2011
Expires: 21 Aug 2011
Your generated license key is: 4JTZD-NC6T5-CPTX5-3PH50-0S65Q-02AX4-3F0AJ-S8YYX-HE2ZE
Set license using the command:
/ system license set Pravail "PRA-APS-2105 expires: 1313940036" 4JTZD-NC6T5-CPTX5-3PH50-0S65Q-02AX4-3F0AJ-S8YYX-HE2ZE
• If this is a trial license, an “expires” module is
included in the license
– You can’t recreate the module set manually if you
don’t have the exact unix time of expiration
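An added example for this unit (not Arbor code and not the appliance CLI): a Python check of an ATAC "Set license using the command" line against the three-part structure these slides describe. It straightens the curly quotes that copy/paste from the ATAC text leaves behind, decodes the "expires:" unix seconds and computes the trial length from the ATAC "Created" date. The key format check is inferred from the sample keys printed on the slides; the real key hash cannot be recomputed without Arbor's inputs, so only the shape is validated.

```python
import re
import shlex
from datetime import datetime, timezone

# Model keyword format from the slides: "PRA-APS-210x", last digit = model number.
MODEL_RE = re.compile(r"^PRA-APS-210(\d)$")
# Key shape inferred from the sample keys printed on the slides: nine dashed
# groups of five upper-case alphanumerics (the slides call it a 40-character
# key; the printed samples carry 45 characters plus dashes).
KEY_RE = re.compile(r"^(?:[A-Z0-9]{5}-){8}[A-Z0-9]{5}$")


def parse_license_command(cmd: str) -> dict:
    """Split a 'system license set' line into product, model, expiry and key.

    Raises ValueError when the line does not match the format on the slides.
    """
    # Copy/paste from a PDF often leaves curly quotes; the CLI needs straight ones.
    line = cmd.replace("\u201c", '"').replace("\u201d", '"')
    argv = shlex.split(line)
    # Tolerate the leading "/" shown in the ATAC text (absolute CLI path).
    if argv and argv[0] == "/":
        argv = argv[1:]
    if len(argv) != 6 or argv[:3] != ["system", "license", "set"]:
        raise ValueError("expected: system license set <product> <modules> <key>")
    product, modules, key = argv[3], argv[4], argv[5]
    if product != "Pravail":
        raise ValueError("product is always Pravail")
    # Modules: the model keyword, then an optional "expires: <unix seconds>" pair.
    tokens = modules.split()
    if not tokens or MODEL_RE.match(tokens[0]) is None:
        raise ValueError("modules must start with a PRA-APS-210x model keyword")
    expires = None
    rest = tokens[1:]
    if rest:
        if len(rest) != 2 or rest[0] != "expires:" or not rest[1].isdigit():
            raise ValueError("expected 'expires: <unix seconds>' after the model")
        expires = datetime.fromtimestamp(int(rest[1]), tz=timezone.utc)
    if KEY_RE.match(key) is None:
        raise ValueError("key is not nine dashed groups of five characters")
    return {"product": product, "model": tokens[0], "expires": expires, "key": key}


def is_well_formed(cmd: str) -> bool:
    """Convenience wrapper: True when the command parses without error."""
    try:
        parse_license_command(cmd)
        return True
    except ValueError:
        return False


def trial_days(created: str, expires: datetime) -> int:
    """Whole days between the ATAC 'Created' date ('22 Jun 2011') and expiry."""
    start = datetime.strptime(created, "%d %b %Y").replace(tzinfo=timezone.utc)
    return (expires - start).days


if __name__ == "__main__":
    # The trial-license command from the slides, pasted as printed (curly quote and all).
    lic = parse_license_command('/ system license set Pravail \u201dPRA-APS-2105 expires: 1313940036" 4JTZD-NC6T5-CPTX5-3PH50-0S65Q-02AX4-3F0AJ-S8YYX-HE2ZE')
    print(lic["model"], lic["expires"], "trial days:", trial_days("22 Jun 2011", lic["expires"]))
```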
Inspected Throughput Enforcement
• Each active Pravail APS model is licensed for only
a certain Gbps of inspected throughput
• Inspected throughput is enforced on input to
Pravail APS from all protection interfaces
– Includes a burstable bandwidth margin
• Only IPv4 is counted as throughput
– Other protocols are forwarded unthrottled
• Throughput licensing and enforcement counts all
IPv4 traffic input to Pravail APS
– Both forwarded and blocked traffic are counted
– Traffic in both directions is counted
ext → int and int → ext
Inspected Throughput Enforcement (Cont.)
• Safe licensing is a licensed capacity no smaller
than all possible input bandwidth
– Attacks that fill uplinks can exceed a licensed
capacity that was sized only for good traffic
– Both good and bad traffic will be dropped due to
exceeded license before evaluation for threats
Implementation
• Deployment
• Licenses
• Hardware
– Chassis
– Protection Interfaces
– Power Supplies
Pravail 2100 Hardware
• Kontron NSN2U
– New model in Intel NSxxx server product line
• Enterprise-class server
• Intel T5520UR motherboard
– Kontron bought Intel server business in early 2009
• All Pravail 2100 models use the same hardware
Pravail APS 2100 Hardware (Cont.)
• A total of 10 hardware variants
– Power can be dual AC or dual DC
– Five protection interface configurations
• Many additional Arbor SKUs are due to licensing
differences but specify the same hardware
• Hardware does not change for Pravail capacity
– Capacity (Gbps) is only a numeric licensing limit
Physical Specifications
• Physical Dimensions
– Height 3.45 in (87.6 mm), 2 RU
– Width 17.14 in (435.3 mm)
– Depth 24.0 in (610 mm)
• Clearances
– Front 2 in (76 mm)
– Side 1 in (25 mm)
– Rear 3.6 in (92 mm)
• Weight
– Built Chassis 41 lbs (18.5 kg)
– Shipping Total 55 lbs (23 kg)
• Cooling airflow is front to rear
Front Panel
[Figure: front panel callouts: Serial Port Front Jack, USB Port, Status LEDs, Reset Button, Power Button, Blank Cover]
Status LEDs
[Figure: front panel status LEDs: System Status, Fan Status, Disk Activity, Management Ethernet Activity]
Back Panel
[Figure: back panel callouts: Power Supply 1, Power Supply 2, Access Ports, Protection Ports, Blank Covers]
Access Ports on Back
• RMM/GCM/BMC Ethernet (not supported)
• Management Ethernet (2)
• USB Ports (4)
• VGA Video
• Serial Port Rear Jack
Serial Number and License Labels
[Figure: label locations on the chassis frame: Pravail APS license number, Arbor serial number]
• Labels are on chassis frame, not on cover
– Should not scrape off during normal movement
– Swapping cover doesn’t swap labels
Serial Number and ID
• Arbor uses custom serial numbers for Pravail
– Format: PRV-12341234A
• “PRV-” identifies Pravail product line
• Eight digits as unique identifier
– First four digits could be a “build run”
– Last four digits are sequential
• Trailing letter specifies system integrator / reseller
• Motherboard NVRAM Identification
– Available from CLI command / system show
• System Board Model: T5520UR
• System Model Number: APS2100
• Serial Number: PRV-20110123C
Motherboard Specifications
• 2 Intel Xeon CPU E5645 @ 2.40GHz
– 64-bit processing
– 12 cores (6 cores per CPU package)
– 24 threads (2 threads per core)
– Onboard memory controllers
• 3 memory channels
• 12 MB cache
– Intel hyperthreading is currently turned off
• 12 RDIMM DDR3 DRAM 1333 MHz sockets
– 18 GB memory
– 6 memory channels of 2 sockets each
• One 2 GB DIMM and one 1 GB DIMM per channel
– DIMMs alternate: 2 GB, 1 GB, 2 GB, 1 GB, 2 GB …
• 3 channels per CPU package
Hard Disks
• System has 8 integrated SAS/SATA drive bays
– Compatible with both SAS and SATA
– Hot-swap capability
– All served by baseboard disk controllers
• Pravail APS uses only drive bays 0 and 1
– Two 120 GB Intel SSD drives
– RAID 1 mirroring using motherboard RAID controller
[Figure: drive bays, Disk 0 and Disk 1]
Flash Drive Location
[Figure: 2 GB USB flash drive behind the chassis front panel, plastic cover folded open]
• If flash drive does not mount in system, try reseating the flash drive card
Management Ports
• 1 VGA DB-15 connector for KVM video
• 5 Integrated external USB 2.0 ports
– All five USB ports are equivalent, for any use
• KVM Keyboard and Mouse
• USB drives are supported
• 2 Internal USB Flash Drive Mounts
– Arbor installs one 2 GB flash drive as a recovery
disk
Console Serial Port
• Serial port is system console
– BIOS, boot, ArbOS, etc.
• Serial port has BIOS redirect to serial
– Important key mappings:
  F1 … F9    <esc>1 … <esc>9
  F10        <esc>0
  F11        <esc>!
  F12        <esc>@
  Backspace  <ctrl>h
• Scroll up with “^” ( <shift>6 )
• Scroll down with “v”
• If <ctrl>{key} doesn’t work, try <esc><ctrl>{key}
– Works around control keys with different function
mappings
• Administrator can use when Pravail APS is not
accessible from the management network
Console Serial Port (Cont.)
• Serial port has two RJ45 (8P8C) jacks
– Front jack preempts rear jack
• Serial port connects to front jack anytime that DTE
signals are detected on the front jack
• Serial port connects to rear jack at all other times
• Ideal for permanent console server on rear jack with
technician access via front jack
[Figure: serial jack selection on the motherboard: if the front jack has a connection, the rear jack is disconnected even though it has a connection]
Management Interfaces
[Figure: motherboard jacks labelled mgt0 and mgt1]
• 2 Integrated GE ports used for management and cloud
signaling
– 1000base-T, 100base-TX, 10base-T
– Full or half duplex
– Full auto-negotiation
– RJ45 (8P8C) Connectors on motherboard
• Jack “1” is configured as mgt0
• Jack “2” is configured as mgt1
Implementation
• Deployment
• Licenses
• Hardware
– Chassis
– Protection Interfaces
– Power Supplies
Protection Interfaces
• Five protection interface configurations
– 12 x 1000base-T 1 GigE copper Cat 5e
– 12 x 1000base-SX 1 GigE multi-mode, 850nm
– 12 x 1000base-LX 1 GigE single-mode, 1310nm
– 2 x 10Gbase-SR 10 GigE multi-mode, 850nm
– 2 x 10Gbase-LR 10 GigE single-mode, 1310nm
• Ports are paired
– Internal and External ports for same path predefined
• All protection interfaces have hardware bypass!
• Order SKU specifies interface type
– No mixing of interface types in same Pravail APS
– No exchange of interface types for Pravail APS in field
12 x 1GigE Copper
[Figure: Back of APS with 12 x 1 GigE copper]
• Three-speed card
– 1000base-T, 100base-TX, 10base-T
– Full or half duplex
– Full auto-negotiation
• RJ45 (8P8C) Connectors
• All three full-height PCIe slots have 4-port cards
12 x 1GigE Fiber
[Figure: Back of APS with 12 x 1 GigE fiber]
• 1000base-SX and 1000base-LX are different cards
• LC Connectors
• Integrated SFP optics
– No external access
– Cannot be swapped by customer
• All three full-height PCIe slots have 4-port cards
2 x 10GigE Fiber
[Figure: Back of APS with 2 x 10 GigE fiber]
• 10Gbase-SR and 10Gbase-LR are different cards
• LC Connectors
• Integrated SFP+ optics
– No external access
– Cannot be swapped by customer
• Always installed in top full-height PCIe slot
Protection Port Names
• Protection port names are silkscreened on rear of
Pravail chassis
– Labels help prevent errors
• Protection port pairs are arranged with the “ext”
port on the left and the “int” port on the right
– Conforms to common practice in some parts of
enterprise security
• Protection port pairs are numbered left to right,
then top to bottom, starting with “ext0” and “int0”
Protection Port Names (Cont.)
12 x GigE Copper   ext0 int0   ext1 int1
                   ext2 int2   ext3 int3
                   ext4 int4   ext5 int5
12 x GigE Fiber    ext0 int0   ext1 int1
                   ext2 int2   ext3 int3
                   ext4 int4   ext5 int5
2 x 10GigE Fiber   ext0 int0
Protection Bypass
• All protection interfaces have hardware bypass
– Bypass uses internal switch between interface pairs
– Bypass mode is passive and requires no power
– Switch is held in “normal” mode by bypass timer
– Pravail resets interface bypass timers every second
– Bypass triggered if timer runs 2 seconds with no reset
• Pravail disables bypass during monitor mode
• Protection interfaces will go into bypass for
– Loss of power
– Interface control logic crash or failure
– Loss of motherboard connectivity
– Operating system crash
– Pravail services are stopped or not started
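An added illustration of the bypass timer rule above (this example's own model, not Arbor firmware): a short simulation in which the services reset the timer every second and the pair drops into bypass once 2 seconds pass without a reset, while monitor mode keeps bypass disabled. Class, function and event names are assumptions of this example, as is the pair returning to normal mode once resets resume.

```python
"""Bypass-timer model for one ext/int protection pair.

Added example for this training unit, not Arbor firmware. It encodes the
slide's rules: the services reset the timer every second and the pair drops
into passive bypass after 2 seconds with no reset; monitor mode disables
bypass. Returning to normal once resets resume is this example's assumption.
"""

RESET_PERIOD_S = 1.0    # slide: Pravail resets interface bypass timers every second
BYPASS_TIMEOUT_S = 2.0  # slide: bypass triggered if timer runs 2 seconds with no reset


class BypassPair:
    """One protection port pair and its passive hardware bypass switch."""

    def __init__(self, name: str, monitor_mode: bool = False):
        self.name = name
        self.monitor_mode = monitor_mode  # slide: bypass disabled in monitor mode
        self.last_reset = 0.0
        self.in_bypass = False

    def reset_timer(self, now: float) -> None:
        """Timer reset sent by the running Pravail services."""
        self.last_reset = now
        self.in_bypass = False  # assumption: live services re-arm normal mode

    def check(self, now: float) -> bool:
        """Evaluate the switch at time `now`; True when the pair is in bypass."""
        if self.monitor_mode:
            self.in_bypass = False
        elif now - self.last_reset >= BYPASS_TIMEOUT_S:
            self.in_bypass = True
        return self.in_bypass


def simulate(failures: dict, duration_s: float, monitor_mode: bool = False):
    """Run a pair for `duration_s` seconds; return when bypass engaged, or None.

    `failures` maps a time (s) to a cause from the slide's list, e.g.
    {3.0: "Pravail services stopped"}; from the earliest failure on, no timer
    resets arrive. The times are constructed for this example.
    """
    pair = BypassPair("ext0/int0", monitor_mode)
    fail_at = min(failures) if failures else None
    t = 0.0
    while t <= duration_s:
        if fail_at is None or t < fail_at:
            pair.reset_timer(t)
        if pair.check(t):
            return t
        t += RESET_PERIOD_S
    return None


if __name__ == "__main__":
    # Services stop at t=3 s: last reset at 2 s, so bypass engages at 4 s.
    print("inline:", simulate({3.0: "Pravail services stopped"}, 10.0))
    print("monitor mode:", simulate({3.0: "Operating system crash"}, 10.0, monitor_mode=True))
```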
Optical Power Budgets
Type  Output Power                          Receive Sensitivity                   Bypass Insertion Loss
SX    -9.5 dBm minimum, -6.77 dBm typical   -17 dBm minimum, -21.09 dBm typical   1.6 dB maximum, 0.63 dB typical
LX    -11.5 dBm minimum                     -19.5 dBm maximum                     1.6 dB maximum
SR    -7.3 dBm minimum, -3.1 dBm typical    -11 dBm maximum, -15.37 dBm typical   1.6 dB maximum, 0.39 dB typical
LR    Not yet tested
Summary: All customers using bypass functionality should plan for 1.6 dB insertion loss during bypass
– Normal-mode limits will usually be less restrictive
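An added worked link-budget check (not Arbor's tool) that uses the table's minimum output power and receive sensitivity plus the 1.6 dB maximum bypass insertion loss to test whether a fiber run still closes once the pair is in bypass. The fiber attenuation and connector loss figures are assumptions of this example, and so is using the table's optics as a stand-in for the far-end peers that talk to each other through the passive switch.

```python
"""Optical link budget for a protection pair, in normal mode and in bypass.

Added example for this training unit, not Arbor code. Transmit power,
receive sensitivity and the 1.6 dB maximum bypass insertion loss come from
the slide table; the fiber attenuation and connector loss figures below are
assumptions of this example, as is using the table's optics as a stand-in
for the far-end peers that talk to each other while the pair is in bypass.
"""

# From the slide table: worst-case transmitter (dBm), receiver sensitivity
# (dBm) and maximum bypass insertion loss (dB). LR is "not yet tested".
OPTICS = {
    "SX": {"tx_min_dbm": -9.5, "rx_sens_dbm": -17.0, "bypass_loss_db": 1.6},
    "LX": {"tx_min_dbm": -11.5, "rx_sens_dbm": -19.5, "bypass_loss_db": 1.6},
    "SR": {"tx_min_dbm": -7.3, "rx_sens_dbm": -11.0, "bypass_loss_db": 1.6},
}
# Assumed cable-plant figures (not from the slides): 850 nm MMF vs 1310 nm SMF.
FIBER_DB_PER_KM = {"SX": 3.5, "SR": 3.5, "LX": 0.4}
CONNECTOR_PAIR_LOSS_DB = 0.5


def link_margin_db(kind: str, length_m: float, connector_pairs: int, bypass: bool) -> float:
    """Margin of received power over sensitivity; negative means the link fails."""
    o = OPTICS[kind]
    loss = FIBER_DB_PER_KM[kind] * length_m / 1000.0
    loss += CONNECTOR_PAIR_LOSS_DB * connector_pairs
    if bypass:
        # With the passive switch in the path the peers' budget must also
        # absorb the bypass insertion loss (1.6 dB maximum per the slide).
        loss += o["bypass_loss_db"]
    budget = o["tx_min_dbm"] - o["rx_sens_dbm"]
    return budget - loss


def survives_bypass(kind: str, length_m: float, connector_pairs: int) -> bool:
    """True when the link still closes with the bypass switch engaged."""
    return link_margin_db(kind, length_m, connector_pairs, bypass=True) >= 0.0


if __name__ == "__main__":
    # Constructed runs: SR over 300 m and 400 m of MMF with two connector pairs.
    # 300 m closes in both modes; 400 m still closes in normal mode but not in bypass.
    for metres in (300, 400):
        normal = link_margin_db("SR", metres, 2, bypass=False)
        in_bypass = link_margin_db("SR", metres, 2, bypass=True)
        print(f"SR {metres} m: normal {normal:+.2f} dB, bypass {in_bypass:+.2f} dB")
```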
Onboard NIC LEDs
• Onboard Management Ethernet Status LEDs
LED Position  LED State    NIC State
Left          Amber        1000 Mbps
              Green        100 Mbps
              Off          10 Mbps
Right         Green        Link active
              – blinking   Tx / Rx activity
Onboard NIC LEDs (Cont.)
• GigE Copper Protection Port Status LEDs
LED Position  LED State          NIC State
Left          Green              Link active
              – blinking         Tx / Rx activity
Right         Yellow – steady    1000 Mbps
              Green – steady     100 Mbps
              Off                10 Mbps
              Green – blinking   Bypass
              Yellow – blinking  Disconnected
Onboard NIC LEDs (Cont.)
• GigE Fiber Protection Port Status LEDs
LED Position       LED State    NIC State
Above port         Green        Link active
                   – blinking   Tx / Rx activity
Between port pair  Off          Normal
                   Green        Bypass
                   Yellow       Disconnected
Onboard NIC LEDs (Cont.)
• 10GigE Fiber Protection Port Status LEDs
LED Position       LED State    NIC State
Left of port       Blue         10 Gbps
Right of port      Green        Link active
                   – blinking   Tx / Rx activity
Between port pair  Off          Normal
                   Green        Bypass
                   Yellow       Disconnect
Implementation
• Deployment
• Licenses
• Hardware
– Chassis
– Protection Interfaces
– Power Supplies
Power Supplies
• AC or DC
• 600 watts max continuous output
– Power subsystem is also 600 watts max for both
supplies combined
• 1 + 1 Redundant
– System can run at full rated power with one supply
– Redundant supplies must be both AC or both DC
• Hot-swap is supported
• Automatic over-temperature protection
• Pravail 2100 ships with two power supplies
– No single-supply builds
• Field Replaceable Unit (FRU)
Power Supplies (Cont.)
• Power supplies are auto-ranging for input voltage
• Input specifications:
AC Power Input         Nominal Rating     Operating Range
AC input voltage       100 – 127 VAC      90 – 140 VAC
                       200 – 240 VAC      180 – 264 VAC
AC max input current   6 Amp at 100 VAC
                       3 Amp at 240 VAC
AC input frequency     50 or 60 Hz        47 – 63 Hz
DC Power Input         Nominal Rating     Operating Range
DC input voltage       -48 or -60 VDC     -38 to -75 VDC
DC max input current   13 A at -38 VDC
Power Supply LED
• Single LED on power supply shows state
– Same meanings for AC and DC supplies
LED State Condition
Off No power to any system power supply
Flashing Green Supply has power and system is off
Steady Green Supply has power and is operating normally
Flashing Amber Supply has power and is operating with warnings
Steady Amber Supply has no power, has failed, or has shut down
AC Power Supplies
• AC Power Supplies in operation
[Figure: AC power supply callouts: Spring Latch (push latch down to release), IEC-320 C14 AC Power Inlet]
DC Power Supplies
• DC power supplied via removable terminal block
– Slide cover open for access to terminal screws
[Figure: DC terminal block: handle normally blocks terminal screws; block plugs into supply; screw cover slides open; retaining screws, terminal screws and wire entry]
DC Power Supplies (Cont.)
• DC Power Supplies in operation
[Figure: DC power supply callouts: Spring Latch (push latch down to release), Terminal Block, Grounding/Earthing Studs (5/8" spacing, #10-32 studs)]