CROC Cloud services on Cisco technologies

Cisco, VMware

CROC’s cloud platform meets special software and hardware requirements regarding the deployment of Cisco solutions. In addition, the fact CROC is a certified Cisco Service Provider means customers can start directly from the solution deployment in the cloud, thus skipping architecture approval and Cisco hardware procurement phases.

Cisco Powered IaaS

CROC, jointly with Cisco Systems, offers Cisco Powered IaaS, a new cloud service, offering computational capacity, RAM, storage space, and access to network services on demand from a virtual environment constructed by CROC in the territory of the Russian Federation in compliance with Cisco recommendations and best practices. Services are available over the Internet and dedicated communication links and are billed according to consumption-based model («pay-per-use»).

Cloud environment is built on a fault-tolerant VCE Vblock hardware platform. The solution includes equipment and technologies by global leaders, such as Cisco, EMC, and VMware.

This service is aimed at large and medium businesses that:

  • already use Cisco solutions but are planning to migrate them to CROC’s cloud for using them as a service, while providing their employees and customers with access to these cloud solutions
  • are planning to deploy Cisco Powered Cloud solutions for the first time using Cisco Powered IaaS

Customers may be interested in the following Cisco Powered IaaS use scenarios:

  • VM migration from customer’s data center to CROC’s cloud
  • Deployment of new high-loaded and resource-intensive services in CROC’s cloud to avoid the need for procurement of new equipment
  • Migration of publicly available services to CROC’s cloud to ensure their independence of internal infrastructure
  • Complete migration of servers from remote offices and branches to CROC’s cloud, and integration of LAN in branches with isolated network in CROC’s cloud using network virtualization technology and Site-to-Site VPN tunnels
  • Using CROC’s cloud as backup data center
  • Deployment of Cisco Powered Cloud services:
  • - Unified Communications as a Service (UCaaS)

    - Contact Center as a Service (CCaaS)

    - Telepresence as a Service (TPaaS)

    - Disaster Recovery as a Service (DRaaS)

    - Desktop as a Service (DaaS)

    - Cloud architecture for SAP HANA o Hosted Security as a Service (HSaaS).


Competitive advantages

  • CROC cloud is built on VCE Vblock platform installed at CROC’s own Moscow data center, which is certified by the Uptime Institute for compliance with TIER III requirements—which means 99.982% availability
  • CROC has been creating data centers and cloud services for customers since 1994
  • Full range of services: resource provision as a service, assistance in migration from an existing site to CROC’s Cisco Powered IaaS cloud environment, and subsequent technical support
  • The platform supports wide range of additional Cisco cloud services according to SaaS model
  • Round-the-clock Russian-language Service Desk certified for compliance with ISO 20000
  • If a customer abandons using a service then CROC will export all customer’s virtual machines and transfer them to customer using agreed method

Our certificates and authorizations

  • Russia’s first EMC Service Provider Velocity² Signature Solution Centre Partner; Authorized Services Network (ASN) Partner since 2008 Best Partner for License Sales in 2009 (EMC Documentum)
  • Cisco Gold Partner in 7 specializations Advanced Cloud and Managed Services Certified Partner since 2015
  • Microsoft Enterprise Solution Provider since 2007 Gold Management and Virtualization Partner;
  • VMware Premier Partner and Best Partner 2012 VMware Service Provider Enterprise in vCloud Powered category since 2012
  • Citrix Gold Solution Partner since 2004 Citrix Cloud Solutions Consultant since 2012 Authorized Citrix support center since 2005
  • Certified local 1st line support for Oracle and Siebel software since 2011, and Oracle Business Process Outsourcing Provider
  • Service Desk is certified for compliance with ISO/IEC 20000-1:2011
  • Quality management system complies with GOST ISO 9001-2011 (ISO 9001:2008)
  • Information security management system complies with ISO/IEC 27001:2013

Technical Support

Technical support is included in the service cost and provided by CROC specialists around-the-clock in the Russian language. If necessary, technical support can be provided in English (to be agreed separately).

Service level and response time shall be agreed with a customer and documented in Service Level Agreement (SLA). To view our template SLA, please visit our website.

Difficult problems are escalated directly to respective vendor.

Service payment

The service shall be paid on monthly or quarterly basis according to pay-per-use model (postpayment). Monthly service rates shall be specified in a master agreement.

The rates shall include fixed tariffs for the following service elements:

1) VMs depending on the plan, which includes a certain number of virtual processors, allocated RAM, and VM OS license in use. These parameters are checked every hour and depend on VM status (switched on/off).

2) Used storage space (GB)

3) External IP address

4) IPSec VPN

5) Network traffic

Backup of running VMs and 30-day backup storage are included in the service cost and provided at no extra charge.

Cloud Managed SD-WAN

CROC provides deployment, maintenance, technical support of cloud managed software-defined wide-area network, based on Cisco products. Best suitable for enterprise customers with central offices and branches; geo-distributed sites, enterprise applications within private clouds and/or public clouds like an AWS.
Service hosted in CROC cloud.

Cisco Cloud Managed SD-WAN:
The Cisco Powered Cloud Managed SD-WAN service is a suite of managed SD-WAN solutions delivered and managed from the CROC cloud by using Cisco cloud orchestration. The end customers are consuming a set of SD-WAN services such as hybrid WAN, performance routing, load balancing, application visibility and control from a CROC. Cloud managed SD-WAN services enable a CROC to deliver SD-WAN at a high scale, with extreme efficiency, and in an automated fashion by utilizing Cisco cloud service orchestration. The end customers will gain additional self-service capabilities for configuring, monitoring, and reporting via a cloud based service portal.
  • Based on Cisco Digital Network Architecture (DNA)
  • The services are delivered and managed from the CROC’ or Cisco’s data centers
  • The services are delivered by Cisco physical network functions / appliances and/or Cisco virtual network functions (VNFs);
  • The services are orchestrated by Cisco orchestration software or services such as Cisco network orchestration or
  • Cisco security orchestration software hosted by Service Providers or Cisco;
The end customers are consuming a set of SD-WAN services:
  • hybrid WAN,
  • performance routing
  • load balancing
  • application visibility
  • control from a Service Provider.

CROC offers a Cisco SD-WAN solution.

Cisco Powered Cloud Managed SD-WAN services must use a Cisco CPE such as:
- Router ISR 1000 Series
- Router ISR 4000 series
- ASR 1000 Series
- vEdge physical and virtual
- CSR 1000V series
- ENCS 5400 series with ISRv
- When additional virtualized network functions (VNFs) are used to deliver value-added services such as Wide Area Application Services (WAAS) or security, these VNFs can be deployed on Cisco NFV infrastructure (NFVI) or Cisco virtualized CPE
Hybrid WAN:
  • MPLS network
  • Direct Internet Access
  • 4G LTE transport
  • intelligent path control capability to select a transport circuit for particular application traffic or both for load balancing
  • For a SD-WAN domain associated with an organization, this hybrid WAN design must be implemented at a number of sites such as headquarter sites or large branch sites. Some sites with single transport uplink within this organization are allowed.

Intelligent path control
  • Intelligent path control maximizes the value of multiple network paths (like dual MPLS access or dual Service Providers or MPLS + Internet) by ensuring the optimum usage of each available path between sites.
  • Dynamic path control capability that configure performance criteria for different types of traffic. And path selection decision is made based on application performance requirements and real-time network performance such as jitter, delay, loss and the available bandwidth

Manage the Cisco vSmart Controller policy.
  • Partner host the Cisco vSmart Controller in the Service Provider datacenter or Service Provider managed public cloud environment.
  • Cisco vSmart Controllers establish secure SSL connections to all other components in the network
  • run an Overlay Management Protocol (OMP) to exchange routing, security and policy information
  • The centralized policy engine in vSmart provides policy constructs to manipulate routing information, access control, segmentation, extranets and service chaining.

Cisco vBond Orchestrator
  • Cloud orchestration is a core capability Cloud Managed SD-WAN service.
  • CROC deploys vBond Orchestrator software in its cloud to orchestrate service capabilities
  • The vBond orchestrator facilitates the initial bring-up by performing initial authentication and authorization of all elements into the network
  • vBond provides the information on how each of the components connects to other components

Service portal based on vManage
  • Secured role-based access
  • Monitoring
  • Management
  • Reporting
  • Service deployment

Cisco Powered Managed Business Communications

CROC provides administration and technical support for Cisco Unified Communications systems. Business Communications is an enterprise collaboration solution based on Cisco Systems platform that combines various communication tools and methods. CROC can ensure the performance of the following modules, services, and features of Cisco Unified Communications:

Basic IP telephony features:

  • Call on hold
  • Configurable call forwarding between user devices
  • Call transfer between user devices
  • Connection of new participants to voice conferences
  • Video calls between employees

Supported user equipment:

  • IP telephone with options (headset, video)
  • Computer (Windows or OS X) )
  • Notebook (Windows or OS X) )
  • Tablet (Android or iOS) )
  • Smartphone (Android or iOS) )

Supported communication methods:

  • Instant Messaging, Voicemail
  • Video calls between users
  • CSF apps (Cisco Jabber)
  • Voice messages based on Unity Connection
  • Voice messages based on Microsoft Exchange

Voicemail users can:

  • Record and send voice message
  • Select and send pre-recorded voice message
  • Send messages to several recipients
  • Prioritize messages using tags
  • Alert to new messages using visual indication
  • Select and play voice message
  • Play voice records using enterprise e-mail client
  • Voice-activated control of a voicemail system

Presence and Instant Messaging (IM) indication system

Presence module helps check user availability for call and select the most convenient method of communication. User status indication system accelerates communication between employees and decision-making.

IM module adds a new fast communication channel enabling file transfer and document sharing.

CROC provides maintenance, administration, and support for the following functionality:

  • Texting (chatting) between employees
  • Persistent chat
  • Chats via employee mobile devices and PCs
  • Presence indication during calls
  • Presence indication when calendar events happen

Employee mobile workplace

One of Business Communications advantages is that employees can log in anywhere using corporate phones.

Mobile workplace features:

  • Dual-mode support on iOS and Android smartphones
  • Call transfer from fixed phone to mobile device
  • Instant messaging and status indication for mobile devices
  • VPN tunneling
  • Fixed phone control from a mobile workplace
  • Video calls between mobile workplaces

Voicemail access

Employees can play voicemails using alternative user devices. Available options:

  • Voicemail playback using enterprise e-mail clients (MS Outlook or MS Outlook Web Access)
  • Voicemail GUI for mobile devices and PCs)
  • Voicemail playback from alternative subscriber devices)
  • Centralized management of corporate voicemail within the company)

Voicemail security

To prevent unauthorized voicemail access, Business Communications allows users to control the following settings:

  • User password and PIN management policies
  • Phone number access control list
  • Additional protection tools for messages marked as private
  • Voicemail aging policy
  • Voicemail event logging

Fault tolerance assurance for the following modules and subsystems

  • Gatekeepers
  • Media resources
  • Voicemail servers
  • PSTN connection gateways
  • IP PBX cores
  • Configuring HSRP groups
  • Configuring Survivable Remote Site Telephony (SRST)

 Supported signaling protocols

  • SIP
  • H323
  • Skinny Skinny Client Control Protocol (SCCP)

Support of voice traffic prioritization in the architecture center (company headquarters, main office)

  • Configuring QoS for voice VLAN

Support of traffic prioritization at regional site level

  • Inbound traffic prioritization policy management
  • Outbound traffic prioritization policy management

General architecture of Business Communications System

Architecture components and capabilities:

  • Cisco Unified Communications Manager v. 10.5
  • Cisco Unity Connection v. 10.5
  • Support of SIP flows for PSTN connection
  • PSTN gateways
  • Transcoding support
  • Support of interaction among SIP and H.323 users
SLA — Managed Services

Cisco Powered Managed Security

CROC offers a wide range of solutions to secure customer's network infrastructure.

The service includes installation and configuration of the following information security system components:


Cisco devices with firewall modules (each processing multi-protocol traffic at 10 Gbps) are used as firewalls. To ensure redundancy and fault tolerance of server applications, duplication of device and module chassis is used. All Cisco firewall inter- and intra-chassis modules are combined in a cluster. Cluster interfaces are connected to Customer's network core switches using EtherChannel technology. To enable interaction between cluster members, an isolated VLAN is used that is declared both on firewall modules and network core devices.

All cluster members are in active mode and balance the traffic among them. If one of Cisco ASA chassis fails then traffic will be transparently switched to a working Cisco ASA chassis; if one of ASA modules fails then traffic will be forwarded to the less busy working ASA module of one of Cisco ASA chassis thus providing high availability and redundancy of network services.

Traffic passing through a cluster of ASA device

Once any of cluster modules fails, all subsequent packets are forwarded to the remaining modules that balace the load among them. 10 Gbps interfaces are used for data traffic transmission and are connected to network core switches using EtherChannel technology and LACP protocol according to manufacturer's recommendations.

Firewall clustering provides high redundancy and aggregated throughput. One module processes traffic at 10 Gbps in multi-protocol mode, while cluster of firewall modules ensures overall speed of up to 28 Gbps.

Firewall routes traffic using static routing and EIGRP dynamic routing. Access network of each system is accessible through corresponding interface of core switch VLAN.

Firewall protects customer's internal network against unauthorized access and various attacks. Traffic inspection is set up at application layer (Application Inspection) for the purposes of analysis. All traffic that passes through firewall is analyzed using an adaptive security algorithm.

As part of traffic analysis, firewall can also detect enterprise network security threats.

Firewall supports the following functions:

Network Address Translation (NAT)

Customer can use non-unique addresses and hide their internal address space behind one or multiple public addresses to prevent intruders from accessing these devices if they know a private address. In addition, NAT allows private IP network (local unicast) to access Internet by translating addresses to IP header.

De-Militarized Zone (DMZ)

This service is used when the customer needs to protect its Internet servers. Network is usually divided to segments with different protection levels: the highest level for internal zone and the lowest one for the Internet. Standard protection policy only allows outbound connections (not inbound connections). Both inbound and outbound interface users must have access to servers within DMZ, which usually has medium protection level (lower than inside interface but higher than outside). DMZ may not start a session to the internal network.

Stateful Firewall Inspection

Stateful Firewall Inspection monitors traffic and connection status and allows legitimate traffic pass from the Internet to corporate network. This is ensured by monitoring connected outbound sessions and creating a table with values. In addition to traffic and connection status, it monitors OSI layer from which the packet came. For example, TCP client sends a SYN to server, and server replies with a SYN-ACK if the session is established.

Authentication proxy

This Managed Security option allows network administrators to create per-user security policies, which only provide network access upon successful authentication. If user authentication fails or particular user policies do not allow for specific traffic, access to the requested resource is denied.

Transparent firewall

When firewalls are implemented without routing disruption, they remain transparent for network traffic and do not require changing settings of other network equipment. To do so, firewalls support a special mode that only requires the use of different incoming and outgoing traffic interfaces.

Stateful Inspection for encrypted traffic

If external services use encryption (VPN or HTTPS), then a firewall will be unable to view traffic content, so a special approach is used: first, traffic is decrypted (VPN or SSL decryption) and then checked for compliance with security policies. If necessary, traffic can be then encrypted again and sent to its destination.

User authentication and access provision

Firewall monitors status and number of sessions, thus ensuring protection against device memory overflow and CPU overload (in both firewall and end devices).

Access Control Lists (ACL) allow limiting user access to resources (both external and internal), while split tunneling technology describes rules to encrypt (or not encrypt) user traffic.

Application control

Packet inspection allows firewall to detect and block (when required) IM and point-to-point traffic. Packets are also checked whether their headers match their content for known packet formats (HTTP, SMTP, etc.). If, for example, non-HTTP traffic is found within a TCP/80 packet (or if HTTP header is incorrect), then such traffic shall be rejected to prevent it from affecting a server.

Inspect Internet Control Message Protocol (ICMP)

Firewalls can monitor ICMP traffic. In particular, external ICMP responses will only be allowed if a request was sent from inside. If this is the case, then only echo-reply, time-exceeded, destination unreachable, and timestamp reply packets will be expected.

Java code blocking

Thanks to packet inspection, firewall can detect Java code within HTTP traffic. Since Java code execution may be harmful, HTTP traffic with Java code can be discarded to prevent it from adversely impacting a server or end user.

Session Initiation Protocol (SIP) control

Firewall inspects content of SIP packets that are responsible for voice traffic signaling. Since SIP packet header contains information about of user IP addresses, and passing through NAT changes only IP packet headers, therefore passing through NAT disrupts SIP operation. SIP control allows for changing SIP packet header and check it for correctness and compliance with RFC.

H.323 protocol

SCCP and H.323 protocol inspection allows to control signaling and media traffic: substitute IP address in packet headers and dynamically create enabling rules for media traffic.

Firewall fault-tolerance

To ensure fault-tolerance at hardware level, High Availability solution is used enabling switchover from failed main firewall to backup firewall. In this case, all main firewall session status information is continuously replicated to a backup firewall to avoid resetting and reestablishing current sessions.

Configuration backup

Firewall can export equipment configuration both locally to a flash media and to external storage system. In addition, configuration can be imported from external storage system for recovery. Export and import functions support TFTP, FTP, HTTP, HTTPS and SCP protocols.

Intrusion detection system

The Intrusion Detection System tools enable the following functionality:

Intrusion detection

Firewalls provide rule-based access to resources and security, while IPS analyses traffic behavior, namely: viruses, worms, botnets, spyware, spam distribution, etc. Since any malware has specific behavior, which can be described using some pattern, IPS detects traffic matching such pattern previously defined in the system (such pattern are referred to as signatures).

Service profiling

Since checking traffic for matching signatures is a resource-intensive process, the best approach is to analyze Customer's network and network traffic and determine if any signatures need to be added. For example, if access rules prohibit outbound SMTP traffic then there is no need to check the entire traffic for SMTP signatures. If Customer's end users only use Linux devices then there is no need to check traffic for Windows vulnerabilities.

Intrusion monitoring

Signatures have so called 'engines' that describe substantially different malware behavior patterns. The choice of a particular engine when describing a signature defines traffic monitoring method: by single packet content, character sequence in a packet set, number of end user devices exchanging traffic, attack vector, etc. Upon detection of signature matching, a message is generated with details of threat type and rating.

Signature management

Signature base is continuously updated from (subject to subscription). You may also write your own signature to describe traffic using one of engines. You can enable/disable detection of certain signatures and change response to such detection (notify, reset, reset TPC, change content, etc.).

Incident handling

Behavior patterns of certain malware are based on repeatability of actions: either a system can be attacked 100 times during a certain period, or a group of 100 endpoints can be attacked. In both cases, IPS will detect 100 events with a specific signature. Such behavior complicates problem analysis and increases the number of entries in a log. To avoid entry multiplication, Summarizer and Meta Event Generator are used. Summarizer generates only one event and specifies the quantity of similar detections, while Meta Event Generator aggregates multiple events into a single event. For example, if signatures A, B, C and D are detected (and if we know that they describe behavior of the same virus using different technologies), then only one event (E=A+B+C+D), which describes group behavior of these signatures, will be created.

IPS backup

Since IPS is an autonomous module of Cisco ASA and its failure can cause traffic interruption, a special mechanism is developed: main Cisco ASA monitors IPS status and in case of its failure switches over to a backup Cisco ASA with operational IPS, thus avoiding data loss in the event of IPS failure.

Cisco Powered Managed Security benefits:

  • Quick deployment and configuration
  • Flexibility and scalability
  • No support and maintenance costs
  • Proven and certified security solutions
SLA — Managed Services

DRaaS (Disaster Recovery as a Service)

To ensure uninterrupted operation of a customer's IT infrastructure, CROC deploys custom-tailored solutions such as Disaster Recovery-as-a-Service (DRaaS). The solution is based on multiple cloud sites which are interconnected by optical links and also connected to М9 and М10 trunks.

CROC currently owns three data centers:

Cloud platform arms (parts) are located in two of the centers.

  • The Kompressor Data Center is one of three sites in Russia certified in accordance with Uptime Institute Tier III standards;
  • While starting a server or creating a disk/network on a self-service portal, you may select the arm (part) of the platform where the service is to be launched;
  • Connection between two data centers is provided via CROC's own optical links and is therefore free of charge;
  • Selection of telecom providers to ensure their trunks enter the data center via two different routes;
  • Two-site configuration allows for:
    • Building of distributed fault tolerant clusters;
    • Geographical separation of operational data and backup copies;
    • Configuration of site-to-site replication at the application software level.