Firewall Wizards mailing list archives
RE: Killing Napster and beyond...
From: "David O'Shea" <doshea () internap com>
Date: Thu, 19 Oct 2000 16:42:45 -0500
The only problem with implementing the solution on the router is that it can't manage the inbound flow. A T1 connection can be hammered by four or five people watching a 300kb feed from Bloomberg - and discarding packets would only compound the problem by filling up the pipe with resends. The router/queueing/QOS solution works great at the server end, but difficult to implement at the client side. It's a bear of a problem. A well-designed proxy can help some, but a little education of the user community often goes a long way. Unless there's a way to somehow tweak the outgoing connection request (i.e. setting some flag that says "I don't care what the desktop asks for, I can only handle a 64kb connection"), I don't know how to limit it completely. One solution is to use two connections: Allow non-http traffic to use one connection, and proxy all the other stuff (http, realaudio, etc.) through another connection. The NAT effect of a proxy allows it to work - and you at least manage to keep a heavy session of users browsing the web from killing, say, your SSH, etc., traffic. It's not quite QOS, but gets you the same effect. -----Original Message----- From: firewall-wizards-admin () nfr com [mailto:firewall-wizards-admin () nfr com]On Behalf Of Zarcone, Christopher Sent: Thursday, October 19, 2000 3:07 PM To: firewall-wizards () nfr net Subject: RE: [fw-wiz] Killing Napster and beyond... All, Indeed, Napster and RealAudio are greedy applications in terms of bandwidth, but there are a lot of creative solutions that don't involve blocking ports. The simplest solution I can think of would be to enforce a Quality-Of-Service policy on your network. Cisco routers, for example, have a QOS feature called Custom Queueing, where you can assign percentages of bandwidth to specific protocols and ports. For example, you could restrict RealAudio to 20% of the total bandwidth. In the presence of competing traffic, RealAudio traffic above the 20% threshhold would get queued (and ultimately dropped). Cisco also has another QOS feature called Priority Queueing, where "higher" priority traffic ALWAYS takes precedence over "lower" priority traffic. You can define multiple layers of prioirity, with your business application protocols at the highest priority, and RealAudio and Napster at the bottom. Your business applications will effectively preempt any RealAudio traffic. This can lead to certain protocols being "starved" in the presence of high utilization, but in the case of RealAudio, that's probably what you want anyway. There is, of course, the notorious problem of applications tunneling over other protocols. (Let's see, can we think of any protocols that get ruthlessly exploited as a generic tunnel? Wait, let me think... could it be HTTP? Bingo!) From the router's perspective, all you see is traffic on TCP port 80. From a standpoint of QOS, the router won't be able to help you here. You might be better served by shunting all of your HTTP traffic through a really good proxy for more fine-grained traffic control. It's times like this where it makes sense to step back, take off your Firewall Hat, and put on your Router Hat (or your Proxy Hat or General Purpose Infrastructure Hat). There are a lot of ways to skin a cat. Regards, Christopher Zarcone, CISSP Senior Consultant christopher.zarcone () netigy com Netigy Corporation www.netigy.com My opinions do not necessarily represent the opinions of my employer. In fact, my opinions have no intelligent content whatsoever and should not be considered by anyone. Message: 10 From: "Harris, Tim" <tharris () ocair com> To: "'Chris Cappuccio'" <chris () empnet com>, Todd Schroeder <todd () stipples com> Cc: firewall-wizards () nfr com Subject: RE: [fw-wiz] Killing Napster and beyond... Date: Wed, 18 Oct 2000 16:05:04 -0700 charset="iso-8859-1" The problem with Napster and similar programs (such as Real Audio) is that some companies have relatively small pipes (I have a T1) for a large number of users. I care less that they are going to sites than that they are clogging up my precious bandwidth. It takes very few people listening to Real Audio feeds before performance dies. We are buying the bandwidth to facilitate business operations. If they want to listen to music, they should buy a radio or a CD player. _______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://www.nfr.com/mailman/listinfo/firewall-wizards _______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://www.nfr.com/mailman/listinfo/firewall-wizards
Current thread:
- RE: Killing Napster and beyond..., (continued)
- RE: Killing Napster and beyond... Andy Wigglesworth (Oct 27)
- RE: Killing Napster and beyond... Jürgen Nieveler (Oct 19)
- RE: Killing Napster and beyond... Harris, Tim (Oct 19)
- Re: Killing Napster and beyond... Vern Paxson (Oct 19)
- Re: Killing Napster and beyond... Brad Van Orden (Oct 19)
- Re: Killing Napster and beyond... Darren Reed (Oct 20)
- Re: Killing Napster and beyond... R. DuFresne (Oct 20)
- Re: Killing Napster and beyond... John McDermott (Oct 20)
- Re: Killing Napster and beyond... Brad Van Orden (Oct 19)
- RE: Killing Napster and beyond... Zarcone, Christopher (Oct 19)
- RE: Killing Napster and beyond... Barry Dykes (Oct 20)
- RE: Killing Napster and beyond... David O'Shea (Oct 20)
- RE: Killing Napster and beyond... Henry Sieff (Oct 19)
- RE: Killing Napster and beyond... Dave Costello (Oct 20)
- RE: Killing Napster and beyond... Harris, Tim (Oct 20)
- RE: Reducing Napster and beyond... Jonn Martell (Oct 23)
- RE: Killing Napster and beyond... Delmer Harris (Oct 20)
- Re: Killing Napster and beyond... Vern Paxson (Oct 20)
- Re: Killing Napster and beyond... Brad Van Orden (Oct 20)
- RE: Killing Napster and beyond... jcintron (Oct 23)
- RE: Killing Napster and beyond... agoldney (Oct 24)
- RE: Killing Napster and beyond... Barry Dykes (Oct 24)
(Thread continues...)