RE: Killing Napster and beyond...

["David O'Shea" <doshea () internap com>]

The only problem with implementing the solution on the router is that it
can't manage the inbound flow. A T1 connection can be hammered by four or
five people watching a 300kb feed from Bloomberg - and discarding packets
would only compound the problem by filling up the pipe with resends.

The router/queueing/QOS solution works great at the server end, but
difficult to implement at the client side.

It's a bear of a problem. A well-designed proxy can help some, but a little
education of the user community often goes a long way. Unless there's a way
to somehow tweak the outgoing connection request (i.e. setting some flag
that says "I don't care what the desktop asks for, I can only handle a 64kb
connection"), I don't know how to limit it completely.

One solution is to use two connections: Allow non-http traffic to use one
connection, and proxy all the other stuff (http, realaudio, etc.) through
another connection. The NAT effect of a proxy allows it to work - and you at
least manage to keep a heavy session of users browsing the web from killing,
say, your SSH, etc., traffic.

It's not quite QOS, but gets you the same effect.

-----Original Message-----
From: firewall-wizards-admin () nfr com
[mailto:firewall-wizards-admin () nfr com]On Behalf Of Zarcone, Christopher
Sent: Thursday, October 19, 2000 3:07 PM
To: firewall-wizards () nfr net
Subject: RE: [fw-wiz] Killing Napster and beyond...


All,

Indeed, Napster and RealAudio are greedy applications in terms of bandwidth,
but there are a lot of creative solutions that don't involve blocking ports.
The simplest solution I can think of would be to enforce a
Quality-Of-Service policy on your network.

Cisco routers, for example, have a QOS feature called Custom Queueing, where
you can assign percentages of bandwidth to specific protocols and ports. For
example, you could restrict RealAudio to 20% of the total bandwidth. In the
presence of competing traffic, RealAudio traffic above the 20% threshhold
would get queued (and ultimately dropped).

Cisco also has another QOS feature called Priority Queueing, where "higher"
priority traffic ALWAYS takes precedence over "lower" priority traffic. You
can define multiple layers of prioirity, with your business application
protocols at the highest priority, and RealAudio and Napster at the bottom.
Your business applications will effectively preempt any RealAudio traffic.
This can lead to certain protocols being "starved" in the presence of high
utilization, but in the case of RealAudio, that's probably what you want
anyway.

There is, of course, the notorious problem of applications tunneling over
other protocols. (Let's see, can we think of any protocols that get
ruthlessly exploited as a generic tunnel? Wait, let me think... could it be
HTTP? Bingo!) From the router's perspective, all you see is traffic on TCP
port 80. From a standpoint of QOS, the router won't be able to help you
here. You might be better served by shunting all of your HTTP traffic
through a really good proxy for more fine-grained traffic control.

It's times like this where it makes sense to step back, take off your
Firewall Hat, and put on your Router Hat (or your Proxy Hat or General
Purpose Infrastructure Hat). There are a lot of ways to skin a cat.

Regards,

Christopher Zarcone, CISSP
Senior Consultant
christopher.zarcone () netigy com

Netigy Corporation
www.netigy.com

My opinions do not necessarily represent the opinions of my employer. In
fact, my opinions have no intelligent content whatsoever and should not be
considered by anyone.

Message: 10
From: "Harris, Tim" <tharris () ocair com>
To: "'Chris Cappuccio'" <chris () empnet com>,
Todd Schroeder <todd () stipples com>
Cc: firewall-wizards () nfr com
Subject: RE: [fw-wiz] Killing Napster and beyond...
Date: Wed, 18 Oct 2000 16:05:04 -0700
charset="iso-8859-1"

The problem with Napster and similar programs (such as Real Audio) is that
some companies have relatively small pipes (I have a T1) for a large number
of users.  I care less that they are going to sites than that they are
clogging up my precious bandwidth.  It takes very few people listening to
Real Audio feeds before performance dies.  We are buying the bandwidth to
facilitate business operations.  If they want to listen to music, they
should buy a radio or a CD player.


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards