Bandwidth Patrol

Keeping data flowing is big business

Its about bandwidth, stupid! Who has it, who controls it, who shapes it, who can gobble it up first.

No matter where you stand on the Napster question — whether you lean toward the one-big-happy-file-sharing-village notion or the credo, "Thou shalt not steal music" — last years Napster dust-up certainly left one lasting legacy. The controversy alerted many companies and universities to the need to monitor, protect and control their own bandwidth — before the peer-to-peer legal kinks are worked out and the market is flooded with even more hungry file-sharers and network neighbors. While dot-com flights of fancy are disintegrating, PC sales are dropping like loose chad, and Napster itself is hooking up with a German media conglomerate to help legitimize its revolution, at least one segment of the technology industry is invigorated: the bandwidth patrol.

Napster certainly wasnt the first sign that networks needed to keep an eye on bandwidth allocation, but it quickly turned into the clarion call for many colleges and businesses. In effect, Napsters high profile caused a "big panic," says Eric Hanselman, director of corporate systems engineering at Sitara Networks, which markets several bandwidth management products. "People have seen, all of a sudden, tons of bandwidth being chewed up in all sorts of uses that are not the key path businesses want to follow," he says. "The problem has been in the background for a long time; Napster made it a whole heck of a lot worse."

Indeed, a number of companies have marketed such bandwidth management products to businesses for several years; however, this past year, Napster started cutting through bandwidth like an out-of-control lawn mower. Companies, and especially universities, had to do something to ensure that bandwidth was left over for such trivialities as research and generating revenue. Network administrators quickly discovered that Napster bypassed firewalls and consumed any additional bandwidth thrown in its direction.

Thus, in the wake of Napster, bandwidth tools are growing quite sophisticated, often allowing the customers — whether they are businesses, universities or service providers — to decide what types of files should be blocked or, as is the current trend, to be de-prioritized and allocated fewer crumbs of bandwidth. And, usually at a higher cost, IT managers can purchase applications that eliminate the need to control hundreds, or even thousands, of machines individually.

Sitara, for example, takes what Hanselman calls a "holistic perspective" on bandwidth management. Its products — QOSWorks, QOSDirector and the recently announced QOSArray — all come with a Web-based graphical user interface. QOSDirector allows all machines loaded with the QOSWorks software to be controlled from a centralized console, and QOSArray will allow two boxes to be clustered side by side, thus eliminating redundancy, he says.

The Sitara products integrate several bandwidth management tools, including class-based queuing, a method of assigning priority to different types of data packets, combined with Transmission Control Protocol (TCP) rate shaping, which means changing the amount of bandwidth granted to data on a network. These tools first provide a report of activity and then allow enforcement decisions to be made with a click of the interface.

Most compelling, Hanselman says, is that his products use those tools together to provide an automated selection of the appropriate tools: If its a TCP connection, TCP rate-shaping comes on; if not, the software puts more emphasis on queue management. All the tools are included in every package; package prices start at around $2,500 and go up to $18,000.

Packeteers PacketShaper is another popular bandwidth shaper that is suddenly hot in the academic market. "Over 110 universities have deployed the solution since September," says Senior Product Marketing Manager Jennifer Geisler. She uses highway analogies to explain how PacketShaper — a classification technology that tracks specific URLs and content types — tails the bandwidth offenders. "Students dont use the parking spot every day," she says of Napster usage. "They know how to make Napster go to a different port; universities spend all their time trying to track down Napster."

But not with PacketShaper. "We look to see whos actually driving," Geisler says. The app generates reports for IT managers who can then see "whos been run off the road," and apply enforceable policies. "Written policies are only as good as the ability to enforce them," she says.

With PacketShaper, a company or university can block applications such as Napster and iMesh altogether, or only allow them, say, to travel 25 miles per hour by giving them 10K of bandwidth. Several colleges, such as St. Johns University in St. Cloud, Minn., are doing just that, instead of blocking Napster and its progeny altogether.

Geisler says her companys most unique offerings are the products plug-and-play setup and partnerships with companies such as IBM to provide service. "Competitors dont have that kind of reach, in terms of distribution or serviceability of the products," she says. PacketShaper comes in a variety of models, depending on the wide-area capacity of the network. Prices go from $3,500 to $24,000.

Napster, Geisler says, is pleased with products such as PacketShaper that make both sides happy: When used as a prioritizer and not a blocker, Napsters files get through, as do priority files of the business or institution. "Napster has a choice: Be part of the problem or part of the solution," she says. "They liked the idea that universities and enterprises have an option to control it, letting more applications come through. Theyre very happy having us come in to contain it."

Network Guard Dog

Not every business or institution is looking to contain Napster & co., however. Some just want to bar the door. Palisade Systems is marketing a virtual doghouse full of products to help block unwanted bandwidth gobblers, as well as undesirable material, such as pornography. Recently the company started looking toward productivity and bandwidth issues, releasing PacketHound, its network guard dog that opens up file packets and blocks offending ones by sending a reset connection request back to the host. "To the user, it looks like the Internet isnt working," says Senior Network Engineer Ryan Jones.

Before bringing in the hound, however, concerned network administrators can download a little canine sniffer to find out which packets are already sneaking through the door. PacketPup is available as a free download on the companys Web site. Once you see offending activity, the big pooch can come to the rescue (starting at $5,000, with heavy discounts for educational institutions). "You can effectively eliminate all that crap traffic," Jones says. "Theres no degradation to the network whatsoever," he adds. And PacketHound can be, er, trained by its new owner. The application lets you exclude or include certain Internet Protocol (IP) addresses, or just block pornographic traffic.

Palisade spokeswoman Helena Poist warns that clients who choose products that shape bandwidth, rather than block offenders altogether, can face liability for making space for illegal files rather than blocking them. On the other hand, she adds, public colleges face censorship charges if they just block any large downloads in an effort to avoid Napster files. Thus, she says, several universities are using a combination of Palisade products and bandwidth shapers from other companies to meet their objectives. They can reshape bandwidth, while blocking offending files altogether. But, she warns, despite the liability challenges on both sides, neither businesses nor universities can afford to do nothing. "It gets to the point where you have to respond; you cannot be an open faucet."

NetReality takes a softer approach. Kit Waugh, a vice presIdent at the company, says, "It seems punitive to say, You cant do it anymore, " even though "Napster is extremely punitive to large institutions." Besides, the reality is that Napster is just the first of many bandwidth-intensive technologies that involve shared personal networks, he says, pointing to CTI (computer-telephony-integration) as one to watch. "You dont want to penalize people, or be some kind of dictator."

The solution is a product like NetReality that goes beyond bandwidth shaping by monitoring all traffic, Waugh says. NetReality also offers application response-time assurances and network management. It can spy for video gateways, PBX extenders, voice-over-IP products and the like.

According to Waugh, NetReality stands out because its not static like some of the competitors; this app is adaptive because it sits on the access link to the network and uses account variation. It can sense any network traffic congestion. It uses bandwidth rate control only when the app senses extreme congestion of the link and shuts everything down. "What other companies use as primary shaping is only appropriate for extreme measures," he says.

Waugh says the best use of NetReality is as an enforcement mechanism for internal service agreements written between IP departments and other members of companies and universities. "They can use our products as a tool to make those assurances," he says.

Circumventing Firewalls

Its no secret that file-sharers like Napster and other bandwidth hogs can get around firewalls. So Checkpoint Software Technologies has bundled its network security expertise into Floodgate-1, a bandwidth management tool thats been around for three years. It has been used primarily by service providers, but is enjoying renewed interest from universities.

"We werent sure until six months ago what the [Napster] impact was going to be. Its definitely playing a role in driving Floodgate sales," says Product Marketing Manager Mike Lee. "Weve added to whats there; its a new piece of the package."

Floodgate-1 is unique because of its integration with network security, Lee says. In most cases, a virtual private network would encrypt every packet, without differentiating between e-mail and Napster. But the integration of Floodgate-1 allows the good stuff to get through, and uses a single security box.

A major advantage with this product is that Floodgate users already know how to use the product. "They dont have to stick a new box out there," Lee says. And the cost can be attractive: It can be bundled with one of the companys firewall products for about $1,000 more than the firewall by itself. Bundles can range in cost from $4,400 to $21,000.

Lee argues that Floodgate-1 is a friend to Napster et al: "We are good news to Napster users. The knee-jerk reaction is to use firewalls or a router to shut down Napster. That doesnt make Napster people very happy. Lets figure out whats important, give it priority and let Napster use the unused bandwidth in between. Most Napster users dont really care if it takes an extra 10 seconds to download anyway."

Donna Ladd is a writer in New York.