By: Jorge Abellas
“My Internet access is so slow! Do you know what is going on?”
If you are an IT manager responsible for Internet connectivity for your SMB (small to midsize business), this is one of the most horrifying questions you can hear from a user-even more so if that user happens to be your boss, or worse yet, the owner or CEO. Scarier still is that the answer to the question is usually, “I don’t know.”
Packet shaping will not add bandwidth to your Internet connection, but packet-shaping devices will enable you to more efficiently utilize your bandwidth and can delay costly Internet connection upgrades. Insuring against unexpected bandwidth hogs and being able to pinpoint sources of consumption is also useful.
Although the cost of Internet connectivity and private WAN transport continues to drop, the proliferation of hungry Internet applications such as P2P (peer to peer), video and audio streaming tends to eat all available bandwidth when allowed to. These applications can quickly asphyxiate critical and time-sensitive services, such as mail and VOIP, if left unchecked. Locking down desktops to prevent access to these applications is often not an option and, in my experience, tends to create a lot of headaches for the IT staff-not to mention the hostility it engenders in users.
In the past, blocking ports at the router would help, but P2P and other “entertainment” applications, wise to this trick, can usually work over the standard port 80.
Packet shapers are smarter than that. They inspect the traffic going through them and match the packet content at layer seven, the application layer, to a known library of characteristic signatures and use that to identify the type of traffic, even if it is flowing over a common port. Once the traffic is classified, traffic can be blocked and prioritized using QOS (quality-of-service) rules and intelligently allocate bandwidth.
Open source and Exinda
These days, it is foolhardy for a conscientious IT manager not to consider open-source alternatives when in need of a tool, particularly one that will be invisible to users. Unfortunately, most of the community developed applications currently available, like the popular firewall IPCop, are limited to shaping traffic by port. The few tools available that can analyze packets at layer 7-iPP2P and L7-Filter, for example-require you to manually edit config files and tables of filters, and muck about in the kernel.
Besides the usability issues, such an approach places the onus of managing the library of application signatures on your already overworked IT manager. What she needs instead is a small, relatively inexpensive appliance with a friendly Web browser interface and an available subscription for support and signature updates.
Exinda Networks is a relative newcomer to the packet-shaping/WAN acceleration market, and has one of the lowest-priced appliances in the market today. Exinda’s x700 series is focused on packet-shaping and QOS management, while the x800 line adds application acceleration features. Exinda’s 1700 is the company’s entry-level appliance, about the size of a small Ethernet switch. It sports one WAN and four LAN 10/100baseT ports. Available in 2Mbps and 10Mbps versions, this model is appropriate for a small office with no more than 50 users.
The first step, after a brief setup via the built-in Web server, is to insert the device in monitor-only mode between your router and your firewall. Once you accumulate several days’ worth of data, you can use the very friendly Web interface to look at your overall traffic patterns by type of application, URLs, hosts and conversations, and easily drill down to pinpoint issues.
The next step is to configure priority and QOS rules to manage your Internet data flows. Priority rules allow you to give preferential treatment to packets that require low latency, such as VOIP; QOS policies let you protect bandwidth for critical applications such as e-mail or access to hosted services. The device is smart enough to expand the bandwidth allotted to other applications, such as Web browsing, when critical applications are not using it, and then throttling Web browsing back to free up space for the apps identified as critical. You can also set up rules to completely discard packets from any application you want to ban from your network such as P2P traffic.
Packeteer 1400 Lite
Packeteer 1400 Lite
Packeteer got its start providing packet shaping for universities and colleges, and is the oldest and perhaps best-known vendor in the space. The 1400 Lite is Packeteer’s entry-level device and is a small appliance, with four 10/100baseT ports: two main ports that act as a straight wire if the device fails and two secondary ports that can be used for a backup Internet connection.
The Exinda entry-level appliance competes against this Packeteer entry, and the feature sets are almost identical. The 1400 Lite offers monitoring and classification of traffic by deep packet inspection, can display captured data interactively over its Web interface and can prioritize that data. Users who purchase an additional license key can apply QOS with versatile and very granular control. Rules can be set to manage the amount of bandwidth allocated to a class of applications such as P2P, to a specific application like Kazaa, to a specific URL or IP address, even down to a specific workstation.
The Bottom Line
In real-world tests of the Exinda device, I was able to identify various automated update services consuming disproportionate amounts of bandwidth, which led to the deployment of Windows Server Update Services and other centralizing mechanisms to minimize the impact. The Exinda device is a clear winner in the bang for buck category and is an elegantly designed, simple-to-use entry-level device.
In order to match the functionality of the Packeteer, however, you would have to move up the Exinda product line, narrowing the price difference significantly. The limited memory in the Exinda 1700 also restricted the traffic it could shape, for example, it could not block encrypted P2P traffic from the popular Limewire application. The Packeteer can be upgraded in place to provide application acceleration, whereas the Exinda device requires a forklift upgrade.
Because of the constantly changing nature of Internet applications, you must buy the support/subscription service so that you can get updated application signature tables. Both manufacturers offer trials of the devices so you can test them in your environment. Be forewarned though: Have your PO ready because once you have access to a packet shaper, you can never go back.