Who's in the field these days? (Dated, I no longer do this routinely and have not refreshed this much recently at all)
Not including point-to-point WAN optimizers, or load balancers, but Internet bandwidth management appliances. In no particular order...
- Blue Coat (formerly Packeteer).
- Procera Networks - very capable.
- Allot Communications - NetEnforcer
- Net Equalizer - "Fire & Forget"
- Exinda - AD integration (not much use to me)
- Arbor - purchased Ellacoya
- XRoads Networks - small company, enterprise class?
- Emerging Technologies - "Net Neutral" shaping
- LogiSense - it does billing!
- Cyberoam
- A10 Networks - makes a thing of IPv6 (for their routers)
and there is a host of little boxes and/or software claiming to do this, but I need Gb/s throughput...
then, of course, there are the "next-generation" firewalls:
- SonicWall - doesn't include PaloAlto in their Gartner report
- Palo Alto - widely well-regarded... they got a Gartner report, too
- Barracuda has one, too
- SourceFire is jumping in as well.
- WatchGuard is an old name in the business
- Astaro has hardware, software, and VMs, and Sophos has Astaro
- CheckPoint is adding NGFW capability, as is
- Cisco, on the ASA platform
- Fortinet is doing things with the FortiGate
- Juniper is not to be outdone with their SRX
- even McAfee is getting into hardware, now that Intel owns them.
A presentation on the Procera Packetlogic given at OARTech in February of 2009. This is an overview, followed by a live demo of Oberlin's system which can't be reproduced here.
- HTML version of presentation
- PDF version
- Powerpoint version, if you insist...
Visio stencils of Procera equipment, courtesy of Mark Bailey of Procera Networks.
At the time this presentation was made, the Internet connection for Oberlin College was provided by the Ohio Academic and Research Network, OARNet. We enjoyed a fiber connection from Time Warner, which provided us 450Mb/s of usable combined intra-Ohio, Internet2, and commodity Internet bandwidth. That sounds like a lot, until you divide by the number of users, which might be about half of us during busy times.
As applications have developed and demand grown, we've steadily increased our bandwidth purchased each year to try to keep pace. Our location in rural Lorain County at times has limited our options, as some types of circuits are simply not available and other carriers do not have a presence anywhere nearby. This situation keeps changing, and we're always looking for ways to increase our bandwidth within our budget. Until unlimited bandwidth becomes available cheaply, we will always need to manage what traffic we generate to keep things flowing smoothly.
If we were to let all traffic pass without management, there would be collisions and contention for passage through our connection to the rest of the world. Many applications would simply break, especially those sensitive to latency and jitter, like Skype and game play. But, as we've seen, even simple web browsing becomes painful or simply impossible in all the din. Once, our bandwidth manager was turned off for an afternoon, and pretty much everything besides BitTorrent came to a standstill.
General Principles
There are three classes of traffic in general: Good, Bad, and Fragile. Our goal is to give the Fragile the helping hand they need to function, encourage the Good to share nicely on the network, and squelch and limit the Bad as much as we can to make the network experience as responsive as we can. We also prioritize traffic from academic resources located outside our network, whether services such as OhioLINK and Naxos Music Service, or Oberlin resources provided by contractors like Blackboard (Oberlin OnCampus).
We use the Packetlogic in part to track some of the unwanted traffic associated with viruses, so we can identify our infected systems and get them cleaned up. Some sites we block entirely, which we've identified as being involved in virus spreading and phishing emails. Others we don't block, but monitor for suspicious activity associated with infected machines on campus that might need some help and clean up.
In the past, we had a script running that divided the bandwidth available to students in the residence halls differently by time of day, giving them more bandwidth at night and reserving a larger portion of the total for faculty and staff during regular hours. With the Packetlogic, this is no longer necessary. Our shaping rules for the various segments of our network are set up to "borrow bandwidth" from each other as needed. Each shaping rule is set up with multiple bandwidth shaping objects, and once your primary object fills up, you get to borrow any available bandwidth from the others at a lower priority level. This way the adjustment is dynamic, and servers, for example, get to claim all the bandwidth they require at high priority while permitting students to share that allocation when it's available. The net result is that we're using nearly all of our bandwidth (inbound, anyway) all of the time except for the wee hours of the morning.
While we do have a firewall to drop some of the bad traffic before it even gets onto our network, there are not a lot of ports being blocked arbitrarily. That's not the reason your game doesn't play properly, no matter what the game developers say! We've been able to make special provisions for several games in common use on campus, as well as some Ventrilo servers and the like, but for this we're limited by the information the game developers provide. Some have been quite helpful, others don't seem to want to provide us with their networking details, fearing perhaps we'll use the information to block game play altogether. We'll do what we can, but can make no promises your favorite games will work on our network. Caveat emptor--try before you buy, if at all possible.
The Good, the Bad, and the Special
Bad traffic can be divided into two categories. We have a Gulag of applications that we don't want to enter our network at all, typically command and control traffic caused by trojan infections and zombie controllers. The less-bad traffic is that caused by peer-to-peer applications like KaZaA or BitTorrent serving files from on-campus users back out to the Internet. That's the traffic most likely to get one in trouble with the RIAA.
Then, we have the traffic that is generally good, but not usually able to make itself heard over the crowd of other voices on our network. This includes chat, AIM, Gaming, and video or telephony like Skype. These classes don't take much bandwidth, but need a protected portion of our bandwidth reserved for their use, and special rate or priority treatment to keep their connections from suffering latency or jitter.
Inbound and Outbound, they're nearly symmetrical.
- Gulag -- These traffic classes need to be contained or kept out of circulation.
  - Code Red, Nimda, Spyware and Zombie controllers (Discard policies)
  - These are host lists, traffic types, and subnets we don't need to hear from.
- La_La_LAN -- Violations of our acceptable use policy and severe bandwidth consumers when unchecked.
  - Peer-to-Peer applications, specifically servers on our campus sharing out to the world. This group shares a rather small bandwidth partition; some have other restrictive policies.
  - Copyright Violators. Those implicated in copyright violation by notice from the RIAA or other copyright holders are placed in a special class. Normal traffic is permitted to this class, but Peer-to-peer applications like Gnutella or BitTorrent are dropped.
- LANada -- Official Oberlin College services hosted off-campus, such as Blackboard, the Common App, or Naxos. They're kind of just like us, only on the other side of the border ;-)
- Munchkin_LAN -- Low-bandwidth applications easily lost in the noise of more-aggressive classes.
  - Chat
    - AIM, ICQ, MSN, Yahoo Messengers, SMS (File sharing is treated as P2P).
  - Gaming -- Each client gets up to 1Mb/s, managed for minimum latency. Appears to be sufficient.
    - All of the online games we or Packetlogic can identify easily, from Asheron's Call to XBox Live.
  - Telephony -- same shaping rules as gaming traffic.
    - CUSeeMe, Net2Phone, H.323 and T.120 applications, etc.
    - Skype, treated separately but also to minimize latency above all.
- Play_LAN -- ResNet, wireless, and public lab computers, defined on IP ranges in use.
  - Filesharing has volume-based restrictions, so after the first 2GB downloaded today greedy clients will notice an appreciable drop in speed; BitTorrent and Gnutella are in there duking it out.
  - Default ResNet traffic uses dynamic partitioning; each IP address gets an equal share of up to 75% of our total bandwidth.
- Promised_LAN -- These are the College's official servers and services. They have priority over everything.
- Work_LAN -- Defined mostly by exclusion, this should be on-campus Faculty and Staff systems. A relatively small portion of bandwidth is reserved for these systems at all times, larger during the day and less after hours.
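The Play_LAN rules above (per-IP dynamic partitioning capped at 75% of the link, and the volume-based throttle after the first 2GB of the day), as an added Python model; this is not Packetlogic's code or Oberlin's configuration. The 450Mb/s link, the 75% cap and the 2GB quota come from this page; the step-down factors and the size of the filesharing partition are constructed assumptions.

```python
"""Model of the Play_LAN shaping rules (added illustration, not Packetlogic code).

The 450 Mb/s link, the 75% ResNet cap and the 2 GB/day quota come from the page;
the step-down factors and the size of the filesharing partition are constructed.
"""
LINK_MBPS = 450
RESNET_CAP_MBPS = 0.75 * LINK_MBPS       # default ResNet traffic: equal shares of up to 75%
P2P_PARTITION_MBPS = 30                  # constructed: the "rather small" filesharing partition
GIB = 1024 ** 3
DAILY_QUOTA_BYTES = 2 * GIB              # first 2 GB downloaded today go at full speed

# Constructed step schedule: (multiple of the quota reached, fraction of the share retained).
# Packetlogic throttles "in steps"; the actual steps are not on the page.
THROTTLE_STEPS = [(1, 0.5), (2, 0.25), (4, 0.1)]


def volume_factor(bytes_today):
    """Fraction of its normal filesharing rate a host keeps, given bytes downloaded today."""
    factor = 1.0
    for multiple, retained in THROTTLE_STEPS:
        if bytes_today >= multiple * DAILY_QUOTA_BYTES:
            factor = retained          # steps are ascending, so the last match wins
    return factor


def dynamic_partition(active_hosts, pool_mbps=RESNET_CAP_MBPS):
    """Equal share per active IP: idle hosts take nothing, so only hosts with traffic divide the pool."""
    if not active_hosts:
        return {}
    return {ip: pool_mbps / len(active_hosts) for ip in active_hosts}


def filesharing_rates(bytes_today_by_host, pool_mbps=P2P_PARTITION_MBPS):
    """Per-host P2P ceiling: an equal slice of the partition, scaled by today's volume.

    Only the per-host ceiling is lowered; the partition itself keeps its size.
    """
    if not bytes_today_by_host:
        return {}
    slice_mbps = pool_mbps / len(bytes_today_by_host)
    return {ip: slice_mbps * volume_factor(used) for ip, used in bytes_today_by_host.items()}


if __name__ == "__main__":
    # Constructed sample: three ResNet hosts active, two of them running BitTorrent all day.
    print(dynamic_partition(["10.0.1.2", "10.0.1.3", "10.0.1.4"]))
    print(filesharing_rates({"10.0.1.2": 0, "10.0.1.3": 3 * GIB, "10.0.1.4": 10 * GIB}))
```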
Comparing the Procera Packetlogic and the Blue Coat (née Packeteer) Packetshaper:
There are many differences in configuration and approach used by these two devices. The Packetlogic primarily works by queuing packets through the device, and is very fast about it. One can build shaping rules for minimizing latency, for example. The Packetlogic (software version 11) has network objects, service and protocol objects, firewall and shaping objects, all of which are strung together into shaping or firewall rules which govern the traffic flow through the box. It can be set for "host fairness," which would grant every host an equal share of the available bandwidth, or you could use "volume based shaping," where as greedy users continue large downloads, their bandwidth is throttled back in steps to limit the damage they can do on your network during any particular period. We set ours so you can expect good transfer speeds for a couple of disk image files in any 24 hour period, but after that you receive a smaller share and others can have their turn. One very useful feature of the Packetlogic is the ability to set up one's shaping rules to permit "borrowing" bandwidth from other queues that are not quite full yet. By having our servers, academics, and student groups each borrow bandwidth from each other as available and needed, we are making more efficient use of our bandwidth capacity than ever before.
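The borrowing behaviour described above (and under "General Principles" earlier), as an added Python model; it is not Packetlogic's code or Oberlin's rule set. Each group first fills its own guaranteed partition, then borrows whatever the others leave idle, highest priority first. Only the 450Mb/s link figure comes from this page; the partition sizes, priorities and demands are constructed.

```python
"""Model of Packetlogic-style bandwidth borrowing between shaping objects.

Added illustration, not Packetlogic code or Oberlin's configuration. Each group
first fills its own guaranteed partition; once that is full it may borrow any
capacity the other groups are not using, highest priority first. The 450 Mb/s
link is from the page; group sizes, priorities and demands are constructed.
"""
from dataclasses import dataclass


@dataclass
class Group:
    name: str
    guaranteed: int   # Mb/s reserved for this group's own shaping object
    priority: int     # lower value is served first when borrowing
    demand: int       # Mb/s the group is currently trying to push


def allocate(groups, link_mbps):
    """Return {group name: Mb/s granted} for the current demands."""
    assert sum(g.guaranteed for g in groups) <= link_mbps, "partitions oversubscribed"
    # Phase 1: every group fills its own partition, but never beyond its demand.
    grant = {g.name: min(g.demand, g.guaranteed) for g in groups}
    # Whatever is left (unused partitions plus unpartitioned headroom) is the lending pool.
    pool = link_mbps - sum(grant.values())
    # Phase 2: groups with unmet demand borrow from the pool, highest priority first,
    # so servers still win contention while students soak up whatever is idle.
    for g in sorted(groups, key=lambda g: g.priority):
        take = min(g.demand - grant[g.name], pool)
        grant[g.name] += take
        pool -= take
    return grant


LINK_MBPS = 450


def make_groups(server_demand, staff_demand, student_demand):
    """Constructed partitions: servers (Promised_LAN), faculty/staff (Work_LAN), ResNet (Play_LAN)."""
    return [
        Group("servers", guaranteed=100, priority=0, demand=server_demand),
        Group("staff", guaranteed=50, priority=1, demand=staff_demand),
        Group("students", guaranteed=150, priority=2, demand=student_demand),
    ]


if __name__ == "__main__":
    # Busy afternoon: everyone wants more than their partition; priority decides the surplus.
    print(allocate(make_groups(200, 80, 300), LINK_MBPS))   # servers 200, staff 80, students 170
    # Wee hours: servers and staff idle, so ResNet borrows nearly the whole link.
    print(allocate(make_groups(20, 5, 600), LINK_MBPS))     # servers 20, staff 5, students 425
```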
The Packetshaper (Packetwise software version 8.3), now owned by Blue Coat, manipulates traffic by adjusting window sizes and other TCP/IP parameters to prioritize and partition traffic by type. It identifies many traffic classes, permits one to group these classes and partition or prioritize them, and has extensive reporting capability besides. The Packetshaper permits one to create hard partitions to contain certain subnets, traffic classes, what have you, to just the maximum amount of bandwidth you grant and no more. It can also be set up with "dynamic partitions" such that each host receives an equal share of the available bandwidth.
At Oberlin, we strive to contain the impact of Peer-to-Peer applications on our network, and we also carve out a little protected space for "fragile" applications like Skype and other voice/video/chat traffic and online game-play. In particular, these applications are sensitive to latency and jitter, and we try to limit that. Interesting, then, is this comparison of the particular game and P2P applications identified by each device, using the more current documented information from each at the time I write:
| Device | Peer-to-Peer Applications | Games and Game VoIP |
|---|---|---|
| PacketWise 8.3 | Aimster, Ares, Audiogalaxy, BitTorrent, Blubster, DirectConnect, EarthStationV, eDonkey, eXeem, FileRogue, Filetopia, Furthurnet, Gnutella, Groove, Hopster, Hotline, iMesh, KaZaA, Napster, Pando, PeerEnabler, PPLive, ScourExchange, Share, Soulseek, Tripnosis, Warez, Winny, Winny2 | AsheronsCall, Battle.net, CityofHeroes, Doom, Everquest/SonyOnline, HalfLife, Kali, LucasArts, MSN-Zone, Mythic, Quake, SonyOnline, Tribes, Unreal, WorldofWarcraft, XBoxLive, YahooGames; VoIP for gamers: Ventrilo |
| Packetlogic v.11 | Ares, Audiogalaxy, Baidu P2P, BitTorrent, Congaltan, DirectConnect, eDonkey, eXeem, ExoSee, FileGurl, FilePia, Foldero, FreePop, Gample, Gnutella, Hanafos QBic, Hardmoa, HotLine, iMesh, IRC DCC transfer, JJangFile, Dakemila, KaZaA, Kontiki, Kor-p2p-generic search, ManoLito, Microsoft BITS, MUTE, Napster, OpenFT transfer, p2pia, Pando, PDBox, PeerEnabler, Perfect Dark, Pruna Plus, Red Swoosh, Secure Content Downloader, Share, Share NT, Soribada, Soulseek, Sunfile, SunFolder, Thunder, V-share, WinMX, WPNP, WinNy, Xtoc, ZEPP, ClubBox, ClubFolder, ClubHard, CoolDisk, CrazyFile, DACOM Webhard Client, DiskPop, DiskPot, DiskPump, DiyHard, EA game update, eMusic download, ENdisk, FileBee, FolderPlus, HotDisk, iDisk, iPop, JJandDisk, JJangHard, M-File, MelOn, NeoFolder, NetFolder, OnFile, Peepop, PicoPot, SegaPop, Toto disk, VDisk, WeDisk | 9Dragons, A Tale in the Desert, A3, Advertising, Age of Armor, Age of Conan, Age of Empires 3, Albatross18, All Seeing Eye, America's Army, Anarchy Online, Angels Online, Archlord, Asheron's Call, Avadetect, Battle for Wesnoth, Battle.net, Battlefield 1942, Battlefield 2, Battlefield 2142, BOTS, Bounty Bay Online, Brettspielwelt client, Cabal Online, Call of Duty, Call of Duty 4, Cheat Prevention, City of Heroes, Civilization 4, Command and Conquer 3, Conquer Online, CorumOnline, Counter-Strike, Crysis, Dance!Online, Dark Age of Camelot, DarkEden, DarkOrbit, Day of Defeat, Decide Online, Diablo 2, Dofus, Doom3, DrakkarZone, Dream of Mirror Online, Dungeon Runners, Dungeons & Dragons Online chat, EA:Nation, Enemy Territory: Quake Wars, EVE Online, EverQuest II, Exteel, Exteel lobby, FEAR, Fiesta, Final Fantasy XI, Fly for Free, Freeciv, Frontlines, FunCom updater, Furcadia, Fury, Gamarena, Game Engines, GameSpy, GameSpy chat, GG Game, Guild Wars, Gun XBox, Gunbound, Gunz, Half-Life, Handheld, Hanagame GoStop, Hero Online, HLSW, Holic, Insurgency: Modern Infantry Combat, Jumpgate, KartRider, Knight online, Last Chaos, Legend of Ares, Lineage, Lineage II, Lord of the Rings, Luminary, Madden 06, Madden 07, Madden NFL 08, Magic Online, Maple Story, Metin2, MixMaster, MU Online, MythWar, Navy Field, NBA Live 07, Neocron 2, Neverwinter Nights, Neverwinter Nights 2, Nexuiz, NHL 07, NHL 08, Nintendo Wi-Fi connection test, OpenArena, Pirates of the Burning Sea, PlayOnline, PlayStation, ProjectEntropia, Puzzle Pirates, Quake 4, Quake III Arena, Rakion, Rappelz revolution, Red Stone, Return to Castle Wolfenstein, RF Online, Ricochet, Rising Eagle, Rubies of Eventide, Runescape, Ryzom, S.T.A.L.K.E.R., Scions of Fate, Seafight, Second Life, ShadowBane, Shalya, Silkroad Online, Sofnyx, Soldier Front, Soldier of Fortune 2, Sony Station, Source engine, Star Wars Galaxies, Sword of the New World, Tabula Rasa, Tales of Pirates, Team Fortress, Tibia, TimeShift, Titan Quest, Trickster, Turbine, Twelve Sky, Ultima Online, Universe at War, Unreal, Unreal 2, Unreal Tournament 3, Upshift StrikeRacer, Vanguard, War Rock, Warcraft 3, Warmonger, WarpFire, Warsow, Wii, WiiConnect 4, World in Conflict, World of Warcraft, XBlaster, XBox, Zero Online; game VoIP: TeamSpeak, Ventrilo, Ventrilo udp, Vivox, XBox Live Chat |