Security Basics mailing list archives

RE: Managing Network bandwidth


From: Dan Lynch <DLynch () placer ca gov>
Date: Wed, 11 Jan 2012 11:59:17 -0800

Peter Odigie said:

In my organization, we have had to upgrade our internet bandwidth two
times last year 2011.

As a gas will expand to fill the available space, so will your internet traffic expand to consume the available 
bandwidth. 

Start with a cheap / free / open-source monitoring solution to double-check your ISP's reports (1).

If there are no complaints of slowness, latency, dropped connections, etc., do nothing. But if there are, the cause is 
oftentimes misuse. Large file downloads, streaming internet radio, video snacking, etc., all conspire to overwhelm 
whatever bandwidth you allocate, reducing what's available for legitimate business use (2). 

These are largely social problems, with primarily social solutions. First set policy that restricts users from 
misbehaving. If they refuse to behave / they are management, then enforce that policy with technology if needed. Oracle 
DBA needs a 7GB patch file? Please schedule it for off-peak hours. Or use a download manager to throttle the bandwidth, 
and/or schedule it for later (3). 

Block what torrent and peer-to-peer file sharing protocols you can at the firewall if you find them to be a problem. 
You'll need some amount of application-layer awareness, or "deep packet inspection" (tm). Some firewalls will do this 
natively, others need help (4).

Users can't keep themselves away from YouTube / Hulu / XM Radio / Pandora / Netflix? Transparently proxy their traffic 
and block the domain(s). Last I checked, Squid was the de facto open source solution (5). It's been a while, but I 
understand Squid can be a challenge to seamlessly integrate with back-end auth systems. (I've used it, but I'm far from 
an expert on Squid.)

I don't know if there are Squid extensions that will perform QOS-style bandwidth management tasks. I've had excellent 
results from Blue Coat products in our relatively homogeneous Windows / AD environment. You might also try Microsoft 
Forefront TMG (née ISA Server). Lots of other solutions - both commercial and open source - exist in this space. What 
fits for you will depend heavily on your environment, your budget, and how much time you're willing to commit to 
shaping the solution to your needs.

Good luck!

- Dan

(1) Cheap monitoring:
     http://oss.oetiker.ch/mrtg/
     http://cacti.net/
     http://humdi.net/vnstat/
     http://www.paessler.com/prtg

(2) See "The War Between Mice and Elephants":
     http://web.cs.wpi.edu/~rek/DCS/D04/MiceElephants04.pdf

(3) Automating downloads:
     http://www.freedownloadmanager.org/
     http://sourceforge.net/projects/dfast/
     http://download.oracle.com/docs/cd/B19306_01/rac.102/b28759/softpatch.htm
     http://www.gnu.org/software/wget/

(4) Blocking bittorrent:
     http://www.lowth.com/rope/BlockingBittorrent

(5) Proxy internet traffic:
     http://www.squid-cache.org/


Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA 
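
Added example, not part of the original message: a squid.conf sketch of the proxy approach described above, denying streaming domains to a client subnet during working hours and rate-limiting the remaining traffic with Squid's delay pools. The subnet, domain list, hours and rates are constructed placeholders; it assumes Squid 3.1 or later built with delay pools enabled, and only plain HTTP redirected to the intercept port reaches these rules.

```conf
# --- Constructed example: adjust every value to your own environment ---

# Port that the firewall/router redirects outbound TCP/80 to.
# (Older Squid releases spell this option "transparent".)
http_port 3128 intercept

# Client subnet allowed to use the proxy (placeholder documentation range).
acl localnet src 192.0.2.0/24

# Streaming sites named in the thread; a leading dot matches all subdomains.
acl streaming dstdomain .youtube.com .hulu.com .pandora.com .netflix.com

# Monday to Friday, 08:00-18:00 (H = Thursday in Squid's day codes).
acl business_hours time MTWHF 08:00-18:00

# Rules are evaluated top to bottom; the first match wins.
# 1. Deny streaming domains to internal clients during business hours.
http_access deny localnet streaming business_hours
# 2. Allow everything else from internal clients.
http_access allow localnet
# 3. Refuse anyone who is not on the internal subnet (no open proxy).
http_access deny all

# --- Bandwidth shaping with delay pools ---
# One pool of class 2: one aggregate bucket plus one bucket per client IP.
delay_pools 1
delay_class 1 2

# Format: delay_parameters <pool> <aggregate> <per-host>
# Each bucket is restore-rate/bucket-size, in bytes per second / bytes.
#   aggregate: about 8 Mbit/s shared by all clients
#   per-host:  about 1 Mbit/s sustained, 250 KB burst
delay_parameters 1 1000000/1000000 125000/250000

# Apply the pool to internal clients only.
delay_access 1 allow localnet
delay_access 1 deny all
```

Check the file with `squid -k parse` before reloading, and confirm in access.log that blocked requests show TCP_DENIED for the listed domains.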