Firewall Wizards mailing list archives

Re: Traffic Management


From: "Swift Griggs" <ssgriggs () usa net>
Date: Wed, 14 Feb 2001 19:39:26 -0700 (MST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 9 Feb 2001 bparis () sorrentolactalis com wrote:
- -=>   Recently we've been experiencing "congestion" of our internet
- -=>pipe. We've tried restricting various things like Napster, Gnutella
- -=>and the like with varying degrees of success, but as more and more
- -=>users come onto our LAN/WAN we've noticed our performance
- -=>decreasing. Rather than manage this at our firewall (with many many
- -=>rules), I'd like to know how you manage your traffic. What do you
- -=>use?

        I'd recommend upgrading your network first and foremost. Cascading
switches on gigabit fabrics or very high speed backplanes tend to be the
best solution to layer 2 congestion. This may seem like a "brute force"
solution, but it's usually the most appropriate. Barring that you can also
use VLANs to segment bursty or broadcast prone segments (like tons of
winbl^H^Hdows clients broadcasting and holding SMB elections). Segmenting
server farms behind clustering devices is a definite to-do as well.
        If you want to track down and eliminate activities which are not
business related (i.e., Quake, streaming porn, icecast), then look into a
decent sniffer or check out a NIDS box that can do TCP (and limited UDP)
session killing like Sessionwall, Dragon, ISS RealSecure, NetProwler,
Cisco IDS, or SNORT which can kill these services when it detects
them. This gives you an added benefit of being able to log the
perpetrators and thus tap them on the shoulder to knock it off. Once the
word gets out that segments are being "watched" and people are actively
getting nasty-grams, you'll probably see less unnecessary traffic. My
experience is that it's pretty tough to control. 
        Hardware upgrades for the network need to keep up with the demands
of the users. That's not to say that people should be given free rein to
take over the network with obnoxious and wasteful activities.

SWiFT GRiGGS | NiC SG1991 | PGP D38E3D91 | SSGRiGGS () USA NET
Non Illegitemus Carborundum.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6i0Fhgta6ENOOPZERAlAIAJwPCTE1nW2gu/aHe1Y8T5KXM1aXywCfZ9p0
Q1Bca/6tAjL8Teye2znM41Y=
=pL9G
-----END PGP SIGNATURE-----
