
Bandwidth Management in Radware’s APSolute OS Architecture

North America

Radware Inc.

575 Corporate Dr Suite 205

Mahwah, NJ 07430

Tel 888 234 5763

International

Radware Ltd.

22 Raoul Wallenberg St

Tel Aviv 69710, Israel

Tel 972 3 766 8666

www.radware.com


Bandwidth Management White Paper, January 2005

Introduction

Radware’s APSolute OS architecture is made up of five modules, each with its own rich set of features: Traffic Redirection, Health Monitoring, Bandwidth Management, Application Security and DoS Shield. The Traffic Redirection module is responsible for the actual load balancing of user sessions among the available resources, be they application servers, content servers, security servers (IDS servers, anti-virus gateways, URL filters) or ISP links. The Health Monitoring module is responsible for assuring that the resources being managed are available, healthy, and capable of handling user traffic. These two modules incorporate the traditional feature sets of Radware products.

For a complete APSolute OS implementation, the Bandwidth Management, Application Security and DoS Shield modules can be added to the Traffic Redirection and Health Monitoring modules. The Bandwidth Management module includes a feature set that allows administrators to have full control over their available bandwidth. Using these features, applications can be prioritized according to a wide array of criteria, while taking the bandwidth used by each application into account. As sessions are prioritized, bandwidth thresholds can be configured to ensure a guaranteed bandwidth for a certain application and/or to keep it below a pre-determined bandwidth limit. The Application Security module includes a feature set that enables Radware’s products to protect sensitive network resources against security risks. The system includes advanced security measures such as server overload protection and the ability to hide resources from the general Internet population. This is coupled with advanced security for the sensitive resources that APSolute OS protects, including detection and prevention of over 1,500 malicious attack signatures, covering trojan, backdoor, DoS and DDoS attacks.

The purpose of this white paper is to discuss the Bandwidth Management module in Radware’s APSolute OS architecture. First, some basic concepts will be discussed, followed by a full discussion of Radware’s implementation. This document is updated to version 10.20 of the Bandwidth Management module. Although future enhancements to the module will be made, the underlying fundamentals will be the same as those discussed here.

Note: In order to benefit from the full feature set of the Bandwidth Management module, the module has to be activated with a BWM and IPS Activation Key.

What is Bandwidth Management?

Bandwidth management, in general, is a simple concept. The idea is to be able to differentiate or classify traffic according to a wide array of criteria and then assign various priorities to each classified packet or session. For example, bandwidth management allows an administrator to give HTTP traffic a higher priority than SMTP traffic, which in turn may have a higher priority than FTP traffic. At the same time, a bandwidth management solution can track the actual bandwidth used by each application, set limits on how much bandwidth each classified traffic pattern can utilize and, in addition, set the guaranteed bandwidth for each application.

There are a variety of methods used to enforce the bandwidth management policies configured by an administrator. The simplest method is to discard packets when certain thresholds are reached or when certain pre-allocated session buffers are overflowing. More complex mechanisms include TCP rate shaping and priority based queuing.

TCP rate shaping uses the inherent flow control mechanisms of the TCP protocol. By adjusting parameters in the packets’ TCP headers (typically the advertised receive window), a bandwidth management solution can signal the end nodes to throttle the rate at which packets are transmitted. Needless to say, the mechanism only works with TCP sessions. TCP rate shaping also has some uncertainties associated with it, as the amount of bandwidth associated with a session can rarely be exactly enforced. Rate shaping also does not work well with protocols that use short-lived sessions (such as HTTP), since such sessions usually end before the bandwidth manager has decided how to shape the rate of the session.

Priority based queuing is a mechanism by which all classified packets are placed in packet queues, each with its own preset priority. A number of queues are available and, when it comes to traffic forwarding, packets are forwarded from the higher priority queues first. This is an oversimplified version of what really happens, but it presents the general concept. Various algorithms and safety measures should be deployed to ensure methodical packet forwarding as well as protection against starvation, where lower priority packets wait in queues for intolerably long amounts of time.

Radware’s Bandwidth Management solution uses priority queues as the fundamental framework behind its operation. The remainder of this document will concentrate on the details of Radware’s implementation.

General Overview of Radware’s Implementation

Although the general concept of bandwidth management is simple, the complexity lies within the implementation and the intricacies therein. To present Radware’s bandwidth management solution, it is best to first start with general concepts and analyze the basic logical flow of packets/sessions as they go through the bandwidth management system. The following diagram describes the general components and tasks that make up Radware’s bandwidth management mechanism:

There are 4 major components in the system: the classifier, the queues, the scheduler and the policy database.

The packet first flows into the system through the classifier. It is the classifier’s duty to decide what to do with the packet. A very comprehensive set of user-configurable policies, which make up the policy database, controls how the classifier identifies each packet and what it does with each packet. The policy database will be discussed in greater detail later in this document.

When the classifier sees the packet, it can do one of three things:

• Discard the packet – This allows the classifier to provide a very robust and granular packet filtering mechanism.

• Forward the packet in real time – This means that the packet bypasses the entire bandwidth management system and is immediately forwarded by the device. The end result is effectively the same as if bandwidth management was not enabled at all.

• Prioritize the packet – This allows the mechanism to provide actual bandwidth management services.

How the classifier treats the packet is governed by the policy that best matches the packet. After the classifier prioritizes the packet, it places it into a queue, and the queue carries a priority from 0 to 7, with 0 being the highest priority and 7 the lowest. Each policy gets its own queue. So, the number of queues is equal to the number of policies in the policy database, and each queue is labeled with one of the 8 priorities 0-7. This means that there could be 100 queues (if there are 100 policies), each with a label from 0-7.

Finally, it is the job of the scheduler to take packets from the many queues and forward them. The scheduler operates through one of two algorithms: WFQ (Weighted Fair Queuing) and CBQ (Class Based Queuing).

With the WFQ algorithm, the scheduler gives each priority a preference ratio of 2:1 over the immediately adjacent lower priority. In other words, a priority 0 queue has twice the weight of a priority 1 queue, which has twice the weight of a priority 2 queue, and so on. The general flow of the cyclic algorithm can be presented as the following chain of packets: 0,0,1,0,0,1,2,0,0,1,0,0,1,2,3, etc.

Note that two packets with priority 0 are forwarded before a packet with priority 1, two packets with priority 1 are forwarded before a packet with priority 2, and so on. Remember that each policy has its own queue, which means there could be many queues with a priority of 0. The scheduler systematically goes through the queues of the same priority when it is time to forward a packet with that priority.

The CBQ algorithm has the same packet-forwarding pattern as the WFQ algorithm, with one significant difference: the CBQ algorithm is aware of a predefined bandwidth configured per policy. Recall that each policy has its own queue. As policies are configured, they can be given a minimum (guaranteed) allotted bandwidth, in Kbps (this will be discussed in detail later).

This is a good time to discuss the concept of bandwidth borrowing. As already discussed, if the scheduler is operating through the CBQ algorithm, it forwards packets from queues while considering the minimum (guaranteed) bandwidth configured by that queue’s policy. If borrowing is enabled and the scheduler visits a queue whose bandwidth has been exceeded (or is about to be exceeded), then the scheduler checks whether any other policy has leftover bandwidth. If such a policy is found, bandwidth is borrowed from that policy and allocated to the policy whose bandwidth limit is about to be violated. This allows a scheduling scheme where available bandwidth can be used from other queues if the queue in question has exceeded its configured allotment.

If a borrowing limit is set for a certain policy, the limit is examined as its queue is visited for packet forwarding. If forwarding this packet from the queue would violate the limit configured within the policy, then the scheduler skips this packet and chooses another packet from another queue of the same priority. This way, the classifier can govern the scheduler and not allow certain applications to go over a pre-defined bandwidth allotment.
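The 2:1 chain and the skip rule described above, as an added example written for this page (not Radware code): one cycle of the chain is generated recursively, queues that share a priority are visited round-robin, and in CBQ mode a queue whose forwarding would exceed its allotment is skipped in favour of another queue of the same priority. How the device really realises the ratio is not published; the recursion, the packet sizes and the use of a kbit budget per simulation window to stand in for a Kbps limit are assumptions of this example.

```python
"""Simulation of the cyclic WFQ / CBQ forwarding pattern described above.

Added example, not Radware code. The recursion in wfq_cycle() is one
construction that reproduces the chain 0,0,1,0,0,1,2,0,0,1,0,0,1,2,3,...
exactly (assumption). Packet sizes are in kbit and a CBQ "bandwidth" is
modelled as a kbit budget for the simulated window (assumption).
"""
from collections import deque

NUM_PRIORITIES = 8  # priority 0 is highest, 7 is lowest


def wfq_cycle(lowest=NUM_PRIORITIES - 1):
    """One full cycle of the 2:1 priority chain.

    S(0) = [0] and S(n) = S(n-1) + S(n-1) + [n], so priority p appears
    2**(lowest - p) times per cycle: twice as often as priority p+1.
    """
    seq = [0]
    for p in range(1, lowest + 1):
        seq = seq + seq + [p]
    return seq


class PolicyQueue:
    """One queue per policy, labelled with the policy's priority."""

    def __init__(self, name, priority, packets_kbit, limit_kbit=0):
        if not 0 <= priority < NUM_PRIORITIES:
            raise ValueError("priority must be 0..7")
        self.name = name
        self.priority = priority
        self.packets = deque(packets_kbit)  # sizes of the queued packets
        self.limit_kbit = limit_kbit        # 0 = no CBQ limit (plain WFQ)
        self.sent_kbit = 0


class Scheduler:
    def __init__(self, queues, cbq=False):
        self.queues = list(queues)
        self.cbq = cbq
        self.cycle = wfq_cycle()
        # round-robin position per priority, so queues sharing a priority
        # are visited systematically instead of always the first one
        self.rr = {p: 0 for p in range(NUM_PRIORITIES)}

    def forward_one(self, priority):
        """Forward one packet from some queue of this priority; None if none is eligible."""
        cands = [q for q in self.queues if q.priority == priority]
        if not cands:
            return None
        start = self.rr[priority]
        for i in range(len(cands)):
            q = cands[(start + i) % len(cands)]
            if not q.packets:
                continue
            size = q.packets[0]
            if self.cbq and q.limit_kbit and q.sent_kbit + size > q.limit_kbit:
                # CBQ with a limit: forwarding would violate the policy's
                # allotment, so skip to another queue of the same priority
                continue
            q.packets.popleft()
            q.sent_kbit += size
            self.rr[priority] = (start + i + 1) % len(cands)
            return q.name
        return None

    def run(self, slots):
        """Walk the chain for `slots` positions; return the names of the queues served."""
        served = []
        for i in range(slots):
            name = self.forward_one(self.cycle[i % len(self.cycle)])
            if name is not None:
                served.append(name)
        return served


def forwarded_counts(queues, slots, cbq=False):
    """Packets forwarded per queue after `slots` chain positions."""
    served = Scheduler(queues, cbq=cbq).run(slots)
    return {q.name: served.count(q.name) for q in queues}


if __name__ == "__main__":
    # constructed demo: one saturated queue per priority, one full cycle
    qs = [PolicyQueue(f"p{p}", p, [1] * 300) for p in range(NUM_PRIORITIES)]
    print(forwarded_counts(qs, len(wfq_cycle())))
```

Over one full cycle of 255 positions a saturated priority 0 queue is served 128 times and a priority 7 queue once, which is the 2:1 ratio per step; two queues at the same priority split those slots between them, and a CBQ-limited queue hands its remaining slots to its neighbour rather than to lower priorities.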

Bandwidth Management Operating Modes

Now that the general concepts of the system have been discussed, it is time to delve into the details of the bandwidth management operating mechanism.

Bandwidth management offers several operating options to allow for a large range of applications. Each of the following parameters can be configured by an administrator in order to best match the needs of the network.

Classification Mode

This parameter determines whether the bandwidth management mechanism is enabled or disabled. When enabled, the classifier and the policy database will see packets as they flow through the device. When disabled, the bandwidth management mechanism is inactive and does not operate.

Note: Changing the status of classification mode requires a device reset.

When classification is enabled, this parameter defines the type of classification to be used:

1. Disabled – The Bandwidth Management module is disabled.

2. Policies – The device classifies each packet by matching it to policies configured by the user. The policies can use various parameters, such as source and destination IP addresses, application, and so on. If required, the DSCP field in the packets can be marked according to the policy the packet matches.

3. Diffserv – The device classifies packets only by the DSCP (Differentiated Services Code Point) value.

4. ToS – The device classifies packets only by the ToS (Type of Service) bits.

Note that in the Diffserv and ToS modes the device trusts marks that are already present in the packet; any sender can set them, so these modes are only appropriate behind a trusted marking point.

Application Classification

This option integrates the general bandwidth management module with the specific Radware device that hosts it. All Radware devices operate through the Session Table for traffic which is only passing through the device, or through the Client Table for traffic which is load balanced by the device. Classification therefore happens in one of two places: either as a packet causes an entry to be made in the Client Table, or as a packet is about to be forwarded by the device and an entry is created in the Session Table. A packet cannot be classified twice.

If Application Classification is defined as Per Packet, the classifier will classify every packet that flows through the device. In this mode, every single packet must be individually classified.

If Application Classification is defined as Per Session, all packets are classified by session. An intricate algorithm is used to classify the packets of a session until a best-fit policy is found, fully classifying the session. Once the session is fully classified, all packets that match that Client Table entry are classified according to the classification of the session. This not only allows for true session classification but also saves some overhead for the classifier, as it only needs to classify sessions, and not every single packet. Application Classification, where applicable, is a powerful tool for true session management, which is an integral part of all Radware devices.

Scheduler Algorithm

As already discussed, the scheduler can operate in one of two modes: Cyclic (WFQ) and CBQ. Both operate in the same packet queue sequence (2:1), with the CBQ algorithm being aware of the bandwidth associated with each configured policy. In other words, the Cyclic algorithm works only with prioritization, and is not aware of any bandwidth limitations, configured or otherwise. Note that unless CBQ is used, policies cannot be configured with an associated bandwidth.

Random Early Detection (RED)

The RED algorithm can be used to protect queues from overflowing, which may cause serious session disruption. The algorithm draws on the inherent retransmission and flow control characteristics of TCP.

When all queues are full, packets are dropped from all sessions. All TCP session endpoints are forced to use flow control to slow down, so every session is throttled and retransmissions become necessary. Furthermore, UDP packets are dropped and lost, since UDP does not have any inherent packet recovery mechanism. The purpose of RED is to prevent queue overflows before they happen.

When the RED algorithm is deployed, the status of the queues is monitored. When the queues are approaching full capacity, random TCP packets are intercepted and dropped.

Note: only TCP packets are dropped, and packet selection is entirely random. This protects the queues from becoming completely full, causing less disruption across all TCP sessions, and also protects UDP packets. The flip side is that RED never slows a UDP flood; UDP traffic must be reined in by a Block action or a bandwidth limit in the policy database.

Radware’s bandwidth management mechanism deploys RED in two forms: Global RED and Weighted RED (WRED).

When Global RED is used, RED is deployed just prior to the classifier, as shown in the figure below:

RED is activated when 25% of the capacity of all the queues is reached. The probability of a packet being dropped increases until 75% of the total queue size (for all the queues) is reached. At that point, all TCP packets are dropped. So, Global RED monitors the capacity of all the queues (i.e. the global set of queues) and randomly discards TCP packets before the classifier sees them.

With WRED, the algorithm is deployed after the classifier and per queue (instead of for all the packets in all the queues). The general concept is shown in the figure below:

As shown above, each queue uses RED independently of the other queues. So, a queue with priority 1 may be dropping TCP packets, while a queue with priority 2 (or another queue with priority 1) is not.

The second difference between WRED and Global RED is that the priority of the queue affects whether a packet gets dropped or not. The thresholds are still at 25% and 75%. In other words, when a queue hits 25% of its full capacity, packets start being dropped, with the probability of a drop (only for that queue) increasing as the queue approaches 75% of its capacity. However, the priority of the queue has a direct effect on the probability of a packet drop: queues with lower priority have a higher probability of having a packet dropped. For example, if queue1 with priority 0 and queue2 with priority 3 are both at 30% capacity, a new TCP packet for queue2 will have a higher probability of being dropped than a new TCP packet for queue1.
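The RED/WRED decision above, as an added example written for this page (not Radware code). The 25% and 75% thresholds, the TCP-only rule and "lower priority drops sooner" come from the text; the linear ramp between the thresholds and the per-priority weight (1 + priority/7, so a priority 7 queue ramps twice as fast as a priority 0 queue) are assumptions, since the paper does not give the curve.

```python
"""RED / WRED drop decision as described above.

Added example, not Radware code. Thresholds and the TCP-only rule follow the
white paper; the linear ramp and the priority weight are assumptions.
"""
import random

MIN_TH = 0.25          # RED starts dropping at 25% occupancy
MAX_TH = 0.75          # at 75% every TCP packet is dropped
LOWEST_PRIORITY = 7


def drop_probability(fill, priority=None):
    """Drop probability for a queue at `fill` (0..1) occupancy.

    priority=None models Global RED (aggregate of all queues, applied before
    the classifier); an integer 0..7 models WRED for one queue of that priority.
    """
    if not 0.0 <= fill <= 1.0:
        raise ValueError("fill must be a fraction 0..1")
    if fill <= MIN_TH:
        return 0.0
    if fill >= MAX_TH:
        return 1.0
    base = (fill - MIN_TH) / (MAX_TH - MIN_TH)   # linear ramp 0..1 (assumption)
    if priority is None:
        return base
    if not 0 <= priority <= LOWEST_PRIORITY:
        raise ValueError("priority must be 0..7")
    weight = 1.0 + priority / LOWEST_PRIORITY     # 1.0 .. 2.0 (assumption)
    return min(1.0, base * weight)


def red_decision(proto, fill, priority=None, draw=None):
    """True if the packet should be dropped.

    Only TCP is ever dropped by RED: UDP has no retransmission, so it is passed
    through. `draw` lets a caller supply the random number for reproducibility.
    """
    if proto != "TCP":
        return False
    if draw is None:
        draw = random.random()
    return draw < drop_probability(fill, priority)


def aggregate_fill(queues):
    """Global RED input: total occupancy of all queues over their total capacity.

    `queues` is a list of (occupied, capacity) pairs.
    """
    occupied = sum(o for o, _ in queues)
    capacity = sum(c for _, c in queues)
    if capacity <= 0:
        raise ValueError("no queue capacity")
    return occupied / capacity


if __name__ == "__main__":
    # constructed demo: the text's example, priority 0 vs priority 3 at 30%
    print(drop_probability(0.30, 0), drop_probability(0.30, 3))
```

At 30% occupancy the priority 0 queue drops with probability 0.1 and the priority 3 queue with about 0.14; both reach 1.0 at 75%, and a UDP packet is never dropped whatever the occupancy.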

Classifier and Policy Database

Now that the general concepts of the APSolute OS bandwidth management module have been discussed, the details of the classifier and the policy database that drives it will be explored.

The policy database consists of two sections. The first is the temporary or inactive section. Policies belonging to the inactive database can be altered and configured without affecting the current operation of the device. As these policies are adjusted, the changes do not affect the flow of packets unless the inactive database is activated. The activation updates the active policy database, which is what the classifier uses to sort the packets that flow through it. The second section of the policy database is the active policies, by which the device actually classifies the traffic. In order to activate the inactive database, the administrator has to manually update the policy database.

When the classifier classifies the traffic it scans the policy database from the top until the packet/session matches one of the policies. Once there is a match the classifier stops the scan. Hence it is important to order the policies according to the volume of traffic, placing the most common protocol first. Because the first match wins, a broad policy placed above a more specific one also shadows it, so ordering matters for correctness and not only for performance.

Default Policy: The last policy in the policy database is the default policy. All traffic that is not matched by a user-defined policy is matched by the default policy. By default, the default policy forwards traffic with priority 4.

Policy Components

A policy has two main functions:

• To define how traffic should be classified to match the policy

• To define which action is to be applied to the classified traffic

Traffic can be classified according to the following parameters:

Inbound Physical Port Group

Enables the user to set different policies for identical traffic classes that are received on different interfaces of the device. For example, the user can allow HTTP access to the main server only for traffic entering the device via physical interface 3. This provides greater flexibility in configuration. The user should first configure Port Groups.

VLAN Tag Group

In environments where VLAN tagging is used, it may be required to differentiate between different types of traffic using VLAN tags. This field allows the user to define policies that classify traffic according to VLAN tag. The user should first configure VLAN Tag Groups.

Note: This feature is not supported by Application Switch 3.

Source Address

Packets with source IP addresses that match the Source Address field will be considered. The Source Address can be either a specific host IP address, or one of a set of configured Networks.

A Network list is configured separately, and individual elements of the Network list are then used in the individual policy. An entry in the Network list is known by a configured name and can be either a range of IP addresses (from IPa to IPb) or a network address with a subnet mask. In addition, a Network can encompass multiple disjoint IP address ranges or a group of discrete IP addresses. This is achieved by allowing multiple entries in the Networks table to have the same name. For example, in order to group the network 10.0.0.0/24 and the range 10.10.10.13 – 10.10.10.243, the network names for the two entries must be identical.

Note: In order to configure policies where the destination IP address is the device’s interface, it is mandatory to explicitly specify the IP address and not to create a Network containing the interface’s IP address.

Destination Address

Packets with destination IP addresses that match the Destination Address field will be considered. The semantics of Destination Address are exactly the same as those of the Source Address.


Direction

A policy can be configured as a OneWay policy or a TwoWay policy. OneWay policies will only look at packets from the configured Source Address to the configured Destination Address (as described above). In OneWay policies, returning packets will not be matched to the policy. A TwoWay policy will look at packets in both directions, matching on source IP and source port as well as destination IP and destination port. If application ports are also defined for this policy (see Service), direction takes this into account as well. For example, if a TwoWay policy is configured for HTTP traffic from Source A to Destination B, the policy will match the following:

Source IP = IPa, Source Port X, Destination IP = IPb, Destination Port 80

as well as

Source IP = IPb, Source Port 80, Destination IP = IPa, Destination Port X

This means that a client in network A will be able to communicate with a web server in network B, but a client in network B will not be able to communicate with a web server in network A.

Service

The Service associated with a policy takes the capabilities of the classifier far beyond simple identification by source and destination IP addresses. The Service configured per policy can allow the policy to consider many other aspects of the packet. The Service can consider the protocol (IP/TCP/UDP), TCP/UDP port numbers, bit patterns at any offset in the packet, and actual content (such as URLs or cookies) deep in the upper layers of the packet. Available Services are very granular, and as such warrant a complete discussion, which immediately follows the analysis of the policy database, below.
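The first-match scan, the default policy, Networks that span several entries under one name, OneWay/TwoWay direction and a protocol/port Service, put together as an added example written for this page (not Radware code). The vocabulary (Network, Policy, Service, TwoWay, the default policy with priority 4) is the paper's; the data layout, the "any" wildcard and the matching code are this example's own assumptions, and only protocol and destination port are modelled for the Service.

```python
"""First-match policy classification with named Networks, direction and service.

Added example, not Radware code. Names follow the white paper's vocabulary;
the data layout and the matching logic are this example's assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Network table: several entries may share one name, so one Network can hold
# disjoint ranges and CIDR blocks at once (10.0.0.0/24 plus
# 10.10.10.13-10.10.10.243 in the text). Values are inclusive integer ranges.
NETWORKS = {}


def add_network(name, spec):
    """spec is 'a.b.c.d-e.f.g.h' (inclusive range) or 'a.b.c.d/nn'."""
    if "-" in spec:
        lo, hi = (int(ipaddress.ip_address(s.strip())) for s in spec.split("-", 1))
        if lo > hi:
            raise ValueError("range start is after range end")
    else:
        net = ipaddress.ip_network(spec, strict=False)
        lo, hi = int(net.network_address), int(net.broadcast_address)
    NETWORKS.setdefault(name, []).append((lo, hi))


def in_network(name, ip):
    if name == "any":          # wildcard, an assumption of this example
        return True
    if name not in NETWORKS:
        raise KeyError(f"unknown Network {name!r}")
    n = int(ipaddress.ip_address(ip))
    return any(lo <= n <= hi for lo, hi in NETWORKS[name])


@dataclass(frozen=True)
class Service:
    proto: str                   # "IP", "TCP" or "UDP"
    port: Optional[int] = None   # destination port; None = any port


@dataclass(frozen=True)
class Policy:
    name: str
    src: str                     # Network name or "any"
    dst: str
    service: Service
    direction: str               # "OneWay" or "TwoWay"
    action: str                  # "Forward", "Block", "BlockReset", "BlockBiReset"
    priority: object = 4         # 0..7 or "RealTime"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int


def _service_ok(svc, proto, port):
    if svc.proto != "IP" and svc.proto != proto:
        return False
    return svc.port is None or svc.port == port


def matches(policy, pkt):
    # forward direction: src -> dst, service checked on the destination port
    if (in_network(policy.src, pkt.src_ip) and in_network(policy.dst, pkt.dst_ip)
            and _service_ok(policy.service, pkt.proto, pkt.dst_port)):
        return True
    if policy.direction != "TwoWay":
        return False
    # TwoWay: the returning packet has the roles swapped, so the service port
    # now appears as the SOURCE port (IPb:80 -> IPa:X in the text)
    return (in_network(policy.src, pkt.dst_ip) and in_network(policy.dst, pkt.src_ip)
            and _service_ok(policy.service, pkt.proto, pkt.src_port))


# last policy in the database: forwards everything with priority 4
DEFAULT = Policy("default", "any", "any", Service("IP"), "OneWay", "Forward", 4)


def classify(policy_db, pkt):
    """Scan the policies in order and stop at the first match; else DEFAULT."""
    for policy in policy_db:
        if matches(policy, pkt):
            return policy
    return DEFAULT


if __name__ == "__main__":
    # constructed demo with the text's Network A and a TwoWay HTTP policy to B
    add_network("A", "10.0.0.0/24")
    add_network("A", "10.10.10.13-10.10.10.243")
    add_network("B", "192.0.2.0/24")
    db = [Policy("web-A-to-B", "A", "B", Service("TCP", 80), "TwoWay", "Forward", 1)]
    print(classify(db, Packet("10.10.10.100", "192.0.2.5", "TCP", 40000, 80)).name)
```

With that policy the request from A and the reply from the web server in B both classify to "web-A-to-B", while a client in B connecting to port 80 in A falls through to the default policy, exactly the asymmetry the Direction section describes.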

Traffic Flow Identification

Bandwidth Management provides the ability to limit allocated bandwidth per single traffic flow. A traffic flow can be defined as all traffic that comes from a client IP, as a single session’s traffic, and so on. The Traffic Flow Identification field defines what type of traffic flow is limited by this policy. The available options are:

• Client (source IP)

• Session (source IP and port)

• Connection (source IP and destination IP)

• Full Layer4Session (source and destination IP and port)

• SessionCookie (must configure Cookie Field Identifier)

Classification Point

By the nature of Traffic Redirection and Load Balancing decisions, the device has to modify packets when it forwards them to and from the servers. In AppDirector, for example, the client’s traffic is destined to the Layer 4 Policy VIP; when AppDirector makes a Load Balancing decision and forwards the packet to the selected server, it has to change the destination IP address to the server’s real IP address. On LinkProof, clients use their own IP addresses, and after LinkProof forwards the traffic to the NHR it uses SmartNAT and changes the source IP address. Bandwidth Management allows administrators to select at which point in the traffic flow the classification is performed: before modifying the packet or after the modification. The choice decides which addresses a policy must be written against: a policy naming a server’s real IP only matches after the modification, one naming the VIP only before it.


Bandwidth Management Rules

The following rules are applied to the matched traffic:

• Action

The action associated with the policy governs the action taken if the packet is a successful match. There are 4 options:

1. Forward – the packet is forwarded. It can either be forwarded in real time, or it can be placed in a priority queue, as defined below.

2. Block – the packet is dropped.

3. Block and reset – the packet is dropped and a TCP Reset is sent to the source.

4. Block and bidirectional reset – the packet is dropped and TCP Resets are sent to both endpoints of the packet: the source and the destination.

The two block-and-reset options will only send TCP Reset packets if the session is TCP. This is very useful if the classifier is looking for content that can only be seen after successful session establishment. Blocking of certain HTTP GETs is a good example of a useful block-and-reset action, since a GET is sent only after a TCP session is established.

When a packet is blocked by the Bandwidth Management module, system administrators may configure the module to send a trap reporting the blocked packets (including source IP, source port and policy index) by enabling the Report Block Packets flag.

• Priority

If the action associated with the policy is Forward, then the packet will be classified according to the configured priority. There are 9 options available: real time forwarding and priorities 0 through 7.

Note: Prioritization takes place only when the physical ports are saturated. Therefore it is mandatory to set the Port Bandwidth parameters for each physical port.

• Guaranteed Bandwidth

If the CBQ algorithm is deployed for the scheduler, the policy can be assigned a minimum (guaranteed) bandwidth. The scheduler will not allow packets that are classified through this policy to exceed the allotted bandwidth, unless borrowing is enabled. Note that the maximum bandwidth configured for the entire device, as described above, overrides per-policy bandwidth configurations. In other words, the sum of the guaranteed bandwidth for all the policies cannot be higher than the total device bandwidth.

• Borrowing Limit

As discussed above, bandwidth borrowing can be enabled when the scheduler operates through the CBQ algorithm. If enabled, the scheduler borrows bandwidth from queues that can spare it, in order to forward packets from queues that have exceeded (or are about to exceed) their allotted amount of bandwidth.

The combination of the Guaranteed Bandwidth and Borrowing Limit values causes the bandwidth allotted to a policy to behave as follows:

Guaranteed Bandwidth   Borrowing Limit   Policy bandwidth
0                      0                 Burstable with no limit, no minimum guaranteed.
X                      0                 Burstable with no limit, minimum of X guaranteed.
0                      Y                 Burstable to Y, no minimum guaranteed.
X                      Y (Y > X)         Burstable to Y, minimum of X guaranteed.
X                      X                 Non-burstable, X guaranteed.

• Traffic Flow Max Bandwidth

Bandwidth Management introduces the ability to limit allocated bandwidth per single traffic flow. A traffic flow can be defined as all traffic that comes from a client IP, as a single session’s traffic, and so on. This functionality provides Radware customers with:

• Flexibility to set a general rule that is applicable for all users, thus eliminating the need to set individual rules per user.

• Ability to protect applications and services from excessive use and DoS attacks by limiting the number of open sessions per user.

• Ability to provide fair service to all users by limiting the amount of bandwidth allocated to each user or session.

Business examples – ISPs

To an ISP this functionality can provide the following benefits:

• Protect their infrastructure from excessive usage of P2P applications by limiting P2P traffic per client.

• Control FTP downloads from hosted sites by:

o Limiting FTP traffic per each session.

o Limiting the number of concurrent sessions a client can open.

• Generate more revenue by offering differentiated download services for hostedsites.

• Protect key applications such as DNS from DoS by limiting number of opensessions per user.


Business examples – Universities

To a university this functionality can provide the following benefits:

• Protect their infrastructure from excessive usage of P2P applications by:

o Limiting P2P traffic per client.

o Limiting the overall traffic consumed by P2P applications.

o Controlling the bandwidth consumed by each student.

The Traffic Flow Max Bandwidth value is the maximum bandwidth allocated to each traffic flow, as defined by the Traffic Flow Identification field.

• Maximum Concurrent Sessions

The maximum number of concurrent sessions allowed for each traffic flow defined in the Traffic Flow Identification field (if the traffic flow is defined as Session, this parameter is not applicable, since every session is then its own flow). Note that when the flow is identified by client IP, all users behind one NAT gateway or proxy share a single flow and therefore a single limit.

• Limit number of HTTP requests per Traffic Flow

Sometimes it is not sufficient to limit only the number of concurrent connections or to limit bandwidth, since some servers are sensitive to the number of new HTTP GET requests per second. When such servers are in use, a user may send numerous requests, which slows down the servers. An attacker can also easily attack the server by sending many requests per second.

Using Bandwidth Management per Traffic Flow, it is possible to limit the number of HTTP requests per second per traffic flow. Using this parameter, the administrator can limit the number of HTTP GET, POST and HEAD requests arriving from the same user per second. When this parameter is configured, the Bandwidth Management module keeps track of new requests per second per traffic flow, whether the traffic flow identification is SessionCookie or any other parameter. Bear in mind that a cookie value is supplied by the client, so an attacker can spread requests over many cookie values; against deliberate abuse, the client IP (or a combination that includes it) is the more robust key.
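The per-traffic-flow limits above (Maximum Concurrent Sessions and the HTTP requests-per-second limit, keyed by the Traffic Flow Identification options), as an added example written for this page (not Radware code). The five flow keys, the two limits and the "not applicable per Session" rule follow the text; the dictionary-based packet description, the fixed one-second window and the session identifiers are assumptions of this example.

```python
"""Per-traffic-flow limits: concurrent sessions and HTTP requests per second.

Added example, not Radware code. Flow identification options and the two
limits follow the white paper; data structures and the one-second fixed
window are this example's assumptions.
"""
from collections import defaultdict

# Traffic Flow Identification -> key extracted from a flow description dict
FLOW_KEYS = {
    "Client": lambda f: (f["src_ip"],),
    "Session": lambda f: (f["src_ip"], f["src_port"]),
    "Connection": lambda f: (f["src_ip"], f["dst_ip"]),
    "FullLayer4Session": lambda f: (f["src_ip"], f["src_port"], f["dst_ip"], f["dst_port"]),
    "SessionCookie": lambda f: (f["cookie"],),   # needs a Cookie Field Identifier
}


class TrafficFlowLimiter:
    def __init__(self, flow_id, max_sessions=0, max_http_rps=0):
        if flow_id not in FLOW_KEYS:
            raise ValueError(f"unknown Traffic Flow Identification {flow_id!r}")
        if flow_id == "Session" and max_sessions:
            # per the text: with Session as the flow, a concurrent-session
            # limit is not applicable (every session is its own flow)
            raise ValueError("Maximum Concurrent Sessions not applicable per Session")
        self.key = FLOW_KEYS[flow_id]
        self.max_sessions = max_sessions        # 0 = unlimited
        self.max_http_rps = max_http_rps        # 0 = unlimited
        self.open_sessions = defaultdict(set)   # flow key -> session ids
        self.req_window = {}                    # flow key -> (second, count)

    def session_open(self, flow, session_id):
        """Admit a new session for this flow; False once the flow is at its limit."""
        k = self.key(flow)
        if (self.max_sessions and session_id not in self.open_sessions[k]
                and len(self.open_sessions[k]) >= self.max_sessions):
            return False
        self.open_sessions[k].add(session_id)
        return True

    def session_close(self, flow, session_id):
        self.open_sessions[self.key(flow)].discard(session_id)

    def http_request(self, flow, method, now):
        """Admit an HTTP request at time `now` (seconds).

        Only GET, POST and HEAD are counted; False once the flow has already
        sent max_http_rps of them in the current wall-clock second.
        """
        if method not in ("GET", "POST", "HEAD") or not self.max_http_rps:
            return True
        k = self.key(flow)
        second = int(now)
        sec, count = self.req_window.get(k, (second, 0))
        if sec != second:
            sec, count = second, 0     # a new second starts a fresh window
        if count >= self.max_http_rps:
            self.req_window[k] = (sec, count)
            return False
        self.req_window[k] = (sec, count + 1)
        return True


if __name__ == "__main__":
    # constructed demo: per-client limits, four GETs inside one second
    lim = TrafficFlowLimiter("Client", max_sessions=2, max_http_rps=3)
    flow = {"src_ip": "198.51.100.10", "src_port": 40001,
            "dst_ip": "203.0.113.5", "dst_port": 80, "cookie": None}
    print([lim.http_request(flow, "GET", 100.0 + i * 0.1) for i in range(4)])
```

Keyed by Client, a third simultaneous session from the same source IP is refused until one closes, and the fourth GET within the same second is refused while another client's requests are unaffected; switching the key to SessionCookie makes each cookie value its own flow, which is why the caveat above prefers the client IP against deliberate abuse.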

•  Packet Marking

Refers to Differentiated Services Code Point (DSCP) or Diffserv . Enables the device tomark the packet with a range of bits when the packet is matched to the policy.

•  Policy Groups

BWM allows users to define several bandwidth borrowing domains on a device by organizing policies in groups. Only policies that participate in a specific group can share bandwidth. The total bandwidth available for a policy group is the sum of the Guaranteed Bandwidth values of all policies in the group. When some of the policies do not utilize all their Guaranteed Bandwidth, this bandwidth is used by the other policies in the group. The spare bandwidth is split between the policies that have already reached their guaranteed bandwidth according to their relative weight within the group.

Example: We have a group containing the following policies:

o 100k to HTTP traffic
o 100k to Citrix traffic
o 50k to FTP traffic
o 26k to SMTP traffic

The total bandwidth available for this group is 256k. If at a certain moment there is only 50k of HTTP traffic, this means there are 50k of spare bandwidth for this group. The spare bandwidth will be split between the other 3 policies: 28k to Citrix, 14k to FTP and 7k to SMTP.
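The borrowing rule above, carried through as an added example (not Radware code): each policy first gets the smaller of its demand and its guarantee, and the guarantee left unused by under-utilising policies is shared among the policies that have reached their guarantee in proportion to their guaranteed bandwidth. The demand figures are constructed; the group is the one from the text.

```python
# Added example (not Radware code): single-pass bandwidth borrowing inside
# one BWM policy group, following the rule described in the text.

def allocate_group(guaranteed, demand):
    """Return {policy: allocated kbps} for one policy group.

    guaranteed: {policy: guaranteed kbps}; demand: {policy: offered load kbps}.
    Policies below their guarantee release the remainder as spare bandwidth;
    policies at or above it share the spare by relative guaranteed weight.
    (A borrowing policy that needs less than its share is not revisited here.)
    """
    allocated = {}
    spare = 0.0
    saturated = []
    for name, g in guaranteed.items():
        d = demand.get(name, 0.0)
        if d < g:
            allocated[name] = d        # under-utilised: release the remainder
            spare += g - d
        else:
            allocated[name] = g        # reached its guarantee: may borrow
            saturated.append(name)
    weight_sum = sum(guaranteed[n] for n in saturated)
    for name in saturated:
        allocated[name] += spare * guaranteed[name] / weight_sum if weight_sum else 0.0
    return allocated


# The group from the text: guaranteed 100k HTTP, 100k Citrix, 50k FTP, 26k SMTP.
GROUP = {"HTTP": 100.0, "Citrix": 100.0, "FTP": 50.0, "SMTP": 26.0}


def example_split():
    """HTTP offers only 50k; the other three policies want more than their guarantee.

    Returns the borrowed share above each guarantee, rounded to whole kbps.
    """
    demand = {"HTTP": 50.0, "Citrix": 500.0, "FTP": 500.0, "SMTP": 500.0}
    alloc = allocate_group(GROUP, demand)
    return {n: round(alloc[n] - GROUP[n]) for n in ("Citrix", "FTP", "SMTP")}
```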

•  Policy Scheduler

System administrators may require that certain policies not be active during certain hours of the day, or that a certain policy only be activated at a specific time of the day for a specific duration. For example, a school's library may want to block instant messaging during school hours but allow instant messages after school hours, or an enterprise may give high priority to mail traffic between 08:00 and 10:00. Using the Event Scheduler, administrators can create events which can then be attached to a policy's configuration. Events define the date and time at which an action should be performed. There are three types of events:

1. Once - The event occurs only once.
2. Daily - The event occurs every day at the same time.
3. Weekly - The event occurs on specific day(s) every week.

For each Bandwidth Management policy, administrators can configure an activation schedule and an inactivation schedule. Whenever the activation event occurs, the module changes the policy's Operational Status from Inactive to Active.

Note: Creation of new BWM policies or modification of existing policies does not affect the traffic classification immediately. For the new or modified policies to take effect, the policy database must be updated using the Update Policies function.

Bandwidth Management Services

A very advanced and granular set of services is configured within the bandwidth management system. Services are configured separately from policies. However, as each policy is configured, it is associated with a configured Service. The service associated with a policy in the policy database is a basic filter, an advanced filter, or a filter group. This represents tremendous flexibility for the classifier as it essentially gives the system a large number of possibilities for packet identification.

Basic Filters

The basic building block of a Service is a basic filter. The relationship between a filter and a service will be discussed shortly, but it’s important to first understand what a basic filter is. A basic filter is made up of the following components:

•  Protocol

This defines the specific protocol that the packet carries. The possible choices are IP, TCP, UDP, ICMP and Non-IP. If the protocol is configured as IP, all IP packets (including TCP and UDP) are considered. When configuring the TCP or UDP protocol, some additional parameters are also available:

1. Destination Port - Destination port number for that protocol. For example, for HTTP, the protocol is configured as TCP and the destination port as 80.

2. Source Port - Like the destination port, the source port that a packet carries in order to match the filter can be configured. The source port configuration can also allow for a range of source ports to be configured. This can help in situations where an application may use a well-known range of source ports.

Note: the device supports configuring a range of Source Ports and Destination Ports, using the dash sign "-" as a separator between the first port in the range and the last port in the range.

•  Offset Mask Pattern Condition (OMPC)

The OMPC is a means by which any bit pattern can be located for a match at any offset in the packet. This can aid in locating specific bits in the IP header, for example. The TOS and Diffserv bits are perfect examples of where OMPCs can be useful.

It is not mandatory to configure an OMPC per filter. However, if an OMPC is configured, there must be an OMPC match in addition to a protocol (and source/destination port) match. In other words, if an OMPC is configured, the packet needs to match the configured protocol (and ports) AND the OMPC.

When configuring OMPC-based filters it is possible to configure the following parameters:

- OMPC Offset - The location in the packet from which the checking of data is started in order to find specific bits.

- OMPC Offset Relative to - Indicates to which OMPC offset the selected offset is relative. You can set the following parameters: None, IP Header, IP Data, L4 Data, L4 Header, Ethernet or ASN1.

- OMPC Mask - The mask for the OMPC Pattern. Possible values: a combination of hexadecimal digits (0-9, a-f). The value must be defined according to the OMPC Length parameter. The OMPC Mask parameter definition must contain 8 characters. If the OMPC Length value is lower than four bytes, it has to be padded with zeros. For example, if OMPC Length is two bytes, OMPC Mask can be: abcd0000.

- OMPC Pattern - The fixed-size pattern within the packet that the OMPC rule attempts to find. Possible values: a combination of hexadecimal digits (0-9, a-f). The value must be defined according to the OMPC Length parameter. The OMPC Pattern parameter definition must contain 8 characters. If the OMPC Length value is lower than four bytes, it has to be padded with zeros. For example, if OMPC Length is two bytes, OMPC Pattern can be: abcd0000.

- OMPC Condition - The OMPC condition can be either N/A, equal, NotEqual, GreaterThan or LessThan.

- OMPC Length - The length of the OMPC (Offset Mask Pattern Condition) data can be N/A, OneByte, TwoBytes, ThreeBytes or FourBytes.


•  Content

If the configured protocol is TCP or UDP, it is possible to search for any text string in the packet. Like OMPCs, a text pattern can be searched for at any offset in the packet. HTTP URLs are perfect examples of how a text search can aid in classifying a session.

The service editor allows you to choose between multiple types of configurable content:

- URL - The Classifier searches the HTTP Request for the configured URL. No normalization procedures are applied.

- Normalized URL - The Classifier normalizes the configured URL and searches the HTTP Request for it.

- Hostname - The Classifier searches for the Hostname in the HTTP Header.

- HTTP header field - The Content field includes the header field name, and the Content data field includes the field value.

- Cookie - The Classifier searches for the HTTP cookie field. The Content field includes the cookie name, and the Content data field includes the cookie value.

- Mail domain - The Classifier searches for the mail domain in the SMTP Header.

- Mail to - The Classifier searches for the mail to in the SMTP Header.

- Mail from - The Classifier searches for the mail from in the SMTP Header.

- Mail subject - The Classifier searches for the mail subject in the SMTP Header.

- File type - The Classifier searches for the type of the requested file in the HTTP GET command (jpg, exe and so on).

- POP3 User - The Classifier searches for the POP3 user in POP3 traffic.

- FTP Command - The Classifier parses FTP commands into commands and arguments, while normalizing the FTP packets and stripping telnet opcodes.

- FTP content - The Classifier scans the data transmitted using FTP, normalizing the FTP packets and stripping telnet opcodes.

- Regular expression - The Classifier searches for the Regular Expression anywhere in the packet.

- Text - The Classifier searches for the text string anywhere in the packet.

If the content type is URL, for example, then the session is assumed to be HTTP with a GET, HEAD, or POST method. The classifier searches the URL following the GET/HEAD/POST to find a match for the configured text. In this case, the configured offset is meaningless, since the GET/HEAD/POST is in a fixed location in the HTTP header. If the content type is Text, then the entire packet is searched, starting at the configured offset, for the content text.

Content Encoding

By allowing a filter to take the actual content of a packet/session into account, the classifier gains a powerful way to recognize and classify an even wider array of packets and sessions.

Like OMPCs, content rules are not mandatory to configure. However, if a content rule exists in the filter, then the packet needs to match the configured protocol (and ports), the configured OMPC (if one exists), AND the configured content rule.


Reporting

To view the results of bandwidth management, the following reports are available:

• Policy Utilization

• Policy Utilization with Peaks

• Top N Policies

• Policy Packet Rate

• Policy Maximum Threshold Rate

• Guaranteed Rate Failures

• Top N protocols (from the discovery process)

Following are some reporting samples:

Figure 1 - Top N Policies


Figure 2 - Policy Utilization (Comparative graph)

Figure 3 - Top N protocols 


Examples

Example 1 – Basic configuration of BWM

Now that the specifics of the Radware bandwidth management module have been analyzed, we can consider an example that can illustrate the practicality of the mechanism. We’ll build a policy database, starting with the Network list and various filters.

First, let’s assume the following Networks have been configured:

Network Name   Address     Mask             IP-from    IP-to
Any            -           -                0.0.0.0    255.255.255.255
Net1           10.0.0.0    255.0.0.0        -          -
Net2           -           -                20.1.1.1   20.1.1.100
Net2           -           -                30.1.1.1   30.1.1.100
Net3           80.1.1.0    255.255.255.0    -          -

Note that Net2 has been configured twice. This is a legal configuration and the system recognizes Net2 as 20.1.1.1->20.1.1.100 and 30.1.1.1->30.1.1.100.

Now, let’s consider some basic filters, advanced filters, and filter groups:

• Basic Filter “HTTP”: dest. TCP port 80
• Basic Filter “SMTP”: dest. TCP port 25
• Basic Filter “FTP”: dest. TCP port 21
• Basic Filter “DNS”: dest. UDP port 53
• Basic Filter “ompc1”: dest. TCP port 333; ompc 11223300/ffffff00 offset 50
• Basic Filter “ompc2”: dest. TCP port 333; ompc 55667700/ffffff00 offset 80
• Basic Filter “content1”: dest. TCP port 80; content “picture.gif”; content type=URL
• Basic Filter “content2”: dest. TCP port 80; content “image.gif”; content type=URL
• Basic Filter “content3”: dest. TCP port 80; content “cookie=gold”; content type=TXT
• Advanced Filter “AF1”={ompc1 AND ompc2}; which means both OMPC rules must be met.
• Filter Group “FG1”={HTTP OR SMTP}
• Filter Group “FG2”={content1 OR content2}


After the above has been configured, let’s assume the following policy database, which includes all the pieces defined so far:

Order   Src    Dest   Direction   Action    Priority   Bndwdth   Service
1       Any    Any    TwoWay      Drop      -          -         DNS
2       Net1   Net2   TwoWay      Forward   RealTime   -         FG1
3       Any    Any    TwoWay      Forward   1          300       FTP
4       Net1   Net3   TwoWay      Forward   3          -         AF1
5       Any    Any    TwoWay      Forward   4          -         -

If the above policy database exists, when the classifier receives a packet it will start at policy #1 and try to find the first policy that fully applies to the packet in question. Since the database is searched in order from the top down, the following will be the basic decision-making flow of the classifier:

1. Check to see if the packet is DNS from any IP to any IP. If so, drop. If not, continue searching.

2. Check to see if the packet is either HTTP or SMTP from Net1 to Net2 or from Net2 to Net1. If so, forward in real time. If not, continue searching.

3. Check to see if the packet is FTP. If so, queue with a priority of 1 and do not forward past 300Kbps. If not, continue searching.

4. Check to see if the packet is from Net1 to Net3 or from Net3 to Net1. If so, check to see if 11223300/ffffff00 is found at offset 50 and 55667700/ffffff00 is found at offset 80. If so, queue with a priority of 3. If not, continue searching.

5. Check to see if the packet is from any IP to any IP. If so, queue with a priority of 4.

To conclude the analysis of this sample policy database, it’s important to consider three notes:

• Policy #5 is effectively the default policy of the system. This is because it matches any packet that flows through the classifier. But, since it’s the last in the list, it will only match if none of the other policies match the packet.

• A TwoWay policy reverses source and destination port numbers if the source and destination networks are distinct IP addresses. For example, let’s say we have configured a policy above with source Net1, destination Net2, and Service HTTP (destination TCP port 80). Such a policy will consider packets from Net1 to Net2 with destination port 80 and packets from Net2 to Net1 with source port 80.

• We did not use filter group FG2, which has 2 filters each with a content rule. Had we used it, the policy with an FG2 service should have been configured before policy #2. This is because policy #2 would match any HTTP packet. If we had configured a policy with FG2 at #3, for example, it would never match a packet, since policy #2 would return a successful match for every HTTP packet, even for those containing the content configured in FG2.
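The classifier walk of Example 1, together with the OMPC mask/pattern match described under Basic Filters, as an added example (not Radware code): it models the network list, the basic filters DNS/FTP/ompc1/ompc2, the advanced filter AF1, the filter group FG1 and the five-entry policy database above, and performs first-match lookup with TwoWay reversal. OMPC offsets are taken relative to the start of the packet bytes; content filters and the bandwidth and priority actions themselves are not modelled.

```python
import ipaddress
from collections import namedtuple

# Added example (not Radware code): a model of the classifier walk from
# Example 1: basic filters (protocol, destination port, OMPC), the advanced
# filter AF1 (AND), the filter group FG1 (OR), networks in mask or range
# form, and first-match policy lookup with TwoWay reversal.
Packet = namedtuple("Packet", "proto src dst sport dport raw")  # raw: whole packet

def ompc(pattern, mask, offset, length=4):
    """OMPC condition 'equal': (raw bytes at offset) & mask == pattern & mask."""
    def check(p):
        chunk = p.raw[offset:offset + length]
        return len(chunk) == length and \
            int.from_bytes(chunk, "big") & mask == pattern & mask
    return check

def basic(proto, dport, extra=None):
    """Basic filter: protocol AND destination port AND the optional OMPC."""
    return lambda p: p.proto == proto and p.dport == dport and (extra is None or extra(p))

def advanced(*fs):  # advanced filter: every member filter must match
    return lambda p: all(f(p) for f in fs)

def group(*fs):  # filter group: any member filter may match
    return lambda p: any(f(p) for f in fs)

# Network list from the text: "addr/mask" strings or (from, to) ranges.
NETWORKS = {
    "Any":  [("0.0.0.0", "255.255.255.255")],
    "Net1": ["10.0.0.0/255.0.0.0"],
    "Net2": [("20.1.1.1", "20.1.1.100"), ("30.1.1.1", "30.1.1.100")],
    "Net3": ["80.1.1.0/255.255.255.0"],
}

def in_net(ip, name):
    a = ipaddress.ip_address(ip)
    for entry in NETWORKS[name]:
        if isinstance(entry, tuple):
            lo, hi = (ipaddress.ip_address(x) for x in entry)
            if lo <= a <= hi:
                return True
        elif a in ipaddress.ip_network(entry, strict=False):
            return True
    return False

FILTERS = {
    "DNS": basic("UDP", 53),
    "FTP": basic("TCP", 21),
    "FG1": group(basic("TCP", 80), basic("TCP", 25)),
    "AF1": advanced(basic("TCP", 333, ompc(0x11223300, 0xffffff00, 50)),
                    basic("TCP", 333, ompc(0x55667700, 0xffffff00, 80))),
}

# Policy database in search order: (src, dst, action, priority, service).
POLICIES = [("Any", "Any", "Drop", None, "DNS"),
            ("Net1", "Net2", "Forward", "RealTime", "FG1"),
            ("Any", "Any", "Forward", 1, "FTP"),
            ("Net1", "Net3", "Forward", 3, "AF1"),
            ("Any", "Any", "Forward", 4, None)]

def classify(p):
    """Return (order, action) of the first policy that fully matches p."""
    rev = Packet(p.proto, p.dst, p.src, p.dport, p.sport, p.raw)
    for order, (src, dst, action, _prio, svc) in enumerate(POLICIES, 1):
        f = FILTERS[svc] if svc else (lambda q: True)
        # TwoWay: the forward direction, or the reply with ends swapped
        if (in_net(p.src, src) and in_net(p.dst, dst) and f(p)) or \
           (in_net(rev.src, src) and in_net(rev.dst, dst) and f(rev)):
            return order, action
    return None
```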


Example 2 – BWM for P2P

Peer to Peer (P2P) file trading is the single fastest-growing consumer of network capacity and is becoming one of the major challenges for carriers and service providers due to the continuous growth of file sharing applications and users. Carriers and service providers are required to invest more time, money and resources to satisfy the endless demand for the ever increasing bandwidth consumed by P2P users; however, providing more bandwidth is not an effective solution, since the added bandwidth will immediately be used by the P2P traffic.

A true solution for the never-ending P2P bandwidth consumption is a traffic shaping solution, where it is possible to completely block, prioritize or limit the variety of P2P applications.

P2P Bandwidth Management

The Bandwidth Management module includes a feature set that allows administrators to have full control over their available bandwidth. Using these features, applications can be prioritized according to a wide array of criteria, while taking the bandwidth used by each application into account. As sessions are prioritized, bandwidth thresholds can be configured to either ensure a guaranteed bandwidth for a certain application and/or to keep them below a pre-determined bandwidth limit.

Bandwidth Management module supports the following P2P applications:

BitTorrent, eDonkey, eMule, Kazaa, WinMX, Gnutella, Winny, FastTrack

Configuration 

Bandwidth Management for P2P traffic can be done both for traffic passing via the device (CID or DefensePro) and for traffic that is load balanced by the device (LinkProof, SecureFlow or AppDirector). If BWM for P2P is needed for load-balanced traffic only (sessions which appear in the Client Table), it is not necessary to enable the Session Table.

1. From Device Setup, click on Global and edit Session Table Parameters. Ensure that the Session Table Status checkbox is checked and "Session Table Lookup Mode" is set to "Full Layer 4".

Note: In some environments, based on traffic volumes, there might be a need to change the session table tuning.


2. From BWM Global Parameters, change the classification mode to Policies and make sure that Application Classification is set to "Per Session". Click Ok and reboot the device.

3. Create a BWM policy for P2P traffic. For BitTorrent and applications that use the BitTorrent network, select Service Type Grouped Service and, from the Service Name dropdown menu, select the BT group. For other P2P applications, select the P2P group.


Conclusion

As part of Radware’s APSolute OS architecture, bandwidth management allows network administrators to provide controlled traffic differentiation through their ITM infrastructure. Bandwidth management is a powerful value added service that APSolute OS delivers at sensitive and strategic locations on the networks where Radware devices can be deployed. Through this value added service, user traffic can be controlled with great granularity and network resources can be efficiently optimized.


Appendix A

Service Name      Description                                                          Filter Type

ERP/CRM
Sap                                                                                    Basic

Database
Mssql             Microsoft SQL service group                                          Group
Mssql-monitor     SQL monitoring traffic                                               Basic
Mssql-server      SQL server traffic                                                   Basic
Oracle            Oracle database application service group                            Group
Oracle-v1         Oracle SQL*Net v1-based traffic (v6, Oracle7)                        Basic
Oracle-v2         Oracle SQL*Net v2/Net 8-based traffic (Oracle7, 8, 8i, 9i)           Basic
Oracle-server1    Oracle Server (e-business solutions) on port 1525                    Basic
Oracle-server2    Oracle Server (e-business solutions) on port 1527                    Basic
Oracle-server3    Oracle Server (e-business solutions) on port 1529                    Basic

Thin Client or Server Based
citrix            Citrix connectivity application service group. Enables any type      Group
                  of client to access applications across any type of network
                  connection.
citrix-ica        Citrix Independent Computer Architecture (ICA)                       Basic
citrix-rtmp       Citrix RTMP                                                          Basic
citrix-ima        Citrix Integrated Management Architecture                            Basic
citrix-ma-client  Citrix MA Client                                                     Basic
citrix-admin      Citrix Admin                                                         Basic

Peer-to-Peer
p2p               Peer-2-peer applications                                             Group
bt                Bittorrent File Sharing Application. Includes the following basic    Group
                  filters: bitports, Bittorrent, bt-announce, bt-bitfield, bt-cancel,
                  bt-choke, bt-have, bt-interested, bt-ninterested, bt-peer,
                  bt-piece, bt-port, udp1, bt-udp2, bt-unchoke
edonkey           File Sharing Application                                             Basic
gnutella          File sharing and distribution network.                               Basic
fasttrack         Data transfer protocol used by Kazaa                                 Basic
kazaa             Kazaa File Sharing Application (Note: Music City Morpheus and        Basic
                  Grokster also classify as Kazaa)
winmx(tcp)        File Sharing Application                                             Basic
winmx(udp)        File Sharing Application                                             Basic
winny             File Sharing Application                                             Basic
ed2ksignature     EDonkey & eMule File Sharing Application (dynamic port)              Advanced

Internet
dns               Domain Name Server protocol                                          Basic
ftp-session       File Transfer Protocol service - both FTP commands and data          Basic
http              Web traffic                                                          Basic
http-alt          Web traffic on port 8080                                             Basic
https             Secure web traffic                                                   Basic
icmp              Internet Control Message Protocol                                    Basic
ip                IP traffic                                                           Basic
nntp              Usenet NetNews Transfer Protocol                                     Basic
telnet                                                                                 Basic
tftp                                                                                   Basic
udp                                                                                    Basic

Instant Messaging
aol-msg           AOL Instant Messenger                                                Basic
aim-aol-any       AIM/AOL Instant Messenger                                            Basic
icq               ICQ                                                                  Basic
msn-msg           MSN Messenger Chat Service                                           Basic
msn-any           MSN Messenger Chat Service (any port)                                Basic
yahoo-msg         Yahoo! Messenger                                                     Group
yahoo-msg1        Yahoo! Messenger on port 5000                                        Basic
yahoo-msg2        Yahoo! Messenger on port 5050                                        Basic
yahoo-msg3        Yahoo! Messenger on port 5100                                        Basic
yahoo-any         Yahoo! Messenger on any port                                         Basic

Email
mail                                                                                   Group
smtp                                                                                   Basic
imap                                                                                   Basic
Pop3                                                                                   Basic