One of the major drawbacks of TCP/IP is the lack of true QoS functionality. Quality of Service in networks is the ability to guarantee and limit bandwidth for certain services and users.
Although there are protocols like DiffServ and other solutions that intend to offer QoS in large networks, none of the solutions have reached a high enough standard for large-scale usage.
Another fact is that most current Quality of Service solutions are application-based, that is, they work by having the applications supply the network with QoS information. From a security standpoint it is of course unacceptable that the applications (that is, the users) decide the priority of their own traffic within a network. In security-sensitive scenarios, where the users cannot be trusted, the network equipment should be the sole arbiter of priorities and bandwidth allocations.
The points listed above help explain why it is almost impossible to prioritize, guarantee or limit traffic in large and complex network topologies where different standards and different products exist. The Internet is a good example of such a network topology.
In well-delimited networks, on the other hand, there are excellent possibilities for controlling traffic by different methods. A well-delimited network is defined mostly by its administrative limits, not by its size. The traffic in a MAN, and even in a very large WAN, could very well be managed, assuming that the network is designed in a homogeneous way.
Amaranten Firewall provides Quality of Service functionality by applying limits and guarantees to the network traffic itself, rather than trusting the applications and users to make these choices for themselves. It is hence well suited to manage bandwidth for a small LAN as well as in one or more choke points in large MANs or WANs.
The simplest way to obtain quality of service in a network, seen from a security as well as a functionality perspective, is to have the components in the network, not the applications, be responsible for network traffic control in well-defined choke points.
Traffic shaping works by measuring and queuing IP packets, in transit, with respect to a number of configurable parameters. Differentiated rate limits and traffic guarantees based on source, destination and protocol parameters can be created, much the same way firewall rules are implemented. Traffic shaping works by:
Applying bandwidth limits by queuing packets that would exceed configured limits, and sending them later when the momentary demand for bandwidth is lower.
Dropping packets if the packet buffers are full. The packet to be dropped should be chosen from those that are responsible for the "jam".
Prioritizing traffic according to the administrator's choice; if the traffic in a higher priority increases while a communications line is full, traffic in lower priorities should be temporarily limited to make room for the high-priority traffic.
Providing bandwidth guarantees. This is typically accomplished by treating a certain amount of traffic (the guaranteed amount) as a higher priority, and traffic exceeding the guarantee as the same priority as "any other traffic", which then gets to compete with the rest of the non-prioritized traffic.
Well-built traffic shapers do not normally work by queuing up immense amounts of data and then sorting out prioritized traffic to send before sending non-prioritized traffic. Rather, they attempt to measure the amount of prioritized traffic and then limit the non-prioritized traffic dynamically so that it won't interfere with the throughput of prioritized traffic.
Amaranten Firewall has an extensible traffic shaper integrated in the firewall core. Since a firewall is a central and vital part of a network, there are many benefits of having the firewall handle traffic control.
The traffic shaper in Amaranten Firewall has the following key features:
Traffic shaping in Amaranten Firewall is handled by a concept based on "pipes", where each pipe has several prioritizing, limiting and grouping possibilities. Individual pipes may be chained in different ways to construct bandwidth management units that far exceed the capabilities of one single pipe.
Each firewall rule may be assigned to one or more pipes, individually.
Each pipe contains a number of priority levels, each with its own bandwidth limit, specified in kilobits per second and/or packets per second. Limits may also be specified for the total of the pipe.
Traffic through a pipe can be automatically grouped into "pipe users" (or "user pipes", if you wish), where each pipe user can be configured to the same extent as the main pipe.
Traffic may be grouped with respect to a number of parameters, for instance source or destination IP network, IP address or port number.
The traffic shaper can be used to dynamically balance the bandwidth allocation of different pipe users if the pipe as a whole has exceeded its limits.
This means that available bandwidth is evenly balanced with respect to the chosen grouping for the pipe.
When pipes are assigned to rules, up to eight pipes may be connected to form a chain. This permits filtering and limiting to be handled in a very sophisticated manner.
With the proper pipe configuration, the traffic shaping in Amaranten Firewall may be used to guarantee bandwidth (and thereby quality) for traffic through the firewall.
If the optional IPsec VPN module is used in the firewall, bandwidth and priorities may be configured for VPN tunnels as well as for ordinary firewall rules.
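The following is an added example, not code from the Amaranten Firewall or its manual: a small Python model of one scheduling interval of a single pipe, illustrating the mechanism described above (guaranteed traffic kept at its priority, excess demoted to compete with "any other traffic", higher levels served first within their own and the pipe's total limit, and even balancing between competing pipe users). Only kbit/s limits are modelled, not packets per second, and the flow names and figures are constructed.

```python
from collections import defaultdict

BEST_EFFORT = 0  # lowest level; traffic beyond a guarantee is demoted here


def fair_share(demands, capacity):
    """Water-filling: equal shares, nobody gets more than it asked for, and
    any unused share is redistributed. This is the pipe's "even balancing"."""
    alloc, remaining = {}, capacity
    pending = sorted(demands.items(), key=lambda kv: kv[1])  # smallest first
    while pending:
        share = remaining / len(pending)
        name, want = pending.pop(0)
        alloc[name] = min(want, share)
        remaining -= alloc[name]
    return alloc


def shape(flows, total_limit, level_limits):
    """One scheduling interval of a single pipe; all rates are kbit/s.
    flows: (name, priority, demand, guarantee). Traffic up to the guarantee
    keeps its priority; the excess competes at BEST_EFFORT like any other
    traffic. Levels are served highest first, each capped by its own limit and
    by what is left of the pipe total. Returns {name: admitted kbit/s}; the
    shortfall is what the shaper queues, or drops once its buffers fill."""
    requests = defaultdict(lambda: defaultdict(float))  # level -> name -> kbit/s
    for name, prio, demand, guarantee in flows:
        within = min(demand, guarantee) if guarantee else demand
        requests[prio][name] += within
        if demand > within:
            requests[BEST_EFFORT][name] += demand - within
    admitted, remaining = defaultdict(float), total_limit
    for prio in sorted(requests, reverse=True):
        capacity = min(level_limits.get(prio, total_limit), remaining)
        for name, kbps in fair_share(requests[prio], capacity).items():
            admitted[name] += kbps
            remaining -= kbps
    return dict(admitted)


PIPE_TOTAL = 2200  # constructed scenario, not from the manual: one 2200 kbit/s pipe
LEVEL_LIMITS = {2: 1000, 1: 1500}  # level 0 is bounded only by the pipe total
FLOWS = [
    ("voip", 2, 300, 0),          # high priority, no guarantee needed
    ("web-alice", 1, 1500, 500),  # 500 guaranteed at level 1, rest best effort
    ("web-bob", 1, 600, 500),     # 500 guaranteed at level 1, 100 best effort
    ("bulk", 0, 2000, 0),         # pure best effort
]

if __name__ == "__main__":
    for name, kbps in shape(FLOWS, PIPE_TOTAL, LEVEL_LIMITS).items():
        print(f"{name:10s} {kbps:7.1f} kbit/s")
```

Raising the voip demand in FLOWS shows the behaviour described for priorities: the guarantees still hold, and it is the best-effort share of "bulk" that shrinks to make room.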
All measuring, limiting, guaranteeing and balancing is carried out in pipes. However, a pipe by itself is meaningless unless it is put into use in the Rules section. Each rule can pass traffic through one or more pipes, in a precedence (priority) of your choice.
So, to set up traffic shaping, the following steps are necessary:
Plan your traffic shaping requirements. If you do not know how traffic should be limited, prioritized, guaranteed, or distributed, you will likely find the configuration work more confusing than helpful.
Set up pipes that describe your different traffic classes in the Pipes section.
Assign specific types of communication to different pipes in the Rules section. This may mean that your ruleset grows. A rule that previously covered "NAT everything from the inside out" might have to be expanded to several rules using different priorities or limits for different protocols and/or ports.
Verify that your traffic shaping works the way you intended. There are two main ways of seeing what actually happens in your live environment: the "pipes" console command (use "help pipes" for more information) and the Pipes graphs in the statistics view.