First, a couple of definitions, so we are all on the same page.
A Web Filter is basically a specialized firewall with a configurable list of URLs. Using a Web Filter, a network administrator can block specific web sites outright, or block entire categories of sites, such as pornography.
A Traffic Shaper is typically deployed to change the priority of certain kinds of traffic. It is used where blocking traffic completely is not required, or is not an acceptable practice. For example, the mission of a typical Traffic Shaper might be to let users get into their Facebook accounts, but to cap the bandwidth that Facebook consumes so that it does not crowd out more important activities. With a shaper the idea is to limit (shape) the total amount of data traffic for a given category, not to forbid it.
From a technology standpoint, building a Web Filter is a much easier proposition than creating a Traffic Shaper. This is not to demean the value or effort that goes into creating a good Web Filter. When I say "easier", I mean this from a core technology point of view. Building a good Web Filter product is not so much a technology challenge as a data management issue. A Web Filter worth its salt must be aware of potentially millions of web sites that are constantly changing. To keep up, a Web Filter product must be updated continuously: the company behind it must crawl the Web, indexing new sites and their contents, and push that information out to the product. The work is ongoing, but not necessarily daunting in terms of technology prowess. The actual blocking of a web site is simply a matter of comparing the requested URL against the list of forbidden sites and refusing the request (dropping the packets, or answering with a block page). One caveat: when the site is reached over HTTPS, the filter cannot read the full URL at all, only the host name it learns from the DNS lookup or the TLS handshake, so in practice the comparison is made against the host name rather than the complete URL.
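To make the "compare the requested URL against the list" step concrete, here is a small filter lookup written for this article as an added example; it is not APconnections code, and the blocklist and URLs in it are constructed. It shows the two details that matter when the comparison is done on a host name: the URL must be parsed properly (a naive split on `/` is fooled by `user@host` tricks, ports and mixed case), and the match must walk parent domains so that `m.facebook.com` hits `facebook.com` while `notfacebook.com` does not.

```python
"""Minimal web-filter lookup: decide whether a requested URL is blocked.

Added illustration, not APconnections code. The blocklist and URLs are
constructed for the example; a real product loads millions of entries.
"""
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed category list: registrable domain -> category.
BLOCKLIST = {
    "facebook.com": "social",
    "example-adult.test": "pornography",
}


def request_host(url: str) -> str:
    """Return the normalized host name a filter should match on.

    urlsplit().hostname handles the traps a hand-rolled split falls into:
    userinfo (http://facebook.com@evil.test/ is a request to evil.test),
    an explicit port, and mixed case. A trailing dot (absolute DNS name)
    is stripped so "facebook.com." matches the same entry as "facebook.com".
    """
    host = urlsplit(url).hostname or ""  # hostname drops userinfo/port, lowercases
    return host.rstrip(".")


def lookup(host: str) -> Optional[str]:
    """Walk from the full host name up through its parent labels.

    'm.facebook.com' -> 'facebook.com' matches; 'notfacebook.com' does not,
    which a substring test ('facebook.com' in host) would get wrong.
    The bare TLD is never consulted, so 'com' on its own matches nothing.
    """
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKLIST:
            return BLOCKLIST[candidate]
    return None


def filter_request(url: str) -> Tuple[str, Optional[str]]:
    """Return ('block', category) or ('allow', None) for one request."""
    category = lookup(request_host(url))
    return ("block", category) if category else ("allow", None)


if __name__ == "__main__":
    for u in ("http://www.facebook.com/", "http://notfacebook.com/",
              "http://facebook.com@evil.test/", "https://cdn.example-adult.test./x"):
        print(u, "->", filter_request(u))
```

For an HTTPS request the only input this function would ever receive is the host name, since the path never appears on the wire; the suffix walk is the whole decision in that case.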
A Traffic Shaper, on the other hand, has a more daunting task than the Web Filter. This is because, unlike the Web Filter, a Traffic Shaper has to keep working after the base URL has been loaded. I'll walk through a generic scenario to illustrate this point. When a user logs into their Facebook account, the first URL they hit is a well-known Facebook home page. That initial request from their computer to the Facebook home page is easy for a Web Filter to spot, and if you block it at the first step, that is the end of the Facebook session. Now, if you tell your Traffic Shaper "I want you to limit Facebook traffic to 1 megabit", the task gets trickier, because once the user is logged in, the subsequent requests are not that obvious. Suppose the user opens an image or plays a shared video from their Facebook screen. The Traffic Shaper has little or no context to tell it that the video is actually part of Facebook. To the user it is coming from their Facebook page, but when they click the link to play the video, the Traffic Shaper only sees the video link, which is typically served from a content delivery host and is not a Facebook URL any longer. On top of that, the Facebook page and its contents are often encrypted for privacy.
For these reasons a traditional Traffic Shaper inspects the packets to see what is inside. It uses Deep Packet Inspection (DPI) to look into the data payload and decide whether it looks like Facebook data. This is not an exact science, and with the widespread use of encryption, identifying traffic by its content is becoming all but impossible: once the TLS handshake completes, the inspector sees only ciphertext, and what remains to go on is metadata such as the server name announced in the handshake, the IP addresses, and the size and timing of the flow.
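The following classifier, written for this article as an added example (not APconnections code), shows the two sides of that statement. For cleartext HTTP it does classic DPI, reading the `Host:` header out of the request. For TLS it parses the one host name a passive box can still read, the Server Name Indication (SNI) in the ClientHello; everything after the handshake is opaque to it. The hostnames, the HTTP request and the ClientHello bytes are all constructed here, and `video.cdn-example.test` stands in for whatever third-party host an embedded video is really fetched from.

```python
"""DPI-style flow classification, and where TLS stops it.

Added illustration, not APconnections code. The category table, the HTTP
request and the TLS ClientHello below are constructed for the example.
"""
import struct
from typing import Optional

# Constructed category table. A real shaper has many more entries and still
# cannot list every CDN host a page pulls its media from.
CATEGORIES = {"facebook.com": "social"}


def category_for_host(host: str) -> Optional[str]:
    """Map a host name to a category by registrable-domain suffix."""
    host = host.lower().rstrip(".")
    for domain, cat in CATEGORIES.items():
        if host == domain or host.endswith("." + domain):
            return cat
    return None


def classify_plaintext_http(payload: bytes) -> Optional[str]:
    """Classic DPI: read the Host header out of a cleartext HTTP request."""
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"host:"):
            return category_for_host(line[5:].strip().decode("ascii", "replace"))
    return None


def extract_sni(record: bytes) -> Optional[str]:
    """Pull server_name out of a TLS ClientHello record, or None if absent.

    Layout: record header (5) | handshake type (1) + length (3) | version (2)
    | random (32) | session id | cipher suites | compression | extensions.
    """
    try:
        if record[0] != 0x16 or record[5] != 0x01:  # handshake record, ClientHello
            return None
        pos = 9 + 2 + 32                            # past hs header, version, random
        pos += 1 + record[pos]                      # session id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]  # cipher suites
        pos += 1 + record[pos]                      # compression methods
        ext_total = struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            if ext_type == 0:  # server_name: list_len(2) name_type(1) name_len(2) name
                name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
                return record[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error):
        pass
    return None


def classify(payload: bytes) -> Optional[str]:
    """Classify a flow from its first payload; None means the DPI engine is blind."""
    if payload.startswith((b"GET ", b"POST ", b"HEAD ")):
        return classify_plaintext_http(payload)
    sni = extract_sni(payload)
    return category_for_host(sni) if sni else None


# --- constructed sample traffic ---------------------------------------------
def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello carrying a single SNI extension."""
    name = server_name.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext = (struct.pack("!HH", 0, len(sni_list) + 2)
               + struct.pack("!H", len(sni_list)) + sni_list)
    body = (b"\x03\x03" + b"\x00" * 32            # version, (all-zero) random
            + b"\x00"                              # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"   # one cipher suite
            + b"\x01\x00"                          # null compression only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


PLAIN_HTTP = b"GET /home HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"
TLS_TO_FACEBOOK = build_client_hello("www.facebook.com")
TLS_TO_CDN = build_client_hello("video.cdn-example.test")  # constructed CDN host
ENCRYPTED_DATA = b"\x17\x03\x03\x00\x10" + bytes(range(16))  # application data: opaque
```

`classify(PLAIN_HTTP)` and `classify(TLS_TO_FACEBOOK)` both come back as "social", but the embedded video's connection to the CDN host and every encrypted application-data record come back as None: the shaper has nothing to attribute them to. Note that even the SNI foothold is not guaranteed; Encrypted Client Hello, now being deployed, hides the server name as well.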
The good news is that there are other, heuristic ways to shape traffic that are gaining traction in the industry. The bad news is that many end customers continue to struggle with the diminishing accuracy of traditional Traffic Shapers.
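The article does not spell out what those heuristics look like, so the example below is my own illustration of one family of them, added here and not a description of any vendor's product: behaviour-based shaping that never reads a URL or a payload byte. A flow is judged only on how much it has been sending and for how long, and it is slowed only while the link is actually congested. Because the decision uses nothing but byte counts per flow, encryption does not affect it. All thresholds and the traffic trace are constructed.

```python
"""Behaviour-based (content-agnostic) shaping: one illustration of a
heuristic approach. Added example, not any vendor's algorithm. Every
threshold and the traffic trace are constructed for the illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

LINK_CAPACITY_BPS = 10_000_000   # assumed 10 Mbit/s link
CONGESTION_RATIO = 0.8           # only intervene when the link is more than 80 % busy
HEAVY_FLOW_BPS = 2_000_000       # a flow above 2 Mbit/s ...
HEAVY_FLOW_SECONDS = 3           # ... for 3 consecutive seconds counts as "heavy"
SHAPED_FLOW_BPS = 500_000        # heavy flows are held to 0.5 Mbit/s while congested


@dataclass
class FlowState:
    heavy_ticks: int = 0                   # consecutive seconds above HEAVY_FLOW_BPS
    tokens: float = SHAPED_FLOW_BPS / 8    # token bucket in bytes, starts full


class BehaviourShaper:
    """Decides, once per second, how many bytes each flow may send.

    Flows are keyed by an opaque id (in practice the 5-tuple). Nothing here
    looks at a payload, so an encrypted video from a CDN is treated exactly
    like a cleartext one: by its size and persistence.
    """

    def __init__(self) -> None:
        self.flows: Dict[str, FlowState] = defaultdict(FlowState)

    def tick(self, offered: Dict[str, int]) -> Dict[str, int]:
        """offered: flow_id -> bytes the flow wants to send this second."""
        congested = sum(offered.values()) * 8 > LINK_CAPACITY_BPS * CONGESTION_RATIO
        allowed: Dict[str, int] = {}
        for flow_id, nbytes in offered.items():
            st = self.flows[flow_id]
            st.heavy_ticks = st.heavy_ticks + 1 if nbytes * 8 > HEAVY_FLOW_BPS else 0
            # Refill one second's allowance, capped at one second's worth.
            st.tokens = min(SHAPED_FLOW_BPS / 8, st.tokens + SHAPED_FLOW_BPS / 8)
            if congested and st.heavy_ticks >= HEAVY_FLOW_SECONDS:
                grant = int(min(nbytes, st.tokens))   # shape: spend tokens
                st.tokens -= grant
            else:
                grant = nbytes                        # light flow or idle link: untouched
            allowed[flow_id] = grant
        return allowed


def run_trace(trace: List[Dict[str, int]]) -> List[Dict[str, int]]:
    """Feed a per-second trace through a fresh shaper; returns bytes granted per second."""
    shaper = BehaviourShaper()
    return [shaper.tick(second) for second in trace]


# Constructed trace: five seconds of a busy link. "video" could be the embedded
# clip served over TLS from a CDN; the shaper neither knows nor cares.
BUSY_LINK = [{"video": 400_000, "download": 700_000, "web": 50_000, "voip": 12_000}] * 5
# The same heavy video flow on an otherwise idle link: nobody is hurt, so leave it alone.
IDLE_LINK = [{"video": 400_000, "voip": 12_000}] * 5

if __name__ == "__main__":
    for i, second in enumerate(run_trace(BUSY_LINK)):
        print(f"busy link, second {i}: {second}")
```

On the busy trace the two heavy flows are left alone for the first two seconds, then held to 62,500 bytes per second from the third second on, while the small web and voice flows are never touched; on the idle trace the identical video flow is never shaped. What this buys is accuracy that does not decay as more traffic is encrypted; what it gives up is the ability to say "this is Facebook", which is the trade-off behind the shift the paragraph above describes.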
By Art Reisman, CTO APconnections