NetEqualizer Evaluation Policy

Our official policy for customers requesting evaluation units is to require payment upfront. However, we do honor a no-questions-asked 30-day return policy.

As you can imagine, we get a constant stream of requests for evaluation units. Obviously we’d love to provide everybody who asks with a demo unit. After all, the other brand name packet shapers will throw them at you. Especially if you are coming from an account they want to win over.

So, you may be wondering why we don’t do the same…

Some background:

APconnections sells quite a few units under $3000. To put this in perspective, last year a CEO from a larger competitor selling similar equipment admitted that $4000 is their break-even point.

So, how do we offer units starting at $2000 and still turn a profit?

A big part of our model is to make sure that we do not drill dry wells. Dry well is industry speak for pursuing business that will never materialize. Yes, we love chatting with people, but in order to pay our engineers and stay in business, we must limit money spent supporting customers that are just “looking”. The easiest way to do this is to enforce our evaluation policy.

Serious customers that are ready to buy something but need to see it work in their network usually have no problem with purchasing up front. Some, but not all, customers that are not agreeable to purchasing up front may have cash flow problems of their own. In an economy where banks do not know how to qualify loans, we don’t want to try to calculate this risk.

The result of our conservative policy translates to much lower prices, and to date nobody is arguing with that.

Curbing RIAA Requests on Your Student Network

Editor’s Note: We often get asked by college administrators how the NetEqualizer can block p2p with our behavior-based rules. Since the NetEqualizer is containment based, it is effective in stopping approximately 80 to 90 percent of all p2p (see comparison with layer 7 shapers). Yet, questions and fears still remain about RIAA requests. Since the NetEqualizer is not a complete block, not that anything is, customers wonder how they can be safe from those intimidating lawyers.

In short, here’s the answer. The RIAA finds copyright violators by downloading files from your network. Since these downloads must be initiated from the outside, you simply need to block all outside initiated requests for data. Obviously you would still allow requests to your Web servers and other legitimate well known content servers on your network. Understanding this, administrators can configure their routers to work in conjunction with their NetEqualizers to largely curb RIAA requests.

Below, NetEqualizer user Ted Fines, the network administrator at Macalester College, shares his methods for preventing RIAA requests on his university network.

A few years ago, we implemented a rule on our firewall to improve our overall security. However, it has also had the added effect of stopping RIAA notices almost entirely.

The rule simply blocks all inbound connections to all ports on all residence hall computers. Here are some sample config lines from our firewall (a Cisco PIX) that show how the rule works:

name Kirk description Kirk Res Hall
object-group network Res_Halls
 description All Residence Halls
 network-object Kirk
 network-object Bigelow
 network-object Wallace
access-list 101 extended deny ip any object-group Res_Halls

Even though it may appear this rule would interfere with normal user Web browsing, etc., this rule actually has no effect at all on what systems the student computers in our residence halls may access. This is because the firewall tracks what computer initiates the connection.

For instance, when a student tries to access “”, they are initiating the connection to CNN’s server. So when CNN’s server replies and sends back news content, etc., the firewall knows that the student computer requested it and the incoming connection is allowed.

However, if a student is running a server, such as a Web server or a file sharing server, outside computers are not able to connect to it. The firewall knows that the outside computer is trying to initiate a connection, so it is blocked.

Our student body makes great use of our resources and we have a very open and unrestricted campus life, so I was pleasantly surprised that making this change did not ruffle any feathers. We do make exceptions when students request that a port be unblocked for a particular need. I have found that the ones who are savvy enough to know that they need a particular port opened are not typically the ones we have to be worried about, so we’re usually happy to accommodate them.

–Ted Fines, Macalester College, St. Paul, MN
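The stateful behavior described in the post above can be modeled in a few lines. This is an added example, not part of Ted Fines's post or his firewall configuration; the subnets, hosts, ports and the exception entry are constructed placeholders, and the filter is a simplified model of connection tracking rather than PIX code.

```python
import ipaddress

# Constructed addresses: the residence hall subnets and the exception host
# are placeholders, not values from the original post.
RES_HALLS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "10.21.0.0/16")]
# (dst_ip, dst_port) pairs unblocked at a student's request (hypothetical).
EXCEPTIONS = {(ipaddress.ip_address("10.20.5.9"), 22)}


def in_res_hall(ip):
    return any(ip in net for net in RES_HALLS)


class StatefulFilter:
    """Tracks who initiated each flow; only a flow's first packet is policy-checked."""

    def __init__(self):
        # Entries: (initiator_ip, initiator_port, responder_ip, responder_port)
        self.flows = set()

    def packet(self, src, sport, dst, dport):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # A reply matches an existing flow with the endpoints reversed.
        if (src, sport, dst, dport) in self.flows or (dst, dport, src, sport) in self.flows:
            return "allow (established)"
        # New flow: apply "deny ip any object-group Res_Halls", minus exceptions.
        if in_res_hall(dst) and (dst, dport) not in EXCEPTIONS:
            return "deny (inbound-initiated)"
        self.flows.add((src, sport, dst, dport))
        return "allow (new)"


def demo():
    fw = StatefulFilter()
    return [
        # Student opens a web connection; the server's reply is then allowed.
        fw.packet("10.20.1.7", 51000, "203.0.113.80", 80),
        fw.packet("203.0.113.80", 80, "10.20.1.7", 51000),
        # Outside host tries to reach a file-sharing port on the same student PC.
        fw.packet("198.51.100.4", 40000, "10.20.1.7", 6881),
        # Outside host reaches the one port opened by exception.
        fw.packet("198.51.100.4", 40001, "10.20.5.9", 22),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

A denied packet creates no flow entry, so nothing the outside host sends afterwards can match as "established".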

Editor’s Note cont’d: This recent tip was given on the ResNet mailing list by Sidney Eaton of Ferris State University…

If you want to minimize your notices, just block these address ranges on your firewalls (in and out):

These are MediaSentry IP addresses (the company scanning your network to determine if your users are sharing copy-protected materials). They are not the only company hired by the RIAA and MPAA but they are the largest one. So you may still get some but hopefully not as many.

Sidney Eaton, Ferris State University, Big Rapids, MI

CALEA Update

As promised, NetEqualizer is now offering the utilities necessary to meet requirements set forth this month by CALEA, or the Communications Assistance for Law Enforcement Act. This law oversees telecommunication security and has now been expanded to Internet security. There are some fairly harsh federal penalties for noncompliance that became effective May 1.

In the spirit of protecting our nation, the mission is not to make life miserable and expensive for operators and thwart communications, but rather to give the FBI and homeland security tools to wire tap (if we can borrow the term) Internet conversation on a moment’s notice. We suspect it would be a rare occurrence for a small WISP to receive a warrant to comply, but it would be potentially devastating to security should the means to monitor conversation not be available.

The following updated Q&A will address NetEqualizer’s capabilities in reference to CALEA compliance.

1. Functionally, what does the NetEqualizer CALEA release provide?

We provide a network probe with the following capabilities:

  • It will allow an ISP or other operator to comply with a basic warrant for information about a user by capturing and sending IP communications in real time to a third party.
  • Communication may be captured by headers or headers and content.

2. In what format is the data portion sent to a law enforcement agency?

We will provide basic descriptive tags identifying headers, data, and time stamps, along with HEX or ASCII representation of content data.

3. Do you meet the standards of the receiving law enforcement agency?

The law and specifications on “how” to deliver to a law enforcement agency are somewhat ambiguous. The FBI has created some detailed specifications, but the reality is that there are some 40,000 law enforcement agencies and they are given autonomy on how they receive data. We do provide samples on how to receive NetEqualizer-captured data on a third party server, but are unable to guarantee definite compliance with any specific agency.

4. Does the NetEqualizer do any analysis of the data?

No. We are only providing a probe function.

5. Is the NetEqualizer release fully CALEA compliant?

Although the law (see CALEA sections 103 and 107(a)(2)) is fairly specific on what needs to be done, the how is not addressed to any level of detail to which we can engineer our solution. Many people are following the ATIS specification which was put forth by the FBI, and we have read and attempted to comply with the probe portion of that specification. But, the reality is that there is no one agency given the authority to test a solution and bless it as compliant. So, if faced with a warrant for information, the law enforcement agency in charge may indeed want something in slightly different formats. If this is the case, there may be additional consulting.

As best we can tell at this time, there is no one government agency that can fully declare our technology CALEA compliant. However, we do pledge to work with our customers should they be faced with a warrant for information to adjust and even customize our solution; however additional fees may apply.

For more information on NetEqualizer and CALEA, visit our extended Q&A page at Additional information on CALEA itself can be found at
