What does it take to build a firewall?


Editor's Note:

This paragraph, written by Michael W. Lucas, was the lead-in to a nice testimonial for a pfSense firewall. For anybody in IT consulting, this first part is classic Dilbert.

Found on pfsense.org

My friends and co-workers know that I build firewalls. At least once a month someone says “My company needs a firewall with X and Y, and the price quotes I’ve gotten are tens of thousands of dollars. Can you help us out?”

Anyone who builds firewalls knows this question could be more realistically phrased as “Could you please come over one evening and slap together some equipment for me, then let me randomly interrupt you for the next three to five years to have you install new features, debug problems, set up features I didn’t know enough to request, attend meetings to resolve problems that can’t possibly be firewall issues but someone thinks might be the firewall, and identify solutions for my innumerable unknown requirements? Oh, and be sure to test every possible use case before deploying anything.”


NetEqualizer Software Update 4.0 — Carrier-Class Shaping


Continuing the constant evolution of the NetEqualizer line, we’re pleased to offer the most recent NetEqualizer software release, Carrier Class 4.0. In addition to providing the features and quality found in past NetEqualizer releases, Carrier Class 4.0 now supports three times as many shaping buffers, translating into smoother shaping for up to tens of thousands of users.

For example, you will be able to take a one-gigabit pipe and break off 1,000 users, specified by a subnet mask, to share 100 megabits (with smoother results than current versions). Most routers that break out chunks of bandwidth use harsh rate control methods such as dropping packets when the limit is reached. Although there will be a small margin of error, the optimizations and techniques used to break off larger chunks of bandwidth and shape them smoothly without dropping packets rival those of carrier class shapers sold for 10 times our cost.

The following features and enhancements will also be available with Carrier Class 4.0:

  • Full one- to 32-bit mask fields for hard limits – You can now take any IP address and specify a mask in x.x.x.x/y format, where y is the number of bits you wish to mask. All IP addresses in the masked range will receive the specified hard limit (hard limits are individual rate limits for an IP address).
  • Pools support masks – You can now add members to a bandwidth pool using a mask field of the form x.x.x.x/y, where y can range from one to 32. The NetEqualizer will automatically add members of the specified range as they become active and retire them when they become inactive. This optimization allows users to specify large ranges without overwhelming the system.
  • Full one- to 32-bit masking for traffic masking – You can now use the NetEqualizer masking function with odd-numbered mask specifications; prior to this release only /24 and /16 masks were allowed.
  • Pool number displayed in active connection table – You can now see whether a connection is part of a pool; the pool number is displayed in the last column of the connection table.
  • Release 1.0 of our URL-based blocking feature – Now you can block a list of URLs. This feature is commonly used by libraries and private institutions where there is a mandate to block particular recreational sites. In the initial release, customers need only supply a config file listing all the URLs by name that they wish to block and then hit the start button. In future releases, we will be contracting with providers that supply updated lists on a regular basis. There will be no charge to enable our URL-blocking feature; however, there will likely be subscription charges to use third-party URL lists.
  • Connection limit masks now fully supported – You can specify a connection limit mask of the form x.x.x.x/y, where y is an integer from one to 32. Prior to this release, only /24 and /26 were supported.
  • New automatic detection of license overruns – The NetEqualizer will now automatically report any new license overruns. Any time you log into the GUI, a message will be displayed indicating how many license overruns you may have incurred since your last reboot. If you do see a license overrun, you should call support and see about upgrading your license.
  • New license levels available for enforcement in kernel
  • URL-based shaping
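To illustrate the x.x.x.x/y mask semantics of the new pool and limit fields (any y from 1 to 32, not just /16 and /24) and the automatic add/retire of pool members described above, here is an added Python sketch. It is not NetEqualizer code; the idle timeout, pool ranges and connection observations are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumption for this sketch: a member not seen for this long is retired from the pool
IDLE_SECONDS = 60


@dataclass
class Pool:
    """A bandwidth pool defined by one or more x.x.x.x/y masks.

    Membership is not a static list: an address inside one of the masks becomes a
    member when it is seen in an active connection and is retired when it goes idle,
    so a large range (say a /14) never has to be expanded up front."""
    number: int
    ranges: list                                   # IPv4Network objects
    last_seen: dict = field(default_factory=dict)  # member ip -> last activity time

    def covers(self, ip: str) -> bool:
        """True if ip falls inside any of the pool's masks (works for any /y, 1..32)."""
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ranges)

    def observe(self, ip: str, now: int) -> bool:
        """Called once per active connection seen in the connection table.
        Adds the address as a member if it is covered; returns membership."""
        if not self.covers(ip):
            return False
        self.last_seen[ip] = now
        return True

    def retire_idle(self, now: int) -> list:
        """Drop members that have been inactive longer than IDLE_SECONDS; returns them."""
        gone = [ip for ip, t in self.last_seen.items() if now - t > IDLE_SECONDS]
        for ip in gone:
            del self.last_seen[ip]
        return gone

    def members(self) -> list:
        return sorted(self.last_seen, key=ipaddress.ip_address)


def make_pool(number: int, specs: list) -> Pool:
    """Parse x.x.x.x/y mask fields, enforcing the 1..32 bit range the release notes state."""
    nets = []
    for spec in specs:
        net = ipaddress.ip_network(spec, strict=False)  # tolerate host bits set, e.g. 10.5.1.7/22
        if net.version != 4 or not 1 <= net.prefixlen <= 32:
            raise ValueError(f"mask must be IPv4 with 1 to 32 bits: {spec}")
        nets.append(net)
    return Pool(number, nets)


if __name__ == "__main__":
    # Constructed example: an odd-sized /22 and a /27, which older releases could not express
    pool = make_pool(3, ["10.5.0.0/22", "192.168.7.64/27"])
    for t, ip in [(100, "10.5.3.200"), (100, "10.5.4.1"), (110, "192.168.7.95"), (110, "192.168.7.96")]:
        print(f"t={t} {ip:15} member={pool.observe(ip, t)}")
    print("members:", pool.members())
    print("retired at t=161:", pool.retire_idle(161), "remaining:", pool.members())
```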

For more information on the Carrier Class 4.0 update, contact us at admin@apconnections.net or 303-997-1300.

Tech Tip: a script to block URLs with your NetEqualizer


# The following script can be used with your NetEqualizer to block a set of URLs of your choosing.
# Save the script below into a file in the /art directory; we named ours blockstuff.pl.
# Then create a file with the URLs you wish to block, one per line, in the same directory as this Perl script.
# You'll need NetEqualizer version 4.0 or higher.

#!/usr/bin/perl -w
# Resolve each site name in the given file with nslookup and put a NetEqualizer
# connection block on every IP address it resolves to.
# Note: a block on a resolved IP also affects any other site sharing that address,
# and a site that moves to a new address must be re-run through this script.
use strict;

$| = 1;

if (scalar(@ARGV) < 1) {
    print "Usage: $0 <file name with urls to block>\n";
    exit 1;
}

# nslookup is required; on Debian it is part of the dnsutils package
if (! -e "/usr/bin/nslookup") {
    print "need nslookup utility to run this command (dnsutils package on Debian)\n";
    exit 1;
}

open(SPECIAL, "< $ARGV[0]") || die "cannot open url file $ARGV[0]: $!";
# uses the same log file as the NetEq process; not sure if this is a good idea
open(LOGF, ">> /tmp/arblog") || die "cannot open log file /tmp/arblog: $!";

while (my $line = <SPECIAL>) {
    chomp($line);
    next if $line eq "";
    print " blocking $line\n";

    my $search_phrase = $line;
    # only hand plausible host names to the shell (letters, digits, dots and dashes)
    if ($search_phrase !~ /^[A-Za-z0-9.-]+$/) {
        print LOGF "skipping $search_phrase: not a valid host name\n";
        next;
    }

    print " calling nslookup for $search_phrase\n";
    my $data = `/usr/bin/nslookup $search_phrase`;
    print "$data data\n";
    chomp($data);

    # tokenize the nslookup output; the first six tokens describe the resolver
    # itself (Server:/Address: lines), so start scanning after them
    my @foo = split(/[\s#]+/, $data);
    my $found = 0;
    my $counter = 6;
    while ($counter < @foo) {
        $counter = $counter + 1;
        next unless exists $foo[$counter];
        if ($foo[$counter] =~ /^(\d+)(\.\d+){3}$/) {
            print " $foo[$counter] is an IP\n";
            $found = 1;
            # ADD_CONFIG CONNECTION x.x.x.x/y val port direction optional_comment
            system("/art/ADD_CONFIG CONNECTION $foo[$counter]/32 1 0 1 $line");
            print LOGF "putting block on site $search_phrase IP $foo[$counter]\n";
        }
    }
    if (!$found) {
        print LOGF "problem with version of nslookup: could not find valid IP for $search_phrase\n";
    }
}

close(SPECIAL);
close(LOGF);

University of British Columbia IT department chimes in on Layer 7 shaping and its fallacy


Editor's note: The following excerpt was pulled from the ResNet User Group mailing list on Oct 17, 2009.

Most subscribers to this user group are IT directors or administrators for large residence networks at various universities. Many manage upwards of tens of thousands of Internet users. If you are an ISP, I would suggest you subscribe to this list and monitor it for ideas. Please note that vendor solicitation is frowned upon on the ResNet list.

As for the post below: the first part of the post is Dennis's recommendation for a good bandwidth shaper; he uses a carrier-grade Cisco product.

The second part is a commentary on the fallacy of layer 7 shaping. No, we do not know Dennis, nor does he use our products; he just happens to agree with our philosophy after trying many other products.

From: Dennis OReilly <Dennis.OReilly@ubc.ca>
Reply-to: Resnet Forum <RESNET-L@listserv.nd.edu>
To: RESNET-L@listserv.nd.edu
Date: Sat, Oct 17, 2009 at 12:35 AM
Subject: Re: Packet Shaping Appliance

At 9:22 AM -0400 10/16/09, Brandon Burleigh wrote:

We are researching packet shaping appliance options as our current model is end-of-life. It is also at its maximum for bandwidth and we need to increase our bandwidth with our Internet service provider. We are interested in knowing what hardware others are using on their Internet service for packet shaping. Thank you.

At the University of British Columbia we own and still use four PS10000s. A year ago we purchased a Cisco SCE 2020 which has 4 x 1G interfaces. The SCE 2020 is approx the same price point as the PS10000. There is also an SCE 8000 model which has 4 x 10G interfaces, also at a decent price point.

Oregon State brought the SCE product line to our attention at Resnet Symposium 2007.  A number of other Canadian universities recently purchased this product.

The SCE is based on P-Cube technology which Cisco acquired in 2004.

In a nutshell comparing the SCE to the PS10000:
– PS10000 reporting is much superior
– PS10000 and SCE are approx equal at ability to accurately classify P2P
– SCE is essentially a wire speed device
– SCE is a scalable, carrier-grade platform
– Installation of SCE is more complicated than PS10000
– SCE has some capability to identify and mitigate DoS and DDoS attacks
– SCE handles asymmetric routing
– SCE has fine grained capabilities to control bandwidth

It is becoming more and more difficult over time for any packet shaping device like a Packetshaper, or a Procera, or an SCE to accurately classify P2P traffic. These days the only way to classify encrypted streams is through behavioral analysis. In the long run this is a losing proposition. Thus, approaches like the NetEqualizer or script-based ‘penalty box’ approaches are better. However, boxes like the SCE which have excellent capabilities to control bandwidth on a per user basis are also viable. Otherwise the carriers wouldn’t be using these products.

Network World Blog missing the boat on Packeteer’s decline in revenue


The one bad thing about being a publicly traded company is that you cannot hide from your declining sales. In the following Network World blog post and related comments, the authors make some good points as to where and why they would choose Cisco WAN optimization over Blue Coat and vice versa. They also comment on all sorts of reasons why Blue Coat’s revenue in this area is declining, although they neglect one obvious reason.

Prices of bandwidth have fallen quite rapidly over the last 10 years. In some larger metro areas Internet access runs for as little as $300 per month for 10 megabits. The same link 10 years ago would have run close to $5,000 per month or more. Despite falling bandwidth prices, the prices of WAN optimization solutions from the likes of Blue Coat, Cisco and Riverbed remain relatively high. Many potential WAN optimization customers will simply upgrade their bandwidth rather than invest in new optimization equipment. You would think that vendors would lower their prices to compete, and they are to some degree; however, the complexity of their core solutions requires a minimum price floor. The factors that create the price floor on equipment are the methodology of the internal technology and sales channel costs, and unfortunately these fixed cost factors cannot keep pace with falling bandwidth prices.

Our prediction is that WAN optimization devices will slowly become a commodity with automated, reduced complexity. One measure of the current complexity is all the acronyms being tossed around describing WAN optimization. Sales pitches filled with acronyms suggest that these devices are just too complicated for the market to continue to use. They will become turnkey, simple and lower cost, or die. No player is bigger than the market force of cheaper bandwidth.

Related articles:

ROI calculation for packet shaping equipment

Does lower cost bandwidth foretell a decline in bandwidth shaper sales?

http://www.networkworld.com/community/comment/reply/46590

How Does NetEqualizer compare to Mikrotik


Mikrotik is a super-charged Swiss army knife solution; no feature is off limits on their product: routing, bandwidth control, layer seven filters, PPPoE, firewall, they have it all. If I were going off to start a WISP with a limited budget, and could bring only one tool with me, it would be a Mikrotik solution. On the other hand, the NetEqualizer grew up with the value equation of optimizing bandwidth on a network and doing it in a smart, turnkey fashion. It was developed by a wireless operator that realized high quality, easy to use bandwidth control was needed to ensure a profitable business.

Yes, there is some overlap between the two, and over time the NetEqualizer has gone beyond their included auxiliary features; for example, NetEqualizer has a firewall and a network access control module. But the primary reason an operator would purchase a NetEqualizer still goes back to our core mission: to keep their margins in this competitive business, they need to optimize their Internet trunk without paying an army of technicians to maintain a piece of equipment.


The following was part of a conversation with a customer who was interested in comparing Mikrotik queues to NetEqualizer Equalizing. So take off your Mikrotik hat for a minute and read on about a different philosophy on how to control bandwidth.

Equalizing is a bit different than Mikrotik, so we can’t make exact feature comparisons. NetEqualizer lets users run until the network (or pool) is crowded and then slaps the heavy users for a very short duration, faster than you or I could do it (if you tried). Do you have the arcade game “whack a mole” in Australia? Where you hit the moles on the head when they pop up out of the holes with a hammer?

The vision of our product was to allow operators to plug it in, give priority to short real time traffic when the network is busy, and to leave it alone when shaping is not needed.

It does this based on connections, not based on users (as per your question).

Suppose out of your 1000 users, 90 percent were web surfing, 5 percent watching YouTube, and 20 percent were doing chat sessions while doing YouTube and web surfing, and another 20 percent were on Skype calls while web surfing.

Based on the different demand levels of all these users it is nearly impossible to divide the bandwidth evenly.

But, if the trunk was saturated, in the example above, the NetEqualizer would chop down YouTube streams (since they are the biggest), leaving all the other streams alone. So instead of having your network crash completely, a few YouTube videos would break up for a few seconds and then, when conditions abated, they would be allowed to run. I cannot tell you the exact allocations per user because we don’t try to hit fixed allocations; we just put delay on the nasties until the bandwidth usage overall drops back to 90 percent. It is never the same. And then we quickly take the delay away when things are better.

The value to you is that you get the best possible usage of your network bandwidth without micro managing everything. There are no queues to manage. We have been using this model with ISPs for 6 years.

If you do want to put additional rules onto users you can do that with individual rate limits. Or VLAN limits.

Lastly, if you have a very high priority client that must run video you can give them an exemption if needed.

To control P2P you can use our connection limits, as most P2P clients overload APs with massive connections. We have a fairly smart, simple way to spot this type of user and keep them from crashing your network.

Created by APconnections, the NetEqualizer is a plug-and-play bandwidth control and WAN/Internet optimization appliance that is flexible and scalable. When the network is congested, NetEqualizer’s unique “behavior shaping” technology dynamically and automatically gives priority to latency sensitive applications, such as VoIP and email.

NetEqualizer provides Net Neutrality solution for bandwidth control.


By Eli Riles, NetEqualizer VP of Sales

This morning I read an article on how some start up companies are being hurt awaiting the FCC’s decision on Net Neutrality.

Late in the day, a customer called and exclaimed, “Wow, now with the FCC coming down hard on technologies that jeopardize net neutrality, your business must be booming, since you offer an excellent, viable alternative.” And yet, in the face of this controversy, several of our competitors continue to sell deep packet inspection devices to customers.

Public operators and businesses that continue to purchase such technology are likely uninformed about the growing fire-storm of opposition against Deep Packet Inspection techniques. The allure of being able to identify and control Internet traffic by type is a very natural solution, which customers often demand. Suppliers who sell DPI devices are just doing what their customers have asked. As with all technologies, once the train leaves the station it is hard to turn around. What is different in the case of DPI is that suppliers and ISPs had their way with an ignorant public starting in the late 90’s. Nobody really gave much thought as to how DPI might be the villain in the controversy over Net Neutrality. It was just assumed that nobody would notice their Internet traffic being watched and redirected by routing devices. With behemoths such as Google having a vested interest in keeping traffic flowing without interference on the Internet, commercial deep packet inspection solutions are slowly falling out of favor in the ISP sector. The bigger question for the players betting the house on DPI is: will it fall out of favor in other business verticals?

The NetEqualizer decision to do away with DPI two years ago is looking quite brilliant now, although at the time it was clearly a risk bucking market trends. Today, even in the face of a worldwide recession, our profit and unit sales are up for the first three quarters of 2009.

As we have claimed in previous articles, there is a time and place for deep packet inspection; however, any provider using DPI to manipulate data is looking for a potential dog fight with the FCC.

NetEqualizer has been providing alternative bandwidth control options for ISPs, businesses, and schools of all sizes for 7 years without violating any of the Net Neutrality sacred cows. If you have not heard about us, maybe now is a good time to pick up the phone. We have been on the record touting our solution as being fair and equitable for quite some time now.

Using NetEqualizer Lite to prevent the 802.11 Hidden Terminal problem


Introduction

Of the numerous growing pains that can accompany the expansion of a wireless network, the hidden terminal problem is one of the most difficult to solve. Despite your best efforts, the communication breakdown between nodes can wreak havoc on a network, often leading to subpar performance and unhappy users.

What is a hidden terminal and why is it a problem for wireless networks?

An 802.11 wireless network in a normal, simple configuration consists of a central access point (AP) and one or more remote users – which are the individuals utilizing the computers and devices that constitute a node. Wireless transmission technology is such that if more than one remote user transmits data back to the AP at the same time, it is difficult for the AP to distinguish between the two talkers.

When the forefathers of 802.11 first designed the protocols for how a wireless network should prevent this problem, they assumed that all users and nodes would be in close proximity to the access point and could actually hear each other’s transmissions.

For example, say node A and node B are wireless laptops in an office building with one access point. Node A starts sending data to the access point at the same moment as node B. By design, node A is smart enough to listen at the exact moment it is sending data in order to ensure that it has the airwaves free and clear. If it hears some other talker at the same time, it may back off, or, in other cases, node B may be the one to back off. The exact mechanism used to determine the back off order is similar to right of way rules at a four-way stop. These rules of etiquette are followed to prevent a crash and allow each node to send its data unimpeded.

Thus, 802.11 is designed with a set of courtesies such that if one node hears another node talking, it backs off, going silent as to reduce the chaos of multiple transmissions at the same time. This should be true for every node in the network.

This technology worked fine until directional antennas were invented and attached to remote nodes, which allowed users to be farther away from an access point and still send and receive transmissions. This technology is widely available and fairly inexpensive, so it was adopted by many wireless service providers to extend Internet service across a community.

The impact of these directional antennas, and the longer distances they allow users to be from access points, is that individual nodes are often unable to hear each other. Since their antennas are directed back to a central location, as the individual nodes get farther away from the central AP, they also get farther apart from each other. This makes it more difficult for the nodes to hear one another. Think of a group of people talking while they stand around in an ever-expanding circle. As the circle expands away from the center, people get farther apart, making it harder for them to communicate.

Since it’s not practical to have each node point a directional antenna at all of the other nodes, the result is that the nodes don’t acknowledge one another and subsequently don’t back off to let others in. When nodes compete to reach the access point at the same time, typically those with the strongest signals, which are generally closest to the AP, win out, leaving the weaker-signaled nodes helpless and unable to communicate with the access point (see image below).

[Image: nodes with stronger signals crowding out weaker nodes at the access point]

When a network with hidden nodes reaches capacity, it is usually due to circumstances such as this, where nodes with stronger signals steal the airwaves and crowd out nodes with weaker signals. If the nodes with the stronger signals continue to talk constantly, the weaker nodes can be locked out indefinitely, leaving certain users without access to the network.

The severity of the hidden node problem varies with the time of day, as well as with who is talking at any moment. As a result, the problem is not in one place for long, so it is not easily remedied by a quick mechanical fix. But, fortunately, there is a solution.

How does a NetEqualizer solve the hidden node issue?

The NetEqualizer solution, which is completely compatible with 802.11, works by taking advantage of the natural inclination of Internet connections to back off when artificially restrained. We’ll get back to this key point in a moment.

Understanding the true throughput upper limit of your access point is key to the NetEqualizer’s efficiency, since the advertised throughput of an AP and its actual ceiling often vary, with most AP’s not reaching their full potential.

Once you have determined the peak capacity of the access point (done empirically through busy hour observation), you then place a NetEqualizer (normally the lower end NetEqualizer POE device) between the access point and its connection to the Internet. You then set the NetEqualizer to the effective throughput of the AP. This tells the NetEqualizer to kick into gear when that upper limit is reached.

Once configured, the NetEqualizer constantly (every second) measures the total aggregate bandwidth throughput traversing the AP. If it senses the upper limit is being reached, NetEqualizer will then isolate the dominating flows and encourage them to back off.

Each connection between a user on your network and the Internet constitutes a traffic flow. Flows vary widely from short dynamic bursts, which occur, for example, when searching a small Web site, to large persistent flows, as when performing peer-to-peer file sharing or downloading a large file.

By keeping track of every flow going through the AP, the NetEqualizer can make a determination of which ones are getting an unequal share of bandwidth and thus crowding out flows from weaker nodes.

NetEqualizer determines detrimental flows from normal ones by taking the following questions into consideration:

1) How persistent is the flow?
2) How many active flows are there?
3) How long has the flow been active?
4) How much total congestion is currently on the trunk?
5) How much bandwidth is the flow using relative to the link size?

Once the answers to these questions are known, NetEqualizer will adjust offending flows by adding latency, forcing them to back off and allow potentially hidden nodes to establish communications – thus eliminating any disruption. Nodes with stronger signals that are closer to the access point will no longer have the advantage over users based farther away. This is done automatically by the NetEqualizer, without requiring any additional programming by administrators.

The key to making this happen over 802.11 relies on the fact that if you slow a stream to the Internet down, the application at the root cause will back off and also slow down. This can be done by the NetEqualizer without any changes to the 802.11 protocol since the throttling is actually done independent of the radio. The throttling of heavy streams happens between the AP and the connection to the Internet.
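The shaping loop described above (and in the Mikrotik conversation earlier on this page: let flows run freely, delay the heaviest persistent flows when the trunk fills, release them once usage is back near 90 percent) as an added Python simulation. This is an illustration written for this page, not NetEqualizer's code; the trunk size, thresholds, back-off factor and traffic mix are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed parameters (assumptions for this illustration, not NetEqualizer settings)
TRUNK_KBPS = 10_000   # effective ceiling of the AP/trunk, found empirically at busy hour
TRIGGER = 1.00        # start shaping when aggregate usage reaches the ceiling
TARGET = 0.90         # add delay to offenders until usage is back at 90% of the trunk
MIN_AGE = 3           # a flow must be at least this old (seconds) to count as persistent
BACKOFF = 0.5         # assumed rate a delayed TCP sender settles at (half its demand)


@dataclass
class Flow:
    name: str
    demand_kbps: float    # what the application sends when unconstrained
    age: int = 0          # seconds the flow has been active
    delayed: bool = False

    def rate(self) -> float:
        """Offered rate: a delayed flow backs off like a TCP sender facing added latency."""
        return self.demand_kbps * (BACKOFF if self.delayed else 1.0)


def aggregate(flows) -> float:
    """Total throughput traversing the AP this second."""
    return sum(f.rate() for f in flows)


def offenders(flows, trunk=TRUNK_KBPS):
    """Apply the page's criteria: persistent (old enough), large relative to the link
    (above an equal share of the trunk), not already delayed. Heaviest first."""
    fair_share = trunk / max(len(flows), 1)
    hits = [f for f in flows
            if not f.delayed and f.age >= MIN_AGE and f.rate() > fair_share]
    return sorted(hits, key=lambda f: (-f.rate(), f.name))


def tick(flows, trunk=TRUNK_KBPS):
    """One 1-second measurement cycle.
    Returns (aggregate after adjustment, names of flows newly delayed this second)."""
    for f in flows:
        f.age += 1
    newly = []
    if aggregate(flows) >= TRIGGER * trunk:
        # congested: delay the biggest persistent flows one at a time until the
        # trunk is back at the target utilisation; short flows are never touched
        for f in offenders(flows, trunk):
            if aggregate(flows) <= TARGET * trunk:
                break
            f.delayed = True
            newly.append(f.name)
    elif aggregate(flows) <= TARGET * trunk:
        # conditions abated: release one delayed flow per second so it can run again
        # (gradual release is an assumption of this toy)
        for f in flows:
            if f.delayed:
                f.delayed = False
                break
    return aggregate(flows), newly


def sample_flows():
    """Constructed traffic mix: three long-running video streams, twenty short web
    fetches that just started, and four low-rate voice calls."""
    flows = [Flow(f"youtube-{i}", 2500, age=10) for i in range(1, 4)]
    flows += [Flow(f"web-{i}", 150) for i in range(1, 21)]
    flows += [Flow(f"voip-{i}", 100, age=30) for i in range(1, 5)]
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    for second in range(1, 5):
        total, newly = tick(flows)
        delayed = [f.name for f in flows if f.delayed]
        print(f"t={second}s total={total:.0f} kbps newly_delayed={newly} delayed={delayed}")
```

In the constructed mix the trunk starts at 10,900 kbps; only the two heaviest video streams are delayed, the web and VoIP flows are left alone, and the delay is lifted again once usage is back under the target.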

Questions and Answers

How do you know congestion is caused by a heavy stream?

We have years of experience optimizing networks with this technology. It is safe to say that on any congested network roughly 5 percent of users are responsible for 80 percent of Internet traffic. This seems to be a law of Internet usage.

Can certain applications be given priority?

NetEqualizer can give priority by IP address, for video streams, and in its default mode it naturally gives priority to Voice over IP (VoIP), thus addressing a common need for commercial operators.

How many users can the NetEqualizer POE support?

The NetEqualizer Lite can support approximately 100 users.

What happens to voice traffic over a wireless transmission? Will it be improved or impaired?

We have mostly seen improvements to voice quality using our techniques. Voice calls are usually fairly low runners when it comes to the amount of bandwidth consumed. Congestion is usually caused by higher running activities, and thus we are able to tune the NetEqualizer to favor voice.

How can I find out more about the NetEqualizer?

Additional information about the NetEqualizer can be found at our Web site.

How can I purchase a NetEqualizer for trial?

Customers in the U.S. can contact APconnections directly at 1-800-918-2763 or via e-mail at admin@APconnections.net. International customers outside of Europe can contact APconnections at +1 303-997-1300, extension 103 or at the e-mail listed above.

About APconnections

APconnections is a privately held company founded in July 2003 and based in Lafayette, CO. We develop cost-effective and easy-to-install and manage traffic shaping appliances. Our NetEqualizer product family optimizes critical network bandwidth resources for any organization that purchases bandwidth in bulk and then redistributes or resells that bandwidth to disparate users with competing needs.

Our goal is to provide fully featured traffic shaping products that are simple to install and easy to use and manage. We released our first commercial offering in July 2003, and since then over 1000 unique customers around the world have put our products into service. Our flexible and scalable solutions can be found at ISPs, WISPs, major universities, Fortune 500 companies, SOHOs and small businesses on six continents.

Competing demands for network resources and congestion are problems shared by network administrators and operators across the globe. Low priority applications such as a large file download should never be allowed to congest and slow down your VoIP, CRM, ERP or other high priority business applications. Until the development of APconnections’ NetEqualizer product family, network administrators and operators who wanted to cost-effectively manage network congestion and quality of service were forced to cobble together custom solutions. This process turned a simple task into a labor intensive exercise in custom software development. Now, with the NetEqualizer product family from APconnections, network staff can purchase and quickly install cost-effective turnkey traffic shaping solutions.

The University of Limerick published an independent study validating Equalizing as a solution to the hidden node problem.


1 Nodes are defined as any computer or device that is within a network. In this white paper, the term “user” will refer to the individual or group utilizing these computers or devices and could effectively be interchanged with the term “node”. In addition, the term “talker” will at times be used to refer to nodes that are sending data.

How much money does a NetEqualizer save an ISP or cable Internet operator?


We just got this unsolicited e-mail from a customer. We hear this all the time.

The context of the thread was that our customer had just gotten back from a convention and had told a couple of their peer companies (Canadian Cable Operators) about the NetEq and his improved margins.

Ya I’m sure they have to go home and pitch the deal to the management but they are soooo wasting bandwidth.

6500 customers using 250M sustained

We on the other hand have 4000 using 60M sustained

Crazy!

Burstable Internet Connections — Are They of Any Value?


A burstable Internet connection conjures up the image of a super-charged Internet reserve, available at your discretion during a moment of need, like pushing the gas pedal to the floor to pass an RV on a steep grade. Americans find comfort knowing that they have that extra horsepower at their disposal. The promise of power is ingrained in our psyche, and is easily tapped into when marketing an Internet service. However, if you stop for a minute and think about what a bandwidth burst actually is, it might not be a feature worth paying for in reality.

Here are some key questions to consider:

  • Is a burst one second, 10 seconds, or 10 hours at a time? This might seem like a stupid question, but it is at the heart of the issue. What good is a 1-second burst if you are watching a 20-minute movie?
  • If it is 10 seconds, then how long do I need to wait before it becomes available again?
  • Is it available all of the time, or just when my upstream provider(s) circuits are not busy?
  • And overall, is the burst really worth paying for? Suppose the electric company told you that you had a burstable electric connection or that your water pressure fluctuated up for a few seconds randomly throughout the day? Is that a feature worth paying for? Just because it’s offered doesn’t necessarily mean it’s needed or even that advantageous.

While the answers to each of these questions will ultimately depend on the circumstances, they all serve to point out a potential fallacy in the case for burstable Internet speeds: The problem with bursting and the way it is marketed is that it can be a meaningless statement without a precise definition. Perhaps there are providers out there that lay out exact definitions for a burstable connection, and abide by those terms. Even then we could argue that the value of the burst is limited.

What we have seen in practice is that most burstable Internet connections are unpredictable and simply confuse and annoy customers. Unlike the turbo charger in your car, you have no control over when you can burst and when you can’t. What sounded good in the marketing literature may have little practical value without a clear contract of availability.

Therefore, to ensure that burstable Internet speeds really will work to your advantage, it’s important to ask the questions mentioned above. Otherwise, it very well may just serve as a marketing ploy or extra cost with no real payoff in application.

Update: October 1, 2009

Today a user group published a bill of rights in order to nail ISPs down on what exactly they are providing in their service contracts: ISP claims of bandwidth speed.

I noticed that in the article, the bill of rights requires full disclosure of the speed of the provider's link to the consumer's modem. I am not sure this is enough to guarantee a fixed minimum speed to the consumer. You see, a provider could then quite easily oversell the capacity on their switching point, the point where they hook up to a backbone of other providers. You cannot completely regulate speed across the Internet, since by design providers hand off or exchange traffic with other providers. Your provider cannot control the speed of your connection once it is off their network.

Posted by Eli Riles, VP of Sales, www.netequalizer.com.

When is it time to add more bandwidth to your network?


We recently received an e-mail from a customer asking this question. Here is the basic dialogue, with our answer below.

It occurred to me today... pre-NetEqualizer, I’d know that it was time to upgrade our network bandwidth by watching the network traffic graphs. If there were periods of the day that the connection was maxed out, it was a good sign that more bandwidth was needed.

Now that our traffic is running through NetEqualizer, with the threshold limit and then slowing of user connections beyond that point, we’ll not see the graph max out any more, will we? And if we did ever see that, we’d be way past the point of needing more bandwidth, because it would mean that our link was so saturated that NetEqualizer couldn’t slow down enough traffic fast enough to avoid that situation.

Answer: We actually do have systems that run very close to pegged (max) for hours at a time without complaint. Generally we would suggest waiting until users perceive the loading of normal-sized web pages and short e-mails as slow. NetEqualizer does a very good job of allowing your network to run close to capacity without adverse side effects, so in essence it would be premature to add more bandwidth based only on hitting peak usage.

Note: If you ask the sales rep for your local bandwidth provider whether you should purchase more bandwidth, they will almost always recommend adding more to solve almost any issue on your network. Your provider, whether it be Qwest, Comcast, Time Warner or a host of other local providers, most likely has a business model where profit grows by selling bandwidth; hence their sales staff has no incentive to offer alternatives. Occasionally, when it is physically impossible to bring more bandwidth to your business, they will relent and offer a referral to a bandwidth optimization company.

NetEqualizer reaches 5 Gigabit milestone, strengthens market lead in bandwidth controller price performance.



LAFAYETTE, Colo., Sep 15 - APconnections, a leading supplier of bandwidth shaping products, today announced the addition of a 5-gigabit model to their NetEqualizer brand of traffic shapers. The initial release will also be able to shape 40,000 simultaneous Internet users.

“Prior to this release, our largest model was rated for one gigabit,” said Eli Riles, APconnections vice president of sales. “Many of our current customers liked our technology, but just needed a higher-end machine. The price performance of our new traffic shaping appliance is unmatched in the industry.”

In its initial release, the five-gigabit model will start at $11,000 USD. For more information, contact APconnections at 1-800-918-2763 or via email at sales@netequalizer.com.

The NetEqualizer is a plug-and-play bandwidth control and WAN optimization appliance. NetEqualizer technology is deployed at over 3000 businesses and institutions around the world. It is used to speed up shared Internet connections for ISPs, libraries, universities, schools and Fortune 500 companies.

APconnections is a privately held company founded in 2003 and is based in Lafayette, Colorado.

Contact: APconnections, 1-800-918-2763 http://www.apconnections.net/

http://www.netequalizer.com/

Special thanks to Candela Technologies www.candelatech.com and their Network Emulation laboratories for making this release possible.

Why is NetEqualizer the low price leader in Bandwidth Control


Recently we have gotten feedback from customers stating that they almost did not consider the NetEqualizer because the price was so much less than solutions from the likes of Packeteer (Blue Coat), Allot NetEnforcer and Exinda.

Sometimes low price will raise a red flag on a purchase decision, especially when the price is an order of magnitude less than the competition.

Given this feedback, we thought it would be a good idea to go over some of the major cost-structure differences between APconnections, maker of the NetEqualizer, and some of the competition.

1) NetEqualizers are sold mostly direct, by word of mouth. We do not have a traditional indirect sales channel.

– The downside for us as a company is that this does limit our reach a bit. Many IT departments do not have the resources to seek out new products on their own, and are limited to what is presented to them.

– The good news for all involved is that selling direct takes quite a bit of cost out of delivering the product. Indirect sales channels need to be given an incentive to sell, and often they will steer the customer toward the highest-commission product in their arsenal. Our direct channel eliminates this overhead.

– The other good thing about not using a sales channel is that when you talk to one of our direct (non-commissioned) sales reps you can be sure that they are experts on the NetEqualizer. With a sales channel, a sales rep often sells many different kinds of products and can get rusty on some of the specifics.

2) We have bundled our manufacturing with a company that also produces a popular firewall. We also have a backup source to manufacture our products at all times, thus ensuring a steady flow of product without the liability of a manufacturing facility.

3) We have never borrowed money to run APconnections.

– this keeps us very stable and able to withstand market fluctuations

– there are no greedy investors calling the shots looking for a return and demanding higher prices

4) The NetEqualizer is simple and elegant

– Many products keep adding features to grow their market share; we have a solution that works well and does not require constant sustaining engineering.

How to Implement Network Access Control and Authentication


There are a number of basic ways an automated network access control (NAC) system can identify unauthorized users and keep them from accessing your network. However, there are pros and cons to using these different NAC methods.  This article will discuss both the basic network access control principles and the different trade-offs each brings to the table, as well as explore some additional NAC considerations. Geared toward the Internet service provider, hotel operator, library, or other public portal operator who provides Internet service and wishes to control access, this discussion will give you some insight into what method might be best for your network.

The NAC Strategies

MAC Address

Every network interface has a MAC address that is, in principle, unique, so many NAC systems use it to identify an individual customer and grant or deny access.

While they can be effective, there are limitations to using MAC addresses for network access. For example, if a customer switches to a new computer, the system will not recognize them, as their MAC address will have changed. As a result, for mobile customer bases, MAC address authentication by itself is not viable.

Furthermore, MAC addresses do not propagate beyond one network hop (each router rewrites the layer 2 header), so on larger networks with centralized authentication, MAC address authentication can only be done on the local segment, with no hops across routers. A work-around for this limit would be to use a distributed set of authentication points local to each segment. This would involve multiple NAC devices, which would automatically raise complexity with regard to synchronization: your entire authentication database would need to be replicated on each NAC.

Finally, a common question when it comes to MAC addresses is whether or not they can be spoofed. In short, yes, and it takes little sophistication: on most operating systems the MAC address is a software setting that can be changed with one command. Nor does an attacker have to guess a paying customer’s address, since MAC addresses travel in the clear; on a wireless network every frame exposes them, and on any shared LAN the ARP broadcasts do. That is not to say it will happen often, but rather that for a public access network the revenue at risk is usually not worth the cost of combating the determined isolated user.

I mention this because some vendors will sell you features to combat spoofing, and for a public portal they are most likely not worth the incremental cost. The calculation changes in a private network, where what is at stake is access to internal resources rather than a small access fee.

IP Address

IP addresses allow a bit more flexibility than MAC addresses because they survive the trip across a router, so authentication can be done at a central location for several network segments. Again, while this strategy can be effective, IP address authentication has the same issue as MAC addressing: it does not allow a customer to switch computers, thus requiring that the customer use the same computer each time they log in. In theory, a customer could reconfigure the IP address should they switch computers, but this would be far too much of an administrative headache to explain when operating a consumer-based network.

In addition, IP addresses are easy to spoof and relatively easy to guess should a user be trying to steal another user’s identity. But should two users be active with the same IP address at the same time, the conflict is noticed quickly and the ruse can be tracked down. So, while plausible, it is a risky thing to do.

User ID  Combined with MAC Address or IP Address

This methodology solves the portability issue found when using MAC addresses and IP addresses by themselves. With this strategy, the user authenticates their session with a user ID and password and the NAC module records their IP or MAC address for the duration of the session.

For a mobile consumer base, this is really the only practical way to enforce network access control. However, there is a caveat with this method. The NAC controller must expire a user session when there is a lack of activity.  You can’t expect users to always log out from their network connection, so the session server (NAC) must take an educated guess as to when they are done. The ramification is that they must log back in again. This usually isn’t a major problem, but can simply be a hassle for users.

The good news is that the inactivity timer can be extended to hours or even days, and should a customer log in on a different computer while a previous session is still current, the NAC can sense this and terminate the old session automatically.

The authentication method currently used with the NetEqualizer is based on IP address and user ID/password, since it was designed for ISPs serving a transient customer base.
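The session-based strategy described above, as an added example (this is not NetEqualizer's code): a small controller that checks a user ID and password, binds the client's current IP address to the session (a MAC address would be handled the same way on a single segment), refreshes an idle timer on every request, expires idle sessions, and, when the same user logs in from a second address, terminates the old session. The user records, addresses and timings are constructed for the demonstration, and the choice of PBKDF2 for password storage is this example's, not something the page specifies.

```python
"""Session-based NAC: user ID/password plus the client's current address.

Added example, not NetEqualizer code. Users, addresses and times are
constructed; PBKDF2 for password storage is an assumption of this example.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user_db(credentials: dict[str, str]) -> dict[str, tuple[bytes, bytes]]:
    """Constructed credential store: user id -> (salt, password hash)."""
    db = {}
    for user, password in credentials.items():
        salt = os.urandom(16)
        db[user] = (salt, _hash_password(password, salt))
    return db


@dataclass
class Session:
    user: str
    addr: str          # IP (or MAC on a single segment) bound to this session
    last_seen: float   # seconds; refreshed on every request from addr


class NacController:
    def __init__(self, user_db: dict[str, tuple[bytes, bytes]], idle_timeout: float):
        self.user_db = user_db
        self.idle_timeout = idle_timeout
        self.by_addr: dict[str, Session] = {}   # authorized address -> session
        self.by_user: dict[str, str] = {}       # user -> address of the live session

    def login(self, user: str, password: str, addr: str, now: float) -> bool:
        """Authenticate and bind addr to the user; one live session per user."""
        rec = self.user_db.get(user)
        if rec is None:
            return False
        salt, stored = rec
        if not hmac.compare_digest(_hash_password(password, salt), stored):
            return False
        old_addr = self.by_user.get(user)
        if old_addr is not None and old_addr != addr:
            # Same customer on a different computer: end the old session.
            self.by_addr.pop(old_addr, None)
        self.by_addr[addr] = Session(user, addr, now)
        self.by_user[user] = addr
        return True

    def is_authorized(self, addr: str, now: float) -> bool:
        """Per-request gate; a hit also resets the inactivity timer."""
        self.expire_idle(now)
        sess = self.by_addr.get(addr)
        if sess is None:
            return False
        sess.last_seen = now
        return True

    def expire_idle(self, now: float) -> list[str]:
        """Log out sessions idle longer than idle_timeout; returns the users dropped."""
        dropped = []
        idle = [a for a, s in self.by_addr.items() if now - s.last_seen > self.idle_timeout]
        for addr in idle:
            sess = self.by_addr.pop(addr)
            if self.by_user.get(sess.user) == addr:
                del self.by_user[sess.user]
            dropped.append(sess.user)
        return dropped
```

`is_authorized` is the check a gateway would run for every request from an address. One caveat the address binding carries: if several customers sit behind one NAT address, the address-to-user mapping is ambiguous, so the binding has to be done on the customer side of the NAT.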

Other Important Considerations

NAC and Billing Systems

Many NAC solutions also integrate billing services. Overlooking the potential complexity and ballooning cost of a billing system can cut into efficiency and profits for both customer and vendor. Our philosophy is that a flat rate and simple billing are best.

To name a few examples, different customers may want time of day billing; billing by day, hour, month, or year; automated refunds; billing by speed of connections; billing by type of property (geographic location); or tax codes. It can obviously go from a simple idea to a complicated one in a hurry. While there’s nothing wrong with these requests, history has shown that costs can increase exponentially when maintaining a system and trying to meet these varied demands, once you get beyond simple flat rate.

Another thing to look out for with billing is integration with a credit card processor. Back-end integration for credit card processing takes some time and energy to validate. For example, the most common credit card authorization system in the US, Authorize.net, does not work unless you also have a US bank account. You may be tempted to shop for your credit card processor based on fees, but if you plan on automated integration with a NAC system, make sure the processor provides automated tools to integrate with your system and that your consulting firm accounts for this integration work.

Redirection Requirements

You cannot purchase and install a NAC system without some network analysis. Most NAC systems will redirect unauthorized users to a Web page that allows them to sign up for the service. Although this seems relatively straightforward, there are some basic network features that need to be in place in order for this redirection to work correctly. The details involved go beyond the scope of this article, but you should expect to have a competent network administrator or consultant on hand in order to set this up correctly. To be safe, plan for eight to 40 hours of consulting time for troubleshooting and set-up above and beyond the cost of the equipment.
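One piece of that redirection, as an added example (not NetEqualizer's code): the decision a gateway makes for each request from an address that has not signed in. The portal host name, the walled-garden list, the `next` parameter and the request fields are assumptions for illustration. Two details are worth getting right up front: the portal itself, and anything it depends on such as a payment processor, must be reachable before login, otherwise the redirect loops; and only plain-HTTP GET requests can usefully be redirected, since an HTTPS connection cannot be redirected without a certificate warning and a redirected POST loses its body.

```python
"""Captive-portal redirect decision for a NAC gateway.

Added example; not NetEqualizer code. PORTAL_HOST, WALLED_GARDEN, the `next`
parameter and the request fields are assumptions for illustration.
"""
from urllib.parse import quote, urlsplit

PORTAL_HOST = "signup.example.net"                        # assumed sign-up page
WALLED_GARDEN = {PORTAL_HOST, "payments.example.net"}     # reachable before login


def decide(is_authorized, client_ip, method, host, path, port=80):
    """Return ("allow", None), ("redirect", location) or ("deny", None).

    * Authorized addresses and walled-garden hosts pass; without the second
      rule the sign-up page would itself be redirected to the sign-up page.
    * Only plain-HTTP GET is redirected. HTTPS cannot be redirected without a
      certificate warning and a redirected POST loses its body, so those are
      denied; the user reaches the portal on their next plain-HTTP page load.
    * The original URL rides along as `next` so the user lands where they wanted.
    """
    if is_authorized(client_ip) or host.lower() in WALLED_GARDEN:
        return ("allow", None)
    if method.upper() == "GET" and port == 80:
        original = f"http://{host}{path}"
        return ("redirect", f"http://{PORTAL_HOST}/login?next={quote(original, safe='')}")
    return ("deny", None)


def safe_next(next_url, fallback=f"http://{PORTAL_HOST}/welcome"):
    """Portal side: honour `next` only if it is the kind of URL decide() emits,
    an absolute http URL with a host. Anything else (another scheme, a relative
    path, an empty value) gets the fixed landing page instead."""
    parts = urlsplit(next_url)
    if parts.scheme == "http" and parts.netloc:
        return next_url
    return fallback
```

The `is_authorized` argument is where the session store plugs in: it is the per-address check that the session controller performs for every request.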

Network Access for Organizational Control

Thus far we have focused on the basic ways a public provider can restrict access to the Internet. However, in a private or institutional environment where security and access to information are paramount, the NAC mission can change substantially. For example, the Wikipedia article on network access control outlines a much broader mission than a simple service provider would require. The article reads:

“Network Access Control aims to do exactly what the name implies—control access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do.”

This paragraph was obviously written by a contributor who views NAC as a broad control technique reaching deep into a private network. Interestingly, there is an ongoing dispute on Wikipedia over whether this definition goes beyond the simpler idea of just granting access.

The rift on Wikipedia can be summarized as an argument over whether a NAC should be a simple gatekeeper for access to a network, with users having free rein to wander once in, or whether the NAC has responsibilities to protect various resources within the network once access is attained. Both camps are obviously correct, but it depends on the customer and type of business as to what type of NAC is required.

Therefore, in closing, the overarching message that emerges from this discussion is simply that implementing network access control requires an evaluation not only of the network setup, but also how the network will be used. Strategies that may work perfectly in certain circumstances can leave network administrators and users frustrated in other situations. However, with the right amount of foresight, network access control technologies can be implemented to facilitate the success of your network and the satisfaction of users rather than serving as an ongoing frustrating limitation.

The Real Killer Apps and What You Can Do to Stop Them from Bringing Down Your Internet Links


When planning a new network, or when diagnosing a problem on an existing one, a common question that’s raised concerns the impact that certain applications may have on overall performance. In some cases, solving the problem can be as simple as identifying and putting an end to (or just cutting back) the use of certain bandwidth-intensive applications. So, the question, then, is what applications may actually be the source of the problem?

The following article works to identify and break down the applications that will most certainly kill your network, but also provides suggestions as to what you can do about them. While every application certainly isn’t covered, our experience working with network administrators around the world has helped us identify the most common problems.

The Common Culprits

YouTube Video (standard video) — On average, a 10-minute YouTube video will consume about 500 kbps sustained over its duration. Most video players buffer ahead, storing the video locally as fast as your network can deliver it. On a shared network, this has the effect of bringing everything else to its knees. This may not be a problem if you are the only person using the Internet link, but in today’s businesses and households, that is rarely the case.

For more specifics about YouTube consumption, see our other YouTube articles.

Microsoft Service-Pack Downloads — Updates such as Microsoft service packs are large bulk file downloads (over HTTP or FTP), and a bulk TCP transfer will use as much bandwidth as it can find. The end result is that your VoIP phone may lock up, your videos will become erratic, and Web surfing will come to a crawl.
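Before choosing among the remedies below it helps to know which hosts, and which destinations, are actually eating the link. As an added example (not NetEqualizer code), the following takes flow records of the kind a router or NetFlow collector exports, averages each source's rate over a time window, clipping flows that only partly overlap it, and flags sources above a share of an assumed 20 Mbit/s link. The flow records are constructed, and the field names, link size and 25% threshold are assumptions.

```python
"""Top-talker detection from flow records. Added example; not NetEqualizer code.
The flow export format, the link size and the threshold are assumptions, and
the records in FLOWS are constructed for the demonstration.
"""
import csv
from collections import defaultdict
from io import StringIO

LINK_BPS = 20_000_000   # assumed 20 Mbit/s shared Internet link

# Constructed flow export: start (s), duration (s), source, destination, dst port, bytes.
FLOWS = """\
start,duration,src,dst,dport,bytes
0,60,192.168.1.20,74.125.0.1,80,45000000
0,60,192.168.1.21,207.46.0.1,80,60000000
0,60,192.168.1.22,10.1.1.5,5060,300000
0,60,192.168.1.23,93.184.216.34,443,1200000
"""


def _rows(flow_text):
    for row in csv.DictReader(StringIO(flow_text)):
        yield (float(row["start"]), float(row["duration"]), row["src"],
               row["dst"], int(row["dport"]), int(row["bytes"]))


def per_source_bps(flow_text, win_start, win_end):
    """Average bits/s per source over [win_start, win_end). A flow's bytes are
    spread evenly over its duration, so a flow that only partly overlaps the
    window contributes only the overlapping fraction of its bytes."""
    bps = defaultdict(float)
    for start, dur, src, _dst, _dport, nbytes in _rows(flow_text):
        overlap = min(start + dur, win_end) - max(start, win_start)
        if dur <= 0 or overlap <= 0:
            continue
        bytes_in_window = nbytes * (overlap / dur)
        bps[src] += bytes_in_window * 8 / (win_end - win_start)
    return dict(bps)


def hogs(flow_text, win_start, win_end, link_bps=LINK_BPS, threshold=0.25):
    """Sources using more than `threshold` of the link over the window, worst
    first, as (source, share_of_link)."""
    rates = per_source_bps(flow_text, win_start, win_end)
    flagged = [(src, r / link_bps) for src, r in rates.items() if r / link_bps > threshold]
    return sorted(flagged, key=lambda t: -t[1])


def destinations(flow_text, src):
    """What a flagged host is talking to, as (dst, dport, bytes), largest first.
    Sustained bulk transfers on 80/443 point at video or update downloads;
    small steady flows on 5060 are SIP signalling."""
    out = defaultdict(int)
    for _s, _d, s, dst, dport, nbytes in _rows(flow_text):
        if s == src:
            out[(dst, dport)] += nbytes
    return sorted(((dst, dport, n) for (dst, dport), n in out.items()), key=lambda t: -t[2])
```

Run `hogs(FLOWS, 0, 60)` over the constructed records and the two hosts pulling 60 MB and 45 MB in a minute come out at 40% and 30% of the link; the same records measured over a window they only half overlap fall under the threshold, which is why the window has to match the period in which users actually complained.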

Keeping Your Network Running Smoothly While Handling Killer Apps

There is no magic pill that can give you unlimited bandwidth, but each of the following solutions may help. However, they often require trade-offs.

  1. The obvious solution is to communicate with other members of your household or business when using bandwidth intensive applications. This is not always practical, but, if other users agree to change their behavior, it’s usually a surefire solution.
  2. Deploy a fairness device to smooth out those rough patches during contentious busy hours — Yes, this is the NetEqualizer News blog, but with all bias aside, these types of technologies often work great. If you are in an office sharing an Internet feed with various users, the NetEqualizer will keep aggressive bandwidth users from crowding others out. No, it cannot create additional bandwidth on your pipe, but it will eliminate the gridlock caused by your colleague in the next cubicle downloading a Microsoft service pack. Yes, there are other devices on the market that can enforce fairness, but the NetEqualizer was specifically designed for this mission. And, with a starting price of around $1400, it is a product small businesses can invest in to avoid longer-term costs (see option 3).
  3. Buy more bandwidth — In most cases, this is the most expensive of the different solutions in the long term and should usually be a last resort. This is especially true if the problems are largely caused by recreational Internet use on a business network. However, if the bandwidth-intensive activities are a necessary part of your operation, and they can’t afford to be regulated by a fairness device, upgrading your bandwidth may be the only long-term solution. But, before signing the contract, be sure to explore options one and two first.

As mentioned, not every network-killing application is discussed here, but this should head you in the right direction in identifying the problem and finding a solution. For a more detailed discussion of this issue, visit the links below.

  • For a  more detailed discussion on how much bandwidth specific applications consume, click here.
  • For a set of detailed tips/tricks on making your Internet run faster, click here.
  • For an in-depth look at more complex methods used to mitigate network congestion on a WAN or Internet link, click here.