NetEqualizer White Paper Comparison with Traditional Layer-7 (Deep Packet Inspection Products)

Updated with new reference material May 4th 2009

How NetEqualizer compares to Packeteer, Allot, Cymphonics, Exinda

We often get asked how NetEqualizer compares to Packeteer, Allot, Cymphonics, Exinda and a plethora of other well-known companies that do layer 7 application shaping (packet shaping). After several years of these questions, and discussing different aspects with former and current application shaping IT administrators, we’ve developed a response that should clarify the differences between NetEqualizers behavior based approach and the rest of the pack.

We thought of putting our response into a short, bullet-by-bullet table format, but then decided that since this decision often involves tens of thousands of dollars, 15 minutes of education on the subject with content to support the bullet chart was in order. If you want to see just the bullet chart, you can skip to the end now, but if you’re looking to have the question answered as objectively as possible, please take a few minutes to read on

In the following sections, we will cover specifically when and where application shaping (deep packet inspection) is used, how it can be used to your advantage, and also when it may not be a good option for what you are trying to accomplish. We will also discuss how the NetEqualizer and its behavior-based shaping fits into the landscape of application shaping, and how in some cases the NetEqualizer is a much better alternative.

First off, let’s discuss the accuracy of application shaping. To do this, we need to review the basic mechanics of how it works.

Application shaping is defined as the ability to identify traffic on your network by type and then set customized policies to control the flow rates for each particular type. For example, Citrix, AIM, Youtube, and BearShare are all applications that can be uniquely identified.

As you are likely aware, all traffic on the Internet travels around in what is called an IP packet. An IP packet can very simply be thought of as a string of characters moving from computer A to computer B. The string of characters is called the “payload,” much like the freight inside a railroad car. On the outside of this payload is the address where it is being sent. On the inside is the data/payload that is being transmitted. These two elements, the address and the payload, comprise the complete IP packet. In the case of different applications on the Internet, we would expect to see different kinds of payloads.

At the heart of all current application shaping products is special software that examines the content of Internet packets as they pass through the packet shaper. Through various pattern matching techniques, the packet shaper determines in real time what type of application a particular flow is. It then proceeds to take action to possibly restrict or allow the data based on a rule set designed by the system administrator.

For example, the popular peer-to-peer application Kazaa actually has the ASCII characters “Kazaa” appear in the payload, and hence a packet shaper can use this keyword to identify a Kazaa application. Seems simple enough, but suppose that somebody was downloading a Word document discussing the virtues of peer-to-peer and the title had the character string “Kazaa” in it. Well, it is very likely that this download would be identified as Kazaa and hence misclassified. After all, downloading a Word document from a Web server is not the same thing as the file sharing application Kazaa.

The other issue that constantly brings the accuracy of application shaping under fire is that some application writers find it in their best interest not be classified. In a mini arms race that plays out everyday across the world, some application developers are constantly changing their signature and some have gone as far as to encrypt their data entirely.

Yes, it is possible for the makers of application shapers to counter each move, and that is exactly what the top companies do, but it can take a heroic effort to keep pace. The constant engineering and upgrading required has an escalating cost factor. In the case of encrypted applications, the amount of CPU power required for decryption is quite intensive and impractical and other methods will be needed to identify encrypted p2p.

But, this is not to say that application shaping doesn’t work in all cases or provide some value. So, let’s break down where it has potential and where it may bring false promises. First off, the realities of what really happens when you deploy and depend on this technology need to be discussed.

Accuracy and False Positives

As of early 2003, we had a top engineer and executive join APConnections direct from a company that offered application shaping as one of their many value-added technologies. He had first hand knowledge from working with hundreds of customers who were big supporters of application shaping:

The application shaper his company offered could identify 90 percent of the spectrum of applications, which means they left 10 percent as unclassified. So, right off the bat, 10 percent of the traffic is unknown by the traffic shaper. Is this traffic important? Is it garbage that you can ignore? Well, there is no way to know with out any intelligence, so you are forced to let it go by without any restriction. Or, you could put one general rule over all of the traffic – perhaps limiting it to 1 megabit per second max, for example. Essentially, if your intention was 100-percent understanding and control of your network traffic, right out the gate you must compromise this standard.

In fairness, this 90-percent identification actually is an amazing number with regard to accuracy when you understand how daunting application shaping is. Regardless, there is still room for improvement.

So, that covers the admitted problem of unclassifiable traffic, but how accurate can a packet shaper be with the traffic it does claim to classify? Does it make mistakes? There really isn’t any reliable data on how often an application shaper will misidentify an application. To our knowledge, there is no independent consumer reporting company that has ever created a lab capable of generating several thousand different applications types with a mix of random traffic, and then took this mix and identified how often traffic was misclassified. Yes, there are trivial tests done one application at a time, but misclassification becomes more likely with real-world complex and diverse application mixes.

From our own testing of application technology freely available on the Internet, we discovered false positives can occur up to 25 percent of the time. A random FTP file download can be classified as something more specific. Obviously commercial packet shapers do not rely on the free technology in open source and they actually may improve on it. So, if we had to estimate based on our experience, perhaps 5 percent of Internet traffic will likely get misclassified. This brings our overall accuracy down to 85 percent (combining the traffic they don’t claim to classify with an estimated error rate for the traffic they do classify).

Constantly Evolving Traffic

Our sources say (mentioned above) that 70 percent of their customers that purchased application shaping equipment were using the equipment primarily as a reporting tool after one year. This means that they had stopped keeping up with shaping policies altogether and were just looking at the reports to understand their network (nothing proactive to change the traffic).

This is an interesting fact. From what we have seen, many people are just unable, or unwilling, to put in the time necessary to continuously update and change their application rules to keep up with the evolving traffic. The reason for the constant changing of rules is that with traditional application shaping you are dealing with a cunning and wise foe. For example, if you notice that there is a large contingent of users using Bittorrent and you put a rule in to quash that traffic, within perhaps days, those users will have moved on to something new: perhaps a new application or encrypted p2p. If you do not go back and reanalyze and reprogram your rule set, your packet shaper slowly becomes ineffective.

And finally lest we not forget that application shaping is considered by some to be a a violation of Net Neutrality.

When is application shaping the right solution?

There is a large set of businesses that use application shaping quite successfully along with other technologies. This area is WAN optimization. Thus far, we have discussed the issues with using an application shaper on the wide open Internet where the types and variations of traffic are unbounded. However, in a corporate environment with a finite set and type of traffic between offices, an application shaper can be set up and used with fantastic results.

There is also the political side to application shaping. It is human nature to want to see and control what takes place in your environment. Finding the best tool available to actually show what is on your network, and the ability to contain it, plays well with just about any CIO or IT director on the planet. An industry leading packet shaper brings visibility to your network and a pie chart showing 300 different kinds of traffic. Whether or not the tool is practical or accurate over time isn’t often brought into the buying decision. The decision to buy can usually be “intuitively” justified. By intuitively, we mean that it is easier to get approval for a tool that is simple to conceptually understand by a busy executive looking for a quick-fix solution.

As the cost of bandwidth continues to fall, the question becomes how much a CIO should spend to analyze a network. This is especially true when you consider that as the Internet expands, the complexity of shaping applications grows. As bandwidth prices drop, the cost of implementing such a product is either flat or increasing. In cases such as this, it often does not make sense to purchase a $15,000 bandwidth shaper to stave off a bandwidth upgrade that might cost an additional $200 a month.

What about the reporting aspects of an application shaper? Even if it can only accurately report 90 percent of the actual traffic, isn’t this useful data in itself?

Yes and no. Obviously analyzing 90 percent of the data on your network might be useful, but if you really look at what is going on, it is hard to feel like you have control or understanding of something that is so dynamic and changing. By the time you get a handle on what is happening, the system has likely changed. Unless you can take action in real time, the network usage trends (on a wide open Internet trunk) will vary from day to day.1 It turns out that the most useful information you can determine regarding your network is an overall usage patter for each individual. The goof-off employee/user will stick out like a sore thumb when you look at a simple usage report since the amount of data transferred can be 10-times the average for everybody else. The behavior is the indicator here, but the specific data types and applications will change from day to day and week to week

How does the NetEqualizer differ and what are its advantages and weaknesses?

First, we’ll summarize equalizing and behavior-based shaping. Overall, it is a simple concept. Equalizing is the art form of looking at the usage patterns on the network, and then when things get congested, robbing from the rich to give to the poor. Rather than writing hundreds of rules to specify allocations to specific traffic as in traditional application shaping, you can simply assume that large downloads are bad, short quick traffic is good, and be done with it.

This behavior-based approach usually mirrors what you would end up doing if you could see and identify all of the traffic on your network, but doesn’t require the labor and cost of classifying everything. Applications such as Web surfing, IM, short downloads, and voice all naturally receive higher priority while large downloads and p2p receive lower priority. This behavior-based shaping does not need to be updated constantly as applications change.

Trusting a heuristic solution such as NetEqualizer is not always an easy step. Oftentimes, customers are concerned with accidentally throttling important traffic that might not fit the NetEqualizer model, such as video. Although there are exceptions, it is rare for the network operator not to know about these potential issues in advance, and there are generally relatively few to consider. In fact, the only exception that we run into is video, and the NetEqualizer has a low level routine that easily allows you to give overriding priority to a specific server on your network, hence solving the problem.

Another key element in behavior-based shaping is connections. Equalizing takes care of instances of congestion caused by single-source bandwidth hogs. However, the other main cause of Internet gridlock (as well as bringing down routers and access points) is p2p and its propensity to open hundreds or perhaps thousands of connections to different sources on the Internet. Over the years, the NetEqualizer engineers have developed very specific algorithms to spot connection abuse and avert its side effects.

This overview, along with the summary table below, should give you a good idea of where the NetEqualizer stands in relation to packet shaping.

Summary Table

Application based shaping

  • good for static links where traffic patterns are constant

  • good for intuitive presentations makes sense and easy to explain to non technical people
  • detailed reporting by application type
  • not the best fit for wide open Internet trunks
    • costly to maintain in terms of licensing

    • high initial cost

    • constant labor to tune with changing application spectrum

    • expect approximately 15 percent of traffic to be unclassified

  • only a static snapshot of a changing spectrum may not be useful
  • false positives may show data incorrectly no easy way to confirm accuracy
  • violates Net Neutrality


  • not the best for dedicated WAN trunks

  • the most cost effective for shared Internet trunks
  • little or no recurring cost or labor
  • low entry cost
  • conceptual takes some getting used to
  • basic reporting by behavior used to stop abuse
  • handles encrypted p2p without modifications or upgrades
  • Supports Net Neutrality

1 The exception is a corporate WAN link with relatively static usage patterns.

Note: Since we first published this article, deep packet inspection also known as layer 7 shaping has taken some serious industry hits with respect to US based ISPs

Related articles:

Why is NetEqualizer the low price leader in bandwidth control

When is deep packet inspection a good thing?

NetEqualizer offers deep packet inspection comprimise.

Internet users attempt to thwart Deep Packet Inspection using encryption.

Why the controversy over deep Packet inspection?

World wide web founder denounces deep packet inspection

Speeding up Your T1, DS3, or Cable Internet Connection with an Optimizing Appliance

By Art Reisman, CTO, APconnections (

Whether you are a home user or a large multinational corporation, you likely want to get the most out of your Internet connection. In previous articles, we have  briefly covered using Equalizing (Fairness)  as a tool to speed up your connection without purchasing additional bandwidth. In the following sections, we’ll break down  exactly how this is accomplished in layman’s terms.

First , what is an optimizing appliance?

An optimizing appliance is a piece of networking equipment that has one Ethernet input and one Ethernet output. It is normally located between the router that terminates your Internet connection and the users on your network. From this location, all Internet traffic must pass through the device. When activated, the optimizing appliance can rearrange traffic loads for optimal service, thus preventing the need for costly new bandwidth upgrades.

Next, we’ll summarize equalizing and behavior-based shaping.

Overall, equalizing is a simple concept. It is the art form of looking at the usage patterns on the network, and when things get congested, robbing from the rich to give to the poor. In other words, heavy users are limited in the amount of badwidth to which they have access in order to ensure that ALL users on the network can utilize the network effectively. Rather than writing hundreds of rules to specify allocations to specific traffic as in traditional application shaping, you can simply assume that large downloads are bad, short quick traffic is good, and be done with it.

How is Fairness implemented?

If you have multiple users sharing your Internet trunk and somebody mentions “fairness,” it probably conjures up the image of each user waiting in line for their turn. And while a device that enforces fairness in this way would certainly be better than doing nothing, Equalizing goes a few steps further than this.

We don’t just divide the bandwidth equally like a “brain dead” controller. Equalizing is a system of dynamic priorities that reward smaller users at the expense of heavy users. It is very very dynamic, and there is no pre-set limit on any user. In fact, the NetEqualizer does not keep track of users at all. Instead, we monitor user streams. So, a user may be getting one stream (FTP Download) slowed down while at the same time having another stream untouched(e-mail).

Another key element in behavior-based shaping is connections. Equalizing takes care of instances of congestion caused by single-source bandwidth hogs. However, the other main cause of Internet gridlock (as well as bringing down routers and access points) is p2p and its propensity to open hundreds or perhaps thousands of connections to different sources on the Internet. Over the years, the NetEqualizer engineers have developed very specific algorithms to spot connection abuse and avert its side effects.

What is the result?

The end result is that applications such as Web surfing, IM, short downloads, and voice all naturally receive higher priority, while large downloads and p2p receive lower priority. Also, situations where we cut back large streams is  generally for a short duration. As an added advantage, this behavior-based shaping does not need to be updated constantly as applications change.

Trusting a heuristic solution such as NetEqualizer is not always an easy step. Oftentimes, customers are concerned with accidentally throttling important traffic that might not fit the NetEqualizer model, such as video. Although there are exceptions, it is rare for the network operator not to know about these potential issues in advance, and there are generally relatively few to consider. In fact, the only exception that we run into is video, and the NetEqualizer has a low level routine that easily allows you to give overriding priority to a specific server on your network, hence solving the problem. The NetEqualizer also has a special feature whereby you can exempt and give priority to any IP address specifically in the event that a large stream such as video must be given priority.

Through the implementation of Equalizing technology, network administrators are able to get the most out of their network. Users of the NetEqualizer are often surprised to find that their network problems were not a result of a lack of bandwidth, but rather a lack of bandwidth control.

See who else is using this technology.

Created by APconnections, the NetEqualizer is a plug-and-play bandwidth control and WAN/Internet optimization appliance that is flexible and scalable. When the network is congested, NetEqualizer’s unique “behavior shaping” technology dynamically and automatically gives priority to latency sensitive applications, such as VoIP and email. Click here for a full price list.

Where are the safe tech jobs ?

By Art Reisman, CTO,

Art Reisman CTO

Art Reisman

Article Type: Opinion

As the CEO of a small (yet growing) tech company in the current recession I often get calls from former colleagues working at larger corporations. Amidst their companies insincere rhetoric, inaction, and falling revenues, good people wait around wondering who will be next to get the ax.

The underlying problem at most of these companies is that they are continue to push products into a stagnant or declining market. The only way to have any relative security is to get on board with an industry or niche with solid growth potential.

So if your wondering where to turn for potential job security here are some tips that might help

Look for a company that is doing something with real value for society and not just jumping on the latest bandwagon.

1) Renewable energy is hot , and certainly a job in renewable energy is better than selling steam engines running off coal. Renewable energy, although here to stay is being over hyped . Right now the success of renewable energy is dependent on battery technology. Fossil fuels are nothing more than the Suns energy stored up and retrieved at will when needed. For renewable (wind, solar) energy is to compete easily with traditional fossil fuels we must come up with a clean effective battery to store energy. My advice seek out a company that specializes in battery technology and then help them make a difference.

2) Network and Internet Optimization

Internet Infrastructure companies are being forced by their stock holders to turn a profit. The days of free falling bandwidth contracts are slowing down, hence the new hot market will be companies with products that optimize internet bandwidth. Bandwidth control , WAN optimization and compression although not on the front pages, are areas of value and are holding their own in the recession. Some companies to look at , are

APconnection (NetEqualizer)





3) Medical Technology,

From newer and better and MRI machines to prosthetics , Americans will spare no expense for anything that will make their lives more comfortable. So when will this party end and the associated demand for jobs in the Medical Industry flatten out?

Although I do not expect a crash in this field as we might have seen in other boom and bust industries, I do expect a slowdown. Every bubble has its end, and the Medical technology industry is due for a slow down. As consumers push back on medical care pricing, high end technology research will slow down. Still a better prospect than steam engines though.

4) Auto Industry

If you are entering into the field of Mechanical Engineering or electronics controls now would be a good time to focus on the Auto Industry. For the next 5 to 10 years I expect that auto makers will be looking for new innovative ideas in their engineering departments. They will also be looking for new talent. Don’t let the down turn discourage you this is an opportunity.

Seventeen Unique Ideas to Speed up Your Internet

By Eli Riles
Eli Riles is a retired insurance agent from New York. He is a self-taught expert in network infrastructure. He spends half the year traveling and visiting remote corners of the earth. The other half of the year you’ll find him in his computer labs testing and tinkering with the latest network technology.  For questions or comments please contact him at

Updated 11/30/2015 – We are now up to sixteen (17) tips!

Although there is no way to actually make your true Internet speed faster, here are some tips for home and corporate users that can make better use of the bandwidth you have, thus providing the illusion of a faster pipe.

1) Use A VPN tunnel to get to blocked content.

One of the little know secrets your provider does not want you to know is that they will slow video or software updates if the content is not hosted on their network. Here is an article with details on how you can get around this restriction.




2) Time of day does make a difference

During peak internet Usage times, 5 PM to Midnight local time, your upstream provider is also most likely congested.  If you have a bandwidth intensive task to do, such as downloading an update for your IPAD, you can likely get a much faster download by doing your download earlier in the day. I have even noticed that the more obscure YouTube’s and videos,  have problems running at peak traffic times. My upstream provider does a good job with Netflix and popular videos during peak hours ( these can be found in their cache), but if I get something that is not likely stored in a local copy on their servers the video will lag during peak times. (see our article on caching)

3) Turn off Java Script

There are some trade offs with doing this , but it does make a big difference on how fast pages will load. Here is an article where cover all the  relevant details.

Note: Prior to 2010  setting your browser to text only mode was a viable option, but today most sites are full of graphics and virtually unreadable in text only mode.

  • If you are stuck with a dial-up or slower broadband connection, your  browser likely has an  option to load text-only. If you are a power user that’s gaming or watching YouTube, text-only will obviously have no effect on these activities, but it will speed up general browsing and e-mail.  Most web pages are loaded with graphics which take up the bulk of the load time, so switching to text-only will eliminate the graphics and save you quite a bit of time.

4) Install a bandwidth controller to make sure no single connection dominates your bandwidth

Everything you do on the Internet creates a connection from inside your network to the Internet, and all of these connections compete for the limited amount of bandwidth your ISP provides.

Your router (cable modem) connection to the Internet provides first come/first serve service to all the applications trying to access the Internet. To make matters worse, the heavier users, the ones with the larger persistent downloads, tend to get more than their fair share of router cycles.  Large downloads are like the school yard bully, they tend to butt in line, and not play fair.

Read the full article.

5) Turn off the other computers in the house

Many times, even during the day when the kids are off to school, I’ll be using my Skype phone and the connection will break up.  I have no idea what exactly the kids’ computers are doing, but if I log them off the Internet, things get better with the Skype call every time. In a sense, it’s a competition for limited bandwidth resources, so, decreasing the competition will usually boost your computer’s performance.

6) Kill background tasks on your computer

You should also try to turn off any BitTorrent or background tasks on your computer if you are having trouble while trying to watch a video or make a VoIP call.  Use your task bar to see what applications are running and kill the ones you don’t want.  Although this is a bit drastic, you may just find that it makes a difference. You’d be surprised what’s running on your computer without you even knowing it (or wanting it).

For you gamers out there, this also means turning off the audio component on your games if you do not need it for collaboration.

7) Test your Internet speed

One of the most common issues with slow internet service is that your provider is not giving you the speed/bandwidth that they have advertised.  Here is a link to our article on testing your Internet speed, which is a good place to start.

Note:  Comcast has adopted a 15 minute Penalty box in some markets. Your initial speed tests will likely show no degradation, but if you persist at watching high-definition video for more than 15 minutes, you may get put into their Penalty box.  This practice helps preserve a limited resource in some crowded markets.  We note it here because we have heard reports of people happily watching YouTube videos only to have service degrade.

Related Article: The real meaning of Comcast generosity.

8) Make sure you are not accidentally connected to a weak access point signal

There are several ways an access point can slow down your connection a bit.  If the signal between you and the access point is weak, the access point will automatically downgrade its service to a slower speed. This happens to me all the time. My access point goes on the blink (needs to be re-booted) and my computer connects to the neighbor’s with a weaker signal. The speed of my connection on the weaker signaled AP is quite variable.  So, if you are on wireless in a densely populated area, check to make sure what signal you are connected  to.

9) Caching — How  does it work and is it a good idea?

Offered by various vendors and built into Internet Explorer, caching can be very effective in many situations. Caching servers have built-in intelligence to store the most recently and most frequently requested information, thus preventing future requests from traversing a WAN/Internet link unnecessarily.

Many web servers keep a time stamp of their last update to data, and browsers such as the popular Internet Explorer will check the time stamp on the host server. If the page time stamp has not changed since the last time you accessed the page, IE will grab it and present a local stored copy of the Web page (from the last time you accessed the page), saving the time it would take to load the page from across the Internet.

So what is the downside of caching?

There are two main issues that can arise with caching:

a) Keeping the cache current. If you access a cached page that is not current, then you are at risk of getting old and incorrect information. Some things you may never want to be cached, for example the results of a transactional database query. It’s not that these problems are insurmountable, but there is always the risk that the data in cache will not be synchronized with changes. I personally have been misled by old data from my cache on several occasions.

b) Volume. There are some 100 million Web sites out on the Internet. Each site contains upwards of several megabytes of public information. The amount of data is staggering and even the smartest caching scheme cannot account for the variation in usage patterns among users and the likelihood they will hit an uncached page.

Recommended: Related article on how ISPs use caching to speed up NetFlix and Youtube Videos.

For information on turning off caching, click here.


10) Kill your virus protection software

With the recent outbreak of the H1N1 virus, it reminded me of  how sometimes the symptoms and carnage from a vaccine are worse than the disease it purports to cure.  Well, the same holds true for your virus protection software. Yes, viruses are real and can take down your computer, but so can a disk crash, which is also inevitable.  You must back up your critical data regularly.  However, that virus software seems to dominate more resources on my desktop than anything else.  I no longer use anything and could not be happier.  But be sure to use a reliable back-up (as you will need to rebuild your computer now and then, which I find a better alternative than running a slow computer all of the time).

11) Set a TOS bit to provide priority

A TOS bit  is a special bit within an IP packet that directs routers to give preferential treatment to selected packets.  This sounds great, just set a bit and move to the front of the line for faster service.  As always, there are limitations.

– How does one set a TOS bit?
It seems that only very special enterprise  applications, like a VoIP PBX, actually set and make use of TOS bits. Setting the actual bit is not all that difficult if you have an application that deals with the network layer, but most commercial applications just send their data on to the host computer’s clearing house for data, which in turn puts it into IP packets without a TOS bit set.  After searching around for a while, I just don’t see any literature on being able to set a TOS bit at the application level. For example, there are a couple of forums where people mention setting the TOS bit in Skype but nothing definitive on how to do it.

– Who enforces the priority for TOS packets?
This is a function of routers at the edge of your network, and all routers along the path to wherever the IP packet is going. Generally, this limits the effectiveness of using a TOS bit to networks that you control end-to-end. In other words, a consumer using a public Internet connection cannot rely on their provider to give any precedence to TOS bits, hence this feature is relegated to enterprise networks within a business or institution.

–  Incoming traffic generally cannot be controlled.
The subject of when you can and cannot control a TOS bit does get a bit more involved.  We have gone over this in more detail in a separate  article.

12) Avoid Quota Penalties

Some providers are implementing Quotas where they slow you down if you use too much data over a period of time.  If you know that you have a large set of downloads to do, for example synching your device with iTunes Cloud, go to a library and use their free service. Or, if you are truly without morals, logon to your neighbor’s wireless network and do your synch.

13) Consider Application Shaping?

Note: Application shaping is an appropriate topic for corporate IT administrators and is generally not a practical solution for a home user.  Makers of application shapers include Blue Coat (Packeteer) and Allot (NetEnforcer), products that are typically out of the price range for many smaller networks and home users.

One of the most popular and intuitive forms of optimizing bandwidth is a method called “application shaping”, with aliases of “deep packet inspection”, “layer 7 shaping”, and perhaps a few others thrown in for good measure. For the IT manager that is held accountable for everything that can and will go wrong on a network, or the CIO that needs to manage network usage policies, this at first glance may seem like a dream come true.  If you can divvy up portions of your WAN/Internet link to various applications, then you can take control of your network and ensure that important traffic has sufficient bandwidth, right?  Well, you be the judge…

At the center of application shaping is the ability to identify traffic by type.  For example, identifying between Citrix traffic, streaming audio, Kazaa peer-to-peer, or something else.  However, this approach is not without its drawbacks.

Drawback #1: Applications can purposely use non-standard ports
Many applications are expected to use Internet ports when communicating across the Web. An Internet port is part of an Internet address, and many firewall products can easily identify ports and block or limit them. For example, the “FTP” application commonly used for downloading files uses as standard the well-known “port 21”. The fallacy with this scheme, as many operators soon find out, is that there are many applications that do not consistently use a standard fixed port for communication. Many application writers have no desire to be easily classified. In fact, they don’t want IT personnel to block them at all, so they deliberately design applications to not conform to any formal port assignment scheme. For this reason, any product that aims to block or alter application flows by port should be avoided if your primary mission is to control applications by type.

So, if standard firewalls are inadequate at blocking applications by port, what can help?

As you are likely aware, all traffic on the Internet travels around in what is called an IP packet. An IP packet can very simply be thought of as a string of characters moving from Computer A to Computer B. The string of characters is called the “payload,” much like the freight inside a railroad car. On the outside of this payload, or data, is the address where it is being sent. These two elements, the address and the payload, comprise the complete IP packet.

In the case of different applications on the Internet, we would expect to see different kinds of payloads. For example, let’s take the example of a skyscraper being transported from New York to Los Angeles. How could this be done using a freight train? Common sense suggests that one would disassemble the office tower, stuff it into as many freight cars as it takes to transport it, and then when the train arrived in Los Angeles, hopefully the workers on the other end would have the instructions on how to reassemble the tower.

Well, this analogy works with almost anything that is sent across the Internet, only the payload is some form of data, not a physical hunk of bricks, metal and wires. If we were sending a Word document as an e-mail attachment, guess what, the contents of the document would be disassembled into a bunch of IP packets and sent to the receiving e-mail client where it would be re-assembled. If I looked at the payload of each Internet packet in transit, I could actually see snippets of the document in each packet and could quite easily read the words as they went by.

At the heart of all current application shaping products is special software that examines the content of Internet packets (aka “deep packet inspection”), and through various pattern matching techniques, determines what type of application a particular flow is. Once a flow is determined, then the application shaping tool can enforce the operator’s policies on that flow. Some examples of policy are:

Limit AIM messenger traffic to 100kbs
Reserve 500kbs for Shoretell voice traffic

The list of rules you can apply to traffic types and flow is unlimited.

Drawback #2: The number of applications on the Internet is a moving target.
The best application shaping tools do a very good job of identifying several thousand of them, and yet there will always be some traffic that is unknown (estimated at 10 percent by experts from the leading manufacturers). The unknown traffic is lumped into the unknown classification and an operator must make a blanket decision on how to shape this class. Is it important? Is it not? Suppose the important traffic was streaming audio for a webcast and is not classified. Well, you get the picture. Although theory behind application shaping by type is a noble one, the cost for a company to stay up-to-date is large and there are cracks.

Drawback #3: The spectrum of application types is not static
Even if the application spectrum could be completely classified, the spectrum of applications constantly changes. You must keep licenses current to ensure you have the latest in detection capabilities. And even then it can be quite a task to constantly analyze and change the mix of policies on your network. As bandwidth costs lessen, how much human time should be spent divvying up and creating ever more complex policies to optimize your WAN traffic?

Drawback #4: Net neutrality is comprised by application shaping.
Techniques used in application shaping have become controversial on public networks, with privacy issues often conflicting with attempts to ensure network quality.

Based on these drawbacks, we believe that application shaping is not the dream come true that it may seem at first glance.  Once CIOs and IT Managers are educated on the drawbacks, they tend to agree.

14) Bypass that local consumer reseller

This option might be a little bit out of the price range of the average consumer, and it may not be practical logistically –  but if you like to do things out-of-the-box, you don’t have to buy Internet service from your local cable operator or phone company, especially if you are in a metro area.  Many customers we know have actually gone directly to a Tier 1 point of presence (backbone provider) and put in a radio backhaul direct to the source.  There are numerous companies that can set you up with a 40-to-60 megabit link with no gimmicks.

15) Speeding up your iPhone

Ever been in a highly populated area with 3 or 4 bars and still your iPhone access slows to crawl ?

The most likely reason for this problem is congestion on the provider line. 3g and 4g networks all have a limited sized pipe from the nearest tower back to the Internet. It really does not matter what your theoretical data speed is, when there are more people using the tower than the back-haul pipe can handle, you can temporarily lose service, even when your phone is showing three or four bars.

Unfortunately, you only have a couple of options in this situation. If you are in a stadium with a large crowd, your best bet is to text during the action.  If you wait for a timeout or end of the game,  you’ll find this corresponds to the times when the network slows to a crawl,  so try to finish your access before the last out of the game or the end of the quarter. Pick a time when you know the majority of people are not trying to send data.

Get away from the area of congestion. I have experienced complete lockout of up to 30 minutes, when trying to text, as a sold out stadium emptied out.  In this situation my only chance was  to walk about  1/2 mile or so from the venue to get a text out. Once away from the main stadium, my iPhone connected to a tower with a different back haul away from the congested stadium towers.

Shameless plug: If you happen to be a provider or know somebody that works for a provider  please tell them to call us and we’d be glad to explain the simplicity of equalizing and how it can restore sanity to a congested wireless backhaul.

16) Turn off HTTPS and other Encryption

Although this may sound a bit controversial , there are some providers that,  for sake of survival assume that encrypted traffic is bad traffic.  For example p2p is considered bad traffic, they usee be able to use special equipment to throw it into a lower priority pool so that it gets sent out at a slower speed.   Many applications are starting to encrypt p2p , face book etc…. The provider may assume that all this is “bad”traffic because they don’t know what it is, and hence give it a lower priority.

17) Protocol Spoofing

Note:  This method is applied to Legacy Database servers doing operations over a WAN.  Skip this tip if you are a home user.

Historically, there are client-server applications that were developed for an internal LAN. Many of these applications are considered chatty. For example, to complete a transaction between a client and server, tens of messages may be transmitted when perhaps one or two would suffice. Everything was fine until companies, for logistical and other reasons, extended their LANs across the globe using WAN links to tie different locations together.

To get a better visual on what goes on in a chatty application, perhaps an analogy will help.  It’s like  sending family members your summer vacation pictures, and, for some insane reason, putting each picture in a separate envelope and mailing them individually on the same mail run. Obviously, this would be extremely inefficient, as chatty applications can be.

What protocol spoofing accomplishes is to fake out the client or server-side of the transaction and then send a more compact version of the transaction over the Internet, i.e. put all the pictures in one envelope and send it on your behalf, thus saving you postage.

You might ask why not just improve the inefficiencies in these chatty applications rather than write software to deal with the problem? Good question, but that would be the subject of a totally different article on how IT organizations must evolve with legacy technology, which is beyond the scale of the present article.

In Conclusion

Again, while there is no way to increase your true Internet speed without upgrading your service, these tips can improve performance, and help you to get better results from the bandwidth that you already have.  You’re paying for it, so you might as well make sure it’s being used as effectively as possible. : )

Related Article on testing true video speed over the Internet

A great article from the tech guy regarding tips on dealing with your ISP

Other Articles on Speeding up Your Internet

Five tips and tricks to speed up your Internet

How to speed up your Internet Connection Without any Software

Tips on how to speed up your Internet

About APconnections

Created by APconnections, the NetEqualizer is a plug-and-play bandwidth control and WAN/Internet optimization appliance that is flexible and scalable. When the network is congested, NetEqualizer’s unique “behavior shaping” technology dynamically and automatically gives priority to latency sensitive applications, such as VoIP and email. Click here to request our full pricelist.

NetEqualizer Bandwidth Control Tech Seminar Video Highlights

Tech Seminar, Eastern Michigan University, January 27, 2009

This 10-minute clip was professionally produced January 27, 2009. It  gives a nice quick overview of how the NetEqualizer does bandwidth control while providing priority for VoIP and video.

The video specifically covers:

1) Basic traffic shaping technology and NetEqualizer’s behavior-based methods

2) Internet congestion and gridlock avoidance on a network

3) How peer-to-peer file sharing operates

4) How to counter the effects of peer-to-peer file sharing

5) Providing QoS and priority for voice and video on a network

6) A short comparison by a user (a university admin) who prefers NetEqualizer to layer-7 deep packet inspection techniques

ROI calculator for Bandwidth Controllers

Is your commercial Internet link getting full ? Are you evaluating whether to increase the size of your existing internet pipe and trying to do a cost trade off on investing in an optimization solution? If you answered yes to either of these questions then you’ll find the rest of this post useful.

To get started, we assume you are somewhat familiar with the NetEqualizer’s automated fairness and behavior based shaping.

To learn more about NetEqualizer behavior based shaping  we suggest our  NetEqualizer FAQ.

Below are the criteria we used for our cost analysis.

1) It was based on feedback from numerous customers (different verticals) over the previous six years.

2) In keeping with our policies we used average and not best case scenarios of savings.
3) Our Scenario is applicable to any private business or public operator that administers a shared Internet Link with 50 or more users

4) For our example  we will assume a 10 megabit trunk at a cost of $1500 per month.

ROI savings #1 Extending the number of users you can support.

NetEqualizer Equalizing and fairness typically extends the number of users that can share a trunk by making better use of the available bandwidth in a time period. Bandwidth can be stretched from 10 to 30 percent:

savings $150 to $450 per month

ROI savings #2 Reducing support calls caused by peak period brownouts.

We conservatively assume a brownout once a month caused by general network overload. With a transient brownout scenario you will likely spend debug time  trying to find the root cause. For example, a bad DNS server could the problem, or your upstream provider may have an issue. A brownout  may be caused by simple congestion .   Assuming you dispatch staff time to trouble shoot a congestion problem once a month and at an overhead  from 1 to 3 hours. Savings would be $300 per month in staff hours.

ROI savings #3 No recurring costs with your NetEqualizer.

Since the NetEqualizer uses behavior based shaping your license is essentially good for the life of the unit. Layer 7 based protocol shapers must be updated at least once a year.  Savings $100 to $500 per month

The total

The cost of a NetEqualizer unit for a 10 meg circuit runs around $3000, the low estimate for savings per month is around $500 per month.

In our scenario the ROI is very conservatively 6 months.

Note: Commercial Internet links supported by NetEqualizer include T1,E1,DS3,OC3,T3, Fiber, 1 gig and more

Related Articles

Virtual PBX revisited

Editors Note:

This article written for VOIP magazine back in 2004 is worth revisiting.

Back in 2004 when I first wrote this article for the most part there was nothing commercially available  now, Jan 2009, the market is crowded with offers claiming to be virtual PBX’s . At APconnections, we currently use an offering from  A true virtual PBX. Make sure you look under the hood at anything you evaluate.  All  the 800 service numbers call themselves virtual PBX’s; however, in our opinion, simply having a call answer service in the sky  is not a PBX. Read on for a detailed definition.

Before reposting we searched for the original but were unable to find it online.


Art Reisman

By Art Reisman, CTO, APconnections makers of NetEqualizer Internet Optimization Equipment

Outsourcing Communications with a Virtual PBX


A new breed of applications emerging from the intersection of VoIP and broadband may soon make the traditional premise-based PBX a thing of the past. Virtual PBX, hosted and delivered by today’s telcos and cable operators, is quickly becoming an option for businesses looking to outsource portions of their communications network. Rather than purchase and maintain an expensive piece of equipment, you can now sign up for a pay-as-you-go service with all of the functionality of an on-site PBX but with none of the expense.

To some, this idea may sound like a return to the past and, in a sense, it is. AT&T began delivering PBX functionality through its Centrex services in the 1970s. However, upon closer investigation, it is clear that the functionality delivered and the economics of the two approaches are very different.

The Private Branch Exchange: A Brief Primer

A PBX or private branch exchange allows an organization to maintain a small number of outside lines when compared to the number of actual telephones and users within an organization. Users of the PBX share these outside lines for making telephone calls outside the organization (external to the PBX).

Onsite PBX became popular and matured in the 1980s when the cost of remote connectivity was extremely high and the customer control of hosted PBX-like services of the time (Centrex) was limited, if it was even offered. In 1980, providing advanced, remote PBX services to a building with 100 employees would have required AT&T to run 100 individual copper lines from the local exchange to each telephone at the site.

As more and more businesses opted to install a PBX onsite, competition for customer dollars drove ever more extensive “business-class” features into these devices, further differentiating the premise-based PBX from the hosted products offered by telephone companies. Over time, PBX offerings gradually standardized into the product set that today we have come to expect when we pick up any business phone: voice-mail, auto attendant, call queuing, conferencing, call transfer, and more.

Flash forward from 1980 to 2005. Today, 100 direct phone lines can be transported from one location to another over many miles with no more than one wire. Remote access to control a PBX outside of your building is also trivial to implement with a simple Web portal. Technological advances coupled with feature stability and the broad appeal of PBX “applications” makes them a prime candidate for hosting.

A business starting today can have a full-featured hosted PBX with a single high-speed Internet connection. These virtualized services would require no additional equipment to purchase or maintain.

Defining Virtual PBX

Businesses looking to purchase such a service today can expect to find significant differences in the features and functionality available among offerings being marketed under the, often interchangeable, terms hosted or virtual PBX. To alleviate confusion and provide a starting point in your quest to outsource your communications network, the perfect, hosted PBX service would have the following features:

Auto-detectionThe PBX must dynamically detect remote stations from any place in the world and provide dial tone (As opposed to having a user dial in to obtain service. See the sidebar, Start with a Dial Tone).
Start with a Dial Tone
There are products on the market that remotely host a set of PBX services and require the user to dial in with a standard phone so the PBX can identify the caller. This is a viable approach to providing a hosted PBX with established stability. However, it does have a few restrictions not applicable to a pure hosted PBX.

  • When using the PBX services, the caller ties up a local phone line and blocks calls directly made to that line.
  • Obtaining a dial tone for an outbound call can only be done by first connecting to the PBX, or as a final alternative just using the standard phone line to dial out without going through the PBX, which takes away all of the cost and convenience benefits of the PBX.
  • A truly hosted PBX solution must provide a dial tone without first dialing in.

    Service Provisioning New service provisioning must be self-service with no expensive customer premise equipment required. For example, a customer with a credit card and access to a provider’s Web page should be able to initiate worldwide service in a matter of minutes.

    Standards Support Off-the-shelf SIP phones must be supported by the hosted service. A virtual PBX should not lock customers into using specific equipment or proprietary protocols.

    Affordable Start-up costs should be minimal and usage-based, allowing a small business to seamlessly grow and add stations as needed, without ever needing a disruptive upgrade or requiring a large capital investment.

    Level Rates Outbound and inbound toll rates should be provided at wholesale prices globally by the service provider. The customer can be assured of one published competitive price for outgoing calls and incoming calls.

    Administration Each business using the service should have access to a private portal allowing them to administer features and options. The organization’s account and services should be secure and accessible to a designated administrator 24/7.

    Bundled Applications The service must offer a minimum set of applications common to an onsite PBX. The most common of which include: transfer, conference, forward, find me, follow me, voice mail, auto attendant, basic call reporting, and inbound and outbound caller ID.

    Technology Considerations

    While the benefits to a hosted PBX solution are immediately obvious–elimination of equipment hard costs and the specialized knowledge required to keep it up and running–there are drawbacks to consider when adopting an emerging technology.

    The first point to consider is that the technology behind hosted PBX services has not yet developed to the point of large-scale enterprise deployments. Currently, the organizations that will see the most benefit from a hosted solution are small- to medium-sized businesses.

    Quality of service, the shadow that follows every voice over IP application, is the overriding technology hurdle that consumers need to be aware of when considering a hosted PBX solution. Latency can also be an issue; the different routes that IP data takes across the Internet can cause speech breaks and dropped calls.

    QoS and latency are key considerations when discussing bandwidth requirements and network architecture with potential vendors. Being undersold on bandwidth when moving to an IP communications network can create problems above and beyond being oversold.

    Selecting a Vendor

    The low barrier to entry for vendors looking to offer hosted PBX services has created a number of options for consumers and driven down costs, but customers need to be aware that not all service providers are equal.

    Existing Infrastructure Deploying a world-wide hosted PBX service as outlined above requires a significant infrastructure investment to handle the centralized switching needed to move millions of simultaneous call around the world. When investigating service providers, look for a vendor that has the knowledge to grow not only with your business but also with the broad adoption of the technology as a whole. Having a tested, existing infrastructure in place for business-class communications is key.

    Service Provider Network One method of alleviating IP voice quality issues on a regional basis is by staying within a large service provider network. For example, if an organization uses a Qwest T3 trunk service at its headquarters and an employee travels to neighboring cities with Qwest DSL service in their hotels, it is unlikely that quality problems will be experienced at the carrier level. Choosing a vendor that understands how your organization will use the service should be an important part of your selection process.


    While adoption is not yet widespread, hosted services are here and will only get better with time. As companies continue to seek the benefits of outsourcing the elements of their enterprise–from business processes to core technologies—adoption will continue to grow, making hosted PBX is a technology to keep your eye on in 2005.

    Note the author uses a solution from Aptela and has found their support to be top notch and was the main reason for switching about 4 years ago.

    %d bloggers like this: