Global Information Assurance Certification Paper

Copyright SANS Institute
Author Retains Full Rights

This paper is taken from the GIAC directory of certified professionals. Reposting is not permitted without express written permission.

EX1032
Palo Alto Networks v. Sable Networks
IPR2020-01712

Christian Boniforti
Version 1.4b Option B
March 2003

Securing a University’s Bandwidth with PacketShaper

Introduction:
This paper is not limited to universities and could be applied to any network
architecture. It is meant to bring attention to the importance of securing any
network’s bandwidth. This paper will assist the reader in the implementation,
installation and configuration of the PacketShaper and the processes that are
necessary to apply bandwidth utilization policies. It is important to remember that
there is no “one size fits all” solution. I suggest using what is pertinent to your
scenario and learning from my mistakes. I am not providing a guaranteed solution
or an instructional paper; I am merely providing you with the tools, strategies and
technology that I used in securing and providing reliable bandwidth to our
institution.

One must also understand that this paper is written with an emphasis on a
university network, which differs greatly from traditional corporate enterprises.
According to Ted Udelson, academic institutions are presented with special and
complex challenges which are not faced by commercial or government entities.
He further lists the most common threats:

They have difficulty in controlling end users.

The culture cultivates free thinking and “open” access to
information.

The university serves as a research body, corporation, and Internet
service provider. Colleges and universities must analyze each of
these functions to determine the proper stance to take with regard
to security (Udelson, p. 10).

These points brought up by Mr. Udelson present a network administrator with
many challenging and unique tasks. It is important first to understand the
threats that are specific to your network environment and then to develop a solution
that will fit best for your specific scenario.

Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46

© SANS Institute 2003,
As part of GIAC practical repository.
Author retains full rights.

Scenario: Before PacketShaper
In late 2001, administration had received complaints from several students that
the bandwidth that was provided to them was not adequate at times to conduct
research. Specifically, students complained that at certain times of the day (a
stretch between 10:00pm and 2:00am) internet access would come to a
complete halt.

This was brought up to the CIO and the concern was later passed off to me. I
conducted some research and monitoring using the MRTG tool on our single T1. My
report of the utilization of bandwidth showed that the T1 line idled between 80%
and 90% utilization during working hours (9-5), and reached 100% during the
10:00pm – 2:00am stretch. Figure 1 shows the basic public network setup.

My observation was passed along to my CIO and then on to administration. The
problem needed to be resolved quickly and thus a very reactive decision was
reached. Administration decided that the university should purchase an additional
T1. This additional T1 was purchased in early 2002.

The university decided that it would purchase a device called Linkproof by
Radware for the integration of both T1 lines. These T1 lines would be set up to
provide load balancing, redundancy, and a larger bandwidth capacity. Figure 2
shows the new design that was created for the integration of the dual T1.

The implementation of an additional T1 and the Radware Linkproof device were
to provide the additional bandwidth needed and supply the university with some
redundancy. The Linkproof device was able to eliminate

. . . link congestions and bottlenecks from multi-homed networks,
for fault tolerant connectivity and continuous availability of web
services. By intelligently routing traffic and controlling bandwidth
service levels across all Internet links, Linkproof enables effective
link utilization, accelerating responsiveness, controlling bandwidth
consumption and economically scaling operations. (LinkProof, p. 1)

The additional T1 and Radware Linkproof solution provided the university with
a larger amount of capacity and offered the university the needed tolerance, but it
was not able to monitor internal usage.

Two weeks into the winter semester of 2002, the administration continued to
receive complaints of slow internet access. Bandwidth monitoring was
conducted once again and during the peak hours for the university (10:00pm to
2:00am) bandwidth readings would burst to 100% capacity.

My first approach to this situation was to use portions of the “Defense in Depth”
strategy and identify the business goals of the administration, faculty, students
and the IT Department. Administration wanted a controllable, cost effective and
quick solution. Faculty wanted guaranteed bandwidth and the Communications
Department wanted designated bandwidth to conduct their streaming video
projects and presentations. Students wanted everything, from peer to peer
networks to online gaming and Xbox Live gaming. The IT Department wanted a
better solution, one that would provide filtering, control and designate bandwidth
on a policy based system. The IT Department also needed to be able to
implement a VOIP (Voice Over IP) solution with adequate QoS (Quality of
Service) in the near future.

It became apparent to the IT department that we could not continue to add T1s,
and that we needed to come up with a solution that would be able to measure,
monitor, filter and shape the bandwidth traffic. A solution also needed to be
backed up by an “Issue-specific Policy”. At the time the university had no specific
internet utilization policy either developed or implemented.

A New Problem:
At around the same time we were beginning to experience constant problems
with our firewall. At first we did not know or realize that this problem was part of
our lack of bandwidth control and knowledge. The log files would grow at a rate
that the OS could not handle. This would cause the firewall to either freeze and
hang, or the hard drive designated for the log files would fill up and consequently
shut down the firewall.

After researching the log files it was determined that the culprit was SMTP traffic
initiating from internal clients (specifically students). There were two different
options to solve this problem: allow SMTP to go through the firewall, which would
propagate SMTP traffic to the outside world, or stop SMTP traffic at the internal
core router. Our core router also served as our VLAN manager. We set up an
ACL (Access Control List) to not allow student traffic to send SMTP traffic. This
solution seemed to work. We began to experience problems with the core router
less than a week into the implementation phase. The core router began to crash
every 24 hours. Once the router was reloaded some SMTP traffic was still being
filtered, but not all. It was agreed that we were not going to filter at the router
level, and would try to find the culprit students. At this point, I was not able to identify
this problem as a mismanagement of bandwidth.

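The log review described above can be scripted. The following is an added example, not code from the original paper: it counts outbound SMTP connections per student host in firewall log text and flags the hosts that exceed a threshold, which is the "find the culprit students" step. The log layout, the student subnet 10.20.0.0/16, the relay address 10.1.0.25 and the sample lines are all constructed assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in a hypothetical "date time action proto src:port -> dst:port"
# layout; a real firewall's log format will differ and needs its own pattern.
SAMPLE_LOG = """\
2002-02-11 22:14:03 ACCEPT TCP 10.20.3.15:1045 -> 198.51.100.7:25
2002-02-11 22:14:03 ACCEPT TCP 10.20.3.15:1046 -> 198.51.100.9:25
2002-02-11 22:14:04 ACCEPT TCP 10.20.3.15:1047 -> 203.0.113.40:25
2002-02-11 22:14:04 ACCEPT TCP 10.20.3.15:1048 -> 203.0.113.41:25
2002-02-11 22:14:05 ACCEPT TCP 10.20.7.88:2210 -> 192.0.2.10:80
2002-02-11 22:14:06 ACCEPT TCP 10.1.0.25:3301 -> 192.0.2.25:25
2002-02-11 22:14:07 ACCEPT TCP 10.20.9.4:1500 -> 198.51.100.7:25
2002-02-11 22:14:08 ACCEPT TCP 10.20.3.15:1049 -> 203.0.113.42:25
2002-02-11 22:14:09 DENY UDP 10.20.7.88:1030 -> 192.0.2.53:53
truncated line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

STUDENT_NET = ipaddress.ip_network("10.20.0.0/16")   # assumed student VLAN range
MAIL_RELAYS = {ipaddress.ip_address("10.1.0.25")}    # assumed sanctioned mail server


def smtp_talkers(log_text, threshold=3):
    """Map each student host with >= threshold outbound SMTP connections
    to (connection count, number of distinct destination servers)."""
    counts = Counter()
    dests = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue                      # skip lines the pattern cannot parse
        if m["proto"] != "TCP" or m["dport"] != "25":
            continue                      # only SMTP is of interest here
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue                      # malformed address in the log line
        if src in MAIL_RELAYS or src not in STUDENT_NET:
            continue                      # sanctioned relay or non-student host
        counts[m["src"]] += 1
        dests[m["src"]].add(m["dst"])
    return {ip: (n, len(dests[ip])) for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, (conns, servers) in sorted(smtp_talkers(SAMPLE_LOG).items()):
        print(f"{ip}: {conns} SMTP connections to {servers} distinct servers")
```

A host that opens SMTP sessions to many distinct servers in a short window stands out from a normal mail client, which talks to one relay.
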
We decided that we would try to answer the following key questions: Why?
What? Where? and How? Why monitor and secure bandwidth? What were
we going to use to measure and secure bandwidth? Where did we need to
monitor bandwidth? And How would we enforce these solutions?

Understanding the Importance of Securing Bandwidth
Before we can understand Why we should secure and manage bandwidth we
must define bandwidth. Scientifically speaking,

…bandwidth is the width of the range of frequencies that an
electronic signal occupies on a given transmission medium. Any
digital or analog signal has a bandwidth. In digital systems,
bandwidth is expressed as data speed in bits per second (bps). In
analog systems, bandwidth is expressed in terms of the difference
between the highest-frequency signal component and the
lowest-frequency signal component. (SearchNetworking.com, p. 1)

Generally speaking we identify bandwidth as the speed at which
information is transmitted back and forth within a network or between
many networks. Usually the more bandwidth one has, the better the flow
of information. This statement is generally true. We are
going to identify some reasons Why it is important to secure your
network’s bandwidth.

The number one reason to secure your bandwidth is cost. Cost can be
measured in many different ways. The most obvious cost associated
with bandwidth is your ISP costs. In our scenario, the university was
currently using two T1 lines and one point to point WAN link. The total
cost of the university bandwidth was about a $30,000 yearly investment.
This investment needed to be monitored, secured and efficiently utilized.
Once bandwidth was presented as an investment, it became
easier to convince the administration that further studies and policies
should be implemented.

Another reason to secure your bandwidth can be performance. We are
referring to the overall performance of the university’s bandwidth.
Bottlenecks, congestion, dropped or lost packets and unnecessary
retransmissions are all signs of an ill performing network. Many of these
symptoms can be traced back to poorly managed bandwidth. Optimizing
performance on a network basically attempts to minimize negatively
affecting or “less desirable” traffic (P2P, video, sharing) and provide
or guarantee the mission-critical applications their needed bandwidth.

Policy may dictate and mandate the need to secure and manage campus
bandwidth. Our IT Department had no policies set to limit bandwidth,
block “less desirable” traffic or manage bandwidth.

What to use? PacketShaper by Packeteer – A Brief Description
The next question that we needed to answer was, what were we going to use to
measure and control bandwidth? We knew that we could set up MRTG tools and
measure the overall bandwidth, but it was not going to help us analyze packets,
protocols or control bandwidth. After extensive comparison and research, we
decided to use a product by Packeteer called PacketShaper.

PacketShaper is the bandwidth-management solution that brings
predictable, efficient performance to applications running over
enterprise wide-area networks (WANs) and the Internet. It balances
traffic’s demands, giving each type of traffic the bandwidth it needs
to perform. PacketShaper protects critical traffic, paces
bandwidth-greedy traffic, and prevents any single type of traffic from
monopolizing resources. It provisions bandwidth to applications,
sessions, branch offices, and/or users. (Four Steps Packeteer, p. 3)

PacketShaper was the device that was going to be able to monitor inbound and
outbound traffic, as well as analyze and filter. This product would secure our
bandwidth and we would be able to set forth “Issue-specific Policies” that could
be enforced. Packeteer has produced a simple introductory paper on the
PacketShaper product and how to deploy it in your network. It can be found via
this URL:
http://support.packeteer.com/documentation/packetguide/5.2.1/documents/4Steps.pdf

First Step: “Classify Network Traffic”
This first step means allowing PacketShaper to identify traffic as it passes
through the device. PacketShaper has the ability to identify or classify traffic by
applications, protocols, web pages, subnets, users and many more. It has the
ability to automatically classify known applications and protocols. Since new
applications are added on a daily basis, Packeteer makes new classification
features available to customers by introducing new “easy plug in” features. If a
vulnerability or application is introduced, a new plug in will be offered. After
downloading and applying the plug in, PacketShaper is able to automatically
classify the new application or vulnerability.

PacketShaper has the ability to manually classify applications, subnets, protocols
and other network traffic. As new applications are introduced they become
more integrated, more bandwidth intensive and more difficult to classify under
one category. PacketShaper has the ability to manually classify these complex
applications that may differ from the simple IP scheme and single port
applications. Some of the manual classification categories are as follows:
• Web Classification: Most of the traffic today travels as HTTP traffic.
PacketShaper is able to identify and differentiate HTTP traffic by direction
of traffic, web URL, server, or host name. This allows for more
granularity within the HTTP class.
• Intricate Port Classification: PacketShaper is able to classify and analyze
difficult traffic that uses multiple ports or conducts port hopping. Through
this same classification it is able to differentiate traffic that may share the
same port.
• File-Sharing Protocol: This category refers to the famous Napster, Kazaa,
and Gnutella.

Second Step: “Analyze Behavior”
PacketShaper has the ability to measure the classes of traffic that were
previously identified. It will be able to track “…traffic levels, detects network
trends, measures response time, and calculates network efficiency” (Four Steps
Packeteer, p. 5). This period of analysis will help answer many questions
regarding the bandwidth traffic of an organization. PacketShaper is managed
through a simple web interface. This interface contains many helpful tabs that
will be useful to analyze the classified traffic. One of the helpful tabs is the
Monitor Tab:

This tab will identify the automatically or manually set classes in the left column; it
also shows such columns as Current (bps), 1 Minute (bps), and Peak (bps).
This tab will be very helpful in pulling data on desired classes and will become an
important gathering tool for controlling bandwidth.

Third Step: “Control Performance”
PacketShaper is able to manage application performance and guarantee a
preset amount of bandwidth. PacketShaper controls bandwidth through the
usage of partitions. A partition “…creates a virtual separate pipe for a traffic
class” (Four Steps Packeteer, p. 5). One is able to set a size for the reserve link,
define whether it can expand over the cap and control that growth. Partitions
work much like pipes within pipes. Figure 4 shows the relationship of partitions
within partitions:

Figure 4:

Picture from Packeteer Website at URL:
http://support.packeteer.com/documentation/packetguide/5.2.1/documents/4Steps.pdf, p. 20

There are different kinds of partitions that can be utilized. PacketShaper can use
either “hierarchical partitions” or “dynamic partitions”. “Hierarchical partitions”
enable one to preset a certain amount of bandwidth within another subset of
partitions. For example, one could set 30% of a link designated to HTTP traffic,
and then assign different portions of the preset 30% to web servers that utilize
HTTP traffic. One could assign half of the 30% to all web servers, a quarter to
OWA traffic and the remainder to any HTTP traffic. “Dynamic partitions” allow
one to set partitions on a per-user basis. This allows one to manage a user’s
bandwidth allocation across all types of applications.

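The hierarchical example above, worked through as an added model that is not from the original paper and is not PacketShaper's own algorithm: it resolves the 30% / half / quarter / remainder split against the 3.0 Mbps link the paper configures later, then shows a capped class and a burstable class under load. The class names, where the `burstable` flag is set, the 70% sibling partition and the demand figures are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Partition:
    name: str
    share_pct: int                 # reserved share of the parent partition, in percent
    burstable: bool = False        # may borrow capacity its siblings leave unused
    children: list = field(default_factory=list)


def sizes(node, parent_kbps, out=None):
    """Resolve each partition's reserved size in kbps; reject oversubscribed parents."""
    out = {} if out is None else out
    kbps = parent_kbps * node.share_pct // 100
    out[node.name] = kbps
    reserved = sum(child.share_pct for child in node.children)
    if reserved > 100:
        raise ValueError(f"children of {node.name} reserve {reserved}% of it")
    for child in node.children:
        sizes(child, kbps, out)
    return out


def need(node, demand):
    """Total offered load (kbps) of all leaf classes under node."""
    if not node.children:
        return demand.get(node.name, 0)
    return sum(need(child, demand) for child in node.children)


def allocate(node, granted, demand, size):
    """Split `granted` kbps among node's leaves: reservations first, then bursting."""
    if not node.children:
        return {node.name: min(granted, demand.get(node.name, 0))}
    needs = {c.name: need(c, demand) for c in node.children}
    grant = {c.name: min(needs[c.name], size[c.name]) for c in node.children}
    spare = granted - sum(grant.values())
    for c in node.children:               # lend unused capacity to burstable children
        if c.burstable and spare > 0:
            extra = min(spare, needs[c.name] - grant[c.name])
            grant[c.name] += extra
            spare -= extra
    result = {}
    for c in node.children:
        result.update(allocate(c, grant[c.name], demand, size))
    return result


LINK_KBPS = 3000   # the paper's dual-T1 WAN rate, "approximately 3.0 Meg"

TREE = Partition("link", 100, children=[
    Partition("HTTP", 30, children=[            # 30% of the link, as in the text
        Partition("web_servers", 50),           # half of the HTTP partition
        Partition("OWA", 25, burstable=True),   # a quarter; burst flag is assumed
        Partition("other_http", 25),            # the remainder
    ]),
    Partition("everything_else", 70),           # assumed; not specified in the paper
])

# Constructed offered load in kbps for one moment in time.
DEMAND = {"web_servers": 200, "OWA": 300, "other_http": 600, "everything_else": 1000}


def demo():
    size = sizes(TREE, LINK_KBPS)
    return size, allocate(TREE, LINK_KBPS, DEMAND, size)


if __name__ == "__main__":
    reserved, granted = demo()
    for name, kbps in granted.items():
        print(f"{name:16} reserved {reserved[name]:5d} kbps, granted {kbps:5d} kbps")
```

In this run OWA borrows the capacity the web servers leave idle, while the non-burstable "other_http" class stays pinned at its 225 kbps reservation despite 600 kbps of demand.
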
Step Four: “Report Results”
The reporting capabilities of the PacketShaper allow for a quick visual and
comprehensive analysis of the traffic flow. PacketShaper will graph bandwidth
based on time, network efficiency, average bandwidth and peak periods. This
ability to quickly see what is traversing the network becomes a powerful and
helpful tool in reaching your optimal goal of securing desired bandwidth
performance.

Where to Use PacketShaper?
Now that we understand what to use to monitor, shape and manage our
bandwidth, I had to decide where to place this device within our network. The
placement of the PacketShaper depended on our needs, desires, budget and the
current topology of our network. I will discuss the basic options that we had and
the advantages and disadvantages of each placement.

I took a basic and common setup of most university topologies and introduced the
possible options of placement. Figure 5 shows the different options:

Option 1 implements PacketShaper outside the border router. One of the
positives to this solution is that you will be able to shape incoming and outgoing
packets at this topology level. The other positive is that only external traffic will
be shaped; all internal traffic will not be accessed or modified. One of the
negatives is that internal traffic will not be controlled or managed. Another
negative is that the PacketShaper will need a WAN or T-1 interface, which will be
more expensive and less flexible.

Option 2 does not require PacketShaper, as we are using the router to shape
bandwidth. The positives to this solution are that you do not have to buy or
manage an additional device. Another positive is that internal traffic is not
interfered with or shaped. The negatives to this option are that you are restricted
to router based shaping, which is very limited and less effective. The other
disadvantage is that you will be taxing the router CPU. Routers are designed to
route traffic, not to shape it and analyze it.

Option 3 implements PacketShaper internally or inside your border router. The
positives to this solution are that you can use more flexible and less expensive
Ethernet interfaces to manage traffic. Also, this option will allow for partitioning of
the university’s internal network and the use of multiple shapers. Some of the
negatives include that a greater amount of bandwidth will be managed, which may
require a more capable and more expensive device. Another negative is that
internal traffic will be interfered with and shaped.

Option 3 allows administrators the most flexibility and manageability of
bandwidth.

Now that we understand Why there is a need to manage bandwidth, What
device to use, and Where to place it, we can start discussing How to use it. For
this explanation we will return to the scenario previously mentioned.

Scenario: During Installation
Since our first three questions have been answered and explored, I will move on
to the implementation of the PacketShaper and describe what I did to deploy this
appliance. Figure 6 shows where our IT Department decided to install the
PacketShaper:

After exploring all of the different options and analyzing the pros and cons, it was
decided that in our scenario it was important to be able to manage and shape
internal traffic. The best place to do this was to implement the PacketShaper
between the firewall and internal router. The PacketShaper has two Ethernet
interfaces, one labeled “In” and the other “Out”. They basically describe the flow
of traffic. The “In” interface describes traffic flow destined towards the internal
network, while the “Out” interface describes traffic flow initiated from the
internal network destined to the outside world or DMZ. In our deployment of the
PacketShaper we will not be able to monitor, shape or manage traffic that does
not traverse the PacketShaper. This traffic will include internal peer-to-peer
traffic and traffic between internal servers and internal clients.

Configuring PacketShaper
Once I decided where to implement the PacketShaper I needed to figure out how
to physically plug in the cables and what cables to use. Figure 7 shows the front
end of the PacketShaper:

Figure 7

Picture from Packeteer Website at URL:
http://support.packeteer.com/documentation/packetguide/5.2.1/documents/PacketShaper_Getting_Started_v521.pdf

The RJ 45 interfaces are clearly labeled “Outside” and “Inside”. The types of
cable that will be plugged into these interfaces depend on the type of device that
you will be plugging into the PacketShaper. In our scenario, I used the firewall
and router. Therefore, I needed cross-over cables to plug into both interfaces.
Servers and uplink ports also require cross-over cables, while hubs or switches
require straight-through cables. Once all ports and devices are plugged in correctly,
one will see traffic begin to flow and normal connectivity will be restored.

After physically connecting the PacketShaper and verifying that traffic was
traversing the device I was able to connect to the device and log in. There are
three simple ways to connect and configure the PacketShaper:
• Through a direct console connection
• Telnet
• Through a Web Browser

The first time that I connected to the PacketShaper via any of the above
mentioned ways I had to use the default IP. This is a factory set IP address that
has been assigned to the device. I later changed this IP address to a more
meaningful IP address. For the purpose of this paper we are only going to be
covering connections via Internet Explorer.

I simply started an Internet Explorer session and typed in the default URL. The
first time I connected I was directed straight to the basic configuration or setup
page. In this page I was able to modify the following options:

Shaping: ON/OFF
Traffic Discovery: ON/OFF
Easy Configuration: ON/OFF
IP Address: IP for Device
NetMask: Netmask for Device
Gateway: Next hop usually defines outbound flow
Site Router: Optional: Router which Device is plugged into
Domain: Optional: Domains that will be monitored
DNS Server: Name Servers that will be used to resolve host names

Wan Settings:
InBound Rate: Total bandwidth available
OutBound Rate: Total bandwidth available

Lan Settings:
Inside Fast Ethernet NIC Mode: Auto/ 100 Full/ 100 Half/ 10 Full/ 10 Half
Outside Fast Ethernet NIC Mode: Auto/ 100 Full/ 100 Half/ 10 Full/ 10 Half

These are the basic configuration settings for the PacketShaper.
• I made sure to leave the Shaping option in the OFF position, because at
this point we are not going to start shaping traffic.
• The Traffic Discovery option should be set to the ON position. This will
allow the PacketShaper to begin discovering traffic.
• The Easy Configuration will not be covered in this paper as it is a less
flexible option with many limitations; I kept this option set to the OFF
position.
• The IP Address option is a management option. Simply select an IP
Address that makes sense for your scenario. This depends on the
placement of the PacketShaper. In our scenario we decided to place the
PacketShaper behind our firewall, so we decided to go with an internal
private IP address that made sense with our IP scheme. Remember this
IP address option is for management and connection purposes only.
• The Netmask option corresponds to the IP address that you decide to
assign to your device; set it accordingly.
• The Gateway option will typically refer to the flow of traffic destined to
outer networks. In our scenario the internal firewall network interface is
the Gateway. Refer to Figure 6 for a better visual explanation. Typically
the Gateway option will represent traffic destined for the outside world or
internet.
• Site Router and Domain options are optional settings. Site Router
represents a router that will be used to monitor traffic and Domain can be
used for FQDN (Fully Qualified Domain Name) or NT domain naming
schemes. The DNS server option should be set so the PacketShaper will
be able to resolve names to the IP address that it finds. In our scenario I
used the NT 2000 internal DNS for both domains and the external DNS
servers IP address.

The next set of options is broken down into two separate categories, WAN and
LAN. These are supposed to help you gauge the bandwidth that will be used
and measured. In our scenario the WAN and LAN settings were used as
follows:
WAN Settings:
InBound Rate: 3M
OutBound Rate: 3M
LAN Settings:
Inside Fast Ethernet NIC Mode: 100 Full Duplex
Outside Fast Ethernet NIC Mode: 100 Full Duplex

The WAN setting is used to set a maximum available rate of bandwidth. In our
scenario we are currently using dual T1 and therefore our optimal bandwidth rate
inbound or outbound is approximately 3.0 Meg. This will help create the pipe that
we are going to be using to control bandwidth. If you refer back to Figure 4 we
are creating the outer black pipe which will engulf all of our shaped traffic. The
LAN settings are the optimal speed of your internal backbone and allow
you to specify which kind of duplex mode is being used. If you know for sure that the
devices that are plugged into the PacketShaper are Full/Half or are 10/100, set it
accordingly; if you are not sure you may use the Auto-negotiate option.

Once these settings were configured I selected the apply changes button and the
PacketShaper Basic configurations were set.

Other configuration settings that I would encourage you to set are the SECURITY
and DATE & TIME Setup Pages. The Security Setup Page will allow you to
set LOOK and TOUCH passwords. The LOOK mode is a read only mode
while the TOUCH mode is a write mode. Setting the DATE & TIME configuration
will help you diagnose problems that are dependent on time and that only occur
during specific times.

Variation of the Four Step Deployment Guide
Once I was done configuring and setting up the PacketShaper it was time to start
deploying it and let it run on the network.

I decided to follow the Four Step tutorial offered by Packeteer but I also decided
to add two important steps to this model. As one can recall the Four Steps were
to:
1. Classify
2. Analyze
3. Control
4. Report

The following six steps were created:
1. Classify-Identify and Simplify
2. Analyze
3. Control
4. Report
5. Develop Policies
6. Recognize Unmanaged Traffic

Step One: Classify, Identify and Simplify
In order to analyze traffic I needed to let PacketShaper capture network traffic.
Packeteer suggests allowing the device to analyze network traffic for 3 days, but
I believed that it would be better to analyze traffic for a full week. By analyzing
an entire week, you will be able to capture traffic for all seven days and a more
accurate analysis will be stored.

The first thing that I looked at was the Monitor Tab. This tab showed all
discovered traffic, and it breaks up the traffic into two categories. The two
categories are Inbound and Outbound. Under each category PacketShaper will
identify classes of traffic. These classes are well known protocols such as HTTP
and known applications like Citrix. I took some time to review and learn what
was traveling along our network. The first thing that I did was to place the
classes into more descriptive folders. I created a folder by going to the Manage
Tab. This tab is similar to the Monitor tab, with all discovered classes on the left
most side of the page. On the right side of the page there are some options that
I needed to explore. The first button that I looked at was the Class button. This
button allows one to create a Class folder. I did the following to add some
classes:

Select the Class Button → Then select the Add Folder option → this brings up a
window with an empty field; fill in a descriptive name (P2P) → Select the OK
button.

The Manage tab page will now refresh itself and a new P2P Folder will appear
under the InBound category. By simply selecting the P2P folder a new
configuration page will display on the right side of the page. Figure 8 shows
what the configuration page will look like for all classes. The Traffic Classes are
shown on the left panel of the web page. On the right panel of the configuration
page are the CLASS, PARTITION, and STATISTIC buttons. I will discuss the
CLASS button only in this particular section; the other buttons will be discussed
later in this paper.

I have already used the CLASS button to create a folder. To move an already
existing class into a folder simply select the CLASS button and then select the
move option. A new screen will appear. Simply select the desired class “KaZaA”
and select the Move Class button. The “KaZaA” application will now be under
the P2P folder. I continued to classify and organize our traffic. The more
organized and simple you keep your traffic classes, the easier it will be to set
traffic control settings.

Figure 8

Now that I have described the basics of the Manage tab, I am going to share a
simple and useful list that I created and used in organizing our Monitor Tab.

1. Identify critical traffic. For our scenario the following were selected:
   a. HTTP
   b. SSL
   c. SMTP
   d. DMZ traffic
   e. RDP
2. Identify less desirable traffic. We decided to focus on Peer to Peer
   Networks and Video protocols:
   a. eDonkey
   b. Gnutella
   c. KaZaA
   d. Napster