GIlL
`CERTIFICATIONS
`
`Global Information Assurance Certification Paper
`Global Information Assurance Certification Paper
`
`Copyright SANS Institute
`Copyright SANS Institute
`Author Retains Full Rights
`Author Retains Full Rights
`
`Thk paper is lien korn the el AC dructoy at cartMed proimaionah- %mann is not pErnited Moil wpm.* writer, pwr
`This paper is taken from the GIAC directory of certified professionals. Reposting is not permited without express written permission.
`
`Interested in learning more? Interested in learning more?
`
`
`Check out the list of upcoming events offering Check out the list of upcoming events offering
`
`"Security Essentials Bootmmp Style {Security 401r "Security Essentials Bootcamp Style (Security 401)"
`
`at httpliwww.giac.ongfiegistiatbnigsec at http://www.giac.org/registration/gsec
`
`Cloudflare - Extibit 1032 page 1
`
`0001
`
`Cloudflare - Exhibit 1032, page 1
`
`

`

`Christian Boniforti
`Version 1.4b Option B
`March 2003
`
`Securing a University's Bandwidth with
`PacketShaper
`
`Introduction:
`This paper is not limited to universities and could be applied to any network
`architecture. It is meant to bring attention to the importance of securing any
`network's bandwidth. This paper will assist the reader in the implementation,
`installation and configuration of the PacketShaper and the processes that are
`necessary to apply bandwidth utilization policies. It is important to remember that
`there is no "one size fits all" solution. I suggest using what is pertinent to your
`scenario and learn from my mistakes. I am not providing a guaranteed solution
`or an instructional paper; I am merely providing you with tools, strategies and the
`technology that I used in securing and providing reliable bandwidth to our
`institution.
`
`One must also understand that this paper is written with an emphasis on a
`university network which differs greatly from traditional corporate enterprises.
`According to Ted Udelson, academic institutions are presented with special and
`complex challenges which are not faced by commercial or government entities.
`He further lists the most common threats:
`
`They have difficulty in controlling end users.
`
`The culture cultivates free thinking and "open" access to
`information.
`
`The university serves as a research body, corporation, and Internet
`service provider. Colleges and universities must analyze each of
`these functions to determine the proper stance to take with regard
`to security (Udelson, p. 10).
`
`These points brought up by Mr. Udelson, present a network administrator with
`many challenging and unique tasks. It is important to first, understand the
`threats that are specific to your network environment and then develop a solution
`that will fit best for your specific scenario.
`
`© SANS Institute 2003,
`
`Cloudflare - Exhibit 1032, page 2
`As part of GIAC practical repository.
`Author retains full rights.
`0002
`
`
`Christian Boniforti
`Version 1.4b Option B
`March 2003
`
`
`
` Securing a University’s Bandwidth with
`PacketShaper
`
`
`
`Introduction:
`This paper is not limited to universities and could be applied to any network
`architecture. It is meant to bring attention to the importance of securing any
`network’s bandwidth. This paper will assist the reader in the implementation,
`installation and configuration of the PacketShaper and the processes that are
`necessary to apply bandwidth utilization policies. It is important to remember that
`there is no “one size fits all” solution. I suggest using what is pertinent to your
`scenario and learn from my mistakes. I am not providing a guaranteed solution
`or an instructional paper; I am merely providing you with tools, strategies and the
`technology that I used in securing and providing reliable bandwidth to our
`institution.
`
`One must also understand that this paper is written with an emphasis on a
`university network which differs greatly from traditional corporate enterprises.
`According to Ted Udelson, academic institutions are presented with special and
`complex challenges which are not faced by commercial or government entities.
`He further lists the most common threats:
`
`They have difficulty in controlling end users.
`
`The culture cultivates free thinking and “open” access to
`information.
`
`The university serves as a research body, corporation, and Internet
`service provider. Colleges and universities must analyze each of
`these functions to determine the proper stance to take with regard
`to security (Udelson, p. 10).
`
`
`These points brought up by Mr. Udelson, present a network administrator with
`many challenging and unique tasks. It is important to first, understand the
`threats that are specific to your network environment and then develop a solution
`that will fit best for your specific scenario.
`
`Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
`
`© SANS Institute 2003,
`
`As part of GIAC practical repository.
`
`Author retains full rights.
`
`© SANS Institute 2003, Author retains full rights.
`
`0002
`
`Cloudflare - Exhibit 1032, page 2
`
`

`

`Scenario: Before PacketShaper
`In late 2001, administration had received complaints from several students that
`the bandwidth that was provided to them was not adequate at times to conduct
`research. Specifically, students complained that at certain times of the day (a
`stretch between 10:00pm and 2:00am) intemet access would come to a
`complete halt.
`
`This was brought up to the CIO and the concern was later passed off to me. I
`conducted some research and monitoring using MRTG tool on our single Tl. My
`report of the utilization of bandwidth showed that the T1 line idled between 80%
`and 90% utilization on working hours (9-5), and reached 100% during the
`10:00pm — 2:00am stretch. Figure 1 shows the basic public network setup.
`
`Figure 1
`
`In:erret
`
`Novel Router
`Lirk 1
`
`1,0,211
`
`DMZ
`
`Internal Ne:work
`
`My observation was passed along to my CIO and then onto administration. The
`problem needed to be resolved quickly and thus a very reactive decision was
`reached. Administration decided that the university should purchase an additional
`Tl. This additional T1 was purchased in early 2002.
`
`The university decided that it would purchase a device called Linkproof by
`Radware for the integration of both T1 lines. These T1 lines would be setup to
`provide load balancing, redundancy, and a larger bandwidth capacity. Figure 2
`shows the new design that was created for the integration of the dual Tl.
`
`© SANS Institute 2003,
`
`Cloudflare - Exhibit 1032, page 3
`As part of GIAC practical repository.
`Author retains full rights.
`0003
`
`
`Scenario: Before PacketShaper
`In late 2001, administration had received complaints from several students that
`the bandwidth that was provided to them was not adequate at times to conduct
`research. Specifically, students complained that at certain times of the day (a
`stretch between 10:00pm and 2:00am) internet access would come to a
`complete halt.
`
`This was brought up to the CIO and the concern was later passed off to me. I
`conducted some research and monitoring using MRTG tool on our single T1. My
`report of the utilization of bandwidth showed that the T1 line idled between 80%
`and 90% utilization on working hours (9-5), and reached 100% during the
`10:00pm – 2:00am stretch. Figure 1 shows the basic public network setup.
`
`
`
`
`
`
`
`
`My observation was passed along to my CIO and then onto administration. The
`problem needed to be resolved quickly and thus a very reactive decision was
`reached. Administration decided that the university should purchase an additional
`T1. This additional T1 was purchased in early 2002.
`
`
`The university decided that it would purchase a device called Linkproof by
`Radware for the integration of both T1 lines. These T1 lines would be setup to
`provide load balancing, redundancy, and a larger bandwidth capacity. Figure 2
`shows the new design that was created for the integration of the dual T1.
`
`
`Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
`
`© SANS Institute 2003,
`
`As part of GIAC practical repository.
`
`Author retains full rights.
`
`© SANS Institute 2003, Author retains full rights.
`
`0003
`
`Cloudflare - Exhibit 1032, page 3
`
`

`

`Figure 2
`
`I Irteire:
`
`Cisco 2600
`Lir k 1
`
`Irrierrel
`
`Nortel Rou:er
`Lii k 2
`
`Radware
`LirkProof
`
`Provider /1/4
`
`Provider B
`
`Fife iall
`
`DMZ
`
`Internal Network
`
`The implementation of an additional T1 and the Radware Linkproof device were
`to provide the additional bandwidth needed and supply the university with some
`redundancy. The Linkproof device was able to eliminate
`.. link congestions and bottlenecks from multi-homed networks,
`for fault tolerant connectivity and continuous availability of web
`services. By intelligently routing traffic and controlling bandwidth
`service levels across all Internet links, Linkproof enables effective
`link utilization, accelerating responsiveness, controlling bandwidth
`consumption and economically scaling operations. (Li nkProof, p. 1)
`The additional T1 and Radware Linkproof solution provided the university with
`larger amount of capacity and offered the university the needed tolerance, but it
`was not able to monitor internal usage.
`
`Two weeks into the winter semester of 2002, the administration continued to
`receive complaints of slow internet access. Bandwidth monitoring was
`conducted once again and during the peak hours for the university (10:00pm to
`2:00am) bandwidth readings would burst to the 100% capacity.
`
`My first approach to this situation was to use portions of the `Defense in Depth"
`strategy and identify the business goals by the administration, faculty, students
`and the IT Department. Administration wanted a controllable, cost effective and
`quick solution. Faculty wanted guaranteed bandwidth and the Communications
`Department wanted designated bandwidth to conduct their streaming video
`
`© SANS Institute 2003,
`
`Cloudflare - Exhibit 1032, page 4
`As part of GIAC practical repository.
`Author retains AA rights
`0004
`
`
`
`
`
`
`The implementation of an additional T1 and the Radware Linkproof device were
`to provide the additional bandwidth needed and supply the university with some
`redundancy. The Linkproof device was able to eliminate
`. . . link congestions and bottlenecks from multi-homed networks,
`for fault tolerant connectivity and continuous availability of web
`services. By intelligently routing traffic and controlling bandwidth
`service levels across all Internet links, Linkproof enables effective
`link utilization, accelerating responsiveness, controlling bandwidth
`consumption and economically scaling operations. (LinkProof, p. 1)
`The additional T1 and Radware Linkproof solution provided the university with
`larger amount of capacity and offered the university the needed tolerance, but it
`was not able to monitor internal usage.
`
`Two weeks into the winter semester of 2002, the administration continued to
`receive complaints of slow internet access. Bandwidth monitoring was
`conducted once again and during the peak hours for the university (10:00pm to
`2:00am) bandwidth readings would burst to the 100% capacity.
`
`My first approach to this situation was to use portions of the “Defense in Depth”
`strategy and identify the business goals by the administration, faculty, students
`and the IT Department. Administration wanted a controllable, cost effective and
`quick solution. Faculty wanted guaranteed bandwidth and the Communications
`Department wanted designated bandwidth to conduct their streaming video
`
`Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
`
`© SANS Institute 2003,
`
`As part of GIAC practical repository.
`
`Author retains full rights.
`
`© SANS Institute 2003, Author retains full rights.
`
`0004
`
`Cloudflare - Exhibit 1032, page 4
`
`

`

`projects and presentations. Students wanted everything, from peer to peer
`networks to online gaming and Xbox live gaming. The IT Department wanted a
`better solution, one that would provide filtering, control and designate bandwidth
`on a policy based system. The IT Department also needed to be able to
`implement a VOIP (Voice Over IP) solution with adequate QoS (Quality of
`Service) in the near future.
`
`It became apparent to the IT department that we could not continue to add Tl's,
`and that we needed to come up with a solution that would be able to measure,
`monitor, filter and shape the bandwidth traffic. A solution also needed to be
`backed up by an "Issue-specific Policy". Currently the university had no specific
`internet utilization policy neither developed nor implemented.
`
`A New Problem:
`At around the same time we were beginning to experience constant problems
`with our firewall. At first we did not know or realize that this problem was part of
`our lack of bandwidth control and knowledge. The log files would grow at a rate
`that the OS could not handle. This would cause the firewall to either freeze and
`hang or the hardrive designated for the log files would fill up and consequently
`shut down the firewall.
`
`After researching the log files it was determined that the culprit was SMTP traffic
`initiating from internal clients (specifically students). There were two different
`options to solve this problem. Allow SMTP to go through the firewall which would
`propagate SMTP traffic to the outside world, or stop SMTP traffic at the internal
`core router. Our core router also served as our VLAN manager. We setup an
`ACL (Access Control List) to not allow student traffic to send SMTP traffic. This
`solution seemed to work. We began to experience problems with the core router
`less than a week into the implementation phase. The core router began to crash
`every 24 hours. Once the router was reloaded some SMTP traffic was still being
`filtered, but not all. It was agreed that we were going to not filter at the router
`level, and try to find the culprit students? At this point, I was not able to identify
`this problem as a miss management of bandwidth.
`
`We decided that we would try to answer the following key questions, Why?
`What ? Where? and How?. Why monitor and secure bandwidth? What were
`we going to use to measure and secure bandwidth? Where did we need to
`monitor bandwidth? And How would we enforce these solutions?
`
`Understanding the Importance of Securing Bandwidth
`Before we can understand Why we should secure and manage bandwidth we
`must define bandwidth. Scientifically speaking,
`
`...bandwidth is the width of the range of frequencies that an
`electronic signal occupies on a given transmission medium. Any
`
`© SANS Institute 2003,
`
`Cloudflare - Exhibit 1032, page 5
`As part of GIAC practical repository.
`Author retains full rights.
`0005
`
`projects and presentations. Students wanted everything, from peer to peer
`networks to online gaming and Xbox live gaming. The IT Department wanted a
`better solution, one that would provide filtering, control and designate bandwidth
`on a policy based system. The IT Department also needed to be able to
`implement a VOIP (Voice Over IP) solution with adequate QoS (Quality of
`Service) in the near future.
`
`It became apparent to the IT department that we could not continue to add T1’s,
`and that we needed to come up with a solution that would be able to measure,
`monitor, filter and shape the bandwidth traffic. A solution also needed to be
`backed up by an “Issue-specific Policy”. Currently the university had no specific
`internet utilization policy neither developed nor implemented.
`
`
` A
`
` New Problem:
`At around the same time we were beginning to experience constant problems
`with our firewall. At first we did not know or realize that this problem was part of
`our lack of bandwidth control and knowledge. The log files would grow at a rate
`that the OS could not handle. This would cause the firewall to either freeze and
`hang or the hardrive designated for the log files would fill up and consequently
`shut down the firewall.
`
`After researching the log files it was determined that the culprit was SMTP traffic
`initiating from internal clients (specifically students). There were two different
`options to solve this problem. Allow SMTP to go through the firewall which would
`propagate SMTP traffic to the outside world, or stop SMTP traffic at the internal
`core router. Our core router also served as our VLAN manager. We setup an
`ACL (Access Control List) to not allow student traffic to send SMTP traffic. This
`solution seemed to work. We began to experience problems with the core router
`less than a week into the implementation phase. The core router began to crash
`every 24 hours. Once the router was reloaded some SMTP traffic was still being
`filtered, but not all. It was agreed that we were going to not filter at the router
`level, and try to find the culprit students? At this point, I was not able to identify
`this problem as a miss management of bandwidth.
`
`We decided that we would try to answer the following key questions, Why?
`What ? Where? and How?. Why monitor and secure bandwidth? What were
`we going to use to measure and secure bandwidth? Where did we need to
`monitor bandwidth? And How would we enforce these solutions?
`
`Understanding the Importance of Securing Bandwidth
`Before we can understand Why we should secure and manage bandwidth we
`must define bandwidth. Scientifically speaking,
`
`
`…bandwidth is the width of the range of frequencies that an
`electronic signal occupies on a given transmission medium. Any
`
`Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
`
`© SANS Institute 2003,
`
`As part of GIAC practical repository.
`
`Author retains full rights.
`
`© SANS Institute 2003, Author retains full rights.
`
`0005
`
`Cloudflare - Exhibit 1032, page 5
`
`

`

`digital or analog signal has a bandwidth. In digital systems,
`bandwidth is expressed as data speed in bits per second (bps). In
`analog systems, bandwidth is expressed in terms of the difference
`between the highest-frequency signal component and the lowest-
`frequency signal component. (SearchNetworking.com, p. 1)
`
`Generally speaking we identify bandwidth as the speed in which flow of
`information is transmitted back and forth within a network or between
`many networks. Usually the more bandwidth one has the better the flow
`of information is exchanged. This statement is generally true. We are
`going to identify some reasons Why it is important to secure your
`network's bandwidth.
`
`The number one reason to secure your bandwidth is cost. Cost can be
`measured in a many different ways. The most obvious associated cost
`with bandwidth is your ISP costs. In our scenario, the university was
`currently using two T1 lines and one point to point WAN link. The total
`cost of the university bandwidth was about a $30,000 yearly investment.
`This investment needed to be monitored, secured and efficiently utilized.
`Once bandwidth was converted to an investment it became apparent and
`easier to convince the administration that further studies and policies
`should be implemented.
`
`Another reason to secure your bandwidth can be performance. We are
`referring to the overall performance of the university's bandwidth.
`Bottlenecks, congestions, dropped or lost packets and unnecessary
`retransmissions are all signs of an ill performing network. Many of these
`symptoms can be traced back to poorly managed bandwidth. Optimizing
`performance on a network basically attempts to minimize negative
`effecting traffic or "less desirable" traffic (P2P, video, sharing) and provide
`or guarantee the mission-critical applications their needed bandwidth.
`
`Policy may dictate and mandate the need to secure and manage campus
`bandwidth. Our IT Department had no policies set to limit bandwidth,
`block "less desirable" traffic or manage bandwidth.
`
`What to use? PacketShaper by Packeteer — A Brief
`Description
`The next question that we needed to answer was, what were we going to use to
`measure and control bandwidth? We knew that we could setup MRTG tools and
`measure the overall bandwidth, but it was not going to help us analyze packets,
`protocols or control bandwidth. After an extensive comparison and research, we
`decided to use a product by Packeteer called PacketShaper.
`
`© SANS Institute 2003,
`
`Cloudflare - Exhibit 1032, page 6
`As part of GIAC practical repository.
`Author retains full rights.
`0006
`
`digital or analog signal has a bandwidth. In digital systems,
`bandwidth is expressed as data speed in bits per second (bps). In
`analog systems, bandwidth is expressed in terms of the difference
`between the highest-frequency signal component and the lowest-
`frequency signal component. (SearchNetworking.com, p. 1)
`
`
`Generally speaking we identify bandwidth as the speed in which flow of
`information is transmitted back and forth within a network or between
`many networks. Usually the more bandwidth one has the better the flow
`of information is exchanged. This statement is generally true. We are
`going to identify some reasons Why it is important to secure your
`network’s bandwidth.
`
`The number one reason to secure your bandwidth is cost. Cost can be
`measured in a many different ways. The most obvious associated cost
`with bandwidth is your ISP costs. In our scenario, the university was
`currently using two T1 lines and one point to point WAN link. The total
`cost of the university bandwidth was about a $30,000 yearly investment.
`This investment needed to be monitored, secured and efficiently utilized.
`Once bandwidth was converted to an investment it became apparent and
`easier to convince the administration that further studies and policies
`should be implemented.
`
`Another reason to secure your bandwidth can be performance. We are
`referring to the overall performance of the university’s bandwidth.
`Bottlenecks, congestions, dropped or lost packets and unnecessary
`retransmissions are all signs of an ill performing network. Many of these
`symptoms can be traced back to poorly managed bandwidth. Optimizing
`performance on a network basically attempts to minimize negative
`effecting traffic or “less desirable” traffic (P2P, video, sharing) and provide
`or guarantee the mission-critical applications their needed bandwidth.
`
`Policy may dictate and mandate the need to secure and manage campus
`bandwidth. Our IT Department had no policies set to limit bandwidth,
`block “less desirable” traffic or manage bandwidth.
`
`What to use? PacketShaper by Packeteer – A Brief
`Description
`The next question that we needed to answer was, what were we going to use to
`measure and control bandwidth? We knew that we could setup MRTG tools and
`measure the overall bandwidth, but it was not going to help us analyze packets,
`protocols or control bandwidth. After an extensive comparison and research, we
`decided to use a product by Packeteer called PacketShaper.
`
`
`Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
`
`© SANS Institute 2003,
`
`As part of GIAC practical repository.
`
`Author retains full rights.
`
`© SANS Institute 2003, Author retains full rights.
`
`0006
`
`Cloudflare - Exhibit 1032, page 6
`
`

`

`PacketShaper is the bandwidth -management solution that brings
`predictable, efficient performance to applications running over
`enterprise wide-area networks (WANs) and the Internet. It balances
`traffic's demands, giving each type of traffic the bandwidth it needs
`to perform. PacketShaper protects critical traffic, paces bandwidth -
`greedy traffic, and prevents any single type of traffic from
`monopolizing resources. It provisions bandwidth to applications,
`sessions, branch offices, and/or users. (Four Steps Packeteer, p.
`3)
`
`PacketShaper was the device that was going to be able to monitor inbound and
`outbound traffic, as well as analyze and filter. This product would secure our
`bandwidth and we would be able to set forth "Issue-specific Policies" that could
`be enforced. Packeteer has produced a simple introductory paper on the
`PacketShaper product and how to deploy it in your network. It can be found via
`this URL:
`http://support.packeteercom/documentation/packetguide/5.2.1/documents/4Step
`s.pdf
`
`First Step: "Classify Network Traffic"
`This first steps means allowing PacketShaper to identify traffic as it passes
`through the device. PacketShaper has the ability to identify or classify traffic by
`applications, protocols, web pages, subnets, users and many more. It has the
`ability to automatically classify known applications and protocols. Since, new
`applications are added on a daily basis Packeteer makes new classification
`features available to customers by introducing new "easy plug in" features. If a
`vulnerability or application is introduced a new plug in will be offered. After
`downloading and applying the plug in; PacketShaper is able to automatically
`classify the new application or vulnerability.
`
`PacketShaper has the ability to manually classify applications, subnets, protocols
`and other network traffic. As new applications are introduced they become
`more integrated, more bandwidth intensive and more difficult to classify under
`one category. PacketShaper has the ability to manually classify these complex
`applications that may differ from the simple IP scheme and single port
`applications. Some of the manual classification categories are as follows:
`( Web Classification: Most of the traffic today resides through HTTP traffic.
`PacketShaper is able to identify and differentiate HTTP traffic, by direction
`of traffic, web URL, server based, or host name. This allows for more
`granularities within the HTTP class.
`Intricate Port Classification: PacketShaper is able to classify and analyze
`difficult traffic that uses multiple ports or conducts in port hoping. Through
`this same classification it is able to differ classify traffic that may share the
`same port
`( File-Sharing Protocol: This category refers to the famous Napster, Kazaa,
`and Gnutella.
`
`(
`
`© SANS Institute 2003,
`
`Cloudflare - Exhibit 1032, page 7
`As part of GIAC practical repository.
`Author retains full rights.
`0007
`
`PacketShaper is the bandwidth-management solution that brings
`predictable, efficient performance to applications running over
`enterprise wide-area networks (WANs) and the Internet. It balances
`traffic’s demands, giving each type of traffic the bandwidth it needs
`to perform. PacketShaper protects critical traffic, paces bandwidth-
`greedy traffic, and prevents any single type of traffic from
`monopolizing resources. It provisions bandwidth to applications,
`sessions, branch offices, and/or users. (Four Steps Packeteer, p.
`3)
`
`
`PacketShaper was the device that was going to be able to monitor inbound and
`outbound traffic, as well as analyze and filter. This product would secure our
`bandwidth and we would be able to set forth “Issue-specific Policies” that could
`be enforced. Packeteer has produced a simple introductory paper on the
`PacketShaper product and how to deploy it in your network. It can be found via
`this URL:
`http://support.packeteer.com/documentation/packetguide/5.2.1/documents/4Step
`s.pdf
`
`First Step: “Classify Network Traffic”
`This first steps means allowing PacketShaper to identify traffic as it passes
`through the device. PacketShaper has the ability to identify or classify traffic by
`applications, protocols, web pages, subnets, users and many more. It has the
`ability to automatically classify known applications and protocols. Since, new
`applications are added on a daily basis Packeteer makes new classification
`features available to customers by introducing new “easy plug in” features. If a
`vulnerability or application is introduced a new plug in will be offered. After
`downloading and applying the plug in; PacketShaper is able to automatically
`classify the new application or vulnerability.
`
`PacketShaper has the ability to manually classify applications, subnets, protocols
`and other network traffic. As new applications are introduced they become
`more integrated, more bandwidth intensive and more difficult to classify under
`one category. PacketShaper has the ability to manually classify these complex
`applications that may differ from the simple IP scheme and single port
`applications. Some of the manual classification categories are as follows:
`• Web Classification: Most of the traffic today resides through HTTP traffic.
`PacketShaper is able to identify and differentiate HTTP traffic, by direction
`of traffic, web URL, server based, or host name. This allows for more
`granularities within the HTTP class.
`Intricate Port Classification: PacketShaper is able to classify and analyze
`difficult traffic that uses multiple ports or conducts in port hoping. Through
`this same classification it is able to differ classify traffic that may share the
`same port
`• File-Sharing Protocol: This category refers to the famous Napster, Kazaa,
`and Gnutella.
`
`•
`
`Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
`
`© SANS Institute 2003,
`
`As part of GIAC practical repository.
`
`Author retains full rights.
`
`© SANS Institute 2003, Author retains full rights.
`
`0007
`
`Cloudflare - Exhibit 1032, page 7
`
`

`

`Second Step: "Analyze Behavior"
`PacketShaper has the ability to measure the classes of traffic that were
`previously identified. It will be able to track "...traffic levels, detects network
`trends, measures response time, and calculates network efficiency" (Four Step
`Packeteer, p. 5). This period of analysis will help answer many questions
`regarding the bandwidth traffic of an organization. PacketShaper is managed
`through a simple web interface. This interface contains many helpful tabs that
`will be useful to analyze the classified traffic. One of the helpful tabs is the
`Monitor Tab:
`a grades: FocketShaper
`
`SOD
`
`• Microsoft
`
`Internet Explore.
`
`: • I- 4.•
`
`-
`
`mi 1472
`
`iCic Ca ,,IF
`
`Femeitos
`
`lattodo 0
`
`Z.
`
`rV
`
`PacketShaper
`!uti trt
`neconiter
`
`MONITOR TRAFFIC
`
`upde
`
`• sta....)
`• Nue
`
`asplay 141 classes
`r
`
`PACKETEER
`
`Ski
`
`Intbsek
`
`prikotpuldt
`
`CH' '41454 sins
`
`• Ousel velum shown u5OREEN.
`
`1=111
`
`Go to Monitor EVC114
`M044144 Remccue Tine
`
`ft 4144 Ct.
`
`Weer
`o
`
`pal/
`
`Mt 17;4 ft. 444.4 ern
`
`IIIZ/t
`2142032031
`Stui4
`M.
`
`Wral
`241
`5010
`0
`4368
`0
`4368
`0
`0
`1401
`1401
`0
`0
`653
`0
`1011
`I%3
`
`I Mkt
`C14211
`144
`73.7k
`0
`2537
`0
`2537
`4
`4
`I PM
`1.44
`3
`0
`623
`4
`1 311
`343
`
`37
`0
`0
`"4
`
`5
`IS
`
`727
`
`20345
`1237/7
`
`20305
`121777
`
`6
`6231926
`143647
`96
`
`6
`NA
`1433647
`NA
`
`NA
`TM
`NA
`0
`NA
`11935
`PA
`12411
`124C1643 1247645
`6484
`6633813
`NA
`1642
`0
`NA
`914
`NA
`I
`NA
`4
`NA
`0
`NA
`143
`NA
`1312
`NA
`2364
`NA
`NA
`4:733
`
`e9.12
`11/01.1
`
`PM
`
`I
`
`Pao .
`141211168
`
`PoSc
`Ivo*lPti I
`
`Too Iiime
`Anoteids.
`
`..1(44446144.41.4144
`
`Pboriiv(6
`
`Ili=
`
`ps.(00.216
`
`6,4.1116-754
`
`Ett4t0.0
`bagakial
`
`Os
`
`IDA
`2055
`192k
`355
`139k
`4k
`1780
`7934
`244
`!At
`0
`134
`34 50
`29/1
`I33k
`2381
`0
`412k
`9420
`691
`0
`3614
`1524
`204
`1271:
`
`trice moor.
`
`This tab will identify the automatic or manually set classes on the left column, it
`also will shows such columns as Current (bps), 1 Minute (bps), and Peak (bps).
`This tab will be very helpful in pulling data on desired classes and will become an
`important gathering tool for controlling bandwidth.
`
`Third Step: "Control Performance"
`PacketShaper is able to manage application performance and guarantee a
`preset amount of bandwidth. PacketShaper controls bandwidth through the
`usage of partitions. A partition "...creates a virtual separate pipe for a traffic
`class' (Four Steps Packeteer, p. 5). One is able to seta size for the reserve link,
`define whether it can expand over the cap and control that growth. Partitions
`work much like pipes within pipes. Figure 4 shows the relationship of partitions
`within partitions:
`
`@ SANS I nstkute 2003,
`
`Cbudflare - Exhibit 1032, page 8
`As part at GIAC practical repository.
`Author retains full lights.
`0006
`
`
`Second Step: “Analyze Behavior”
`PacketShaper has the ability to measure the classes of traffic that were
`previously identified. It will be able to track “…traffic levels, detects network
`trends, measures response time, and calculates network efficiency” (Four Step
`Packeteer, p. 5). This period of analysis will help answer many questions
`regarding the bandwidth traffic of an organization. PacketShaper is managed
`through a simple web interface. This interface contains many helpful tabs that
`will be useful to analyze the classified traffic. One of the helpful tabs is the
`Monitor Tab:
`
`
`
`
`This tab will