While bandwidth has become cheaper to buy, it is still a sizable cost, and a substantial bandwidth bump often fails to yield the expected improvement because "bad" traffic grabs much of the new capacity. Traffic shaping makes whatever bandwidth you already have work much harder: it lets mission-critical applications perform reliably and predictably, and it delivers better value than the ongoing cost of ever-higher bandwidth.
Many better firewalls provide some level of what they call traffic shaping, but it has real limits. First, they typically look no further than the port number and assume that traffic on a standard port (e.g. TCP 80 for HTTP) is indeed that protocol. Because of this, many kinds of traffic you may wish to restrict disguise themselves on commonly used ports to slip past firewall policy, a practice known as port hopping. That traffic can be outright bad, such as malware, or merely recreational use that employers don't want employees doing on the job, or at least not impacting business use. Second, shaping on firewalls often adds latency, to the detriment of audio and video. Third, firewall throughput falls dramatically as more features are turned on.
How about something that inspects deep into the packets and correctly identifies the traffic even when it is not on the normal port for that application or protocol? How about identifying even encrypted protocols with near-perfect accuracy?
If traffic has not been identified accurately to begin with, shaping rules can actually increase unwanted traffic by guaranteeing it bandwidth: a rule that reserves capacity for "HTTP" reserves it for whatever happens to be running on port 80. Getting everything correctly identified is the critical first step.
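As an added illustration of the port-hopping problem described above (example code written for this page, not the vendor's product), the block below compares a port table with a handful of payload signatures over constructed client flows. The TLS, SSH, HTTP and WireGuard checks use the first bytes each protocol puts on the wire; the flow records, port choices and payload bytes are made up for the example.

```python
"""Port-independent protocol identification (added example, not vendor code).

Five constructed client-to-server flows show how port-based classification
misfiles port-hopped traffic and how a few payload signatures catch it.
"""
from dataclasses import dataclass

# What a port-only classifier believes each port carries.
PORT_TABLE = {21: "ftp", 22: "ssh", 53: "dns", 80: "http", 443: "tls"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    dst_port: int
    payload: bytes  # first bytes the client sent


def classify_by_port(flow: Flow) -> str:
    return PORT_TABLE.get(flow.dst_port, "unknown")


def _is_tls_client_hello(p: bytes) -> bool:
    # TLS record header: content type 0x16 (handshake), version 0x0301..0x0303,
    # 2-byte length, then handshake type 0x01 (ClientHello) at offset 5.
    return len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[2] in (1, 2, 3) and p[5] == 0x01


def _is_wireguard_initiation(p: bytes) -> bool:
    # WireGuard handshake initiation: message type 1, three reserved zero bytes,
    # fixed 148-byte length.
    return len(p) == 148 and p[0] == 0x01 and p[1:4] == b"\x00\x00\x00"


def classify_by_payload(flow: Flow) -> str:
    p = flow.payload
    if flow.proto == "tcp":
        if p.startswith(b"SSH-"):
            return "ssh"
        if _is_tls_client_hello(p):
            return "tls"
        if p.startswith(HTTP_METHODS) and b" HTTP/1." in p[:256]:
            return "http"
    elif flow.proto == "udp":
        if _is_wireguard_initiation(p):
            return "wireguard"
    return "unknown"


def port_hopping_flows(flows):
    """Flows whose payload identity disagrees with what their port suggests."""
    report = []
    for f in flows:
        by_port, by_payload = classify_by_port(f), classify_by_payload(f)
        if by_payload != "unknown" and by_payload != by_port:
            report.append((f.dst_port, by_port, by_payload))
    return report


# Constructed payloads: realistic first bytes, truncated or zero-filled where the
# remainder does not matter for the signature.
TLS_HELLO = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + b"\x00" * 32
SSH_BANNER = b"SSH-2.0-OpenSSH_9.6\r\n"
HTTP_GET = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
WG_INIT = b"\x01\x00\x00\x00" + b"\x00" * 144   # 148 bytes total

SAMPLE_FLOWS = [
    Flow("tcp", 80, HTTP_GET),     # honest HTTP on 80
    Flow("tcp", 80, TLS_HELLO),    # TLS hiding on the HTTP port
    Flow("tcp", 443, SSH_BANNER),  # SSH tunnel on the HTTPS port
    Flow("tcp", 8080, HTTP_GET),   # HTTP on an unlisted port
    Flow("udp", 53, WG_INIT),      # VPN handshake on the DNS port
]

if __name__ == "__main__":
    for port, by_port, by_payload in port_hopping_flows(SAMPLE_FLOWS):
        print(f"port {port}: port table says {by_port!r}, payload says {by_payload!r}")
```

Four of the five constructed flows are flagged; only the honest HTTP on port 80 passes. A production classifier carries far more signatures and adds flow-behaviour features (packet sizes, timing, handshake shape) for protocols whose first bytes are randomized or padded, which is what the "even encrypted protocols" claim above depends on.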
Once traffic is identified correctly, a good traffic shaper can shape flows far more flexibly and dynamically than a firewall. A firewall, working from inaccurate information to begin with, typically cannot allocate bandwidth effectively: you may cap FTP at 5 Mbps, for instance, but cannot let it go faster when there is unused bandwidth. Prioritization partially addresses that, but not very well. The queuing mechanisms in firewalls and routers also tend to be inferior and can cause problems when throttling applications, often resorting to tricks with TCP window sizes rather than scheduling packets properly.
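The difference between a static cap and guarantee-plus-borrowing allocation, as an added example (written for this page, not the vendor's scheduler): a firewall-style hard cap beside a shaper-style allocation that honours each class's floor and then water-fills leftover capacity by weight. The traffic classes, link size, offered loads and the proportional-squeeze model of a congested FIFO link are all constructed for the illustration.

```python
"""Guarantee-plus-borrowing bandwidth allocation vs a firewall-style hard cap.

Added example, not the vendor's code. Classes, rates and link size are
constructed; all rates are in Mbps.
"""
from dataclasses import dataclass
from math import inf


@dataclass(frozen=True)
class TrafficClass:
    name: str
    guarantee: float      # floor the class always gets when it has demand
    weight: float         # share of leftover bandwidth among hungry classes
    ceiling: float = inf  # optional hard cap on top of the above


# Constructed policy: voice is protected, web is favoured, FTP and backups are best effort.
CLASSES = [
    TrafficClass("voip", guarantee=2.0, weight=1.0),
    TrafficClass("web", guarantee=3.0, weight=3.0),
    TrafficClass("ftp", guarantee=1.0, weight=1.0),
    TrafficClass("bulk", guarantee=0.0, weight=1.0),
]
LINK_MBPS = 20.0
FIREWALL_CAPS = {"voip": inf, "web": inf, "ftp": 5.0, "bulk": inf}  # "cap FTP at 5 Mbps"

BUSY = {"voip": 2.0, "web": 8.0, "ftp": 8.0, "bulk": 10.0}   # offered load, constructed
QUIET = {"voip": 0.0, "web": 0.0, "ftp": 15.0, "bulk": 0.0}  # only FTP is active

EPS = 1e-9


def hard_cap_allocation(demands, caps, link_capacity):
    """Firewall-style: clip each class to its static cap; nothing is redistributed."""
    alloc = {name: min(d, caps[name]) for name, d in demands.items()}
    total = sum(alloc.values())
    if total > link_capacity:
        # Oversubscribed FIFO link, crudely modelled as everyone losing share in proportion.
        alloc = {k: v * link_capacity / total for k, v in alloc.items()}
    return alloc


def allocate(classes, demands, link_capacity):
    """Shaper-style: honour guarantees first, then water-fill leftover capacity by weight."""
    limit = {c.name: min(demands[c.name], c.ceiling) for c in classes}
    alloc = {c.name: min(c.guarantee, limit[c.name]) for c in classes}
    remaining = link_capacity - sum(alloc.values())
    if remaining < 0:
        # Guarantees alone oversubscribe the link: scale them down proportionally.
        scale = link_capacity / sum(alloc.values())
        return {k: v * scale for k, v in alloc.items()}
    while remaining > EPS:
        hungry = [c for c in classes if alloc[c.name] + EPS < limit[c.name]]
        if not hungry:
            break  # every class is satisfied; the rest of the link stays idle
        pool = remaining
        total_w = sum(c.weight for c in hungry)
        for c in hungry:
            # Each pass either empties the pool or fills at least one class to its limit,
            # so the loop ends after at most len(classes) + 1 passes.
            give = min(pool * c.weight / total_w, limit[c.name] - alloc[c.name])
            alloc[c.name] += give
            remaining -= give
    return alloc


if __name__ == "__main__":
    for label, demands in (("busy", BUSY), ("quiet", QUIET)):
        print(label, "firewall:", hard_cap_allocation(demands, FIREWALL_CAPS, LINK_MBPS))
        print(label, "shaper:  ", allocate(CLASSES, demands, LINK_MBPS))
```

On the quiet link the hard cap leaves FTP at 5 Mbps with 15 Mbps idle, while the shaper lets it borrow the whole link. On the busy link the capped firewall still oversubscribes and squeezes voice below the 2 Mbps it needs, whereas the shaper holds voice at 2 Mbps and shares what is left by weight.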
Sophisticated traffic shapers offer many benefits for high-performance networks. The best ones are out of reach for small users, but many service providers, universities and enterprises use traffic shaping and bandwidth management to manage the huge flows they generate effectively. Every bandwidth upgrade they can avoid or postpone saves a great deal in associated equipment upgrades as well as ongoing bandwidth costs. Traffic shaping is also coming on strong in the data center.
Some also use shapers as security devices in environments where outbound traffic needs to be scrutinized. Identifying traffic correctly regardless of port can stop many attacks that would otherwise sneak traffic out past corporate firewalls, whether from compromised systems or rogue employees. Controlling outbound traffic on a firewall is very tough without really onerous rules. One example is restricting VPNs initiated by internal hosts, regardless of port or whether it is a known VPN application.
Most commonly shaping is performed on Internet links, but private WANs can benefit as well. We have devices that can handle both Internet links and internal WAN links in the same box to reduce costs. Call us to discuss your situation and the possibilities.