Security Basics
Managing Network bandwidth Jan 11 2012 04:08PM
Peter Odigie (peterquid gmail com) (8 replies)
RE: Managing Network bandwidth Jan 11 2012 07:59PM
Dan Lynch (DLynch placer ca gov)
Peter Odigie said:

> In my organization, we have had to upgrade our internet bandwidth two
> times last year 2011.

As a gas will expand to fill the available space, so will your internet traffic expand to consume the available bandwidth.

Start with a cheap / free / open-source monitoring solution to double-check your ISP's reports (1).

If there are no complaints of slowness, latency, dropped connections, etc., do nothing. But if there are, the cause is oftentimes misuse. Large file downloads, streaming internet radio, video snacking, etc., all conspire to overwhelm whatever bandwidth you allocate, reducing what's available for legitimate business use (2).

These are largely social problems, with primarily social solutions. First set policy that restricts users from misbehaving. If they refuse to behave / they are management, then enforce that policy with technology if needed. Oracle DBA needs a 7GB patch file? Please schedule it for off-peak hours. Or use a download manager to throttle the bandwidth, and/or schedule it for later (3).

Block what torrent and peer-to-peer file sharing protocols you can at the firewall if you find them to be a problem. You'll need some amount of application-layer awareness, or "deep packet inspection" (tm). Some firewalls will do this natively, others need help (4).

Users can't keep themselves away from youtube / hulu / xm radio / pandora / netflix? Transparently proxy their traffic and block the domain(s). Last I checked, Squid was the de facto open source solution (5). It's been a while, but I understand Squid can be a challenge to seamlessly integrate with back-end auth systems. (I've used it, but I'm far from an expert on Squid.)

I don't know if there are Squid extensions that will perform QoS-style bandwidth management tasks. I've had excellent results from Blue Coat products in our relatively homogeneous Windows / AD environment. You might also try Microsoft Forefront TMG (née ISA Server). Lots of other solutions - both commercial and open source - exist in this space. What fits for you will depend heavily on your environment, your budget, and how much time you're willing to commit to shaping the solution to your needs.

Good luck!

- Dan

(1) Cheap monitoring:
http://oss.oetiker.ch/mrtg/
http://cacti.net/
http://humdi.net/vnstat/
http://www.paessler.com/prtg

(2) See "The War Between Mice and Elephants":
http://web.cs.wpi.edu/~rek/DCS/D04/MiceElephants04.pdf

(3) Automating downloads:
http://www.freedownloadmanager.org/
http://sourceforge.net/projects/dfast/
http://download.oracle.com/docs/cd/B19306_01/rac.102/b28759/softpatch.htm
http://www.gnu.org/software/wget/

(4) Blocking bittorrent:
http://www.lowth.com/rope/BlockingBittorrent

(5) Proxy internet traffic:
http://www.squid-cache.org/

Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA
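
Added example, not part of Dan Lynch's post: once traffic goes through a proxy such as Squid, its access log shows which clients and destinations are the "elephants" before any policy or blocking decision is made. The sketch assumes Squid's native access.log format; the log lines, addresses, host names and the 80% share threshold are constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log format:
# time elapsed_ms client action/status bytes method URL ident peer/host mime
SAMPLE_LOG = """\
1326312000.101    120 10.0.0.21 TCP_MISS/200 15320 GET http://intranet.example.org/index.html - DIRECT/192.0.2.10 text/html
1326312001.552 840112 10.0.0.37 TCP_MISS/200 734003200 GET http://downloads.example.com/patch.zip - DIRECT/192.0.2.20 application/zip
1326312002.010  65010 10.0.0.44 TCP_MISS/200 52428800 GET http://video.example.net/stream/1 - DIRECT/192.0.2.30 video/mp4
1326312003.300     95 10.0.0.21 TCP_HIT/200 2048 GET http://intranet.example.org/logo.png - NONE/- image/png
1326312004.000  30000 10.0.0.44 TCP_MISS/200 31457280 CONNECT media.example.net:443 - DIRECT/192.0.2.31 -
this line is truncated
"""

def parse_line(line):
    """Return (client, host, bytes) or None for a malformed line."""
    f = line.split()
    if len(f) < 7 or not f[4].isdigit():
        return None
    url = f[6]
    # CONNECT entries log "host:port" instead of a full URL.
    host = urlsplit(url).hostname if "://" in url else url.rsplit(":", 1)[0]
    return f[2], (host or "unknown").lower(), int(f[4])

def usage(log_text):
    """Total bytes per client and per destination host."""
    by_client, by_host = Counter(), Counter()
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        by_client[rec[0]] += rec[2]
        by_host[rec[1]] += rec[2]
    return by_client, by_host

def elephants(counter, share=0.8):
    """Smallest set of top entries that accounts for `share` of all bytes."""
    total, running, out = sum(counter.values()), 0, []
    for key, size in counter.most_common():
        if total == 0 or running >= share * total:
            break
        out.append((key, size))
        running += size
    return out

if __name__ == "__main__":
    clients, hosts = usage(SAMPLE_LOG)
    for name, table in (("client", clients), ("destination", hosts)):
        for key, size in elephants(table):
            print(f"{name:12} {key:28} {size / 2**20:8.1f} MiB")
```
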

Copyright 2010, SecurityFocus