Layer 7 inspection is crucial. Once upon a time, we mapped ports to protocols, but that simple solution no longer works. For instance, nowadays almost everything runs over Port 80, the standard HTTP port, and there is a good chance traffic over Port 80 will be allowed to pass through the firewall. The best example of this problem is P2P (peer-to-peer) software, which is notorious for generating a huge amount of traffic. Ask any college IT administrator: P2P is clogging schools' WAN links like cafeteria burgers clog arteries. Say you're in a situation where P2P is dominating and you want to allocate more bandwidth for Web browsing. If the P2P client runs, by default, on Port 80, and your traffic shaper inspects only at Layer 4, you have a problem: P2P traffic will fall under the same policy as Web traffic (for more on the legal aspects of P2P traffic, see "Politics, Law and the Traffic-Shaping Admin"). We replicated this problem by running non-HTTP traffic on Port 80 and found it classified as HTTP. We also found that some traffic shapers do a better job at Layer 7 inspection than others.
Bandwidth-management capabilities refer to the various methods of implementing QoS. There are several ways to control bandwidth, including TCP rate shaping and queuing. Packeteer and Sitara use TCP rate shaping, which entails intercepting and manipulating TCP window sizes. The other entries we tested use queuing. For a primer on queuing types and other shaping schemes, see "Traffic Management Techniques."
Take the number of signatures a product claims to support with a grain of salt. Some of what is called a signature really means, "We know the default port it uses." And some protocols may support more than one signature--Packeteer counts Kazaa as one application signature but can identify and set granular policies on Kazaa uploads, downloads and searches independently. So while Kazaa is just one protocol, it has three data payload signatures. We tested this capability by running the Hotline Internet bulletin board system on Port 80 rather than on Port 5500, where it normally runs. All the products except Packeteer initially identified Hotline traffic as HTTP. When we added a rule called "http-authenticated," Allot's NetEnforcer performed deeper inspection of Port 80 and identified Hotline as non-HTTP traffic, while Sitara's QoSWorks QWX-10000 pegged the traffic as "other-content-type." Lightspeed and Radware couldn't perform deeper identity checks.
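The difference between a port-based (Layer 4) signature and a payload-based (Layer 7) signature, and the policy mistake the Hotline-on-Port-80 test exposed, can be shown in a few lines of Python. The following is an added example, not code from the article or from any of the products it reviews: the port table, the policy names and the sample flows are constructed, and the non-HTTP payloads are arbitrary bytes rather than any real protocol's handshake. The Layer 7 check here is deliberately minimal (does the client's first segment look like an HTTP request line?), which is enough to separate "HTTP" from "something else on Port 80" and also to spot HTTP on a non-standard port.

```python
"""Layer 4 (port table) versus Layer 7 (payload) classification of flows.

Added example: the flows below are constructed for illustration and are not
captures of the products or protocols discussed in the article.
"""
import re
from typing import Dict, List, Tuple

# Layer 4 view: a port-to-protocol table. This is the "we know the default
# port it uses" kind of signature.  5500 is Hotline's usual port.
PORT_TABLE: Dict[int, str] = {80: "http", 443: "https", 5500: "hotline"}

# Layer 7 view: a genuine HTTP client payload begins with a request line,
# "<METHOD> <target> HTTP/1.x\r\n".  Bytes on port 80 that do not look like
# that are reported with the label Sitara's box used, "other-content-type".
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE|CONNECT) \S+ HTTP/1\.[01]\r\n"
)

# Shaping policy keyed by protocol label (constructed policy names).
POLICY = {"http": "web-browsing", "https": "web-browsing", "hotline": "bulk"}
DEFAULT_POLICY = "default"


def classify_l4(port: int) -> str:
    """Layer 4: the protocol is whatever the destination port says it is."""
    return PORT_TABLE.get(port, "unknown")


def classify_l7(port: int, payload: bytes) -> str:
    """Layer 7: inspect the first client bytes before trusting the port."""
    if HTTP_REQUEST_LINE.match(payload):
        return "http"                # real HTTP, on port 80 or anywhere else
    if port == 80:
        return "other-content-type"  # non-HTTP bytes on the HTTP port
    return classify_l4(port)         # assumption: fall back to the port table


def policy_for(label: str) -> str:
    """Which shaping policy a flow lands in, given its protocol label."""
    return POLICY.get(label, DEFAULT_POLICY)


def compare(flows: List[Tuple[str, int, bytes]]) -> Dict[str, Tuple[str, str]]:
    """Map each flow name to (policy under the L4 view, policy under the L7 view)."""
    return {
        name: (policy_for(classify_l4(port)), policy_for(classify_l7(port, payload)))
        for name, port, payload in flows
    }


# Constructed flows: (name, destination port, first client bytes).
SAMPLE_FLOWS = [
    ("web-get", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    ("binary-on-80", 80, b"\x00\x01\x03\xe8\x00\x00\x00\x10\x7f\x00\x00\x01"),
    ("http-on-5500", 5500, b"GET / HTTP/1.0\r\n\r\n"),
    ("binary-on-5500", 5500, b"\x00\x01\x03\xe8\x00\x00\x00\x10"),
]

if __name__ == "__main__":
    for name, (l4, l7) in compare(SAMPLE_FLOWS).items():
        print(f"{name:15s} L4 policy={l4:13s} L7 policy={l7}")
```

Run stand-alone, the script shows the Layer 4 view filing the binary-on-80 flow under the Web-browsing policy, exactly the misclassification described above, while the Layer 7 view drops it into the default bucket; it also shows HTTP carried on Port 5500 being recognised as HTTP only by the payload check. A real shaper's Layer 7 engine carries many such payload signatures per protocol (the Kazaa upload/download/search split is an example), but each works on the same principle: decide from the bytes, not the port.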
Why a Dedicated Device?
Lately it seems like everything but the kitchen sink is getting QoS capabilities. Firewalls, VPNs, routers, switches, and even some consumer and small-office products, such as the FortiNet FortiGate (see "FortiGate Fortifies Your Traffic Security"), claim to have some form of QoS. However, sometimes the "jack-of-all-trades, master-of-none" syndrome applies--if you plan to use an add-on QoS capability, here are a few things to check:
CBQ: A technique that combines classification and queuing of data packets based on rules defined by an administrator. Packets are divided into a hierarchy of classes based on any combination of IP address, protocol and application type. Each class is assigned a set of bandwidth priorities. Find more on queuing types here.
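To make the CBQ definition concrete, here is an added, self-contained Python simulation of the two halves it describes: rule-based classification into classes (by source IP, port or application label) and a per-class bandwidth share enforced by a deficit round-robin scheduler. This is illustrative code written for this page, not the queuing implementation of any product reviewed above; the class names, percentage shares, link budget and packets are all constructed, and the scheduler deliberately omits borrowing between classes so that the guaranteed shares are easy to verify by hand.

```python
"""Class-based queuing (CBQ) in miniature: classify packets into classes by
rule, then share the link between classes by deficit round-robin.

Added example with constructed classes, shares and packets; it is not the
algorithm of any product in the article.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List


@dataclass
class Packet:
    src_ip: str
    dst_port: int
    app: str      # label from an upstream classifier, e.g. "http", "kazaa-download"
    size: int     # bytes


@dataclass
class TrafficClass:
    name: str
    share_pct: int                        # guaranteed share of the link, in percent
    match: Callable[[Packet], bool]       # rule that admits a packet to this class
    queue: Deque[Packet] = field(default_factory=deque)
    deficit: int = 0                      # unspent byte credit carried between rounds
    sent: int = 0                         # bytes dequeued so far


def build_classes() -> List[TrafficClass]:
    """Rules are tried in order; the first match wins, so put specific rules first."""
    return [
        TrafficClass("admin-net", 10, lambda p: p.src_ip.startswith("10.0.9.")),
        TrafficClass("web", 50, lambda p: p.app == "http"),
        TrafficClass("p2p", 15, lambda p: p.app.startswith("kazaa")),
        TrafficClass("default", 25, lambda p: True),
    ]


def classify(pkt: Packet, classes: List[TrafficClass]) -> TrafficClass:
    for cls in classes:
        if cls.match(pkt):
            return cls
    raise ValueError("no class matched; keep a catch-all rule last")


def enqueue(pkt: Packet, classes: List[TrafficClass]) -> str:
    """Classify a packet, place it in its class queue, return the class name."""
    cls = classify(pkt, classes)
    cls.queue.append(pkt)
    return cls.name


def schedule_round(classes: List[TrafficClass], link_bytes: int) -> int:
    """One deficit-round-robin pass over the classes.

    Each backlogged class earns share_pct% of the round's link budget, spends
    it on whole packets and carries the remainder forward.  An idle class
    forfeits its credit (no borrowing between classes in this simple version).
    Returns the bytes sent this round.
    """
    sent = 0
    for cls in classes:
        if not cls.queue:
            cls.deficit = 0
            continue
        cls.deficit += link_bytes * cls.share_pct // 100
        while cls.queue and cls.queue[0].size <= cls.deficit:
            pkt = cls.queue.popleft()
            cls.deficit -= pkt.size
            cls.sent += pkt.size
            sent += pkt.size
    return sent


def simulate(classes: List[TrafficClass], rounds: int, link_bytes: int) -> Dict[str, int]:
    """Run the scheduler for a number of rounds; return bytes served per class."""
    for _ in range(rounds):
        schedule_round(classes, link_bytes)
    return {cls.name: cls.sent for cls in classes}


def saturated_demo(rounds: int = 5, link_bytes: int = 10_000) -> Dict[str, int]:
    """Every class backlogged with 100 packets of 500 bytes (constructed load)."""
    classes = build_classes()
    for _ in range(100):
        enqueue(Packet("10.0.9.7", 80, "http", 500), classes)            # admin subnet
        enqueue(Packet("10.0.1.20", 80, "http", 500), classes)           # ordinary web
        enqueue(Packet("10.0.2.5", 80, "kazaa-download", 500), classes)  # P2P on port 80
        enqueue(Packet("10.0.3.9", 5500, "hotline", 500), classes)       # everything else
    return simulate(classes, rounds, link_bytes)


if __name__ == "__main__":
    for name, served in saturated_demo().items():
        print(f"{name:10s} {served:6d} bytes")
```

With all four classes saturated, five rounds of a 10,000-byte link serve 5,000 / 25,000 / 7,500 / 12,500 bytes to admin-net, web, p2p and default respectively, which is the configured 10/50/15/25 split. Note that the P2P packets are on Port 80 but still land in the p2p class because the rule keys on the application label from an upstream Layer 7 classifier rather than on the port, which is the whole point of pairing deep inspection with CBQ.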