SBN

Application Control and Traffic Shaping: key factors to consider

If you’re like me, then you’ve been pretty busy lately coping with the new world in which we find ourselves.

Regardless, the team and I have made some interesting observations, which I want to share with you.

As I’m sure you know, continuing concerns about health and safety in the face of the coronavirus pandemic have seen many businesses transform from traditional operations to remote working environments. Logically, network traffic related to video conferencing and other business applications has surged and network administrators are seeing a dramatically increased load and congestion on networks as more of us work each day from home and other remote locations.

Yet, most network administrators learned long ago that simply adding more bandwidth is not a cost-effective solution. No matter how much bandwidth is provided, today’s applications and users will demand more.

 

Adding bandwidth and limiting traffic is not effective

Many network admins are inclined to solve congestion problems by limiting specific traffic in a “brutally” excessive way without taking into consideration the digital experience or fairness for end users. We know that many apps, like YouTube, adapt dynamically to network conditions. If more bandwidth is added, the network conditions will improve but also the video quality, which in consequence, as a direct effect, will consume more bandwidth. (That is why they are called “bandwidth hungry” apps).

Sometimes, in order to avoid congestion, network admins will forego fairness and will force a limit to the streaming apps (using network elements already on hand, like next-generation firewalls or SD-WAN routers). Under such limitations, the first user that connects will take all the available bandwidth and will have a great digital experience, but the next one to connect will not have any resources and will have a bad digital experience.

As a side note, smarter solutions (like those from Allot) can guarantee fairness in those bandwidth-limited conditions, allocating network resources to each user while, at the same time, maintaining a good digital experience. (For some people, network Quality of Experience is relative).

 

What about SD-WAN routers and security devices?

Another phenomenon that the team and I are seeing is that enterprises are relying more and more on security devices or SD-WAN routers for bandwidth management. However, what network admins at these enterprises are forgetting is that these types of devices are not capable of guarantying QoS of incoming WAN and Internet traffic, which can represent 70% of the total traffic. They are using policing to rate limit the traffic, which, we know will adversely and significantly impact the digital experience.

To precisely control both incoming and outgoing traffic on the network, a sensible combination of Per Flow Queuing and Smart Queue Scheduling is a must. (Having policies that are based on a variety of criteria, including, when needed, specific data characteristics of the traffic, need to be in place.)

As another “shortcut,” some creative network administrators are tampering with the standard TCP protocol by changing the TCP window size, or using policing on-the-fly, which can cause unpredictable behavior of different TCP stacks with a direct impact on user satisfaction.

 

Impacts on the digital experience

Basically, the bottom line is that, when dealing with network congestion, improvements to quality and reliability of business-critical applications can’t be attained by simply upgrading bandwidth or implementing field-expedient shortcuts.

Furthermore, among our enterprise customers, we see a lot of applications that consume relatively little bandwidth, yet impact digital experience quality because they open many connections. Such applications can be encrypted, making interception challenging, and some can even be involved in Denial-Of-Service attacks.

A good example of this is cryptojacking, which is the illegal practice of accessing and using the resources of a target computer, mobile device, or server to mine cryptocurrencies. Such behavior might affect the digital experience quality of business-critical applications while consuming a very low bandwidth. So, no matter how much bandwidth you have, the problem will not be solved.

Operational tasks, such as Windows updates, server backups, antivirus update, and the like also have the potential to congest network traffic. If updates and backups like these are performed in the middle of the day (maybe a critical update that needs to be done by the IT team, for example), they can cause network issues, even if the bandwidth is relatively high.

 

Important factors to consider

Therefore, the next generation of bandwidth management, traffic shaping, and application control solutions must have sophisticated capabilities, including:

  • Advanced visibility, which is key to providing robust control capabilities
  • Control over the number of connections per user, or per application, in a dynamic way
  • Network and Host Behavior Anomaly Detection (NBAD/HBAD) to guard against outbound and inbound DDoS attacks that might affect the LAN and WAN networks
  • In-line classification of encrypted applications
  • Real-time monitoring of users and applications for immediate action and troubleshooting on issues caused by applications and their usage.

Another important factor to consider is a focus on the digital experience. Traditional network devices (like next-generation firewalls), when used for bandwidth management or application control, have reports that are typically focused on packet flow to measure congestion, but they avoid focusing on the digital experience. Even if there is available bandwidth and no congestion, users can still be frustrated. Adding more Quality of Experience (QoE) dimensions like retransmissions, latency, and packet loss, can indicate an issue with a delivery content server long before users start complaining. QoE score matrices, rather than mere bandwidth reports, are fundamental for an accurate global picture and real time-troubleshooting.

Additionally, we hear from the field that these qualities are important factors, too: simple management, detailed network analytics, TCP optimization, and all-in-one functionality, and integration.

For these reasons, Broadcom recently entered into a partnership with Allot to offer PacketShaper customers a smooth transition path to the Allot Traffic Intelligence and Assurance Platform, which provides all the important key factors mentioned above. Our application control, traffic shaping, and bandwidth management solutions receive industry recognition as the recommended alternative for the PacketShaper EOL.

As more enterprise functions migrate from centralized operations to multi-site, remote, and even work from home (WFH) practices, it’s more important than ever to address network issues with advanced traffic intelligence and application control solutions.

More resources on the topic are available on our website, and you can contact us anytime.

*** This is a Security Bloggers Network syndicated blog from Allot Blog authored by Eduardo Ramirez. Read the original post at: https://www.allot.com/blog/application-control-traffic-shaping-key-factors/