Technical Note TN2065: Configuring Quality of Service
Clavister SSP™ Security Service Platform: firewall • VPN termination • intrusion prevention • anti-virus • content filtering • traffic shaping • authentication
Protecting Values
June 2007


www.clavister.com Copyright © 2007 Clavister AB. All rights reserved.

Introduction

This technical note describes how to set up and configure various Quality of Service (QoS) scenarios with the Clavister Security Gateway. You should be running Clavister CorePlus™ version 8.80.02 or higher to take full advantage of the examples presented in this document.

The following topics are covered:

Introduction

Overview

Traffic Shaping Basics

Examples

Summary

Prerequisites

This technical note assumes a thorough understanding of Clavister FineTune™ administration and network security. Please use the

information provided in the section Further Reading to gain the required knowledge.

Further Reading

More information on Clavister administration can be found in the Clavister FineTune manual and in the Clavister CorePlus™ manual that came with your product. Another source of information is the Clavister Service and Support section, which can be found at http://www.clavister.com/support/index.html. For more information on related subjects, please visit the following Web resources:

Feature Brief: Quality of Service (April 2007)

Clavister CorePlus™ Administration Guide, version 8.80.02

Overview

One of the major drawbacks of TCP/IP, the protocol suite used for communication over networks like the Internet, Local Area Networks (LAN) and Wide Area Networks (WAN), is the lack of true QoS functionality. QoS in networks is the ability to guarantee and limit bandwidth for certain services and users. Protocols such as Differentiated Services (DiffServ) have been designed to try and solve the QoS problem in large networks by using information in packet headers to provide network devices with QoS information. Clavister CorePlus™ provides support for DiffServ by forwarding the 6 bits which make up the DiffServ Differentiated Services Code Point (DSCP), as well as copying these bits from the data traffic inside VPN tunnels to the encapsulating packets.

Although Clavister supports DiffServ, it is not an optimal solution for offering QoS in large networks. Several other solutions have been proposed, but none has reached a high enough standard for large-scale usage.

Another fact is that most current QoS solutions are application-based, that is, they work by having applications supply the network with QoS information. From a security standpoint it is of course unacceptable that the applications, i.e. the users, decide the priority of their own traffic within a network. In security-sensitive scenarios, where the users cannot be trusted, the network equipment, such as the Clavister Security Gateway, should be the sole arbiter of priorities and bandwidth allocations.

Clavister provides QoS functionality by applying limits and guarantees to the network traffic itself, rather than trusting applications and users to make these choices for themselves. It is hence well suited to manage bandwidth for a LAN as well as in one or more chokepoints in large Metropolitan Area Networks (MAN) or WANs.


Traffic Shaping Basics

The simplest way to obtain QoS in a network, from a security perspective as well as a functionality perspective, is to have the components in the network, not the applications, be responsible for network traffic control in well-defined chokepoints such as the point between the Internet and the internal network.

Traffic shaping in the Clavister Security Gateway works by measuring and queuing IP packets in transit, with respect to a number of configurable parameters. Differentiated rate limits and traffic guarantees based on source, destination and protocol parameters can be created, much the same way gateway policies are implemented. Traffic shaping works by:

Applying bandwidth limits by queuing packets that would exceed configured limits, and sending them later when the momentary demand for bandwidth is lower.

Dropping packets if the packet buffers are full. The packet to be dropped should be chosen from those that are responsible for the "jam".

Prioritizing traffic according to the administrator's choice; if the traffic in a higher priority increases while a communications line is full, traffic in lower priorities should be temporarily limited to make room for the high-priority traffic.

Providing bandwidth guarantees. This is typically accomplished by treating a certain amount of traffic (the guaranteed amount) as a higher priority, and traffic exceeding the guarantee as the same priority as "any other traffic", which then gets to compete with the rest of the non-prioritized traffic.

Well-built traffic shapers do not normally work by queuing up immense amounts of data and then sorting out prioritized traffic to send before sending non-prioritized traffic. Rather, they attempt to measure the amount of prioritized traffic and then limit the non-prioritized traffic dynamically so that it will not interfere with the throughput of prioritized traffic.

Clavister Security Gateway has an extensible traffic shaper integrated in the firewall core. Since a firewall is a central and vital part

of a network, there are many benefits of having the firewall handle traffic control.

The traffic shaper in Clavister Security Gateway has the following key features:

Pipe-Based Traffic Shaping

Close Integration with the Firewall Rule Set

Traffic Prioritizing and Bandwidth Limiting

Grouping

Dynamic Bandwidth Balancing

Pipe Chaining

Traffic Guarantees

IPsec Integration

The following sections will explain the details of these key features and give examples on how to best use these features to

achieve an optimal QoS configuration.

Pipe-Based Traffic Shaping

Traffic shaping in Clavister Security Gateway is handled by a concept based on “pipes”, where each pipe has several prioritizing,

limiting and grouping possibilities. Individual pipes may be chained in different ways to construct bandwidth management units

that far exceed the capabilities of one single pipe.

Pipes are fairly simplistic, in that they do not know much about the types of traffic that pass through them, and they know nothing about direction. A pipe simply measures the traffic that passes through it and applies the configured limits in each precedence and/or user group. Figure 1 below shows the concept of pipes.


Figure 1: Pipes. Incoming packets are matched against the rule set and then sent through one or more pipes.

Inbound network traffic is first filtered within the firewall ruleset, and is then passed to the pipe or pipes specified in the matching rule. In the pipe, traffic is limited with respect to the configuration of the pipe and is then forwarded to its destination, or to the next pipe in a chain.

As usual, the traffic is recognized by source interface, source address, destination interface, destination address and service. These parameters are used in the pipe rules section for mapping traffic into a certain pipe, or chain of pipes, on a certain precedence level.

Pipe Limits/Precedence Levels

There are eight precedence levels, matching the three-bit IP Precedence field in the Type of Service (ToS) byte of the IP header. A pipe rule can map each packet to the precedence level carried in its ToS field, or, as all the examples in this note do, assign a fixed precedence regardless of what the packet carries. The fixed assignment keeps the gateway, not the sending host, in control of priority, which is the point made in the Overview: a ToS value is set by the sender and can be chosen by an untrusted user.

Precedence levels are the priority levels used in a pipe. Precedence 0 is the lowest and handles all left-over traffic; precedence 7 is the highest. In the remainder of the text we refer to precedence 0 to 7 as P0 to P7.

Note: If there is more traffic in a given precedence level than the limit configured for that level, the excess is forced down to P0, where it has to compete for any remaining capacity.

You can also specify a total maximum amount of traffic a pipe can carry. The value is expressed in kilobits per second (kbps). Precedence limits can never exceed this total: if the total for a pipe is 1000 kbps, setting P7 to 2000 kbps has no effect, because the pipe as a whole still passes at most 1000 kbps.

When defining a pipe, three precedence values can be set: Minimum, Default and Maximum. They bound the precedence levels the pipe can use and set its default. If a pipe rule is configured to use the Default precedence, read it as: "this traffic is placed at the Default precedence of the first pipe in the chain".

Close Integration with the Firewall Rule Set

Each firewall rule may be assigned to one or more pipes, on an individual basis.

Traffic Prioritizing and Bandwidth Limiting

Each pipe contains a number of priority levels, each with its own bandwidth limit, specified in kilobits per second (kbps) and/or

packets per second. Limits may also be specified for the total of the pipe.


Grouping

Traffic through a pipe can be automatically grouped into pipe users, where each pipe user can be configured to the same extent

as the main pipe. Traffic may also be grouped with respect to a number of parameters, such as source IP network or destination IP

network, IP address, or port number.

The benefit of using grouping is that additional bandwidth controls may be applied to each group. This means that if grouping is performed, for example, per IP address, the firewall can limit and guarantee bandwidth per IP address communicating through the pipe. There are also precedences in user groups. Bandwidth may be limited per precedence, as well as for each group as a whole.

Grouping is used for fairness between the different users/applications that use the pipes at any given moment. It avoids the problem of one user taking all traffic in a precedence level, leaving nothing guaranteed for the other users, with the result that their traffic is forced down to P0 even though they should qualify for a higher precedence level.

You configure the Clavister Security Gateway to perform this fairness calculation by using the Grouping drop-down box. It supports values such as Per DestNet, Per DestIP, Per DestPort, and so on. Normally the in-pipe is grouped Per DestNet and the out-pipe is grouped Per SrcNet.

Bandwidth control first occurs per user and then continues with the pipe as a whole. Figure 2 shows a pipe with grouping enabled.

Figure 2: Grouped Pipes. Three pipe users (192.168.123.5, 192.168.123.7 and 192.168.123.18), each shaped individually, feed into the Pipe Total.

Dynamic Bandwidth Balancing

The traffic shaper in the Clavister Security Gateway can be used to dynamically balance the bandwidth allocation of different pipe users if the pipe as a whole has exceeded its limits. This means that available bandwidth is evenly balanced with respect to the chosen grouping for the pipe.

This allows you to get the maximum performance out of your network without sacrificing the benefits from guaranteed bandwidth to critical resources.
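The following is an added example, written for this note and not Clavister code, of how a grouped pipe with Dynamic Balancing could divide a pipe total among its pipe users. The model is an assumption about the behaviour described above: every pipe user (for example each /24 when grouping Per SrcNet) is first capped by a per-user limit, then the pipe total is shared evenly, and a user who wants less than an even share returns the unused remainder to the others (max-min fairness). The function name `balance` and the demand figures are constructed for the example; the three addresses are those of Figure 2.

```python
"""Added example, not Clavister code: max-min fair sharing of a pipe total
between grouped pipe users (the model assumed here for Dynamic Balancing)."""


def balance(demand_kbps, pipe_total_kbps, per_user_limit_kbps=None):
    """Return {user: kbps granted}.

    demand_kbps         -- {user: kbps the user is currently offering}
    pipe_total_kbps     -- Total limit of the pipe (Pipe Limits tab)
    per_user_limit_kbps -- optional limit applied to each pipe user before the
                           pipe total is shared (None = no per-user limit)
    """
    # Stage 1: per-user control ("bandwidth control first occurs per user").
    capped = {
        user: min(kbps, per_user_limit_kbps) if per_user_limit_kbps is not None else kbps
        for user, kbps in demand_kbps.items()
    }
    # Stage 2: share the pipe total evenly. Smallest demand first: a user who
    # needs less than an even share is satisfied and the slack is returned to
    # the pool, so the remaining users' even share grows (max-min fairness).
    granted = {}
    remaining = float(pipe_total_kbps)
    pending = sorted(capped.items(), key=lambda kv: kv[1])
    while pending:
        share = remaining / len(pending)
        user, want = pending[0]
        if want <= share:
            granted[user] = want
            remaining -= want
            pending.pop(0)
        else:
            # everyone left wants at least an even share: split what is left
            for user, _ in pending:
                granted[user] = share
            break
    return granted


def figure2_example():
    """The three pipe users of Figure 2 under a 1000 kbps pipe total.
    The offered loads are constructed for this example."""
    demand = {"192.168.123.5": 1500, "192.168.123.7": 300, "192.168.123.18": 800}
    return balance(demand, pipe_total_kbps=1000)


if __name__ == "__main__":
    for user, kbps in sorted(figure2_example().items()):
        print(f"{user:16} {kbps:7.1f} kbps")
```

The host asking for 300 kbps gets all of it; the two heavier users split the remaining 700 kbps evenly at 350 kbps each, instead of the first one taking everything.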

Pipe Chaining

When pipes are assigned to rules, up to eight pipes may be connected to form a chain. This permits filtering and limiting to be handled in a very sophisticated manner. Pipe chaining means that two pipes are connected together at one end, so traffic first flows through one pipe, and then it flows through to the next pipe. This can be used to shape the traffic in many ways, for example to move traffic to another precedence level, or to limit the total amount of a certain traffic type.
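The following toy model is an added example, not Clavister code, covering both the precedence-level rules of the Pipe Limits section (a limit is also a guarantee, the excess is pushed down to P0, nothing exceeds the pipe total) and pipe chaining. It uses the numbers from the headquarters scenario later in this note (2000 kbps total, P6 = 500 for VoIP, P4 = 250 for Citrix, P2 = 1000 for Other, web at P0) and the in-other pipe of 1000 kbps that the chaining example puts in front of in-pipe. Three things are this example's own assumptions, not taken from the note: a precedence with no configured limit is bounded only by the pipe total, capacity within one precedence is split in proportion to demand, and in a chain each pipe's output becomes the next pipe's input. The offered loads are constructed.

```python
"""Added example, not Clavister code: pipe precedence limits and chaining."""
from dataclasses import dataclass, replace


@dataclass
class Flow:
    """Traffic from one pipe rule: its name, the precedence the rule assigns
    (Use Fixed), the kbps offered, and the pipe chain it is sent through."""
    name: str
    prec: int
    kbps: float
    chain: tuple


class Pipe:
    def __init__(self, name, total_kbps, limits_kbps=None):
        self.name = name
        self.total = total_kbps                # Pipe Limits tab: Total
        self.limits = dict(limits_kbps or {})  # Pipe Limits tab: Precedence N

    def allocate(self, flows):
        """Return the flows as they leave this pipe.

        Precedences are served from P7 down, each up to its limit (so the
        limit is also the guarantee); traffic exceeding a limit is pushed
        down to P0, where it competes for whatever total capacity is left.
        Assumption: a precedence with no configured limit is bounded only
        by the pipe total, and a precedence's capacity is split among its
        flows in proportion to their demand.
        """
        remaining = self.total
        by_prec = {}
        for f in flows:
            by_prec.setdefault(f.prec, []).append(f)
        out, demoted = [], []
        for prec in sorted(set(by_prec) | {0}, reverse=True):
            group = by_prec.get(prec, []) + (demoted if prec == 0 else [])
            offered = sum(f.kbps for f in group)
            cap = min(self.limits.get(prec, self.total), remaining)
            passed = min(offered, cap)
            for f in group:
                share = passed * f.kbps / offered if offered else 0.0
                if share:
                    out.append(replace(f, prec=prec, kbps=share))
                if prec > 0 and f.kbps > share:
                    demoted.append(replace(f, prec=0, kbps=f.kbps - share))
            remaining -= passed
        return out


def shape(flows, pipes):
    """Push flows through the pipes in the given order; a flow only enters
    the pipes named in its chain. The order must agree with the chains
    (in-other is listed before in-pipe, as in the Return Chain)."""
    for pipe in pipes:
        entering = [f for f in flows if pipe.name in f.chain]
        flows = [f for f in flows if pipe.name not in f.chain] + pipe.allocate(entering)
    return flows


def delivered(flows):
    """kbps leaving the last pipe, per rule name (all precedences summed)."""
    totals = {}
    for f in flows:
        totals[f.name] = totals.get(f.name, 0.0) + f.kbps
    return totals


# Headquarters example: 2/2 Mbps link, in-pipe 2000 kbps total.
IN_PIPE = Pipe("in-pipe", 2000, {6: 500, 4: 250, 2: 1000})
IN_OTHER = Pipe("in-other", 1000)  # chained in front of in-pipe for Other only


def headquarters(chained):
    """Inbound load, constructed so that VoIP and Other both exceed their
    limits. With chained=True the Other rule uses in-other, in-pipe."""
    other_chain = ("in-other", "in-pipe") if chained else ("in-pipe",)
    flows = [
        Flow("VoIP", 6, 800, ("in-pipe",)),
        Flow("Citrix", 4, 200, ("in-pipe",)),
        Flow("Other", 2, 1500, other_chain),
        Flow("WebSurfing", 0, 1000, ("in-pipe",)),
    ]
    return delivered(shape(flows, [IN_OTHER, IN_PIPE]))


if __name__ == "__main__":
    for chained in (False, True):
        print("chained" if chained else "single pipe", headquarters(chained))
```

Without the chain, the 500 kbps of Other traffic above its P2 limit drops to P0 and competes with web surfing for the last 300 kbps, so Other ends up with about 1083 kbps and web with about 167 kbps. With in-other first in the chain, Other is cut to exactly 1000 kbps before it reaches in-pipe and never spills into P0, leaving web about 231 kbps. The P7-in-a-1000-kbps-pipe case from the Pipe Limits section is covered by the last assertion.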


Traffic Guarantees

With the proper pipe configuration, the traffic shaping in Clavister Security Gateway may be used to guarantee bandwidth and

thereby quality, for traffic through the firewall.

IPsec Integration

If the optional IPsec VPN support is used in the firewall, bandwidth and priorities may be configured for VPN tunnels as well as for

ordinary firewall rules.

Examples

The following section contains a number of example configurations that demonstrate various QoS scenarios. Please feel free to try them out and experiment.

Tools: There are a number of useful tools, BWTest and SimpSrv, which can be used to verify the configurations. You will find

them at:

http://www.clavister.com/support/downloads.html

The first example will limit all traffic, both incoming and outgoing, to 1 Mbps using two pipes.

The reason we are using two separate pipes is that it is easier to match the physical capacity, especially when faced with asymmetric capacities, such as an 8/0.5 Mbps ADSL link or similar.

If we were to use only one pipe for both directions, its limit would have to cover the sum of both directions (1 + 1 = 2 Mbps), which matches neither direction of the physical link, so it would not work well. To achieve the desired result we therefore create two pipes, one for incoming traffic and one for outgoing traffic, and limit the total capacity to 1000 kbps per pipe.

Configuring Pipes

Follow the instructions below:

1. Start your Clavister FineTune application, if it is not already started, and select the Security Editor from the Tools menu.

2. Right-click on the Security Gateway to bring up the contextual menu and select Version Control > Check Out. You can also select the Security Gateway and use Ctrl-O.

3. Expand the Security Gateway by clicking on the + (plus) sign. Expand the Traffic Management folder by clicking on the + (plus) sign. Expand the Traffic Shaping folder by clicking on the + (plus) sign.

4. Right-click on the Pipes icon to bring up the contextual menu and select New Pipe…. You can also select the Pipes icon and use Ctrl-N.

5. The Pipe Properties dialog is shown. Select the Pipe tab and enter the following information for our first pipe:

Name: in-pipe
Minimum Precedence: 0
Default Precedence: 0
Maximum Precedence: 7
Grouping Network: Per DestNet
Network Size: 24
Enable Dynamic Balancing: Yes

6. Select the Pipe Limits tab and enter the following information:

Total: 1000

7. Click OK to accept the changes.

8. Repeat step 4 above for our second pipe. Select the Pipe tab and enter the following information for our second pipe:


Name: out-pipe
Minimum Precedence: 0
Default Precedence: 0
Maximum Precedence: 7
Grouping Network: Per SrcNet
Network Size: 24
Enable Dynamic Balancing: Yes

9. Select the Pipe Limits tab and enter the following information:

Total: 1000

10. Click OK to accept the changes.

Configuring Pipe Rule

Now it is time to create a pipe rule using the pipes. This rule will force all traffic to the default precedence level and, by means of the pipes, limit all traffic to 1 Mbps. Since we have enabled Dynamic Balancing, our users each get a fair share of the 1 Mbps capacity. The users are located on the LAN interface on the LAN net (192.168.1.0/24), and we are limiting all IP traffic from them towards the WAN interface.

Follow the instructions below:

1. Right-click on the Pipe Rules icon to bring up the contextual menu and select New Pipe Rule…. You can also select the Pipe Rules icon and use Ctrl-N.

2. The Pipe Rule Properties dialog is shown. Select the Pipe Rule tab and enter the following information:

Name: All_1Mbps
Source Interface: lan
Source Network: lannet
Destination Interface: wan
Destination Network: all-nets

3. Select the Service tab and enter the following information:

Pre-defined: All

4. Select the Traffic Shaping tab and enter the following information:

Forward Chain: out-pipe
Return Chain: in-pipe

You select the pipes from the drop-down boxes under the respective chain.

5. Click OK to accept the changes.

NOTE: Forward Chain and Return Chain are labeled Forward Pipes and Return Pipes in the Pipe Rule listing.

6. Right-click on the Security Gateway to bring up the contextual menu and select Version Control > Check In. You can also select the Security Gateway and use Ctrl-I.

7. Click the Deploy Configuration button to deploy the newly created configuration. You can also use Ctrl-D.

After checking in and deploying this configuration, it is time to test the setup. Either simply try to surf and download files from a

site near you, or use the Clavister supplied tools mentioned earlier. The throughput can easily be verified by using the Real-Time

Monitor function in Clavister FineTune.

1. Select the Real-Time Monitor from the Tools menu.

2. Right-click on the Real-Time Monitor window to bring up the contextual menu and select Add Counter….


3. Select the Security Gateway, expand the WAN section by clicking on the + (plus) sign and check the following counters:

Bps received

Bps sent

That concludes the first of our traffic shaping examples.

Several Precedence Levels

In this example we will use several different precedence levels, one each for VoIP, Citrix, Other and Web surfing, where Web surfing has the lowest priority (P0), which it shares with any traffic of the other kinds that does not fit within its respective precedence level. It can be wise to leave gaps between the levels used, so that a new kind of traffic can later be inserted between existing ones.

This is the scenario for a headquarters with a 2/2 Mbps (symmetric) link to the Internet. We can continue from our previous example and modify the in-pipe and the out-pipe, plus modify and create a few new rules that force the traffic into their respective precedence levels.

We are going to assign 500 kbps to precedence 6 for VoIP, 250 kbps to precedence 4 for Citrix, and 1000 kbps to precedence 2 for

other traffic. We are also going to modify the total limit to 2000 kbps.

Configuring Pipes

Follow the instructions below:

1. Start your Clavister FineTune application, if it is not already started, and select the Security Editor from the Tools menu.

2. Right-click on the Security Gateway to bring up the contextual menu and select Version Control > Check Out. You can also select the Security Gateway and use Ctrl-O.

3. Expand the Security Gateway by clicking on the + (plus) sign. Expand the Traffic Management folder by clicking on the + (plus) sign. Expand the Traffic Shaping folder by clicking on the + (plus) sign.

4. Double-click the pipe named in-pipe to bring up the Pipe Properties dialog. Select the Pipe Limits tab and enter the following information:

Precedence 6: 500
Precedence 4: 250
Precedence 2: 1000
Total: 2000

5. Click OK to accept the changes.

6. Double-click the pipe named out-pipe to bring up the Pipe Properties dialog. Select the Pipe Limits tab and enter the following information:

Precedence 6: 500
Precedence 4: 250
Precedence 2: 1000
Total: 2000

7. Click OK to accept the changes.

Configuring Pipe Rules

Now we need to create the services used in this example. VoIP uses the pre-defined service H323; Citrix (ICA) uses TCP port 1494, for which a custom service is created. We also need to create pipe rules that correspond to the desired behavior. Remember that the rules are read top to bottom: the WebSurfing rule must be above the Other (All services) rule, or it will never have a chance to trigger.


NOTE: For traffic shaping to work well, no traffic can be allowed to bypass the pipes, or it will render the traffic shaping effort useless. The reason is that TCP is greedy: a flow that is not shaped expands to take whatever link capacity it can get, squeezing out the flows inside the pipes.

Follow the instructions below:

1. Start by removing the previous pipe rule named All_1Mbps: right-click the rule in the list to bring up the contextual menu and select Delete. You can also select the rule in the list and press Delete.

2. Confirm the deletion.

3. Right-click on the Pipe Rules icon to bring up the contextual menu and select New Pipe Rule…. You can also select the Pipe Rules icon and use Ctrl-N.

4. The Pipe Rule Properties dialog is shown. Select the Pipe Rule tab and enter the following information:

Name: WebSurfing
Source Interface: lan
Source Network: lannet
Destination Interface: wan
Destination Network: all-nets

5. Select the Service tab and enter the following information:

Pre-defined: http-all

6. Select the Traffic Shaping tab and enter the following information:

Forward Chain: out-pipe
Return Chain: in-pipe
Use Fixed: 0

You select the pipes from the drop-down boxes under the respective chain.

7. Click OK to accept the changes.

8. Right-click on the Pipe Rules icon to bring up the contextual menu and select New Pipe Rule…. You can also select the Pipe Rules icon and use Ctrl-N.

9. The Pipe Rule Properties dialog is shown. Select the Pipe Rule tab and enter the following information:

Name: VoIP
Source Interface: lan
Source Network: lannet
Destination Interface: wan
Destination Network: all-nets

10. Select the Service tab and enter the following information:

Pre-defined: H323

11. Select the Traffic Shaping tab and enter the following information:

Forward Chain: out-pipe
Return Chain: in-pipe
Use Fixed: 6

You select the pipes from the drop-down boxes under the respective chain.

12. Click OK to accept the changes.

13. Right-click on the Pipe Rules icon to bring up the contextual menu and select New Pipe Rule…. You can also select the Pipe Rules icon and use Ctrl-N.

14. The Pipe Rule Properties dialog is shown. Select the Pipe Rule tab and enter the following information:

Name: Citrix
Source Interface: lan
Source Network: lannet
Destination Interface: wan
Destination Network: all-nets


15. Select the Service tab and enter the following information:

Custom: the Citrix service (TCP port 1494) created above. Do not select http-all here; that would match web traffic instead and leave Citrix traffic to fall through to the Other rule.

16. Select the Traffic Shaping tab and enter the following information:

Forward Chain: out-pipe
Return Chain: in-pipe
Use Fixed: 4

You select the pipes from the drop-down boxes under the respective chain.

17. Click OK to accept the changes.

18. Right-click on the Pipe Rules icon to bring up the contextual menu and select New Pipe Rule…. You can also select the Pipe Rules icon and use Ctrl-N.

19. The Pipe Rule Properties dialog is shown. Select the Pipe Rule tab and enter the following information:

Name: Other
Source Interface: lan
Source Network: lannet
Destination Interface: wan
Destination Network: all-nets

20. Select the Service tab and enter the following information:

Pre-defined: All

21. Select the Traffic Shaping tab and enter the following information:

Forward Chain: out-pipe
Return Chain: in-pipe
Use Fixed: 2

You select the pipes from the drop-down boxes under the respective chain.

22. Click OK to accept the changes.

23. Right-click on the Security Gateway to bring up the contextual menu and select Version Control > Check In. You can also select the Security Gateway and use Ctrl-I.

24. Click the Deploy Configuration button to deploy the newly created configuration. You can also use Ctrl-D.

After checking in and deploying this configuration, it is time to test the setup. Either simply try to surf and download files from a

site near you, or use the Clavister supplied tools mentioned earlier. The throughput can easily be verified by using the Real-Time

Monitor function in Clavister FineTune.

Pipe Chaining

Now let us modify the previous example to chain several pipes. What we want to achieve is that P2 (Other) is restricted to 1000 kbps in total, so that P2 is not allowed to "spill over" excess traffic into P0. This is achieved with pipe chaining: we introduce a pipe with a total limit of 1000 kbps and modify the Other rule to use both the in-pipe and the in-other pipe in series for the inbound traffic, and the out-pipe and the out-other pipe in series for the outgoing traffic.

Configuring Pipes

Create an in-other pipe and an out-other pipe, each with a Total of 1000 in the Pipe Limits tab (we are reserving the same amount in both directions in this example).

Follow the instructions below:

1. Start your Clavister FineTune application, if it is not already started, and select the Security Editor from the Tools menu.

2. Right-click on the Security Gateway to bring up the contextual menu and select Version Control > Check Out. You can also select the Security Gateway and use Ctrl-O.


3. Expand the Security Gateway by clicking on the + (plus) sign. Expand the Traffic Management folder by clicking on the + (plus) sign. Expand the Traffic Shaping folder by clicking on the + (plus) sign.

4. Select the in-pipe row, right-click to bring up the contextual menu and select Copy…. You can also select the pipe and use Ctrl-C.

5. Press Ctrl-V to paste a copy of the in-pipe. It will be named in-pipe_copy.

6. Rename in-pipe_copy to in-other and press Alt-Enter to bring up the Pipe Properties dialog.

7. Select the Pipe Limits tab and enter the following information:

Total: 1000

8. Click OK to accept the changes.

9. Repeat steps 4 to 8 for the out-pipe, naming the copy out-other.

Configuring Pipe Rules

Now we need to modify the Other pipe rule to use both pipes.

Follow the instructions below:

1. Select the Other pipe rule and press Alt-Enter to bring up the Pipe Rule Properties dialog.

2. Select the Traffic Shaping tab and enter the following information:

Forward Chain: out-other, out-pipe
Return Chain: in-other, in-pipe
Use Fixed: 2

Select the out-other pipe from the drop-down box under the Forward Chain list. Use the Up/Down buttons to position the out-other pipe before the out-pipe. Repeat with the in-other pipe for the Return Chain.

3. Click OK to accept the changes.

4. Right-click on the Security Gateway to bring up the contextual menu and select Version Control > Check In. You can also select the Security Gateway and use Ctrl-I.

5. Click on button Deploy Configuration to the deploy the newly created configuration. You can also use Ctrl-D.

After checking in and deploying this configuration, it is time to test the setup. Either simply try to surf and download files from a

site near you, or use the Clavister supplied tools mentioned earlier. The throughput can easily be verified by using the Real-Time

Monitor function in Clavister FineTune.

NOTE: The in-other and out-other pipes must be first in the pipe chain in both directions. This is because we want to limit the Other traffic immediately, before it enters the in-pipe and the out-pipe, where it competes with VoIP, Citrix and WebSurfing traffic.

SAT and Pipes

If you are using Static Address Translation (SAT) for your traffic, for example to a web server or an FTP server, you need to force that traffic into pipes as well. Otherwise it will pass "outside" your pipes and ruin your QoS setup. To accomplish this you also need to reverse the order of the pipes: the forward chain is your in-pipe and the return chain is your out-pipe, because the connection is initiated from the outside.

Configuring Pipe Rules

A simple method is to put a "catch-all-inbound" rule at the bottom of your pipe rule list, with the external interface (wan) as source interface, so that traffic from the inside to your external IP address is not put into these pipes.
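The two mistakes this section and the note above warn about, a broad rule placed above a more specific one so that the specific one never triggers, and traffic such as inbound SAT connections that matches no pipe rule at all and therefore bypasses shaping, can both be caught by checking a pipe rule list before deploying it. The following is an added example, not Clavister code or a FineTune feature: it re-implements first-match evaluation over rules shaped like the Pipe Rule dialog (source/destination interface and network, service, chains, fixed precedence). The address book entries lannet and all-nets are from the note; the public addresses, the port lists behind the service names (http-all, H323 and a custom citrix service) and the sample connections are constructed assumptions for the example.

```python
"""Added example, not Clavister code: first-match audit of a pipe rule list."""
import ipaddress

# Address book objects named in the note.
NETS = {"lannet": "192.168.1.0/24", "all-nets": "0.0.0.0/0"}
# None means the pre-defined service "All"; the port sets are assumptions for
# this example, not the gateway's own service definitions.
SERVICES = {
    "All": None,
    "http-all": {("tcp", 80), ("tcp", 443)},
    "H323": {("tcp", 1720)},
    "citrix": {("tcp", 1494)},
}


def rule(name, src_if, src_net, dst_if, dst_net, service, fwd, ret, prec):
    return dict(name=name, src_if=src_if, src_net=src_net, dst_if=dst_if,
                dst_net=dst_net, service=service, fwd=fwd, ret=ret, prec=prec)


def conn(label, src_if, src_ip, dst_if, dst_ip, proto, dst_port):
    return dict(label=label, src_if=src_if, src_ip=src_ip, dst_if=dst_if,
                dst_ip=dst_ip, proto=proto, dst_port=dst_port)


def _net(name):
    return ipaddress.ip_network(NETS[name])


def matches(r, c):
    """Every field of the rule must cover the connection."""
    svc = SERVICES[r["service"]]
    return (r["src_if"] == c["src_if"] and r["dst_if"] == c["dst_if"]
            and ipaddress.ip_address(c["src_ip"]) in _net(r["src_net"])
            and ipaddress.ip_address(c["dst_ip"]) in _net(r["dst_net"])
            and (svc is None or (c["proto"], c["dst_port"]) in svc))


def first_match(rules, c):
    """Pipe rules are read top to bottom; the first match wins."""
    return next((r for r in rules if matches(r, c)), None)


def unshaped(rules, conns):
    """Labels of connections that hit no pipe rule and so bypass the pipes."""
    return [c["label"] for c in conns if first_match(rules, c) is None]


def shadowed(rules):
    """Names of rules that can never trigger because an earlier rule covers
    every connection they could match."""
    def covers(broad, narrow):
        bs, ns = SERVICES[broad["service"]], SERVICES[narrow["service"]]
        return (broad["src_if"] == narrow["src_if"] and broad["dst_if"] == narrow["dst_if"]
                and _net(narrow["src_net"]).subnet_of(_net(broad["src_net"]))
                and _net(narrow["dst_net"]).subnet_of(_net(broad["dst_net"]))
                and (bs is None or (ns is not None and ns <= bs)))
    return [later["name"] for i, later in enumerate(rules)
            if any(covers(earlier, later) for earlier in rules[:i])]


# The headquarters rule list from this note, in the order it prescribes.
HQ_RULES = [
    rule("WebSurfing", "lan", "lannet", "wan", "all-nets", "http-all", ["out-pipe"], ["in-pipe"], 0),
    rule("VoIP", "lan", "lannet", "wan", "all-nets", "H323", ["out-pipe"], ["in-pipe"], 6),
    rule("Citrix", "lan", "lannet", "wan", "all-nets", "citrix", ["out-pipe"], ["in-pipe"], 4),
    rule("Other", "lan", "lannet", "wan", "all-nets", "All", ["out-pipe"], ["in-pipe"], 2),
]
# The catch-all-inbound rule of the SAT section; note the reversed chains.
ALL_INCOMING = rule("All_Incoming", "wan", "all-nets", "core", "all-nets", "All",
                    ["in-pipe"], ["out-pipe"], 0)

# Constructed sample connections (public addresses are documentation ranges).
SAMPLE = [
    conn("lan web", "lan", "192.168.1.10", "wan", "203.0.113.5", "tcp", 443),
    conn("lan citrix", "lan", "192.168.1.11", "wan", "203.0.113.6", "tcp", 1494),
    conn("lan voip", "lan", "192.168.1.12", "wan", "203.0.113.7", "tcp", 1720),
    conn("lan dns", "lan", "192.168.1.10", "wan", "203.0.113.8", "udp", 53),
    conn("inbound to SAT web server", "wan", "198.51.100.7", "core", "203.0.113.1", "tcp", 80),
]

if __name__ == "__main__":
    print("bypasses pipes:", unshaped(HQ_RULES, SAMPLE))
    print("bypasses pipes with All_Incoming:", unshaped(HQ_RULES + [ALL_INCOMING], SAMPLE))
    print("shadowed when Other is moved to the top:", shadowed([HQ_RULES[3]] + HQ_RULES[:3]))
```

Run against the LAN rules alone, the audit reports the inbound SAT connection as unshaped; adding All_Incoming at the bottom clears it. Moving the Other rule to the top of the list makes WebSurfing, VoIP and Citrix unreachable, which is exactly the ordering error the note tells you to avoid.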


Follow the instructions below:

1. Right-click on the Pipe Rules icon to bring up the contextual menu and select New Pipe Rule…. You can also select the Pipe Rules icon and use Ctrl-N.

2. The Pipe Rule Properties dialog is shown. Select the Pipe Rule tab and enter the following information:

Name: All_Incoming
Source Interface: wan
Source Network: all-nets
Destination Interface: core
Destination Network: all-nets

3. Select the Service tab and enter the following information:

Pre-defined: All

4. Select the Traffic Shaping tab and enter the following information:

Forward Chain: in-pipe
Return Chain: out-pipe
Use Fixed: 0

You select the pipes from the drop-down boxes under the respective chain.

5. Click OK to accept the changes.

6. Right-click on the Security Gateway to bring up the contextual menu and select Version Control > Check In. You can also select the Security Gateway and use Ctrl-I.

7. Click the Deploy Configuration button to deploy the newly created configuration. You can also use Ctrl-D.

NOTE: The destination interface core matches connections addressed to the gateway's own IP addresses. If the SAT target is an additional public address that the gateway publishes on the WAN interface via Address Resolution Protocol (ARP), use wan as the destination interface instead.

After checking in and deploying this configuration, it is time to test the setup. Either simply try to surf and download files from a site near you, or use the Clavister supplied tools mentioned earlier. The throughput can easily be verified by using the Real-Time Monitor function in Clavister FineTune.

That concludes our final traffic shaping example.

Feedback

Clavister Product Marketing is always interested in feedback from our readers. Please direct suggestions, comments or questions regarding this document to [email protected]. Please include the title of the document in your e-mail.

About Clavister

Clavister - a Swedish privately owned company developing IT security products, including its award-winning Clavister Security Service Platform (SSP™). This service-oriented framework enables organizations to monitor network traffic, protecting critical business assets and blocking undesirable surfing. It will also protect you against intrusion, viruses, worms, Trojans, and overload attacks. It requires minimal servicing, with central administration, and has exceptionally flexible configuration possibilities. Its seamless scalability makes it easy to provision the perfect solution for any customer; be it small organizations, large Internet Service Providers, Managed Security Service Providers, or multimedia-ready telecom operators.

Clavister was founded 1997 in Sweden, with R&D and headquarters based in Örnsköldsvik and Sales and Marketing based in Stockholm. Its solutions are marketed and sold through International sales offices, distributors, and resellers throughout EMEA and Asia. Clavister also offers its technology to OEM manufacturers.

For more information, please visit us at www.clavister.com.

Limitation of Responsibilities

The information in this document represents the current view of Clavister AB on the issues discussed as of the date of publication. Because Clavister must respond to changing conditions, it should not be considered to be a commitment for Clavister, and Clavister cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. CLAVISTER MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the written permission of Clavister. Clavister may have trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Clavister, the furnishing of this document does not give you any license to these trademarks, copyrights, or other intellectual property.