Souped-up Security

Security and QoS Unite

Merging the two technologies gives users multiple lines of defense against network attacks.
January 19, 2004 (Computerworld) -- Until recently, quality-of-service and network security technologies lived in separate worlds. But they have something important in common. Certain types of attacks on network security affect application performance -- and ensuring application performance is the main mission of QoS.
So the two technology camps have begun joining forces to stave off network attacks that degrade or halt network performance.
The enemies at the gate are worms, viruses, Trojan horse programs and denial-of-service attacks. These invasions rapidly replicate pieces of code or application service requests to the point where they overload a system's memory or CPU.
Firewalls and intrusion-detection systems (IDS) are typically used to identify unauthorized traffic based on known malicious bit patterns or limited parameters in an IP header. At the same time, sophisticated traffic-management capabilities -- available as appliances and as software capabilities in network routers -- recognize traffic based on application, protocol, user, media access control address, IP address and other granular variables.
Network implementers are recognizing common ground and the benefits of some integration work. For example, security and QoS products already tap common access control lists (ACL) for rules on how to treat traffic. And if further integrated, an IDS that discovers abnormal traffic patterns could alert a QoS system to treat that traffic according to those rules.
"The fact that firewalls, IDSs and QoS overlap gives you multiple ways to find and fight infections," says Joe Walton, a principal at VistaOne IT Services, a value-added network reseller based in Richmond, Va.
QoS's primary purpose is to manage the performance of multiple applications contending for bandwidth on a converged network link. To do this, QoS products identify what traffic is on the network, then classify and treat it according to the enterprise's network policy. For example, you could tune your network to "always allocate 20Kbit/sec. to Citrix," "limit streaming-media traffic to 128Kbit/sec." and "block all Kazaa traffic" to give the various traffic streams their appropriate due.
Once you have the power to identify and control traffic this way, you can apply QoS to also detect traffic anomalies, then set policies to automatically mitigate their effects. A firewall is a first line of defense, usually deployed at the WAN edge to permit or deny access based on ACLs. An IDS monitors packet streams in the background in search of traffic patterns that have already been identified as malicious -- then alerts you if it finds one.
QoS can do a little of each function, while also enabling network forensics and immediate treatment of suspicious traffic, says Walton. "QoS helps you track down where an infection originated within your internal network. Then you can go back and alert that site that they are infecting everybody," Walton explains.
The University of California, Irvine, uses Packeteer Inc.'s PacketShaper QoS appliance in part for this capability.
"PacketShaper identifies where [an unnaturally large volume of] connections are coming from," says Ted Roberge, manager of residential network services. "I can block or shape those IP addresses down to a tiny amount of bandwidth to minimize the impact on network and server resources."
Larry Roth, vice president of OnlyInternet.Net, an Internet service provider in Bluffton, Ind., has used Allot Communications Ltd.'s NetEnforcer QoS appliance in a similar manner: to fight viruses. "When Blaster came out on [TCP] Port 135, we put in rules and regulations for minimizing traffic that could use that port," explains Roth, who also uses firewalls and IDSs. "We saw an immediate 40% drop in Blaster being spread."
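As an added illustration (not code from the article or from Packeteer, Allot or Cisco), the following Python simulates the policy model the preceding paragraphs describe: flows are classified by application or port, given the allocate/limit/block treatment from the examples above, and a source that opens an unusually large number of connections is automatically moved into a tiny-bandwidth shaping class, as Roberge describes doing by hand. The flow records, the connection threshold, and the rates assigned to TCP port 135 and to shaped sources are constructed assumptions.

```python
from collections import defaultdict

# Policy table modelled on the article's examples: class -> (action, kbit/sec).
# "guarantee" reserves bandwidth, "limit" caps it, "block" drops; None is best effort.
POLICY = {
    "citrix":    ("guarantee", 20),
    "streaming": ("limit", 128),
    "kazaa":     ("block", 0),
    "tcp/135":   ("limit", 8),    # assumed cap for the port Blaster spread on
    "shaped":    ("limit", 4),    # assumed tiny allowance for flagged sources
    "default":   ("best-effort", None),
}

def classify(flow, shaped_sources):
    """Map one flow record to a policy class; a flagged source overrides the app."""
    if flow["src"] in shaped_sources:
        return "shaped"
    if flow["app"] in ("citrix", "streaming", "kazaa"):
        return flow["app"]
    if flow["proto"] == "tcp" and flow["dport"] == 135:
        return "tcp/135"
    return "default"

def anomalous_sources(flows, max_connections):
    """Sources opening more distinct (dst, dport) pairs than max_connections."""
    conns = defaultdict(set)
    for f in flows:
        conns[f["src"]].add((f["dst"], f["dport"]))
    return {src for src, targets in conns.items() if len(targets) > max_connections}

def apply_policy(flows, max_connections=5):
    """Return flagged sources and a (src, class, action, kbit/sec) decision per flow."""
    shaped = anomalous_sources(flows, max_connections)
    decisions = []
    for f in flows:
        cls = classify(f, shaped)
        action, rate = POLICY[cls]
        decisions.append((f["src"], cls, action, rate))
    return shaped, decisions

# Constructed sample: 10.0.0.5 fans out to eight hosts on TCP/135, worm-style.
SAMPLE = [{"src": "10.0.0.5", "dst": f"10.0.1.{i}", "dport": 135, "proto": "tcp", "app": None}
          for i in range(1, 9)] + [
    {"src": "10.0.0.7", "dst": "10.0.2.1", "dport": 1494, "proto": "tcp", "app": "citrix"},
    {"src": "10.0.0.8", "dst": "10.0.2.2", "dport": 1214, "proto": "tcp", "app": "kazaa"},
    {"src": "10.0.0.9", "dst": "10.0.1.3", "dport": 135, "proto": "tcp", "app": None},
]
```

Calling `apply_policy(SAMPLE)` flags only 10.0.0.5 and shapes all of its flows, while the single port-135 flow from 10.0.0.9 merely receives the port cap.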
Oded Nahum, a senior systems engineer at Allot, says his company's gear has been used quite a bit by Internet service providers lately for handling network-aware viruses. "ISPs have such a broad reach, a virus can cause a lot of damage" if not checked, he says.
Interim Protection
QoS products often serve as "interim" defenses until viruses become known, IDSs are programmed to identify them, and patches are created and deployed on host systems.
Amir Khan, a director of product marketing at Cisco Systems Inc., says, "QoS plays a major security role here. When Kazaa [a peer-to-peer file-sharing application] hit enterprise networks, for example, it took many days to develop and implement patches."
Cisco's Network-Based Application Recognition classification engine, however, was able to flag Kazaa. Users could then decide to give it the lowest priority or drop it, he says.
Adding QoS to the security arsenal provides another line of defense against network attacks that affect performance. Meanwhile, further integration will enable QoS and security features to communicate with one another. When a network policy configured using one feature can trigger the appropriate corresponding behavior in the other -- capabilities likely to become available next year -- this integration and automation will enhance and simplify the network administrator's ability to implement policy-based rules that manage network behavior.
Wexler is a freelance writer in California's Silicon Valley. Contact her at joanie@jwexler.com.