Hillstone T-Series Intelligent Next-Generation Firewall Whitepaper: Enhanced Intelligent QoS

Transcription

1 Hillstone T-Series Intelligent Next-Generation Firewall Whitepaper: Enhanced Intelligent QoS Keywords: Hillstone T-Series Intelligent Next-Generation Firewall (ingfw), Enhanced Intelligent QoS (iqos),, Two-Layer and Eight-Level, Application-based Differentiated Service, Monitoring, Allocation of Remaining Bandwidth, Traffic Shaping, Bandwidth Management. Abstract: This paper describes the unique Enhanced Intelligent QoS (iqos) capabilities of the Hillstone T-Series Intelligent Next Generation Firewall (ingfw). Compared to traditional QoS, iqos is equipped with rich features including two-layer and eight-level tunnel embedding, tunnel monitoring, prioritybased differentiated services and allocation of remaining bandwidth. These QoS features can be deployed flexibly to realize traffic shaping based on organizational structure, to implement traffic shaping decisions based on application and user, to guarantee the successful operation of key services, and to utilize bandwidth resources to their full extent. The iqos features help the network administrator maximize network performance and maintain business service levels. 1 Overview Network traffic is increasingly complex and diverse. Modern enterprises are distributed across multiple locations, both large and small, as well as remote employees who access the network from various locations at any given time. Extremely large files may be sent between different departments or regions and can waste precious network bandwidth, slow down critical services and inadvertently increase operational costs. Traditional traffic shaping devices can often not meet increasing demands at the user level, including the: Inability to perform flexible, multi-layer embedded traffic shaping based on organizational structure, or based on application or user. Inability to perform traffic shaping with fine granularity. Most existing QoS solutions support only traditional 5-tuple (including source IP address, source port number, destination IP address, destination port number, protocol) traffic shaping. Lack of QoS management visibility, and easy-to-use dashboards. Phone:

2 Difficulty in prioritizing key services. Inefficient bandwidth utilization. The Hillstone ingfw system includes patented Enhanced iqos features which enable two-layer, eight-level embedded tunnel traffic shaping with fine granularity in identifying and treating applications and users. These features meet the demands of hierarchical network deployment and modern addressing characteristics which are often left unaddressed by traditional QoS technologies. 2 Hillstone Intelligent QoS (iqos) Capabilities The ingfw system includes unique, patented Enhanced iqos capabilities that provide the network administrator with superior quality of service traffic handling and management features, including: Traffic shaping based not only on traditional 5-tuple traffic attributes, but also based on applications and users. The iqos unified configuration offers the ability to make (or change) traffic configurations and includes a dashboard to monitor the impact of these configurations in real time. Priority-based categorization of application traffic based on service criticality. Flexible bandwidth management for all applications to guarantee bandwidth to key services, and to better utilize existing bandwidth. 2.1 Application Traffic Control The Hillstone iqos technology offers two layers of traffic shaping, and each layer supports four levels of embedded tunnel control. Together, this offers granular two-layer, eight-level network application control Two-Layer Traffic Shaping The two layers of traffic shaping enable traffic shaping in different dimensions such as users and applications. For example, general requirements for an enterprise network may include the following: Cap the financial director s bandwidth use at 50Mbps Cap regular financial office employees aggregate bandwidth use at 30Mbps Cap overall peer-to-peer (P2P) download traffic at 30Mbps With only one layer of traffic shaping available, possible configurations for the network may be: 1. Restrict the financial director s bandwidth at 50Mbps, and restrict his P2P download bandwidth to 20Mbps 2. Restrict regular employees bandwidth to 30Mbps, and their P2P download bandwidth to 10Mbps This configuration meets the requirement of capping aggregate P2P download bandwidth at 30Mbps, but it offers no flexibility in terms of the end user. If the financial director is using only a small portion of his allocation of 20Mbps P2P traffic, that remaining unused P2P bandwidth cannot be used instead by the other financial employees (who are capped at 10Mbps P2P traffic).

3 In a two-layer traffic shaping model, the first layer can be used for control in the user dimension, while the second layer is used for control in the application dimension. Considering the earlier enterprise network example again, the user dimension requires capping the financial director s bandwidth at 50Mbps and regular employees bandwidth at 30Mbps. The first layer of traffic control is used to enforce these user-based limits. The second traffic shaping layer is then used to cap aggregate P2P application bandwidth to 30Mbps, regardless of which user uses it. This configuration is much more flexible and does not require restricting application (P2P) traffic per user. Figure 1 shows the operation of two-layer traffic shaping. Level 1 Traffic Shaping Level 2 Traffic Shaping Level 1 Level 2 Level 1 Level 2 Level 2 Level 2 Traffic Inbound Traffic Outbound Level 1 Default Default Figure 1: Two-Layer Traffic Shaping Four-Level Embedding in a Single Layer The Hillstone iqos feature set supports four levels, or tunnels, embedded in each layer of traffic shaping. The configuration specifies the bandwidth allocated to each tunnel. Unallocated bandwidth is given to a pre-defined default tunnel. Each level, or tunnel, has rules governing its traffic shaping behavior. Traffic that matches the rules is controlled according to the traffic shaping plan. These rules may include the following: Source security domain Source port Source address entry Destination security domain Destination port Destination address entry User, or user group Service, or service group Application, or application group Type of Service (TOS) value set for the traffic

4 Virtual Local Area network (VLAN) identifier Traffic can be managed according to a certain rule with a single entry, such as the source address. Traffic can also be managed according to a combination of rules (with AND logic), for example based on matching all of: source port, destination address entry, and application HTTP. Traffic matching this combined rule will include HTTP traffic from a certain source port to a certain destination address. This allows very granular traffic shaping for traffic streams. Moreover, each tunnel can have multiple rules. Traffic matching any of the rules is managed according to the configured traffic shaping behavior. Figure 2 shows an example of traffic rule configuration. Figure 2: Rule Configuration Figure 3 illustrates how multiple tunnels can be embedded to provide a hierarchy of traffic control. At level 1, a top-level tunnel can be constructed based on geography, separating out the traffic from different locations or branch offices. Level 2 can be used to separate out traffic control organizationally, that is by department such that there is granular control of the traffic from the R&D department within each specific branch location. Additional tunnel levels can be used to control traffic at the user (IP address) level, and lastly by application (per user). Figure 3: Rule Logic Traffic Shaping Behavior

5 The ingfw iqos feature set supports bandwidth control, bandwidth guarantees and various traffic shaping behaviors to optimize network traffic. These capabilities include: Minimum bandwidth guarantees for specific applications or users Maximum bandwidth restrictions for specific applications or users Bandwidth restrictions for non-critical applications Bandwidth guarantees and quality of service for critical applications Inbound, outbound or bidirectional bandwidth control and management Different traffic shaping strategies for traffic flowing to different destination addresses Different bandwidth services during different time periods for specific applications such as P2P traffic 2.2 Monitoring In addition to traditional traffic monitoring based on applications and users, the Hillstone ingfw system supports tunnel-specific monitoring and unifies the configuration and monitoring of tunnels. monitoring provides traffic ranking, as well as the percentage of traffic observed in each tunnel inside both layers 1 and 2. Ranking can be done based on conditions such as tunnel status, traffic direction, segmentation by time, ranking order, and is shown as a graphic display. The display also shows a comparison between traffic in different tunnels, abandoned traffic, and traffic in different directions. In addition, the tunnel detailed pages display traffic ranking related to users, historical trends based on applications, and trends in abandoned traffic. Figure 4 shows the tunnel configuration of an example company conducting traffic shaping for different branch offices: Figure 4: iqos Configuration igure 5 shows the level 1 (root tunnel) display of Layer 1 traffic for each branch office of the company.

6 Figure 5: Traffic Monitoring of the First Layer, Level 1 s Figure 6 shows the level 2 tunnel display of Layer 1 traffic for the Hong Kong branch office of the company. Figure 6: Traffic Monitoring of the First Layer, Level 2 s Figure 7 shows the level 3 tunnel display of Layer 1 traffic control for each group in the Hong Kong R&D department of the company. Figure 7: Traffic Monitoring of First Layer, Level 3 s

7 Figure 8 shows the level 4 tunnel display of each application in group1 of the Hong Kong R&D department of the company. Figure 8: Traffic Monitoring of First Layer, Level 4 s 2.3 Differentiated Service Based on Application Profile Traditional traffic shaping devices often do not differentiate between application complexity or type, or if they have the ability to do this, they often cannot determine the bandwidth consumed by non-critical applications such as P2P or multi-threaded downloads. To address this gap, enterprises have to keep increasing bandwidth to meet application demand. The Hillstone iqos feature set supports differentiated services based on seven levels of priority categorization. Application types can be identified and monitored to achieve the following results: Identify applications that must be guaranteed bandwidth at high priority Identify applications that must be controlled at low priority Identify applications that must be blocked When the bandwidth use of each application type is determined, a prioritized application strategy can be created to allocate bandwidth at higher priority to key applications. 2.4 Full Bandwidth Utilization The ingfw iqos feature set offers flexible bandwidth management for all applications, including the option to restrict high-bandwidth applications (P2P applications), to guarantee bandwidth for key services in the network, and better utilize existing bandwidth. The ingfw affects traffic control based on tunnel configuration. Any remaining bandwidth can be allocated to sub-tunnels to fully utilize all available bandwidth. If there are multiple sub-tunnels with the same priority, the remaining bandwidth is allocated on a first-come, first-served basis. If different priorities exist between the sub-tunnels, they share the parent bandwidth according to their priorities, thus providing more bandwidth for higher priority applications. This operation guarantees that bandwidth is utilized predictably and efficiently.

8 3 Conclusion The Hillstone T-Series ingfw Enhanced iqos feature set provides superior quality of service capabilities in handling and monitoring network traffic. The iqos features include the following specific advantages: Two-layer, eight-level embedded tunnel traffic shaping with flexible bandwidth management Fine granularity in network traffic segmentation and separation Priority-based differentiated service guarantees to applications, and therefore guarantees to high priority key business services Full utilization of all bandwidth resources by offering flexible allocation of remaining bandwidth The ingfw iqos capabilities significantly enhance management and monitoring of network traffic, the quality of service offered to specific users and applications, as well as maximizes bandwidth management efficiency. 292 Gibraltar Drive, Suite 105, Sunnyvale, CA Tel: Stay Connected