In-Depth

Case Study: Securing Network Bandwidth

A packet-shaping tool can help handle worm outbreaks.

• By Mathew Schwartz
• 12/01/2004

When it comes to detecting viruses and worms, waiting for them to do something flashy isn’t the ideal solution. That’s why at biomedical manufacturer Beckman Coulter, network analysts and the network operations center staff keep an eye on a network traffic-monitoring tool.

For example, when a pie chart listing network activity skews toward NetBIOS, “you know that someone is either doing a huge amount of file transferring between, say, a PC and a file server in a WAN [wide area network] location, or potentially you have a virus outbreak,” says Steve Campbell, group manager for network services at Beckman Coulter.

Beckman Coulter, however, didn’t get into traffic-shaping tools for reasons of security, but rather practicality. When it decided to upgrade in 1999 from a mainframe- and minicomputer-based information system to a global ERP system, “it became clear, early on, that the WAN was going to need to be enhanced significantly to be able to run these applications on a centralized basis, and just increasing bandwidth was seen as not sufficient,” notes Campbell.

If the company wasn’t going to just open the network pipes, then it needed to monitor and throttle bandwidth utilization. “You had to be able to control those applications that were aggressive consumers of bandwidth to keep them from overcoming the business applications,” he says.

Beckman Coulter’s case isn’t unique, and today’s enterprise applications require adequate bandwidth to function at full strength. When there are network latency problems, “in many cases, throwing bandwidth at the problem is not the optimum solution,” says Gartner analyst Mark Fabbi. Rather, he advises optimizing available bandwidth. “In at least 95 percent of situations,” he says, using a WAN-optimization tool “reduces costs, improves application performance, and reduces deployment complexity.”

To monitor its WAN and enable the new ERP system to function at full capacity, Beckman Coulter adopted PacketShaper from Cupertino, Calif.-based Packeteer. Besides monitoring network utilization, “Packeteer itself has a variety of mechanisms that allow you to prioritize traffic,” notes Campbell, though he says setting this up can be intimidating at first. Beckman Coulter checked its home-brewed rules with Packeteer to be safe. Later, with more experience, “we ultimately developed a global template, then we’d tweak that for special situations at a site.”

Today, he says, Beckman Coulter uses Packeteer “for traffic management, for prioritization, for reporting and network help, and troubleshooting—and sometimes as a supplement to the security program.”

Bandwidth: A Scarce Commodity

Rather than being an alternative to more bandwidth, Campbell views PacketShaper more as “something that I would want on my WAN links even if bandwidth were not an issue per se, and that’s because of its measurement and control capabilities.” Because bandwidth is “a scarce commodity,” he says, “it’s just very useful to see what’s going across the wire, what’s going across the network, even if you don’t need to do traffic shaping and prioritization.”

Even seemingly benign applications, he notes, can be bandwidth hogs. “One of the applications that consumes the most bandwidth on the network is Lotus Notes, and that is our internal e-mail system.” Of course, any e-mail application will consume noticeable amounts of bandwidth, but “Notes is usually the one that will step on other things—it’s very aggressive, and it will get the bandwidth that’s needed if you don’t limit it.”

Besides Lotus Notes, Campbell says Web browsers consume a lot of bandwidth. To deal with those, he prioritizes access to critical servers.

That late-1990s scourge of network administrators—push applications—still exist today as well. “Some people like to use Windows Media player and listen to the radio. We tend to discourage that,” he says.

Guarding the WAN

On the security front, PacketShaper helps arrest virus and worm outbreaks before they cause denial-of-service conditions, especially at remote locations. “If you get a few infected PCs at some site on your LAN, it doesn’t take very many machines to generate enough traffic to overwhelm the WAN link,” says Campbell. By watching the traffic with PacketShaper, Beckman Coulter gets an early warning something is wrong.

One network red flag: when something accesses infrequently used ports. Blaster, for example, attempted to use TCP port 4444. “Now it’s not always that easy, because virus writers have done a really good job of exploiting Microsoft’s NetBIOS over IP ports,” says Campbell.

The packet-shaping tool can help handle worm outbreaks until they can be remediated. Last year, for example, when the Nachi (a.k.a. Welchia) worm hit, it would begin sending an ICMP echo request—or PING—to find other machines to infect, which could quickly bring a network down. For Nachi, “we did not shut down PING, but we did clamp it,” Campbell says. “What you’re able to do is allow a very small amount of PING traffic through, and you can see who’s doing all the PINGing by going to your top list of talkers.” So while employees needing PING capability still had it, the worm couldn’t cause a denial-of-service attack.

While PacketShaper has the ability to set alarms when things get out of control, “basically today we just keep an eye on it,” says Campbell. In the future, he’d like to set alarms, but as part of a broader initiative to implement Nagios, an open-source host, service, and network-monitoring program. “It’s an amazing set of tools that’s just freeware. If you have somebody who’s really bright and has a lot of time, you can replace several million dollars of HP OpenView—if you have enough time.”

Related Articles

Thwarting Next-Generation Denial-of-Service Attacks
http://www.esj.com/Security/article.aspx?EditorialsID=1162

Q&A: Mitigating the Denial of Service Threat
http://www.esj.com/news/article.aspx?EditorialsID=730