shields at crosslink.net
Fri Jul 31 19:55:25 UTC 1998
In article <22.214.171.12480731064343.006a171c at max.ibm.net.il>,
Hank Nussbacher <hank at ibm.net.il> wrote:
> 7) Platform: Look at the OS platform. Packeteer uses a proprietary OS,
> others may package Linux or NT. None have done any OS hardening on the
> system so it is best to run something like ISS against the packet shaper
> to determine what security holes exist. Imagine you start using a
> packet shaper in production only to have the hackers hack it and set
> their own super-duper policies.
The risk is worse than that -- a malicious party having access to a
box which can view and modify 100% of your outside traffic is a very
There is of course much more to security than running ISS.
> 10) ToD: All boxes have the ability to control based on source IP,
> destination IP and port. Not all have the ability to control based on
> time of day. Suppose you want incoming news to be limited to 128kb
> during the day but open it up from 2-8am to 800kb. Packeteer has a line
> command called "schedule". Look for GUIs to do this.
I would hope anything with this support also runs NTP.
> 12) Graphs: you want the ability for realtime graphs for each policy so
> you can see how your rule changes have affected the bandwidth.
> Packeteer has this capability.
And hopefully all the data would be SNMPable so you can do your own
graphs as well.
As with all networking products, the key for an ISP environment is not
to provide an all-in-one solution but to provide something with good
plugs so it integrates well with the rest of your network.