r4 - 12 Oct 2005 - 18:23:30 - JaredRhine

Bandwidth shaping solution evaluation

Overview

At OSAF, the office network is all behind a 2.3Mbps SDSL line. This works well, but since there is no throttling, proxying, or bandwidth shaping, the network can get congested by any single box transferring "too much too fast" from any server.

We've undertaken a project to add bandwidth shaping and management to the office network.

Background

Evaluation matrix

Rank    Feature                                               m0n0wall  pfSense  PIX  Homegrown
MUST    Reliable full-featured stateful firewall              y         ?        y    ?
MUST    Revertability during rollout                          y         y        y    y
MUST    Documented administration                             y         y        y    y
MUST    Ability to manage bandwidth usage                     y         y        y    y
SHOULD  Provides network flow information                     y         y        y    y
SHOULD  No modifications to existing infrastructure (Kahu)    y         y        y    y
SHOULD  Intelligent throttling when bandwidth is available    n         y        y    y
SHOULD  Legacy configuration support (DNAT, etc.)             y         y        y    y
SHOULD  Change-controlled configuration                       y         ?        y    y
SHOULD  Easy HA/redundancy                                    n         y        y    ?
SHOULD  Easy to administer / GUI                              y         y        y    ?
NICE    Rollout consists of 'baby steps'                      y         y        y    y
NICE    Supports VPN integration                              y         y        y    y
NICE    Open & Free                                           y         y        n    y

Applications

Consolidate

  • Bandwidth shaping

Open issues

  • Routing
    • Firewall rules
    • Inter-subnet routing
    • SNAT/DNAT
    • VPN (IPsec)
    • DMZ
    • ARP/RARP/Proxy ARP
    • 802.1Q VLAN trunking
  • Bandwidth management
    • HTTP proxy
  • Services
    • DHCP
    • DNS
    • DDNS
    • RADIUS
  • Analysis
    • nFlow collector
    • Traffic analysis
    • Bandwidth measurement
    • rrdtool (MRTG/Cricket)
    • Consolidate syslog
    • SNMP for traffic
    • ntop
  • Security
    • Port knocking
    • Wireless supplicant
  • Reliability
    • CARP/VRRP

Separate box

  • Intrusion detection
  • Intrusion prevention
  • Wireless network routing

Not needed

  • PPPoE
  • VPN (PPTP)
  • FTP server
  • HTTP server
  • MTA
  • Spam/virus filtering

Product notes

-------------------------------------------------
M0n0wall ( http://m0n0.ch/wall/features.php )
+ reliable/tested firewall (currently v1.2)
+ focus on stability, embedded hw, and ease of use
+ easy to deploy/manage (can be CD or flash based)
+ cheap/supported hardware available: (http://www.logicsupply.com/default.php/cPath/73)
+ provides full firewall, VPN, and traffic shaping
- traffic shaping is 'minimal', not advanced
- VPN requires separate user management
- no direct HA support (though config backup is possible)

pfSense ( http://www.pfsense.com/index.php?id=26 )
+ m0n0wall++
+ most advanced features for firewall/VPN/traffic shaping
+ focus on advanced features and extensibility
+ allows VPN integration into AD
+ easy HA configuration
+ more advanced monitoring
- ***alpha software (not tested)

Cisco PIX ( http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/index.html )
+ reliable, tested, supported product
+ advanced VPN support
+ advanced traffic shaping
+ easy to use GUI
+ easy HA configuration
- costly (not free)
- requires knowledge of IOS

Homegrown (iptables/pf + fwbuilder)
+ very flexible
+ most advanced VPN and traffic shaping capabilities
- hard to manage/upgrade/support
- most time intensive to set up/debug/troubleshoot

-------------------------------------------------
Others:
redwall: http://www.redwall-firewall.com/index.php?option=com_content&task=view&id=14&Itemid=29
netscreen: http://www.juniper.net/products/integrated/
netboz: http://www.netboz.net/
ipcop: http://www.ipcop.org/
astaro: http://www.astaro.com/
pfsense packages: http://www.pfsense.com/packages/All/
m0n0wall device: http://www.netgate.com/product_info.php?products_id=209
