JANET Bandwidth Management Advisory Service
PacketHound Overview
Palisade Systems manufacture a product for bandwidth management called the PacketHound. It is a centrally managed box that sits out of band on your network constantly monitoring the traffic flows. Once installed the PacketHound can be used to monitor traffic, log events and then carry out bandwidth restrictions according to rules specified by the administrator. The PacketHound is able to recognise and control peer-to-peer traffic, including those which are able to dynamically change ports in an attempt to circumvent firewalls and access control lists. It also has the ability to control traffic depending on time of day, IP address, IP range and many other parameters.
Below is a brief guide to getting a PacketHound set up on a network and the options available to an administrator who is trying to improve their network performance by installing a PacketHound.
Installation and Configuration
The PacketHound that JANET-BMAS used for testing in the lab was a 1U rack mounted box. It was easily mounted onto the rack, although it should be noted that the PacketHound is quite a long device and will stick out the back of the rack a little, so this may need consideration for people with limited space in their switch rooms. Our test box measured 61cm in length.
Before the box is mounted in the rack it is best to carry out the initial set up options, as this will require a monitor and keyboard being plugged into the device. On its first boot the box will ask for a password to be set along with the usual parameters such as IP and gateway settings. This part of the set up is very easy and will only take a couple of minutes to complete.
The standard PacketHound has 2 network interfaces (one for management and one for the traffic control). The traffic controlling port must be attached to either a hub or a switch that is capable of replicating many ports onto one port (known as a SPAN port on Cisco hardware). Although this sounds a little more complicated than installing an in-line box such as the Packeteer or NetEnforcer, it does mean that the box will not act as a single point of failure on your network and will be harder to locate by a possible hacker. For a technical description of how the PacketHound makes use of the span port to control traffic, please read the Technical Note at the bottom of this page. One problem that was encountered at this stage was that it was difficult to identify which of the 2 network interfaces was the management port and which was the control port. The only way to identify them was by just plugging the box in and seeing which one worked (though this only added about 1 minute to the set up time).
Using the PacketHound
Once installed, the PacketHound can be accessed via three separate interfaces, each with its own purpose, in addition to the standard command line. A web interface is provided for general maintenance of the box: setting IPs, passwords, basic log viewing, etc. The PacketHound appliance also comes with a CD containing a program for administration (rule creation/deletion, live traffic statistics, etc.) and a program for report viewing. User manuals and help files are also included on the CD.
Web Interface
Below is a screen shot of the first page that will greet a user on a new install of a PacketHound:
Here the administrator can choose to either administer the box or view the online reports and logs. Below is a screen shot of the options available on the administration page. The number of options here is very pleasing to see and the layout of the interface is very usable by both beginners and experts. The more basic options are easily found and altered, whilst a more advanced user wanting more control will be more than happy with the options available to them.
The web based reporting is available more as a 'quick check' facility rather than an in depth tool, as the main reporting features can be found within the stand-alone program provided on the PacketHound CD. Below is a screenshot of the pre-made reports available, also note that the PacketHound keeps a short history of the most recently run reports for quick recall:
Once the report is selected there is a short wait while the statistics are gathered and the user is then shown the report results:
The web interface is very useful for the day-to-day administration of the PacketHound and the reports available are quite adequate for checking up on how the appliance is performing. Once the box is fully configured and is recognising traffic, the administrator will most likely then switch to the stand-alone programs to obtain more in depth reports and to add rules that control the network traffic flows.
Management Interface
The stand-alone management interface is used to get a good view of the current traffic flows going through the PacketHound, and to then apply rules to the flows in order to control them.
Below is a screen shot of the initial view of the interface. At the top of the screen is a selection of buttons which are used for actions such as adding / deleting rules and uploading the rules to the appliance. The central section of the page shows all current rules and their settings such as when they will be active and what they will do when activated. Finally the bottom of the page shows the current traffic flows. This is one of the most useful sections as this gives an administrator a very good view of what is happening on their network and where rules may need applying.
Creating a rule on the PacketHound is a very simple task (though more advanced options are available for users looking for a higher level of granularity in their rule sets). Each rule is based upon a protocol and the administrator just needs to tell the box what to do with the protocol (restrict/block) and when to apply the rule. Below are two screen shots showing both the basic and the more advanced settings for creating a rule based on the BitTorrent peer-to-peer protocol.
Reporting Interface
Finally, the reporting interface for the PacketHound provides a very in-depth tool that connects directly to the database on the box. The setup of this program does require a little bit of configuring of some ODBC settings within Windows, but a very easy to follow guide is provided within the user manual.
Below is a screen shot of the first screen that is shown when the program is loaded. Here the user can choose from a selection of 20 pre-configured reports and the time scale they want that report to cover.
Once the report is selected the interface will connect to the PacketHound and will gather the data needed. After a short wait (wait times are dependent on the complexity and amount of data needed) the report is shown. Here is an example of a report:
Conclusions
Overall the PacketHound is an excellent box for keeping a tight rein on the uses of your network. It is more geared towards stopping peer-to-peer traffic than most appliances available and does lack the feature of promoting traffic flows as well as curtailing them. But if you want a solution that can help you in your fight against those P2P applications then you can't go far wrong with Palisade's PacketHound.
Technical Note
Recently there have been reports of a vulnerability in the TCP protocol whereby spoofed RST packets can be used to launch malicious attacks against network nodes. This vulnerability has now been patched by vendors of network infrastructure, and as the PacketHound uses RST packets to control network flows, Palisade were asked to comment on how this would affect their product. Palisade's response was as follows:
PH 3.0's blocking will operate well unless it is being used in a totally isolated environment with all hosts updated to restrict acceptance of RSTs (to my knowledge, Microsoft has not issued patches for Windows to make its acceptance of RSTs more restrictive). Updated router software will have no effect because the RST issue affects the endpoints of the connection, not the routers between the endpoints.
PacketHound is able to generate accurate RSTs because it sees the traffic between the endpoints. Yes, if an attacker were able to observe the traffic between the endpoints, she too would be able to generate accurate RSTs and terminate connections. The attack to which http://www.uniras.gov.uk/vuls/2004/236929/ refers is a blind attack, that is, the attacker is not able to observe the traffic but knows the IP addresses of the two endpoints, knows one of the port numbers, can guess at the other port number, and then can blindly spoof 2^16 (or fewer) RSTs and successfully terminate the connection.
The vulnerability of TCP to blindly spoofed packets has been acknowledged since 1988 (Bellovin, "Security Problems in the TCP/IP Protocol Suite", Computer Communications Review Vol. 19 No. 2, pp. 32-48, April 1989). The RST message is an essential component of the TCP protocol. It is used to terminate communication between hosts when a serious error has occurred, such as a reboot of an endpoint or a connection request to a port which is not open. So, it is not possible to eliminate RSTs from the TCP protocol specification, but just restrict how the end systems accept RSTs. The IETF draft I mentioned below greatly improves an endpoint's resistance to blindly spoofed RSTs, and this approach is believed to be good enough for continued operation of the Internet. The approach used by the major Internet providers to protect the backbone was to secure their router's TCP connections to other routers using RFC 2385 TCP MD5 message digests to verify authenticity of the TCP packets in the BGP connections, making it nearly impossible to spoof any TCP packets in those particular connections. However, TCP MD5 message digests do not scale to the Internet at large and thus are not a general solution to the spoofed traffic issue.
So, for the foreseeable future, RSTs will remain a valid method for PacketHound to terminate TCP connections.
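The Technical Note above turns on one distinction: an observer on a SPAN port knows the exact next expected sequence number of a connection, whereas a blind attacker can only guess. The following simulation (added here as an illustration; it is not Palisade's or JANET's code) shows why the endpoint-side hardening the quote refers to, assumed to be the rule later standardised in RFC 5961, stops in-window guesses without stopping an accurate RST. All sequence numbers, window sizes and RST records are constructed.

```python
# Constructed simulation of a TCP endpoint's RST acceptance rule.
# Classic rule: any RST landing in the receive window aborts the connection.
# Hardened rule (RFC 5961, assumed to be the IETF draft in the quote):
# only seq == RCV.NXT aborts; an in-window but inexact RST triggers a
# challenge ACK (the genuine peer answers with an exact RST); out-of-window
# RSTs are silently dropped.

ACCEPT, CHALLENGE, DROP = "accept", "challenge_ack", "drop"
SEQ_SPACE = 1 << 32


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq lies in [RCV.NXT, RCV.NXT + RCV.WND), modulo 2^32."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def rst_decision(seq: int, rcv_nxt: int, rcv_wnd: int, hardened: bool) -> str:
    """Return what the endpoint does with a RST carrying sequence number seq."""
    if not in_window(seq, rcv_nxt, rcv_wnd):
        return DROP
    if not hardened:
        return ACCEPT
    return ACCEPT if seq == rcv_nxt else CHALLENGE


def count_outcomes(rsts, rcv_nxt: int, rcv_wnd: int, hardened: bool) -> dict:
    """Tally outcomes for (label, seq) RST records aimed at one connection."""
    tally = {ACCEPT: 0, CHALLENGE: 0, DROP: 0}
    for _label, seq in rsts:
        tally[rst_decision(seq, rcv_nxt, rcv_wnd, hardened)] += 1
    return tally


# Constructed connection state and RST records. The "observer" RST carries
# the exact RCV.NXT (what an out-of-band device that sees the flow can do);
# the "blind" RSTs are guesses: two inside the 64 KiB window, one outside.
RCV_NXT, RCV_WND = 1000, 65535
CONSTRUCTED_RSTS = [
    ("observer", RCV_NXT),
    ("blind", RCV_NXT + 20000),
    ("blind", RCV_NXT + 40000),
    ("blind", RCV_NXT - 5000),
]

if __name__ == "__main__":
    for hardened in (False, True):
        print("hardened" if hardened else "classic ",
              count_outcomes(CONSTRUCTED_RSTS, RCV_NXT, RCV_WND, hardened))
```

Under the classic rule all three in-window RSTs abort the connection; under the hardened rule only the observer's exact RST does, which is the property Palisade relies on when they say their blocking still works against patched endpoints.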
Good Practice
To give good practice recommendations for appliances such as the PacketHound is a difficult task, as it is a box that can be adapted to many different solutions and people will use it for varying reasons. The best advice to give is to arrange a trial with a box and look at what is really running on your network (you may be surprised) and then look at what actions you can take with the PacketHound that could help improve your end-user's experience on your network.
Links
If you are interested in the PacketHound and would like more information or to request a trial of a Palisade product, either email BMAS or follow one of these links:
Palisade Systems - http://www.palisadesys.com
PacketHound Information - http://www.palisadesys.com/products/packethound/
BroadChart (reseller) - http://www.broadchart.com