Until recently, quality of service (QoS) and network security technologies lived in separate worlds. But they have something important in common. Certain types of attacks on network security affect application performance - and ensuring application performance is the main mission of QoS.

So the two technology camps have begun joining forces to stave off network attacks that degrade or halt network performance.

The enemies at the gate are worms, viruses, Trojan horse programs and denial of service (DoS) attacks. These invasions rapidly replicate pieces of code or application service requests to the point where they overload a system's memory or CPU.

Firewalls and intrusion detection systems (IDS) are typically used to identify unauthorised traffic based on known malicious bit patterns or limited parameters in an IP header. At the same time, sophisticated traffic-management capabilities - available as appliances and as software capabilities in network routers - recognise traffic by application, protocol, user, MAC address, IP address and other granular variables.

Network implementers are recognising common ground and the benefits of some integration. For example, security and QoS products already tap common access control lists (ACLs) for rules on how to treat traffic. And if further integrated, an IDS that discovers abnormal traffic patterns could alert a QoS system to treat that traffic according to those rules.

"The fact that firewalls, IDSs and QoS overlap gives you multiple ways to find and fight infections," says Joe Walton, a principal at VistaOne IT Services, a value-added network reseller based in Virginia.

QoS's primary purpose is to manage the performance of multiple applications contending for bandwidth on a converged network link. To do this, QoS products identify what traffic is on the network, then classify and treat it according to the enterprise's network policy. For example, you could tune your network to 'always allocate 20Kbit/sec to Citrix,' 'limit streaming-media traffic to 128Kbit/sec' and 'block all Kazaa traffic' to give the various traffic streams their appropriate due.

Detecting traffic anomalies
Once you have the power to identify and control traffic this way, you can also apply QoS to detect traffic anomalies, then set policies to automatically mitigate their effects. A firewall is a first line of defence, usually deployed at the WAN edge to permit or deny access based on ACLs. An IDS monitors packet streams in the background in search of traffic patterns that have already been identified as malicious, then alerts you if it finds one.

QoS can do a little of each function, while also enabling network forensics and immediate treatment of suspicious traffic, says Walton. "QoS helps you track down where an infection originated within your internal network. Then you can go back and alert that site that they are infecting everybody," he explains.

The University of California, Irvine, uses Packeteer's PacketShaper QoS appliance in part for this capability. "PacketShaper identifies where [an unnaturally large volume of] connections are coming from," says Ted Roberge, its manager of residential network services. "I can block or shape those IP addresses down to a tiny amount of bandwidth to minimise the impact on network and server resources."

Larry Roth, VP of OnlyInternet, an ISP in Indiana, has used Allot Communications's NetEnforcer QoS appliance in a similar manner, to fight viruses. "When Blaster came out on [TCP] Port 135, we put in rules and regulations for minimising traffic that could use that port," explains Roth, who also uses firewalls and IDS. "We saw an immediate 40 percent drop in Blaster being spread."
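As an added illustration, not code from the article or from any vendor named in it, the following Python sketch models the three behaviours described above: classifying traffic by application, treating each class according to policy (allocate, limit or block), and spotting a source that opens an unnaturally large number of connections so it can be shaped down to a tiny amount of bandwidth, as in the port 135 case. The port numbers, thresholds, rate figures and flow records are constructed assumptions for the example.

```python
"""Toy QoS policy engine used defensively, as the article describes:
classify flows by application, treat them per policy, and detect sources
that open an unnatural number of connections so they can be shaped down.
All flow records and rule figures are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    src: str    # source IP
    dst: str    # destination IP
    proto: str  # "tcp" or "udp"
    dport: int  # destination port
    kbits: int  # volume offered in the one-second sample window


# A rule is (class name, matcher, action, kbit/s figure for the action).
# Port assignments are assumptions for illustration: Citrix ICA 1494,
# RTSP streaming 554, Kazaa 1214, Windows RPC 135 (the Blaster vector).
Rule = Tuple[str, Callable[[Flow], bool], str, int]
POLICY: List[Rule] = [
    ("citrix",    lambda f: f.proto == "tcp" and f.dport == 1494, "allocate", 20),
    ("streaming", lambda f: f.proto == "tcp" and f.dport == 554,  "limit",   128),
    ("kazaa",     lambda f: f.dport == 1214,                      "block",     0),
    ("rpc-135",   lambda f: f.proto == "tcp" and f.dport == 135,  "limit",    64),
]
DEFAULT_CLASS = "default"


def classify(flow: Flow) -> str:
    """Return the first policy class whose matcher accepts the flow."""
    for name, match, _, _ in POLICY:
        if match(flow):
            return name
    return DEFAULT_CLASS


def apply_policy(flows: List[Flow]) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Group offered volume by class and compute the treated volume.
    'allocate' guarantees a minimum, so everything offered passes here;
    'limit' caps the class at its figure; 'block' drops the class."""
    offered: Dict[str, int] = defaultdict(int)
    for f in flows:
        offered[classify(f)] += f.kbits
    actions = {name: (action, rate) for name, _, action, rate in POLICY}
    treated: Dict[str, int] = {}
    for cls, kb in offered.items():
        action, rate = actions.get(cls, ("allocate", 0))
        if action == "block":
            treated[cls] = 0
        elif action == "limit":
            treated[cls] = min(kb, rate)
        else:
            treated[cls] = kb
    return dict(offered), treated


def connection_outliers(flows: List[Flow], threshold: int) -> Dict[str, int]:
    """Sources that open more distinct (dst, dport) connections than
    `threshold` within the window: the pattern a spreading worm shows."""
    conns: Dict[str, set] = defaultdict(set)
    for f in flows:
        conns[f.src].add((f.dst, f.dport))
    return {src: len(c) for src, c in conns.items() if len(c) > threshold}


def shape_outliers(flows: List[Flow], threshold: int, shaped_kbit: int) -> Dict[str, int]:
    """Per-source treated volume: outlier sources are capped at `shaped_kbit`
    (shaped down to a tiny amount of bandwidth), all others pass untouched."""
    outliers = connection_outliers(flows, threshold)
    per_src: Dict[str, int] = defaultdict(int)
    for f in flows:
        per_src[f.src] += f.kbits
    return {src: (min(kb, shaped_kbit) if src in outliers else kb)
            for src, kb in per_src.items()}


# Constructed one-second sample: normal users plus one host hitting
# TCP/135 on sixty different servers, the signature of an RPC worm.
SAMPLE: List[Flow] = [
    Flow("10.0.1.10", "10.0.9.1", "tcp", 1494, 30),
    Flow("10.0.1.11", "10.0.9.2", "tcp", 554, 300),
    Flow("10.0.1.12", "10.0.9.3", "tcp", 1214, 500),
    Flow("10.0.1.13", "10.0.9.4", "tcp", 443, 40),
] + [Flow("10.0.1.66", f"10.0.9.{i}", "tcp", 135, 2) for i in range(1, 61)]

if __name__ == "__main__":
    offered, treated = apply_policy(SAMPLE)
    print("offered:", offered)
    print("treated:", treated)
    print("outliers:", connection_outliers(SAMPLE, threshold=20))
    print("shaped per source:", shape_outliers(SAMPLE, threshold=20, shaped_kbit=8))
```

The two mechanisms are deliberately independent: the per-class rule on port 135 throttles the worm's traffic as a whole, which is the interim protection the ISP describes, while the connection-count check names the individual source, which is what makes the forensic follow-up ("alert that site that they are infecting everybody") possible.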

Oded Nahum, a senior systems engineer at Allot, says his company's gear has been used quite a bit by Internet service providers lately for handling network-aware viruses. "ISPs have such a broad reach, a virus can cause a lot of damage," he says.

Interim protection
QoS products often serve as interim defences until viruses become known, at which point the IDS can be programmed to identify them and patches can be created and deployed on host systems.

"QoS plays a major security role here," says Amir Khan, a director of product marketing at Cisco Systems. "When Kazaa hit enterprise networks, for example, it took many days to develop and implement patches."

However, Cisco's Network-Based Application Recognition classification engine was able to flag Kazaa. Users could then decide to give it the lowest priority or drop it, he says.

Adding QoS to the security arsenal provides another line of defence against network attacks that affect performance. Meanwhile, further integration will enable QoS and security features to communicate with one another.

When a network policy configured in one feature can trigger the corresponding behaviour in the other - a capability likely to become available next year - this integration and automation will both enhance and simplify the network administrator's ability to implement policy-based rules for managing the network.