Issues of Data Privacy in Overseas Outsourcing Arrangements

Outsourcing is a business concept that has been receiving much attention in the new millennium. According to Dictionary.com (2008), the term outsourcing means to obtain goods or services from an outside source. The process of outsourcing a portion of a business’ work or material needs to an outside provider or subcontractor has been occurring for a long time. The information technology industry and outsourcing have been the focus of editorials and commentaries regarding the movement of technical jobs from the United States to overseas providers. The globalization of business through expanding voice and data communication has forged new international partnerships and has increased the amount of outsourcing happening today. Businesses in the U.S. and Europe spend billions in outsourcing agreements with overseas service providers. According to Sharma (2008), spending for outsourcing in the European Union is almost $150 billion (GBP) in 2008. The overriding goal in outsourcing work to a local or overseas provider is to reduce the operations cost for a particular part of the business. Many countries, such as India and China, have lower wages, and businesses in the U.S. and Europe can save money by hiring an overseas contractor to perform a portion of their work. Outsourcing is gaining popularity in the information age by assisting information technology companies in performing some of their business tasks. This can include data processing, call routing and call handling. With the growth of the technology industry also comes the problem of maintaining and protecting private information about individuals, such as medical history or financial data. Many countries, including the United States and those of the European Union, have mandatory personal data privacy laws. These laws do not automatically carry over to the national laws of the country where the outsourcing service provider is located, or where the service provider’s subcontractors are located. 
This paper discusses the issues of outsourcing work to an overseas provider when personal data is involved in the outsourced tasks. It presents several solutions to help manage the risk of data breaches caused by disparate laws in countries currently popular for information technology outsourcing. The most common types of work outsourced to overseas service providers include bulk data processing, call center handling, and paralegal outsourcing. The last example can include work such as legal research, contract and brief writing, and transcription. Outsourcing firms typically do not have a U.S. law license, which limits the extent of their involvement in legal work. The United States is expanding national information protection laws. Two of the most common laws are the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLB). The U.S. Congress enacted HIPAA in 1996. It relates to the protection of health information that can be used to identify someone or disclose a medical condition. “The data privacy and security requirements of HIPAA apply to health plans, health care providers, and health care clearinghouses. Among its many requirements, HIPAA mandates the creation and distribution of privacy policies that explain how all individually identifiable health information is collected, used, and shared.” (Klosek, 2005). The U.S. Congress enacted the GLB Act in 1999. The Financial Privacy Rule of the Act relates to documenting and auditing the processes an organization uses to assure the privacy of information that can identify persons, as in HIPAA, and of private data about their finances. Both HIPAA and GLB require the organization to publish its information privacy policy and to notify the consumer each time it changes. “[…] The GLB Act focuses upon privacy of the non-public information of individuals who are customers of financial institutions.” (Klosek, 2005). 
The U.S. is not considered at the forefront of privacy protection laws. Likewise, many countries have absolutely no privacy protection laws for their citizens. The European Union is one of the strictest regions with respect to data privacy and to outsourcing work that handles private information. The privacy directive for the entire EU was passed in 1998. It specifies a minimum standard for all member countries to follow in handling private personal data and transferring it between companies inside and outside of the European Union. “The EU privacy directive 1998 aims to protect the privacy of citizens when their personal data is being processed. […] One of the provisions of this directive […] addresses the transfer of personal data to any country outside of the EU.” (Balaji, 2005). In most cases, European companies transferring personal data to an overseas outsourcing provider need to assure that the contractor follows the EU rules for handling and processing the data. The EU is also in the process of pre-certifying certain countries for properly handling personal data according to the directive’s standards. Businesses in the Philippines have been providing outsourcing solutions for information technology businesses for over a decade. Estavillo (2006) states that the government has increased its focus on keeping the outsourcing landscape fertile in the Philippines. It has created an optional certification program for local businesses based on the government’s own guidelines for the protection of information used in data processing and communications systems. The government hopes to continue expanding its reach in enforcing data protection by penalizing unlawful activities such as data breaches and unauthorized access to data-intensive systems. Recently, ISO started an international certification effort called ISO 27001. The purpose of the certification is to prove that a company documents and follows information security practices and controls. 
Ely (2008) points out that an ISO 27001 audit is performed against processes of the outsourcing provider’s own choosing, so the client must make sure the outsourcing firm follows the industry’s best practices and the compliance guidelines of the home country, and that it understands them deeply. Often an overseas company will adopt HIPAA or Payment Card Industry (PCI) standards for the handling of personal data and be certified against that standard under ISO 27001. A company of any size can be certified under this standard, and there are no international restrictions regarding who may be certified. Outsourcing work in the information technology industry almost always includes the access or transfer of data between the client organization and the outsourcing provider. Voice conversations and movement of data over an international connection can be subject to interception and monitoring by U.S. and foreign surveillance programs. Ramstack (2008) finds that “[…] paralegal firms in India are doing a booming business handling the routine legal work of American law firms, such as drafting contracts, writing patents, indexing documents or researching laws.” A lawsuit filed in May of 2008 requests a hold on new legal outsourcing work until outsourcing companies can provide assurances that data transferred overseas can be protected against interception by U.S. and foreign intelligence collection agencies. The fear is that private legal information about citizens could be passed from intelligence agencies to law enforcement agencies in the same or allied countries. The mix of international standards and laws offers little hope of legal action across borders when personal data is misused or illegally accessed. The flood of competition among overseas outsourcing companies does offer some hope, since reputation is extremely important for winning sensitive outsourcing agreements. 
Once an outsourcing provider has been tainted with a bad reference, for example for bulk data processing of foreign citizens’ medical information, its financial upside will be limited until its reputation can be rebuilt. Not all of the focus should be on the outsourcing provider, however. It is important for an organization to define and understand its own internal processes involving data privacy before beginning an outsourcing agreement. People within the business who work around and regularly handle private data should be included early in the process of defining the requirements for outsourcing information-related work. These contributors can include the IT and business controls staff members and staff supporting the efforts of the CIO’s office. A cross-company team should define the conditions needed to work with private data regardless of the outsourcing group, local or overseas. They can also help define the constraints placed on the outsourcing service provider. “Ensure that the contractual arrangement covers security and privacy obligations. Include language in the contract to articulate your expectations and stringent penalties for violations. Review your provider’s organizational policies and awareness training for its employees.” (Balaji, 2004). Large outsourcing providers may choose to outsource their work to smaller companies in their own country. It is important to be able to control the primary outsourcing company’s ability to subcontract work to other providers, or to require that the data handling standards in the contract are transitive to all subcontractors who may become involved, at the risk of the original outsourcing provider. In this case it is also important to have the outsourcing service provider identify in advance all or most of the subcontractors involved, so that references can be obtained. It is equally important to define in the outsourcing contract what happens when the relationship terminates. 
The transition plan for the end of the outsourcing agreement must include a process for regaining control of data transferred to the outsourcing provider from the customer organization. There should be a way to return the data to the customer organization or to assure its destruction on the outsourcing provider’s information systems. Although it has been a part of business for as long as there has been business, outsourcing in the information age brings with it new risks as well as opportunities for business cost optimization and scaling. Risks in outsourcing information services that handle private data can be partially mitigated through a detailed contract in addition to outsourcing vendor transparency. The best way to ensure compliance with contractual terms is to be sure the customer organization understands its own data privacy standards and treats all outsourcing situations with the same requirements followed internally. The customer organization should perform or obtain third-party audit reports of the outsourcing provider’s processes and systems for ongoing reassurance of proper handling of private data.

References

Balaji, S. (2004). Plan for data protection rules when moving IT work offshore. Computer Weekly. 30 November 2004, Pg. 26.
Ely, A. (2008). Show Up Data Sent Offshore. INFORMATIONWEEK, Tech. Tracker. 2 June 2008, Pg. 37.
Estavillo, M. E., Alave, K. L. (2006). Trade department prods outsourcing services to improve data security. BusinessWorld. 9 August 2006, Pg. S1/1.
Klosek, J. (2005). Data privacy and security are a significant part of the outsourcing equation. Intellectual Property & Technology Law Journal. June 2005, 17.6, Pg. 15.
Outsourcing. (n.d.). Dictionary.com Unabridged. Retrieved June 23, 2008, from Dictionary.com website: http://dictionary.reference.com/browse/outsourcing.
Ramstack, T. (2008). Legal outsourcing suit spotlights surveillance fears. The Washington Times. 31 May 2008, Pg. 1, A01.
Sharma, A. (2008). Mind your own business. Accountancy Age. 14 February 2008, Pg. 18.

June 28, 2008 · 9 min · 1754 words · Jim Thario

Research Essay on Signaling System 7

This research paper describes a telecommunications standard called Signaling System 7 (SS7). This technology defines a signaling system for the control and routing of voice calls between telephone switches and switching locations. SS7 uses out-of-band signaling to place and control calls. It replaces an older system of in-band signaling to control telephone equipment. In-band signaling means the audio channel is used as a control channel for telephone switches. Operators would use tones over the audio channel to connect switches and open paths to the call destination. With out-of-band signaling, control of creating an audio path through telephone switches is performed over a separate data channel that connects the switches together. The caller does not have access to this signaling channel, as they do with in-band signaling. SS7 can also carry data to switching locations about the calls they route. This data can include information for billing network time back to the call’s originating network and the caller’s account. “Signaling System 7 (SS7) is a set of telephony signaling protocols that are used to set up and route a majority of the world’s land line and mobile public switched telephone network (PSTN) telephone calls.” (Ulasien, 2007). SS7 provides more efficiency and reliability for call handling than in-band signaling. SS7-controlled calls can verify that the audio path for a call is ready to initiate, for example, and not create the audio path until the call is answered at the other end. Another example: if the destination phone number returns a busy signal, no audio path needs to be established, and the switch directly connected to the caller can generate the busy sound. The strategy of delaying the creation of the audio path until the last moment prevents wasted bandwidth within the switching infrastructure. 
This scenario would not be possible with in-band signaling, since in-band signaling depends on having an audio path established before anyone answers the other end of the call. SS7 allows the creation of innovative customer features and the use of rules-based capabilities for call routing that were previously impossible with in-band signaling technology. Signaling System 7 began development in the 1970s and saw wide deployment beginning in the early 1990s. The technology research and development was sponsored by AT&T and originally named the Common Channel Signaling System (CCSS). AT&T proposed it to the International Telecommunication Union as a standard beginning in 1975. SS7 was issued as a standard in 1980 and has been refined three times since. The ITU Telecommunications Standardization Sector (ITU-TS) develops the global SS7 standards. The ITU allows different countries or organizations to make their own refinements and extensions to the global SS7 standard. The American National Standards Institute (ANSI) and Bellcore define a regional SS7 standard for North America and the Regional Bell Operating Companies (RBOCs). Before the adoption of Signaling System 7, the only path between telephone switches was the audio channel. Telephone operators would use in-band signaling to set up long distance calls, or route international calls over cable or satellite using touch-tones. Maintenance crews would put telephone switches into special modes using sequences of tones to turn off accounting or allow operations a normal user would not be able to perform. In-band signaling is not used only to control telephone switches. We encounter in-band signaling often when using telephone-based services from vendors. Call routing through most of today’s large corporate phone systems requires extensive use of the touch-tone keypad. Most voicemail systems require us to enter our personal identification numbers using tones to access messages. 
Your bank might provide a system to check your balances or transfer money through a phone-based system that uses touch-tones to enter your account information and direct your choices. In-band signaling works well for low-bandwidth situations, such as entering an account code or choosing a menu item. Routing instructions to telephone switches can result in a complex series of tones representing access codes and phone numbers. Although it is useful for vendors in providing self-service capabilities to customers, in-band signaling for mission-critical systems, such as unprotected telephone switching networks, has been exploited. Exposure of the signaling channel meant that callers would sometimes discover and record the in-band signaling tones used to route calls and control switches. Sometimes the audio signals were discovered completely by accident. During the 1970s and 1980s, people such as John Draper (Captain Crunch) were known for their little home-built boxes that could connect to telephone jacks and send sequences of tones to obtain free long distance calls. These were known as black boxes or blue boxes. A whistle that came as a prize in his cereal inspired John Draper’s blue box creation. “The box blasted a 2600-Hz tone after a call had been placed. That emulated the signal the line recognized to mean that it was idle, so it would then wait for routing instructions. The phreaker would put a key pulse (KP) and a start (ST) tone on either end of the number being called; this compromised the routing instructions, and the call could be routed and billed as a toll-free call. Being able to access the special line was the basic equivalent to having root access into Bell Telephone.” (Cross, 2007). Signaling System 7 moves the signaling channel out of the audio channel, so it is no longer accessible to the parties participating in the call. SS7 specifies that telephone switches connect together using a dedicated digital network used only for signaling and managing calls. 
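The root of the weakness described above is that the switch’s tone detector listens on the same channel the caller speaks into, so it has no way to tell a network-generated supervisory tone from caller audio. The following Python sketch is an added illustration, not code from the essay or from any telephone switch: it implements the kind of single-frequency detector (the Goertzel algorithm) such equipment used and runs it over constructed audio blocks; the 8 kHz sampling rate, 200-sample block size and 0.5 energy threshold are my assumptions, chosen so that 2600 Hz lands exactly on one DFT bin.

```python
import math

SAMPLE_RATE = 8000      # Hz; the standard PCM voice-band rate (assumed)
BLOCK = 200             # samples per analysis block, 25 ms; 2600 Hz is exactly bin 65
IDLE_TONE_HZ = 2600.0   # the supervisory "line idle" tone quoted in the essay
THRESHOLD = 0.5         # fraction of block energy that must sit at the target frequency (assumed)


def goertzel_fraction(samples, target_hz, sample_rate=SAMPLE_RATE):
    """Fraction of a block's energy concentrated at target_hz (0.0 for none, ~1.0 for a pure tone).

    The Goertzel algorithm evaluates a single DFT bin with one multiply-add per
    sample, which is why telephony tone detectors could run it continuously on
    every channel. Note that the input is whatever audio is on the line: the
    detector cannot know whether the network or the caller produced it.
    """
    n = len(samples)
    energy = sum(x * x for x in samples)
    if n == 0 or energy == 0.0:
        return 0.0                      # silence carries no tone
    k = round(n * target_hz / sample_rate)          # nearest DFT bin
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    power = s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2   # |X[k]|^2
    # For a pure tone of amplitude A on the bin, |X[k]|^2 == (A*n/2)^2 and
    # energy == A^2*n/2, so dividing by energy*n/2 normalises a pure tone to 1.0.
    return power / (energy * n / 2.0)


def idle_tone_present(samples):
    """True if the block looks like the 2600 Hz supervisory tone, whoever sent it."""
    return goertzel_fraction(samples, IDLE_TONE_HZ) >= THRESHOLD


def tone(freq_hz, seconds=0.025, amplitude=0.5, sample_rate=SAMPLE_RATE):
    """Constructed test signal (a pure sine), not captured line audio."""
    count = int(seconds * sample_rate)
    return [amplitude * math.sin(2.0 * math.pi * freq_hz * i / sample_rate)
            for i in range(count)]


def mix(*signals):
    """Sum several equal-length constructed signals, e.g. a tone under speech-band audio."""
    return [sum(vals) for vals in zip(*signals)]


def scan(stream, block=BLOCK):
    """Split a longer sample stream into blocks and flag those carrying the idle tone."""
    return [idle_tone_present(stream[i:i + block])
            for i in range(0, len(stream) - block + 1, block)]


if __name__ == "__main__":
    # Constructed line audio: 50 ms of a 1000 Hz voice-band tone, 25 ms of the
    # 2600 Hz supervisory tone, then 50 ms of 1000 Hz again.
    line = tone(1000, 0.05) + tone(2600) + tone(1000, 0.05)
    print("blocks with idle tone:", scan(line))
    # The detector reacts the same way when the tone is buried under other audio.
    print("tone under voice-band audio:", idle_tone_present(mix(tone(2600), tone(1000, amplitude=0.2))))
```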
The signaling network among switches is similar to a traditional computer network. The signaling network can be designed for redundancy and does not need to take the same physical path as the voice data paths. In addition to relocating the signaling channel, the protocol allows for the creation of new and innovative features related to how calls are controlled and routed through the network. The Intelligent Network is a telecommunications industry term, described by Zeichick (1998) as relying more on digital technologies, carrying more contextual information about calls in addition to the voice data, and giving the end user more control over how their telephone experience works. Caller ID works, for example, because the originating caller information is passed from switch to switch through the signaling channels. As mobile phone callers move around, the SS7 signaling protocol helps switches find the proper route for calls to that person’s phone. The destination switch for a mobile phone moving in a train or automobile can change quickly. Call routing between switches is optimized by SS7’s definition of shared databases that are accessed through the signaling network. The databases contain rules about how calls should be routed to their destination. Switches on an SS7 network can query shared databases to find out which provider owns a phone number and how to route the call to that number. The databases can also contain feature-specific information. This aspect of the SS7 implementation has been characterized as client-server, meaning the switches act as clients to the shared databases of rules and other information for managing calls. “SS7 links the telephone system with a client-server computer architecture to create a distributed, efficient and easily modified telephone infrastructure. The computers use information from common databases to control call switching and to allow the transfer of messages within the system.” (Krasner, 1997). 
New technologies are testing the longevity of the Signaling System 7 protocol. Packet-switched voice over IP is causing some disruption in the SS7 space. However, there is more emphasis on integration and signaling gateways than on replacement of existing SS7 infrastructure with something newer. Session Initiation Protocol (SIP) is a signaling protocol for controlling audio and video connections over Internet Protocol networks. It can be implemented in hardware or software. SIP can be used for voice, video conferencing, instant messaging and other types of streaming multimedia. H.323 is another streaming multimedia signaling protocol used for audio and video over Internet packet networks. Microsoft’s NetMeeting application uses H.323 as its protocol to connect NetMeeting nodes together in a wide-area conference. H.323 is also a recommendation of the ITU-TS. The business value of SS7 is that it provides opportunities for security, efficiency and optimization of call routing, and it provides the foundation for building innovative call handling features using contextual information about calls and shared databases. It is a standards-based protocol and has been used by the world’s established telecommunications providers for over a decade. The protocol defines the means by which telephone switches exchange call routing and feature information; it does not assume voice data is carried on any particular medium as calls are transferred through the system. This simple abstraction allows SS7 to work with new technologies as they arrive in the mainstream. It is possible for SS7 to work within a mixed-technology environment including circuit-switched and packet-switched data networks. Ulasien (2007) says that the extensibility of SS7 allows the incremental migration of an organization from circuit-switched to packet-switched calls. 
The voice network is turning into the streaming media network, and SS7 will continue to be tested in its role of connection maker and gateway to more recent communication technologies such as VOIP and video conferencing.

References

Cross, Michael. (2007). Developer’s Guide to Web Application Security. Syngress Publishing 2007. ISBN: 9781597490610.
Hewett, Jeff. (1996). Signaling System 7: the mystery of instant worldwide telephony is exposed. Electronics Now. 67.n4 (April 1996): 29(7).
Krasner, J. L., Hughes, P. & Klapfish, M. (1997). SS7 in transition. Telephony. 233.n14 (October 6, 1997): 54(4).
Ulasien, Paul. (2007). Signaling System 7 (SS7) Market Trends. Faulkner Information Services. Document 00011475. July 2007.
Zeichick, Alan. (1998). Lesson 125: Signaling System 7. Network Magazine. December 1, 1998: NA.

May 30, 2008 · 8 min · 1612 words · Jim Thario

Concepts and Value of the "4+1" View Model of Software Architecture

This essay describes the concepts and value of the “4+1” View Model of Software Architecture described by Philippe Kruchten in 1995. The purpose of the 4+1 view model is to provide a means of capturing the specification of a software architecture in a model of diagrams, organized into views. Each view represents a different concern, and the diagrams within each view use a diagramming notation suitable for that diagram’s purpose. Each view answers questions related to the structure, packaging, concurrency, distribution, and behavior of the software system. The “+1” is a view of the scenarios and behavior of the software being described. This view drives the development of the other views. The value the 4+1 view model brings to software architecture is that it is not specific to any class of software system. The principles behind the 4+1 view model can be applied to any scale of software system, from embedded software to web applications distributed across many collaborating servers. The software architecture of business IT systems can be represented using the 4+1 view model. What is a model? “A model plays the analogous role in software development that blueprints and other plans (site maps, elevations, physical models) play in the building of a skyscraper.” (OMG, 2005) Software can be specified using just textual requirements, or it can be shown as a model of collections of diagrams with textual notes describing specific details. Models provide a filter that lets humans deal with a lot of information at one time. Models give us the big picture, just as a blueprint does. Diagrams within a model can be organized by subject, purpose, or locality within a system. In building construction, a single page in a roll of blueprints might describe the routing plan for plumbing or electrical conduits. A different page might detail the foundation. Likewise, a diagram within a model might show us the structure of the database. 
A different diagram will show where each piece of the software runs on a network. The content of diagrams in models can be at any level of “zoom” to describe parts of the software. Simple data structures can be described in a diagram, as can complex scenarios carried out by several servers in synchronization. Kruchten’s purpose in the 4+1 view model is to capture and document the software’s architecture using diagrams organized into several views. What is software architecture? “Software architecture is the principled study of the overall structure of software systems, especially the relationship among subsystems and components.” (Shaw, 2001) I interpret the word “relationship” in this context to mean many possible kinds of relationships. One kind of relationship between subsystems is where one subsystem relies on the services of another subsystem. There can be a behavioral relationship among subsystems, where the protocol of messages between them must be documented. Another type of relationship among subsystems is collocation: how do they communicate? Can they communicate? What is the mechanism used to store transaction data, and are the interfaces and support code packaged within each subsystem to allow data storage to happen? These are all questions answered by information at the level of software architecture. “Software architecture is concerned with the high-level structures of a software system, the relationships among them, and their properties of interest. These high-level structures represent the loci of computation, communication, and implementation.” (Garlan, 2006) A driving force behind the 4+1 view model is that a single diagram cannot communicate information about all the different kinds of relationships within a software system. A diagram that showed all the different concerns of a software architecture simultaneously would be overwhelming. Each view in the 4+1 view model has a different concern or subject. 
Multiple diagrams can exist within each view, just as files exist within a folder by subject. Modeling and diagramming tools are used to create diagrams and organize them when applying the 4+1 view model. Many tools exist to build diagrams, including Microsoft Visio (VISIO, 2008), Enterprise Architect (EA, 2008) and Rational Software Architect (RSA, 2008). Kruchten uses the Booch notation in his paper to capture information in the diagrams for each view. Since Kruchten wrote his paper over ten years ago, the Booch notation has been refined and contributed to the Unified Modeling Language specification from the Object Management Group. The four views are the logical view, process view, development view and physical view. The “+1” view contains the scenarios that represent the system’s interaction with the outside world. The scenarios are requirements. They drive the development of the other views of the architecture. The logical view contains the decomposition of the system into functions, structures, classes, data, components and layers. Kruchten points out that several different types of diagrams might be necessary within the logical view to represent code, data, or other types of decomposition of the requirements. Mainly the scenarios, or “+1” view, influence the development of this view. The logical view is needed by the development and process views. The process view is concerned with the actual running processes in the deployed system. Processes are connected to each other through communication channels, like remote procedure calls or socket connections. Elements within the logical view run in processes, so there is traceability from the process view back to the logical view. Some projects, like the development of a code editor, will not require a process view since there is only one process involved. The third view is the development view. The scenarios and the elements in the logical view drive the contents of the process view. 
The development view documents the relationships and packaging of the elements from the logical view into components, subsystems and libraries. Diagrams within a development view might show which classes or functions are packaged into a single archive for installation. The diagrams within the development view should allow someone to trace back from a package of code to elements in the logical view. Dependencies among packages of code are also documented in this view. The fourth view is the physical view, and it is created from the scenarios, the process view and the development view. The fourth view shows the allocation of packages of code and data, and of processes, to processing nodes, e.g., computers. The relationship between nodes is also shown in this view, usually in the form of physical networks or other physical data channels that allow processes on different nodes to communicate. The final “+1” view is the scenarios, which represent requirements for the behavior of the system. Kruchten’s paper shows examples using object scenario and object interaction diagrams. One could also use classic flow charts, use cases or UML activity diagrams to capture the scenarios of the software system. At a minimum, the scenarios should document how the system behaves and interacts with the outside world, either with people or with other systems. The information captured within a “4+1” View Model of Software Architecture is common to all software systems and can be applied as a general approach to documenting and communicating about information systems. Business information systems are very often database-centric, and use fat-client or web-based interfaces to enter, search, update and remove data. A business system can enforce a workflow of approvals before it allows a transaction to complete. Data warehousing solutions exist to archive, profile and find patterns in data for new. 
Many businesses are deploying self-service web sites so that customers can interact with the business without being constrained to specific times at which a transaction can take place. Each of these qualities of business systems can be captured with one or more views of the “4+1” model. A logical view can be used to document the database schema, code modules, and even individual pages of content within a web solution. The development view for a J2EE solution would document how HTML files, JSP files, and Java code are packaged into archive files before deployment to the application server. The process view for a client-server database system would show code modules assigned to the user’s application process. The database schema and stored procedures would be assigned to the relational database server processes. Finally, a physical view of a web-based database application would show separate servers for the web and database. The web server process from the process view would be assigned to the web server node, as would the packages of HTML, CGI and other code in the development view. The physical view would also show similar traceability for the database server node. The value of the “4+1” View Model of Software Architecture is that it serves as a set of general guiding principles answering the question of what, at a minimum, needs to be documented when describing a software architecture. Each view within the model has a well-defined subject or concern for the diagrams organized within the view. All software can be described in terms of behavior, structure, packaging and where it executes. These are the basic qualities the 4+1 view model intends to document for easier human consumption. There are no official constraints on the notation styles that can be used by diagrams in each view. When applied to larger systems, the logical view will contain many types of diagrams. This notation independence makes it a very flexible approach for many styles of software. 
When it is taught to a team along with diagramming skills, it can be used as a significant form of communication and provide clarity among software project team members when creating new or documenting legacy IT projects.

References

Garlan, D., & Schmerl, B. (2006). Architecture-driven Modeling and Analysis. 11th Australian Workshop on Safety Related Programmable Systems (SCS ’06).
Kruchten, P. (1995). Architectural Blueprints - The “4+1” View Model of Software Architecture. IEEE Software, 12(6), 42-50.
Object Management Group. (2005). Introduction to OMG UML. Retrieved May 10, 2008 from http://www.omg.org/gettingstarted/what_is_uml.htm
Rational Software Architect product page. (2008). Retrieved May 10, 2008 from http://www-306.ibm.com/software/awdtools/architect/swarchitect
Shaw, M. (2001). The Coming-of-Age of Software Architecture Research. IEEE. 0-7695-1050-7/01.
Sparx Systems home page. (2008). Retrieved May 10, 2008 from http://www.sparxsystems.com.au

May 30, 2008 · 8 min · 1665 words · Jim Thario

m0n0wall traffic shaping

In this article I will discuss my configuration for traffic shaping using m0n0wall. My goals for traffic shaping include giving priority to VOIP traffic leaving my network and limiting the combined incoming traffic speed destined for my servers. Some of my assumptions are that you know how to configure your LAN and WAN networks in m0n0wall, you have NAT configured for your outbound LAN network traffic, and you are using the DHCP server for your LAN. The following image shows my LAN network configuration.

[image: From m0n0wall]

The DHCP server for my LAN network is configured to offer addresses from 192.168.85.100-192.168.85.199. I can’t ever imagine having more than 100 clients on my network. I use the addresses below .100 for static assignments on my LAN. My three servers are configured for static addresses on the LAN - they do not use DHCP. In addition to the three servers, the wireless access points are configured for static LAN addresses and the VOIP telephone adapter uses a fixed DHCP LAN address.

I use inbound NAT for my Internet services to redirect HTTP, HTTPS and SMTP from the public firewall IP address to the desired server on the LAN. The following image shows the inbound NAT configuration. You will see HTTP and HTTPS are redirected to one server and SMTP is redirected to another server. In addition to these rules, m0n0wall will add rules to the firewall to allow this traffic to pass.

[image: From m0n0wall]

The VOIP telephone adapter uses DHCP by default and I wanted to maintain the provider’s default configuration for the device. My strategy was to determine the network MAC address of the VOIP device and set the m0n0wall DHCP server to always offer the device the same LAN IP address. The following image shows the settings for the m0n0wall DHCP server for the VOIP adapter.

[image: From m0n0wall]

From this configuration, I can now create rules in the traffic shaper to manage inbound and outbound traffic speed based on the LAN IP address.
The first task is to define the pipes that will control inbound and outbound traffic. I have two pipes defined - one for all outbound traffic and one for inbound server traffic. I was able to verify my outbound Internet speed at about 1.5 Mbit. I subtracted about 6% from that and came up with 1434 Kbit. I talk about why you should do this in a previous article. The basic idea is that you only want to queue packets in your m0n0wall and prevent packets from queuing in your ISP router or any other device before the packet leaves your location. The only way to be sure is to throttle-down your outbound speed by a few percent. Your connection may need more or less, and you should experiment and re-test your settings once or twice a year.

The second pipe is used to limit the maximum speed of incoming data to the servers. I want to limit the combined inbound traffic to all three of the servers to about 1 Mbit. The traffic that would pass through this pipe includes incoming mail delivery and incoming requests to the web server. This pipe will not impact web server responses, i.e. page content returned. Mail delivery between servers on the Internet happens asynchronously, so the client workstations will not care if a message delivery takes 1 second or 15 seconds to occur. Client workstations are interacting with servers on the local network, so they will not feel any of the shaping.

[image: From m0n0wall]

The strategy for outbound traffic is to give top priority for VOIP, second priority to workstations and last priority to outbound server traffic. To accomplish this I need three queues in the m0n0wall traffic shaper section. The three queues relate to the three outbound priorities previously mentioned. The first queue is for VOIP and has a weight of 50. The second queue is for workstation traffic and has a weight of 40. The last queue is for outbound server traffic and has a weight of 10. The total weight for all three queues adds up to 100 and the weights are completely relative.
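To show what "completely relative" weights mean in practice, here is an added example: a small Python model of my own, not m0n0wall's code and not part of this post, that divides the 1434 Kbit outbound pipe among the three queues by the 50/40/10 weights using water-filling (each queue gets its weighted share, but never more than it wants, and whatever an idle or satisfied queue leaves over is re-split among the rest). The demand figures for the queues are constructed; the model is a simplification of the real dummynet scheduler, but it reproduces the two claims that matter: a queue alone on the pipe gets all of it regardless of weight, and a VOIP queue sending about 100 Kbit takes only that, no matter how high its weight.

```python
"""Weighted fair sharing of a shaper pipe by relative queue weights.

Added example (not m0n0wall's code): a water-filling model of how an
outbound pipe is divided among queues with relative weights. The pipe
size and the weights come from the post; the demand figures in
scenarios() are constructed.
"""

OUT_PIPE_KBIT = 1434                                      # from the post
QUEUE_WEIGHTS = {"voip": 50, "workstations": 40, "servers": 10}


def weighted_share(pipe_kbit, weights, demand_kbit):
    """Split pipe_kbit among queues in proportion to their weights.

    A queue never receives more than it asks for; bandwidth that an idle
    or already-satisfied queue does not use is redistributed among the
    remaining queues, again in proportion to their weights.

    demand_kbit: {queue_name: kbit the queue wants to send right now}
    Returns {queue_name: kbit allocated}, rounded to whole kbit.
    """
    alloc = {q: 0.0 for q in demand_kbit}
    unsatisfied = {q for q, d in demand_kbit.items() if d > 0}
    remaining = float(pipe_kbit)
    while unsatisfied and remaining > 1e-9:
        total_w = sum(weights[q] for q in unsatisfied)
        satisfied_this_round = set()
        for q in unsatisfied:
            fair = remaining * weights[q] / total_w     # this round's share
            need = demand_kbit[q] - alloc[q]
            alloc[q] += min(fair, need)
            if need <= fair:
                satisfied_this_round.add(q)
        remaining = pipe_kbit - sum(alloc.values())
        if not satisfied_this_round:
            break      # every queue used its full share: the pipe is full
        unsatisfied -= satisfied_this_round
    return {q: round(v) for q, v in alloc.items()}


def scenarios():
    """Three situations discussed in the post, with constructed demands."""
    # A call is up (about 100 Kbit) while workstations and servers both
    # have far more to send than the pipe can carry.
    busy_call = weighted_share(OUT_PIPE_KBIT, QUEUE_WEIGHTS,
                               {"voip": 100, "workstations": 5000, "servers": 5000})
    # Nothing but server traffic: the weight-10 queue gets the whole pipe.
    servers_only = weighted_share(OUT_PIPE_KBIT, QUEUE_WEIGHTS,
                                  {"voip": 0, "workstations": 0, "servers": 5000})
    # Everyone saturated: the split is exactly 50/40/10.
    all_saturated = weighted_share(OUT_PIPE_KBIT, QUEUE_WEIGHTS,
                                   {"voip": 5000, "workstations": 5000, "servers": 5000})
    return busy_call, servers_only, all_saturated


if __name__ == "__main__":
    for name, result in zip(("busy call", "servers only", "all saturated"), scenarios()):
        print(f"{name:14s} {result}")
```

In the busy-call case the VOIP queue takes its 100 Kbit and the remaining 1334 Kbit is split 40:10 between workstations and servers; only when every queue is saturated does the 50/40/10 split actually appear on the wire.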
All three queues are connected to the outbound 1434 Kbit pipe. If there is no outbound VOIP and workstation traffic, the server queue with the weight of 10 will get the entire 1434 Kbit outbound pipe. See the following image for the queues.

[image: From m0n0wall]

The reality is that the VOIP traffic only takes about 100 Kbit of the outbound traffic when in use. Even though the weight of the high priority queue is set to 50, it will never use 50% of the 1434 Kbit outbound pipe, and all it does is guarantee that the VOIP service will get all the outbound bandwidth it needs.

The final piece of the traffic shaping strategy is the rules that place outbound packets in a specific queue, or place inbound server traffic into the server pipe. Inbound VOIP and workstation traffic does not get shaped. The rules I use are based on traffic leaving a specific interface. Traffic leaving the WAN interface is traffic sent out to the Internet. Traffic leaving the LAN interface is traffic received from the Internet. With that, see the following image.

[image: From m0n0wall]

The first five rules are for outbound traffic destined for the Internet. Rule 1 places outbound VOIP traffic in the queue with weight 50. Rules 2-4 place outbound server traffic in the queue with weight 10. Rule 5 is a catch-all and places all other outbound traffic in the medium priority queue with weight 40. Rules 6-8 are for traffic leaving the LAN interface, in other words, inbound traffic from the Internet. These rules place traffic destined for my three servers into the 1 Mbit inbound pipe. These rules will constrain the combined inbound traffic to these servers to 1 Mbit. Only the inbound server traffic is shaped. With these pipes, queues and rules, I’ve accomplished my goal - VOIP traffic leaves first, workstation traffic leaves second, and server traffic leaves last, and inbound server traffic is limited to 1 Mbit. How can I tell if these rules are working?
m0n0wall has a status.php page and you can see the byte and packet counts on these rules. To see these statistics, sign in to your m0n0wall web console and append status.php to the address in the browser. The page you will see is just a textual dump of various internal statistics. The statistic you want to review is the ipfw show listing. The following image shows the statistics for my traffic shaper rules.

[image: From m0n0wall]

In this image you can see the queue and pipe rules with their packet and byte counts. Take note of the out via dc0 and out via dc1 parts of the rules, which are my WAN and LAN network adapters. The first two rules and very last rule are automatically added by the m0n0wall software. You can see the queue 1 rule for high priority outbound VOIP traffic, coming from a specific LAN address. The next three rules for queue 3 are for low priority outbound server traffic, again based on LAN address. The queue 2 rule is the catch-all rule for outbound workstation traffic at medium priority. The next three rules are for inbound server traffic that is sent to the 1 Mbit pipe. All other inbound traffic is not shaped and matches the last rule.
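Reading those counters by eye works for eight rules, but the check is easy to automate. The following Python script is an added example, not m0n0wall's code: it parses an ipfw show style listing (rule number, packet count, byte count, rule body), sums packets and bytes per queue and pipe, and flags shaper rules that have never matched a packet, which is the usual sign that an address or interface in a rule is wrong. The listing embedded in the script is constructed to resemble the section described above; the rule numbers, addresses, interfaces and counts are made up.

```python
"""Summarise shaper counters from an `ipfw show` listing.

Added example, not m0n0wall code. SAMPLE_IPFW_SHOW is constructed to look
like the listing on m0n0wall's status.php: rule number, packets, bytes,
then the rule body. All numbers and addresses below are made up.
"""
import re
from collections import defaultdict

SAMPLE_IPFW_SHOW = """\
00001      9812   1402201 allow ip from any to any via lo0
00002         0         0 deny ip from any to 127.0.0.0/8
50000     11830    982122 queue 1 ip from 192.168.85.50 to any out via dc0
50001      4105   2910223 queue 3 ip from 192.168.85.10 to any out via dc0
50002      3301   1922018 queue 3 ip from 192.168.85.11 to any out via dc0
50003         0         0 queue 3 ip from 192.168.85.12 to any out via dc0
50004     60112  38129902 queue 2 ip from any to any out via dc0
50005     22841  15822310 pipe 2 ip from any to 192.168.85.10 out via dc1
50006     18422  12071744 pipe 2 ip from any to 192.168.85.11 out via dc1
50007      1220    330012 pipe 2 ip from any to 192.168.85.12 out via dc1
65535    990123 732811210 allow ip from any to any
"""

# rule number, packet count, byte count, rest of the rule
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$")
# shaper actions start the rule body: "queue N ..." or "pipe N ..."
TARGET_RE = re.compile(r"^(queue|pipe)\s+(\d+)\b")
IFACE_RE = re.compile(r"\bvia\s+(\S+)")


def parse_ipfw_show(text):
    """Return one dict per rule line; lines that do not look like rules are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        num, pkts, nbytes, body = m.groups()
        target = TARGET_RE.match(body)
        iface = IFACE_RE.search(body)
        rules.append({
            "rule": int(num),
            "packets": int(pkts),
            "bytes": int(nbytes),
            "body": body,
            "target": (target.group(1), int(target.group(2))) if target else None,
            "iface": iface.group(1) if iface else None,
        })
    return rules


def shaper_counters(rules):
    """Sum (packets, bytes) per ('queue', n) or ('pipe', n)."""
    totals = defaultdict(lambda: [0, 0])
    for r in rules:
        if r["target"]:
            totals[r["target"]][0] += r["packets"]
            totals[r["target"]][1] += r["bytes"]
    return {k: tuple(v) for k, v in totals.items()}


def idle_shaper_rules(rules):
    """Shaper rules that have matched nothing since the counters were reset.

    A queue or pipe rule with zero hits while the host it names is busy
    usually means the address or the interface in the rule is wrong."""
    return [r["rule"] for r in rules if r["target"] and r["packets"] == 0]


if __name__ == "__main__":
    parsed = parse_ipfw_show(SAMPLE_IPFW_SHOW)
    for target, (pkts, nbytes) in sorted(shaper_counters(parsed).items()):
        print(f"{target[0]} {target[1]}: {pkts} packets, {nbytes} bytes")
    print("shaper rules with no hits:", idle_shaper_rules(parsed))
```

In the constructed listing the rule for the third server (50003) has never matched, so it would be the first place to look if that server's outbound traffic were escaping the low-priority queue.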

March 4, 2008 · 6 min · 1231 words · Jim Thario

m0n0wall hardware and bootstrap

In this article I will discuss the hardware used in my home-brewed firewall and what I did to bootstrap the firewall with the m0n0wall software image. My m0n0wall firewall is based on an older Dell Dimension V400. To get an idea of the machine’s age, this photo shows the original stickers promoting the Pentium II, Windows NT and Windows 98.

[image: From m0n0wall]

This machine has a 400 MHz processor and 128 MB of RAM. I removed the hard disk and disconnected the floppy drive. The older CD-ROM drive was replaced with a spare Sony CD-RW. The tray on the original CD-ROM started to make grinding noises and stopped opening when the button was pressed. The machine started with one network adapter and I added two more Linksys LNE-100 PCI adapters. You can see all three 100 Mb PCI network adapters in the following photo.

[image: From m0n0wall]

The most educational part of the project for me was the installation of the compact flash IDE adapter and memory card. This device plugs directly into the IDE cable connector on the motherboard and can be used in place of a hard disk. A compact flash device won’t suffer a head crash or any other type of physical damage associated with a moving, mechanical hard disk. I wanted to eliminate the primary causes of a firewall crash, so it was this approach or a pair of mirrored hard disks. The memory card solution was much less expensive and provided me with some experience if I wanted to move to a Soekris or LogicSupply solid-state PC later.

I used a compact flash IDE adapter from StarTech, model IDE2CFINT. You can find them for less than $20. I bought mine from Amazon with a 2 GB memory card. StarTech’s site has several good close-up images of the adapter. In the following photo, you can see the compact flash IDE adapter plugged into the PC’s motherboard IDE cable connector. Along the right side of the compact flash IDE adapter is the memory card, which is plugged into a pin header. Above the memory card is a floppy drive power cable.
The power for the adapter can come from the motherboard or from a floppy drive power cable. There is a jumper on the adapter to specify the source of power. I set it up initially this way, and it worked, so I left it.

[image: From m0n0wall]

This machine has two IDE channels; the first is used by the compact flash IDE adapter. The second channel is used by the CD-RW drive. You can see in the blurry background of the above photo the CD-RW cable connected to the motherboard’s second IDE channel below the compact flash IDE adapter. The cable comes up to the left of the compact flash IDE adapter and continues up to the CD-RW.

The next step was to power up the machine and see what the Dell’s BIOS thought of these hardware changes. After I powered the machine and entered the setup screen, the BIOS automatically detected the compact flash IDE adapter and memory card as a 2 GB hard disk. It also recognized the Sony CD-RW. That’s it! Save settings and exit.

The next interesting task was to write the m0n0wall software image to the memory card in the PC. I have the one compact flash IDE adapter, so my approach to load the software was somewhat improvisational based on the machine I was using and the resources I had available to me the evening I decided to take this on. For me to be able to load the m0n0wall software, I had to boot the machine with an operating system from the CD-RW and then transfer the m0n0wall image directly from some media to the compact flash IDE adapter. I decided the easy approach would be to boot a FreeBSD or Linux installation disk, enter a rescue mode and get to a command prompt where I would have the basic tools available. For example, the CentOS 5.1 rescue mode on disk 1 has the dd and gunzip utilities I need to write the m0n0wall software image to the memory card. What media would I get the m0n0wall software image from? At this point it was sitting on my PowerBook’s file system after downloading it from the m0n0wall web site.
The Dell PC I am using for the firewall has two USB connectors on the back. Since I didn’t want to create a custom boot CD, I decided to try to boot from the CentOS 5.1 disk in the CD-RW and use a USB memory stick with a FAT file system to contain the m0n0wall software image file. I formatted a USB memory stick with a FAT file system and simply copied the m0n0wall generic PC image to it. I plugged the USB memory stick into the back of the Dell and booted the CentOS 5.1 disk 1 from the CD-RW. I selected the rescue mode and made my way to a Bash command prompt after a couple of questions. Once at a command line, I used the dmesg command to see if the kernel had recognized the USB memory stick during boot and if it had been assigned a device name. The kernel did find it and created it as a pseudo-SCSI device. The next step was to mount the FAT file system of the USB stick into the rescue file system. The root of the CentOS rescue file system is a RAM disk so this was no problem. I created a directory called /tmp/usb and mounted the USB device there. I could see the m0n0wall image file now.

Section 3.2.2 of the m0n0wall handbook provides the basic template for the dd command in Linux to write the image to the memory card. I needed to take note of the different device names and location of the file containing the m0n0wall image.

    gunzip -c /tmp/usb/generic-pc-1.2XX.img | dd of=/dev/hdX bs=16k

This took just a few seconds to complete. During the transfer of data, I could see the activity light on the StarTech IDE2CFINT flickering, so I knew something was really happening. I got a prompt back and a summary from dd of how much data was written. I pulled the CentOS disk from the CD-RW and removed the USB stick from the back of the PC, and rebooted. I watched the Dell POST complete and soon after I saw the familiar spinning cursor of the FreeBSD boot loader, followed by kernel messages, and finally a m0n0wall console menu.
The Dell PC booted from a compact flash memory card and m0n0wall was ready to be configured.
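As an added example, and not from the m0n0wall handbook or the procedure above, the following Python script does the same job as the gunzip/dd pipeline and adds the step a cautious practitioner wants before trusting the card: reading it back and comparing it byte for byte against the decompressed image, so a bad card, a wrong device name or a short write is caught before the first boot rather than discovered as a firewall that will not start. The image file name and the device path in the demo are constructed placeholders; against a real card the two functions take its device path instead of a temporary file.

```python
"""Write a gzipped disk image to a device and verify the write.

Added example, not the handbook's procedure: the equivalent of
`gunzip -c image.img.gz | dd of=/dev/hdX bs=16k` followed by a read-back
comparison. demo() uses a constructed image and a regular file standing
in for the compact flash card, so it runs without any real hardware.
"""
import gzip
import hashlib
import os
import tempfile

BLOCK = 16 * 1024        # same 16k block size as the dd command in the post


def write_image(image_gz, device, block=BLOCK):
    """Decompress image_gz onto device.

    Returns (bytes_written, sha256 hex digest of the decompressed image),
    so the digest can be compared with one published for the image."""
    digest = hashlib.sha256()
    written = 0
    # A block device already exists and must not be truncated; a fresh
    # regular file (as in the demo) is simply created.
    mode = "r+b" if os.path.exists(device) else "wb"
    with gzip.open(image_gz, "rb") as src, open(device, mode) as dst:
        while True:
            chunk = src.read(block)
            if not chunk:
                break
            dst.write(chunk)
            digest.update(chunk)
            written += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())          # make sure it reached the medium
    return written, digest.hexdigest()


def verify_image(image_gz, device, block=BLOCK):
    """Compare the device's leading bytes with the decompressed image.

    Returns (matches, bytes_compared). On a mismatch bytes_compared is the
    offset of the first block that differs."""
    compared = 0
    with gzip.open(image_gz, "rb") as src, open(device, "rb") as dev:
        while True:
            want = src.read(block)
            if not want:
                return True, compared
            got = dev.read(len(want))
            if got != want:
                return False, compared
            compared += len(want)


def demo():
    """Write a constructed image, verify it, corrupt one byte, verify again."""
    payload = bytes(range(256)) * 200            # constructed 51,200-byte image
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "generic-pc-demo.img.gz")   # placeholder name
        device = os.path.join(tmp, "fake-cf-card")            # stands in for /dev/hdX
        with gzip.open(image, "wb") as f:
            f.write(payload)
        written, digest = write_image(image, device)
        ok, compared = verify_image(image, device)
        with open(device, "r+b") as f:           # damage a byte in the first block
            f.seek(1000)
            f.write(b"\xff")
        corrupt_ok, corrupt_at = verify_image(image, device)
    return {
        "written": written,
        "digest_matches": digest == hashlib.sha256(payload).hexdigest(),
        "verified": ok,
        "compared": compared,
        "corruption_detected": not corrupt_ok,
        "corrupt_block_offset": corrupt_at,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The read-back pass is the part dd alone does not give you; its "records in/out" summary only says how much was handed to the device, not that the device kept it.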

March 2, 2008 · 6 min · 1102 words · Jim Thario

The Differentiator

Are you a software engineer? Today is a good day. Have you read the news? Read here for a quick review about the SM-3 missile versus the USA-193 satellite smack-down that took place over the Pacific Ocean. This event was not exciting to me because it was a demonstration of American military capability - I mean, it was that, but my interests in the event have a different motivation. It was exciting to me because this was a hammering success for the software engineers that modified the Navy’s systems to pop that satellite over a hundred miles above the planet without a warhead. It wasn’t like the Navy had to get close enough to detonate the missile. They had to be dead on because this was a kinetic kill at closing speeds over 20,000 MPH. This event was a strong example of software as a differentiator. Missiles and rockets are becoming commodity items. Russia has them, China has them, and the Middle East has them or is testing them. In fact, most countries with a vowel in their name have missile capabilities. A missile is not a big deal - a tube with propellant. Light it off, it might go up, sideways, spin wildly or just fall over and explode. The SM-3 has been around for a few years, but the military has never admitted to trying to use it to shoot down a satellite in orbit. The SM-3 was originally designed to go nose-to-nose with incoming short and medium range missiles. The exciting story-behind-the-story for me is that software brought that satellite down and the SM-3 missile provided a reliable and high-performance lift for the software to find its target.

Today software is the key differentiator in a world of commodity technology. Think about it. A majority of us have cell phones. They are shrinking in size and expanding in capability. Where does that capability ultimately come from? Why would you buy one phone over another? I select a phone and carrier based on features. Where do the features come from?
Is it in the case, the antenna, the battery, the screen, or the memory card? All cell phones have these in one form or another. What differentiates them from one another is the software. The phone’s software realizes the capability to share a chat in your social network, send a ring tone to a friend, find an archived text message from your sibling, and to learn about the latest discounts at the stores in your area reported by the GPS.

Have you seen Ford’s new commercials recently? They are touting the Sync system. In fact, they are spending a lot of money showcasing that and not MPG, crash tests, 60-0 stopping ability, etc. Whether or not that is a good idea is yet to be seen. The hardware that goes into Sync goes into a lot of in-car entertainment and phone systems: speakers, radio, CD, MP3 player, microphone, antenna, LCD screen and little buttons on the steering wheel. Big deal. Commodity items. What differentiates Sync is the voice recognition system and the integration of pieces inside and outside the system. So, what is Sync? It is the software that realizes the features and value proposition of the Sync concept.

Today software is what differentiates individual pieces and parts from something innovative that creates new value. My final example is the Toyota Prius. It has something called Hybrid Synergy Drive. It is not enough to say it is a gas and electric hybrid. That wouldn’t do it justice. It is a drive-by-wire system, and at its heart: software making the decisions when to go electric, gas, recharge, and much more. A human tasked with driving and making these continuous decisions on how to generate power most efficiently from all the available choices would not be practical or possible.

Today is one more good day for software engineers - the people behind the Wizard’s curtain. Well done. I’ll see you at the bar for a toast. Without you, it’s just a box of pieces and parts.

February 21, 2008 · 4 min · 671 words · Jim Thario

VOIP and Traffic Priority

Some time ago my employer asked if I would like to participate in a pilot of AT&T CallVantage from my office. This service is a competitive offering to Vonage’s VOIP service. With CallVantage, you get to pick a phone number in an area code of your preference, they send you a telephone adapter in the mail and off you go. The telephone adapter connects over the Internet to the phone company, bypassing the local carrier’s wires. Within the week I had the telephone adapter. Getting the CallVantage service up and running was no trouble at all. There is a web portal to customize the service, like recording voice mail greetings and setting up a do-not-disturb schedule. You can review call history through the portal and place numbers into a phone book. You can also initiate calls from the web site. The service will ring your phone, wait for you to answer and then ring the other party’s phone.

The telephone adapter I received in the mail was manufactured by D-Link. It is actually a combination telephone adapter and firewall, if you choose to use it that way. The network here was already equipped with a firewall, so I decided to use up one of my static IP addresses and place the adapter outside the firewall. The first time the adapter connected over the Internet with AT&T, it spent a few minutes downloading new code and rebooted a couple of times, and when it was ready for service the phone connected to it rang once. The status lights on the adapter showed all green.

I had been using CallVantage for a few days and everything was working great until … one day I was on a VOIP call and hosting a screen sharing session with some of my co-workers around the country. I was doing a code review, paging through an editor, showing some diagrams and talking about the design. From the network point-of-view there was a large amount of constant outbound traffic, some consisting of the screen data and some consisting of my VOIP data.
Every couple of minutes someone would ask me to repeat something I said, because my voice had broken up for a brief moment. They described it as sounding similar to a cell phone breaking up, and other times they said I just went to dead air for a few seconds. I knew exactly what was happening - there was competition between VOIP and non-VOIP traffic and there was no control over which would leave my network first at any given time. It was time to seriously consider a solution to prioritize network traffic.

The D-Link adapter has the ability to prioritize traffic if you use it as a pass-through device. You can configure the D-Link as a NAT router or a bridge, placing it between your ISP’s router and your private network or existing firewall. The D-Link adapter will give priority to packets for VOIP and slow down or drop packets from your network devices to accomplish a poor man’s QoS. I call it a poor man’s approach because I don’t actually think D-Link put a lot of thought and effort into it. I was always suspicious that the telephone adapter had a 10 Mbit network port on the WAN side. They put 100 Mbit ports on the LAN side. The WAN port speed was just a little too close to the upper bandwidth of the Internet connection here. There are days we get well over 10 Mbit on the inbound side of our connection, so this just seemed like a bad idea. In fact, it was a bad idea after I tried it. There was no improvement in the number of voice drop-outs. The next strategy was to move the D-Link adapter behind the firewall, reconfigure it for DHCP and use a more robust approach for traffic shaping and prioritization. The D-Link adapter would only be the source and destination for VOIP traffic. No other traffic would move through it. The solution I eventually adopted is open source. I will talk more on the actual implementation in a future post.

The first thing to understand about VOIP audio quality is that you can only prioritize and shape outbound traffic.
This is traffic leaving your network heading for your VOIP provider. I mean, you can prioritize inbound traffic on the receiving side, but by the time this happens, the traffic has already traversed your connection and has used up some portion of bandwidth. Prioritizing inbound traffic on the receiving side will rarely improve the audio quality you hear. There are reasons beyond VOIP to prioritize and shape inbound traffic on the receiving side, like slowing down the person downloading ISO files all day on Friday. A good example from the real world is highway traffic control. Traffic signals are placed at the on-ramps to the highway, not the off-ramps. Your Internet connection is like a point-to-point highway between your ISP and your site. If you want to prioritize inbound traffic for the purposes of VOIP audio quality, talk to your ISP (the on-ramp for the traffic coming to you) so they prioritize packets before sending them to your place. What about packets traveling between the VOIP provider and your ISP? Anything can happen there and it’s out of your control. Usually these interconnections are so fast, it’s not a significant factor in quality.

The next bit of knowledge about prioritizing network traffic is to have only one device at your end making the determination about which packets go out first. This means you don’t want to flood your DSL or cable router with packets, because its queuing strategy might undo the order of packets you send to it. The only way to be sure the packet order is maintained is to reduce your outbound bandwidth slightly to make sure only one device on your end is queuing packets in the order you specify. You want to send packets just a little slower than your connection’s upper limit, to keep all the other device queues empty. If your ISP router gets a packet and its queue is empty, it can send that packet right out.

We will use my office setup as an example. The outbound connection speed at my office is about 1.5 Mbit.
We specify to our traffic shaping device to limit outbound speeds to about 1.4 Mbit. If you don’t do some amount of reduction and just blast packets to your ISP router at full speed, it may reorder them based on its internal rules, or it may just start dropping packets because the manufacturer designed it with a shallow queue. Because these are usually closed, proprietary devices, you just have to accept that you don’t know what it will do as packets queue up. For our case we have the traffic shaping device reduce our outbound speed by about 6.5%. You might need more or less of a reduction, and experimentation and tuning is a required step. Re-tuning should be done once or twice a year.

Next, you need a way to identify traffic from specific devices on your network and determine what the classes of priority should be. In our network we have three classes of priority for outbound traffic. The highest priority traffic comes from the VOIP devices. Medium priority traffic comes from workstations. Lowest priority traffic comes from servers. Remember these priorities are only for traffic leaving the network for the Internet. Our internal network is 100 Mbit wired or 54 Mbit wireless, so workstations connecting to the local SMTP server don’t feel any of this prioritization. The reason servers are at the lowest priority is because there are a few non-essential web sites hosted here and an SMTP server that relays outbound mail. We really don’t care if it takes 5 seconds or 20 seconds to relay an outbound email, because it is all done as background work. The VOIP devices and servers are given internal, static addresses by the DHCP server, so we can determine a packet’s priority by source IP address.

The device or software you choose to prioritize your traffic may have constraints on how traffic can be identified. For example, it may only be able to identify traffic based on source and destination IP port numbers, or protocol.
A simple hardware device may prioritize traffic based on physical network port connections. I have a small consumer firewall that has five 100 Mbit LAN ports, and each port can be assigned a low, medium, or high priority. Do your research and work out your strategy before committing to a solution.

I decided on an open source solution called m0n0wall and a basic Dell PC with multiple network adapters. I stripped out the hard disk and floppy disk, kept the CD-ROM, added an IDE compact flash reader and a couple of extra fans just in case. I will go into details about my m0n0wall firewall and shaper settings in the next post.

February 17, 2008 · 7 min · 1486 words · Jim Thario

Internet Service Provider

My ISP is Comcast and I couldn’t be happier. “What!?” you say. I know, I know. Realize that most people deal with Comcast as a residential customer and the horror stories I hear are typically related to that class of service. There is another Comcast - the business services group. I am not sure at what point in the corporate hierarchy the two groups separate.

Comcast provides an a la carte business service called Comcast Workplace. I have this service at my office. I pay monthly for two things: a connection that averages 10 Mbit inbound and 1.5 Mbit outbound, and a block of static IP addresses. Actually, the service agreement is for about 9 Mbit, but some days we get upwards of 12 Mbit. That’s it, no bundles, no block of useless email addresses, no free web storage, no browser toolbars, nothing. I am paying for exactly what is needed - bandwidth and addresses - no more. This is a business connection, and I run web and email servers here for a few low traffic domains. Inbound and outbound VPN is almost always running. The catch? In terms of paying for exactly what you need and obtaining a phone number directly to network engineers, expect to pay 2-3 times what you pay for residential cable Internet service. “What!?” you say again.

A positive example of the service I get was when I needed to change the reverse lookup on the IP addresses. The customer support person at Comcast knew exactly what needed to happen and replied, “Please hold while I transfer you to network engineering.” The process took about 10 minutes on the phone and about 6 hours later the changes were live. After having the service in place since January 2006, the connection has been down once for a total of about 2-3 hours. That outage was due to a deep freeze here in Denver and that impacted equipment at Comcast’s location.
They were attentive enough to send someone to my office within 45 minutes of reporting the outage to work the problem back to their site.

For now, the office is happy and Comcast stays.

February 17, 2008 · 2 min · 355 words · Jim Thario

How I use m0n0wall

It really has been about 1.5 years since my last post. I have been busy and now have plenty to write about. A few months ago I deployed a dedicated system running m0n0wall at the edge of my network. I needed to find a firewall and router that could do the usual firewally things. I needed support for inbound and outbound NAT, DHCP and DNS for LAN clients, and inbound VPN when I am away. I did not want the firewall to rely on any other system in the network aside from the ISP’s router.

Last year a new requirement surfaced in that the office needed shaping and prioritizing of traffic to and from the Internet. There is a VOIP adapter here for AT&T CallVantage. Skype is also used periodically. Real time traffic needs priority over everything else. Traffic related to the web and email servers needs to run at the lowest priority. Services like SMTP don’t need the full bandwidth of my connection here in either direction. I often find bursts of incoming SMTP can cause drop-outs on the VOIP calls. The several workstations on the network here need reasonable connectivity - higher priority than the servers but less than the VOIP traffic. Finally, if a class of service is not competing with any other, that service should get the bulk of available bandwidth regardless of priority. Here is a high-level diagram of my network.

[image: From m0n0wall]

With the next few postings, I will go into detail of how I successfully deployed m0n0wall on this network to satisfy these requirements.

February 10, 2008 · 2 min · 261 words · Jim Thario

PGP/GPG Keys

I recently updated my PGP/GPG keys. I uploaded the public key to the MIT key server and a Google Sites page. MIT Server Google Drive

June 2, 2006 · 1 min · 25 words · Jim Thario