Slashdot Mirror


Ask Slashdot: Managing Device-Upgrade Bandwidth Use?

First time accepted submitter wallydallas writes "I'm close to a solution, but I wonder how other people block their many devices and operating systems from updating in working hours. For example: I'm the IT guy who blocks iPads from updating when school is in session because we are in a rural location. 3 Mbps is the best WAN we can buy. Devices can update after hours just fine. We do this with our router (DDWRT) by blocking MESU.APPLE.COM. Many guests bring in Windows 7 laptops, and I want to welcome them, but not their updates. How can I block updates on Android Phones and Linux Laptops? I have a 4G device at home, and I'd like to apply the same tricks 24 hours a day so that I don't use up the bandwidth from my vendor. And my many home visitors should have their updates blocked."

20 of 159 comments

  1. For Windows by jones_supa · · Score: 5, Informative

    For Windows, you could try blocking the addresses listed in the Microsoft Knowledge Base article 818018.

    1. Re:For Windows by Anonymous Coward · · Score: 2, Informative

      That is not a complete list. We set up our DNS to return 127.0.0.1 for all of those hostnames, and Microsoft still found a way to do a forced update to MSIE10 that broke all of the Dell desktops running Windows in our office. We had to reimage all of the Dells to get them running again. We found the IP addr Microsoft was using for their abuse and blocked it, but then about four months later Microsoft found another way to do yet another forced update and breaking of our desktops. Again, we had to reimage to get the systems to boot.

      Again, that list is not complete. If you block just those, Microsoft will still find a way to break your systems.

  2. It depends on your environment. by Anonymous Coward · · Score: 2, Informative

    If there are a lot of people that want to do the updates, AND you have the space, a caching service can ease the pain. The first time an update is done, the cache (proxy) saves the reply, then when someone else asks for the update, it is supplied locally rather than downloading it again.

    1. Re:It depends on your environment. by CohibaVancouver · · Score: 2

      So if a solution is not 100% perfect, it has to be thrown into the trash can?

      Of course. This is Slashdot - Where the edge use case wins, every time - Where perfect is the enemy of good.

  3. Pfsense by bhenson · · Score: 5, Informative

    Use pfSense and use the package squidguard (or dansguardian) and use the software downloads list.

  4. pfSense by Anonymous Coward · · Score: 4, Informative

    http://www.pfsense.org/

    Install pfSense plus squid and block the update sites.

    pfSense WAN goes to the modem.
    pfSense LAN goes to the access point.

  5. Don't block it, QoS it. by phizi0n · · Score: 5, Interesting

    There's no reason to avoid using your bandwidth when you can use QoS to deprioritize it so that they can still update any time the bandwidth is available. Most any Linux router can do this with tc and iptables, or sometimes with less configurability through their GUIs.

    At home you have control over the devices and can just disable them from automatically updating.
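    The tc/iptables approach described above, as an added example that is not code from this thread. It assumes a Linux router with tc, iptables, ipset and dnsmasq (ipset support in DD-WRT builds varies), that br0 is the LAN-facing interface, that the WAN delivers 3 Mbit/s, and that dnsmasq fills an ipset named "updates" with the addresses that update hostnames resolve to; mesu.apple.com is the host from the submission, and the other update hosts are left for the reader to add.

```shell
#!/bin/sh
# Added example, not code from the thread: deprioritise update downloads
# with HTB instead of blocking them. Assumed: a Linux router where br0 is
# the LAN-facing interface (shaping its egress shapes downloads to clients),
# the WAN delivers 3 Mbit/s, and dnsmasq fills an ipset named "updates"
# with the addresses that update hostnames resolve to.
LAN_IF="${LAN_IF:-br0}"
WAN_RATE="${WAN_RATE:-3000kbit}"   # downstream capacity of the link
BULK_RATE="300kbit"                # floor guaranteed to update traffic
OTHER_RATE="2700kbit"              # floor guaranteed to everything else
UPDATE_MARK=2                      # fwmark that steers packets to class 1:20

# dnsmasq directive: every answer for these names is added to ipset "updates".
# mesu.apple.com is the host the submitter blocks; extend the list as needed.
dnsmasq_ipset_line() {
    echo "ipset=/mesu.apple.com/updates"
}

# Print the plan: mark downstream packets whose source is an update host, then
# put them in the lowest-priority HTB class. Unmarked traffic lands in 1:10.
# Both classes may borrow up to the full link (ceil), so updates still run
# at full speed whenever nobody else needs the bandwidth.
qos_commands() {
    cat <<EOF
ipset create updates hash:ip -exist
iptables -t mangle -D FORWARD -o $LAN_IF -m set --match-set updates src -j MARK --set-mark $UPDATE_MARK 2>/dev/null
iptables -t mangle -A FORWARD -o $LAN_IF -m set --match-set updates src -j MARK --set-mark $UPDATE_MARK
tc qdisc del dev $LAN_IF root 2>/dev/null
tc qdisc add dev $LAN_IF root handle 1: htb default 10
tc class add dev $LAN_IF parent 1: classid 1:1 htb rate $WAN_RATE ceil $WAN_RATE
tc class add dev $LAN_IF parent 1:1 classid 1:10 htb rate $OTHER_RATE ceil $WAN_RATE prio 0
tc class add dev $LAN_IF parent 1:1 classid 1:20 htb rate $BULK_RATE ceil $WAN_RATE prio 7
tc qdisc add dev $LAN_IF parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $LAN_IF parent 1:20 handle 20: sfq perturb 10
tc filter add dev $LAN_IF parent 1: protocol ip prio 1 handle $UPDATE_MARK fw flowid 1:20
EOF
}

# Sanity check before applying: the plan must create exactly three classes.
htb_class_count() {
    qos_commands | grep -c '^tc class add'
}

case "${1:-}" in
    --apply) qos_commands | sh ;;   # run as root on the router
    *)       qos_commands ;;        # dry run: print the commands only
esac
```

    Running the script without arguments prints the plan for review; `--apply` executes it on the router, and the dnsmasq line goes into dnsmasq.conf so the ipset is populated as clients resolve the update hosts.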

    1. Re:Don't block it, QoS it. by Port-0 · · Score: 3, Informative

      I did IT work for a private university for 14 years. I managed bandwidth by blocking certain protocols to various networks and hosts until Napster and the following peer-to-peer protocols; after a couple of years trying to manage bandwidth by blocking protocols, sites, advertising, etc., I gave up on that. Ultimately all of that damages the user's experience and increased my workload. It puts the IT guy in the position of chasing the users' behaviors, always responding to the latest fire, and worse, it put the IT guy in the position of determining what is important to the users, which it turns out is different for each class of user. So next I tried using one of the many products that allow the IT guy to create classes of users, classify traffic, apply rules by class, and build QoS rules based on all classes. Turns out this is the same nightmare with a prettier UI. I ultimately found the Net Equalizer (netequalizer.com); it is an elegant solution at a fraction of the cost. If you want to be the network nazi and control who uses what protocol, this isn't for you. But if you want to forget about bandwidth problems, this is it. It took about an hour to read the manual, play with options and plug it in, then I only touched it when we increased our bandwidth beyond its capacity a few years later. I don't work for the company or anything like that. It is just one device I bought that performed way beyond my expectations. Their web site has all the info about what it does and how. I would encourage everyone to check this out if you have less bandwidth than you feel you need.

    2. Re:Don't block it, QoS it. by Anonymous Coward · · Score: 2, Insightful

      I don't work for the company or anything like that.

      Really? Because in your entire post, while you praised the device (Service? Software?) plenty, you never actually said what it does.

  6. Re:3Mbps?!?? by The_Wilschon · · Score: 5, Funny

    Wasn't 3 Mbps "high-speed" ten years ago?

    --
    SIGSEGV caught, terminating

    wait... not that kind of sig.

  7. Consider caching instead by nemesisrocks · · Score: 5, Informative

    Since you're in such a remote area, your visitors very likely also have slow connections at home too. Why not cache the updates instead? You'll be contributing towards a safer, more secure internet.

    The first person who downloads them would cause a drain on the network, but at least all future attempts would be served up from your cache. You could even have a spare machine downloading the updates overnight, pre-populating the cache for your visitors, to reduce the burden updates cause during the day.

    I've used the instructions here with great success on Squid: http://wiki.squid-cache.org/SquidFaq/WindowsUpdate

    Apparently Apple iOS updates can be cached too, e.g.: http://lkrms.org/caching-ios-updates-on-a-squid-proxy-server/

    1. Re:Consider caching instead by mysidia · · Score: 2

      Since you're in such a remote area, your visitors very likely also have slow connections at home too. Why not cache the updates instead? You'll be contributing towards a safer, more secure internet.

      Not only that.... but malware can suck up your bandwidth just as fast, or faster than updates; the consequences of failing to update can over time be adverse to your own network's performance.

  8. Why just device updates? by ChaseTec · · Score: 3, Informative

    Any particular reason you've singled out device updates? Seems like you'd want to block or QoS all large or multi-range binary transfers. You should have a transparent caching proxy server in place (which is where you'll be able to inspect and block large transfers).

    --
    My Hello World is 512 bytes. But it's also a valid Fat12 boot sector, Fat12 file reader, and Pmode routine.

  9. Re:3Mbps?!?? by lactose99 · · Score: 2

    Hell, I still think the FCC counts it as high-speed even now in their broadband reports.

    --
    Fully licensed blockchain psychiatrist

  10. It's not the updates, it's the cloud sync by whoever57 · · Score: 2

    On our network, we have seen one Apple machine running at 20Mbps to the Internet for hours on end. I believe this is a cloud sync. Looking at QoS to throttle this, but the external IP addresses appear to be a disparate and unknown set, so will have to throttle the firewall -> LAN IP connection.

    --
    The real "Libtards" are the Libertarians!

  11. Re:3Mbps?!?? by queazocotal · · Score: 3, Interesting

    They are good for 30 miles - if there is a clear path.
    This is not just line of sight - but slightly more than this - the path cannot go just past obstacles.
    http://www.proxim.com/products/knowledge-center/calculations/calculations-fresnel-clearance-zone

    For a 30 mile link, the Fresnel zone reaches 100 feet in the middle of the link - if anything is in this zone, then the signal will be severely affected.
    Add to this the limitation of sight due to a non-flat horizon - 150 feet towers are needed just to get minimum line of sight.
    For flat land with trees up to 30 feet in places in the middle, for example, that adds up to a total of (100/2)+30+150 = 230 feet towers.

    If one end is at altitude - you still may need a significant tower in order to clear the Fresnel zone.

  12. Wide scale blocking. by Lumpy · · Score: 3, Interesting

    I strongly suggest you also block all the common advert servers such as doubleclick as they consume far more bandwidth than the updates do.

    --
    Do not look at laser with remaining good eye.

  13. Local update server by LMariachi · · Score: 2

    Mavericks Server has Caching Server 2, which I haven't personally used but their blurb for it sounds like exactly what you want, at least as far as Apple devices.

  14. Ditch the WRT by kroby · · Score: 4, Informative

    WRT is great for tinkering and home users, but good god, please don't put it in a production network. Get something like a SonicWALL or a FortiGate, learn to use it, and thank me later. QoS will get you nothing, there is no such thing as QoS on the internet. However, bandwidth management and throttling could help a lot. Before you can prioritize traffic you need to be able to identify it, and this is where life becomes much easier with a UTM appliance. You can prioritize by device type (MAC address), source, destination, protocol, or application. With application awareness you can easily see what is sucking up the most bandwidth, and it classifies all the traffic for you automagically based on signatures run against deep packet inspection. A caching proxy, as mentioned in other posts, would help speed up the internet and reduce bandwidth consumption. Something like Squid would work here, or you could go the appliance route. Bonus, with a UTM device you also get IDS/IPS, botnet filtering, gateway antivirus, spam filtering, RBL filter, content filtering, application control, SSL VPN, wireless controller, and more. They cost money, but you will not find these features for free, and if you do it is going to be a nightmare to manage.

  15. Re:it may not be available by mysidia · · Score: 2

    I just checked, and there are towns in my province (Canadian prairies) that only have 1.5 Mbps connectivity and most of the smaller places max out at 5 Mbps.

    Virtually... in any town, small or not, there is plenty of fiber and other telecommunications infrastructure. The telephone company essentially needs large digital trunks just to deliver basic phone service.

    If there are providers delivering 1.5 and 5 megabit connections to residents then they do have high-speed links in the area --- the provider has to have access to some high speed links in the first place in order to be able to offer 5 megabit connections.

    If significant bandwidth is available over wireless 4G, then again there must be nearby 4G towers in range of the area that also must have access to high-speed links.

    I'm not buying the "the infrastructure is not there" argument for those areas.

    Now: it may be unavailable for political reasons, or the school not willing to spend more than a few $100 a month for a 100 megabit private circuit to an IP transit provider.