The days of the fat, dumb pipe are over. Server applications and storage have been shouldering the intelligence and security burden for too long. It’s time for the network infrastructure itself to add some smarts. After all, when it comes to intelligence, the real beauty of the network is that it touches everything.
“The network is the one common element across the infrastructure,” says Rob Redford, vice-president of marketing for Cisco Systems Inc. “If it had more capability to look deeper inside application traffic, it would give us a better idea of what is being transacted and what information is flowing where, and it could play a more active role in helping organizations meet their business objectives.”
But what does network intelligence mean? According to Gartner research vice-president Mark Fabbi, it’s mostly about application awareness or what he calls “application fluency.”
“An application-fluent network knows not only what application is running; it also has knowledge of the syntax and semantics of the application and the elements of the transaction,” Fabbi says. “And it knows who is connecting, how they’re connecting, and with what device.”
The network already provides some intelligence today, say the infrastructure vendors, but mostly it’s on a piecemeal basis, with scores of specialized devices targeting local security, performance, and application issues. In the next five years, however, we may see a lot of these pieces come together, producing managed networks that are more intelligent from end to end.
“If you’re consolidating lots of servers and applications, you really have to start optimizing the delivery of traffic back out,” Fabbi says, adding that this is particularly true in an environment that favors browser-based applications. “These applications put a tremendous burden on the underlying network protocols and servers. Generic network design simply doesn’t work.”
Dealing with application delay
“Throwing bandwidth at the problem doesn’t solve the fundamental global network performance issue today, which is latency,” says David Willis, a Gartner senior analyst. “In cross-continental WANs, round-trip time can be as high as 50ms to 75ms, compared to 10ms on a LAN, while in a global network it could reach more than 250ms. When you consider that a single Web page can require as many as 10 or 20 different requests and responses, and then multiply that by thousands of Web pages and users with different connections and devices, you get the picture.”
Gartner estimates that in typical global networks running Web-based applications, WAN latency, not bandwidth, can be responsible for 50 per cent to 95 per cent of the total application delay. But performance isn’t the whole story.
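A constructed model, added here and not taken from the article or from Gartner, of the latency-versus-bandwidth split described above. It assumes each page object costs one round trip for TCP setup plus one for request and response, with `parallel` connections in flight at once; the object count, object size and 10 Mbps link are assumed values, while the round-trip times are the ones quoted in the article.

```python
import math

# Round-trip times quoted in the article (ms).
RTT_MS = {"lan": 10, "cross_continental": 75, "global": 250}

def page_load_model(rtt_ms, objects=20, bytes_per_object=20_000,
                    bandwidth_mbps=10, parallel=2):
    """Split a page load into latency-bound and bandwidth-bound time.

    Assumed model (constructed for this example): every object opens its own
    TCP connection (1 RTT handshake) and then needs 1 RTT for request/response,
    so 2 RTTs per object; `parallel` connections run at once, so the RTT cost
    is paid once per batch of `parallel` objects. Transfer time is the total
    bytes pushed through the link and does not depend on RTT at all.
    """
    rtts_per_object = 2
    batches = math.ceil(objects / parallel)
    latency_ms = batches * rtts_per_object * rtt_ms
    total_bits = objects * bytes_per_object * 8
    transfer_ms = total_bits / (bandwidth_mbps * 1000)   # Mbps -> bits per ms
    total_ms = latency_ms + transfer_ms
    return {
        "latency_ms": latency_ms,
        "transfer_ms": transfer_ms,
        "total_ms": total_ms,
        "latency_share": latency_ms / total_ms,
    }

def latency_share_by_network():
    """Latency's share of total page delay for each RTT the article quotes."""
    return {name: round(page_load_model(rtt)["latency_share"], 2)
            for name, rtt in RTT_MS.items()}

if __name__ == "__main__":
    for name, share in latency_share_by_network().items():
        print(f"{name:18s} latency share of page delay: {share:.0%}")
```

With these assumptions the transfer time is a fixed 320 ms whatever the distance, so latency's share climbs from well under half on the LAN to over 90 per cent on the global link, which is the range Gartner quotes for WANs.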
“On day zero of a new worm, software and intrusion prevention systems that rely on signatures don’t know anything about it,” says Brice Clark, worldwide director of strategic planning for HP’s ProCurve networking line. The network infrastructure can be a complementary layer of defence that detects traffic anomalies and halts malware propagation using rate limiting and connection delay.
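An added illustration of the rate limiting and connection delay Clark describes (example code written for this page, not HP's ProCurve implementation): a per-host throttle run over constructed connection records that lets a normally browsing host through and flags a host fanning out to new destinations far faster than the allowed rate. The flow sample, the rate of one new destination per second, the working-set size and the queue threshold are all assumed values.

```python
from collections import deque

# Constructed sample of new-connection attempts as (time_ms, source, destination).
# 10.0.0.5 browses a handful of servers; 10.0.0.9 behaves like a scanning worm,
# contacting a new destination every 100 ms.
FLOWS = [
    (0, "10.0.0.5", "10.0.1.20"),
    (500, "10.0.0.5", "10.0.1.21"),
    (3000, "10.0.0.5", "10.0.1.20"),
    (4000, "10.0.0.5", "10.0.1.22"),
] + [(100 * i, "10.0.0.9", f"10.0.2.{i}") for i in range(40)]

def virus_throttle(flows, rate_per_s=1, working_set=4, alert_queue=10):
    """Simplified virus throttling: rate-limit and delay *new* destinations per host.

    Per source host, connections to recently contacted destinations (the working
    set) pass at once. Connections to a destination not in the working set are
    allowed at `rate_per_s`; extra ones are queued (delayed, not dropped) and
    released as credit accrues. A queue longer than `alert_queue` is the anomaly
    signal: a normal host rarely builds one, a scanner does within seconds.
    Times are integer milliseconds so the accounting stays exact.
    """
    interval = 1000 // rate_per_s                 # credit cost of one new destination
    hosts = {}
    for t, src, dst in sorted(flows):
        h = hosts.setdefault(src, {"seen": deque(maxlen=working_set), "queue": [],
                                   "credit": interval, "last": t, "passed": 0,
                                   "delayed": 0, "released": 0, "alerted": False})
        h["credit"] += t - h["last"]              # credit accrues with elapsed time
        h["last"] = t
        while h["queue"] and h["credit"] >= interval:   # drain delayed connections
            h["seen"].append(h["queue"].pop(0))
            h["credit"] -= interval
            h["released"] += 1
        h["credit"] = min(h["credit"], interval)  # burst of at most one
        if dst in h["seen"]:
            h["passed"] += 1
        elif h["credit"] >= interval:
            h["credit"] -= interval
            h["seen"].append(dst)
            h["passed"] += 1
        else:
            h["queue"].append(dst)
            h["delayed"] += 1
            if len(h["queue"]) > alert_queue:
                h["alerted"] = True
    return {src: {"passed": h["passed"], "delayed": h["delayed"],
                  "released": h["released"], "pending": len(h["queue"]),
                  "alerted": h["alerted"]} for src, h in hosts.items()}

if __name__ == "__main__":
    for src, result in virus_throttle(FLOWS).items():
        print(src, result)
```

The browsing host sees a single delayed connection that is released within seconds, while the scanner is throttled to one new destination per second and raises the alert after about a second without any signature being involved.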
Jason Needham, product manager for F5 Networks, says the network is also a good place for user authentication and authorization. “If I’m a financial institution, it’s OK to do authorization at the application server. But wouldn’t I rather block unauthorized users before they get to the door?”
The proliferation of XML and SOA promises to magnify performance and security issues. XML is verbose and expensive to process, and it introduces security issues of its own. In fact, Cisco, HP, and vendors of network-based XML acceleration and security devices, such as Sarvega and Reactivity, will tell you that the network could offload a lot of XML processing, translation, and security from beleaguered servers. It could even take over some of the classic application and data-integration burden.
A new networking direction
The move toward network intelligence is actually coming from two directions: Leading the charge on one path are the established giants, while specialty vendors are marching up another front.
HP’s Clark describes his company’s ProCurve Adaptive EDGE architecture as a two-pronged approach. “You start with intelligence at the edge, where it needs to be located to support mobility and next-generation applications. Command comes from the centre, configuring the network continuously on the fly based on the identity of the user, the application, the connection, and the device.”
The ProCurve IDM (Identity Driven Manager) is unique to HP’s line. It enables the application of security, access control, QoS, VLAN enrollment, and performance settings based on the authenticated user or group of users, including their locations, the time of day, and other factors.
HP has also incorporated optional intelligent capabilities for its ProCurve 5300 series switches, including WLAN client authentication, WLAN access-point-to-access-point connection handoff, virus throttling, and encryption — features that were formerly offered only in dedicated WLAN switches. Clark says the next step will likely be deeper packet inspection to recognize applications and apply policies accordingly, even triggering packet-processing applications hosted in the switch, based on the user, device, or application.
“You can transcode a video stream for a PDA on the switch, rather than at the server, or encrypt a financial transaction,” Clark says. “The network is good at packet processing. Servers and operating systems aren’t.”
Cisco, on the other hand, has announced a three- to five-year plan for what it calls Application-Oriented Networking. Later this year, the company plans to provide AON blades for its Catalyst data-centre switches, as well as branch office routers that can actually read application-to-application messages (such as purchase orders) and route them intelligently according to predefined policies. So, for example, a US$50 order could be routed to a different server or get a different quality of service than a multimillion-dollar order would.
AON blades will also be able to take on much of the integration and translation normally performed by application middleware, thanks to partnerships with integration players like TIBCO Software and IBM, as well as integrated XML processing, translation, and security functions.
Cisco’s Redford also points out that the ability to inspect and route messages will lead to better visibility into transactions, resulting in improved security, compliance, and business-intelligence capabilities.
AON will also offer load balancing, caching, and compression services. Although all these services could slow down network traffic to some extent, Redford claims that the benefits would include much improved application performance and significantly lower integration costs (because any integration changes would be made on the switch, rather than across all the various interacting systems).
Smaller vendors, specialized gear
The networking giants, however, aren’t the only game in town. Smaller players in the load-balancing Layer 4-7 switch market, which include F5, FineGround, NetScaler, Radware, and Redline, offer products they call ADCs (application-delivery controllers) or WOCs (WAN Optimization Controllers). Many of these vendors have already been involved in application intelligence for several years and claim to have the corner on that kind of expertise.
ADC boxes sit in the data center in front of banks of servers. Originally they provided application load balancing and health checking, but over time their capabilities have grown to include off-loading communications-specific tasks, which general-purpose operating systems don’t do well, according to Joe Skorupa, research director at Gartner.
Many ADCs off-load functions like SSL termination and acceleration and TCP setup and shutdown, and they provide transaction security, application firewalls, caching, and compression. Often, these devices can be fine-tuned to optimize the performance of specific back-office applications, such as SAP, and can monitor and troubleshoot individual transactions.
“F5’s hardware can watch a request come in and, if the transaction fails, it can trap the error, send the message to the server administrator saying, ‘This transaction failed to this client from this server at this time, and here’s the code,’” Skorupa says. “Then it replays the transaction with another server. The user never sees the error.”
Vendors such as Allot Communications, Expand Networks, Packeteer, and Peribit Networks market WAN optimization controllers, which sit on the network at both the corporate headquarters and remote offices and use compression and TCP-acceleration tricks to overcome latency and other problems on the WAN. Skorupa says that the functions of these boxes will eventually be incorporated into ADCs and branch office routers. You can read more about WAN optimization appliances in “Wide-area Slowdown.”
Still another group of hardware and chip vendors is concentrating on the XML and Web-services space, working to incorporate into silicon and switches the XML processing capabilities currently available in specialized XML processing appliances from such players as Reactivity and Sarvega.
In fact, the range of product offerings from smaller vendors is compelling enough that the major networking vendors have launched a buying spree, with Cisco acquiring FineGround, Juniper engulfing Redline Networks and Peribit Networks, and Citrix scooping up NetScaler. But there’s still plenty of room for innovation outside the traditional networking vendors.
Whether network intelligence will eventually rest in switches or as an overlay of specialized devices depends on who you talk to. The appeal of incorporating these features into existing switches is obvious, but networking vendors have had trouble keeping up with the features offered by specialized appliance vendors in the past.
“Five years ago many people predicted that Packeteer would die because Cisco would take over much of its functionality,” says Gartner’s Willis.
“But it is still very much around. Changes in applications are faster than Moore’s Law and the specialized box companies are often better at keeping up.”