As SSL acceleration and load-balancing technologies have matured, the locus of their operations has moved from the server to network devices. And established vendors such as Cisco Systems Inc. have integrated the functionality of these technologies into their application switches. Now, packet inspection is giving birth to a host of new capabilities, including rate limiting, QoS (quality of service), and security functions, thanks to even deeper content-and application-awareness.
The promise of packet inspection has drawn the attention of both startups and existing switch vendors. For example, Vernier Networks Inc., a Mountain View, Calif. company spun off last year from Palo Alto, Calif.-based Packet Design Inc., has developed a special-purpose edge switch that effectively allows a network administrator to provision users based on a wide set of policies. Using what the company calls a Packet Inspection engine, Vernier’s AM 6000 Access Manager platform increases security and control by inspecting and filtering packets at high speeds, based on any packet-level attribute.
Salt Lake City-based startup Forum Systems is also in deep with packet switching. The one-year-old company’s Sentry 1500 appliance is designed to provide security in the world of Web services. Through packet inspection and proprietary software techniques, the Sentry 1500 is able to add selective encryption to XML data in transit, thus ensuring the data is secure and cannot be read while it passes through the server. Mamoon Yunus, CTO of Forum Systems, fully expects this type of technology to be found one day in switches, although it is just now being pulled from the server.
“I envision Cisco Systems and others anticipating this need, too, and then adding PCI cards to switches like they did with SSL and VPN,” Yunus says. Initial data switching attempts will be done by trying to bring XML-awareness to existing switching devices, he adds. But Yunus warns that it won’t be easy, at least initially. “Deeper inspection will cause more latency,” Yunus explains. “But the real bottleneck will be in the parsing of data.”
Future switches will parse the XML data in order to identify and validate it. So from a security perspective, enterprises will be able to ensure that the data being transmitted is what it claims to be. Such verification will become increasingly important as Web services proliferate and more and more applications follow the distributed model. To keep backlog at a minimum, the burden of performing this type of inspection and validation will have to be shouldered by a dedicated processor, but that would require the creation of new ASICs – something few startups would embark on today, especially as switching standards and techniques are still being created, Yunus says. Nonetheless, he believes that down the road core parsing will be done in next-generation switches to determine what is being switched and to ensure that the data-sharing process be done quickly, because software processes often add to latency.
Piling it on
On the traditional switch-vendor side, much of today’s design efforts focus on rate limiting or bandwidth control. Enterasys Networks Inc., for example, is using IEEE’s 802.1p standard in its SmartSwitch 2000 and SmartSwitch 6000 products. With 802.1p, a network administrator can limit the traffic coming into or out of any given port. Done in increments of between 0.5Mbps and 1Gbps, rate limiting is useful in enterprise switches to guarantee delivery of a particular application by prioritizing its traffic from both an inbound and outbound perspective. In essence, rate limiting is a QoS function done at Layer 2.
Along with rate limiting, packet switching, and improved security, companies are looking to pile more functionality into switches at the edges of their networks and into related devices, including appliances that augment routing protocols in order to take advantage of multiple service providers, lower costs, and improve performance. With networks becoming even more critical to business, handing off additional tasks to switches would be a step toward improving efficiency and optimizing the flow of network traffic.
But Judy Estrin, former CTO of Cisco Systems and a co-founder of Packet Design, cautions against adding more smarts to switches.
“I think there is a big risk in adding more features,” Estrin explains. “Many of the features are not needed, and it will only add management complexity. We can’t add technology for the sake of technology.”
According to Estrin, during the past five years, router and switch manufacturers have been focusing on enhancing performance by designing ASICs that make everything run faster. Instead, Estrin agrees with the approaches currently being undertaken by many startups, which add only important functionalities that won’t cause a bigger headache.
Forum Systems’ Yunus agrees. “We are concerned about complexity,” he says. “We’re trying to isolate features that don’t add management complexity but need to be removed from applications because they are commodity functions.”
F5 Networks couldn’t agree more. In a move similar to those of Forum Systems and Vernier Networks, F5 has opted for the software approach, adding functionalities to its family of appliances as customer requirements change.
“Customers want deeper inspection,” says Eric Giesa, director of product marketing at F5 Networks Inc. in Seattle. Giesa explains that the company is working on advanced security functions at the edge, going beyond SSL. “Customers want to provide access based on policy, and they want application-level security.”
Giesa adds that established switch vendors have expertise in hardware switching and therefore typically opt to design functionalities into their ASICs rather than use a software approach. In other words, it will be some time before established switch vendors get the hang of integrating functions that work on the application layer – Layer 7 – into their switches.
“Some of these larger companies will be a bit slow to get these technologies into switches,” Forum Systems’ Yunus says. He explains that vendors, such as Nortel Networks Corp. and Cisco, that focus on Layer 2 through Layer 5 will have to work hard to get their switches to quickly examine more than the first 64 bytes of the packet header in order to perform deeper inspection. “Hopefully that means an opportunity for us,” he adds.
The architecture of next-generation switches is still not known, but the work being done by startups is a good place to look for clues. Enterprises desire efficiency, and the idea of “smarter” network hardware that can take care of additional tasks makes sense in a tough economy. Although making switches content-or application-aware will not be easy, as these capabilities become more critical to business relationships, the changes will come.
Any discussion of next-generation switches and routers is bound to be confused by the fact that the next generation of network infrastructure devices has already begun to morph way beyond what could simply be called switches and routers.
Furthermore, the time has already come when it is pointless to differentiate between what constitutes a switch and what constitutes a router; they are essentially the same thing, although optimized for their distinct tasks. Routers are designed to direct traffic between networks, whereas switches direct traffic to specific network segments within a given network. But this is not a hard and fast rule. Switches, for example, may in some cases be used to move traffic between networks.
What’s going to happen in the next generation is that most remaining differences between switches and routers will disappear. In addition, these devices will gain new capabilities; eventually, they will become network infrastructure devices that will perform all of the functions of switches and routers. But they will move in other directions as well. For the most part, these new capabilities come just from where you’d expect: faster silicon. With switches and routers, new capabilities mean faster and more capable ASICs, although new network processors, such as those from Intel, are also adding significant processing capacity to network devices.
Naturally, these advances have improved the packet inspection capabilities of current network devices. In addition to keeping track of the state of a session, today’s devices can make sure that some types of sessions (such as e-commerce secure connections) are maintained so that the commerce activity isn’t interrupted. Likewise, today’s devices can look at packet contents to see what type of request it contains, and then direct the request to the appropriate destination, thus ensuring that requests for streaming media content, for example, go to a server that handles steaming media.
Good examples of the future of networking hardware are already being unveiled in the form of Layer 7 devices such as the NetScaler Inc. Request Switch 9000 iON. The Request Switch uses its Layer 7 inspection capabilities to select the Web server to which a particular HTTP request should be sent. It can tell whether the session is looking for an SSL server, handle SSL processing, detect security problems, and short-circuit DoS (denial of service) attacks.
What is this device? NetScaler calls it a switch, but it has attributes of an SSL appliance, a load balancer, a security appliance, and a router. It performs packet inspections and it can off-load some functions of a firewall. So what should we call it? Well, it’s one of the first of a coming wave of next-generation network infrastructure devices that are more than switches or routers and that use their capabilities of seeing inside packet payloads to manage and direct traffic.
Of course, there’s more to next-generation convergence than packet payloads. One good example is the Enterasys X-Pedition ER16 High-Capacity Switch Router. The very name of this device screams convergence, and a look at its features supports this conclusion. Starting at Layer 4, the ER16 supports QoS (quality of service) processing so that traffic can be prioritized. The switch can perform application load balancing and bandwidth allocation, and it can perform traffic filtering according to security access lists. And this is just the beginning.
When will we start seeing these capabilities in the switches, routers, or other devices in the corporate network? The answer is that they’re already on the way. Some products, such as the NetScaler switch, are already at the leading edge, and some, such as the Enterasys ER16, aren’t far behind. It won’t be long before the next generation of network devices will be the norm, and when that happens, the differences between switches and routers will be no more.