Raising your network's IQ

14/10/2005 15:24:29

The days of the fat, dumb pipe are over. Servers, applications and storage have been shouldering the intelligence and security burden for too long. It's time for the network infrastructure itself to add some smarts. After all, when it comes to intelligence, the real beauty of the network is that it touches everything.

"The network is the one common element across the infrastructure," says Rob Redford, vice president of marketing for Cisco Systems. "If it had more capability to look more deeply inside application traffic, it would give us a better idea of what is being transacted and what information is flowing where, and it could play a more active role in helping organisations meet their business objectives."

But what does network intelligence mean? According to Gartner research vice president Mark Fabbi, it's mostly about application awareness or what he calls "application fluency". "An application-fluent network knows not only what application is running; it also has knowledge of the syntax and semantics of the application and the elements of the transaction," Fabbi says. "And it knows who is connecting, how they're connecting, and with what device."

The network already provides some intelligence today, say the infrastructure vendors, but mostly it's on a piecemeal basis, with scores of specialised devices targeting local security, performance and application issues. In the next five years, however, we may see a lot of these pieces come together, producing managed networks that are more intelligent from end to end.

"If you're consolidating lots of servers and applications, you really have to start optimising the delivery of traffic back out," Fabbi says, adding that this is particularly true in an environment that favours browser-based applications. "These applications put a tremendous burden on the underlying network protocols and servers. Generic network design simply doesn't work."

It pays to think smart

"Throwing bandwidth at the problem doesn't solve the fundamental global network performance issue today, which is latency," says David Willis, a Gartner senior analyst. "In cross-continental WANs, round-trip time can be as high as 50ms to 75ms, compared to 10ms on a LAN, while in a global network it could reach more than 250ms. When you consider that a single Web page can require as many as 10 or 20 different requests and responses, and then multiply that by thousands of Web pages and users with different connections and devices, you get the picture." Gartner estimates that in typical global networks running Web-based applications, WAN latency, not bandwidth, can be responsible for 50 to 95 per cent of the total application delay. But performance isn't the whole story.

"On day zero of a new worm, software and IPSs that rely on signatures don't know anything about it," says Brice Clark, worldwide director of strategic planning for HP's ProCurve networking line. The network infrastructure can be a complementary layer of defence that detects traffic anomalies and halts malware propagation using rate limiting and connection delay.
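The anomaly-based throttling Clark describes, as an added illustration that is not HP's ProCurve code or any vendor's implementation: a per-source throttle on connections to new destinations, run over constructed flow records in which one host behaves normally and another fans out to 20 addresses within a second. The class name, parameters and sample addresses are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample flow records (seconds, source, destination); not real traffic.
NORMAL = [(0.0, "10.1.0.1"), (0.5, "10.1.0.2"), (1.0, "10.1.0.1"),
          (2.0, "10.1.0.3"), (3.5, "10.1.0.2"), (4.0, "10.1.0.1")]
SAMPLE_FLOWS = [(t, "10.0.0.5", d) for t, d in NORMAL] + \
               [(5.0 + i * 0.05, "10.0.0.9", f"10.2.0.{i + 1}") for i in range(20)]


class NewConnectionThrottle:
    """Hypothetical per-source throttle on connections to *new* destinations.

    Traffic to a recently used destination always passes; a source may open at
    most `rate` new destinations per second plus a `burst` allowance, and the
    excess is delayed (queued) rather than dropped, so a wrong verdict only
    slows a host down. Repeated delays raise an alert for the operator.
    """

    def __init__(self, rate=1.0, burst=3, working_set_size=8, alert_after=5):
        self.rate, self.burst, self.wss = rate, burst, working_set_size
        self.alert_after = alert_after
        self.recent = defaultdict(deque)                 # src -> recent destinations
        self.tokens = defaultdict(lambda: float(burst))  # src -> token bucket
        self.last_seen = {}                              # src -> time of last flow
        self.delayed = defaultdict(int)                  # src -> delayed-flow count

    def decide(self, t, src, dst):
        """Return 'pass', 'delay' or 'alert' for one flow record."""
        elapsed = t - self.last_seen.get(src, t)         # refill bucket by elapsed time
        self.last_seen[src] = t
        self.tokens[src] = min(self.burst, self.tokens[src] + elapsed * self.rate)
        if dst in self.recent[src]:
            return "pass"                                # known destination: never throttled
        if self.tokens[src] >= 1.0:
            self.tokens[src] -= 1.0
            self.recent[src].append(dst)
            if len(self.recent[src]) > self.wss:         # bounded working set per source
                self.recent[src].popleft()
            return "pass"
        self.delayed[src] += 1                           # over budget: queue this connection
        return "alert" if self.delayed[src] >= self.alert_after else "delay"


def run(flows, **kw):
    """Apply the throttle to flow records in time order; returns {src: {verdict: count}}."""
    th = NewConnectionThrottle(**kw)
    out = defaultdict(lambda: defaultdict(int))
    for t, src, dst in sorted(flows):
        out[src][th.decide(t, src, dst)] += 1
    return {src: dict(v) for src, v in out.items()}
```

With the defaults, the normal host's six flows all pass, while the fanning-out host gets three passes, four delays and then alerts for the remaining thirteen connections.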

Jason Needham, product manager at F5 Networks, says the network is also a good place for user authentication and authorisation. "If I'm a financial institution, it's OK to do authorisation at the application server. But wouldn't I rather block unauthorised users before they get to the door?"

The proliferation of XML and SOA promises to magnify performance and security issues. XML is verbose and costly to process, and it brings new security issues of its own. In fact, Cisco, HP and vendors of network-based XML acceleration and security devices, such as Sarvega and Reactivity, will tell you that the network could offload a lot of XML processing, translation, and security from beleaguered servers. It could even take over some of the classic application and data-integration burden.

A new networking direction

The move toward network intelligence is actually coming from two directions: leading the charge on one path are the established giants, while specialty vendors are marching up another front.

HP's Brice Clark describes his company's ProCurve Adaptive EDGE architecture as a two-pronged approach. "You start with intelligence at the edge, where it needs to be located to support mobility and next-generation applications. Command comes from the centre, configuring the network continuously on the fly based on the identity of the user, the application, the connection and the device."

The ProCurve IDM (Identity Driven Manager) is unique to HP's line. It enables the application of security, access control, QoS, VLAN enrolment, and performance settings based on the authenticated user or group of users, including their locations, the time of day, and other factors. HP has also incorporated optional intelligent capabilities for its ProCurve 5300 series switches, including WLAN client authentication, WLAN access-point-to-access-point connection handoff, virus throttling, and encryption -- features that were formerly offered only in dedicated WLAN switches.

Clark says the next step will likely be deeper packet inspection to recognise applications and apply policies accordingly, even triggering packet-processing applications hosted in the switch, based on the user, device or application.

"You can transcode a video stream for a PDA on the switch, rather than at the server or encrypt a financial transaction," Clark says. "The network is good at packet processing. Servers and operating systems aren't."

Cisco, on the other hand, has announced a three- to five-year plan for what it calls Application-Oriented Networking. Later this year, the company plans to provide AON blades for its Catalyst data-centre switches, as well as branch office routers that can actually read application-to-application messages (such as purchase orders) and route them intelligently according to predefined policies. So, for example, a $50 order could be routed to a different server or get a different quality of service than a multimillion-dollar order would.

AON blades will also be able to take on much of the integration and translation normally performed by application middleware, thanks to partnerships with integration players like TIBCO Software and IBM, as well as integrated XML processing, translation and security functions. Cisco's Redford also points out that the ability to inspect and route messages will lead to better visibility into transactions, resulting in improved security, compliance, and business-intelligence capabilities. AON will also offer load balancing, caching, and compression services. Although all these services could slow down network traffic to some extent, Redford claims that the benefits would include much improved application performance and significantly lower integration costs (because any integration changes would be made on the switch, rather than across all the various interacting systems).

Smaller vendors, specialised gear

The networking giants, however, aren't the only game in town. Smaller players in the load-balancing Layer 4-7 switch market, which include F5, FineGround, NetScaler, Radware and Redline, offer products they call ADCs (application-delivery controllers) or WOCs (WAN Optimization Controllers). Many of these vendors have already been involved in application intelligence for several years and claim to have the corner on that kind of expertise.

"We're the only ones that can inspect the entire flow, headers, and payload in both directions," says F5's Needham. ADC boxes sit in the data centre in front of banks of servers. Originally they provided application load balancing and health checking, but over time their capabilities have grown to include off-loading communications-specific tasks, which general-purpose operating systems don't do well, according to Joe Skorupa, research director at Gartner.

Many ADCs off-load functions like SSL termination and acceleration and TCP setup and shutdown, and they provide transaction security, application firewalls, caching, and compression. Often, these devices can be fine-tuned to optimise the performance of specific back-office applications, such as SAP, and can monitor and troubleshoot individual transactions.

"F5's hardware has the ability to watch a request come in and, if the transaction fails, it can trap the error, send the message to the server administrator saying, 'This transaction failed to this client from this server at this time, and here's the code,'" Skorupa says. "Then it replays the transaction with another server. The user never sees the error."

Vendors such as Allot Communications, Expand Networks, Packeteer and Peribit Networks market WAN optimisation controllers, which sit on the network at both the corporate headquarters and remote offices and use compression and TCP-acceleration tricks to overcome latency and other problems on the WAN. Skorupa says that the functions of these boxes will eventually be incorporated into ADCs and branch office routers.

Still another group of hardware and chip vendors is concentrating on the XML and Web-services space, working to incorporate the XML processing capabilities currently available in specialised XML processing appliances from such players as Reactivity and Sarvega.

Multiple strategies

In fact, the range of product offerings from smaller vendors is compelling enough that the major networking vendors have launched a buying spree, with Cisco acquiring FineGround, Juniper engulfing Redline Networks and Peribit Networks, and Citrix scooping up NetScaler. But there's still plenty of room for innovation outside the traditional networking vendors.

Whether network intelligence will eventually rest in switches or in an overlay of specialised devices depends on whom you ask. The appeal of incorporating these features into existing switches is obvious, but networking vendors have had trouble keeping up with the features offered by specialised appliance vendors in the past.

"Five years ago many people predicted that Packeteer would die because Cisco would take over much of its functionality," says Gartner's Willis. "But it is still very much around. Changes in applications are faster than Moore's Law and the specialised box companies are often better at keeping up." Gartner's Skorupa agrees. "You can put a blade in a switch, but that alone is not compelling," he says. "You have to ask yourself whether buying an integrated product gives you more benefit than a standalone solution with more features." For now it makes sense to take a targeted approach that solves the specific problems you're trying to solve, with an eye on how initiatives like HP's Adaptive EDGE and Cisco's AON develop.

Application-level standards are another piece missing from the puzzle. But despite the hurdles yet to overcome, the intelligent network train is definitely out of the station. It's just not clear what its final destination will be.

[sidebar] The dumb remote office

Management, compliance, and security concerns have made consolidation all the rage in large organisations, which have increasingly moved their applications and data from globally dispersed servers to a few centralised, tightly secured data centres. With the trend toward intelligent networks, we may one day see remote offices with very little intelligence of their own.

"We're finding that organisations want to pull more and more of their persistent data back into the data centre," says Joe Skorupa, research director at Gartner. "Whether the reason is Sarbanes-Oxley or the need to reduce operating overhead, they want as little as possible in the branch office."

As networks become better at managing application delivery and performance over the WAN, the prospect of moving just about everything into the data centre becomes much more practical.

"You'll no longer run any SQL Server or Microsoft Exchange in the branch," Skorupa says. "Instead, the branch office server may wind up running only DNS, DHCP, print services, and a domain controller. With the leftover processing, perhaps it can do some non-file-based caching or it can push for content delivery."

This will also become more practical as Microsoft starts allowing customers to build Windows servers with only the components they need. This will allow you to strip out some of the functionality that you don't need or components that may pose a security issue or administrative problem, Skorupa says.

Take this a little further, however, and maybe you don't need that Windows or Linux server at all. WOCs (WAN Optimization Controllers) are mostly built using off-the-shelf, PC-based platforms, because vendors lack the money for dedicated, optimised hardware platforms. At the central site, the WOC might be integrated into the application-delivery controller. At the branch office end it could be built right into the branch office router as a blade, and could conceivably take over DNS, DHCP, and print services, as well as caching, and TCP optimisation. The result is a dumbed-down, serverless branch office and a battle between former allies.

"You may see Cisco, Juniper, and HP competing with Microsoft, IBM, and Sun for control of the branch office," Skorupa speculates. "Cisco could say, 'Get rid of your branch office servers, plug this blade in your router, and we'll make the whole thing easier to integrate and manage.'" Sounds a little like the mainframe days, doesn't it?
