Building the intelligent network

Smart networks are sussed

The days of the fat, dumb pipe are over. Servers, applications and storage have been shouldering the intelligence and security burden for too long. It’s time for the network infrastructure itself to add some smarts. After all, when it comes to intelligence, the real beauty of the network is that it touches everything.

“The network is the one common element across the infrastructure,” says Rob Redford, vice president of marketing for Cisco Systems. “If it had more capability to look more deeply inside application traffic, it would give us a better idea of what is being transacted and what information is flowing where, and it could play a more active role in helping organisations meet their business objectives.”

But what does network intelligence mean? According to Gartner research vice president Mark Fabbi, it’s mostly about application awareness — or what he calls “application fluency”.

“An application-fluent network knows not only what application is running, it also has knowledge of the syntax and semantics of the application, and the elements of the transaction,” Fabbi says. “And it knows who is connecting, how they’re connecting and with what device.”

The network already provides some intelligence today, say the infrastructure vendors, but mostly on a piecemeal basis, with scores of specialised devices targeting local security, performance and application issues. In the next five years, however, many of these pieces may come together, producing managed networks that are more intelligent from end to end.

“If you’re consolidating lots of servers and applications, you really have to start optimising the delivery of traffic back out,” Fabbi says, adding that this is particularly true in an environment that favours browser-based applications. “These applications put a tremendous burden on the underlying network protocols and servers. Generic network design simply doesn’t work.”

It pays to think smart

“Throwing bandwidth at the problem doesn’t solve the fundamental global network performance issue today, which is latency,” says David Willis, a Gartner senior analyst. “In cross-continental WANs, round-trip time can be as high as 50ms to 75ms, compared to 10ms on a LAN, while in a global network it could reach more than 250ms. When you consider that a single web page can require as many as ten or 20 different requests and responses, and then multiply that by thousands of web pages and users with different connections and devices — you get the picture.”

Gartner estimates that in typical global networks running web-based applications, WAN latency, not bandwidth, can be responsible for 50% to 95% of the total application delay. But performance isn’t the whole story.
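The latency argument in the two paragraphs above reduces to a simple model: a page costs its serialisation time plus one round trip per request/response pair. The block below is an added example, not from the article or from Gartner; it applies that model to the RTT figures quoted above, with a constructed 500 KB page needing 20 round trips over a 10 Mbit/s link, and then compares what doubling bandwidth buys against halving the number of round trips.

```python
# Added example, not from the article: a small model of the claim that on a
# WAN the waiting time for round trips, not the transfer time, dominates the
# delay of a web page. Page size, bandwidth and round-trip counts below are
# constructed for illustration; the RTT figures are the ones quoted above.

SCENARIOS_RTT_S = {"LAN": 0.010, "continental WAN": 0.075, "global WAN": 0.250}


def total_delay(page_bytes, bandwidth_bps, round_trips, rtt_s):
    """Crude page-load model: serialisation time plus one RTT per request/response."""
    transfer_s = page_bytes * 8 / bandwidth_bps
    waiting_s = round_trips * rtt_s
    return transfer_s + waiting_s


def latency_share(page_bytes, bandwidth_bps, round_trips, rtt_s):
    """Fraction of the total delay spent waiting on round trips (0..1)."""
    waiting_s = round_trips * rtt_s
    return waiting_s / total_delay(page_bytes, bandwidth_bps, round_trips, rtt_s)


def compare_links(page_bytes=500_000, bandwidth_bps=10_000_000, round_trips=20):
    """Latency share of a 500 KB, 20-round-trip page over a 10 Mbit/s link."""
    return {name: round(latency_share(page_bytes, bandwidth_bps, round_trips, rtt), 3)
            for name, rtt in SCENARIOS_RTT_S.items()}


def savings_on_global_wan(page_bytes=500_000, bandwidth_bps=10_000_000,
                          round_trips=20, rtt_s=0.250):
    """Seconds saved by doubling bandwidth versus halving round trips (the
    latter is what caching, persistent connections and WAN optimisers aim at)."""
    base = total_delay(page_bytes, bandwidth_bps, round_trips, rtt_s)
    return {
        "double_bandwidth": round(base - total_delay(page_bytes, 2 * bandwidth_bps, round_trips, rtt_s), 3),
        "halve_round_trips": round(base - total_delay(page_bytes, bandwidth_bps, round_trips // 2, rtt_s), 3),
    }


if __name__ == "__main__":
    print(compare_links())
    print(savings_on_global_wan())
```

With these constructed inputs the round-trip share goes from a third on the LAN to over 90% on the global WAN, and doubling the link saves 0.2 s where halving the round trips saves 2.5 s, which is the point Willis is making.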

“On day zero of a new worm, software and IPSs that rely on signatures don’t know anything about it,” says Brice Clark, worldwide director of strategic planning for HP’s ProCurve networking line. The network infrastructure can be a complementary layer of defence that detects traffic anomalies and halts malware propagation using rate limiting and connection delay.
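The complementary layer Clark describes needs no signature: it watches how a host behaves. A fresh worm typically opens connections to many new destinations in a short time, which a normal workstation rarely does. The following block is an added example, not HP's or ProCurve's code; it keeps a per-source sliding window of distinct destinations and applies connection delay when the fan-out becomes unusual, then a hard rate limit when it keeps climbing. The thresholds, window and flow records are constructed for illustration and would be tuned per network.

```python
# Added example, not from the article or from HP: a behaviour-based throttle
# that slows and then rate-limits a host fanning out to many new destinations.
# Thresholds and flow records are constructed for illustration.
from collections import defaultdict, deque


class ConnectionThrottle:
    def __init__(self, window_s=1.0, delay_after=10, limit_after=30, delay_s=0.5):
        self.window_s = window_s        # sliding window length
        self.delay_after = delay_after  # distinct destinations before delaying
        self.limit_after = limit_after  # distinct destinations before dropping
        self.delay_s = delay_s          # how long a delayed connection is held
        # per source: deque of (timestamp, dst) for destinations first seen in the window
        self.recent = defaultdict(deque)

    def _prune(self, src, now):
        q = self.recent[src]
        while q and now - q[0][0] > self.window_s:
            q.popleft()

    def decide(self, src, dst, now):
        """Return (verdict, seconds_to_hold); verdict is allow, delay or limit."""
        self._prune(src, now)
        q = self.recent[src]
        if dst not in {d for _, d in q}:
            q.append((now, dst))          # only *new* destinations count
        fanout = len(q)
        if fanout > self.limit_after:
            return "limit", None          # drop the connection attempt
        if fanout > self.delay_after:
            return "delay", self.delay_s  # hold it: propagation slows, users barely notice
        return "allow", 0.0


def run(flows, throttle=None):
    """Apply the throttle to (time, src, dst) flow records; count verdicts per source."""
    throttle = throttle or ConnectionThrottle()
    verdicts = defaultdict(lambda: defaultdict(int))
    for t, src, dst in sorted(flows):
        verdict, _ = throttle.decide(src, dst, t)
        verdicts[src][verdict] += 1
    return {s: dict(v) for s, v in verdicts.items()}


# Constructed flows: a normal workstation talking to two servers, and a host
# sweeping forty addresses in a /24 within 0.4 s.
FLOWS = [(0.1, "10.0.0.5", "10.0.1.20"), (0.2, "10.0.0.5", "10.0.1.21"),
         (0.3, "10.0.0.5", "10.0.1.20")]
FLOWS += [(0.01 * i, "10.0.0.99", f"10.0.2.{i}") for i in range(1, 41)]

if __name__ == "__main__":
    print(run(FLOWS))
```

The ordinary host is never touched, while the sweeping host gets its first ten connections through, the next twenty held for half a second each and the rest dropped. Counting distinct destinations rather than raw connections is what keeps a busy but legitimate client (many requests to one server) from tripping the limit.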

Jason Needham, product manager at F5 Networks, says the network is also a good place for user authentication and authorisation. “If I’m a financial institution, it’s okay to do authorisation at the application server. But, wouldn’t I rather block unauthorised users before they get to the door?”

New networking direction

The move toward network intelligence is actually coming from two directions. Leading the charge on one path are the established giants, while specialty vendors are marching up another front.

HP’s Brice Clark describes his company’s ProCurve Adaptive EDGE architecture as a two-pronged approach. “You start with intelligence at the edge, where it needs to be located to support mobility and next-generation applications. Command comes from the centre, configuring the network continuously on the fly based on the identity of the user, the application, the connection and the device.”

Clark says the next step will likely be deeper packet inspection to recognise applications and apply policies accordingly, even triggering packet-processing applications hosted in the switch, based on the user, device or application.

“You can transcode a video stream for a PDA on the switch, rather than at the server or encrypt a financial transaction,” Clark says. “The network is good at packet processing. Servers and operating systems aren’t.”

Cisco, on the other hand, has announced a three- to five-year plan for what it calls Application-Oriented Networking. Later this year, the company plans to provide AON blades for its Catalyst datacentre switches, as well as branch office routers that can actually read application-to-application messages (such as purchase orders) and route them intelligently according to predefined policies. So, for example, a $50 order could be routed to a different server or get a different quality of service than a multimillion-dollar order would.

AON blades will also be able to take on much of the integration and translation normally performed by application middleware, thanks to partnerships with integration players like TIBCO Software and IBM, as well as integrated XML processing, translation and security.

Cisco’s Redford also points out that the ability to inspect and route messages will lead to better visibility into transactions, resulting in improved security, compliance and business-intelligence capabilities. AON will also offer load balancing, caching and compression services. Although all these services could slow down network traffic, Redford claims the benefits would include much improved application performance and lower integration costs (because any integration changes would be made on the switch, rather than across all the various interacting systems).

Smaller vendors

The networking giants, however, aren’t the only game in town. Smaller players in the Layer 4-7 load-balancing switch market, including F5, FineGround, NetScaler, Radware and Redline, offer products they call ADCs (application-delivery controllers) or WOCs (WAN optimisation controllers). Many of these vendors have been working on application intelligence for several years and claim to have cornered that kind of expertise.

“We’re the only ones that can inspect the entire flow, headers and payload in both directions,” says F5’s Needham.

ADC boxes sit in the datacentre in front of banks of servers. Originally they provided application load balancing and health checking, but over time their capabilities have grown to include offloading communications-specific tasks that general-purpose operating systems don’t do well, according to Joe Skorupa, research director at Gartner. Many ADCs offload functions such as SSL termination and acceleration and TCP connection setup and teardown, and they provide transaction security, application firewalls, caching and compression. Often these devices can be fine-tuned to optimise the performance of specific back-office applications such as SAP and can troubleshoot individual transactions.

“F5’s hardware has the ability to watch a request come in and, if the transaction fails, it can trap the error and send the message to the server administrator saying: ‘This transaction failed to this client from this server at this time, and here’s the code,’” Skorupa says. “Then it replays the transaction with another server. The user never sees the error.”
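The trap-and-replay behaviour Skorupa describes is easy to sketch in code. The block below is an added example, not F5's product or code: an in-process dispatcher sends a request to one backend, records a structured error for the administrator when the server fails, and replays the request to another server. It also handles one caveat the quote does not mention: a request that is not safely repeatable (a POST with no idempotency key) is not replayed, because the first server may have committed it before failing. Backends, requests and the idempotency-key convention are constructed for illustration.

```python
# Added example, not from the article or from F5: trap a server-side error,
# log it for the administrator and replay the request on another backend,
# but only when the request is safe to repeat. Everything here is constructed.
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Request:
    client: str
    method: str
    path: str
    idempotency_key: Optional[str] = None  # constructed convention for safe POST retries

    def replayable(self) -> bool:
        """Idempotent methods, or a POST the client has keyed, may be replayed."""
        return self.method in {"GET", "HEAD", "PUT", "DELETE"} or self.idempotency_key is not None


@dataclass
class Dispatcher:
    backends: Dict[str, Callable[[Request], Tuple[int, str]]]
    errors: List[dict] = field(default_factory=list)  # what the admin would be sent

    def send(self, req: Request, order: List[str]):
        """Try backends in order; returns (status, body, server_that_answered)."""
        last = None
        for name in order:
            status, body = self.backends[name](req)
            last = (status, body, name)
            if status < 500:
                return last
            # Trap the error: client, server, time and code, as in the quote.
            self.errors.append({"client": req.client, "server": name, "path": req.path,
                                "time": time.time(), "code": status})
            if not req.replayable():
                break  # the failed server may have committed it; surface the error instead
        return last


# Constructed backends: web1 is broken, web2 is healthy.
def flaky(req: Request):
    return 503, "upstream down"


def healthy(req: Request):
    return 200, f"ok from web2 for {req.path}"


BACKENDS = {"web1": flaky, "web2": healthy}


def demo():
    d = Dispatcher(BACKENDS)
    order = ["web1", "web2"]
    get = d.send(Request("203.0.113.7", "GET", "/balance"), order)
    post = d.send(Request("203.0.113.7", "POST", "/transfer"), order)
    keyed = d.send(Request("203.0.113.7", "POST", "/transfer", idempotency_key="7f3a"), order)
    return {"get": (get[0], get[2]), "post": (post[0], post[2]),
            "post_keyed": (keyed[0], keyed[2]), "errors_logged": len(d.errors)}


if __name__ == "__main__":
    print(demo())
```

The GET and the keyed POST come back from web2 with no error visible to the user, while the plain POST is returned as a 503 with its error trapped; all three failures are on the administrator's list.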

Vendors such as Allot Communications, Expand Networks, Packeteer and Peribit Networks market WAN optimisation controllers which sit on the network at both the corporate headquarters and remote offices and use compression and TCP-acceleration tricks to overcome latency and other problems on the WAN. Skorupa says these functions will eventually be incorporated into ADCs and branch office routers.

Still another group of hardware and chip vendors is concentrating on the XML and web services space, working to build into their own hardware the XML processing capabilities currently found only in specialised XML processing appliances.

Multiple strategies

In fact, the range of product offerings from smaller vendors is compelling enough that the major vendors have launched a buying spree, with Cisco acquiring FineGround, Juniper engulfing Redline Networks and Peribit Networks, and Citrix scooping up NetScaler. But there’s still plenty of room for innovation.

Whether network intelligence will eventually rest in switches or as an overlay of specialised devices depends on who you talk to. The appeal of incorporating these features into existing switches is obvious, but networking vendors have had trouble keeping up with the features offered by specialised appliance vendors in the past.

“Five years ago many people predicted that Packeteer would die because Cisco would take over much of its functionality,” says Gartner’s Willis. “But it is still very much around. Changes in applications are faster than Moore’s Law and the specialised box companies are often better at keeping up.”

Gartner’s Skorupa agrees. “You can put a blade in a switch, but that alone is not compelling,” he says. “You have to ask yourself whether buying an integrated product gives you more benefit than a standalone solution with more features.” For now it makes sense to take a targeted approach that solves the specific problems you’re trying to solve, with an eye on how initiatives like HP’s Adaptive EDGE and Cisco’s AON develop. Application-level standards are another piece missing from the puzzle. But despite the hurdles yet to overcome, the intelligent network train is definitely out of the station. It’s just not clear what its final destination will be.