
Friday, December 18, 2009

SoftADC - Future is here! (Part 1)

In my last article, I wrote about the different types of virtualization and which is best for an ADC. SoftADC is a software version of an ADC product. It can be classified further into:
1) Software that runs as a virtual appliance on generic hardware on top of a hypervisor such as VMware, Xen or Hyper-V.
From VMware's website, three vendors provide a softADC:
- Zeus
- JetNexus
- Citrix Netscaler

2) Software that runs in an environment that provides virtualization customized for running networking appliances.
- Nortel/Radware Virtual Services Switch

Most ADC vendors have shown an inclination towards the first type of softADC. The customized virtualization environment does not seem to have been successful so far. The reason could be that the attempt was not well executed, or it could be Nortel's financial crisis. I will leave that to your analysis.

But I back the idea of customized networking virtualization, as it is designed to provide high efficiency for networking virtual appliances like firewalls, SSL accelerators, Application Delivery Controllers, IPS etc.:
- Built-in hardware support for SSL acceleration
- The advantages of both resource virtualization and network virtualization
- A simplified hypervisor suited to networking appliances, so less overhead
- The ability to run a chain of virtual appliances for a given client connection (for example: Firewall - SSL - Firewall - IPS - SSL)

SoftADC has its own advantages. Since it runs on generic hardware and works with established cloud computing infrastructure, it is simple to configure and manage from an administrator's point of view. The performance it can generate suits small to medium scale businesses. It is also scalable: add more cores and gain performance.

Some softADCs seem to have identified the bottlenecks associated with running on generic hardware. For example, Zeus supports SSL acceleration in hardware when it is available.

SoftADCs are here to stay, especially in this era of cloud computing. The business requirements will define what type of SoftADC to deploy.

Wednesday, March 11, 2009

Future talk - What ADCs need to replace IDP?

A few weeks back there was a question on a load balancing mailing list:
"What is the difference between an ADC and a load balancer?" I would say
the ADCs are the next generation of load balancers. ADCs are capable of
doing more jobs than just server load balancing. The present generation
of ADCs implement
a) Application compression and optimization
b) Application validation by protocol anomaly detection
c) Improved network utilization through TCP connection pooling
d) XML parsing and validation

Some implementations went beyond that and started modifying application
data based on user inputs. In summary, the ADC products are doing a
sort of application protection, like Intrusion Detection and Prevention
(IDP) devices.

With all these features, ADCs became multi-functional. And the market
and the experts too feel that this is the end of load balancing and
the emergence of the ADC market.


The first generation of load balancers did not use a TCP stack.
They were not vulnerable to TCP/IP exploits and, fortunately, that way
they gained huge performance, with no stack overhead and in some cases
no operating system overhead. The current generation of load balancers,
called ADCs, run application proxies. The ADCs require a network stack
as well as application intelligence to do the application processing,
compression, validation etc. All these features have now opened up many
vulnerabilities. Cross site scripting (XSS), TCP vulnerabilities etc.
have now started appearing in ADC products.
Check out the BigIP and Netscaler vulnerabilities. ADCs should be
written following secure coding standards, leaving no scope for buffer
overflows and other stack exploits, and evolve further.

ADCs do have protocol anomaly detection, but it is not as thorough as
in IDP devices. ADCs do have the potential to replace the IDP, provided
they implement the following to evolve into the next league:
a) Statistical anomaly detection
b) Protocol anomaly detection algorithms
c) Signature based detection
d) Automatic live updates for the signatures and software updates
e) Useful reporting to detect zero day attacks

Most of the ADCs in the market do have protocol anomaly detection. That
is not sufficient; they should also have live signature updates to stop
newly found application exploits before the admins patch the server
applications. Currently, admins still depend on the IDP to prevent
exploits even when ADCs have application firewalls and protocol anomaly
detection. It will not be long before we see ADCs competing with IDP
devices.

Application Delivery Controller and cloud integration

My colleagues ask me this question: "what is needed to integrate
application delivery controllers into cloud computing data centers?"
I happened to read about a switch vendor claiming cloud computing ready
layer 2 switches. After going through their website, I felt there is
nothing special they do compared to their competitors; they just market
it with eye catching cloud computing terms.

Coming to the load balancer market, vendors tell customers that
application intelligence, optimization and complex configuration tools
are needed for cloud computing. There are specialized devices to do
those jobs. Let the application delivery controller not mess with
applications by talking their language.


In my opinion, any network vendor claiming to be cloud ready should
have the following.


Scalability: Generally, load balancers support up to 1024 real servers.
That is not enough to position a load balancer in cloud data centers,
where there will be several thousand servers running. The load balancer
must scale to several thousand real servers, virtual servers,
IP interfaces etc.
The load balancer must not be a bottleneck to the cloud's performance.
For example, the load balancer should be able to do health checks for
thousands of servers without its CPU going to 100%.
It should be able to support a huge routing table and session table to
handle the huge traffic expected in cloud data centers.


Ease of configuration: The load balancers must support a simple XML
interface that allows external management applications to configure
the load balancer settings. For example, many LB vendors came up with
applications to work with VMware's VirtualCenter (VC). Those tiny
applications work with VC and add new servers to the server farm when
there is huge traffic. Cloud data centers do not just have load
balancers and servers; they comprise many network devices, and all
these network devices have to be managed in a simple way.
Instead of independently making the decision to add a new server to
the server farm, load balancers must provide a simple XML interface
for more capable external applications that can understand and talk
to many more network devices. Load balancers must evolve to be
virtualization vendor independent.


Virtualized CLI and reports: The CLI must be remotely administrable
and integrated with the cloud computing management tool of choice. The
CLI should be virtualized so that a subscriber of the cloud data center
sees only their own settings, as if the box were dedicated to them. The
reports generated must be customized per subscriber. That makes it easy
for the administrators to manage; for example, the admin may want to
decommission it after a specific job is completed. If the reports are
customized, then the admins can calculate the cost per subscriber based
on the usage of the services, bandwidth consumed etc.
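As an added example (my own sketch, not any vendor's code), here is how the XML management interface from the previous point and the virtualized "show" plus per-subscriber report from this one could fit together in Python. The element names, the 4096-server cap and the in-memory model are all assumptions; the point is that the subscriber identity is taken from the management session, not from the XML, so one tenant can never see or change another's farms.

```python
import ipaddress
import xml.etree.ElementTree as ET

MAX_SERVERS_PER_FARM = 4096  # constructed cap; the article asks for "several thousand"


class TenantScopedLB:
    """Hypothetical in-memory ADC model: farms and usage are keyed by owning subscriber."""

    def __init__(self):
        self.farms = {}  # (tenant, farm_name) -> list of (ip, port, weight)
        self.usage = {}  # (tenant, farm_name) -> bytes served

    def apply_xml(self, tenant, xml_text):
        """Apply one <lb-config> request from an external management application.
        `tenant` comes from the authenticated session, never from the XML body."""
        root = ET.fromstring(xml_text)  # ElementTree does not fetch external entities
        if root.tag != "lb-config":
            raise ValueError("unexpected root element %r" % root.tag)
        summary = {}
        for farm_el in root:
            if farm_el.tag != "farm" or "name" not in farm_el.attrib:
                raise ValueError("expected <farm name=...>, got %r" % farm_el.tag)
            servers = self.farms.setdefault((tenant, farm_el.attrib["name"]), [])
            for op in farm_el:
                if op.tag not in ("add-server", "remove-server"):
                    raise ValueError("unknown operation %r" % op.tag)  # reject, never ignore
                ip = str(ipaddress.ip_address(op.attrib["ip"]))  # raises on non-addresses
                port, weight = int(op.attrib["port"]), int(op.attrib.get("weight", "1"))
                if not (0 < port < 65536 and weight > 0):
                    raise ValueError("bad port or weight for %s" % ip)
                if op.tag == "add-server":
                    if len(servers) >= MAX_SERVERS_PER_FARM:
                        raise ValueError("farm %s is full" % farm_el.attrib["name"])
                    if (ip, port, weight) not in servers:
                        servers.append((ip, port, weight))
                else:
                    servers[:] = [s for s in servers if s[:2] != (ip, port)]
            summary[farm_el.attrib["name"]] = len(servers)
        return summary

    def record_traffic(self, tenant, farm_name, nbytes):
        self.usage[(tenant, farm_name)] = self.usage.get((tenant, farm_name), 0) + nbytes

    def show(self, tenant):  # virtualized 'show farms': only the caller's farms appear
        return {name: list(s) for (t, name), s in self.farms.items() if t == tenant}

    def report(self, tenant):  # per-subscriber chargeback: servers and bytes per farm
        return {name: {"servers": len(s), "bytes": self.usage.get((t, name), 0)}
                for (t, name), s in self.farms.items() if t == tenant}
```

A real interface would also validate requests against a schema and authenticate the session that supplies the tenant name; both are left out here to keep the example short.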

The above are a few things that are mandatory for load balancers to be
deployed immediately in cloud computing data centers.