Careful consideration a must when seeking an appliance to fit your needs

Nearly a decade ago, I opened a box that had arrived by FedEx. There, buried in Styrofoam dunnage, was a Proctor-Silex “toaster,” emblazoned with the name of a firewall manufacturer. The implication was that installing their firewall was about as difficult as installing a toaster: All you had to do was plug it in and it would work.

The firewall company didn’t last very long — their product was a lot harder to use than a toaster and the results weren’t nearly as tasty. But the age of networked appliances had begun. Unfortunately, the makers of these appliances clung to the fiction of toaster-like ease of use for years.

Now, at least, reality has set in and overcome that fiction. It’s not that appliances are necessarily hard to use, but their real strength is in what they’re designed to do. In short, a properly designed appliance can do one thing very, very well. In fact, it may be able to do its one thing so well that there’s nothing else nearly as good for that task.

The problem with appliances in general is that they must be set up and configured, and they must be managed. Normally, this isn’t particularly difficult to accomplish, as long as you look at each appliance on its own terms. But when you consider an entire enterprise, where appliances may be present in large numbers and great variety, the picture changes. This is because, for the most part, each appliance has its own unique means of setup and configuration and its own management interface. The possibilities for misconfiguration and other errors can grow to immense proportions.

So why bother using an appliance for something you can do just as easily with applications for Windows or Linux? The answer usually boils down to performance and cost. Because an appliance is designed to do one thing well, all its actions have one purpose. And because you’re getting exactly the hardware and software you need with no extras, costs can be kept down.

An edge appliance, however, is more than just a large container of ASICs that handle whatever task the design mandates. Classifying appliances as pure hardware implies a stable, reliable, and secure solution. In reality, most appliances that we see in the Test Center these days are the same 1U Intel-based servers that you see for general-purpose Windows, Linux, or Unix servers. The difference is purely in the software, oftentimes just an application running on a specialized Linux or Unix OS (usually one that has had all functionality removed but what the appliance requires). Occasionally you’ll even see appliances that, deep down inside, run Windows.

So what do these devices actually do? As is the case with everything else involving appliances in this world, that depends on their specific purpose.

Security Devices

Most likely, you already know about edge-security appliances. The firewalls that live on the edge of your network between your enterprise and the barbarians on the Internet are probably appliances. Because they must be fast enough to handle all of the traffic between your company and the outside world, a purpose-built device is normally needed. But that doesn’t mean you always get the standard 1U solution. Check Point, for example, will send you a CD-ROM, and you create your own firewall appliance by popping it into an Intel-based computer you already own and turning the computer on. Nearly as fast as you can say “Shazzam!” you have your firewall.

But security devices are more than just firewalls. There are intrusion-detection appliances, intrusion-prevention appliances, and packet-inspection appliances. Right now, the hot new items are appliances that constantly monitor the entities attached to your network, ranging from servers to switches, for suspicious changes that might have been caused by worms, viruses, or hackers.

Management Devices

Sometimes a full-fledged management framework, such as OpenView or Tivoli, isn’t right for your network or for your cash flow. On the other hand, you still need to keep up with basic network operations. Network management appliances consolidate the management tasks and the event-monitoring tasks and present them such that you can keep an eye on everything.

One interesting approach in appliances of this type was with NOCPulse (see “Monitoring health,” July 22, page 23). After you set up a NOCPulse appliance, NOCPulse monitors your network and reports the results to an off-site management center. NOCPulse’s management center staff can alert you when something goes wrong, and you can monitor your network yourself from the company’s Web site. Because of NOCPulse’s design, the monitoring center can keep tabs on your network both from the inside (because the appliance sends reports through your firewall) and from the outside, where those barbarians are doing their evil deeds.

Performance Enhancement

It’s sobering to see what happens to a Web server once it’s asked to also handle SSL. The process of decrypting SSL immediately soaks up about 90 percent of the server’s CPU capacity. To handle the same traffic load you handled pre-SSL, you’ll need 10 times as many servers. Ouch.

Intel developed an early SSL accelerator a few years ago that, for a few hundred dollars, would decrypt an SSL session and pass the information to the Web server in clear text. Since then, SSL acceleration has become a standard part of many appliances, ranging from application firewalls to load balancers. Those devices now frequently contain the ability to perform XML acceleration as well, taking care of the additional load XML places on the Web server’s CPU.

Traffic Management

If you’re going to enhance performance, it helps to also know what traffic needs enhancement and what traffic does not. A class of appliances that manages your traffic by sending the right types to the right destinations can do a lot to keep your network performing up to snuff.

Products such as the NetScaler Request Switch can inspect the contents of traffic entering your network, and then — depending on what it finds — direct it to the proper server or appliance (see “Switching and beyond,” /article/02/08/02/020805fenetscaler_1.html). This allows you to aim traffic at the devices that can best handle it, improving your overall network efficiency.

Load Balancers

Whereas traffic management devices sort traffic according to the characteristics of what’s inbound, load balancers take their cues from what’s happening on the servers. These appliances can monitor the performance of a server — and in some cases, the cost of the route to that server — and choose a destination that will maximize performance or minimize cost, or both.

Because of the volume of traffic that must pass through these devices, load balancers must have very high performance. Going forward, the line between traffic management devices and load balancers will likely blur, because their functions are so complementary that a combination of the two tasks makes sense for users.

Storage

You have to keep all of that information somewhere, and one solution is to offload storage processing from the servers to specialized storage appliances. These devices may be something as commonplace as the NAS devices from Iomega (see “Storage made simple,” July 29, page 36); or they may be specialized SQL managers, where you’re most likely to see a Windows solution in an appliance.

Taking the plunge

Just about any application that can be tweaked to perform well and work on a 1U Intel server can be turned into an appliance. You’ll find dozens of industry-specific appliances ranging from telephony to manufacturing, all of which promise to perform better and cost less than a similar product that might run on a standard general-purpose computer.

The question then becomes whether you really need an appliance. In some cases, that’s pretty easy to figure out: Yes, you need a firewall, and you probably want an appliance to do that at the point where your network and the Internet come together. On the other hand, if you don’t do SSL or XML, then you obviously don’t need an accelerator for that. Do you need an intrusion-detection appliance, or is a copy of Snort running on a Linux box sufficient?

Decisions on other appliance types depend on the demands of your network and your willingness to get involved with the inner workings of your solution. Again, it comes down to cost (time and resources) vs. performance gains.

Regardless of the appliance you’re considering, it pays to learn in detail what’s required to make the appliance part of your enterprise. How exactly does it work? What exactly does it do? How hard is it to manage? Does it have the performance required for your network? Can you handle the implementation yourself? Once you’ve answered those questions, you can approach appliances intelligently. Done right, an appliance can dramatically improve the operation of your network. Done wrong, it won’t.