Web applications, e-mail attachments and files can quickly consume WAN bandwidth when a network must serve users at many locations, and slowdowns can lead to demands for expensive upgrades.
One of the best ways to reduce the cost of supporting IT services at multiple locations and branch offices is server consolidation, especially when combined with server virtualization. After all, consolidating multiple branch-office servers into one or a few machines can result in significant and easy-to-tally savings.
But how can agencies accommodate growth in bandwidth demand and support projects that promise cost savings, such as server consolidation, while holding spending down? And what can IT do to appease users who want swifter response times and faster file transfers?
The answer is to use a combination of bandwidth management, WAN optimization and application acceleration techniques. Together, they can significantly reduce bandwidth demands and improve service. WAN optimization controllers (WOCs) combine these tools, and many major network manufacturers produce WOC devices, including Blue Coat Systems, Cisco Systems, Citrix Systems, Juniper Systems and Riverbed Technology.
The most significant way that WOCs reduce bandwidth is by a technique called dictionary compression. Dictionary compression reduces the bandwidth needed to send files and large amounts of data by a factor of 10 to 30. It’s the key to successful server consolidation.
Dictionary compression works by learning patterns in the data. The WOC automatically monitors the traffic flow, learning short sequences of data and storing them. When it sees a pattern it has learned, it removes the pattern and substitutes a reference number. A receiving WOC, which is automatically learning the same patterns and reference numbers, removes the reference number and puts the data pattern back in the packet.
For example, the first time the file is sent there is no reduction as both WOCs learn the pattern. When someone else requests the same file or a file that has the same patterns, the WOC is able to substitute a series of reference numbers for the patterns. If there was a change to the file, then only the changes are sent, along with the reference numbers for the patterns that didn’t change.
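The two-sided learning described above, as an added illustration that is not any vendor's implementation: a sending and a receiving endpoint each keep a store of learned byte patterns, the sender replaces patterns it has already seen with short references, and the receiver expands them. The chunk boundaries are content-defined (a fingerprint over a sliding window) so that an edit in the middle of a file disturbs only the chunk it lands in, which is what makes the third transfer below travel as "changes plus references". Chunk sizes, the reference cost and the sample file are all constructed for the demonstration; note that the pattern store holds real file content, which is the concern step 7 raises.

```python
"""Toy model of WOC dictionary compression (added illustration, not a vendor's code).
Both endpoints learn chunks of the byte stream; the sender substitutes references for
chunks it has seen before and the receiver puts the bytes back."""
import hashlib
import random
import zlib

WINDOW = 16        # bytes fingerprinted to decide a chunk boundary
AVG = 64           # boundary when fingerprint % AVG == 0 (roughly one per 64 bytes)
MIN_CHUNK = 32     # never cut a chunk shorter than this
MAX_CHUNK = 256    # always cut at this length
REF_COST = 8       # bytes a reference occupies on the WAN in this model (assumed)


def chunk_data(data: bytes) -> list:
    """Split data into content-defined chunks so an insertion shifts only one chunk."""
    chunks, start = [], 0
    for i in range(len(data)):
        length = i - start + 1
        if length < MIN_CHUNK:
            continue
        fingerprint = zlib.adler32(data[i - WINDOW + 1:i + 1])
        if length >= MAX_CHUNK or fingerprint % AVG == 0:
            chunks.append(data[start:i + 1])
            start = i + 1
    if start < len(data):
        chunks.append(data[start:])
    return chunks


class Woc:
    """One WAN optimization controller endpoint with its learned pattern store."""

    def __init__(self):
        # reference -> raw bytes. This is the 'dictionary database': it contains
        # actual file content, so it must be protected like the files themselves.
        self.store = {}

    @staticmethod
    def ref_for(chunk: bytes) -> str:
        return hashlib.sha256(chunk).hexdigest()[:16]

    def encode(self, data: bytes) -> list:
        """Sender: ('lit', bytes) for unseen chunks, ('ref', id) for learned ones."""
        tokens = []
        for chunk in chunk_data(data):
            ref = self.ref_for(chunk)
            if ref in self.store:
                tokens.append(("ref", ref))
            else:
                self.store[ref] = chunk      # learn the pattern while sending it
                tokens.append(("lit", chunk))
        return tokens

    def decode(self, tokens: list) -> bytes:
        """Receiver: learn literal chunks, expand references from the store."""
        parts = []
        for kind, value in tokens:
            if kind == "lit":
                self.store[self.ref_for(value)] = value
                parts.append(value)
            elif value in self.store:
                parts.append(self.store[value])
            else:
                raise ValueError("unknown reference %s: WOC dictionaries out of sync" % value)
        return b"".join(parts)


def wire_bytes(tokens: list) -> int:
    """Bytes the token stream would occupy on the WAN under this model."""
    return sum(len(v) if k == "lit" else REF_COST for k, v in tokens)


def demo() -> dict:
    """Send a constructed file, the same file again, then an edited copy."""
    rng = random.Random(7)
    original = bytes(rng.randrange(256) for _ in range(4000))   # constructed 4000-byte file
    edited = original[:2000] + b"<edit>" + original[2000:]      # small change in the middle
    sender, receiver = Woc(), Woc()
    sizes = {}
    for name, payload in (("first", original), ("repeat", original), ("edited", edited)):
        tokens = sender.encode(payload)
        if receiver.decode(tokens) != payload:
            raise RuntimeError("receiver did not reconstruct %s transfer" % name)
        sizes[name] = wire_bytes(tokens)
    return sizes


if __name__ == "__main__":
    print(demo())
```

The first transfer costs the full file size because every chunk is a literal; the repeat costs only a reference per chunk; the edited copy costs the literal bytes of the one or two chunks around the edit plus references for the rest. A reference the receiver cannot resolve means the two stores have diverged, which is why real products version and synchronize their dictionaries.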
TCP/IP traffic is optimized by adjusting the flow control parameters. Application protocols, such as the Common Internet File System, are also optimized by the WOC. The problem with CIFS is that it can slow file transfers over the WAN. CIFS was created for use over LANs. But with server consolidation, it now comes into play on WANs, and latency creates inefficiencies. Microsoft is aware of the problems with the protocol and has improved it in the latest version, but WOCs can still bump up performance.
WOCs reduce the bandwidth requirements of web applications and speed their delivery by caching objects. Static objects are easiest to cache, and WOCs can do so automatically.
The first time someone in a branch office requests a static object, the WOC passes the request on to the server. When the object is delivered, the WOC stores a copy of it. The next time someone requests the same object, the WOC intercepts the request and sends the stored version. This greatly reduces transmission time and eliminates the latency effect on WAN bandwidth.
Some WOCs can also provide this service for dynamic objects. This is possible because many dynamic objects do not change constantly but do change over longer periods of time. The WOC can store an object for a set period of time before refreshing it. This feature requires that the IT team understand the dynamic objects in order to determine the appropriate time-out values.
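The branch-office object cache described in the last three paragraphs, as an added example rather than a product's implementation: static objects are kept until evicted, dynamic objects are served from the cache for a per-object time-out and then refreshed from the origin, and unknown objects pass straight through. The origin server, object paths and time-out values are constructed; the scenario deliberately shows the cost of a time-out that is too long, which is the reason the text asks the IT team to understand each dynamic object before choosing its value.

```python
"""Toy branch-office object cache (added illustration, not a vendor's code)."""
import time


class OriginServer:
    """Stand-in for the data-center web server; counts every request it must answer."""

    def __init__(self):
        self.requests = 0
        self.version = 0     # bumped whenever the dynamic content changes

    def fetch(self, path: str) -> bytes:
        self.requests += 1
        if path.endswith((".js", ".png")):
            return b"static content of " + path.encode()
        return b"dynamic content v%d of %s" % (self.version, path.encode())


class BranchCache:
    """Intercepts requests: serves stored objects, forwards the rest to the origin."""

    def __init__(self, origin, ttl_policy, clock=time.monotonic):
        self.origin = origin
        self.ttl_policy = ttl_policy   # path suffix -> seconds to keep (None = until evicted)
        self.clock = clock             # injectable so the scenario can move time by hand
        self.entries = {}              # path -> (body, expiry time or None)
        self.hits = 0

    def ttl_for(self, path: str):
        for suffix, ttl in self.ttl_policy.items():
            if path.endswith(suffix):
                return ttl
        return 0                       # unknown objects are never cached

    def get(self, path: str) -> bytes:
        now = self.clock()
        entry = self.entries.get(path)
        if entry and (entry[1] is None or now < entry[1]):
            self.hits += 1
            return entry[0]            # served locally: no WAN round trip
        body = self.origin.fetch(path)
        ttl = self.ttl_for(path)
        if ttl is None:
            self.entries[path] = (body, None)
        elif ttl > 0:
            self.entries[path] = (body, now + ttl)
        return body


def run_scenario() -> dict:
    """Walk a fake clock through branch requests; return what users saw."""
    clock = {"t": 0.0}
    origin = OriginServer()
    # Constructed policy: scripts and images static, the dashboard refreshed every 300 s.
    cache = BranchCache(origin, {".js": None, ".png": None, "/dashboard": 300},
                        clock=lambda: clock["t"])
    dashboard = []
    cache.get("/app.js")
    cache.get("/dashboard")                  # t=0: both fetched from the origin
    clock["t"] = 10
    cache.get("/app.js")                     # hit
    dashboard.append(cache.get("/dashboard"))  # hit, v0
    origin.version = 1                       # the dashboard changes at the origin
    clock["t"] = 100
    dashboard.append(cache.get("/dashboard"))  # still inside the time-out: stale v0
    clock["t"] = 400
    dashboard.append(cache.get("/dashboard"))  # time-out expired: refreshed, v1
    cache.get("/api/status")                 # no policy entry: passed through
    return {"origin_requests": origin.requests, "cache_hits": cache.hits,
            "dashboard": dashboard}


if __name__ == "__main__":
    print(run_scenario())
```

The request at t=100 is the case to think about when setting time-outs: the user gets a copy that is already out of date, and nothing in the cache can tell. A time-out chosen without knowing how often the object really changes trades bandwidth for stale data.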
Just buying a WOC and turning it on does not guarantee the benefits. Here are seven steps to get the most out of a WOC deployment:
1. Know what is running on your network
The first step in reducing bandwidth and providing better service is to understand what is flowing over the network. Optimizing without knowing what types of traffic are using the network is wasted effort. It is important to know how much and what type of nonessential traffic flows over the network. (It is always surprising how much non-mission traffic moves through the pipes.)
Network monitors traditionally have concentrated on the number of packets, the ports being used and link utilization. Successful WOC implementations require an understanding of the traffic at a deeper level, at the application layer.
Knowing how much traffic is using Port 80 (HTTP) doesn’t tell you much because an increasing amount of both critical and nonessential traffic uses a web interface. It is important to understand what applications are in use. Is it SharePoint, SAP or some peer-to-peer application?
It is also important that any monitoring solution updates its list of applications often. New applications become available constantly, especially non-work apps. Without regular updates, a WOC’s monitoring program will lump the unknown apps into a common bucket.
2. Apply QOS
The next step is to implement Quality of Service controls. This will ensure that the critical mission traffic receives priority attention and non-mission traffic does not consume bandwidth.
IT can implement QOS on the router, the WOC or both. The biggest obstacle to implementing QOS is how difficult it is to specify.
A WOC should allow QOS policies to be set up easily based on the monitoring results, provide default settings for most applications and interface with existing QOS policies.
3. Set bandwidth management parameters
The next step is to decide how much bandwidth each app should receive. WOC bandwidth management lets network administrators set controls on how much of the available bandwidth an application receives. This guarantees that less critical traffic can’t crowd out critical apps; it’s a must-have feature on any WOC.
This way, an agency can prioritize traffic based on its QOS policies. For example, if users are allowed to access consumer sites such as Amazon, bandwidth management can be used to restrict the amount of bandwidth allowed, ensuring it doesn’t affect critical applications. The amount can also be adjusted depending on the time of day, for example to allow greater access after hours or during lunch.
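A worked bandwidth-management policy of the kind steps 2 and 3 describe, added here as an illustration and not any product's configuration syntax: each application class carries a guaranteed share of the link, a cap that changes with the time of day, and a weight used when leftover capacity is shared out. The class names, percentages and demand figures are constructed; the allocation rule (guarantees first, then caps, then weighted sharing of what is left) is one common way to realize the text's requirement that less critical traffic can never crowd out critical apps.

```python
"""Toy bandwidth-management policy (added illustration, not a vendor's syntax)."""
from dataclasses import dataclass


@dataclass
class AppClass:
    name: str
    guarantee: float      # fraction of the link always available to this class if demanded
    cap_business: float   # maximum fraction during business hours
    cap_offhours: float   # maximum fraction at other times
    weight: int           # priority when leftover capacity is shared


# Constructed policy: guarantees sum to 70% so critical classes always fit together.
POLICY = [
    AppClass("voip", 0.20, 1.00, 1.00, 10),
    AppClass("sharepoint", 0.30, 1.00, 1.00, 5),
    AppClass("file-transfer", 0.20, 1.00, 1.00, 3),
    AppClass("consumer-web", 0.00, 0.05, 0.40, 1),   # tightly capped 08:00-17:00
]


def cap_for(app: AppClass, hour: int) -> float:
    """Return the cap that applies at the given hour (24-hour clock)."""
    return app.cap_business if 8 <= hour < 17 else app.cap_offhours


def allocate(link_mbps: float, demand_mbps: dict, hour: int, policy=POLICY) -> dict:
    """Mbps granted per class: guarantees first, then caps, then weighted sharing."""
    # What each class could take at most: its demand, limited by the time-of-day cap.
    limit = {a.name: min(demand_mbps.get(a.name, 0.0), cap_for(a, hour) * link_mbps)
             for a in policy}
    # Reserve the guaranteed share for every class that wants it.
    granted = {a.name: min(limit[a.name], a.guarantee * link_mbps) for a in policy}
    remaining = link_mbps - sum(granted.values())
    # Hand out the rest by weight; every round either empties the link or
    # saturates at least one class, so len(policy) + 1 rounds always suffice.
    for _ in range(len(policy) + 1):
        eligible = [a for a in policy if limit[a.name] - granted[a.name] > 1e-9]
        if remaining <= 1e-9 or not eligible:
            break
        total_weight = sum(a.weight for a in eligible)
        for a in eligible:
            share = remaining * a.weight / total_weight
            granted[a.name] += min(limit[a.name] - granted[a.name], share)
        remaining = link_mbps - sum(granted.values())
    return granted


if __name__ == "__main__":
    busy = {"voip": 10, "sharepoint": 50, "file-transfer": 60, "consumer-web": 30}
    print("10:00", allocate(100, busy, 10))
    quiet = {"voip": 0, "sharepoint": 10, "file-transfer": 20, "consumer-web": 30}
    print("10:00", allocate(100, quiet, 10))
    print("20:00", allocate(100, quiet, 20))
```

On a saturated 100 Mbps link at 10:00 the consumer class is pinned to its 5 Mbps cap whatever it asks for, while the file-transfer class takes the leftover because of its weight; at 20:00 the same consumer demand is allowed to use 30 Mbps because nothing critical is competing. Monitoring (step 1) is what tells you which names belong in the policy and what the demand figures really look like.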
4. Decide what should be optimized
It is tempting with the acceleration and optimization provided by a WOC to turn it on for all traffic. It is a good idea to turn it on for file transfers, web traffic and most essential traffic but not for everything.
Voice over Internet Protocol traffic should not be optimized as the process will slow it down and provide little benefit. TCP/IP protocol optimization can help video traffic, but running it through dictionary compression provides no benefit and can degrade the WOC’s performance.
Virtual desktop infrastructure and virtual application techniques are good candidates, but watch out for problems. Print jobs, files and data sent at startup all benefit from dictionary compression, but running small back-and-forth messages can slow them down with little bandwidth savings in return. Additionally, if VDI traffic is encrypted, most WOCs provide no benefit.
5. Understand the process for encrypted files
WOCs are unable to apply many of their techniques on encrypted data. But they overcome this problem for Secure Sockets Layer traffic by learning the keys and decrypting the data, and then re-encrypting before sending it back out on the network.
How they learn and store the keys differs from product to product and is something network managers need to understand. Decryption is important — without it, the WOC benefits are limited to QOS and bandwidth management, and there is no bandwidth reduction benefit.
6. Plan a strategy for monitoring and security
One of the ways WOCs optimize data flow is by collecting all the packets between the central WOC and the branch office WOC in one connection, then hiding the individual connections. Because the data in the packets is replaced with reference numbers, deep packet inspection of application data becomes impossible. This can create a problem if security and monitoring devices are placed on the network after the WOC.
One solution is to place the security and monitoring equipment before the WOC. Additionally, WOC manufacturers offer various techniques to mitigate the connection problem, but it is important that IT learn how these processes work and if there are any downsides for their agencies’ particular security requirements.
7. Involve the security group
Any WOC deployment should be coordinated with the security group. There are several areas that concern security, including the decryption process, hidden individual connections and changing the data in the packet.
Additionally, if hackers gain access to the dictionary compression database, they might be able to reconstruct files. There are solutions to most of these challenges, but the IT security team needs to know how the technology affects the agency’s overall data assurance and infrastructure protection practices.
Ultimately, a WOC can reduce bandwidth requirements, often significantly delaying the need for a major WAN upgrade. Plus, it can keep users satisfied by keeping data flowing and minimizing app response time.