SMK NEGERI 1 GEMPOL : WAN Optimization White lists and Blacklists
I've been working on a survey of best practices for acquiring WAN optimization solutions; it'll appear as a Burton Group paper and also be used as the basis for a talk at the upcoming Burton Group Catalyst Conference on July 27-31 in San Diego. It's been fun to talk to folks about what worked and what didn't work in their efforts to bring WAN optimization technology into their enterprises.
The papers and speech won't be out for another month or so, but meanwhile there's a very important point about this technology that I want to get out here: Yes, optimization is a fantastic way of saving money and creating really happy customers at the same time, but it doesn't work flawlessly for all applications.
The advanced dictionary-based compression component seems to be foolproof; it works and saves you, oh, 50% and up of your bandwidth at the same time that it usually makes a major improvement in performance that'll have the users loving you. So networking organizations that are primarily concerned with saving bandwidth expense and that dread having to work with users or application developers will usually choose optimization devices that are almost purely compression-based, and that don't fiddle much, or at all, with the protocols. They'll get a lot of performance improvement also -- especially if the same files are sent back-and-forth across the network with minor changes, or if they contain internal duplications, or if there's a lot of commonality among files -- and they'll never break an application, no matter how badly it's programmed.
But some enterprises really need the massive performance improvements that WAN optimization can provide for some common situations, such as access to remote fileshares using the Microsoft CIFS or Unix NFS protocols, or applications using SQL queries, or web browsers, or email. For those situations, fiddling with ("accelerating" or "spoofing") the underlying TCP, file, and application protocols can create simply unbelievable improvements in the performance seen by end users. But when the WAN optimization device starts interacting with protocols, some applications will break. It's almost never the optimization device's fault, because the optimizer engineers are experts in the protocols and carefully design their devices to squeeze every bit out of them without violating the protocol standards. But a surprising number of enterprise programmers don't know those standards very well.
The result is that protocol acceleration typically works flawlessly for broadly-used applications, such as access to remote fileshares by Excel, or use of web browsers, or SharePoint. But weird, custom-built client-server applications with embedded TCP socket calls that were built by overworked programmers under horrible deadline pressure who have no previous experience with TCP or other protocols? Well, that explains the "your accelerator broke my application" telephone calls. Truth is, the application was already broken, but its failures were usually rather rare and were attributed to "cosmic rays" or similar nonsense. When the optimizer starts really exercising the protocol, however, the breaks in the protocol become more obvious, and the irate telephone calls start.
And that brings me to the point of this blog entry: most enterprises quickly find that whitelists are wonderful tools for managing WAN optimization. They use whitelists to tell the optimizers which applications should be given protocol acceleration in addition to advanced compression. Applications that aren't on the whitelist are compressed, but their protocols are passed through the optimzers unchanged. At initial rollout, the network organization puts broadly-used applications, such as Excel, Internet Explorer and SharePoint, on the whitelist. Then, as time goes by, additional applications can be tested and added to the whitelist. By using whitelists, all of those weird applications that you didn't even know existed will not get into trouble. (By the way, organizations that try blacklists usually find that they have dozens, or hundreds, of applications that they didn't know about and that have mistakes in their use of TCP or other protocols. They find that out as a result of enraged telephone calls from the applications' users. Use whitelists instead.)
Some WAN optimization vendors have extensive deep packet inspection systems that can help in creating whitelists, but that's not truly necessary in all cases. Just filtering by IP address, hostname, or similar simple mechanisms may be all that you need.
So: don't fear optimization! You can save buckets of money and make your customers happy at the same time! But use whitelists when you do that rollout
The papers and speech won't be out for another month or so, but meanwhile there's a very important point about this technology that I want to get out here: Yes, optimization is a fantastic way of saving money and creating really happy customers at the same time, but it doesn't work flawlessly for all applications.
The advanced dictionary-based compression component seems to be foolproof; it works and saves you, oh, 50% and up of your bandwidth at the same time that it usually makes a major improvement in performance that'll have the users loving you. So networking organizations that are primarily concerned with saving bandwidth expense and that dread having to work with users or application developers will usually choose optimization devices that are almost purely compression-based, and that don't fiddle much, or at all, with the protocols. They'll get a lot of performance improvement also -- especially if the same files are sent back-and-forth across the network with minor changes, or if they contain internal duplications, or if there's a lot of commonality among files -- and they'll never break an application, no matter how badly it's programmed.
But some enterprises really need the massive performance improvements that WAN optimization can provide for some common situations, such as access to remote fileshares using the Microsoft CIFS or Unix NFS protocols, or applications using SQL queries, or web browsers, or email. For those situations, fiddling with ("accelerating" or "spoofing") the underlying TCP, file, and application protocols can create simply unbelievable improvements in the performance seen by end users. But when the WAN optimization device starts interacting with protocols, some applications will break. It's almost never the optimization device's fault, because the optimizer engineers are experts in the protocols and carefully design their devices to squeeze every bit out of them without violating the protocol standards. But a surprising number of enterprise programmers don't know those standards very well.
The result is that protocol acceleration typically works flawlessly for broadly-used applications, such as access to remote fileshares by Excel, or use of web browsers, or SharePoint. But weird, custom-built client-server applications with embedded TCP socket calls that were built by overworked programmers under horrible deadline pressure who have no previous experience with TCP or other protocols? Well, that explains the "your accelerator broke my application" telephone calls. Truth is, the application was already broken, but its failures were usually rather rare and were attributed to "cosmic rays" or similar nonsense. When the optimizer starts really exercising the protocol, however, the breaks in the protocol become more obvious, and the irate telephone calls start.
And that brings me to the point of this blog entry: most enterprises quickly find that whitelists are wonderful tools for managing WAN optimization. They use whitelists to tell the optimizers which applications should be given protocol acceleration in addition to advanced compression. Applications that aren't on the whitelist are compressed, but their protocols are passed through the optimzers unchanged. At initial rollout, the network organization puts broadly-used applications, such as Excel, Internet Explorer and SharePoint, on the whitelist. Then, as time goes by, additional applications can be tested and added to the whitelist. By using whitelists, all of those weird applications that you didn't even know existed will not get into trouble. (By the way, organizations that try blacklists usually find that they have dozens, or hundreds, of applications that they didn't know about and that have mistakes in their use of TCP or other protocols. They find that out as a result of enraged telephone calls from the applications' users. Use whitelists instead.)
Some WAN optimization vendors have extensive deep packet inspection systems that can help in creating whitelists, but that's not truly necessary in all cases. Just filtering by IP address, hostname, or similar simple mechanisms may be all that you need.
So: don't fear optimization! You can save buckets of money and make your customers happy at the same time! But use whitelists when you do that rollout
0 comments:
Post a Comment