eBook

10 Critical Requirements for Optimizing Application Delivery

Introduction

Generic load balancing using disparate networking and security products is insufficient

A rapidly accelerating number of complex Web 2.0 client requests for content is threatening to overwhelm your data center. Mobile users, e-commerce customers, offsite employees and remote cloud-based applications need assurance that the servers they access are constantly online. The information they seek must be received almost instantaneously. The communication links and applications themselves must be secure. You need a way to manage application delivery to ensure timely content availability and security at any scale.

The problem you face is that legacy solutions aren’t designed to handle any of these tasks very well, much less all of them. Attempting to work within such a framework is overly complicated and prohibitively expensive. It doesn’t scale, can’t provide the policy granularity to optimize delivery from today’s rich applications and services, and lacks the visibility to secure content and defend against multi-vector threats.

A10 | 10 Critical Requirements for Optimizing Application Delivery | 2 |

Solving the problem requires next-generation solutions with advanced L4-L7 support, known as application delivery controllers (ADCs). ADCs fully integrate a broad array of modules to address extensive networking and security concerns tied to enterprise application delivery. Powerful multi-core designs enable processing at carrier grade rates, while deep packet inspection combined with delayed binding methods dramatically scale data center resources, speed server response times and stop hacker attacks in their tracks.

ADCs are deployed deep in the enterprise data center’s network, near the web and application servers. This is the ideal location to invoke intelligent traffic management, ensure Service Level Agreements (SLAs) and protect key resources.
ADCs with the following critical capabilities are the only way to optimize applications while keeping overall expenses at a minimum. The ability to meet the following 10 capabilities should be a critical component of your selection criteria when evaluating ADCs.

1 Intelligent Traffic Management

Problem

A critical requirement of any data center is the need to manage all incoming requests for content. Queries must be fully inspected and forwarded to the appropriate server. If such intelligent traffic management is lacking, user submissions may be needlessly redirected among the server farm. Application resources are overtaxed and unnecessary latency is added. IT is forced to duplicate application and database servers and curtail enhanced value added services.

Solution

ADCs provide visibility into inbound requests at the application layer and identify precisely how to optimally forward their packets. Advanced load-balancing algorithms, persistent connection methods and high capacity request multiplexing combine to accelerate response times. To prevent requests going to “dead servers,” customizable health checks are leveraged that ensure applications are functioning. This content switching method helps cut server farm needs in half when compared to rudimentary load balancers. ADCs also enable ‘premium’ services such as allowing select clients to be assigned higher powered servers for superior SLAs.

2 Global Load Balancing

Problem

Global organizations require localized data center operations to enable redundancy, business continuity, scalability and faster content distribution. But this creates operational and performance issues. Internet sessions may not be efficiently routed to the server farm best able to respond and this results in poor response times.
If one site should fail, user requests may not be properly or transparently redirected to an alternate location.

Solution

An effective enterprise ADC deployment solves these problems through integrated Global Server Load Balancing (GSLB), enabling more intelligent traffic management and data center failover for reliable disaster recovery. Interconnected ADCs are continuously updated with relevant information about each individual node’s local content, optimal routing details and server status. Geographic and network proximity policy metrics help optimize multi-site deployments. Leveraging DNS Proxy or DNS Server methods further improves implementation flexibility and deployment simplicity.

Maintain worldwide operational integrity 24x7x365

3 Expedited Data Retrieval

Problem

Modern Web 2.0 applications employ a rich set of complex protocols with dozens of components underlying each webpage. These applications are often inefficiently designed, and when combined with the client to server WAN distances involved, result in delayed response times with curtailed user productivity. Without acceleration techniques to offset these limitations, the remote application will run slowly, if at all.

Solution

ADCs leverage a variety of capabilities to overcome communication latency and ensure a fast and responsive experience for maximum user satisfaction.
Techniques include:
• Gzip compression to reduce transmission size by 3-5x for reduced bandwidth demands
• In-memory caching that eliminates backend server delays by storing frequently requested content
• Interoperability with advanced SPDY and HTTP/2 Internet standards
• Support for WAN optimization standards such as Selective Acknowledgment and Client keep-alive

Because of 1 second of webpage delay, Amazon could potentially lose up to $1.6 Billion per year. Source: GetElastic 2012

4 Application and Data Protection

Problem

Data centers are being breached at an alarming rate. Yet legacy security solutions such as traditional and next-generation firewalls, intrusion prevention systems and network access control no longer deliver adequate protection. Hackers employ zero-day malware, cross-site scripting, cookie poisoning, SQL injection and other methods to bypass traditional perimeter security solutions and exploit specific application vulnerabilities. And once the targeted applications are breached, they give attackers direct access to the underlying databases and their confidential data.

Solution

Enterprise ADCs protect against targeted and zero-day exploits using rapidly deployed, fully integrated Web Application Firewall (WAF) modules. ADC WAFs employ machine learning to profile expected application behavior and automatically generate configuration settings that augment user-defined security policies. This delivers advanced protection by leveraging session-aware protections with bi-directional inspection to block sophisticated session-based attacks, including HTML form field consistency, cookie tampering and tag-based cross-site request forgery.

$181,700: Avg. cost associated to an hour of data center downtime.
Source: http://www.studyweb.com/outrageous-costs-data-center-downtime

5 Customized Policies by Application

Problem

When it comes to networking and security rules, one size rarely fits all. ADC policy configurations should be customized with granular rules that optimize traffic delivery tied to each of the functional modules in use (compression, caching, content switching and more). In addition, it is beneficial to dedicate a unique set of ADC policies for each application, service or class of user for a better user experience.

Solution

To support such fine-grained policies, the ADC platform must be capable of very high “instance density.” Effectively, one appliance is divided into numerous independent “sub ADCs” where each has its own set of policies. Now a given application, service or user can receive tailor-made processing to its own specifications. As hundreds of unique web-based applications and end-user classifications may be present, multi-tenant support should allow density levels that can exceed a thousand such instances.

Expand one ADC into Hundreds at No Charge!

6 Centralized Access Management and Single Sign-on

Problem

Authentication, Authorization, and Accounting (AAA) is a critical component in supporting online communications, validating both client and intended recipient identities. The growing volume of access requests creates the need to scale the AAA infrastructure; yet placing authentication software on every application server is not a practical approach.

Solution

ADCs are ideally located to manage multiple facets of AAA, because they process key portions of the authentication task to reduce the need for AAA servers. This eliminates separate authentication points, simplifies the network and provides a system-wide view. ADCs also support setting granular access policies by application.
For a streamlined user experience, single sign-on (SSO) is critical, and the ADC must handle SAML assertions, other critical protocols and authentication methods, and be proven interoperable with multiple AAA servers.

SSO: Leverage Single Sign-On to secure web access while eliminating passwords for Cloud Apps

7 Multi-Level DDoS Protection

Problem

Distributed Denial of Service (DDoS) attacks have become widespread, targeting organizations of all sizes and in all industries. They overwhelm network resources and interrupt critical communications, eventually incapacitating a wide range of system resources for catastrophic effect. To protect servers and ensure content availability, ADCs with built-in high capacity DDoS prevention need to be deployed.

Solution

ADCs facilitate deep traffic visibility to spot anomalies across the traffic spectrum. They also protect against multiple classes of attack vectors, including volumetric, protocol and application-layer assaults. Protocol and application checks combined with authentication verify if client communications are valid, or if the traffic is scripted botnet traffic. In addition, a programmable policy engine allows customizable actions.

The Cost of DDoS Attacks is [...] per hour. Source: Ponemon 2015

8 Security for DNS Infrastructure

Problem

Nearly every aspect of Internet communications depends on DNS name resolution. Any interruption to the DNS infrastructure, like a Denial of Service (DoS) attack, can render critical network resources useless, disrupting operations and causing extensive financial and reputational damage. Attackers can also hijack DNS servers by poisoning routing tables to redirect users to nefarious sites.
Solution

Enterprise ADCs with built-in DNS Application Firewalls (DAFs) protect your DNS infrastructure from a variety of threat vectors such as buffer overflows, malformed DNS requests and DDoS amplification. Added DAF benefits include:
• DNSSEC pass-through to prevent DNS spoofing and cache poisoning
• Policy-based server load balancing with IP reputation and other blacklists to limit access to trusted sources
• DNS Server load balancing and caching to allow the ADC to scale resources as needed
• Unified architecture that reduces infrastructure requirements and operating overhead

Port 53: Most firewalls leave port 53 open, which is used for DNS queries

9 Support for Software Defined Data Centers

Problem

Networking environments have a large scale, shared infrastructure, yet the architecture is typically static. When IT provisions a new application or increases network capacity, they usually need to reconfigure and/or update their policies to deploy the application or add additional capacity. The network doesn’t have the ability to automatically change traffic flows or scale on demand. Software Defined Networks (SDN) help solve these concerns by dynamically provisioning networking infrastructure to optimize resource use, adapt throughput needs, and perform traffic engineering with an end-to-end view of the network. To get the most out of SDN, IT needs to deploy networking and security services that have the requisite app visibility.

Solution

ADCs help realize the goal of a dynamic “app aware” network with advanced capabilities. These appliances provide a top level blueprint that is both user and application centric.
SDN enables administrators to leverage service insertion and service chaining to dynamically steer traffic flows through a sequence of physical or virtual ADCs. ADCs work hand in hand with SDN controllers to realize an ‘application aware’ dynamic data center with L4-L7 services.

10 Cloud-Friendly Deployment

Problem

Modern data centers are undergoing a revolutionary shift. Legacy IT operations have been bound within one or more locations all under the auspices of one private overarching control center. Going forward, compute resources, networking and storage are evolving to take advantage of the flexibility, lower cost and scalability of cloud computing. Whether the cloud is fully private, public or hybrid in nature, the various elements of IT operations must be able to adapt. The networking and security services afforded by modern ADCs must similarly be capable of operating in these environments.

Solution

Organizations are moving to leverage cloud services by using them for DevOps and through offloading some or all of their IT infrastructure. With cloud services such as Amazon AWS and Microsoft Azure growing in stature, the same ADC capabilities of a locally installed physical, virtual or multi-tenant appliance must be able to run as a virtual appliance in these and other cloud scenarios.

Lower Cost, Scalable, Flexibility

Conclusion

If your IT operations fall short, you could suffer a catastrophic network outage or security breach. To get the best out of your IT infrastructure means deploying advanced services offered by an ADC with these ten critical criteria.

Relying on a system that doesn’t measure up to these requirements means you are likely to come up short on delivering requested content in a timely manner with appropriate security. It could mean loss of business and reputation. It could mean costly server sprawl.
It could mean a massive security rupture. It could mean your job is on the line.

A10 Networks’ line of Application Delivery Controllers provides you with a fully integrated networking and security solution that supports all these ‘Top Ten’ capabilities and much more. They are available in a broad array of scalable platforms and form factors for any environment. A10 ADCs allow your organization to:
• Ensure server availability through intelligent traffic management on a local and global scale
• Accelerate content delivery and make applications appear to run locally regardless of location
• Protect network resources against multi-variant attacks aimed at web, applications and DNS servers
• Support data center transformations including shifts to SDN and cloud-based infrastructures

To learn more visit a10networks.com/adc

©2016 A10 Networks, Inc. All rights reserved. The A10 logo, and A10 Networks are trademarks or registered trademarks of A10 Networks, Inc. in the United States and other countries. All other trademarks are property of their respective owners.

Part Number: A10-EB-14102-EN-01 April 2016