Web applications, e-mail attachments and files can quickly consume backbone bandwidth when serving users at many locations, and slowdowns can lead to demands for expensive upgrades.
One of the best ways to reduce the cost of supporting IT services at multiple locations and branch offices is server consolidation, especially when combined with server virtualization. After all, consolidating multiple branch-office servers into one or a few machines can result in significant and easy-to-tally savings.
But how can agencies accommodate growth in bandwidth demand and support projects that promise cost savings, such as server consolidation, while holding spending down? And what can IT do to appease users who want swifter response times and faster file transfers?
The answer is to use a combination of bandwidth management, WAN optimization and application acceleration techniques. Together, they can reduce bandwidth demands and improve service. WAN optimization controllers (WOCs) combine these tools, and many major network manufacturers produce WOC devices, including Blue Coat Systems, Cisco Systems, Citrix Systems, Juniper Systems and Riverbed Technology.
The most significant way WOCs reduce bandwidth consumption is through a technique called dictionary compression. Dictionary compression reduces the bandwidth needed to send files and large amounts of data by a factor of 10 to 30.
Dictionary compression works by learning patterns in the data. The WOC automatically monitors the traffic flow, learning short sequences of data and storing them. When it sees a pattern it has learned, it removes the pattern and substitutes a reference number. A receiving WOC, which is automatically learning the same patterns and reference numbers, removes the reference number and puts the data pattern back in the packet.
For example, the first time a file is sent there is no reduction, because both WOCs are still learning its patterns. When someone else requests the same file, or a file that shares the same patterns, the WOC substitutes a series of reference numbers for those patterns. If the file has changed, only the changes are sent, along with reference numbers for the unchanged patterns.
TCP/IP traffic is optimized by adjusting its flow-control parameters. Application protocols, such as the Common Internet File System, are also optimized by the WOC. The problem with CIFS is that it can slow file transfers over the WAN: CIFS was created for use over LANs, but with server consolidation it now runs over WANs, where each of its many round trips pays the full WAN latency. Microsoft is aware of the problem and has improved the protocol in its latest version, but WOCs can still bump up performance.
Simply buying a WOC and turning it on will not guarantee benefits. Here are steps to get the most from a WOC deployment:
The first step in reducing bandwidth and providing better service is to understand what is flowing over the network. Optimizing without knowing what types of traffic are using the network is wasted effort. It is important to know how much and what type of nonessential traffic flows over the network. (It is always surprising how much non-mission traffic moves through the pipes.)
Knowing how much traffic is using port 80 (HTTP) doesn’t help IT much, because an increasing amount of both critical and nonessential traffic uses a web interface. It’s important to understand the applications in use. Is it SharePoint, SAP or some peer-to-peer application?
It’s also important that any monitoring tool updates its list of apps often. New apps become available all the time, especially nonwork apps. Without regular updates, a WOC’s monitoring program will lump unknown apps into a common bucket.
The next step is to implement Quality of Service (QoS) controls. These ensure that critical mission traffic receives priority and that non-mission traffic does not consume the bandwidth it needs.
IT can implement QoS on the router, the WOC or both. The biggest obstacle to implementing QoS is how difficult it is to specify. A WOC should allow QoS policies to be set up easily based on the monitoring results, provide default settings for most applications and interoperate with existing QoS policies.
The next step is to decide how much bandwidth each app should receive. WOC bandwidth management lets network administrators set controls on how much of the available bandwidth an application receives. This guarantees that less critical traffic can’t crowd out critical apps; it’s a must-have feature on any WOC.
This way, an agency can prioritize traffic according to its QoS policies. For example, if users are allowed to reach consumer sites such as Amazon, bandwidth management can cap the bandwidth that traffic receives so it never affects critical applications. The cap can even vary with the time of day.
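As an added illustration of the bandwidth-management step above (this is not code from the article or from any WOC vendor), the following Python model gives each application class a guaranteed rate, shares whatever is left over by weight, and caps consumer web traffic more tightly during business hours. The class names, rates, schedule and the 10 Mbit/s link are constructed assumptions; the unmanaged allocation is included only to show what crowding out looks like without a policy.

```python
"""Toy model of WOC bandwidth management: per-application guarantees, caps
and weighted sharing, with a time-of-day cap on consumer web traffic.

Constructed example; class names, rates and the schedule are assumptions,
not any vendor's policy syntax.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AppClass:
    name: str
    guaranteed_kbps: int              # served first whenever the class has demand
    cap_kbps: Optional[int] = None    # ceiling; None means "may use any leftover"
    weight: int = 1                   # share of the leftover among hungry classes


def business_hours(hour: int) -> bool:
    return 8 <= hour < 18


def policy_for_hour(hour: int) -> list:
    """Policy set for one hour of the day: consumer web is squeezed to 512 kbit/s
    during business hours and allowed 3 Mbit/s otherwise (assumed values)."""
    consumer_cap = 512 if business_hours(hour) else 3000
    return [
        AppClass("sap", guaranteed_kbps=3000, weight=4),
        AppClass("sharepoint", guaranteed_kbps=2000, weight=3),
        AppClass("consumer-web", guaranteed_kbps=0, cap_kbps=consumer_cap, weight=1),
        AppClass("other", guaranteed_kbps=500, weight=1),
    ]


def _effective_demand(c: AppClass, demand: dict) -> int:
    want = demand.get(c.name, 0)
    return want if c.cap_kbps is None else min(want, c.cap_kbps)


def allocate(link_kbps: int, classes: list, demand: dict) -> dict:
    """Split one interval of link capacity across application classes.

    Pass 1 serves each class's guarantee (never more than it demands).
    Pass 2 hands the leftover to classes that still want more, in proportion
    to weight and never above a class's cap. Returns {name: kbps}.
    """
    alloc = {c.name: 0 for c in classes}
    remaining = link_kbps
    for c in classes:
        got = min(_effective_demand(c, demand), c.guaranteed_kbps, remaining)
        alloc[c.name] = got
        remaining -= got
    while remaining > 0:
        hungry = [c for c in classes if _effective_demand(c, demand) > alloc[c.name]]
        if not hungry:
            break                     # caps or demand satisfied; link may sit idle
        pool, total_w = remaining, sum(c.weight for c in hungry)
        for c in hungry:
            share = max(1, pool * c.weight // total_w)   # max(1, ...) guarantees progress
            extra = min(share, _effective_demand(c, demand) - alloc[c.name], remaining)
            alloc[c.name] += extra
            remaining -= extra
    return alloc


def allocate_unmanaged(link_kbps: int, demand: dict) -> dict:
    """No policy: a saturated link is shared roughly in proportion to demand,
    so a bulk consumer flow crowds out the mission application."""
    total = sum(demand.values())
    return {name: kbps * link_kbps // total for name, kbps in demand.items()}


LINK_KBPS = 10_000   # constructed 10 Mbit/s branch circuit

# Constructed demand figures in kbit/s for one measurement interval.
BUSY_DAY = {"sap": 6000, "sharepoint": 4000, "consumer-web": 8000, "other": 1000}
QUIET_NIGHT = {"sap": 1000, "sharepoint": 500, "consumer-web": 8000, "other": 200}

if __name__ == "__main__":
    print("unmanaged, busy day:", allocate_unmanaged(LINK_KBPS, BUSY_DAY))
    print("managed, 10:00     :", allocate(LINK_KBPS, policy_for_hour(10), BUSY_DAY))
    print("managed, 22:00     :", allocate(LINK_KBPS, policy_for_hour(22), QUIET_NIGHT))
```

On the busy-day input the unmanaged split hands consumer web more of the circuit than SAP; with the policy applied, SAP receives its 3 Mbit/s guarantee plus the largest weighted share of the remainder, and consumer web stays under its daytime cap. At night the same consumer demand is allowed up to the larger cap because the mission applications are idle.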
Given the acceleration and optimization a WOC provides, it is tempting to turn it on for all traffic. It is a good idea to enable it for file transfers, web traffic and most essential traffic, but not for everything.
For instance, Voice over Internet Protocol traffic should not be optimized, because the processing adds delay and provides little benefit. TCP/IP protocol optimization can help video traffic, but running video through dictionary compression provides no benefit and can degrade the WOC’s performance.
WOCs are unable to apply many of their techniques to encrypted data. They overcome this problem for Secure Sockets Layer traffic by learning the keys, decrypting the data, and then re-encrypting it before sending it back out on the network.
How they learn and store those keys differs from product to product, and network managers need to understand it. Decryption matters: without it, the WOC’s benefits are limited to QoS and bandwidth management, and there is no bandwidth reduction at all.
One of the ways WOCs optimize data flow is by multiplexing all the packets between the central WOC and the branch-office WOC into a single connection, which hides the individual client-server connections. Because the data in the packets has been replaced with reference numbers, deep packet inspection of application data becomes impossible between the two WOCs. This creates a problem if security and monitoring devices sit on the WAN side of the WOC, where they see only the optimized stream.
One solution is to place security and monitoring equipment on the LAN side of the WOC, where traffic is still in its original form. WOC manufacturers also offer techniques to mitigate the hidden-connection problem, but IT must learn how these processes work and whether they carry downsides for their particular needs.
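The following Python example is added here and is not part of the article or any vendor’s product. It models both the dictionary compression described earlier (two peers that learn the same chunks in the same order and swap in reference numbers) and the inspection problem discussed just above: the same content-signature check is run on the file as a LAN-side device would see it and on the WOC-to-WOC wire bytes. The 64-byte fixed chunking, the token framing, the sample file and the “CONFIDENTIAL” marker are constructed assumptions; real products use content-defined chunking and proprietary encodings.

```python
"""Toy two-peer dictionary compression, as a WOC pair might do it, plus a
check of where a content-inspection device still sees the payload.

Constructed example: chunk size, token framing, file contents and the
"CONFIDENTIAL" marker are assumptions, not any vendor's format.
"""
import hashlib
import struct

CHUNK = 64           # fixed-size chunks; real WOCs use content-defined chunking
LIT, REF = 0, 1      # token types: literal chunk, or reference to a learned chunk
MARKER = b"CONFIDENTIAL"   # constructed string a DPI signature would look for


class WocPeer:
    """One side of the link. Both peers learn chunks in the same order, so the
    reference numbers they assign agree without any extra exchange."""

    def __init__(self):
        self.by_digest = {}   # sha256 digest -> reference number
        self.by_ref = []      # reference number -> chunk bytes

    def _learn(self, chunk: bytes) -> int:
        ref = len(self.by_ref)
        self.by_ref.append(chunk)
        self.by_digest[hashlib.sha256(chunk).digest()] = ref
        return ref

    def encode(self, data: bytes) -> bytes:
        """Sender side: replace chunks seen before with reference numbers."""
        out = bytearray()
        for i in range(0, len(data), CHUNK):
            chunk = data[i:i + CHUNK]
            ref = self.by_digest.get(hashlib.sha256(chunk).digest())
            if ref is None:
                self._learn(chunk)
                out += struct.pack(">BH", LIT, len(chunk)) + chunk   # 3-byte header + data
            else:
                out += struct.pack(">BI", REF, ref)                   # 5 bytes total
        return bytes(out)

    def decode(self, wire: bytes) -> bytes:
        """Receiver side: learn literal chunks, expand references."""
        out, pos = bytearray(), 0
        while pos < len(wire):
            if wire[pos] == LIT:
                (n,) = struct.unpack_from(">H", wire, pos + 1)
                chunk = wire[pos + 3:pos + 3 + n]
                self._learn(chunk)
                out += chunk
                pos += 3 + n
            else:
                (ref,) = struct.unpack_from(">I", wire, pos + 1)
                out += self.by_ref[ref]
                pos += 5
        return bytes(out)


def make_file(records: int, secret_at: int) -> bytes:
    """Constructed sample file of fixed 64-byte records, one carrying MARKER."""
    lines = []
    for i in range(records):
        text = f"record {i:04d} owner=alice status=ok ".encode()
        if i == secret_at:
            text = f"record {i:04d} CONFIDENTIAL payroll export ".encode()
        lines.append(text.ljust(CHUNK, b"."))
    return b"".join(lines)


def inspect(stream: bytes) -> bool:
    """A signature-style check, as a DPI device would apply it to a stream."""
    return MARKER in stream


def transfer(sender: WocPeer, receiver: WocPeer, data: bytes) -> dict:
    """Send one file across the WOC pair; report wire size and what an
    inspection device sees on the LAN side versus between the WOCs."""
    wire = sender.encode(data)
    assert receiver.decode(wire) == data          # receiver rebuilds the file exactly
    return {"file_bytes": len(data), "wire_bytes": len(wire),
            "marker_seen_lan_side": inspect(data), "marker_seen_wan_side": inspect(wire)}


def demo() -> list:
    """First send, identical repeat, then a copy with only the first record edited."""
    hq, branch = WocPeer(), WocPeer()
    original = make_file(40, secret_at=17)
    edited = bytearray(original)
    edited[0:CHUNK] = b"record 0000 owner=bob   status=ok ".ljust(CHUNK, b".")
    return [transfer(hq, branch, original),
            transfer(hq, branch, original),
            transfer(hq, branch, bytes(edited))]


if __name__ == "__main__":
    for label, result in zip(("first send", "repeat send", "edited send"), demo()):
        print(f"{label:12s}", result)
```

The first transfer carries every chunk literally, so the wire is slightly larger than the file and the marker is still visible on the WAN side. The repeat transfer shrinks to five bytes per chunk and the edited copy sends one literal chunk plus references, and in both cases the signature check between the WOCs comes back negative while the LAN-side check still fires, which is the placement point the article makes.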
Any WOC deployment should be coordinated with the security group. Several areas concern security: the decryption process, the hidden individual connections and the alteration of packet contents.
Additionally, if attackers gain access to the dictionary compression database, they might be able to reconstruct the files that passed through it. There are solutions to most of these challenges, but the IT security team needs to know how the technology affects the agency’s overall data assurance and infrastructure protection practices.
Ultimately, a WOC can reduce bandwidth requirements, often significantly delaying the need for a WAN upgrade. It can also satisfy users by moving data faster and minimizing application response time.