Sunil Cherian - How to Bring Back Productivity With Secure Application Delivery - Interop Mumbai 2009 - Presentation Transcript
SecureAppDelivery™
How to Bring Back Productivity with Secure Application Delivery
9/29/2009
Agenda
Enterprise Requirements for Access
− Differences between Mobile, non-Mobile users and partners
Application Delivery
− Problems and Solutions
− Key component technologies
Tying them all together
Summary
Enterprise Requirements
No information access, no productivity
Your Most Valuable Asset Business-Critical Processes
Who Needs Access?
Mobile Employees
− Corporate-issued laptops
− WAN speed
− Daily to constant remote access
− Small fraction of the corporate employee body
Non-Mobile Employees
− Non-corporate PCs at home
− Used to LAN speed
− Seldom to never remote access
− Large percentage of corporate employees
Partners
− Need to access certain applications
− Not trusted enough to put them on your network
− Have access solutions to partner networks but not to your network and your applications
Business Continuity
When disasters strike, can your employees have access to
enterprise information so they can continue to provide services to
your customers?
Harvard study: two-thirds of businesses surveyed could not
maintain normal operations if half of their workers were out for
two weeks.
Anatomy of Application Performance
Number of hops matters
Distance matters, routing matters
Amount of traffic matters
Quality of network matters
− Congestion and Packet Loss
Number of people on the network matters
Type of applications in use on the network matters
Where they access from and what they access matters
Today’s Enterprise Workforce
USER TYPE | REMOTE PC TYPE | NETWORK SPEED | ACCESS FREQUENCY
Remote or Mobile (Permanently Remote / Mobile Workforce) | Corporate | WAN | Daily to Constant
Non-Mobile (Non-Mobile Workforce) | Non-Corporate | LAN | Never
Mobile Worker
Permanently Remote Employees (office at home or offsite)
Highly Mobile Employees (road warrior)
Corporate-issued laptops, sometimes desktops
Accustomed to WAN speeds
Daily to constant access of corporate resources
Small fraction of corporate employee body
USER TYPE | REMOTE PC TYPE | NETWORK SPEEDS | ACCESS FREQUENCY
Remote or Mobile | Corporate | WAN | Daily to Constant
Non-Mobile Workers
Deskbound Employees (situated in the office)
Non-corporate PCs when working remotely
Accustomed to LAN speeds
Do not remotely access corporate resources
Large percentage of corporate employee body
USER TYPE | REMOTE PC | NETWORK SPEEDS | ACCESS FREQUENCY
Campus Worker or Day Extender | None or Non-Corporate | LAN | Never
Business Continuity
Allow extra users to log in seamlessly during emergencies
No IT intervention required
One-time license fee for small number of days
Burst up to a pre-defined concurrent user count
DesktopDirect™: An illustration
1. Browse (https://mydesktop.arraynetworks.net)
2. Sign in
3. Click, automatically turn on the office PC if it is off
4. Work
Only 30kbps!!
Partner Access: Security Risk
Information to share
Partner Network
Information to protect
Your Network
SiteDirect™: Third Party Access
Information to share
Partner Network
Resource Publishing
Information to protect
Your Network
IP conflict is resolved automatically
SSL on port 443, No NAT/Firewall
Only necessary resources are exposed
User level control on remote site access
Application Delivery Problems and Solutions
Evolution of Application Delivery
Server Load Balancing
− directs traffic to healthiest server
Application Accelerator
− SSL offload
Application Delivery Controller
− connection multiplexing and application acceleration
Was primarily useful for websites
− before growing demand for web-based applications
Mature technology now delivers any application
− in production networks for over a decade
App Delivery Challenges
Server could be oversubscribed
− CPU, RAM, network interface overload
− Too many requests at once
− High amount of SSL traffic
− Too many connections to a single server
Server could stop responding
− Hardware failure
− Power outage
− Operating system crash
In-line devices could stop responding
− Hardware failure
− Power outage
− Other issue
Technology Overview
High Availability
− Server load balancing
− Device redundancy
− Global server load balancing
Application Acceleration
− Secure Sockets Layer offload
− TCP connection multiplexing
Best-Practice Security
− Application-level protection
High Availability
Server Load Balancing
[Diagram: Virtual IP Address; Real IP Addresses 1 to 4; traffic flow; health checking]
High Availability (One Data center)
Device Redundancy
[Diagram: Device A and Device B; state labels: Active, Replaced, Maintenanced, Active Again]
High Availability (Multiple Sites)
GSLB
[Diagram: DNS; primary data center; backup data center; traffic flow; global health checking; local health checking]
High Availability (Branch Office)
• Current Infrastructure
  • Costly 2 Mbps to 8 Mbps links shared by 100 to 300 people
  • Bandwidth per user less than 100 kbps, sometimes as low as 10 kbps
  • Some large offices with T3 or up to 100 Mbps
  • People working from home with 256 kbps broadband or higher
  • Lack of redundancy, susceptible to network failures
• Solutions
  • Link load balancing
    • Combine multiple DSLs to improve overall throughput, performance & availability at lower cost
  • QoS / Priority Queueing / monitoring / filtering
  • WAN optimization / Acceleration
  • Compression & Caching
  • Data reduction / de-duplication
Acceleration (SSL)
SSL Offload
[Diagram: digital certificates; SSL encrypted; unencrypted; overload of end-to-end SSL sessions]
Acceleration (Caching)
Caching offloads web server utilization by over 40%
Deliver content from memory cache
Acceleration (Compression)
Compression reduces bandwidth usage by 30%+
Compresses text, ppt on the fly
Acceleration (TCP)
Connection Multiplexing reduces server conns by 100:1
[Diagram: 3-way TCP handshake (repeated per client); open TCP connection; too many TCP connections]
Best-Practice Network Security
Application-Level Protection
DoS attack
attacker
Cloud: Virtualization And Scalability
[Diagram: Mobile employees; Non-mobile employees; Partners; Public or Private Networks; Data Center; Data Center Applications; Desktops; Resources to share with partners]
• Many virtual portals
• Large number of concurrent users
• One URL among multiple data centers
• Supports real or virtual desktops
• Secure applications in the Cloud
Conceptual Architecture
If offices were created to foster productive work environments, why do workers often receive faster connection speeds and application performance at home? In a typical office setting, multiple workers access applications and Web sites using the same infrastructure, creating traffic bottlenecks that slow the entire system and hinder productivity. This session will explore how to avoid server and network traffic jams while maintaining strong security.