Application-aware networking emerges but has far to go

Application awareness is emerging on firewalls and WAN optimization devices, but efforts fall short of a network-wide strategy, especially at Layers 2 and 3.

This article can also be found in the Premium Editorial Download: IT in Europe: Adopting an application-centric architecture

In a business environment dominated by cloud computing, mobility and Web-based applications, enterprises need smarter, application-aware networks to ensure performance.

But while application awareness is emerging on individual Layer 4-7 network components, such as firewalls and WAN optimisation appliances, there’s still a way to go in generating application-intelligent policy across these components. What’s more, application intelligence in Layers 2 and 3, where it could be most crucial, is a way off.

Why the need for application-aware networks now?

Ten or 15 years ago, Layer 4 visibility was application-aware enough. If a router could see the port destination, it could make a decent guess about the nature of the application and apply quality of service (QoS) policy. With the same information, a firewall could decide whether to allow or deny traffic. If it was headed for Port 80, for example, it was pretty clear that it was HTTP traffic. It was a best-effort affair.

But today, best effort isn’t good enough. Hundreds of applications are running over HTTP, including video conferencing, SalesForce.com and even hosted SAP applications, and the network needs to get smarter and go deeper into these applications in order to enable high performance. “How does video within a conferencing session with a potential client look relative to highlights from a football game?” said Christian Moses, chief technology officer of E.K. Riley Investments, an independent brokerage and investment advisory firm headquartered in Seattle.

“In a traditional network, it just looks like video data, but from a business standpoint we all know that people are going to be watching video on YouTube in the corporate network. You have to take that into consideration; otherwise you are prioritising slacker time.”

Layers 4-7 application awareness is here, but must evolve

WAN optimisation and application delivery controllers have become increasingly application-aware and more sophisticated about how they optimise and accelerate applications, which is well understood and appreciated by network engineers. Meanwhile, firewalls have moved up the OSI stack to Layer 7 in order to adapt to the evolving threat landscape.

“[Legacy] firewalls are dead. There is no firewall anymore,” said Doug Tamasanis, chief IT architect and director of networks and security for Kronos Inc., a Chelmsford, Mass.-based workforce management solutions company. “You open up three or four ports, and you might as well throw out your firewall. So the only hope you have is going up the stack to start looking at applications.”

To secure and optimise his network, Tamasanis is adopting technology that looks beyond ports and protocols with new application-aware firewalls from Palo Alto Networks and new WAN optimization appliances from Silver Peak that can do packet-level optimisation. All three classes of network appliances—firewalls, application delivery controllers and WAN optimization controllers—are managing traffic based on application awareness, but they quite often exist as islands within the infrastructure, which lessens their overall effectiveness.

“It would be great if you could say, ‘here is an application and I want all three classes of tools in my network to recognise that application is important, and I want to apply a consistent set of policies around it regardless of where I’m seeing it,’” Frey said. “There is some argument that you won’t see all the same applications at each of those viewpoints, and that’s probably true. But with a select group of critical applications, you could.”

Citrix Systems, whose products include NetScaler application delivery controllers, Branch Repeater WAN optimisation products, and Access Gateway SSL VPN controllers, envisions a future where the service and application delivery fabric formed by its products could become a control plane for the rest of the network.

“In a heterogeneous fabric, you can envision components talking to each other using a protocol that is a variation on OpenFlow,” said Sunil Potti, vice president of product management and marketing at Citrix. “Today, OpenFlow is a protocol that allows heterogeneous switches to be controlled using a particular standard, but it’s only Layer 2/Layer 3.”

Citrix is exploring ways to make the rest of the network more application-aware by decoupling the control plane of its NetScaler ADCs and applying it to Layer 2 and Layer 3 infrastructure, much like OpenFlow allows a server to serve as the control plane of a Layer 2/Layer 3 network. The NetScaler SDX model, for instance, has a built-in hypervisor that allows companies to run third-party network services within the same box.

“If you have a NetScaler SDX in the data centre and a wireless LAN controller in the campus, you could instantiate that wireless LAN controller on the SDX and exchange control protocols with it,” said Potti. “We [Citrix NetScaler] recognise that a virtual desktop infrastructure (VDI) session is emanating from the data centre: Typically when it goes to the wireless network, it has no clue about that. What if you are able to construct protocols that go to the wireless data network and say, ‘hey, this is a VDI session’? Then you can apply a lot of QoS and other policies.”

Application awareness at Layer 2 and Layer 3 not just for service providers

While application awareness for Layers 4-7 is emerging, intelligence at Layer 2 and Layer 3 could take longer and could be more costly. “The application awareness stuff is not cheap in terms of resources. You need to do deep packet inspection to drag part of an HTTP header or decode part of an FTP string. That’s a heavier resource requirement, which means that application awareness capabilities are typically found in higher-end devices that have more processors and more programmable silicon. In the access layer, there’s not a lot of unused silicon. This is a real problem because of the interest in monitoring the wireless mobile access layer of networks, where you have a lot of people coming in with Internet-enabled devices,” said Adam Powers, CTO of Lancope, which sells the StealthWatch NetFlow analysis product.

Cisco Systems has also expanded the number of devices in its portfolio that support NetFlow v9 and IPFIX, the network flow protocols that allow switches and routers to export application-aware information to the management tier. The 2-terabit version of the Catalyst 6500, the Catalyst 3750-X and Catalyst 4500 all export this programmable NetFlow.

In fact, Cisco considers application-aware networking so fundamental that it is bringing carrier-grade deep packet inspection (DPI) capabilities to its entire portfolio of enterprise routers. “We think application awareness has to become a core attribute of that edge [router] device at remote sites and central sites,” said Scott Harrell, senior product director of network systems at Cisco. “We launched the first phase of that on the ASR series in July, and we’re going to bring it to the whole portfolio of access routers in November.”

Cisco’s Application Visibility and Control (AVC) solution will roll out to the company’s popular Integrated Services Router (ISR) line this fall, integrated into the router’s operating system.

“In the old world—the Layer 3/Layer 4 world—having port-based visibility was sufficient. I could use that to tell a lot about what the application was. I could decide how to apply controls to it and how to apply optimisation to it. As you fast forward and everything becomes Web-enabled, you need to be more and more Layer 7-aware and application-aware and to be able to apply all your network services on that layer. We’re also looking to populate the ability to recognise different media streams, not just application flows but also video traffic, so that you can prioritise and appropriately treat those streams,” Harrell said.

“If I am in a branch today and have an ISR connected to an ASR at the head end, and I have a QoS policy that says HTTP is best effort, my problem is that my SAP Business Objects is on the Web. My video communications is on the Web,” he said. “That’s all on Port 80. I don’t want that traffic to be scavenger class. I want to be able to differentiate traffic within that class and treat it differently based on the business value. Today that is a very difficult thing to do and not well suited to the Web, which is constantly changing.”
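The contrast between the port-based guess described earlier in the article and classification within Port 80 can be shown in a few lines. This is an added illustration, not code from the article or from any vendor named in it; the hostnames, application names and QoS classes are constructed, and the policy table is a hypothetical one.

```python
# Layer 4 view: destination port -> QoS class (constructed policy).
PORT_CLASSES = {80: "best-effort", 21: "bulk"}

# Layer 7 view: Host header suffix -> (application, QoS class); all hypothetical.
HOST_POLICY = {
    "sap.example.com": ("hosted-sap", "business-critical"),
    "conf.example.com": ("video-conferencing", "real-time"),
    "video.example.net": ("recreational-video", "scavenger"),
}

def classify_by_port(dst_port):
    """What a router sees when it only looks at the destination port."""
    return PORT_CLASSES.get(dst_port, "best-effort")

def extract_host(payload):
    """Return the lowercased Host header of a cleartext HTTP/1.x request, or None."""
    head = payload.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    if len(request_line) != 3 or not request_line[2].startswith(b"HTTP/1."):
        return None  # not a readable HTTP request line (binary or encrypted data)
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            return host.partition(":")[0]  # drop an explicit :port (IPv6 literals not handled)
    return None

def classify_by_application(dst_port, payload):
    """Inspect the payload; fall back to the port policy when nothing is recognised."""
    host = extract_host(payload)
    if host is not None:
        for suffix, (app, qos) in HOST_POLICY.items():
            if host == suffix or host.endswith("." + suffix):
                return app, qos
    return "unknown", classify_by_port(dst_port)

# Constructed sample flows, all to port 80: (destination port, first payload bytes).
FLOWS = [
    (80, b"GET /bo/report HTTP/1.1\r\nHost: sap.example.com\r\n\r\n"),
    (80, b"POST /session HTTP/1.1\r\nHost: eu.conf.example.com\r\nContent-Length: 0\r\n\r\n"),
    (80, b"GET /watch?v=1 HTTP/1.1\r\nhost: video.example.net:80\r\n\r\n"),
    (80, b"\x16\x03\x01\x00\x05hello"),  # bytes with no readable request line
]

def compare(flows):
    """Return (port-based class, application, application-aware class) per flow."""
    return [(classify_by_port(p), *classify_by_application(p, d)) for p, d in flows]

if __name__ == "__main__":
    for row in compare(FLOWS):
        print(row)
```

Every flow receives the same class from the port lookup, while the payload lookup separates the three applications; the last flow shows the fallback to port policy when the payload cannot be read.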
