As IT organizations continue to employ new cloud and hybrid cloud architectures, enterprise security professionals are increasingly leveraging virtual firewalls or next-gen firewalls in order to meet the new challenges these modern architectures generate. Unfortunately, many times these virtual security appliances face serious performance problems when deployed on commercial off-the-shelf (COTS) servers.
Array’s AVX Series network functions platform gives enterprises an appliance that enables them to deploy multiple virtual security appliances and deliver excellent performance combined with the agility of virtual platforms. These network functions platforms allow enterprises and service providers to deploy quickly, reduce hardware costs and right-size virtual appliances based on customer requirements.
Depending on the model, the AVX Series runs up to 32 fully independent virtual appliances in a single hardware platform. Dedicated CPU, SSL, memory, and I/O resources serve each virtual appliance. As a result, the AVX Series offers the equivalent of up to 32 dedicated physical appliances in two rack units, in which security and networking services can be assured of guaranteed and demonstrable performance.
In order to showcase just how good the performance can be with the AVX Series, Array Networks commissioned The Tolly Group to benchmark performance and scaling characteristics of the AVX platform using next-gen firewall (NGFW) virtual appliances from a market-leading vendor as an example application. In comparing the results of the test to the NGFW vendor’s own data sheet, engineers noted that the actual performance of the VAs in the test exceeded the expected performance throughput levels by significant amounts.
Test results showed that even when the AVX platform was fully loaded, each virtual appliance instance consistently delivered at least 61% higher throughput than the NGFW vendor’s datasheet advertised throughput specifications. Per-VA transactions per second (TPS) scaled linearly. In addition, aggregate system throughput and transactions per second (TPS) were remarkably consistent.
For a multitenant platform, it is important that the hardware and software resources be used efficiently. A measure of that is for aggregate system throughput to remain consistent across various configurations of virtual appliances. Tests of small, medium and large instances of NGFWs delivered aggregate data throughput and transaction rate performance that was highly consistent.
We’re proud that Array is able to provide a cost-effective and high-performance solution that’s an alternative to adding expensive dedicated security appliances or accepting less-than-optimal performance from virtual appliances. For the full test results, download The Tolly Group’s report.
The Array Management Platform (AMP) has a number of new enhancements in the latest release, version 2.1. Announced just last year, AMP provides centralized configuration, monitoring and analytics for Array application delivery controllers (ADCs) and SSL VPNs deployed in private clouds. AMP also provides instant insight into user behaviors for audit and analysis, and at-a-glance visualization of trends and performance issues among devices and services.
New in AMP 2.1 are service statistics for monitored AG and vxAG SSL VPN gateways. Visitor information includes time, method, agent and other information. The latest version also includes application statistics that display the applications visited by users. The latter information is searchable by time span.
AMP 2.1 also adds user, application and URL statistics for monitored APV and vAPV ADCs providing server load balancing services. Detailed user statistics include time, request method, status code, user agent and other information. Information on user visits to applications is aggregated and searchable by time span. The URL statistics of the real servers are displayed in a convenient table format, allowing administrators to view status such as average delay, request and response status, and other information.
AMP provides a valuable tool for network administrators to manage, configure and update Array ADCs and SSL VPNs, as well as real-time visibility into the managed devices and the services that are associated with them. With the new enhancements, admins have even greater visibility into user behaviors and system performance for regulatory compliance and to improve overall operations.
Contact your Array Networks reseller or regional sales representative to learn more today!
As the volume of data traffic continues to explode on today’s enterprise networks, IT is working harder than ever to balance the often competing priorities of performance, availability, and security. One relatively new phenomenon presents a new wrinkle for IT to consider as new networks are architected: the new “normal” that is encrypted traffic.
Specifically, SSL/TLS traffic has come to dominate network traffic. As of 2018, encrypted traffic accounts for 80 percent of traffic versus 20 percent non-encrypted, and the encrypted share is likely to grow. The problem for IT arises when bad actors hide malware inside encrypted traffic as a means of bypassing security measures. For any enterprise that is using software-defined or “virtual” security appliances like Web Application Firewalls (WAFs), Next-Gen Firewalls (NGFWs), Intrusion Detection and Prevention Systems (IDS/IPS) or other functionality to inspect this traffic, the network can face serious performance and availability issues.
This is because these security appliances need to decrypt the SSL/TLS traffic in order to inspect it and apply policy before re-encrypting it and sending the traffic on its way to the application server. Furthermore, advances in cryptography, larger keys, and newer algorithms like ECC continue to raise the bar in terms of the compute resources necessary to handle this traffic load. The end result is that the process makes the security devices almost unusable or, worse, allows traffic to pass uninspected into the heart of the network; neither option is acceptable for any reasonable organization.
While we’re sure this makes sense logically, the next question is “How much of an issue is this performance hit really?” We had a good idea that it was indeed a big deal and have heard many anecdotes from our customers, but we needed hard numbers. We decided to enlist the help of third-party testing leader The Tolly Group to help us discover not only how big of an impact this issue has on performance and scale, but also how our own network functions platform, the AVX series, could help enterprises overcome this issue without resorting to costly network brokers or additional dedicated security appliances.
The Tolly Group has put together a report on the quite dramatic results that can be had here: https://www.arraynetworks.com/search-offers/Tolly-SSL.php. We’ll provide some of the details of this report today, but please download the complete report for the true granular results.
In summary, The Tolly Group conducted tests using the AVX in three separate scenarios and with two different popular security appliances. The first appliance was a well-known WAF and the other a very popular NGFW. The first scenario included clear, unencrypted traffic running through the virtual appliance loaded onto the AVX. The second tested encrypted traffic running through the same virtual security appliance on the AVX but without using SSL/TLS offload, a function that accelerates the decryption and re-encryption of SSL/TLS traffic. The third and final testing scenario measured encrypted traffic across the VA on the AVX with SSL/TLS offload engaged.
In brief, when forced to cope with encrypted traffic without SSL offload, the performance of both the WAF and the NGFW slowed to a glacial pace – as few as 117 transactions per second, a whopping 90 percent degradation. This would either essentially kill access to the application or, worse, engage the bypass function that would allow uninspected and potentially dangerous traffic into the network core. By contrast, with SSL offload engaged on the AVX9800 platform, WAF transactions increased by 67 times more than without this functionality. WAF data throughput increased by 46 times compared to the scenario without SSL offload. Similar results were seen with NGFW traffic, with transactions per second increasing five times over the alternative.
So why were the results so dramatically different? Array’s SSL offloading, acting as a proxy, decrypts SSL traffic to allow 3rd-party security appliances to perform inspection, then re-encrypts the traffic before forwarding it to its final destination. The AVX incorporates a purpose-built SSL/TLS stack that engages onboard hardware SSL/TLS accelerators to offload compute-intensive SSL/TLS processing, allowing security appliances to operate at their peak performance level.
In the SSL/TLS offloading process, the Array appliance plays the role of an ingress node to intercept and decrypt SSL traffic, and the role of an egress node to forward inspected traffic to the data center servers. When there are two or more security devices deployed, the Array appliance supports load balancing of decrypted traffic to the security devices. SSL offloading supports a variety of deployment combinations based on the security device’s distribution mode, deployment layer and network topology.
There is little doubt this will remain a critical issue for IT in the months and years ahead. We’re happy that we at Array are able to provide a cost-effective and high-performance solution that doesn’t require more dedicated security appliances or expensive network brokers. In addition to The Tolly Group’s report (which you can download here https://www.arraynetworks.com/search-offers/Tolly-SSL.php), you can also find out more about SSL offloading on our own website here (https://www.arraynetworks.com/functions-ssl-intercept.html).
We’ve posted previously about how our AVX Series Network Functions Platforms are part of the next big step in networking, similar to the changes brought about by the advent of the smartphone in our personal and business lives. Like smartphones, the Network Functions Platforms bring three important changes – consolidation, convenience, and workflow enhancement – to networking and security. The old days of dedicated, single-function networking or security appliances dominating the data center are fading away, much as the flip phone has.
Just as smartphones support multiple apps like GPS, weather, camera and more, the Network Functions Platforms can consolidate multiple dedicated appliances (like ADCs, FW/NGFWs, WAFs and others) into just a 1U or 2U platform. This capability consolidates the infrastructure and increases efficiency and return on investment.
The platforms replace the large footprint of the traditional networking appliances with a smaller number of agile platforms that consume far less space, power, cooling and cabling costs. Network Functions Platforms allow IT teams to flexibly support the diverse needs of multiple departments, partners, customers and other communities of interest.
Even more importantly, the Network Functions Platforms enable future proofing, because almost any desired networking or security functionality can be added in the future, much like downloading new apps onto a smartphone.
Under The Hood
To go a bit further under the hood, Array’s multitenant platform supports network functions from Array, like virtual application delivery controllers and SSL VPNs, but third-party and open-source virtual appliances are also supported if they can run on KVM, Ubuntu or CentOS. And the AVX Series provides guaranteed performance in a shared environment, a capability that is lacking in traditional virtual environments.
The platform is architected to extend Array’s virtualization technology all the way down to the hardware level. It reserves dedicated resources for each virtual network function, and includes the unique ability to partition resources including CPU, hardware SSL resources, network interfaces and memory. With this type of resource allocation and reservation, you can achieve performance with virtual appliances that equals or is sometimes even greater than that of standalone, dedicated hardware appliances.
For ease of use, the AVX platform offers four standard instance sizes: large, medium, small and entry-level. This is similar to selecting an instance size on AWS or Azure, for example. Each instance size provides a set amount of system resources. So if you want to run a virtual ADC instance and specify a large instance size, the platform automatically allocates the corresponding number of CPU resources, as well as the amount of hardware SSL resources, the number of network interfaces and the amount of memory.
This automatic allocation means that you’re able to deploy in minutes, not weeks or months.
Hardware And Software Resource Layers
Further under the hood, in the diagram below there are multiple layers:
As shown in the diagram, the NIC layer sits at the bottom and offers 1GE, 10GE, or 40GE connectivity to the external world.
RAM and hard disks comprise the memory and storage layer.
The latest-generation, high-density multi-core crypto processors provide the SSL layer. This layer enables high-capacity SSL encryption, decryption, offload and inspection capabilities.
The CPU layer consists of the latest Intel Xeon processors, and provides compute capacity.
The top layer is the Array operating system which does much of the heavy lifting. The multi-threaded ArrayOS includes the KVM virtualization layer, upon which virtual appliances run. The ArrayOS has several critical innovations such as no-lock scheduling, SR-IOV, DPDK, NUMA boundary, CPU pinning, and zero-copy optimizations. ArrayOS also includes an automation component that relieves IT staff of the tedious and error-prone tasks related to the virtual appliance lifecycle.
When a specific instance size is selected, for example a medium instance (Virtual Appliance 1 as shown at left), the Array OS automatically assigns CPU, memory, SSL and I/O resources. It also automates the SR-IOV provisioning, CPU pinning and NUMA boundary settings, as well as the physical-to-virtual port mapping.
If a different size instance is selected, the Array OS automatically assigns resources and performs the underlying setup (SR-IOV, CPU pinning, NUMA boundaries, etc.) as specified for that particular instance size.
How Is This Architecture Unique?
The unique architecture of Array’s AVX Series network functions platform provides significant advantages compared to a commercial off the shelf (COTS) server.
A COTS server employs a shared PCIe bus architecture that causes significant resource contention for networking and security workloads. In addition, constant kernel interrupts slow down the packet processing capabilities, thereby reducing the overall system performance and scalability. This is similar to a road that gets severely congested when a large number of vehicles try to go in different directions at the same time.
By contrast, the dedicated resource architecture of Array’s AVX Series ensures that every virtual appliance has dedicated I/O resources using SR-IOV. The architecture enforces strict Physical Function (PF) to Virtual Function (VF) boundaries, and minimizes kernel interrupts, resulting in improved performance and scale. This is similar to drag racing tracks where cars run at very high speed in their respective lanes, without affecting others.
Take Steps To Evolve Your Networking And Security
Just as smartphones brought about enormous changes in the way we communicate, work, play, and navigate the world, network functions platforms are changing the way IT deploys, manages and uses networking and security virtual functions. By enabling data center consolidation, by speeding time to deployment, and by enhancing workflows, network functions platforms are bringing revolutionary change to networking.
Last Friday was officially DNS Flag Day. Going forward, DNS software and service providers will remove workarounds for non-compliant systems in order to improve DNS efficiency, and to support new mechanisms for DDoS protection. This change will affect servers that do not comply with the original DNS standard (RFC1035) or the EDNS standard (RFCs 2671 and 6891).
If you’re using Array’s APV Series application delivery controllers with the latest software updates, however, there’s no need to worry. DNS Flag Day has no impact on APV Series appliances, regardless of whether SDNS is used as your authoritative servers or server load balancing is used for your DNS servers.
If you use SDNS as your DNS authoritative servers, APV versions 8.6 and 8.6.1 and later with the Full DNS function enabled will properly return DNS replies when DNS queries are received, either with or without EDNS extensions. If DNS queries with EDNS extensions are received, SDNS ignores the extensions and returns DNS replies without them.
If you are using the most recent software release (APV 8.6.1.15 or later), SDNS will process DNS queries with the DNSSEC and Client Subnet extensions, then return DNS replies with the corresponding EDNS extensions. This option requires that you enable the APV Series’ SDNS DNSSEC function (described in the APV user guide).
Similarly, if you are using the APV Series’ server load balancing for your DNS servers, no other configuration than DNS SLB is needed. There is, however, a limit of 512 bytes on DNS replies. If you encounter DNS failures due to the limitation, contact your Array reseller or representative for information on an alternative method to DNS SLB.
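The behaviour described above (a server that answers an EDNS query, with or without echoing the extensions, and a 512-byte ceiling on replies) can be checked on the wire. The following is an added example, not Array’s code: it builds DNS queries with and without an EDNS0 OPT record (RFC 6891) using only the standard library, and inspects a reply for OPT presence, the advertised UDP payload size, the TC bit and the classic 512-byte limit. The `build_reply` helper and the 192.0.2.1 address are constructed test fixtures, not real server output.

```python
"""DNS Flag Day style check: build queries with/without EDNS0 (RFC 6891) and
inspect replies for OPT presence, advertised UDP size, TC bit and the classic
512-byte limit (RFC 1035). Standard library only."""
import socket
import struct

CLASSIC_UDP_LIMIT = 512   # RFC 1035 UDP payload ceiling without EDNS
OPT_TYPE = 41             # RFC 6891 OPT pseudo-RR type
FLAG_TC = 0x0200          # truncation bit in the header flags word


def encode_name(name):
    """Wire-format a dotted hostname as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg, off):
    """Return the offset just past the name at msg[off], handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def build_query(name, qtype=1, edns=True, udp_size=4096, txid=0x1234):
    """Recursive query for `name`; with edns=True an OPT RR advertising udp_size is appended."""
    arcount = 1 if edns else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # RD=1
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)          # class IN
    if edns:
        # OPT: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0)
    return msg


def inspect_reply(msg):
    """Summarise the Flag Day relevant properties of a raw DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                 # skip QTYPE/QCLASS
    info = {"id": txid, "rcode": flags & 0xF, "tc": bool(flags & FLAG_TC),
            "answers": an, "edns": False, "udp_size": CLASSIC_UDP_LIMIT,
            "size": len(msg), "over_classic_limit": len(msg) > CLASSIC_UDP_LIMIT}
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:                          # EDNS present: CLASS carries the UDP size
            info.update(edns=True, udp_size=rclass,
                        edns_version=(ttl >> 16) & 0xFF, do_bit=bool(ttl & 0x8000))
    return info


def build_reply(query, ipv4, echo_edns, udp_size=4096):
    """Constructed test fixture: answer a build_query() message with one A record,
    optionally echoing an OPT record the way an EDNS-aware server would."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:skip_name(query, 12) + 4]
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 1 if echo_edns else 0) + question
    msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)   # name pointer to the question
    msg += bytes(int(o) for o in ipv4.split("."))
    if echo_edns:
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0)
    return msg


def send_query(server, query, timeout=3.0):
    """Send a query over UDP; None means no reply, which is the Flag Day failure mode."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
            return data
        except socket.timeout:
            return None


if __name__ == "__main__":
    q = build_query("example.com", edns=True)
    # A plain reply to an EDNS query (the SDNS behaviour described above) is still a reply.
    print(inspect_reply(build_reply(q, "192.0.2.1", echo_edns=False)))
    print(inspect_reply(build_reply(q, "192.0.2.1", echo_edns=True)))
```

Against a live server, pass the output of `send_query` to `inspect_reply`; a `None` result for the EDNS query but not for the plain one is the non-compliant case Flag Day targets, and `over_classic_limit` flags replies that would not fit the 512-byte DNS SLB limit.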
Some older-model APV Series ADCs, and all previous-generation TMX and TM Series ADCs, however, cannot be upgraded to the latest software releases. Contact your Array representative or reseller for information on upgrade programs.
The latest APV versions also support IPv6 transition, as well as 2048 and 4096-bit encryption keys. Combined with the changes to DNS, these technologies are helping keep networks accessible and more secure for the future. Happy DNS Flag Day, everyone!
Recently, Array’s virtual vAPV application delivery controller and vxAG virtual SSL VPN achieved re-validation with the latest version of the Nutanix hypervisor, AHV 5.5. Our ADC and SSL VPN products first attained ‘Nutanix Ready’ status in 2015. We see great synergies between our products; the Nutanix Enterprise Cloud converges server, storage and virtualization resources, while Array provides the essential application delivery functions to scale and optimize business-critical applications as well as providing secure remote and mobile access.
Array offers three deployment models with Nutanix to give enterprises flexible options in their infrastructure deployment:
Array’s ADC and SSL VPN virtual appliances may be deployed directly in a Nutanix AHV environment to provide agile, flexible on-demand load balancing, application delivery and secure remote/mobile access whenever and wherever it is needed.
Virtual ADC and SSL VPN can be deployed as instances on our AVX Series Network Functions Platform to front-end Nutanix. The AVX Series offers a hyperconverged-like environment with dedicated compute, memory, I/O and SSL resources per instance for the guaranteed performance that networking and security functions need, combined with the agility afforded by virtual appliances.
For maximum scalability, dedicated Array appliances can be deployed as a front-end to Nutanix environments. This option can provide the highest levels of performance for high application traffic loads.
All three ADC options can also offload compute-intensive SSL processing from other networking and security appliances, freeing their resources for their core functionality. In addition, all Array ADC options can offer SSL intercept. In this scenario, SSL-encrypted traffic is decrypted by one Array ADC, passed to NGFWs, WAFs and other devices for their respective inspections, then re-encrypted by a second Array ADC before forwarding to the final destination.
Applications and services running in a Nutanix environment typically require Layer 4 through 7 services to ensure applications have the availability, performance and security needed to meet requirements. Array’s virtual ADC and SSL VPN streamline operations and optimize applications and services running in Nutanix hyperconverged infrastructure.
Array is a member of the Nutanix Elevate Technology Alliance Program, and is committed to delivering the application delivery services needed by Nutanix customers.
As IT organizations adopt cloud and web-scale principles for their data centers, they are increasingly turning to Nutanix for their infrastructure. Our application delivery controllers give businesses and systems integrators the ability to address availability, performance and security requirements for their Nutanix environments in flexible and cost-efficient ways.
Deployment guides, solution briefs and other materials are available on our Hyperconverged Infrastructures page. Reach out to us if you’re considering deploying Nutanix, or if you’re a Nutanix reseller, to learn more.
Today we have a new honor and distinction to report. Throughout Array’s history we’ve used industry-leading Intel technologies as the foundation for our various product lines, and the AVX Series is no exception.
Last week, Intel announced the first ever Intel® Network Builders Winners’ Circle, which recognizes organizations and solutions that deliver technical leadership, advance open-source standards and collaborate with end-users to drive innovation. Array Networks was named to the solution partner category from a diverse field of nearly 250 technologies, programs and services.
We’re extremely pleased and gratified to receive this accolade for our submission of the AVX Series in recognition of our ability to deliver agility without compromising performance, support data center consolidation, and enhance the effectiveness of security through service chaining.
Array’s Network Functions Platforms are unique in the industry, and are designed from the ground up to support networking and security functions like next-gen firewalls, ADCs, SSL VPNs, WAFs and similar solutions. AVX Series offers the agility of virtual appliances with the guaranteed performance of dedicated appliances. The AVX Series accomplishes this by dedicating resources to each VA, including CPU cores, memory, network interfaces, and SSL hardware. AVX management and hypervisor are allocated their own resources to minimize contention with network functions. To ensure multitenant security, each VA instance is fully independent, a capability that is particularly valuable for regulatory compliance and in high-security environments.
All AVX Series Network Functions Platforms include Intel Xeon or Xeon Gold processors (depending on AVX model) and Intel® Ethernet 700 Series Converged Network Adapters, as well as Intel® Virtualization Technology (Intel® VT). In addition, Array’s platforms leverage Open vSwitch and the Data Plane Development Kit (DPDK), an open standard that was originally developed by Intel.
With its innovative capabilities, the AVX Series addresses key concerns for enterprises, managed service providers (MSPs) and resellers as the IT world moves increasingly toward virtualization. With dedicated resources per instance, the AVX Series overcomes the performance penalties of virtual appliances, and it supports KVM-based images, CentOS, Ubuntu, etc. Dedicated resources also eliminate resource contention, which heavily impacts the performance of networking and security in standard virtualized environments. SSL processing, essential for high-volume network and security devices, is provided by the AVX Series’ on-board SSL hardware.
In addition, the AVX Series automates and abstracts the complicated configurations required for virtual networking and security appliances, such as SR-IOV, NUMA pinning, port mapping, CPU pinning, etc. Thus networking and security VAs can be put back under the control of the networking and security teams, and under their respective budgets.
There’s much more to the AVX Series story, of course. If you’re confronting the challenges of managing virtualized networking and security appliances running on standard commercial off-the-shelf (COTS) hardware, or if you’re considering a virtualization strategy, call or email us for a demo of this award-winning technology today.
Intel is a registered trademark of Intel Corporation or its subsidiaries in the U.S. and/or other countries. All Rights Reserved.
Technology in our professional and personal lives is constantly evolving, and has been since the very first products were introduced. Today, we’re on the cusp of the next big step in the evolution of networking, a leap so large that it could well be considered a revolution.
For perspective, think back on how your parents (or grandparents) prepared for a road trip, such as Disneyland, Disney World or a similar attraction. First, they had to find and buy road maps (remember AAA maps?) and plan out their route. Watching TV or listening to radio for weather reports would be important. Of course they’d need to pack a camera, probably a flashlight in case of emergency, and if kids were involved, games, music and possibly movies to keep them occupied. Credit cards and a watch would be important too, and possibly a journal or diary if they were so inclined.
Now, we just carry a smartphone. It not only has maps, it has GPS, and can even show current traffic conditions and calculate the fastest route. You can get a current weather forecast, right down to the microclimate of the specific location. Games, movies, music, and other apps are either pre-installed or just a download away.
Smartphones have fundamentally enhanced our daily lives. A smartphone is essentially a smart platform that is agile, simple, compact, future-proof, and consolidates many functions. We’ve made the switch to a smart platform in our personal lives, and now we’re beginning to make the exact same switch in networking and security technology.
Like the Disneyland road trip analogy, networking is evolving yet again, and the next big step will bring much the same changes – consolidation, convenience, and workflow enhancement – brought about by smartphones.
Historically, IT staff has had to deal with trade-offs in networking and security gear. Choose a single-function, dedicated (physical) appliance and sacrifice flexibility while paying the price in rack space, power and cooling. Or opt for a virtual appliance and gain flexibility, but lose a great deal of performance. Or, select a ‘combo’ dedicated appliance with multiple functions, with the understanding that the add-on functions are probably not best-of-breed, and will suffer in performance as workloads increase.
Now, the old days of trade-offs are gone and, just as smartphones fundamentally changed the way we live and work, networking is making a very similar change.
The Network Functions Platform consolidates multiple networking and security functions just as a smartphone does. Rather than racks and racks of numerous single-function appliances, now multiple virtual appliances can run on a few network functions platforms, with dedicated resources for guaranteed performance. This significantly consolidates the infrastructure while increasing efficiency and return on investment. Now IT teams can support the diverse needs of multiple departments, partners, customers and other interests with an agile, simple, compact and future-proof platform that consumes far less space and power.
Naturally, Array’s Network Functions Platform supports virtual appliances from Array, including application delivery controllers, SSL VPNs, WAN optimization and web application firewalls. In addition though, the Network Functions Platform can support almost any Virtual Appliance (VA) that runs on KVM – including third-party software from other vendors like Silver Peak, Fortinet and others. If you wish to try open-source software, absolutely it can be run on the platform, so long as the VA runs on KVM.
How does guaranteed performance in a shared environment work? Array’s virtualization technology extends all the way down to its hardware level, and reserves dedicated resources – CPU, memory, I/O and SSL hardware – per instance. Resources are allocated based upon the instance size (entry-level, small, medium or large) to ensure performance levels and support SLAs.
Essentially, you can think of the Network Functions Platform as a hyperconverged infrastructure designed specifically for the needs of networking and security VAs. In a standard virtualized environment (in which resources are shared across multiple, competing functions), the performance of these types of appliances can suffer greatly, rendering these critical functions far less effective. In addition, Array’s solution offers an easy entrée to network functions virtualization (NFV) by abstracting and automating complex operations. Rather than spending weeks or months on an NFV implementation, admins can simply enter a few key parameters similar to the ones they enter on AWS or GCP, and be up and running within an hour.
In addition, a Network Functions Platform supports service chaining, an NFV concept that can maximize the efficacy of security and other functions. For example, inbound traffic can be routed through a load balancer for decryption of SSL traffic, then to a next-gen firewall, followed by antivirus, then IDS/IPS, then DDoS protection, and finally to another load balancer for SSL re-encryption and routing to the final destination server.
Like the revolution in our personal lives brought about by the advent of the smartphone, the Network Functions Platform is revolutionizing networking and security functions, providing the agility, performance, consolidation and ROI enterprises and MSPs need to compete and thrive.
All product names, logos, and brands are the property of their respective owners. Use of these names, logos, and brands does not imply endorsement.
Last week, we announced a new software version (version 10.2.x) as well as new hardware platforms (the x800 Series) for our APV Series application delivery controllers. The new APV x800 Series physical appliances (APV1800, 2800, 5800, etc.) offer industry-leading performance across multiple metrics, 40 Gig-E interfaces, and enhanced SSL performance. Depending on the model, performance has been improved in the 40- to 50-percent range over that of the APV x600 Series.
While the new x800 Series offers clear advantages, the APV x600 dedicated appliances (APV1600, 2600, 3600, etc.) have been our flagship load balancer platforms for more than seven years, and are deployed worldwide by customers large and small. Because the x600 Series has such a loyal and widespread following, we will continue to offer and support it and its software versions well into the foreseeable future.
Both product series offer options for high-performance processing of elliptic curve cryptography (ECC) transactions, and the x800 Series also includes an ECC option for the smallest model, the APV1800. The latest software versions for both product lines (10.2.x and 8.6.x) include some important new features and capabilities, including:
Enhanced SSL Intercept and DDoS Protection
A number of enhancements have been added for the SSL Intercept capability, which is used to decrypt SSL-encrypted traffic to allow third-party security devices full visibility. In addition, the DDoS protection capability, included at no additional charge, has been enhanced with machine learning of traffic patterns to detect anomalous traffic that may indicate an attack. Automatic (based on machine learning) or manual setting of threshold values is supported, and a host of other new features are also included.
Global Server Load Balancing
To further expand the APV Series’ support for data centers that include private, public and cloud resources, new capabilities support multi-site redundancy and geographical routing for optimum server performance. Other new features support mixed health checks across diverse servers, and improved resolution services.
For APV x800 Series Only: Secure Application Access and AAA
The new hardware architecture and software version 10.2 have allowed us to round out our vision for end-user security vis-à-vis cloud-based applications. It has become increasingly common for enterprise applications to be hosted in the cloud, which reduces overall costs but comes with a price for employees. Managing strong passwords across dozens of web apps can quickly become a daunting prospect, and can even hinder productivity.
With Array’s SAA and AAA, users can securely log on just once, and gain access to all the applications that they’re authorized to use. The APV x800 Series and v10.2 software work together with AAA servers using multiple protocols, and multiple AAA methods can be used to enhance security through crosschecking prior to authentication.
What It Means for You
If you’ve currently deployed our APV x600 Series load balancers, you can expand your deployment with additional x600 models without concern – they’re still available, and will be supported for years to come. You’ll still get the high performance, features and capabilities you rely upon, and, where possible, we’ll continue to add new enhancements.
If you’re interested in the new x800 Series with even higher performance, we’ve included two options – each system includes a partitioned hard drive to allow you to run either version 8.6 you’re familiar with, or the new version 10.2, which will be our main development focus going forward.
With either option, Array application delivery controllers offer you the very best in availability, scalability, performance, security and control.
Earlier today, Array announced a completely redesigned and revamped architecture for our WAN Optimization Controller product line. Along with the new architecture, we’ve also added a number of new features to simplify deployment and day-to-day operations, and major upgrades to the Configuration Management System (CMS). And in addition to these major changes, we’ve also renamed the product line – formerly called aCelera, it’s now called the WAN Series.
WAN Series includes innovative features like stream-based data differencing, single instance store and application blueprints for widely used enterprise applications like SharePoint, Office, SAP, NetApp NAS, Oracle and many others.
With the new version, we’ve released DHCP for zero-configuration deployment. Through DHCP, a peer auto-discovery function automatically detects remote WAN Series devices at branch or remote locations, sets up a connection and automatically begins accelerating traffic to and from the main location.
vWAN, the virtual edition of the WAN Series, also now has support for Array’s AVX Series Network Functions Platforms, giving enterprise and xSP users yet another option for NFV deployment. In addition, support has been added for AWS, Azure, and other cloud environments. Other refinements include adding support for new routing protocols to support multiple WAN routers, and support for new compression algorithms.
The WAN Series CMS, as mentioned, has also had major upgrades. Now, from a single WebUI, you can manage thousands of remote WAN Series devices with zero touch deployment, configuration and monitoring.
The WAN Series WAN Optimization Controllers include options to fit nearly any scenario, including a virtual appliance or Windows-based software for small branch or remote offices, as well as a desktop-sized version – the WAN1100 – that offers more throughput. A mobile version is available for road warriors and similar situations. And the hardware-based WAN Series appliances can provide up to 1Gbps throughput and support up to 100,000 concurrent accelerated TCP connections.
If your organization’s productivity relies upon employees being able to access data, or if meeting data replication goals is a problem due to low bandwidth or large data sizes, consider the new WAN Series WAN Optimization Controllers from Array.
Traditionally, network functions virtualization and software-defined networking have been parallel concepts – with NFV widely adopted by major telcos, while SDN has been much more the focus of enterprises. In 2018, we believe that we will begin to see a major shift as enterprises begin to explore the business and operational benefits that NFV can provide.
Some of the biggest enterprise IT initiatives for 2018, reported by industry analysts and others, include cloud (public, private, and hybrid), digital transformation, blockchain and others. If you look at these trends from a 30,000-foot view, you can easily see that the majority of them will be heavily reliant on the underlying network infrastructure to meet their respective potentials.
Within the IT infrastructure, networking and security functions like routing/switching, load balancing, NGFW, WAF and others are critical to the performance of the overall network and thus the ability of the larger initiatives to achieve performance objectives.
In the past, IT professionals would automatically turn to hardware-based appliances for the optimal performance and throughput for these functions. More recently, virtual appliances have gained a great deal of traction; however while the virtual editions of networking and security appliances offer much greater agility, their performance is typically much lower than that of dedicated, hardware-based appliances.
The performance deficit of networking and security virtual appliances is due in large part to the use of general-purpose hardware within virtual (and hyperconverged) environments, resource contention with other VAs, and the lack of specialized hardware – such as SSL processors.
NFV has the potential to overcome the issues of performance, scalability, agility and/or robustness of all of these options; however, industry analysts have reported that enterprise IT departments have been slow to adopt NFV due to concerns about potential for organizational disruptions, skills deficits among existing staff members, and the lack of ability to accurately foresee return on investment.
There is a bright spot in the future of NFV, though.
A new class of products, called Network Functions Platforms or virtualized/multitenant appliances, has recently arisen, designed to help enterprises address critical concerns about NFV adoption, along with the negative aspects of both dedicated and virtual appliances.
A Network Functions Platform is designed to abstract and automate the complex configurations required by NFV so that any IT team – networking, server or virtualization focused – can easily and accurately deploy networking and security functions with almost no training needed. These platforms include an intuitive WebUI that simplifies creation of service chaining, for example one or more application delivery controller instances set up to load balance traffic to a DDoS prevention instance, and then to a WAF or NGFW instance.
With a Network Functions Platform, performance is guaranteed through dedicated resources (memory, I/O, SSL and compute) for each instance. The performance-crushing ‘hypervisor tax’ is minimized by providing separate resources for hypervisor overhead. In addition, by focusing on a narrower use case – networking and security functions that are central to supporting the performance of business-critical initiatives – ROI and TCO are now far easier to calculate.
While Network Functions Platforms may be just a first step toward achieving widespread adoption of NFV, we believe they are an important steppingstone for enterprises that can have an immediate impact and pave the way for wider NFV deployments.
Will 2018 be the year that enterprise NFV begins to take flight? Share your opinion in the comments section below.
Update May 23, 2018 – U.S. CERT and the Department of Homeland Security have announced additional vulnerabilities under TA18-141A: Side-Channel Vulnerability Variants 3a and 4. As with the original Meltdown and Spectre vulnerabilities detailed below, Array products listed in this article are not affected.
By now, most members of IT staff and management have read about the latest vulnerabilities to make major headlines: Meltdown and Spectre, which affect Intel, AMD and other CPUs developed over the last couple of decades.
Array products exclusively use Intel processors. In regards to both Meltdown and Spectre, though, Array’s AVX Series network functions platforms, APV Series application delivery controllers, and AG Series SSL VPNs are not affected.
As our researchers explain, “In order to exploit these vulnerabilities, an attacker must be able to run forged code on an affected appliance. Array Networks’ APV and AG Series have strict remote management access control and users have no opportunity to execute custom malicious code on the appliance.”
In other words, there is no opportunity for an attacker to upload forged or malicious code to these Array products for execution.
Array’s vAPV virtual load balancer and vxAG virtual SSL VPN, while not directly affected by these vulnerabilities, may be affected if the hosting environment (e.g. VMware, KVM, etc.) is vulnerable.
Similarly, the AVX Series network functions platform itself is not affected by Meltdown; however, if it is running a vulnerable third-party appliance, there is a possibility that that VA (or VNF) could be exploited to attack other VAs running on the AVX Series platform. Thus, Array recommends using only our own vAPV and vxAG VAs or VNFs, or third-party virtual appliances provided by Array-certified vendors. (See our 3rd-Party Ecosystem page for more information.)
As always, we monitor security and vulnerability announcements closely, and if new information comes to light we will provide software updates if needed to further harden the systems. Read the full security advisory here (requires Array Support Portal login credentials).
On a side note, this is one more example of Array’s extreme focus on the security, and security hardening, of our products. Our standard practice is to expose only that which we must, and to wall off everything else, thus keeping it secured. Production traffic is segregated from management traffic to further reduce risk. And we developed our own SSL stack rather than using OpenSSL as most of our esteemed competitors do, thus protecting our products, and our users, from the many high-severity vulnerabilities that have been reported in OpenSSL – including Heartbleed, Bash and others.
In addition, our proprietary SSL stack has allowed us to include only the functions that are required for the tasks that our products perform. In this way, we can keep our code much more agile and flexible, and provide much higher performance by virtue of much lower overhead.
If you have any questions or concerns, or would like to receive a copy of the full security advisory via email, please reach out to your Array sales representative or authorized reseller.
Channel Partners, one of the premier media covering indirect sales channels that serve the tech industry, ran a poll on their site on December 13 that asked in part, “What’s the next big ‘software-defined’ sales opportunity?”
By a wide margin, respondents chose the trend toward NFV and virtual network functions (VNFs) replacing dedicated appliances such as load balancers, firewalls and edge devices.
Array’s AVX Series Network Functions Platform is designed specifically for this use case; it abstracts and automates the complex configurations required for NFV, while providing dedicated resources to each VNF (or VA) to guarantee performance.
Image Credit: Channel Partners Online
What’s your take? Do you agree with the poll’s findings? Use the Comment button below to share your opinion.
Recently, Array released software version 8.6.1.37 of our ArrayOS for the APV Series application delivery controllers. This new version offers a number of major new features and enhancements, which will help customers and partners expand load balancing capabilities to new use cases.
First and foremost, APV 8.6.1.37 adds custom-tailored support for Oracle Tuxedo. Tuxedo (Transactions for Unix, Extended for Distributed Operations) is middleware that is widely used in the banking, telecommunications and other industries worldwide, and supports applications written in C, C++, COBOL, Python, PHP, Ruby and Java. It is commonly used to support legacy applications that are being re-platformed from mainframe to virtual or cloud environments, or for newer applications that for various reasons use multiple code bases of different types.
In Array’s latest ADC software version, new CLI commands have been added to support load balancing between the Tuxedo workstation client (WSC) and the workstation listener (WSL) in the appropriate Tuxedo group, based upon configured mapping policies and a mapping table. The mapping table is automatically updated on the APV appliance based upon the response from the workstation handler (WSH). This new software version not only simplifies Tuxedo deployment and setup, by eliminating the need for complex and error-prone scripting, but also improves overall performance.
Load balancing Tuxedo traffic supports high availability and scalability by evenly distributing loads across servers, monitoring server health, and seamlessly routing around servers that have become overburdened or unresponsive. With Array load balancing, user experience and productivity are enhanced.
In addition to Tuxedo support, APV 8.6.1.37 also adds support for Layer 2 bridging, an implementation of IEEE 802.1D transparent bridging which allows the APV Series appliance to be added to the network without requiring any network segment changes. Array’s implementation includes the ability to define filter rules to separate traffic for delivery to different destinations. In an SSL interception use case, for example, SSL-encrypted traffic can be decrypted by the APV Series, forwarded to security appliances such as a next-generation firewall, IDS/IPS or deep packet inspection for further evaluation, then re-encrypted before being distributed to application servers. Traffic that does not match the filter rules will be forwarded transparently out of the bridge.
Additional minor enhancements to the default global root CA certificate list, global server load balancing, and high availability features of the APV Series are also included in this latest software release.
According to Wikipedia, application delivery controllers (a.k.a. load balancers) began to hit the IT market around 2004. Array was founded in 2000; as company legend has it, one of our earliest engineers became frustrated at the lack of server resources to demonstrate a project he was working on – as a startup, budgets were pretty tight back then.
Determined to achieve his goals, the engineer came at the problem from a different angle, and developed a method to convert a large number of short connections into just a few connections that needed more throughput, thus maximizing server performance. This capability was dubbed connection multiplexing, and led to a new product class – a traffic manager, a.k.a. load balancer – which became the precursor to today’s modern ADC.
Given our long history and experience with load balancing and ADCs, we talked with our tech support team about what they see as the most important ‘gotchas’ when customers deploy our APV Series application delivery controllers. Support team members came up with three key deployment scenarios, and a number of things to watch out for on each:
Server Load Balancing (SLB) is by far the most common deployment case for Array’s ADCs; this capability distributes workloads evenly across servers while maintaining session persistence and a seamless user experience should one or more servers become overburdened or unresponsive. In addition, SLB provides scalability and high availability for applications, web sites and cloud services by monitoring the health of servers and distributing workloads accordingly.
All real services for an individual virtual service must run the same web application.
Determine if the web application requires session persistence. If it does, you’ll need to set the SLB overload setting to prevent the SLB cookie methods from being restricted by the maximum connection number of the real service.
The method by which clients access the SLB virtual service can greatly affect the load distribution among the SLB real services. If clients are accessing the virtual service through a mega proxy, for example, then SLB persistent IP will have a poor distribution among the real services.
The SLB virtual service and real service must be configured with the same underlying protocol (http/https, ftp/ftps, tcp/tcps, etc.).
Setting the SLB protocol as HTTP/HTTPS will allow more functionality and control through the Array appliance. Supported features with HTTP protocol, for example, are compression, caching, http redirect, http rewrite, etc.
Ensure that your backend real service can handle the maximum load defined from the SLB real service setting.
The appropriate health check type needs to be selected to match the type of service from the real server.
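The mega-proxy tip above is easy to see in a simulation. The script below is an added example written for this post, not Array's code or ArrayOS behaviour: it models a persistent-IP method as a hash of the client source address (SHA-256 is an assumption; real implementations differ) and an insert-cookie method that assigns a new session round-robin and pins later requests to that server. The real-service names, the addresses and the traffic streams are all constructed. Traffic from distinct client addresses spreads across the pool under either method, but traffic that arrives through a single proxy address collapses onto one real service under persistent IP while cookie persistence still spreads it evenly.

```python
import hashlib
from collections import Counter
from itertools import cycle

# Constructed pool: four real services behind one SLB virtual service.
REAL_SERVICES = ["rs1", "rs2", "rs3", "rs4"]


def choose_by_source_ip(src_ip, pool):
    """Persistent-IP method: the client's source address selects the real service,
    so every request from one address always lands on the same server.
    (Hashing the address with SHA-256 is an assumption made for this example.)"""
    digest = hashlib.sha256(src_ip.encode("ascii")).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]


def distribute(requests, method, pool=REAL_SERVICES):
    """Push a request stream through one persistence method and count how many
    requests each real service receives.

    requests: iterable of (src_ip, session_id) pairs
    method:   "ip"     - persistent IP (hash of the source address)
              "cookie" - insert-cookie persistence: a new session is assigned
                         round-robin and the cookie pins its later requests
    """
    counts = Counter({rs: 0 for rs in pool})
    sticky = {}                      # session_id -> real service (the cookie)
    next_server = cycle(pool)
    for src_ip, session_id in requests:
        if method == "ip":
            server = choose_by_source_ip(src_ip, pool)
        elif method == "cookie":
            if session_id not in sticky:
                sticky[session_id] = next(next_server)
            server = sticky[session_id]
        else:
            raise ValueError("unknown persistence method: %s" % method)
        counts[server] += 1
    return counts


def direct_clients(sessions=300, per_session=3):
    """Constructed traffic: each session arrives from its own source address."""
    for s in range(sessions):
        src_ip = "10.%d.%d.%d" % (s // 65536, (s // 256) % 256, s % 256)
        for _ in range(per_session):
            yield src_ip, s


def via_mega_proxy(sessions=300, per_session=3, proxy_ip="203.0.113.10"):
    """Constructed traffic: the same sessions, but all of them reach the virtual
    service through one forward proxy, so they share a single source address."""
    for s in range(sessions):
        for _ in range(per_session):
            yield proxy_ip, s


def skew(counts):
    """Share of all requests taken by the busiest real service
    (1.0 = everything on one server, 0.25 = perfectly even across four)."""
    return max(counts.values()) / sum(counts.values())


if __name__ == "__main__":
    for label, traffic in (("direct clients", direct_clients),
                           ("via mega proxy", via_mega_proxy)):
        for method in ("ip", "cookie"):
            counts = distribute(traffic(), method)
            print("%-15s %-6s %s  busiest share=%.2f"
                  % (label, method, dict(counts), skew(counts)))
```

Running it prints the per-server counts for each combination; the "via mega proxy / ip" row puts every request on a single real service, which is the poor distribution the tip warns about.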
Global Server Load Balancing (GSLB) is used to load balance traffic across geographically dispersed offices or data centers. Array ADCs with the GSLB feature option can intelligently direct traffic based on server location, load and health to enable faster application response times and provide multi-site failover in the event that one or more data centers become unavailable or unresponsive.
GSLB requires that each geographical location has an Array appliance to properly manage the smart DNS calculation.
GSLB setup requires that Non-Authoritative DNS forwards DNS requests to the Array appliance for GSLB DNS decision making.
It is not recommended to use the Array APV Series appliance as your main authoritative DNS server. The Array DNS service can only perform limited functionality to support GSLB.
Link Load Balancing (LLB), while less commonly deployed than the previous two use cases, provides a vital service in situations where multiple WAN connections are required – oftentimes in remote or branch offices. Array’s LLB implementation provides advanced failover and bandwidth management for multiple internet connections, allowing business operations to continue even if one or more ISP links becomes slow to respond or unavailable.
With link load balancing, a response may otherwise leave on a different WAN link than the one its connection request arrived on; to keep the return path matched to the request path, you can use the Array Return to Sender (RTS) feature.
These are just a few simple tips that were top-of-mind among the tech support team. If you’re looking to deploy ADCs/load balancers, we hope you find these tips helpful. Array’s sales engineers and tech support team are always available if you have questions about your own ADC deployment.
We’re very pleased to announce the release of AVX 2.5, which brings a number of new features and capabilities to the AVX Series Network Functions Platform. Key highlights include:
Virtual switch enhancements, including support for Spanning Tree Protocol (STP), VLAN, multi-queue and port mirroring, as well as support for a unique and fixed MAC for every virtual port. In particular, multi-queue support offers an approach to scale up network performance as the number of vCPUs increases, and port mirroring (a.k.a. SPAN) supports traffic monitoring and inspection by 3rd party devices.
A newly redesigned, sleek and user-friendly WebUI which supports service topology view with WYSIWYG editing and topology-based management. This release also includes advanced VA management and monitoring functions such as Web VNC console, VA status monitoring and management, and detection of connecting status between Array vAPV and vxAG instances.
Pay-as-you-go license packs, which enable you to purchase Array products like vAPV virtual ADCs and vxAG virtual SSL VPNs incrementally in multiples of four.
DHCP assignment of IP addresses to the management ports of VA instances, and support for SNMP traps.
In addition, a number of enhancements are included in this new release, including support for log filtering, support for allocation of Site2Site tunnels for vxAG instances, and enhanced display of port mapping relationships between VAs and the AVX Series.
AVX version 2.5 is available on the U.S. Support site, as well as international support sites.
In a recent email, an esteemed co-worker* typed ‘could era,’ when he/she intended to write ‘cloud era.’ Or perhaps they were the victim of another one of those unfortunate spell-check autocorrects like ‘covfefe’ may have been – or not. It’s best to leave that to the political pundits to try to decipher.
But that coworker’s innocent typo is food for thought. How many IT managers out there are still wrestling with maximizing the potential of private, public or hybrid clouds? What is keeping them from getting from a best-effort ‘could’ to a fully optimized, powerhouse ‘cloud’ that supports critical business initiatives while streamlining the network?
Network Functions Virtualization (NFV) has been identified as an important step in full cloud optimization. However, a recent survey found several factors inhibiting the adoption of NFV. The leading factor cited was the lack of a compelling business case. Certainly it is hard to quantify the return on investment (ROI) of ‘soft’ benefits like reducing the time needed to deploy new services, achieving greater flexibility in network management, and improving the end-user experience. However, many of these variables can be recast into pure CAPEX and OPEX numbers that will help prove the case.
We’ve also heard from numerous IT managers that implementing NFV, and SR-IOV in particular, is difficult to the point of hair-pulling frustration. On this and the previously mentioned concern, Array can help.
Array’s AVX Series Network Functions Platform is the first product of its kind to fully address the problems of deploying network functions virtualization, specifically in the realm of networking, security and application delivery virtual appliances (VAs) and virtualized network functions (VNFs).
In terms of building the business case, the AVX Series offers several capabilities that can be directly tied to CAPEX, OPEX and ROI. For example:
Consolidate the functions of multiple (and expensive) physical/dedicated appliances (such as next-gen firewalls, SSL VPNs, load balancers and WAFs) into a single, one- to two-RU platform – saving rack space, power, cooling and other costs
Deploy best-of-breed VAs or VNFs on the fly, with a streamlined configuration and the ability to service chain functions (more on that later)
Pay-as-you-grow – rather than investing all at once and up front, you can purchase Array licenses singly, or in 4, 8, 16 or 32-packs. (Depending on the model and instance sizes, the AVX Series supports up to eight, 16 or 32 instances.) So if you need just a few instances of networking or security functions now, you can easily upgrade later to support more instances
Choose the size instance that meets your needs, and receive guaranteed performance per instance. For example, you might select a small instance size for an SSL VPN VA that receives fairly light usage (like IT staff remoting in to a management console), but choose a large instance size for a NGFW function that is a main security measure protecting multiple servers and other assets
Select best-of-breed technologies. While there are a number of “combo” products available that combine two or more functions on a single dedicated appliance, typically two key issues arise: First, the manufacturer may specialize in one function, while others are afterthoughts that cannot really be seen as best of breed. Second, every physical appliance has limits on the amount of resources (compute, I/O, etc.) available. It’s not uncommon to see performance issues for the ‘afterthought’ technologies that can impact user experience, due to resource contention
Demystifying and streamlining NFV and SR-IOV deployment is another area where Array’s Network Functions Platform shines. As mentioned above, one of the factors that have slowed NFV adoption is the sheer complexity of deployment. Adding to the problem is that IT staff retraining and reskilling are costly and time-consuming.
The AVX Series abstracts and streamlines the complexity of NFV deployment and management, and offers an easy-to-use WebUI to further simplify set-up and deployment. VA/VNF licenses for Array and other best-of-breed products (such as Fortinet FortiGate NGFW and Positive Technologies’ WAF at present) can be ordered directly from the interface.
Instances can be created or modified size-wise on the fly. Set-up of SR-IOV for instances is similarly simplified. All required configurations are accomplished with just a click or two. Service chains or topologies can also be set up with just a few clicks. For example, traffic could first be routed through a next-gen firewall VA, then to one or more application delivery controller VAs for load balancing across multiple servers, all within the AVX Series.
NFV is a goal for many organizations worldwide. With the AVX Series Network Functions Platform, getting from ‘could’ to ‘cloud’ has never been easier.
In the IT world, it’s become sort of a dystopian new normal to see massive, headline-grabbing network attacks, often on a global scale. The latest of these, just over a month ago, was WannaCry – which was estimated to have infected more than 200,000 computers worldwide in its first wave*. This ransomware/worm is particularly insidious as all it takes is one person on the network clicking on an email attachment or web link to launch it; once inside the network, it quickly spreads to other vulnerable devices on the intranet and internet.
However, ransomware like WannaCry and certain other malware share a point of commonality that IT managers can leverage to better defend against them: In many cases, they exploit an operating system vulnerability. In the case of WannaCry, it is a Microsoft Windows vulnerability in the Server Message Block implementation (MS17-010).
Microsoft issued an advisory and patch for MS17-010 more than two months before WannaCry was ever detected, meaning that IT managers who were diligent about enforcing patch updates within their organization were for the most part immune.
That’s the good news. The not-so-good news is twofold. WannaCry is still out there; there have been reports of new attacks as recently as June 8th and 9th. In addition, remote and mobile workers, contractors and vendors still need access to the corporate network, and often you don’t (or can’t) control their devices. If they’re not patched, any of them can be a conduit that lets WannaCry and other ransomware into the network.
If you’re using an enterprise-class SSL VPN like Array’s AG Series, however, you have a security tool that can defend against unpatched and insecure devices getting onto your network and exposing your corporate resources to ransomware. The AG Series includes host checking, which can pre-scan devices before they ever connect to the network to ensure that the required service packs, firewalls, antivirus, and/or antispyware are present and up to date. In addition, custom rules can be written, and different communities of interest can be assigned different host check requirements (for example, remote workers versus vendors).
If a device fails the host check, network access is denied. Through the AG Series, ransomware like WannaCry is blocked before it ever gets onto the network.
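The host-check decision described above, reduced to its logic, as an added example written for this post (it is not the AG Series' implementation, and the attribute and policy names are assumptions made here): a device reports its posture, the policy for its community of interest lists what must be present (required patches, host firewall, antivirus with fresh signatures, optionally antispyware and custom rules), and the evaluator either admits the device or denies it with the list of failed requirements. The patch identifier is a placeholder; the page does not give the MS17-010 KB numbers, so none are invented here.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable, List, Optional, Set, Tuple


@dataclass
class DevicePosture:
    """What an endpoint agent reports before the VPN session is admitted.
    Constructed for this example; the field names are not the AG Series' own."""
    installed_patches: Set[str]
    firewall_enabled: bool
    antivirus_product: Optional[str]
    antivirus_signature_date: Optional[date]
    antispyware_enabled: bool = False


@dataclass
class HostCheckPolicy:
    """Requirements for one community of interest (e.g. remote workers, vendors)."""
    required_patches: Set[str]
    require_firewall: bool
    require_antivirus: bool
    max_signature_age: timedelta
    require_antispyware: bool = False
    # Custom rules return None when satisfied, or a short failure reason.
    custom_rules: List[Callable[[DevicePosture], Optional[str]]] = field(default_factory=list)


def evaluate(posture: DevicePosture, policy: HostCheckPolicy, today: date) -> Tuple[bool, List[str]]:
    """Return (admitted, reasons). The device is admitted only if every
    requirement passes; every failed requirement is reported, not just the first."""
    failures = []
    missing = policy.required_patches - posture.installed_patches
    if missing:
        failures.append("missing patches: " + ", ".join(sorted(missing)))
    if policy.require_firewall and not posture.firewall_enabled:
        failures.append("host firewall disabled")
    if policy.require_antivirus:
        if posture.antivirus_product is None:
            failures.append("no antivirus present")
        elif (posture.antivirus_signature_date is None
              or today - posture.antivirus_signature_date > policy.max_signature_age):
            failures.append("antivirus signatures out of date")
    if policy.require_antispyware and not posture.antispyware_enabled:
        failures.append("antispyware not enabled")
    for rule in policy.custom_rules:
        reason = rule(posture)
        if reason:
            failures.append(reason)
    return (not failures, failures)


# Placeholder: the real hotfix identifiers for MS17-010 are not given on this page.
SMB_PATCH = "KB-PLACEHOLDER-MS17-010"


def approved_antivirus(posture: DevicePosture) -> Optional[str]:
    """Example custom rule: vendors may not rely on an unapproved (constructed) product."""
    return "antivirus product not on approved list" if posture.antivirus_product == "TrialAV" else None


# Different communities of interest get different requirements.
POLICIES = {
    "remote_workers": HostCheckPolicy({SMB_PATCH}, True, True, timedelta(days=7)),
    "vendors": HostCheckPolicy({SMB_PATCH}, True, True, timedelta(days=3),
                               require_antispyware=True, custom_rules=[approved_antivirus]),
}


def check_device(posture: DevicePosture, community: str, today: date) -> Tuple[bool, List[str]]:
    """Admit or deny a device based on the policy of the community it belongs to."""
    return evaluate(posture, POLICIES[community], today)


# Constructed sample devices and a fixed "today" so the run is reproducible.
TODAY = date(2017, 6, 15)
PATCHED_LAPTOP = DevicePosture({SMB_PATCH}, True, "ExampleAV", TODAY)
UNPATCHED_LAPTOP = DevicePosture(set(), True, "ExampleAV", TODAY)
VENDOR_BOX = DevicePosture({SMB_PATCH}, True, "ExampleAV", TODAY - timedelta(days=1))

if __name__ == "__main__":
    for name, dev, community in (("patched laptop", PATCHED_LAPTOP, "remote_workers"),
                                 ("unpatched laptop", UNPATCHED_LAPTOP, "remote_workers"),
                                 ("vendor box", VENDOR_BOX, "vendors")):
        admitted, reasons = check_device(dev, community, TODAY)
        print("%-16s %-14s %s %s" % (name, community, "ADMIT" if admitted else "DENY", reasons))
```

Reporting every failed requirement, rather than stopping at the first, is deliberate: it lets the user (or the help desk) fix the device in one pass instead of discovering the next problem on the next connection attempt.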
While an SSL VPN can help protect one vector from ransomware attacks, Trapp Technology, an Array customer and partner, also offers a list of other tips to protect against WannaCry in their recent blog post, How to Keep Your Company Safe from the WannaCry Virus.
Unfortunately, this dystopian ‘new normal’ of ransomware is not going to go away. Ransomware attacks will continue to cause an untold amount of damage to valuable corporate resources as well as draining IT time and budgets. Fortunately, there are ways to strategically protect against WannaCry as well as against unauthorized and unsecure access.
Broadcast satellite provider DirecTV last year ran an amusing ad series called “The Settlers” in which a pioneer-style family – complete with log cabin, 19th century clothing and horse-drawn farming equipment – chose cable TV service in order to preserve their values as settlers. Their surrounding neighbors, with modern suburban homes and all the accompanying conveniences, all subscribe to DirecTV of course.
We don’t in any way, shape or form intend to equate highly skilled and savvy IT staff members with the simplistic “Settlers” caricature in the ad series. However, enterprise and service provider IT managers for many years have had to make difficult compromises in order to move to agile, software-centric virtualized networks.
Virtualization is great for a large majority of mission-critical applications. Bring VMs up or down, move or reassign them, pretty much meet any requirement, all on the fly. However, network and security virtual appliances, like application delivery controllers, next-gen firewalls, SSL VPNs, application firewalls, and IDS/IPS, are a different story entirely.
They’re very compute-intensive, and process thousands if not millions of traffic streams per day or hour. Throwing additional VM compute, memory and I/O resources at them to meet performance objectives just adds cost and complexity (and directly contradicts the benefits of virtualization). To top it off, these appliances utilize software SSL processors for SSL-encrypted traffic, rather than the high-performance hardware SSL resources used by their physical appliance counterparts.
“But wait!” you’re probably thinking. “I can just deploy physical appliances instead for these functions.” Well, that leads to trade-offs too, unfortunately. You’ll lose the nimbleness of virtual appliances, and increase space, power and cooling requirements in order to gain high performance.
In short, the choice has been VAs with lower CAPEX, space, power and cooling costs, with high agility but much lower performance, vs. the exact opposite for physical appliances. With either choice, scaling can be a problem. And setting up network functions virtualization (NFV) can be a real headache.
But now, you don’t have to compromise.
Array’s AVX Series is a new breed of appliance, called a network functions platform. It combines the agility of virtualization with the performance of dedicated appliances – think of it as agility at scale – and streamlines NFV set-up.
Choose from a variety of best-of-breed Array and 3rd party networking and security solutions, like application delivery controllers, web application firewalls, DDoS protection, SSL VPN and more. Choose the size instance you wish to use per VA and rest assured that performance is guaranteed through dedicated CPU, memory, I/O and SSL resources per instance. Choose an AVX appliance based on your needs in ¼, ½, or ¾ increments, and expand capacity later as required.
You’ll find that you can reduce costs versus either multiple VAs or dedicated appliances by up to half, while getting the performance you need to meet business requirements. You’ll reduce rack space, cooling and power requirements by up to a factor of 16 – two rack units versus 32 for 1RU dedicated appliances.
A 3rd-party ecosystem of networking and security solutions that are certified for use with the AVX Series gives you a wide range of choices in best-of-breed products to deploy. Further, you get a streamlined path to NFV – the ArrayOS Resource Manager abstracts the complexity of virtual and physical port mapping, CPU pinning, NUMA boundary settings, SR-IOV and drivers.
You don’t have to settle for making the difficult choice between agility and performance. With the AVX Series network functions platform, you can settle for more.
We’ve blogged fairly frequently about our AVX Series over the past couple of years. In its initial incarnations, this multi-tenant, virtualized appliance supported multiple Array virtual appliances (load balancing and SSL VPN, primarily) with guaranteed performance and variable-sized instances. Many of our IaaS, SaaS and enterprise customers have embraced the AVX Series for its ability to reduce rack space, power and cooling costs, and offer better overall resource utilization and ease of provisioning – all while assuring the performance of Array virtual appliances.
That last point is key.
In talking with our customers and channel partners, many expressed their frustration with the performance of other compute-intensive networking and security products, such as NGFWs, DDoS protection, Web application firewalls and IDS/IPS virtual appliances. The commonality among these seemingly diverse products is that all of them use SSL, which with the advent of the 2048-bit standard has become highly compute-intensive (roughly 5x the demands of the previous 1024-bit standard).
Another commonality is that all of these solutions were originally designed to run on dedicated hardware appliances, in which it is fairly simple to allocate resources to ensure adequate performance. This is not the case in virtual environments, where memory and compute resources are shared across multiple VAs. Shared I/O resources compound the problem: in order to process network traffic at the high performance levels needed for satisfactory QoS, I/O access cannot be constrained. One option is to use SR-IOV (single root input/output virtualization), supported by many hypervisors, which is designed for high performance. However, it is notoriously difficult to source and configure the correct NIC to support a given VA, and moving a VA typically requires a complete reconfiguration.
Some of our customers and partners have attempted to surmount these challenges by turning to “combo” (or integrated) appliances – NGFW combined with SSL VPN, for example. Many of the same problems still exist in this model – resource contention, for example. And rarely, if ever, can all solutions combined in an integrated appliance be considered best of breed.
From the beginning, we envisioned the AVX Series as an open platform that would address these challenges by giving IT managers a choice – of the best-of-breed solutions, as well as of the system resources to ensure performance and quality of services, all while allowing easy provisioning and management. Essentially, the agility of cloud and virtualization, with the performance of dedicated hardware, or, in other words, a network functions platform.
We’ve also implemented SR-IOV within the AVX Series network functions platforms in a manner that resolves the sourcing and configuration headaches posed by virtual environments. Each instance within an AVX appliance has its own guaranteed I/O resources, so there can be no ambiguity in assigning NICs. Further, using our ArrayOS operating system, we’ve abstracted and streamlined the process of SR-IOV configuration.
To complete the vision, Array has begun testing and verifying best-of-breed third-party networking and security appliances to run on the AVX Series network functions platform. Earlier this week, we announced the first validated product in the AVX Series ecosystem – Positive Technologies’ Application Firewall (AF). The PT AF is the only product listed as a Visionary in the Gartner Magic Quadrant for Web Application Firewalls, and features correlation mechanisms to focus on major threats; instant, targeted protection; and evolving security to protect even against zero-day exploits.
For Array customers and partners, the AVX Ecosystem offers the assurance of tested and proven, high quality network and security solutions to mix and match as needed within the AVX Series environment. Deployment and integration guides will provide step-by-step assistance in rolling out these certified third-party solutions.
Our testing with networking and security VAs like Fortinet’s FortiGate next-gen firewall has proved that the AVX Series can deliver between 4x and 5x improvement in performance and throughput over that provided in a virtualized environment using commodity servers, I/O and other resources. In addition, the next AVX version will support management and provisioning of third-party devices via either console (if available) or Virtual Network Computing (VNC) connection using a VNC client such as VNC Viewer.
Better yet, the AVX Series and its ecosystem allows you to consolidate network and security appliances, saving rack space, power and cooling costs as well as overall costs. Our consolidation ROI analysis is below for a scenario involving 32 customers or applications, each requiring about 4 Gbps throughput. Note that we’ve based the analysis on Array ADCs running on an AVX10650; third-party ecosystem VAs may differ slightly:
                           | Virtual ADC (VA)        | Physical ADC (HW)        | AVX Series (Platform)
---------------------------|-------------------------|--------------------------|----------------------
# of ADC Instances         | 32                      | 32                       | 32
Throughput/Instance (Gbps) | 5                       | 3.5                      | 4
ADC Cost                   | 2x more ($10K/instance) | 1.5x more ($7K/instance) | ½ to ¾ the cost
Additional Server Cost     | Yes                     | No                       | No
Add’l Hypervisor Cost      | Yes                     | No                       | No
Space/Power/Cooling        | More                    | More                     | Less
Portable & Fungible        | Yes                     | No                       | Yes
Guaranteed Performance     | No                      | Yes                      | Yes
Imagine the possibilities that the AVX Series and its ecosystem can deliver for your network. We’re interested in your input; drop us a line in the comment box below and let us know which third-party network and security appliances you’d like to see running on the AVX, or send us any questions or comments you may have.
Today there are more deployment models than ever before for load balancing and application delivery. The trick is knowing which one, or which combination of these models, is the best fit for your needs. As in any choice in networking deployment models, there can be trade-offs that need to be evaluated carefully – typically performance versus agility, at the first-order level. Following are some quick rules-of-thumb.
If you are building your IT or application infrastructure in a public cloud such as AWS or Azure, virtual load balancers with utility consumption make a lot of sense. Bring load balancing capabilities up or down as needed, on the fly, while paying only for what you use. Or, you can use a Bring Your Own License (BYOL) model, depending on your needs.
If you have built a private cloud, and have invested heavily in virtual servers and infrastructure, virtual load balancers with perpetual licenses will give you maximum agility with the biggest bang for the buck. Virtual load balancers with perpetual licenses are also good to have on hand for development and non-production environments. Array’s virtual ADCs can also be ordered on a monthly or annual subscription model for even more flexibility.
Where there is high-volume traffic and/or where there is heavy utilization of compute-intensive functions such as SSL offloading, traffic inspection or complex scripts, dedicated hardware remains the preferred solution. In these cases, scaling out using general-purpose servers and virtual load balancers is simply not efficient or cost-effective. Array’s dedicated ADCs also support multi-tenancy through virtual IPs (VIPs) for use cases where multiple end-customers or communities of interest are involved.
Dedicated ADCs can also be used to augment virtual load balancers in situations where the agility of virtual is required, but SSL processing needs outstrip the capabilities of the software SSL resources provided by virtual ADCs. Using a hybrid model, the heavy lifting of SSL offloading can be outsourced from the virtual ADCs to one or more dedicated load balancers, preserving the agility of the virtual model while augmenting it with the hardware SSL resources present in dedicated ADCs.
For use cases where it is necessary to support more than one customer or application and where performance and scalability remain a primary consideration, virtualized dedicated hardware becomes a compelling solution. For instance, in a public or private cloud, where customers or business-critical applications have SLAs, using a virtualized appliance provides cost efficiencies, cloud agility and the ability to ensure guaranteed performance in a shared environment.
In recent years, it has become increasingly common to mix these deployment models. For example, dedicated hardware is installed in a private data center with burst capability to a public cloud platform that features virtual load balancing with utility consumption. Or, dedicated hardware is used for production traffic, and virtual load balancing with perpetual licenses is used for development and testing.
In addition, the recent rise in SSL-encrypted traffic has made load balancing ever more important for enterprise networks. Often, in-depth inspection appliances – whether virtual or dedicated – lack the ability to decrypt SSL traffic, with the result that this traffic bypasses inspection, posing a risk to corporate networks and sensitive business information. By using Array’s SSL Intercept capability, in virtual, dedicated, or virtualized appliances, encrypted traffic can be decrypted and passed through to security appliances, then re-encrypted if required before proceeding to its final destination.
As the market stands, physical and virtual load balancers and application delivery appliances are driving purchase decisions in most cases, with public cloud and virtualized hardware solutions acting as capabilities customers are looking for in order to ensure they are purchasing a future-proof solution.
With the advent of highly processor-intensive applications and protocols (like 2048-bit SSL), load balancing is increasingly a necessity in enterprise networking environments. These tips, as well as a careful evaluation of your organization’s needs, can serve as a guideline for your next application delivery controller deployment.
Welcome to a New Year! 2016 was a tumultuous year in IT and as usual, industry publications, bloggers and others are rolling out their reviews of the previous year and their predictions for the coming year.
Array has a unique vantage point on networking and security, as our products interface with one or more infrastructure elements to ensure application throughput, network security, WAN efficiency and other functions that enable users to remain productive while keeping networks and resources safe.
Given our vantage point, there are a few IT predictions for 2017 we can shed some additional light on.
First, a new solution that you’ll hear a lot more about in 2017 – network functions platforms – will solve the last conundrum of cloud and virtualization: the tradeoff between agility and performance.
As we discussed in a recent blog post, cloud and virtualization may not be the panacea that many seem to proclaim. For application workloads, general-purpose virtual environments will function just fine. However, virtual functions like ADCs, SSL VPNs, Web application firewalls and others require hardware-based SSL processing to perform at their best.
You can easily see this for yourself – just compare the published performance specs for hardware-based products against their virtual appliance version. In almost all cases, the software-based products’ SSL performance will be less than that of the dedicated appliances.
The network functions platform will provide an alternative to general-purpose virtualized environments, an alternative that assigns dedicated CPU, SSL, memory and interfaces to each VM. We believe this solution will see greater adoption due to its ability to solve the problem of agility at scale.
Second, there will be continuing proliferation of attacks and malware in 2017. The breaches of 2016 were staggering. Account information for 400 million FriendFinder users was exposed. Multiple medical facilities were hit with ransomware attacks. Yet another major OpenSSL vulnerability was discovered. In 2017, hackers will continue to develop new methods to steal lucrative personal and corporate assets, and IT managers will do well to maintain a strong security posture, and continue to investigate new strategies and technologies to thwart attacks and malware.
This comes with a proviso, however: even mature technologies can have vulnerabilities that lie undetected for years until they’re either discovered by security researchers or become known via a malevolent exploit. For example, RDP is a great remote access strategy, as it limits network exposure; however, just recently, a new malware called Trojan.sysscan was detected that can compromise RDP. And it’s not the first RDP vulnerability; a remote code execution bug was found in 2015, for example.
For any strategy or technology you employ, consider a layered security approach. For RDP, for example, if you have an SSL VPN in place for remote and mobile employees, put your RDP server behind it so that the extra authentication and SSL secure pipe will help protect the server. In addition, once connections are authenticated, SSL VPNs can use a full reverse proxy that completely masks the RDP server from attackers. What they can’t see, they’re going to have a really hard time trying to crack.
Third and rounding out the list is the Internet of Things (IoT). Industry analyst firm IDC estimates that U.S. enterprises and others invested more than $200 billion in IoT hardware, software and accouterments in 2016. While much of this investment was by industrial and transportation businesses looking to streamline smart grids, manufacturing operations, freight monitoring and other use cases, IDC and others expect the insurance, retail and healthcare industries to rapidly adopt IoT as well. Clearly, IoT has hit the inflection point just as cloud and virtualization have.
As IoT adoption increases, it will unleash a torrent of new data traffic and applications like remote health management and insurance telematics. The most efficient way to assure performance of the critical applications that are the ‘home port’ of these new IoT deployments is to be prepared with technologies like application delivery controllers to ensure scalable performance and high availability.
These are the trends we’ll be watching closely in 2017. Join the conversation – tell us your predictions or trends by filling out the comment form below.
The cat-and-mouse game of network security is constantly evolving, as hackers come up with new ways to get to the ‘cheese’ – the lucrative personal and corporate financial, tax and banking information that can pay off handsomely for the bad guys, while wreaking havoc on unwitting victims.
One of the latest malware/attack variants, disclosed just last month, is Trojan.sysscan. The scheme begins with brute-force attacks against Microsoft Remote Desktop Protocol (RDP) servers to steal credentials. Once successfully logged in, the Trojan itself is installed and then sets all RDP ports to remain open, thus allowing at-will access for theft of credentials, personal and corporate financial information, and more. Reports indicate the Trojan can easily evade detection, making this exploit even more dangerous.
RDP is very popular as a means of giving users access to their desktop PCs anywhere, anytime via their mobile or other remote endpoint. However, this means that RDP ports are left open, often 24/7, to allow access by staff as needed. Compounding the problem, RDP servers are often connected directly to the Internet, without a front-end protection mechanism.
Various news articles on Trojan.sysscan advocate simply enforcing strong passwords to ‘declaw’ the entry method for this hack: the brute-force attack. However, the human factor of network security comes into play with this strategy. All it takes is one – just one – slip by an end user, and you could be spending hours or days remediating this Trojan.
Fortunately, there are a couple of methods that can eliminate the threat of RDP Trojans completely. If you’re using an SSL VPN to authenticate and control access to your network, simply put your RDP servers behind it. As a bonus, Array’s AG Series SSL VPN adds a couple of extra layers of protection. First, it doesn’t expose the standard RDP port, thus veiling it from attackers. Second, once users authenticate with the AG Series, connections are proxied to the now-internal RDP server, meaning that RDP resources are neither exposed to nor connected directly to the Internet.
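Putting the RDP server behind the SSL VPN removes the exposed port; the brute-force stage described above is also something a defender can see in the Windows Security log. The following is an added example (not Array code, and not part of the original post) that scans event records for the pattern of many failed RDP logons from one source followed by a success. It uses the standard Windows event IDs 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive, the RDP logon type); the records, addresses and account names are constructed for the example, and the threshold and time window are assumptions to tune for your environment.

```python
"""Flag RDP credential brute-forcing in Windows Security event records.

Added example, not Array code. Event IDs 4625 (failed logon) and 4624
(successful logon) and logon type 10 (RemoteInteractive) are standard
Windows values; the records below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
RDP_LOGON_TYPE = 10

# Constructed events: (timestamp, event id, logon type, source address, account)
SAMPLE_EVENTS = [
    # one source hammers several accounts over RDP, then gets in as "backup"
    ("2016-12-01T02:00:01", 4625, 10, "203.0.113.7", "administrator"),
    ("2016-12-01T02:00:09", 4625, 10, "203.0.113.7", "admin"),
    ("2016-12-01T02:00:17", 4625, 10, "203.0.113.7", "administrator"),
    ("2016-12-01T02:00:25", 4625, 10, "203.0.113.7", "backup"),
    ("2016-12-01T02:00:33", 4625, 10, "203.0.113.7", "administrator"),
    ("2016-12-01T02:00:41", 4625, 10, "203.0.113.7", "backup"),
    ("2016-12-01T02:00:50", 4624, 10, "203.0.113.7", "backup"),
    # a user mistypes a password twice, then logs in: normal, not flagged
    ("2016-12-01T08:15:02", 4625, 10, "198.51.100.20", "jsmith"),
    ("2016-12-01T08:15:20", 4625, 10, "198.51.100.20", "jsmith"),
    ("2016-12-01T08:15:41", 4624, 10, "198.51.100.20", "jsmith"),
    # network (type 3) failures are not RDP logons and are ignored by this detector
    ("2016-12-01T09:00:00", 4625, 3, "192.0.2.5", "svc-print"),
    ("2016-12-01T09:00:01", 4625, 3, "192.0.2.5", "svc-print"),
    ("2016-12-01T09:00:02", 4625, 3, "192.0.2.5", "svc-print"),
    ("2016-12-01T09:00:03", 4625, 3, "192.0.2.5", "svc-print"),
    ("2016-12-01T09:00:04", 4625, 3, "192.0.2.5", "svc-print"),
]


def _parse(event):
    ts, event_id, logon_type, source, account = event
    return datetime.fromisoformat(ts), event_id, logon_type, source, account


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source: finding} for sources with >= threshold failed RDP logons
    inside a sliding window. A later RDP success from a flagged source while
    failures are still inside the window is recorded as a likely compromise.
    Threshold and window are assumptions to tune per environment."""
    ordered = sorted((_parse(e) for e in events), key=lambda e: e[0])
    recent = defaultdict(list)        # source -> failure timestamps still in window
    total_failures = defaultdict(int)
    accounts = defaultdict(set)
    findings = {}
    for ts, event_id, logon_type, source, account in ordered:
        if logon_type != RDP_LOGON_TYPE:
            continue
        # drop failures that have aged out of the sliding window
        recent[source] = [t for t in recent[source] if ts - t <= window]
        if event_id == FAILED_LOGON:
            recent[source].append(ts)
            total_failures[source] += 1
            accounts[source].add(account)
            if len(recent[source]) >= threshold and source not in findings:
                findings[source] = {
                    "first_seen": recent[source][0].isoformat(),
                    "failures": 0,
                    "accounts": [],
                    "success_after_failures": False,
                    "compromised_account": None,
                }
        elif event_id == SUCCESSFUL_LOGON and source in findings and recent[source]:
            findings[source]["success_after_failures"] = True
            findings[source]["compromised_account"] = account
    for source, finding in findings.items():
        finding["failures"] = total_failures[source]
        finding["accounts"] = sorted(accounts[source])
    return findings


if __name__ == "__main__":
    for source, finding in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(source, finding)
```

The success-after-burst case is the one worth paging someone for: with a strong-password policy alone, a burst of failures is noise, but a success from the same source minutes later is the "one slip" the paragraph above warns about.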
Another tactic to consider is eliminating Microsoft RDP entirely from your network. Array’s DesktopDirect remote desktop access solution, an add-on module for the AG Series SSL VPN, protects data in transit via a custom remote desktop protocol as well as SSL encryption. With DesktopDirect, data never leaves the corporate network, and never resides on the remote device, so it is always secure. Users can see and work with their files and network resources similar to how they use Microsoft RDP, and the interface is so simple to use that no training is required.
DesktopDirect can also eliminate many of the headaches associated with managing and using Microsoft RDP. For example, user self-registration makes it easy for network administrators to roll out. Users can power up their office computer remotely via DesktopDirect’s Wake-on-LAN technology.
In the old Tom and Jerry cartoons, the mouse almost always outsmarted the cat. By adopting a few new tactics, you can easily outsmart and defeat Microsoft RDP Trojans and other malware.
Array Channel Partner iSECURE recently posted a new blog regarding the many reasons customers in the greater New York metropolitan area should consider partnering with them for their network security needs. iSECURE has had a singular focus on security for many years, and their staff has extensive certifications and experience in all manner of security technologies (including Array’s SSL VPNs and application delivery controllers). In addition, iSECURE offers an extensive schedule of events, conferences and Webinars, and maintains a strong focus on customer service. It’s a great read, from a great Array partner.
Without a doubt, the age of virtualization is here. The Accenture Enterprise Survey 2016 found that 95% of enterprises (small, medium and large) believe that all network services will be virtualized. Similarly, 88% of respondents to an SDxCentral survey felt that finding a network virtualization solution was either important or mission critical. An Array customer we recently spoke with estimated that his network was about 85% virtual, and the goal was 100% within the next year.
Array offers virtual editions of all our product lines. That same customer is running our vAPV virtual application delivery controller for load balancing of an electronic medical records application, and he reports that he’s very satisfied with the product and the performance.
However, virtualization (private or public cloud) is not a panacea for every problem associated with running a physical network. Application, networking and security applications – like ADCs, next-gen firewalls, SSL VPNs, DDoS protection, etc. – run very compute-intensive workloads that, in high-volume environments or under heavy workloads, can suffer from degraded performance and thus impact user experience.
The issue lies with the very structure of virtualized environments, which run on general-purpose servers, with shared resources and hypervisor-imposed overhead. The result is resource contention and inconsistent best-effort performance. Virtualized environments just weren’t designed to support networking and security applications; and conversely, these applications were not originally designed to run in virtualized environments.
For a decade or more, there were only two choices: run virtual editions of critical applications (in either private or public cloud) if the workload and performance expectations allowed it, or install dedicated physical appliances where top-end, guaranteed performance was required.
Now, there’s a new option.
Array’s AVX Series virtualized appliances deliver a hybrid approach by offering the agility and flexibility of virtualization with the guaranteed performance and throughput of dedicated/physical appliances. A single AVX10650, for example, can support up to 32 individual application delivery, networking or security appliance instances, and each of the instances includes dedicated I/O, CPU, SSL and RAM resources.
These resources are far more robust than that of a general-purpose virtual server. In addition, the hypervisor overhead is segregated into its own space where it will not impact application performance.
Using this unique approach, virtual appliances for load balancing, SSL VPN, WAF, DDoS and other functions can be deployed with agility and flexibility, without making any compromise on the performance needed to support business-critical applications and customers. And, since the latest AVX Series update, third-party virtual appliances running on KVM can now be supported as well.
The age of virtualization is indeed upon us, but like any newer technology, there are a few kinks to iron out. The AVX Series is an important tool to bridge the gap for application, networking and security application performance without compromise.
SSL VPN technology has been around for more than a decade, and is commonly deployed to provide safe, secure remote and mobile access for users. While the technology is quite mature, if you’re deploying an SSL VPN for the first time, or for the first time in a while, there are a few tips that can make your installation much smoother and hassle-free.
We spoke with our Tech Support team, which has an awesome reputation both internally and among our customers. Most members of the team have been with Array for over ten years, and we asked them to provide, in their experience, the top five ‘gotchas’ that they see on a regular basis in our customers’ AG Series SSL VPN deployments. In no particular order, they are:
Keep in mind that you will need a valid SSL certificate and key provided by a Certificate Authority. While this is normally needed later in the configuration process, by ordering early you can avoid delays. Array’s AG Series SSL VPNs do allow you to use a self-generated key for testing, but it is not a substitute for the CA-provided certificate and key that are needed for production operation.
The best practice is to configure an interface (port1) on the DMZ behind the firewall, and a second interface (port2) on the local area network (LAN). TCP port 443 is only required to be open to the DMZ. You can also enable TCP port 80 on the DMZ in order to redirect HTTP to HTTPS.
Proper routing will need to be applied for the Layer 3 VPN set-up. For the best-practice configuration (the DMZ and LAN interface layout described above) the default route should point to the DMZ default gateway. Static routes must be created for all traffic destined for the LAN.
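The three tips above can be checked before cut-over. What follows is an added example, not ArrayOS configuration or Array code: it encodes the tips as a pre-flight audit over a constructed description of a deployment (interface roles, default route, static routes, ports exposed toward the DMZ, certificate provenance). The port1/port2 roles and the 443/80 port list come from the text; the dictionary layout, the addresses and the certificate fields are assumptions made for this example.

```python
"""Pre-flight audit for a two-interface SSL VPN deployment.

Added example, not ArrayOS configuration or Array code. The checks encode
the tips in the text (CA-issued certificate; port1 on the DMZ, port2 on the
LAN, only 443 and optionally 80 exposed; default route via the DMZ gateway
and static routes for LAN destinations). The dictionary layout, addresses
and certificate fields are assumptions made for this example.
"""
import ipaddress

ALLOWED_DMZ_PORTS = {443, 80}   # 443 required; 80 only for the HTTP-to-HTTPS redirect

# Constructed description of a correctly laid-out deployment.
GOOD_DEPLOYMENT = {
    "interfaces": {
        "port1": {"role": "dmz", "address": "192.0.2.10/24", "gateway": "192.0.2.1"},
        "port2": {"role": "lan", "address": "10.10.0.10/24", "gateway": "10.10.0.1"},
    },
    "default_route_via": "192.0.2.1",
    "static_routes": [{"destination": "10.20.0.0/16", "gateway": "10.10.0.1"}],
    "lan_subnets": ["10.10.0.0/24", "10.20.0.0/16"],   # networks VPN users must reach
    "dmz_listen_ports": [443, 80],
    "certificate": {"subject": "vpn.example.com", "issuer": "Example CA", "self_signed": False},
}

# The same deployment with the usual mistakes: default route on the LAN side,
# the internal /16 left unrouted, extra services exposed to the DMZ, test cert.
BAD_DEPLOYMENT = {
    "interfaces": GOOD_DEPLOYMENT["interfaces"],
    "default_route_via": "10.10.0.1",
    "static_routes": [],
    "lan_subnets": ["10.10.0.0/24", "10.20.0.0/16"],
    "dmz_listen_ports": [443, 80, 22, 8443],
    "certificate": {"subject": "vpn.example.com", "issuer": "vpn.example.com", "self_signed": True},
}


def audit_deployment(cfg):
    """Return a list of findings; an empty list means the layout matches the tips."""
    findings = []
    dmz = [i for i in cfg["interfaces"].values() if i["role"] == "dmz"]
    lan = [i for i in cfg["interfaces"].values() if i["role"] == "lan"]
    if len(dmz) != 1 or len(lan) != 1:
        return ["expected exactly one DMZ interface and one LAN interface"]
    dmz, lan = dmz[0], lan[0]

    # Tip: the default route points to the DMZ default gateway
    if cfg["default_route_via"] != dmz["gateway"]:
        findings.append(
            f"default route via {cfg['default_route_via']}, expected DMZ gateway {dmz['gateway']}")

    # Tip: static routes for all LAN-bound traffic (the directly attached subnet needs none)
    lan_net = ipaddress.ip_interface(lan["address"]).network
    routed = {r["destination"] for r in cfg["static_routes"] if r["gateway"] == lan["gateway"]}
    for subnet in cfg["lan_subnets"]:
        if ipaddress.ip_network(subnet).subnet_of(lan_net):
            continue
        if subnet not in routed:
            findings.append(f"no static route for LAN subnet {subnet} via {lan['gateway']}")

    # Tip: only TCP 443 (plus 80 for the redirect) open toward the DMZ
    extra = sorted(set(cfg["dmz_listen_ports"]) - ALLOWED_DMZ_PORTS)
    if extra:
        findings.append(f"unexpected ports exposed on the DMZ interface: {extra}")
    if 443 not in cfg["dmz_listen_ports"]:
        findings.append("TCP 443 is not enabled on the DMZ interface")

    # Tip: production needs a CA-issued certificate, not the self-generated test key
    if cfg["certificate"]["self_signed"]:
        findings.append("self-signed certificate in use; a CA-issued certificate is required for production")
    return findings


if __name__ == "__main__":
    print("good:", audit_deployment(GOOD_DEPLOYMENT))
    print("bad:", audit_deployment(BAD_DEPLOYMENT))
```

Feeding the audit the real exported configuration rather than a hand-written dictionary is the natural next step; the checks themselves do not change.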
If you’re going to allow users to access Web applications, the AG Series offers two different methods: Web Resource Mapping (WRM) and QuickLink. WRM and QuickLink are clientless methods, and both are relatively easy to configure. QuickLink has advantages in that it unifies the URLs generated by Web applications. The ‘gotcha’ here is that for QuickLink the URLs provided to the AG Series must be absolute and require additional DNS entries (i.e., https://web-application.yourcompanyname/ rather than https://yourcompanyname/prx/000/web-application/). WRM will meet most requirements and is the simplest to configure; however, QuickLink can provide support for internal Web applications that do not work well using a ‘proxy’ URL.
Also related to Web application access: If the Web applications are deployed with remote databases, the application needs to have some type of session base to allow remote databases within the domain to recognize client requests coming through the AG Series.
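The WRM-versus-QuickLink ‘gotcha’ comes down to how links inside a proxied page resolve. The example below is added here and is not Array’s implementation of either feature; it models the two URL shapes quoted above (a path-prefix URL on the gateway host versus a per-application hostname), shows why a root-relative link in an application page escapes the path prefix unless the proxy rewrites it, and why the hostname form needs no rewriting but does need one DNS name per application. The gateway host name yourcompanyname and the /prx/000/ prefix come from the text; the application name, its internal URL and the HTML snippet are constructed.

```python
"""Two ways to publish an internal Web application through a gateway.

Added example, not Array's WRM or QuickLink implementation. It models the
two URL shapes from the text: a path prefix on the gateway host
(https://yourcompanyname/prx/000/<app>/) and a per-application hostname
(https://<app>.yourcompanyname/). The application name, its internal URL
and the HTML snippet are constructed for the example.
"""
import re
from urllib.parse import urljoin, urlsplit

GATEWAY_HOST = "yourcompanyname"
PREFIX = "/prx/000"     # path-prefix form from the text

# Constructed: published application name -> internal origin
APPS = {"web-application": "http://intranet-app.internal"}


def path_prefix_url(app, path="/"):
    return f"https://{GATEWAY_HOST}{PREFIX}/{app}{path}"


def hostname_url(app, path="/"):
    return f"https://{app}.{GATEWAY_HOST}{path}"


def resolve_link(page_url, link):
    """What the browser requests for a link found in a page served at page_url."""
    return urljoin(page_url, link)


def reverse_map(public_url):
    """Map a request back to (app, internal path). None means the request
    landed on the gateway itself and the proxy has nothing to forward it to."""
    parts = urlsplit(public_url)
    host, path = parts.hostname or "", parts.path or "/"
    suffix = "." + GATEWAY_HOST
    if host.endswith(suffix) and host[:-len(suffix)] in APPS:
        return host[:-len(suffix)], path          # hostname form: path passes through untouched
    if host == GATEWAY_HOST:
        m = re.match(rf"^{re.escape(PREFIX)}/([^/]+)(/.*)?$", path)
        if m and m.group(1) in APPS:
            return m.group(1), m.group(2) or "/"  # path-prefix form: strip the prefix
    return None


# href/src/action attributes with single- or double-quoted values
LINK_ATTR = re.compile(r'(?P<attr>\b(?:href|src|action))=(?P<q>["\'])(?P<url>[^"\']*)(?P=q)')


def rewrite_for_path_prefix(app, html):
    """Rewrite root-relative and absolute-internal links so they stay under
    the prefix; this is the work the path-prefix form has to do on every page."""
    internal = APPS[app]

    def fix(m):
        url = m.group("url")
        if url.startswith("/"):
            new = f"{PREFIX}/{app}{url}"
        elif url.startswith(internal):
            new = path_prefix_url(app, url[len(internal):] or "/")
        else:
            return m.group(0)          # external links are left alone
        return f'{m.group("attr")}={m.group("q")}{new}{m.group("q")}'

    return LINK_ATTR.sub(fix, html)


if __name__ == "__main__":
    link = "/images/logo.png"
    print(reverse_map(resolve_link(path_prefix_url("web-application", "/home"), link)))
    print(reverse_map(resolve_link(hostname_url("web-application", "/home"), link)))
```

The first print shows the failure mode: a root-relative link under the path-prefix form resolves to https://yourcompanyname/images/logo.png, which the gateway cannot map to any application, so the proxy has to rewrite links in every page (or the application has to generate URLs relative to the proxy). Under the hostname form the same link resolves to https://web-application.yourcompanyname/images/logo.png and maps straight back, which is why that form copes with applications that do not behave under a ‘proxy’ URL, at the price of a DNS entry and certificate coverage per application.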
There you have it. In your next SSL VPN installation, keep these tips in mind to help smooth your way to an easier deployment. To learn more about Array’s AG Series SSL VPN appliances, visit our product pages.
A shout out to John Weber, Skype for Business MVP, who recently posted a very thorough review of Array’s vAPV virtual application delivery controller for use with Microsoft applications such as Lync and Skype. John is a Skype for Business MVP (2015) – before that, a Lync Server MVP (2010-2014). Read the complete review on his TsooRaD blog.
Too often in the world of high tech, we get caught up in techno-speak (or as some call it, techno-babble). In many ways it is a natural outgrowth of describing highly complex networking concepts and techniques that defy any attempt to express them in more approachable terminology. We’re all guilty of it to some degree, but it seems to be especially prevalent in the world of WAN optimization.
According to several industry analysts, the market for WAN optimization has shrunk slightly over the past few years. There are many possible reasons for this – IT budgets are always stretched, IT staff is dealing with dozens of competing initiatives, it’s easier just to throw more bandwidth at the problem, etc., etc., etc.
But maybe, just maybe, it’s possible that the real value of WAN optimization has been lost among all the techno-babble. That’s a shame, really, because there are several key areas where WAN optimization can make a huge difference in performance (which equates to user experience) and in meeting corporate goals. Our handy-dandy infographic provides a quick overview; you’ll find more detailed information below.
As the infographic shows, there are three broad areas where WAN optimization can be of benefit: Throughout the network in general; within the data center; and in remote/mobile/branch locations.
Throughout the corporate network, WAN optimization in general reduces the total amount of data transmitted, and dramatically improves TCP performance. Data transmission reduction is accomplished through content-aware data de-duplication, which recognizes and eliminates traffic that has previously been sent or stored. Array’s aCelera uses a single instance store, which provides a scalable resource to implement data differencing so that unchanged data is not sent over the network twice. The store also prevents multiple copies of the same data from being stored and maintained and enables predictive preloading based on usage patterns. Compression further enhances data reduction.
TCP optimization is another function that can make a dramatic difference in WAN performance. It makes transfers more efficient across the WAN and enables better utilization in both high and low bandwidth environments, provides faster recovery after packet loss, and enforces fair bandwidth use with other data flows.
In the data center, disaster recovery and backup can be a particular pain point. If recovery time objectives and recovery point objectives (RTO/RPO) are not met, it can expose the organization to risk of data loss in the event of disaster (or more recently, ransomware). WAN optimization uses data caching and differencing to reduce the total amount of data that must traverse the network to achieve an accurate backup, i.e., rather than transporting every single byte of data, only data that has changed since the last backup is copied to the backup servers. Bandwidth requirements and replication times are reduced by 2x to 5x, helping to meet RTO/RPO goals.
In addition, WAN optimization can improve app server performance through protocol optimizations, and through stream-based differencing. The latter detects which data has been previously delivered to local data stores, and avoids re-sending the duplicate data. Together, these functions eliminate redundant and chatty traffic to streamline server efficiency.
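Both the single instance store with data differencing described earlier and the stream-based differencing in this paragraph rest on the same idea: split a stream into chunks, identify each by a content hash, and send only chunks the other side has not seen. The following added example (not aCelera code; a generic content-defined chunking scheme with a gear-style rolling hash is assumed) simulates two backups of a constructed data set where the second inserts a few bytes in the middle, and compares the bytes actually transmitted under content-defined versus fixed-size chunking. The chunk sizes are tiny for the demo; real products use far larger chunks.

```python
"""Send only what changed: content-defined chunking with a single instance store.

Added example, not aCelera code; a generic gear-style rolling hash is
assumed for chunk boundaries. Two "backups" of a constructed data set are
sent through a store that remembers chunks by SHA-256; the second backup
inserts a few bytes in the middle, which defeats fixed-size chunking but
not content-defined chunking.
"""
import hashlib
import random

_rng = random.Random(2016)
GEAR = [_rng.getrandbits(32) for _ in range(256)]   # per-byte random values
BOUNDARY_MASK = (1 << 6) - 1     # boundary when the low 6 bits are zero: ~64-byte chunks
MIN_CHUNK, MAX_CHUNK = 16, 256   # demo sizes; real products use kilobytes


def cdc_chunks(data):
    """Split data where a rolling hash of the last few bytes hits a pattern,
    so boundaries depend on content, not on byte offset."""
    chunks, start, h = [], 0, 0
    for i, b in enumerate(data):
        h = ((h << 1) + GEAR[b]) & 0xFFFFFFFF
        length = i - start + 1
        if (length >= MIN_CHUNK and (h & BOUNDARY_MASK) == 0) or length >= MAX_CHUNK:
            chunks.append(data[start:i + 1])
            start, h = i + 1, 0
    if start < len(data):
        chunks.append(data[start:])
    return chunks


def fixed_chunks(data, size=64):
    """Naive alternative: cut every `size` bytes regardless of content."""
    return [data[i:i + size] for i in range(0, len(data), size)]


class SingleInstanceStore:
    """Receiver side: keeps one copy of every chunk ever seen, keyed by hash."""

    def __init__(self):
        self.blobs = {}

    def send(self, chunks):
        """Simulate transmitting a chunk list; returns the bytes that actually
        crossed the wire (hash-only references for known chunks count as free)."""
        sent = 0
        for chunk in chunks:
            key = hashlib.sha256(chunk).hexdigest()
            if key not in self.blobs:
                self.blobs[key] = chunk
                sent += len(chunk)
        return sent

    def reassemble(self, chunks):
        return b"".join(self.blobs[hashlib.sha256(c).hexdigest()] for c in chunks)


def make_data(n, seed):
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed data: day 1 is 4000 pseudo-random bytes; day 2 inserts 50 new bytes at offset 1000.
DAY1 = make_data(4000, 1)
DAY2 = DAY1[:1000] + make_data(50, 2) + DAY1[1000:]


def simulate(chunker):
    """Bytes sent for the day 1 and day 2 backups with the given chunker."""
    store = SingleInstanceStore()
    sent1 = store.send(chunker(DAY1))
    day2_chunks = chunker(DAY2)
    sent2 = store.send(day2_chunks)
    assert store.reassemble(day2_chunks) == DAY2     # receiver rebuilds the stream exactly
    return {"day1_sent": sent1, "day2_sent": sent2, "day2_size": len(DAY2)}


if __name__ == "__main__":
    print("content-defined:", simulate(cdc_chunks))
    print("fixed-size:     ", simulate(fixed_chunks))
```

With fixed-size chunks every block after the insertion point is shifted and therefore new to the store, so most of day 2 is resent; with content-defined chunks only the one or two chunks around the insertion change, because the boundary decision depends only on the last few bytes and resynchronises immediately after the edit. That resynchronisation is what lets a differencing store keep "unchanged data is not sent over the network twice" true even when files grow in the middle rather than at the end.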
For mobile and remote workers, aCelera offers either a mobile app or a Windows client for the endpoint devices, which communicates back to the corporate WAN optimization controller to optimize application performance, and traffic throughput, prioritization and security. These capabilities can help ensure a seamless audio, video and VoIP experience for end users.
Branch offices can implement inexpensive, lower-end WAN optimization appliances or virtual appliances to gain the same types of performance and quality boosts afforded to mobile/remote workers through an app or Windows client.
As you’ve seen, WAN optimization can make a huge difference in network and application performance, throughput (both of which impact end-user experience) and the ability to meet corporate goals such as RTO/RPO. To learn more about Array’s aCelera line of physical and virtual appliances, as well as iOS/Android app and Windows client, visit our aCelera product overview page today.
Many IT managers have come to regard SSL VPN as a mere commodity technology – needed to provide secure access to network resources for remote and mobile workers, but about as exciting as plain oatmeal. Of course, securing remote access is the primary function of an SSL VPN appliance. However, just as network and security architectures have evolved over the years, SSL VPN technology has continued to evolve as well.
At Array, we’re seeing quite a number of interesting deployment models that go beyond the ‘standard’ use cases for SSL VPN; these real-world installations by Array customers have added simplicity of use and an extra layer of security that bring real value to their respective organizations. In no particular order, here are a few of these innovative uses:
Proxy Microsoft ActiveSync Connections
If your organization has implemented or is planning a Bring Your Own Device (BYOD) initiative, the security of critical servers is an imperative. Rather than opening firewall ports to your Microsoft Exchange CAS servers (typically ports 80 and 443), use an SSL VPN appliance to proxy Microsoft ActiveSync traffic for mobile devices.
Centralize and Simplify Two-Factor/Multifactor Authentication
For geographically dispersed companies, managing across multiple sites can become more than a little painful if two-factor (or multifactor) authentication is deployed at each server that will be accessed remotely. Centralizing authentication at a single SSL VPN appliance allows users to authenticate at one core point – then connections are proxied to the appropriate back-end resource regardless of its physical location. This model dramatically simplifies management of two-factor authentication, while accelerating deployment and reducing complexity for end users. The Array Networks AG Series Secure Access Gateway supports most two-factor (or multifactor) products, and in addition includes an out-of-the-box OTP solution.
Maintain Security of Sensitive Information in the Field
We’ve seen this particular use case most commonly in financial institutions, though it can be useful in any situation where an organization’s staff needs to carry confidential information outside the office. Using Array’s DesktopDirect remote desktop access solution, an add-on for the AG Series SSL VPNs, employees can securely access their work PC from any location and any device, and view applications and data just as if they were in the office.
For example, a bank can provision tablets for employees to use in signing up new accounts at local events, or to meet with customers at their home or office to discuss investment options for their respective portfolios. All customer-confidential information is secured, and does not remain on the tablet – and, as tablets are particularly vulnerable to loss or theft, this last point is quite important.
Central IT Admin Portal
In this example use case, a separate portal is set up specifically for IT staff to securely access and manage internal network resources from a remote location (home, remote office, etc.). Links can be included to proxy Web-based applications, and to proxy RDP connections that are statically assigned based on internal policy. Specific network tools for IT staff that require limited remote access capabilities can also be published to the portal, and two-factor authentication and/or single sign-on can be enforced to meet internal security requirements. Array’s AG Series includes monitoring capabilities that can be used to maintain a log of all remote IT-related tasks as well.
Branding: Maintaining a Consistent Look and Feel
Most companies lack the time or resources required to ‘custom-brand’ Web-based applications such as Outlook, SharePoint and others for a consistent corporate look and feel. Centralizing internal Web-based applications through an SSL VPN simplifies branding by providing a ‘single pane of glass,’ or portal, on the SSL VPN. This portal can be easily customized with the corporate logo, colors and other elements of the brand, and provides an easy-to-use and recognizable point of access to business applications.
These are just a few examples of how Array customers are using SSL VPNs to provide additional security and versatility to their organizations. Join the conversation! We’d love to hear your ideas, questions and comments on ‘outside the box’ uses for SSL VPNs.
Array recently published a new white paper, titled ‘360° Application Security.’ The white paper describes an architecture for holistic multi-layer security for Web-based business operations that addresses all potential attack vectors, and does so in a coordinated manner using an architecture that will scale to meet the needs of a growing business.
The infographic provides a brief overview and synopsis of key points in the white paper. Learn more about how you can achieve security without compromise – gaining the security needed to keep your operation running smoothly, without unduly impacting performance and productivity. Click the image below to view the 360° Application Security infographic.
You may have read recently about Array joining the Nutanix Elevate Technology Alliance Program. Nutanix earlier today posted a guest blog from Array titled “Array Networks and Nutanix Acropolis Change the Paradigm for Virtualization TCO.” The blog post explores the history of virtualization and cloud, and how the Nutanix enterprise cloud, in conjunction with Nutanix Acropolis hypervisor and Array application delivery, can radically change the traditional cost of ownership equations. Read more here.
Other Array authors have written in the past about the value of SSL VPNs in supporting BYOD, and about the technology’s overall value as a key component of the network security infrastructure. SSL VPN – a.k.a. TLS VPN, secure access gateway, etc. – is a pretty mature technology; however, if you are planning for a new deployment or a technology refresh, there are several overarching themes that should be considered.
Network-Side Security
The primary benefit of SSL VPNs lies in the encryption of data traffic between points, of course, but encryption is only part of the story. Because of their position at the network edge, in order to be truly secure, SSL VPNs usually employ a combination of protection mechanisms. Array’s AG Series SSL VPN gateways, for example, use a proprietary OS and SSL stack that is not based on OpenSSL (which has had multiple high-severity vulnerabilities throughout its lifespan).
Firewalling can also be a problem, since inbound SSL-encrypted traffic cannot be inspected by traditional firewalls. Thus it’s important that the SSL VPN product itself include firewall capabilities, including DoS/DDoS protection for Layers 3 – 7. Protection for the corporate network itself is typically provided by a network gapping technique. Array’s products use a full reverse proxy to create this gap between the non-secured and secured networks. Application-level filtering can provide an additional fine-grained level of control by enforcing access control policies based upon protocol content.
Client-Side Security
AAA is the foundational step in establishing the identity of a user, and the SSL VPN appliance should be able to integrate with the organization’s existing authentication interface (typically RADIUS or LDAP). If a non-standard authentication interface is used (such as a legacy system, database, etc.), then it’s important that the SSL VPN appliance allow customization to integrate with these types of interfaces. Highly granular and role-based authorization is also essential in keeping network assets safe, and administrators should be able to limit access to data and applications based on user role as well as other parameters. For flexibility, it should be possible for policies to be stored locally or on an external server, and for administrators to correlate external and internal policies.
Especially in the world of BYOD, there is risk in unsecured devices gaining access to secured network locations. For this reason, host checking is essential – and the administrator should have the ability to set different parameters in order to determine the level of risk posed by a given device, and to allow/disallow access to various assets based on that risk assessment. In addition, because mobile devices are frequently lost or stolen, there should be a mechanism available to ‘wipe’ the device of any sensitive corporate information after a session’s end.
Access by mobile devices can present special challenges, and the SSL VPN appliance should support the two major mobile OSs (Android, iOS) and offer multiple access methods (Web-based, mobile app) for flexibility. In addition, Array’s SSL VPN appliances allow existing Windows and desktop applications to be seamlessly presented via the mobile app, while sensitive data remains on the enterprise network.
Performance
Almost all SSL VPN vendors publish performance metrics; however, when evaluating solutions it’s important to compare apples to apples. Drill down into the numbers: for the maximum number of SSL operations per second, for example, do the vendor’s specifications include handshakes, bulk encryption, or both? Are performance test graphs under simulated load available that can help you validate the claims? And do the performance parameters complement each other, i.e. is the volume of SSL operations per second adequate to support the number of concurrent user sessions that is claimed?
User Experience
Users can quickly become frustrated when they are required to use multiple interfaces and methods to access the resources they need to be productive, so the SSL VPN solution should offer the ability to customize the login and other pages to suit the needs of employees, partners, departments, etc., and it should be intuitive with minimal user interaction required.
In addition, Array’s AG Series offers DesktopDirect™, a remote desktop access solution that allows workers to remotely connect to office PCs from any device and access their familiar desktop applications and data. This solution eliminates the need for additional laptops, software or training, and the user experience is virtually identical to that of the office environment. Data never leaves the network, so security can be assured.
Another area to consider is segmentation, i.e., some organizations will need to ‘wall off’ separate access portals to eliminate the possibility of an employee accessing information for which they are not authorized. One good example of this is a finance or HR department, which has highly confidential data and resources that should be completely separate from other departments. Some SSL VPNs, like Array’s AG Series, offer up to 256 virtual secure access portals to allow segmentation to control access to resources.
The beginning of a new year always brings an exuberant flurry of predictions from industry pundits, marketing folks, bloggers and others. While certainly many of these predictions have merit, in the 15-plus years since Array was founded we’ve all seen our share of industry fads, hype and vaporware, as well as entire classes of technology that were rendered obsolete by later developments. Remember personal digital assistants (PDAs), anyone? Netbooks? Netscape?
Some of this year’s crop of industry predictions might be a little ‘out there.’ (For one of the more amusing – and thought-provoking – round-ups, see Ericka Chickowski’s excellent slideshow on Dark Reading, “Boldest Cybersecurity Predictions for 2016.”) Some are fairly predictable; most have at least a grain of truth.
At Array, we see a number of trends that have developed over the past few years that we believe will gain even more traction and adoption in the coming year, and therefore bear closer scrutiny:
Hybrid Cloud: A number of industry surveys and predictions are pointing to hybrid cloud as a hot trend for IT managers, and it makes a lot of sense. CapEx budgets are always under tight control for IT departments, but demand for applications and data continues to grow unabated. These two opposing forces can both be accommodated by moving certain network assets to the cloud; the strategy can reduce CapEx while providing the agility that businesses need to grow and thrive.
Multi-Tenant, Multi-Function Application Delivery: As a ripple effect of the enterprise move to hybrid cloud, Infrastructure-as-a-Service (IaaS) providers will begin to revisit their application delivery strategies. Currently, many offer load balancing services via virtual application delivery controllers. This option offers a great deal of flexibility and operational agility; however, it can come at the cost of performance and cost efficiency. Multi-tenant, multi-function virtualized appliances, like Array’s AVX Series, can be an alternative that provides the agility of cloud and virtualization with the performance and cost efficiency of dedicated appliances. The AVX Series, for example, can support up to 32 entry-level instances per system, and instances can be either application delivery controllers or SSL VPN. The latter allows network or customer administrators to securely access management interfaces or other network/application resources from anywhere, at any time.
Security Continues to be a Major Concern: Network security always seems to make it into industry predictions, and with good reason. This past year brought several high-profile consumer data breaches, and nation-states are increasingly targeting government and enterprise assets (see this article on a possible Russian attack on the Ukrainian power grid a few weeks ago). In addition, terrorist organizations may have begun what’s dubbed a ‘cyberjihad.’ Network administrators must remain ever vigilant and continue to investigate technologies such as SSL VPN and Web application firewalls to create a layered, multi-level security strategy.
Value Begins to Matter More than Brand. We may have begun to see a slowdown in growth in the industry’s largest players, who offer premium-priced products that oftentimes far exceed the actual requirements of the enterprise. Like Goldilocks, IT managers are beginning to take a closer look at products like Array’s that hit the sweet spot – powerful yet simple to use, and scalable yet cost effective.
Management Integration also Matters More. Another key area this year for IT organizations is very likely to be management integration. Most IT teams have invested heavily in virtualized servers and centralized management, so it makes sense to expand management beyond servers and storage to the ‘nuts and bolts’ technologies that optimize and streamline data and application performance (like ADCs). The overall theme is a push toward greater agility, lower CapEx, and reduced OpEx. Array has worked hard in the last year to offer a broad range of management integrations, including VMware vRealize Orchestrator, Microsoft SCCM, and OpenStack Neutron LBaaS. We also support homegrown cloud management through extensible APIs.
These are the trends we’ll be watching in 2016. Join the conversation – tell us your predictions or trends by filling out the comment form below.
In parts I and II of this blog series, we examined the frequency and severity of OpenSSL vulnerabilities, and key differences between OpenSSL and Array’s proprietary SSL stack. In this final edition of the series, we’ve promised to provide useful tips and techniques as well as best practices to help you use SSL while mitigating risk.
Network security as a whole has come under increasing scrutiny in the past year, as jaw-dropping security breaches exposed confidential information including social security numbers, passwords, credit card information and more. In addition, several high-profile network vulnerabilities have been reported that have made global headlines.
It’s now fairly common for network security managers to be called upon to report to their respective organization’s board of directors – and they want assurances that their company won’t be the star of the next big breach headline.
Luckily, there are a number of strategic (and tactical) steps you can take to minimize risk and maintain a strong security posture. To name just a few, in no particular order:
Identify if and where OpenSSL resides in your network. You’ll need to ask your vendors, but it’s very commonly used for Web servers (estimates range from 50 to 75% worldwide), and it’s also common in SSL VPN appliances and application delivery controllers, among other products. OpenSSL may also be used in ‘non-production’ applications for some products – for example, Array uses OpenSSL for our WebUI, XML RPC and SOAP APIs in our APV Series application delivery controllers. All production traffic, however, runs over our proprietary SSL stack.
Know which version(s) of OpenSSL are in use. In part I of this series, we determined that older versions of OpenSSL may be generally safer – though that’s not always true. The flawed code that was responsible for the Heartbleed bug, for example, was introduced into the code two years before researchers discovered the vulnerability. (And for the record, the version of OpenSSL that Array uses for non-production traffic predates the introduction of the Heartbleed flaw.)
Consider a layered security approach. If OpenSSL is running on your Web or application servers, consider adding application delivery controllers that run a proprietary SSL stack – like Array’s APV Series – to load balance traffic among servers. You’ll gain in performance, availability and flexibility, while protecting the servers through a reverse-proxy architecture, kernel-level ACLs, packet filtering, DDoS protection and WebWall application security suite. This strategy effectively ‘walls off’ OpenSSL-based servers behind non-OpenSSL appliances.
Rethink security for remote and mobile workers. A number of reported OpenSSL vulnerabilities over the years have had the potential to allow man-in-the-middle (MitM) attacks – however, SSL VPNs are one of the most frequently mentioned methods of preventing MitM exploits for remote and mobile workers who need to access the corporate network. Therein lies the conundrum – if your SSL VPN appliance is based upon OpenSSL, but OpenSSL has had multiple MitM vulnerabilities… Enough said. Read about Array’s secure access gateways (SSL VPNs), which are also based upon Array’s proprietary SSL stack. Another strategy you may wish to consider is remote desktop protocol (RDP) for remote/mobile workers. Array’s DesktopDirect feature set for the AG Series can significantly mitigate data leakage by ensuring that data never resides on the remote device – it remains on the corporate network at all times.
Reexamine your authentication schema. Many of the previous OpenSSL vulnerabilities have had the potential to expose users’ passwords. If you’re following best practices of requiring strong passwords, and requiring users to change them frequently, that’s all to the good. However, some SSL VPN products (like Array’s) offer additional authentication checks that can be used to further bolster security. For example, in addition to passwords you might also authenticate the device MAC address or hardware ID.
Another option is two-factor authentication. Array has partnered with a number of third-party vendors of this technology, who offer cloud-based, virtual or dedicated solutions. Typically the technology pairs something you know (i.e. your password) with something you have (a token or smart device app with constantly changing access codes, which are synchronized with the AG Series SSL VPN appliance).
Of necessity, the list above is focused on the technology area that Array does best: application delivery networking. A search on ‘protect against Heartbleed’ or other well known OpenSSL vulnerabilities will also yield dozens of articles that offer other viewpoints. Are there other strategies and tactics that you’ve developed to mitigate risk while using OpenSSL-based servers and networking products? Join the conversation by commenting below.
You may have noticed a recent flurry of activity from Array centered around cloud initiatives. Within the past two months, we’ve announced availability of our vAPV virtual application delivery controller on both the AWS Marketplace and the Microsoft Azure Marketplace. These public cloud offerings provide a great deal of flexibility, often at a very reasonable cost, to augment or replace existing premise-based datacenter hardware.
Hyperconverged infrastructure makes a great deal of sense for many medium- to large-sized organizations. Space and power requirements can be reduced by around 75%, a major saving for rackspace- and OpEx-constrained organizations. The all-in-one design of the Nutanix Xtreme Computing Platform, combining storage, compute and networking in one, also represents a major reduction in management overhead, while driving simplicity to the data center.
The heart of any datacenter operation, however, is less about “what it is” than “what it can do for me.” The latter revolves around applications – many of which are not cloud-enabled – such as Microsoft Exchange and SharePoint, Oracle, SAP and similar business-critical tools.
These vital applications, which serve and promote productivity within an organization, need to be highly available and secure, with rock-solid performance, in order to achieve the gains needed not just to survive, but to thrive in this global economy.
That’s where application delivery controllers shine.
By intelligently load balancing production traffic across multiple servers either locally or globally, Array’s vAPV application delivery controllers assure performance and availability – even if a server is down or offline for maintenance. Multi-layer security is provided through a proprietary SSL stack (which has proved immune to the vast majority of OpenSSL bugs), as well as our WebWall® application security suite and other means.
In addition, Array’s dedicated APV Series ADC appliances can be used to front-end Nutanix if greater levels of SSL transaction processing or compute-intensive tasks are needed. Working in conjunction with or in place of Array vAPV virtual application delivery controllers, the APV Series physical appliances offload SSL processing, reducing server load and freeing processing capacity for other tasks.
It should be noted that we’ve worked closely with many of the largest business application providers to develop detailed deployment guides to assist in rolling out ADCs to support performance, availability and secure access to these mission-critical applications.
We’ve also worked closely with Nutanix to ensure interoperability and interworking between our respective platforms, and we’ve recently completed testing on Nutanix’s low cost, KVM-based Acropolis hypervisor (AHV). When paired with Array’s application delivery controllers, which are typically 40% (or more) less expensive than comparable ADCs, this combination offers a great balance of performance, features and flexibility at a much lower price-point.
Array’s new cloud-y options offer a wide range of flexibility for any network manager looking to incorporate a cloud-based strategy. If you’re looking specifically at moving to a Nutanix-based private or hybrid cloud infrastructure, learn more about Array’s application delivery networking solutions for Nutanix on our hyperconverged infrastructure page, or our APV Series overview page.
In Part I of this mini-blog series, I briefly explored the frequency and severity of OpenSSL vulnerabilities, and presented an infographic/timeline of a number of vulnerabilities that posed a very high exploitability subscore (i.e. they were deemed much easier for a malefactor to exploit than other vulnerabilities).
As I stated in that post, this series is most emphatically not meant as ‘OpenSSL bashing.’ The majority of our business is network security, and that’s ultimately the focus of this series.
Array does use OpenSSL in certain product functions, such as our XML RPC and SOAP APIs, as well as our Web-based user interface (WebUI). For our core product functionality and production traffic, however, we use our own proprietary SSL stack. As a network/IT manager, why should that matter to you?
OpenSSL is used by most, if not all, of our esteemed competitors throughout their products – from WebUI to production traffic. In addition, it’s used by a wide variety of other products in the networking industry, as well as around a half million Web servers globally.
That very ubiquity carries risk by making OpenSSL a more attractive target for the evil-doers out there. As one commenter wrote on a Schneier on Security blog on the Heartbleed vulnerability:
“Because it is open source and free to use, it is likely to create a mono culture [sic] and thus a single ‘disease’ can have catastrophic effects.”
Our proprietary SSL stack has proven immune to OpenSSL vulnerabilities, such as Heartbleed, Bash and others. We’ve also ‘walled off’ production traffic from our product functions that do use OpenSSL – thus limiting exposure – and we use an older, time-tested OpenSSL version that predates the introduction of the Heartbleed code error. In addition:
OpenSSL has had a reputation for being overly complex, bloated and stuffed with functions that are extraneous to the majority of tasks it is used for.
We chose to develop a proprietary SSL stack for a number of reasons; some of them are lost to the mists of time, but surely must include that the OpenSSL project began at just about the same time as Array was founded. In addition, we chose a different hardware path than others – leveraging Intel architecture rather than ASICs – which has given us advantages in economies of scale and time to market with new features and capabilities.
Above all else, though, was that a proprietary stack allows us to include only those functions that are required for the tasks that our products perform. It has allowed us to keep our code much more agile and flexible, and provides much higher performance through much lower overhead.
It should be noted as well that in the wake of Heartbleed, two separate development efforts forked off of OpenSSL to provide a cleaner, more secure and streamlined SSL/TLS implementation: BoringSSL, run by a team from Google, and LibreSSL, run by a team from OpenBSD, which is no relation to the OpenSSL team. (Note that the LibreSSL team pruned more than 90,000 lines of C code and 150,000 lines of content from its OpenSSL fork in its first few weeks of operation.)
These are great efforts, and we’ll be watching them closely as they progress. This leads to one last insight regarding the OpenSSL effort:
As Nicole Perlroth wrote in the New York Times Enterprise Computing blog, “When a crucial and ubiquitous piece of security code like OpenSSL … can be accessed by all the world’s programming muscle, but only has one full-time developer and generates less than $2,000 in donations a year, clearly something is amiss.”
Heartbleed appears to have served as a wake-up call for the industry, and the Core Infrastructure Initiative stepped up to provide funding for full-time developers as well as a code audit. This is all great – no, fantastic – news for OpenSSL.
However, a complex code base like OpenSSL can’t change overnight, and time will tell if the other initiatives will bring a more secure iteration. Meanwhile, by our choice many years ago to develop and maintain our own SSL stack, and through our careful implementation of safeguards, we’ve insulated our customers from the vast majority of OpenSSL vulnerabilities.
In Part III of this series, we’ll discuss best practices, tips and techniques that can help you gain the important benefits of SSL while mitigating risk.
Balancing the dissimilar needs of network security and employee productivity has long been a conundrum for IT professionals. Network threats, from malware to malicious attackers to data leakage, continue to grow unabated as criminals mine for sensitive business data that can be converted to cold hard cash. Meanwhile, employees are becoming ever more mobile, with the traditional workplace being reimagined as anywhere, any time the employee needs to work.
A recent study commissioned by Dell highlights the ‘great divide’ between network security and remote or mobile worker productivity. In a poll of medium to large enterprises, 91% of business users reported that their companies’ respective security measures had a negative impact on their productivity. Perhaps a key contributor to this discontent arises from another finding in the study: 85% of respondents needed to keep track of two or more login and password combinations to access files and applications required for their daily work.
Anyone who has worked in a corporate setting can probably attest to the difficulty of managing multiple passwords to access business applications like Exchange, Oracle, SharePoint, Citrix, VMware View and many others. If multifactor authentication is a part of the network security equation, it adds an additional layer of peace of mind for the IT staff but further compounds the difficulty for employees striving to get their work done.
Fortunately there’s a better way.
Array’s AG Series secure access gateways (SSL VPNs) have the unique ability to act as a ‘central gateway’ for both office-based and remote/mobile workers to access business applications and data. This method presents a single, unified and customizable login portal that serves to accept, authenticate, and pass network credentials to network resources behind the access gateway.
In effect, employees now have just one central point of login for all applications they are authorized to access, regardless of their location. They no longer need to remember multiple login points (local, remote, etc.) for their authorized network resources.
This method even works for Web-based assets such as application portals (SalesForce.com for example). Using SSL Post, the user’s network credentials are pulled from the AG Series’ cache and presented to the Web page that is requesting them.
It’s important to note that the AG Series allows role-based control of access via Active Directory groupings. This control can be extremely granular – right down to specific device ports, if needed. In addition, a range of access methods is supported, including clientless Web access; a pre-installed or Web-delivered client; or via the MotionPro native app for iOS and Android devices.
By using Array’s AG Series SSL VPN appliance as a single, unified, captive login portal for your company, you can have one user experience to rule them all while maintaining strong network security and boosting employee productivity – and remove a point of frustration as well.
The passing of the one-year anniversary of the OpenSSL Heartbleed vulnerability – and a recent rash of highly exploitable vulnerabilities with names of lesser cachet – led me to wonder: Just how frequently are OpenSSL vulnerabilities reported, and what are their impacts?
While Array has developed our own proprietary SSL stack for production traffic, we do use OpenSSL for certain of our products’ functions such as our XML RPC and SOAP APIs, WebUIs and other non-traffic-related tasks. Thus, this exercise is categorically not about OpenSSL bashing – rather, it’s intended to gain a better understanding of the vulnerability landscape and to serve as a foundation for discussion on network security as a whole.
The infographic below was compiled from the NIST National Vulnerability Database, and lists vulnerabilities with Exploitability Subscores of 8.5 and higher (with 10 being the highest). While every attempt was made to ensure accuracy and completeness, the vast scope of the NIST database makes this a nearly insurmountable task.
As you will see, like almost every software ever created, OpenSSL has had its share of vulnerabilities over the years. Many were reported at or shortly after a major product release; after the 1.0.2 release on Jan. 22, 2015, for example, CVE-2015-0291 and CVE-2015-0292 were reported less than two months later.
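The selection rule behind the infographic can be reproduced from NVD data. The following is an added example, not Array's tooling: it recomputes the CVSS v2 Exploitability Subscore from a base vector string using the weights from the CVSS v2 specification and keeps only entries scoring 8.5 or higher. The CVE records it runs over are constructed sample input with placeholder identifiers, not real NVD entries.

```python
"""Recompute the CVSS v2 Exploitability Subscore from a base vector string
and apply the 8.5-and-higher cut used to build the infographic.

Added example, not Array's code. Metric weights are those of the CVSS v2
specification; the records in SAMPLE_RECORDS are constructed placeholders."""
import re
from typing import Dict, List, Tuple

# CVSS v2 base-metric weights (CVSS v2 specification)
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}      # Local / Adjacent / Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}   # High / Medium / Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}     # Multiple / Single / None

# Base vector as NVD prints it, e.g. "AV:N/AC:L/Au:N/C:P/I:P/A:P"
VECTOR_RE = re.compile(
    r"^AV:([LAN])/AC:([HML])/Au:([MSN])/C:([NPC])/I:([NPC])/A:([NPC])$")


def exploitability_subscore(vector: str) -> float:
    """CVSS v2: Exploitability = 20 * AccessVector * AccessComplexity * Authentication.

    Returned rounded to one decimal, as NVD displays it; the ceiling is 10.0
    (remote, low complexity, no authentication)."""
    m = VECTOR_RE.match(vector.strip())
    if not m:
        raise ValueError(f"not a CVSS v2 base vector: {vector!r}")
    av, ac, au = m.group(1), m.group(2), m.group(3)
    score = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    return round(score, 1)


# Constructed sample input: placeholder ids, not real CVE entries.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"id": "SAMPLE-0001", "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"},  # 10.0
    {"id": "SAMPLE-0002", "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"},  # 8.6
    {"id": "SAMPLE-0003", "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"},  # 8.0
    {"id": "SAMPLE-0004", "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"},  # 3.9
    {"id": "SAMPLE-0005", "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"},  # 4.9
]


def highly_exploitable(records: List[Dict[str, str]],
                       threshold: float = 8.5) -> List[Tuple[str, float]]:
    """Return (id, subscore) for every record at or above the threshold,
    highest subscore first. Records without a v2 vector are skipped, since
    the infographic's filter cannot be applied to them."""
    kept = []
    for rec in records:
        vector = rec.get("vector")
        if not vector:
            continue
        score = exploitability_subscore(vector)
        if score >= threshold:
            kept.append((rec["id"], score))
    return sorted(kept, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for cve_id, score in highly_exploitable(SAMPLE_RECORDS):
        print(f"{cve_id}: exploitability {score}")
```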
In many ways, that’s the nature of the beast in open-source software development. The very structure that gives open source such great qualities – multiple developers (often volunteers) working together to create a freely-available code base – can also lead to errors because developers are working independently. However, with an entire community of developers, any errors are typically fixed very quickly, thus mitigating the impact.
And in all fairness, Array products were vulnerable to a couple of the vulnerabilities listed here, as well as a handful of others with lesser exploitability scores. Usually those vulnerabilities were related to the functions mentioned above, or to our older, end-of-sale products like the SPX and TMX Series. Follow the Array Support Twitter feed to keep up to date on all our product notifications.
In Part II of this blog series, I’ll dig deeper into the differences between open-source development and proprietary code bases, and offer concrete suggestions on keeping your network safe. Until then, let’s all be careful out there.
Last month, Array joined the Intel Network Builders program, which is working to accelerate the transition to Software-Defined Networking (SDN) and Network Functions Virtualization (NFV). As of this writing, the ecosystem has more than 150 vendor/members, as well as a growing list of end-user organizations.
Joining the Intel program is another important milestone in Array’s commitment to NFV. (As you may recall, late last year Array joined the OPNFV Project as a silver founding member.) It also serves to reemphasize why our commitment to a CPU-based architecture – vs. relying on ASICs – makes a very big difference in our application delivery controller and secure access gateway products, and thus benefits our partners and customers as well.
ASICs came to the fore some years ago, when the general-purpose CPUs and operating systems of that time were unable to provide the performance required to process ever-growing network traffic loads. As in any design choice, however, there are (and remain) drawbacks to an ASIC-based approach. ASICs carry higher engineering costs, which typically translate into higher product cost, and software bugs can be very complex to fix. Those two factors combine to result in a longer time to market for new features, new capabilities, and bug fixes.
In the meantime, Array developed its SpeedCore® operating system, a next-generation software architecture that allows Array products to take advantage of CPU advances, and to easily scale to meet the needs of complex and high-performance application delivery networking environments.
SpeedCore’s multi-core technology allows Array to leverage general-purpose processors to provide equal or better performance than ASIC-based architectures, with better agility and much lower costs. SpeedCore’s CPU-based environment allows Array to introduce new features and enhancements quickly, and without requiring our customers to rip-and-replace their existing products, or even to take products offline for a hardware upgrade. Instead, Array customers can add features or special customizations with just a simple, non-disruptive software upgrade.
In addition, leveraging the SpeedCore operating system and a CPU-based architecture for our dedicated and virtualized appliances minimizes overall complexity and maintains guaranteed high performance and reliability, while keeping the lid on support costs.
Array’s early choices on architectural design also hold important ramifications for the transition to NFV. The efficiency and agility of SpeedCore and a CPU-based architecture will allow Array ADC and SSL VPN products to more easily accommodate the new NFV model. In addition, Array ADCs have highly granular visibility into applications, allowing them to gather application-level insights that can be leveraged to guide SDN-based switch packets, thus improving performance and security.
Lastly, I/O is one of the main performance bottlenecks when virtualizing network functions. Intel’s ability to support SR-IOV on multiple platforms/hypervisors becomes a key factor in ensuring that Array’s virtualized network functions perform at the highest possible network throughput. Array’s virtualized platform (the AVX Series) uses Intel’s NIC and SR-IOV technology to achieve industry-first guaranteed-per-instance performance on a multi-tenant platform.
As you can see, architectural decisions made early in a product’s life cycle can have a huge impact on performance, agility and reliability far down the line. Array’s foresight in choosing an Intel-based architecture, coupled with our innovative SpeedCore OS, has given users of Array’s ADC and SSL VPN products a wealth of benefits.
Just over a year ago, the tech industry and its customers alike were jolted by the revelation of a new and potentially very serious vulnerability in OpenSSL. Dubbed Heartbleed, or CVE-2014-0160, the security bug affects certain versions of OpenSSL that do not properly handle heartbeat extension packets. This could allow attackers to craft packets that trigger a buffer over-read, resulting in the exposure of sensitive information from clients and servers.
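The bound check that the Heartbleed fix added, as an added example that is not Array’s or OpenSSL’s code: a heartbeat record is accepted only when its declared payload length, plus the RFC 6520 minimum padding, fits inside the bytes actually received. The sample records are constructed for this example.

```python
"""Validate TLS heartbeat records the way the CVE-2014-0160 fix does.

Added example, not Array's or OpenSSL's code. The record layout follows
RFC 6520; the sample records below are constructed for this example.
"""
import struct

HEARTBEAT_CONTENT_TYPE = 0x18   # TLS ContentType for heartbeat records
HB_REQUEST, HB_RESPONSE = 1, 2  # HeartbeatMessageType values
MIN_PADDING = 16                # RFC 6520: at least 16 bytes of padding


def parse_tls_record(data: bytes):
    """Split one TLS record into (content_type, version, fragment)."""
    if len(data) < 5:
        raise ValueError("short TLS record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    fragment = data[5:5 + length]
    if len(fragment) != length:
        raise ValueError("record header length exceeds bytes received")
    return ctype, version, fragment


def validate_heartbeat(fragment: bytes) -> str:
    """Return 'ok' if the declared payload fits in the fragment, else a reason.

    Vulnerable OpenSSL builds trusted payload_length and copied that many
    bytes out of memory into the response; this bound check is what the
    fix added.
    """
    if len(fragment) < 3:
        return "truncated heartbeat header"
    hb_type, payload_length = struct.unpack("!BH", fragment[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return "unknown heartbeat type"
    # type (1) + length field (2) + payload + padding must fit in the record
    if 1 + 2 + payload_length + MIN_PADDING > len(fragment):
        return "payload_length exceeds record (CVE-2014-0160 pattern)"
    return "ok"


def inspect_record(data: bytes) -> str:
    """Classify a raw TLS record; only heartbeat records are checked."""
    ctype, _version, fragment = parse_tls_record(data)
    if ctype != HEARTBEAT_CONTENT_TYPE:
        return "not a heartbeat record"
    return validate_heartbeat(fragment)


# Constructed sample records (TLS 1.1 version bytes 0x0302).
_PAYLOAD = b"ping"
_PADDING = b"\x00" * MIN_PADDING
# Well-formed: declared length 4 matches the 4 payload bytes carried.
GOOD_FRAGMENT = bytes([HB_REQUEST]) + struct.pack("!H", len(_PAYLOAD)) + _PAYLOAD + _PADDING
GOOD_RECORD = struct.pack("!BHH", HEARTBEAT_CONTENT_TYPE, 0x0302, len(GOOD_FRAGMENT)) + GOOD_FRAGMENT
# Malformed: declares 16384 payload bytes but carries the same 4.
BAD_FRAGMENT = bytes([HB_REQUEST]) + struct.pack("!H", 0x4000) + _PAYLOAD + _PADDING
BAD_RECORD = struct.pack("!BHH", HEARTBEAT_CONTENT_TYPE, 0x0302, len(BAD_FRAGMENT)) + BAD_FRAGMENT
# Ordinary application-data record, which the check leaves alone.
APP_RECORD = struct.pack("!BHH", 0x17, 0x0302, 5) + b"hello"

if __name__ == "__main__":
    for name, rec in (("good", GOOD_RECORD), ("bad", BAD_RECORD), ("app", APP_RECORD)):
        print(name, inspect_record(rec))
```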
Array’s application delivery controllers and secure access gateways use our own proprietary SSL stack, and thus were not affected by Heartbleed. Many competing products are based on OpenSSL, however, and their respective manufacturers raced to implement patches and fixes to protect their customers.
With the 20-20 hindsight afforded by a year’s distance from the Heartbleed announcement, what has changed and what have we learned?
Heartbleed wasn’t the first, nor the last. OpenSSL had multiple vulnerability announcements prior to Heartbleed, as well as over the last year. For Man-in-the-Middle (CVE-2014-0224) and ClientHello (CVE-2015-0291), once again neither Array’s AG Series SSL VPNs nor APV Series ADCs were vulnerable, due to our proprietary SSL stack. For the FREAK vulnerability (CVE-2015-0204), only certain products were affected (i.e. end-of-sale ADCs and SSL VPNs, and some functions of our aCelera™ WAN optimization controllers). New software versions for these products were released and are available on the Array Support site to mitigate these vulnerabilities.
Security is a mindset, not a feature. SSL/TLS itself, as well as other components of application delivery networking, had vulnerability announcements in the last year. However, as an SSL company, Array eats and breathes security. From the beginning, we’ve been fanatical about removing unnecessary features and loopholes in our software to improve both security and performance. This security mindset paid off with the Bash vulnerability (CVE-2014-6271 et al.), for example, because Array APV and AG Series do not expose Bash for remote access.
Web and application servers may still be vulnerable to Heartbleed. Security industry firm Venafi recently issued a report that found that as of April 2015, nearly three quarters of Global 2000 firms had public-facing systems that remained vulnerable. The primary reason cited by the report was incomplete remediation, typically by failing to replace SSL keys and certificates. Note that adding a Heartbleed-proof application delivery controller (shameless plug) like Array’s APV Series can provide an additional layer of defense while providing load balancing, SSL offloading and other functions that improve server and application performance.
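The remediation gap the report describes, as an added example that is not part of the original post or Array’s tooling: a patched OpenSSL build is not enough if the certificate and, above all, the private key that may have been read out of memory stay in service, or if the replacement key was generated while the host was still vulnerable. Host names, dates and key fingerprints below are constructed placeholders.

```python
"""Flag incomplete Heartbleed remediation in a certificate inventory.

Added example, not from the original post or Array. Host names, dates and
fingerprints are constructed; the checks follow the report's point that
patching OpenSSL alone leaves a possibly leaked private key in service.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

HEARTBLEED_DISCLOSED = date(2014, 4, 7)  # public disclosure of CVE-2014-0160


@dataclass
class HostRecord:
    host: str
    openssl_patched_on: Optional[date]  # None: still running a vulnerable build
    cert_not_before: date               # NotBefore of the certificate served now
    key_fingerprint: str                # SPKI hash of the key served now (placeholder)
    key_before_disclosure: str          # SPKI hash of the key served before disclosure


def assess(rec: HostRecord) -> str:
    """Classify one host's remediation state."""
    if rec.openssl_patched_on is None:
        return "vulnerable: OpenSSL not patched"
    if rec.key_fingerprint == rec.key_before_disclosure:
        # Same public key as before disclosure: any new certificate was issued
        # for a key that may already have been read out of process memory.
        return "incomplete: private key not replaced"
    if rec.cert_not_before <= rec.openssl_patched_on:
        # New key, but generated while the host was still vulnerable (a same-day
        # reissue cannot be confirmed as post-patch), so it could have leaked too.
        return "incomplete: key rotated before patching"
    return "remediated"


def summarize(records: List[HostRecord]) -> Dict[str, List[str]]:
    """Group host names by assessment so the gaps can be worked as a list."""
    out: Dict[str, List[str]] = {}
    for rec in records:
        out.setdefault(assess(rec), []).append(rec.host)
    return out


# Constructed inventory; fingerprints are placeholders, not real values.
INVENTORY = [
    HostRecord("www.example.test", date(2014, 4, 9), date(2014, 4, 12), "spki:new-1", "spki:old-1"),
    HostRecord("mail.example.test", date(2014, 4, 9), date(2014, 4, 10), "spki:old-2", "spki:old-2"),
    HostRecord("api.example.test", date(2014, 4, 11), date(2014, 4, 8), "spki:new-3", "spki:old-3"),
    HostRecord("legacy.example.test", None, date(2013, 6, 1), "spki:old-4", "spki:old-4"),
]

if __name__ == "__main__":
    for state, hosts in summarize(INVENTORY).items():
        print(f"{state}: {', '.join(hosts)}")
```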
The nature of malicious attacks has changed. At the dawn of the Internet, it was mostly kiddie scripters and other idle minds. Now, headline-grabbing malicious attacks are perpetrated by organized criminals (or even nation-states) with a goal of compromising personal financial information, sensitive corporate and government information, and even a nation’s infrastructure. It’s all about money now, or causing real damage, and the stakes are very high.
While OpenSSL is but one potential attack vector, Heartbleed and other OpenSSL vulnerabilities point out the new reality for IT professionals: They must remain ever mindful, ever vigilant, and ever diligent to protect the networks they manage against malicious attacks.
We recently published a new case study on SoftLayer, an IBM company, that showcases how this major Infrastructure-as-a-Service (IaaS) provider is using Array’s APV Series application delivery controllers for Load-Balancing-as-a-Service (LBaaS) offerings. In addition, SoftLayer deploys Array’s AG Series secure access gateways to allow customers and SoftLayer administrators to manage infrastructure in their respective network segments.
This points up an important distinction: IaaS providers have a unique environment with very different requirements than enterprise deployments. However, especially with regard to application delivery controllers, Array offers features, capabilities and pricing models that are uniquely suited for IaaS deployments.
Guaranteed Performance In Shared Environments
As organizations increasingly build their businesses in the cloud (i.e. IaaS environment), load balancing becomes ever more important to support cloud-based server and storage offerings. End-users have come to expect LAN-like performance no matter where the actual resources are physically located. Best-effort application and storage performance may be acceptable for some IaaS customers, but most will require guaranteed performance and SLAs to ensure that their end-users receive a high-quality user experience.
Array offers physical, virtual and virtualized ADC appliances that provide IaaS operators with a wide degree of choice in designing their LBaaS environment. See the table for a brief introduction:
AVX Series Virtualized Appliances: A physical appliance that is virtualized to support up to 32 fully independent instances, each with dedicated CPU, SSL, memory and I/O for guaranteed performance per instance.
APV Series Dedicated Appliances: One physical appliance supports one customer, providing a high degree of performance, reliability and control.
APV Series Multi-Tenant Appliances: APV Series as a multi-tenant appliance supports multiple customers by using virtual IPs (VIPs). Performance is guaranteed by limiting the number of concurrent connections per customer.
vAPV Virtual Appliance: As a virtual appliance running on virtualized servers, performance depends upon the VM environment. Where resources are shared, however, performance cannot be guaranteed.
Management Integration
In a virtualized environment, and managing hundreds, thousands or hundreds of thousands of customers and devices, Infrastructure-as-a-Service providers also face unique challenges. To fully utilize available resources and to be able to provision them on-demand, it becomes essential to implement an overarching cloud management system.
There is a wide variety of options for IaaS providers, ranging from proprietary ‘homegrown’ solutions to open-source platforms like OpenStack, to commercial offerings like VMware vRealize Orchestrator or Microsoft System Center.
To support IaaS providers, and to ensure that APV Series ADCs can integrate with the widest possible variety of cloud management systems, Array developed a robust set of APIs and integrations with leading CMS providers. Support for each of the three broad CMS categories includes:
Proprietary CMS
Integration enabled via XML RPC or Array’s eCloud™ API. XML RPC provides very comprehensive control, while the eCloud API offers a faster path to integration for a smaller subset of ADC functions
OpenStack
For IaaS providers using OpenStack standards, the eCloud API integrates with the OpenStack LBaaS API and supports management of multiple ADCs
VMware and Microsoft
Array has developed plug-ins for orchestration systems such as vRealize Orchestrator (vRO) and Microsoft System Center Configuration Manager
Flexible Pricing Models
Like any business, IaaS providers are looking to maximize profitability by reducing risk and up-front costs and aligning CapEx and OpEx with customer demand. Much like the flexible platform and management options described above, Array also offers a great degree in flexibility in pricing models, thus allowing IaaS providers greater choice in their LBaaS strategy. APV Series dedicated appliances, AVX Series virtualized appliances, and vAPV virtual appliances each offer specific pricing advantages, depending on the deployment model and customer needs:
APV Series Dedicated Appliances
When dedicated hardware is required for superior performance and reliability, APV Series provides the highest scalability and functionality, typically at 40% less cost than similar enterprise-class ADCs, and supports SSL processing at 75% less cost per SSL transaction per second
AVX Series Virtualized Appliances
These versatile appliances can be ordered in ¼, ½, ¾ or full capacity, and partitioned for entry-level, small, medium or large vAPV instances. Configuration is field-changeable, and additional licenses can be added at any time. In addition, AVX Series can support vxAG virtual SSL VPN gateways to allow secure remote and mobile access for customer and staff administrators
vAPV Virtual Appliances – Monthly
vAPV monthly licenses allow IaaS providers to use only what they need, for as long as they need, at affordable price points. Licenses expire or can be renewed when the subscription period ends
vAPV Virtual Appliances – Revenue Sharing
This innovative pricing model requires no up-front cost for the IaaS provider, while supporting enterprise-grade LBaaS services via virtual appliances
vAPV Virtual Appliances – Perpetual
Perpetual vAPV licenses give IaaS providers the flexibility of deploying virtual ADC appliances whenever, wherever needed. Licenses can also be upgraded at any time to support higher throughput if needed
Summary
As you’ve seen, through our work with SoftLayer and other IaaS providers Array has developed a very flexible set of ADC options, from platform to management integration to pricing models, to support the unique environment and requirements of IaaS and LBaaS providers. To learn more, visit our IaaS solutions page, or check out our latest white paper, titled Application Delivery as an Infrastructure Service.
The OpenStack word mark and the Square O Design, together or apart, are trademarks or registered trademarks of OpenStack Foundation in the United States and other countries, and are used with the OpenStack Foundation’s permission.
Back in the day, network speed and throughput were limiting factors for the overall productivity of an organization. Gigabit Ethernet came onto the scene in 1999, and offered a quantum leap in performance over previous connectivity standards.
10GbE was approved by IEEE in 2002, and slowly gained more widespread deployment as the switch vendors and others adopted the standard. Now, 40GbE and even 100GbE are available (though industry analyst firm Infonetics predicts that within one to two years, 40GbE will phase out as 25GbE and 100GbE become the norm).
The Rise Of The Application
In that same timeframe, individual PC licenses for generalized office applications have been replaced by Software-as-a-Service offerings such as Microsoft’s Office 365 and Adobe Systems’ Creative Cloud. It’s almost the de facto standard to host an organization’s email on Microsoft Exchange Server. Applications such as Oracle’s suite of products, as well as those of SAP, IBM, EMC and many others, are used for tasks from order entry to business intelligence to electronic medical records and have become intrinsic to the operation, competitive edge, and overall success of the majority of businesses and other organizations today. Can you imagine attempting to conduct your job without the myriad applications you use on a daily basis?
So, Which Is King?
Sorry, switch vendors. Ultimately the network exists to support the applications – and without applications, the network is just an empty pipe. Given adequate bandwidth and speed, and acceptable uptime standards, applications will run smoothly and end-users won’t flood the help desk with calls about application availability or slowness.
However, there is a caveat to that. What happens when dozens (or hundreds) of applications and their data are traversing the network? What happens when the same data (such as images, data files, etc.) is downloaded hundreds of times a day by end-users? What if multiple simultaneous connection requests overwhelm the application’s server? And how can you optimize application performance for mobile users on smart devices?
For example, APV Series dedicated ADC appliances can offload CPU-intensive connection management tasks, freeing server cycles for client requests. Connection multiplexing, developed by Array, also aggregates client connections to improve server efficiency by 50% or more.
APV Series ADCs can also apply caching, compression and traffic shaping to improve server performance, reduce bandwidth requirements, and assure critical applications take precedence over non-essential traffic.
aCelera WAN optimization minimizes traffic traversing the network, reducing end-user response times by up to 95% and ensuring a LAN-like experience regardless of end-users’ locations. aCelera also offers a mobile client to accelerate traffic between individual devices and aCelera appliances in the data center or cloud.
Long Live The King!
And the winner is: Your IT team, if your network resources are optimized to support the applications your company or organization needs in order to grow, thrive, compete and succeed. Explore our resources on application acceleration, WAN optimization, and application-specific deployment guides to learn more.
Late last week industry analyst firm MarketsandMarkets issued a new report on the WAN optimization market that predicted a CAGR of 18.8% from 2014 to 2019, with North America expected to be the largest single market and the APAC region predicted to have a CAGR of 21.2% in that period.
The predicted growth more than doubles the market in just five years. This may be astounding to many – especially compared to overall tepid network equipment market forecasts – but if you drill down into it, you’ll quickly discover what we at Array have been promoting for quite some time:
WAN optimization is the ‘secret sauce’ that makes networks and applications work. It’s that simple. But it’s also a bit complex.
Network/application performance used to be fairly straightforward. Given adequate bits and bytes and speeds and feeds, you could be confident that your network and applications were performing at their peak.
The last five years have been game-changing though. BYOD means that employees can work anywhere, anytime. Applications like Exchange, Oracle and others have become integral to getting the job done. New work concepts like ROWE (Results-Oriented Work Environment) have cropped up, encouraging employees to focus on what matters: the bottom line.
It’s no longer ‘good enough’ to assure the C-suite that your network is providing adequate throughput. What matters now is employees’ perception of your network’s ability to support their efforts in turn. Excessive downtime on a critical application like Exchange server? Slow response times from Oracle? These types of things cause headaches for employees – which will soon become your headache.
Add some Secret Sauce
WAN optimization works by streamlining the data that traverses your network. Put simply, data de-duplication and differencing (with caching) means that data that once was sent multiple times to a local data store now needs be sent only once. Traffic is prioritized so performance for end-users is greatly enhanced. TCP, and even relatively arcane protocols are optimized to eliminate redundant and chatty traffic. Compression further reduces the amount of traffic transmitted over the WAN.
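A simplified model of the de-duplication step described above, as an added example that is not aCelera’s code: data crossing the link is split into chunks, each chunk is sent in full the first time and replaced by a short digest reference whenever the receiver already holds it, so a repeated or lightly changed transfer costs a fraction of the original bytes. Chunk size, tag format and sample data are assumptions made for this example.

```python
"""Chunk-level de-duplication with a receiver-side cache (simplified model).

Added example, not aCelera's code. Fixed-size chunks and the one-byte
frame tags are assumptions made for this illustration.
"""
import hashlib
from typing import Dict, List, Set, Tuple

CHUNK_SIZE = 512          # bytes per chunk (fixed-size for simplicity)
DIGEST_LEN = 32           # SHA-256 reference carried on the wire


class Sender:
    """Remembers which chunk digests the far end already holds."""

    def __init__(self) -> None:
        self.known: Set[bytes] = set()

    def encode(self, data: bytes) -> bytes:
        """Emit 'L' + length + chunk for new chunks, 'R' + digest for known ones."""
        out: List[bytes] = []
        for i in range(0, len(data), CHUNK_SIZE):
            chunk = data[i:i + CHUNK_SIZE]
            digest = hashlib.sha256(chunk).digest()
            if digest in self.known:
                out.append(b"R" + digest)
            else:
                out.append(b"L" + len(chunk).to_bytes(2, "big") + chunk)
                self.known.add(digest)   # the far end caches it on arrival
        return b"".join(out)


class Receiver:
    """Holds the local data store and rebuilds the original byte stream."""

    def __init__(self) -> None:
        self.store: Dict[bytes, bytes] = {}

    def decode(self, frame: bytes) -> bytes:
        out: List[bytes] = []
        pos = 0
        while pos < len(frame):
            tag = frame[pos:pos + 1]
            if tag == b"R":
                digest = frame[pos + 1:pos + 1 + DIGEST_LEN]
                if digest not in self.store:
                    raise ValueError("reference to a chunk never received")
                chunk = self.store[digest]
                pos += 1 + DIGEST_LEN
            elif tag == b"L":
                n = int.from_bytes(frame[pos + 1:pos + 3], "big")
                chunk = frame[pos + 3:pos + 3 + n]
                self.store[hashlib.sha256(chunk).digest()] = chunk
                pos += 3 + n
            else:
                raise ValueError("bad frame tag")
            out.append(chunk)
        return b"".join(out)


def transfer(sender: Sender, receiver: Receiver, data: bytes) -> Tuple[int, bytes]:
    """Send data across the modelled link; returns (bytes on the wire, bytes rebuilt)."""
    frame = sender.encode(data)
    return len(frame), receiver.decode(frame)


# Constructed sample: a 1324-byte document and a later revision of it.
DOC_V1 = b"A" * 512 + b"B" * 512 + b"C" * 300
DOC_V2 = b"A" * 512 + b"X" * 512 + b"C" * 300   # only the middle chunk changed

if __name__ == "__main__":
    s, r = Sender(), Receiver()
    for label, doc in (("first send", DOC_V1), ("resend", DOC_V1), ("revision", DOC_V2)):
        wire, rebuilt = transfer(s, r, doc)
        print(f"{label}: {len(doc)} bytes -> {wire} on the wire, intact={rebuilt == doc}")
```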
This is, of course, just a small sampling of the many ingredients that combine to make WAN optimization the ‘secret sauce’ of network and application performance. To learn more, visit our WAN optimization solution page, or our aCelera WAN optimization controllers product page.
There’s been a bit of buzz in the normally sedate SSL VPN market lately, with Juniper divesting its flagship Junos Pulse (a.k.a. MAG Series or SA Series) SSL VPN product line to Siris Capital – which in turn rolled out a new company to develop and sell the product line.
This big change has caused customers and resellers to evaluate their options for current and future SSL VPN purchases. Also recently, industry analyst firm Gartner released a Market Guide for Enterprise Infrastructure VPNs, in which the authors rightly found, “The VPN marketplace is mature and fragmented, because the capabilities are embedded in other products, such as routers, firewalls, portals, application suites, unified threat management (UTM) appliances and platform OSs. Mainstream VPN vendors offer it as part of a family of networking products and services, which can also include access management and single sign-on (SSO).”
The authors also noted that “VPNs are alive and well, and have a long future: Companies should continue to use infrastructure VPN encryption methods as one of their security layers, review options in all four scenarios presented in this research and maintain a five-year plan.” The market guide, which is highly recommended reading, lists Array Networks as a representative vendor, and provides market recommendations that are very practical and well thought out.
At Array, we’ve had a singular focus on SSL from the start of the company nearly 15 years ago. In fact, we think of ourselves as ‘The SSL Company.’ Unlike most (if not all) other vendors, we developed our own SSL stack rather than using OpenSSL as a foundation. Through that foresight, Array’s AG Series and SPX Series have been immune to recent sensationalized OpenSSL vulnerabilities like Heartbleed and Man in the Middle (MitM).
Also through our long history as an SSL VPN vendor, our products are very mature with a rich set of features across a product line with models to serve very small to extremely large deployments.
As the Gartner guide noted, “Encrypted communications are fundamental to assuring the safe and secure transfer of business information.” We’ve got the commitment, the architecture, the features, scalability, performance and more to help you ensure a successful SSL VPN deployment.
Juniper SSL VPN Replacement Program
If you’re one of the many Juniper customers and resellers questioning your current SSL VPN options, Array can help! We’re committed to the SSL VPN market, and our AG Series can meet or exceed the capabilities of the corresponding MAG Series or SA Series products.
We’re offering a very attractive program right now to help you migrate to our AG Series, with free hardware and licensing – all you need purchase is a discounted 3-year support contract. Reach out to your Array sales representative or reseller today to learn more.
Gartner, Market Guide for Enterprise Infrastructure VPNs, John Girard, Eric Ahlm, Jeremy D’Hoinne, 02 March 2015
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
According to ComputerWeekly’s 2015 IT Priorities Report, 46% of IT managers worldwide plan to implement a Bring Your Own Device (BYOD) initiative in 2015, and 30% plan to deploy mobile apps. If you’re responsible for building your organization’s BYOD policy, there are hundreds, if not thousands, of articles and guides available on the topic – an article by industry consultant Bryan Barringer is one of the most recent, and it carries some very good insights.
Unfortunately, most of the BYOD policy articles overlook a technology that has been the workhorse for secure remote access for more than a decade: SSL VPN.
Originally designed for secure remote PC and laptop access, SSL VPNs have adapted and evolved over the years as BYOD morphed from a buzzword to reality for many organizations. The SSL VPN solutions of today, like Array’s AG Series secure access gateways, offer a wide range of support for smart mobile devices. And, due to their unique position at the network edge, with visibility into the endpoints and policy-based control over access to network resources, SSL VPNs can be your first line of defense for BYOD – the foundation for your BYOD policy, if you will.
For example, Array’s SSL VPN solution provides granular access control based on user and role, and host-checking can verify device and user identity as well as whether the endpoint meets security parameters like anti-virus, anti-spyware, personal firewalls, allowed OS version, etc.
A mobile client supports secure access for native business apps and HTML5 apps via a secure browser, and all data associated with enterprise apps is stored in a secure container to prevent data leakage. The secure container can be remotely wiped in the event of loss or theft of a mobile device, and device-based identification can be used to prevent future SSL VPN connectivity by that device.
There’s much more to come – I’ll be posting part II of this blog series in the coming weeks. In the meantime, check out our secure mobile access page for more details on SSL VPN and BYOD.
One Note of Caution: All SSL VPNs Are Not Created Equal.
You may have read over the past year or so of several vulnerabilities associated with OpenSSL, which is commonly used by other SSL VPN vendors. Heartbleed, Man-in-the-Middle, and GHOST are just a few of them. As you’re evaluating SSL VPN options, you may want to ask your vendor if their solution uses OpenSSL. Array’s AG Series uses a proprietary SSL stack, and thus has not been affected by any of the OpenSSL vulnerabilities.
Last week, Array announced the second generation of the AVX10650 virtualized application delivery controller. Why is this important?
It gives IaaS providers unprecedented flexibility to support multiple customers while managing just one appliance (or two, for high availability). Or, enterprises can support multiple applications, user types, etc. – again, with just one appliance (or two).
And unlike other ADC products marketed as ‘multi-tenant,’ AVX10650 instances do not share physical resources. They’re fully independent – each with its own I/O, CPU, SSL card and memory – so there’s no resource contention to drive down performance (and user experience).
This is a multi-tenant, virtualized ADC solution that truly offers multiple benefits for IaaS providers and enterprises.
It offers four different basic configurations, from entry-level basic ADC for up to 32 vAPV instances, to the high-performance large configuration supporting four vAPV instances per appliance and 28Gbps guaranteed throughput per instance. It combines the flexibility of a virtual ADC, with the rock-solid, high-horsepower performance of a physical ADC – more than 2K transactions per second (TPS) for 2048-bit SSL even at the entry level, and up to 17K SSL TPS (2048-bit) in the ‘large’ configuration.
You can buy just what you need today, and ‘pay as you grow.’ For example, if you determine you need a medium ADC configuration (16 vAPV instances per appliance), you can purchase one quarter, half, three quarters or full capacity (that’s 4, 8, 12 or 16 instances in this case). If an AVX10650 is purchased at less than full capacity, you can upgrade at any time.
With the AVX10650 virtualized ADC you’re not racking and stacking multiple ADCs to support multiple customers, applications or communities of interest – nor do you have the associated management, power and space headaches. And it provides hardware-based SSL throughput that virtual ADCs can only dream of. Find out more about the next-generation AVX10650 in the press release or datasheet.
In virtualized environments, SSL/TLS data encryption is commonly used to secure mission-critical and sensitive data as it transits to remote users and shared networks. Virtual application delivery controllers (ADCs) are also frequently deployed to provide SSL offloading from servers (reducing their load and thus improving performance) as well as application acceleration, load balancing across links, servers and global data centers, and Web/application security.
However, SSL/TLS offloading in a virtualized environment presents several key hurdles for virtual ADCs: Software-based performance is typically much lower than that of hardware-based (i.e. dedicated) ADC appliances – and if other virtual machines are sharing the same CPU, resource contention can further reduce performance. Also, to be effective, the ADC must be able to gain the information needed (from clear text) for intelligent application routing, filtering and/or server persistence – and this requires even more processing power.
Scaling can also be problematic. Sure, you can throw more virtual ADCs into the mix, but it will add both cost and setup/management complexity to the equation.
When you need to ensure SSL/TLS performance through SSL offloading, and scaling is also a concern, consider a hybrid virtual/dedicated model. This model combines the flexibility and low cost of virtual ADCs with the raw horsepower of our dedicated APV Series appliances – which can support up to 4 million SSL/TLS connections/sessions and up to 25 Gbps encrypted data throughput per unit.
You may have read Array’s recent press release on joining the OPNFV Project, an open source reference platform for Network Functions Virtualization, as a founding member. While SDN (Software-Defined Networking) has gotten a lot of buzz in the media and other circles, NFV may actually have a much greater impact for corporate and service provider networks. A few points to consider:
A recent poll showed that among CIOs and CTOs, NFV was the top trend impacting their roles (80%), and 36% chose NFV as the single most important trend affecting their roles. (This is far above mobility or any other single trend.) In addition, 85% predicted that NFV would become a major player in the communications service provider market within 3 years.
NFV is complementary to SDN. While SDN is focused on creating network abstractions to enable faster innovation, NFV holds the promise of reducing CAPEX, OPEX, space and power consumption – all worthy goals that will contribute to improved network performance and economics. In addition, both movements have the potential to foster open innovation, which can open markets to new third-party applications and tools.
NFV (and SDN) can address most, if not all, of the inefficiencies and barriers to innovation that exist in current network infrastructures. Much as the public switched telephone network moved from all-analog, to digital for backhaul only, to nearly all digital transmission, corporate and service provider networks can move from the current status quo to a more efficient and manageable model. Fragmented, non-commodity hardware and physically installing appliances at each site? Gone. The hardware development barrier for new vendors? Also gone, and creating a massive opportunity for new breakthroughs.
Application delivery networking (ADN), Array’s key strength, can provide great benefits for SDN. SDN is primarily focused on network control at the switch and controller level. With its granular visibility into applications, ADN can collect application-level intelligence and thus guide SDN-based switch packets for improved performance and security.
OPNFV has brought together some of the best and brightest in the networking industry, with the goal of creating an open platform to support NFV. I don’t think I need to belabor the point, but open, community-led and industry-supported initiatives have brought about great innovations that helped power the tech industry now and into the future.
There’s a lot more on the horizon for NFV, and in particular, the OPNFV Project. Keep them on your radar, and stay tuned for more to come.
If you’ve optimized every possible element of your SSL-secured Web site, applications or SaaS deployment, but you’re still getting complaints about slow response times and endless waits, there’s a likely culprit at large: SSL processing overhead. The new, much-more-secure 2048-bit SSL standard, mandated earlier in 2014, is five times more compute-intensive than the previous 1024-bit standard.
This translates into a 5x increased load on application and Web servers, which can bog down performance dramatically. Network managers have only a couple of options for dealing with the increased overhead of 2048-bit SSL processing: Throw more servers and memory resources at the problem, or invest in a robust, dedicated SSL offloading solution to remove processing overhead from servers.
The latter approach offers a number of advantages. By removing the overhead of SSL processing from Web and application servers, those resources can now operate at greater efficiency and with much higher performance. Application and Web response times are reduced, resulting in improved end-user experience.
SSL offloading works by handling compute-intensive SSL functions for servers – such as key exchange, bulk encryption and client certificate management. It’s ideal for scaling SaaS and e-commerce environments, as well as business-critical applications for healthcare, financial services and other industries.
If your organization is struggling with slow Web and application response times due to SSL processing overhead, check out Array’s SSL Offloading page as well as our APV Series application delivery controllers, which offer the lowest cost per SSL transaction per second, as well as a robust set of load balancing, application acceleration, security and other capabilities.