Page 1
Blue Coat and the Blue Coat logo are trademarks of Blue Coat Systems, Inc., and may be registered in certain jurisdictions. All other product or service names are the property of their respective owners.
© Blue Coat Systems, Inc. 2009. All Rights Reserved.
Application Delivery Networking
Ashok Parmar
2nd July 2009
Page 2
Agenda
Why we need a new approach
Application Delivery Networking Defined
The ADN pillars:
– Visibility
– Acceleration
– Security
Blue Coat ProxyClient
Page 3
Rationale
Page 4
New Business Drivers Demand New Technology
– Consolidation
– Information control to reduce risk
– Eliminate remote resources
– Tele-working
– Dispersed field teams
– External partnerships
– New territories for more reach
– WW Partnerships
– Regional information needed
Page 5
End Users and Applications are Changing
SaaS
Web 2.0 & Mash-Ups
Remote Offices
WAN and Internet
Mobile Users
Enterprise Datacenter Consolidation
Unified Communications
Video
IP Telephony
Messaging
Page 6
The Connectivity Layer is Poor at Delivering Applications
The connection network:
– Doesn’t know what applications are running across it
– Has limited knowledge of users and content
– Can’t tell what is malicious and what isn’t
– Can’t control mission critical applications
A New Kind of Layer is Required…
SaaS
Web 2.0 & Mash-Ups
Remote Offices
WAN and Internet
Mobile Users
Enterprise Datacenter Consolidation
Unified Communications
Video
IP Telephony
Messaging
Page 7
Application Delivery Network
Connectivity
Application Servers
End Users
WAN Optimization
Secure Web Gateway
Application Performance Monitoring
Sees Users and information
Sees connections and packets
Sees information
Sees & Controls EVERYTHING
Page 8
Application Delivery Network
Connectivity
Sees Users and information
Sees connections and packets
Application Servers
End Users
Sees information
Sees & Controls EVERYTHING
Application Delivery Network
End-to-End User Experience Control
Page 9
Application Delivery Networking
Blue Coat has moved beyond just Security or Acceleration
– Enable fast, secure access to Key Applications regardless of location
Gartner recognizes this as Application Fluent Networking
Page 10
The Demo Components
Blue Coat ADN demo network
Internet
NAT Router
Wireless Router
PS900
ProxySG 210
ProxySG 210
VMWare Servers
Page 11
Visibility
Page 12
See: Application Performance Monitoring
See Accelerate Secure
Discover All Application Traffic
– 600+ apps, good & bad, sub-classify within complex apps / HTTP
Monitor User Experience
– Measure & alarm, SLA compliance, VoIP metrics, integrate with tools
Troubleshoot Performance Issues
– Isolate delays, connections, host/app performance, capture & analyze
Resolve Issues, Pre-empt Problems
– Fix performance issues with Acceleration & Control – before users call
Page 13
Visibility
PacketShaper shows ALL traffic on network L7+
– TCP and UDP based applications can be identified
– Granularity down to individual flows
Application traffic can be controlled
– Bandwidth consumption limits
– Quality of Service
– Network resources reserved for Critical Applications
Extensive Reporting Available
– Bandwidth
– Response Times
– Network Efficiency
Page 14
The Class Tree
Page 15
RealTime Graphs - Link View
– Displays real-time rates for Inbound and Outbound links
– Line graph displays Inbound and Outbound rates at the current time (now) and tracks the rates over the last three minutes.
– Speedometer-like gauge displays the real-time rate for each link, and the needle on the gauge dynamically updates as the rate fluctuates.
Page 16
RealTime Graphs - Application View
– Allows the user to view real-time utilization for multiple traffic classes (applications). With this graph, up to 10 classes can be displayed.
Page 17
Control
Powerful and flexible set of control features
– Partitions
– Dynamic Partitions
– Priority policy – P7 (max) thru P0
– Rate Policy
– Class Licenses/Flow Limit
Page 18
Which Policies Should You Use?
Depends on the application profile
– Rate Policies - medium to longer lived flows, bursty applications or flows that need a minimum guarantee.
HTTP, Email, Lotus Notes, NetBIOS-IP, FTP, P2P, Citrix, etc.
– Priority Policies – Short lived flows, some UDP and flows where a minimum rate is not needed.
Telnet, tn3270, Games, chat tools, IPSec, some short lived UDP flows, etc.
Page 19
Host Analysis Table
Click on IP address for detailed flow information
Page 20
Flow Analysis Table with info
Click on IP address for detailed flow information
Click on NetBIOS for other hosts with NetBIOS flows.
Page 21
Acceleration
Page 22
Accelerate: WAN Optimisation for All Applications
Internal Bulk Applications
– Storage Consolidation
– File Access
– Email
– Intranet
– Backup & Data Replication
– Image Distribution
External Applications
– Video & Multi-Media
– Business Web
– Software as a Service (SaaS)
– Recreational (Contain)
– Malicious (Stop)
Real Time Applications
– Voice
– Video Conference
– Real-Time Transactions
– Thin Client & RT Virtual
See Accelerate Secure
Page 23
Acceleration
ProxySG allows Acceleration by various methods
– Caching / Pipelining for Web Content
– WAN Optimisation for all TCP traffic
– Removal of unwanted traffic via security controls
Single device for Forward or Reverse Proxy
Multiple devices allow WAN Optimisation
Page 24
Acceleration – Object Caching
Client served from local cache
100% acceleration – no data across WAN
Works on second, and all subsequent requests
DATACENTER
Page 25
Object Caching
ProxySG implements Object Caching for six protocols:
– HTTP
– FTP
– Windows Media Streaming
– Real Media Streaming
– CIFS (Windows File Sharing)
– HTTPS (when SSL-Interception is used)
Page 26
Traffic Mix
Page 27
Activity and Gains
Page 28
Visibility – Object caching single side ProxySG
First Run
Second & Third Run
Page 29
WAN Optimisation
All TCP traffic can be optimised
– Volume of Data Transfer reduced
– Latency Effects mitigated
– File locks / permissions always checked
– Bulk protocols show greatest benefit
Real Time Applications controlled by PacketShaper
– Citrix / Telnet
– Quality of Service for VoIP
– Also includes UDP traffic
Page 30
Why So Slow?! Take the Quiz
Your Network:
– 45Mbps – yeah, that’s big
– 100ms – yeah, that’s fast
Question: You copy a 4MB PPT File. How long will it take?
A) 0.7 seconds. 45Mbps = 5.625MBps so 4 / 5.625 = 0.7111
B) 200 seconds. 4MB = 1000 x 4KB chunks; 1000 trips there, 1000 trips back; 2000 trips x 0.1 sec = 200
Hint: CIFS is a WAN worst-offender. It sends data in 4KB chunks, then waits for an acknowledgement.
[Diagram: repeated "4KB Sent" / "ACK!" exchanges across the WAN]
Page 31
Latency Effects
T1 and no latency
Same file - T1 and 50ms latency
T1 and 50ms latency second and third transfers, same file.
Page 32
Protocol Optimisation
10-100X Faster
Includes CIFS, MAPI, HTTP, HTTPS, TCP
Page 33
Byte Caching
[Diagram: a long bit stream in which repeated runs are replaced by short references, [REF#1] and [REF#2], between the two proxies]
– Proxies “learn” common patterns
– Create short references and pass those instead
– Works on all files, all applications over TCP
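Added example (not part of the original deck and not Blue Coat's implementation): a toy pair of byte-caching peers showing why a warm copy and a copy of a lightly modified file put far fewer bytes on the WAN than the cold copy. The fixed 64-byte chunks, the 8-byte truncated SHA-256 references, the token format and the sample data are all assumptions made for illustration.

```python
import hashlib

CHUNK = 64  # assumed fixed chunk size; the slides do not say how patterns are delimited


class BytePeer:
    """One end of a byte-cached link; both ends build the same chunk dictionary."""

    def __init__(self):
        self.store = {}  # 8-byte reference -> chunk already seen on this link

    def encode(self, data: bytes) -> list:
        """Replace chunks the peer has already seen with short references."""
        tokens = []
        for i in range(0, len(data), CHUNK):
            chunk = data[i:i + CHUNK]
            ref = hashlib.sha256(chunk).digest()[:8]
            if self.store.get(ref) == chunk:
                tokens.append(("ref", ref))
            else:
                self.store[ref] = chunk  # learn the pattern, send it once in full
                tokens.append(("raw", chunk))
        return tokens

    def decode(self, tokens: list) -> bytes:
        """Rebuild the stream, learning raw chunks and resolving references."""
        out = bytearray()
        for kind, value in tokens:
            if kind == "raw":
                self.store[hashlib.sha256(value).digest()[:8]] = value
                out += value
            else:
                out += self.store[value]  # KeyError here means the caches diverged
        return bytes(out)


def wire_bytes(tokens: list) -> int:
    """Bytes on the WAN: one tag byte per token plus the reference or raw chunk."""
    return sum(1 + len(value) for _, value in tokens)


def demo() -> list:
    """Cold copy, warm copy, then a copy after a 10-byte in-place edit."""
    core, edge = BytePeer(), BytePeer()
    # Constructed sample "file": 8192 bytes with no repeated chunks inside it.
    original = b"".join(hashlib.sha256(b"%d" % n).digest() for n in range(256))
    modified = original[:1000] + b"X" * 10 + original[1010:]
    sizes = []
    for payload in (original, original, modified):
        tokens = core.encode(payload)          # data-centre proxy sends
        assert edge.decode(tokens) == payload  # branch proxy rebuilds exact bytes
        sizes.append(wire_bytes(tokens))
    return sizes


if __name__ == "__main__":
    print(demo())
```

Both dictionaries hold the plaintext of every chunk that crossed the link, so the cache itself needs the same protection as the data it accelerates.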
Page 34
Compression
[Diagram: a bit stream shown before and after COMPRESSION]
– Industry-standard gzip algorithm compresses all traffic
– Removes predictable “white space” from content and objects being transmitted
Page 35
WAN Optimisation Benefits
e.g. Mapped Drives - CIFS
File Copy
– (Cold) First pass quicker through Protocol Optimisation / Compression
– (Warm) Second pass even quicker due to Object Caching
– Modified files still copy quickly due to Byte Caching
Actual volume of data transferred reduced
User experience (response times) much improved
Bandwidth appears increased
Further control now possible with PacketShaper integration
Page 36
Edge session view
Page 37
SGOS 5.4 Sky UI
Geared towards Acceleration
Page 38
WAN Optimisation plus PacketShaper
Existing SG Statistics tab
– Active Sessions
– Traffic Mix etc
Added Visibility into Optimised Traffic on Shaper
– SG Traffic Sub-Tree
– Individual Protocols visible
– Non-Optimised (tunnelled) traffic still visible
All traffic can now be controlled
SG Tunnelled traffic can be in separate partition
Page 39
Visibility - PacketShaper with ProxySG
Use the prxysg.plg – place into the PLG directory on 9.256/ in the shaper
Page 40
Security
Page 41
Secure: Data and Productivity Protection
See Accelerate Secure
Guard Employee Productivity
• Advanced URL filtering: Blue Coat & 3rd Parties
• Block inappropriate content according to policy
Protect Against Malware
• Filter outgoing Web traffic in real time
• Reduces exposure to malicious web content
Prevent Information Leaks
• Integrated data leakage protection with 3rd parties
• Watch, alert & prevent exit of proprietary info
Validate Trust
• Identity based access policy: prevent unauthorized use
• Support for eleven authentication protocols
Page 42
Full Protocol Termination = Total Visibility & Context
(HTTP, SSL, IM, Streaming, P2P, SOCKS, FTP, CIFS, MAPI, Telnet, DNS)
Proxy Appliance
Ultimate Control Point for Communications
Policy Control
• Fine-grained policy for applications, protocols, content & users (allow, deny, transform, etc)
• Granular, flexible logging
• Authentication integration
Web Security
• Prevent spyware, malware & viruses
• Stop DoS attacks
• IE vulnerabilities, IM threats
Accelerated Applications
• Multiprotocol Accelerated Caching Hierarchy
• BW mgmt, compression, protocol optimization
• Byte & object caching
Page 43
Security
ProxySG intercepts traffic
– Enabled per protocol
– Proxied sessions terminated / reinitiated
– Low-level (method) controls
– SSL can be opened up
Authentication can be enabled
– Individual users identified
– Security Policies enforced per user / group
Content Scanning for protection
– URL Filtering to control internet access
– Content Scanning guards against Malware downloads
Page 44
Blue Coat Layered Defenses
Cloud Service: WebPulse & WebFilter
Inline Threat Detection: ProxyAV
Web Application & Content Controls: ProxySG
Integrated Data Loss Prevention: ProxySG with 6 DLP partners
Remote Users: ProxyClient
Page 45
WebPulse Cloud Service
Malware detection
Web content analysis & ratings
Reputation analysis
Real-time rating service
Web Content
Content Ratings
• Multiple Threat Engines
• Machine Analysis
• Human Raters
1B web requests per week
Page 46
New Malware Defense
Internet
Enterprise Network
ProxySG with WebFilter
ProxyClient
WebPulse Cloud Service
Five Minute Updates
Immediate Access
WebPulse 5min updates to WebFilter
Immediate updates to ProxyClient and K9
Analyzes over 1B user requests per week
Unites gateways & clients into computing grid defense
Page 47
Co-Processor Architecture
Improved utilization with M:N ratio
Higher throughput per gateway
Results in less hardware
Optimized design
Enterprise Network
Internet
ProxySG
ProxyAV ProxyAV DLP
Clean Object Cache
Finger Print Cache
Dual Cache Design
• Trickle First
• Trickle Last
• Defer Scan (media)
Customer Example:
Large User Base (100K+)
Blue Coat Solution: 8 ProxySGs, 20 ProxyAVs
Competitor Solution: 96 appliances
Threat detection is the lowest performing element; embedded, it wastes gateway utilization
ICAP, ICAP+, S-ICAP
Page 48
VPM and Policy
Page 49
Creating a VPM Web Access Rule
Page 50
AUP
Page 51
Coaching
Page 52
Denied
Page 53
ADN for Remote Users
Page 54
Blue Coat ProxyClient: Acceleration and Security for individuals
Software Client
– Easy to deploy
– Suitable for roaming users / small offices
– Works with existing VPN clients
Accelerates Business Applications
– LAN-like performance when away from office
– Reduces data costs for 3G connections
Allows direct but safe Internet access
– Enforces URL filtering policy appropriate to location
– Interacts with Blue Coat’s WebPulse service
Free of charge
Page 55
ProxyClient Deployment
– At least one ProxySG at Data Centre
– Define ADN for acceleration
– Install BCWF for filtering
– Configure ProxyClient features
– Distribute Client software
Policies Configurations
Deployments
Internet
Web Servers and SaaS
Customers
Remote Users
Internet Gateway with Blue Coat WebFilter
Proxy Client
Centralized Storage and Applications
Data Center
Page 56
The Benefits of the ProxyClient
Page 57
Blue Coat Application Delivery: Unique Range of Capabilities
Intelligent Control
Discover All Application Traffic
Monitor User Experience
Troubleshoot Performance Issues
Resolve Issues, Prioritize Traffic
Accelerate Internal Bulk Traffic
Control and Optimize External Applications
Optimize and Protect Real Time Applications
Protect Against Malware
Guard Employee Productivity
Prevent Information Leaks
Validate Trust
See Accelerate Secure
Page 58
© Blue Coat Systems, Inc. 2008. All Rights Reserved.