Application delivery network
An Application Delivery Network (ADN) is a suite of technologies that, when deployed together, provide application availability, security, visibility, and acceleration. Gartner defines Application Delivery Networking as the combination of WAN optimization controllers (WOCs) and Application Delivery Controllers (ADCs). At the data center end of an ADN is the Application Delivery Controller (ADC), an advanced traffic management device that is often also referred to as a web switch, content switch, or multilayer switch, whose purpose is to distribute traffic among a number of servers or geographically dispersed sites based on application-specific criteria. In the branch office portion of an ADN is the WAN optimization controller, which uses objectless caching techniques to reduce the number of bits that flow over the network, and shapes TCP traffic using prioritization and other optimization techniques. Some WOC components are installed on PCs or mobile clients, and there is typically a portion of the WOC installed in the data center. Application Delivery Networks are also offered by some CDN vendors.
The ADC, one component of an ADN, evolved from layer 4-7 switches in the late 1990s when it became apparent that traditional load balancing techniques were not robust enough to handle the increasingly complex mix of application traffic being delivered over a wider variety of network connectivity options.
Application delivery techniques
The Internet was designed according to the end-to-end principle. This principle keeps the core network relatively simple and moves the intelligence as much as possible to the network end-points: the hosts and clients. An Application Delivery Network (ADN) enhances the delivery of applications across the Internet by employing a number of optimization techniques. Many of these techniques are based on established best practices employed to efficiently route traffic at the network layer, including redundancy and load balancing.
In theory, an Application Delivery Network (ADN) is closely related to a content delivery network (CDN). The difference between the two delivery networks lies in the intelligence of the ADN to understand and optimize applications, usually referred to as application fluency.
Application delivery uses one or more layer 4–7 switches, also known as web switches, content switches, or multilayer switches, to intelligently distribute traffic to a pool, also known as a cluster or farm, of servers. The application delivery controller (ADC) is assigned a single virtual IP address (VIP) that represents the pool of servers. Traffic arriving at the ADC is then directed to one of the real web servers based on a number of factors including application-specific data values, application transport protocol, availability of servers, current performance metrics, and client-specific parameters. An ADN provides the advantages of load distribution, increase in capacity of servers, improved scalability, security, and increased reliability through application-specific health checks.
Increasingly the ADN comprises a redundant pair of ADCs on which a number of different feature sets are integrated to provide security, availability, reliability, and acceleration functions. In some cases these devices are still separate entities, deployed together as a network of devices through which application traffic is delivered, each providing specific functionality that enhances the delivery of the application.
TCP multiplexing
TCP multiplexing is loosely based on established connection pooling techniques utilized by application server platforms to optimize the execution of database queries from within applications. An ADC establishes a number of connections to the servers in its pool and keeps the connections open. When a request is received by the ADC from the client, the request is evaluated and then directed to a server over an existing connection. This has the effect of reducing the overhead imposed by establishing and tearing down the TCP connection with the server, improving the responsiveness of the application.
Some ADN implementations take this technique one step further and also multiplex HTTP and application requests. This has the benefit of executing requests in parallel, which enhances the performance of the application.
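The pooling behaviour described above, as an added illustration that is not code from the article or from any ADN vendor: an ADC keeps a fixed number of server-side connections open and lends one to each client request, so the count of TCP handshakes toward the servers stays at the pool size instead of growing with the request count. Server names, pool size and the request stream are constructed.

```python
"""TCP multiplexing on an ADC, modelled as a back-end connection pool.

Added illustration, not code from the article or from any ADN vendor.
The server names, pool size and request stream below are constructed.
"""
from collections import deque


class BackendConnection:
    """One persistent TCP connection from the ADC to a pool member."""

    def __init__(self, server, conn_id):
        self.server = server
        self.conn_id = conn_id
        self.requests_served = 0


class MultiplexingADC:
    """Keeps `pool_size` connections per server open and reuses them.

    Every client request borrows an idle server-side connection instead of
    paying for a fresh TCP three-way handshake and teardown.
    """

    def __init__(self, servers, pool_size):
        self.idle = {s: deque(BackendConnection(s, i) for i in range(pool_size))
                     for s in servers}
        self.opened = {s: pool_size for s in servers}   # TCP setups paid so far
        self._rr = 0

    def _pick_server(self):
        servers = list(self.idle)
        server = servers[self._rr % len(servers)]
        self._rr += 1
        return server

    def forward(self, request):
        server = self._pick_server()
        pool = self.idle[server]
        if pool:
            conn = pool.popleft()
        else:
            # All pooled connections busy: open one more (a real handshake cost).
            conn = BackendConnection(server, self.opened[server])
            self.opened[server] += 1
        conn.requests_served += 1
        reply = f"{server}:conn{conn.conn_id} -> {request}"
        pool.append(conn)   # hand the connection back for the next request
        return reply

    def tcp_setups(self):
        return sum(self.opened.values())


def compare(n_requests, servers=("web1", "web2"), pool_size=2):
    """Return (TCP setups with multiplexing, setups without) for n requests.

    Without multiplexing each client request costs one server-side TCP
    connection; with it only the pooled connections are ever opened.
    """
    adc = MultiplexingADC(servers, pool_size)
    for i in range(n_requests):
        adc.forward(f"GET /item/{i}")
    return adc.tcp_setups(), n_requests


if __name__ == "__main__":
    print(compare(100))   # (4, 100) with the defaults above
```

The model is synchronous, so a pooled connection is always free when the next request arrives; in a real ADC the "pool exhausted" branch is what kicks in under concurrency, and sizing the pool is the trade-off between handshake savings and idle server sockets.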
TCP optimization
There are a number of RFCs which describe mechanisms for improving the performance of TCP. Many ADNs implement these RFCs in order to provide enhanced delivery of applications through more efficient use of TCP. The RFCs most commonly implemented are:
- Delayed Acknowledgements
- Nagle's algorithm
- Selective Acknowledgements
- Explicit Congestion Notification ECN
- Limited and Fast Retransmits
- Adaptive Initial Congestion Windows
Data compression and caching
ADNs also provide optimization of application data through caching and compression techniques. There are two types of compression used by ADNs today: industry standard HTTP compression and proprietary data reduction algorithms. It is important to note that the cost in CPU cycles to compress data when traversing a LAN can result in a negative performance impact, and therefore best practice is to only utilize compression when delivering applications via a WAN or a particularly congested high-speed data link.
HTTP compression is asymmetric and transparent to the client. Support for HTTP compression is built into web servers and web browsers. All commercial ADN products currently support HTTP compression.
A second compression technique is achieved through data reduction algorithms. Because these algorithms are proprietary and modify the application traffic, they are symmetric and require a device to reassemble the application traffic before the client can receive it. A separate class of devices known as WAN Optimization Controllers (WOC) provide this functionality, but the technology has been slowly added to the ADN portfolio over the past few years as this class of device continues to become more application aware, providing additional features for specific applications such as CIFS and SMB.
Advanced health checking
Advanced health checking is the ability of an ADN to determine not only the state of the server on which an application is hosted, but the status of the application it is delivering. Advanced health checking techniques allow the ADC to intelligently determine whether or not the content being returned by the server is correct and should be delivered to the client.
This feature enables other reliability features in the ADN, such as resending a request to a different server if the content returned by the original server is found to be erroneous.
Load balancing algorithms
The load balancing algorithms found in today's ADN are far more advanced than the simplistic round-robin and least connections algorithms used in the early 1990s. These algorithms were originally loosely based on operating systems' scheduling algorithms, but have since evolved to factor in conditions peculiar to networking and application environments. It is more accurate to describe today's "load balancing" algorithms as application routing algorithms, as most ADNs employ application awareness to determine whether an application is available to respond to a request. This includes the ability of the ADN to determine not only whether the application is available, but whether or not the application can respond to the request within specified parameters, often referred to as a service level agreement (SLA).
Typical industry standard load balancing algorithms available today include:
- Round Robin
- Least Connections
- Fastest Response Time
- Weighted Round Robin
- Weighted Least Connections
- Custom values assigned to individual servers in a pool based on SNMP or other communication mechanism
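The algorithms listed above, together with the content-level health check and the "resend to a different server on erroneous content" behaviour from the Advanced health checking section, as one added example. This is not the article's or any vendor's code: server names, weights, response times and the fake fetch function that stands in for a real HTTP probe are constructed, and the expected body `b"OK"` is an assumed health-check criterion.

```python
"""Application-aware load balancing with content-level health checks.

Added example, not the article's or any vendor's code. Server names,
weights, timings and the fake fetch function are constructed.
"""


class Server:
    def __init__(self, name, weight=1):
        self.name = name
        self.weight = weight
        self.active_connections = 0
        self.last_response_ms = 0.0
        self.healthy = True


def content_health_check(server, fetch):
    """Advanced health check: the server must answer 200 *and* return the
    expected body (assumed here to be b"OK"); otherwise it leaves rotation."""
    try:
        status, body = fetch(server.name)
    except OSError:
        server.healthy = False
        return False
    server.healthy = (status == 200 and body == b"OK")
    return server.healthy


def build_fake_fetch(answers):
    """Constructed stand-in for an HTTP probe: name -> (status, body).
    A name missing from `answers` behaves like an unreachable host."""
    def fetch(name):
        if name not in answers:
            raise OSError("connection refused")
        return answers[name]
    return fetch


class Pool:
    def __init__(self, servers):
        self.servers = list(servers)
        self._rr = 0

    def _up(self):
        return [s for s in self.servers if s.healthy]

    def round_robin(self):
        up = self._up()
        server = up[self._rr % len(up)]
        self._rr += 1
        return server

    def weighted_round_robin(self):
        expanded = [s for s in self._up() for _ in range(s.weight)]
        server = expanded[self._rr % len(expanded)]
        self._rr += 1
        return server

    def least_connections(self):
        return min(self._up(), key=lambda s: s.active_connections)

    def weighted_least_connections(self):
        return min(self._up(), key=lambda s: s.active_connections / s.weight)

    def fastest_response(self):
        return min(self._up(), key=lambda s: s.last_response_ms)

    def dispatch(self, fetch, algorithm="round_robin"):
        """Route one request. If the chosen member returns erroneous content
        it is marked down and the request is resent to another member."""
        while self._up():
            server = getattr(self, algorithm)()
            server.active_connections += 1
            try:
                status, body = fetch(server.name)
            except OSError:
                status, body = None, b""
            finally:
                server.active_connections -= 1
            if status == 200 and body == b"OK":
                return server.name, body
            server.healthy = False      # erroneous content: remove and resend
        return None, None               # every member failed


def demo():
    web1, web2, web3 = Server("web1", weight=2), Server("web2"), Server("web3")
    pool = Pool([web1, web2, web3])
    fetch = build_fake_fetch({"web1": (200, b"OK"), "web2": (200, b"OK"),
                              "web3": (200, b"<h1>maintenance</h1>")})
    checks = [content_health_check(s, fetch) for s in pool.servers]
    order = [pool.weighted_round_robin().name for _ in range(6)]
    return checks, order


if __name__ == "__main__":
    print(demo())
```

Note that `web3` answers 200 and would pass a plain TCP or status-code check; only the content comparison takes it out of rotation, which is the point of the "advanced" health check.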
Fault tolerance
The ADN provides fault tolerance at the server level, within pools or farms. This is accomplished by designating specific servers as a 'backup' that is activated automatically by the ADN in the event that the primary server(s) in the pool fail.
The ADN also ensures application availability and reliability through its ability to seamlessly "failover" to a secondary device in the event of a hardware or software failure. This ensures that traffic continues to flow in the event of a failure in one device, thereby providing fault tolerance for the applications. Fault tolerance is implemented in ADNs through either a network or serial based connection.
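To make the device-level failover concrete, here is an added simulation (not code from the article or from any ADN product) of the network-based variant: two devices share a VIP, the secondary watches a heartbeat, takes over after a number of missed heartbeats, and sessions that start while nobody is answering the VIP are lost even though earlier sessions were replicated. Heartbeat interval, miss threshold, failure time and session start times are constructed values.

```python
"""Network-based failover: shared VIP, heartbeat monitoring and the session
window that takeover cannot cover.

Added simulation, not code from the article or from any ADN product. The
heartbeat interval, miss threshold, failure time and session start times
are constructed.
"""


class Device:
    def __init__(self, name):
        self.name = name
        self.alive = True
        self.holds_vip = False
        self.sessions = set()


class FailoverPair:
    def __init__(self, interval=1, missed_allowed=3):
        self.primary = Device("adc-a")
        self.secondary = Device("adc-b")
        self.primary.holds_vip = True
        self.interval = interval
        self.missed_allowed = missed_allowed
        self.last_heartbeat = 0
        self.takeover_time = None

    def vip_owner(self):
        """The device currently answering the VIP, or None during the gap."""
        for device in (self.primary, self.secondary):
            if device.alive and device.holds_vip:
                return device
        return None

    def tick(self, now):
        if self.primary.alive:
            self.last_heartbeat = now                              # heartbeat seen
            self.secondary.sessions = set(self.primary.sessions)   # session replication
        elif (now - self.last_heartbeat > self.missed_allowed * self.interval
              and self.takeover_time is None):
            self.secondary.holds_vip = True        # heartbeat lost: assume the VIP
            self.takeover_time = now

    def new_session(self, now, session_id):
        owner = self.vip_owner()
        if owner is None:
            return False              # nobody answers the VIP: session is lost
        owner.sessions.add(session_id)
        return True


def simulate(fail_at, session_starts, duration=12):
    """Run the pair for `duration` ticks; the primary dies at `fail_at`.
    session_starts maps session id -> tick at which a client opens it."""
    pair = FailoverPair()
    kept, lost = [], []
    for now in range(duration):
        if now == fail_at:
            pair.primary.alive = False
        pair.tick(now)
        for sid, start in session_starts.items():
            if start == now:
                (kept if pair.new_session(now, sid) else lost).append(sid)
    return {"takeover_time": pair.takeover_time,
            "kept": kept, "lost": lost,
            "sessions_on_secondary": sorted(pair.secondary.sessions)}


if __name__ == "__main__":
    print(simulate(fail_at=5, session_starts={"s1": 2, "s2": 6, "s3": 9}))
```

With a 1-tick heartbeat and three allowed misses the secondary only takes over at tick 8 after a failure at tick 5; a session opened at tick 6 lands in that gap, which is exactly the guarantee the text says a network-based design cannot give.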
Network based failover
The Virtual IP Address (VIP) is shared between two devices. A heartbeat daemon on the secondary device verifies that the primary device is active. In the event that the heartbeat is lost, the secondary device assumes the shared VIP and begins servicing requests. This process is not immediate, and though most ADNs replicate sessions from the primary to the secondary, there is no way to guarantee that sessions initiated during the time it takes for the secondary to assume the VIP and begin managing traffic will be maintained.
Serial based failover
In a serial connection based failover configuration two ADN devices communicate via a standard RS-232 connection instead of the network, and all sharing of session information and status is exchanged over this connection. Failover is nearly instantaneous, though it suffers from the same constraints regarding sessions initiated while the primary device is failing as network based failover.
Transport layer security
Although often erroneously assigned to the application layer, SSL is the most common method of securing application traffic through an ADN today. SSL uses PKI to establish a secure connection between the client and the ADN, making it difficult for attackers to decrypt the data in transit or hijack the session.
Resource cloaking
The use of a virtual IP address (VIP) and the position of the ADN in the network provide the means through which certain resources can be cloaked, or hidden, from the client. Because the ADN is designed to understand applications and application protocols, such as HTTP, it can manipulate certain aspects of the protocol to cloak the servers in the pool and prevent potentially useful information regarding the software and hardware infrastructure from being exposed.
A typical use of this functionality is to hide the operating system and server software used to host the application. This is usually accomplished by rewriting the Server field in an HTTP response.
A second typical use of this functionality is the exploitation of the ADN's ability to rewrite the URI portion of an HTTP request. The client is presented with a URI and VIP that are known only to the ADN, and upon receiving the request the ADN may either (a) rewrite the URI and send a 302 redirect or (b) transparently translate the URI and respond to the client as if the URI were the right one in the first place.
Application firewall
In recent years commercial ADNs have begun to include application firewall functionality to further secure applications during the delivery process. This is a hotly debated subject, with many security professionals arguing that the functionality included in an application firewall is unnecessary and should be handled by the application, while others consider employing as much security as possible, regardless of position in the delivery network, to be the best practice. Many commercial ADN companies have acquired and integrated these functions and present such features as part of a defense in depth strategy often cited by security professionals.
Network layer security
The ADN is most often deployed in the DMZ at the edge of the network. This results in exposure to potential network layer attacks including Denial of Service (DoS) from ICMP and SYN floods. As a result, the ADN must necessarily protect not only itself but the applications it is delivering from succumbing to such attacks. The ADN generally employs a number of protections against typical network layer attacks, though it does not implement the full security offered by an IPS. Some of the network layer security technologies that may be employed by ADN devices include:
Delayed binding
Delayed binding, also called TCP splicing, is the postponement of the connection between the client and the server in order to obtain sufficient information to make a routing decision. Some application switches and routers delay binding the client session to the server until the proper handshakes are complete so as to prevent Denial of Service attacks.
IP filtering
ADNs often have the ability to filter traffic based on Access Control Lists (ACLs), bogus IP ranges (bogon filtering) and deep packet inspection pattern matching. In some cases, thresholds or rate limiting of IP addresses or ranges of IP addresses may be employed.
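The four controls named above combined into one filter, as an added example that is not the article's or any vendor's code: a deny ACL, a bogon check, a per-source sliding-window rate limit, and a payload pattern match. The deny range, the bogon list (an illustrative subset of reserved and private prefixes, not a complete bogon feed), the rate limit and the signature are constructed.

```python
"""Network-layer filtering on an ADN: ACLs, bogon filtering, per-source rate
limiting and a simple payload pattern check.

Added example, not code from the article or any product. The deny list, the
bogon prefixes (an illustrative subset of reserved ranges), the rate limit
and the payload signatures are constructed.
"""
import ipaddress
from collections import defaultdict, deque

DENY_ACL = [ipaddress.ip_network("203.0.113.0/24")]          # constructed blocked range
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
SIGNATURES = [b"EXAMPLE-MALICIOUS-PATTERN"]                   # constructed DPI signature


class NetworkFilter:
    def __init__(self, max_per_window=5, window_seconds=10.0):
        self.max_per_window = max_per_window
        self.window = window_seconds
        self.history = defaultdict(deque)   # source address -> recent timestamps

    def check(self, src, now, payload=b""):
        """Return (allowed, reason) for one packet from `src` at time `now`.
        Cheap checks run first so bogus sources never reach the rate-limit
        state or the payload scan."""
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in DENY_ACL):
            return False, "acl"
        if any(addr in net for net in BOGONS):
            return False, "bogon"
        # Sliding-window rate limit per source address.
        recent = self.history[addr]
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.max_per_window:
            return False, "rate-limit"
        recent.append(now)
        # Deep packet inspection: plain substring match against signatures.
        if any(sig in payload for sig in SIGNATURES):
            return False, "dpi"
        return True, "ok"


if __name__ == "__main__":
    nf = NetworkFilter()
    for src, t, data in [("10.1.2.3", 0, b""), ("203.0.113.7", 0, b""),
                         ("198.51.100.5", 0, b"GET / HTTP/1.1")]:
        print(src, nf.check(src, t, data))
```

Rate-limit state is keyed by the exact source address here; the text also mentions limiting ranges, which is a one-line change to key on `ipaddress.ip_network(f"{addr}/24", strict=False)` instead, at the cost of letting one noisy host throttle its neighbours.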
Traffic management
ADNs are increasingly adding advanced traffic management functionality. The deep packet inspection capabilities of some of these products can identify traffic by application type and can be used to analyze, block, shape and prioritize traffic.
Commercial ADNs
- A10 Networks
- Akamai Technologies
- AppEx Networks
- Aryaka
- Blue Coat Systems
- Brocade Communications
- CDNetworks
- Citrix
- Cisco Systems
- Cotendo
- Crescendo Networks
- EdgeCast Networks
- Exinda
- Expand Networks
- F5 Networks
- Foundry Networks
- Internap
- Ipanema Technologies
- Juniper Networks
- Limelight Networks
- NetQoS
- Nortel
- Radware
- Streamcore
- Sun Microsystems
- Zeus Technology