IT administrators have identified three primary components of achieving this goal: building a network capable of delivering the bandwidth necessary to meet the stringent performance requirements of new IP applications and services; deploying a series of network and security appliances that provide necessary flow visibility to adhere to internal corporate compliance, acceptable usage policies and external government regulations; and enabling or supporting intranet and Internet security to protect both corporate and individual user information.

In a relatively short time, enterprise networks have moved from 100-Mbps to 1-Gbps backbones. Just as quickly, many are beginning the move to 10 Gbps, with designs for the next generation of Ethernet promising from 40 Gbps to 100 Gbps. The exponential increase in network performance is occurring with the expectation of providing the bandwidth required to support a rapidly expanding list of IP applications and services with stringent performance requirements.

Ethernet and IP have been established as the Level 2 and Level 3 protocols for next-generation networks. In addition to providing the necessary bandwidth, when combined, they create a universal infrastructure that enables IT administrators and users of the network to almost instantaneously begin deploying and using new IP applications and services.

This high-speed network infrastructure removes congestion and provides enough room for application expansion, but history has shown that users will find many ways to consume it. In addition, such networks may expose the enterprise to millions of packets per second, making guarantees of the performance of applications difficult, in addition to creating more difficulty in managing and controlling the overall usage to protect against unacceptable use and threats.

Enterprise IT organizations require visibility into the network to maintain sensible levels of control. Outside the enterprise, attackers can intercept data to steal or compromise information, or attack the enterprise with an arsenal of worms, viruses, spam and other malware. Inside the enterprise, the IT staff must ensure that the network is being used for the applications critical to the business’ success, while simultaneously addressing concerns from within in the form of accidental or intentional leakage of confidential information.

A HOST OF NEW APPLIANCES
IT organizations rely on a host of network appliances to provide network access and control, visibility into the network communication flows, and protection from internal and external threats. These network appliances are often deployed in enterprise data centers and at the LAN-WAN boundary, performing many functions, including intrusion detection (IDS), intrusion prevention (IPS), unified threat management (UTM), network access control (NAC) and a host of antigen devices for spam, virus and other malware. These network appliances provide a new level of compliance by verifying user access rights and interrogating communications within, to and from the enterprise.

These network appliances are deployed in-line, with virtually no impact on network performance when deployed in 10/100 and underutilized Gigabit Ethernet networks. As the networks have evolved to line-rate, multigigabit and 10-Gigabit Ethernet speeds, however, their presence in-line for all communication flows creates a bottleneck for network performance.

Simply put, the appliances hosting the applications have failed to keep pace with improvements in network performance. Their network I/O, memory and CPU utilization all are under strain at these new performance levels. As a result, these network appliances are rated for use by some amount of aggregate bandwidth, or a number of users, sessions and flows. When any of these are exceeded, the appliance becomes a bottleneck that can only be relieved by the addition of another network appliance.

Because performance at the expense of compliance is just as unacceptable as compliance at the expense of performance, IT organizations have adopted a practice of stacking appliances. This design constraint, coupled with the sheer number of types of network appliances, has led to an explosion in the enterprise data center. This has created numerous problems, including the number of physical devices located in the network, the capital costs associated with them, the maintenance costs and their operation costs (power consumption, rack space, cooling).

The final dimension with which the enterprise IT organization struggles is end-to-end security. Secure IP communications are required–in some cases, inside the LAN, and in almost all cases, outside of it. Client-based encryption tactics through methods like secure sockets layer (SSL) are the most-common implementation. These security methods provide end-to-end encrypted sessions, protecting both corporate and personal user information.

Many security solutions, however, have the adverse effect of introducing new problems for network operators. SSL encryption makes data useless to potential interceptors while also making it difficult for network operators to verify that the encrypted information complies with corporate and government regulatory policies. Without examining the contents of SSL communications, network operators leave open the possibility for information to be leaked or malware to enter.

THE PROBLEM WITH ENCRYPTION
With more communications expected to become encrypted each year, network operators face two extremes: blocking SSL communications entirely, or allowing SSL communications and greatly reducing the effectiveness of their network appliances that are unable to examine the encrypted flows. In other cases, network operators allow encrypted communications, but only through SSL proxies that permit the IT organization to examine the content before entering or exiting the enterprise. These proxies provide the opportunity to examine the contents of network traffic with their network appliances, yet still offer encryption prior to leaving the enterprise. They do so, however, by creating a server network bottleneck.

A new class of network and security appliances provides solutions for performance, visibility and control, as well as security in a single system. They are the bridge between the high-speed network and the multicore, multithreaded, virtualized appliances that host the network and security applications. These devices offer line-rate network throughput, application and protocol acceleration, deep-packet inspection and flow analysis for both plain text and encrypted communication streams.

These appliances also serve as host systems for the many network and security applications that enterprises consider staples of their Ethernet and IP infrastructures, such as IDS, IPS, UTM and NAC. In addition to serving as application hosts, they have the ability to transparently intercept encrypted communications and provide the hosted applications with all requisite flows for analysis. The ability to provide the network and security applications with both plain-text and encrypted communications extends the usability of those appliances, ensuring that the applications will be able to reliably perform
as intended.

The combination of line-rate throughput, deep-packet inspection, flow analysis and application acceleration allows a single network and security appliance to scale to line-rate network performance for a larger number of users, sessions and flows. This extends the usability of a single appliance up to 15 times. IT organizations are able to vertically consolidate the data center by not requiring stacks of redundant appliances that exist due to their inability to scale.