T.S. Eliot once wrote: "Hell is
where nothing connects to anything". Obviously, Eliot never managed a network or he
would have said, Hell is where everything connects to everything. Anyone who
manages an IT environment must grapple with the everyday worries of the systems, the
networks, the users and the budgets. The constant juggling act of keeping costs low whilst
enhancing an organisation's efficiency (and profits) can make life stressful.
A new breed of ASPs
It is also well known that businesses now have a much higher degree of IT competence in
the upper echelons of management, due mainly to the advent of the Internet rather than to
their internal systems. People are used to travelling and picking up their e-mail, but
still have great difficulty in reaching the applications and data on which they depend.
It is clear, however, that a fundamental shift is taking root in our industry, in response
to customers who want the latest software applications to gain a competitive edge but
don't have the technical and financial resources to support them. These customers are
driving a set of hosted application services that are now possible because of three
converging factors: mass adoption of the Internet, increased server processing power and
application server software. This environment is giving rise to a new breed of
application service providers.
ASPs host software from centralised data centres, renting access over dedicated high-speed
networks or over the Internet. Customers of all sizes get real-time access to
best-of-breed software, from the latest productivity suites to the most robust
enterprise applications, without the risks, costs and complexities of maintaining it
on their own. They are now able to focus on core business objectives, rather than on
arduous IT issues. The application-hosting model combines an ASP data centre, the
bandwidth of a Network Service Provider (NSP) and the application-specific expertise of
consultants, value-added resellers, systems integrators and independent software vendors.
Of course, some will say that it is easy to Web-enable any application, but the reality
is that some 99% of software products still work in the traditional manner. It can
often take months of programming to change an application into a dynamic and fully
functional Web-enabled product. Just think: where "legacy systems" once meant traditional
mainframe applications, the term will soon mean any application that is not
browser-aware. The Internet forges one of the most powerful alliances that we have
seen - that of computing and communications. It simultaneously supports messaging,
publication, voice, video, real-time collaboration, and a variety of other specialised
applications. We take for granted the fact that the Internet can tolerate varying packet
sizes, varying delay, varying bandwidth, varying error rates and varying topology; and yet
it still works!
How do I become an ASP?
An ASP, however, can harness this and can be the answer to many an IT manager's
prayers. An ASP can Web-enable almost any application that runs on Windows NT and
deliver it to users within a matter of days; all that's needed is a Web browser and an
Internet connection. It's not just about outsourcing an application, it's about
outsourcing the IT department. So what skills and technologies does an ASP need to
deliver fast and secure application access? Its technical staff require superior
knowledge of networking, Windows NT, Citrix MetaFrame, Terminal Server, security and
the Internet. It also needs to implement bandwidth prioritisation, network security,
user authentication and data encryption. I will now explain some of these technologies in
IP networks can't differentiate between mission-critical and non-critical traffic.
They lack predictability and control, and are disconnected from business goals and
priorities. Each customer of an ASP needs dedicated bandwidth, and the service level
agreement may dictate that extra burstable bandwidth be allocated on an ad hoc
basis. In addition, an ASP needs to be able to cap the bandwidth taken by protocols
that would otherwise grab as much as they can, HTTP for instance. By using a technique
called bandwidth prioritisation, applied between the firewall and the router, one can
make the network adapt to the needs of specific applications. To understand how it works
one must know a little more about TCP.
Many of the features that make TCP reliable also contribute to its performance problems.
It uses sliding-window flow control: multiple segments are sent before the sender stops
and waits for an acknowledgement (ACK). The receiver not only acknowledges the data it
received but also advertises how much more it can handle. TCP also employs a slow start
algorithm to stop a new connection flooding router queues with a full window of packets.
With slow start, when a connection opens only one segment is sent until its ACK arrives.
Each ACK then increases the congestion window by one segment, so the window doubles every
round trip until a threshold is reached, after which it grows by only one segment per
round trip.
Flow control of this kind is safe, but it would be far better to implement TCP rate
control instead and stop the router queues filling up in the first place. When a
window-sized burst exceeds what the queues can absorb, packets are dropped and
retransmitted some time later; the sender backs off, ramps up and overshoots again, so
the flow is extremely bursty, latency climbs and application response times suffer. A
rate control device sitting in the path can detect this and intercept the conversation:
by trimming the window the receiver advertises and pacing the acknowledgements back to
the sender, it makes the sender release smaller, evenly spaced bursts rather than dumping
a whole window at once, so the data goes out in a form the path can absorb instead of
being retransmitted after it clogs. A similar analogy is taking a pipe and pouring gravel
down it: it will probably clog up and need dislodging. Slowly pour sand down it instead
and you get not only a smoother flow but ultimately more sand (i.e. data) through it.
Even cars on a motorway exhibit this property, and we're all far too familiar with the
effect of traffic pulsing. Reduce the speed to, say, 30 mph through a set of road works
and the traffic flows evenly (in this case the speed limit signs are the rate control
mechanism).
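The slow start and rate control behaviour described above can be seen in a small model. The following is an added example, not code from the article or from any bandwidth-management product: it simulates a sender whose congestion window grows by slow start, releasing one burst per round trip into a router queue of fixed depth, and compares it with the same sender when a rate controller clamps the advertised window to what the link can drain per round trip. The link speed, queue depth and window sizes are constructed values in segments per RTT; the loss reaction (halve the threshold, restart slow start) is the classic TCP response and is the only rule assumed beyond the text.

```python
"""Toy model of TCP slow start hitting a bottleneck queue, with and without a
rate controller that clamps the window the receiver advertises.
Added example, not from the article; link speed, queue depth and window sizes
are constructed values expressed in segments per round-trip time (RTT)."""


def slow_start_windows(ssthresh, rounds):
    """Congestion window (segments) at the start of each RTT on a lossless path.
    Slow start grows the window by one segment per ACK, which doubles it every
    RTT, until the threshold; after that congestion avoidance adds one per RTT."""
    cwnd, history = 1, []
    for _ in range(rounds):
        history.append(cwnd)
        cwnd = min(cwnd * 2, ssthresh) if cwnd < ssthresh else cwnd + 1
    return history


def run(rounds, ssthresh, rwnd, link_rate, queue_len, shaper_cap=None):
    """Simulate a sender releasing one burst per RTT through a router queue.

    link_rate  segments the bottleneck link drains per RTT
    queue_len  segments the router can buffer; anything beyond it is dropped
    shaper_cap if set, the rate controller between firewall and router rewrites
               the advertised window so a burst never exceeds this many segments
    Returns (segments delivered, segments dropped) over the whole run."""
    cwnd, backlog = 1, 0
    delivered = dropped = 0
    for _ in range(rounds):
        advertised = rwnd if shaper_cap is None else min(rwnd, shaper_cap)
        burst = min(cwnd, advertised)          # sender obeys the smaller window
        accepted = min(burst, max(queue_len - backlog, 0))
        dropped += burst - accepted            # queue overflow is a tail drop
        backlog += accepted
        sent = min(backlog, link_rate)         # link drains what it can this RTT
        delivered += sent
        backlog -= sent
        if burst > accepted:
            # loss detected: halve the threshold and fall back to slow start
            ssthresh, cwnd = max(cwnd // 2, 2), 1
        elif cwnd < ssthresh:
            cwnd = min(cwnd * 2, ssthresh)
        else:
            cwnd += 1
    return delivered, dropped


if __name__ == "__main__":
    # Bottleneck: 8 segments per RTT with room for 8 in the queue, so the
    # bandwidth-delay product is 8 segments. Unshaped slow start overshoots it.
    print("slow start windows:", slow_start_windows(8, 6))
    print("unshaped (delivered, dropped):", run(12, 64, 64, 8, 8))
    print("rate-controlled (delivered, dropped):", run(12, 64, 64, 8, 8, shaper_cap=8))
```

With the constructed bottleneck, the unshaped sender doubles past the queue, loses a burst, restarts and loses again, delivering fewer segments in twelve round trips than the paced sender, which never drops one: the sand-versus-gravel point in numbers.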
Now, whilst every organisation that allows network access to the Internet should
implement a firewall strategy, many don't. Those that do often use inferior products, or
try to minimise costs by relying on routers that include basic port-blocking mechanisms.
An ASP needs far tighter security control as well as good logging and reporting tools,
not only because it is allowing its customers to access its Web servers, but also because
it is allowing them to reach real-time applications and data on the Citrix servers. In
addition, many customers are extremely cautious about the security of their data over a
public domain such as the Internet, so an ASP needs to be able to guarantee a secure
private channel to each client. The first line of defence after the router is the
firewall, which uses a combination of application-level proxies, circuit-level gateways
and packet filtering to ensure that data traversing it is controlled. Firewalls match
each connection attempt against an ordered set of access rules, so only attempts that
meet the exact requirements of a specific rule, such as the Citrix ICA protocol on its
designated TCP port (1494) from a known customer address, are permitted; everything else
is refused and logged.
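Rule matching of the kind just described is simple to make explicit. The following is an added example, not the article's or any firewall vendor's code: a first-match rule base for an ASP edge that permits ICA (TCP 1494, the standard Citrix ICA port) from one customer range to the Citrix farm and HTTPS from anywhere to the public web server, denies everything else, and writes a syslog-style line for every decision. The address ranges, rule names and connection attempts are constructed documentation values.

```python
"""First-match firewall rule base for an ASP edge, with decision logging.
Added example, not the article's or any vendor's code. Addresses are
constructed documentation ranges; TCP 1494 is the standard Citrix ICA port."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                          # "permit" or "deny"
    proto: str                           # "tcp", "udp" or "any"
    src: str                             # CIDR the connection must come from
    dst: str                             # CIDR it must be going to
    dports: Optional[Tuple[int, int]]    # inclusive port range, None = any
    name: str                            # appears in the log line


@dataclass(frozen=True)
class Conn:
    proto: str
    src: str
    dst: str
    dport: int


# Constructed rule base. Order matters: the first rule that matches decides,
# and the last rule denies everything that no earlier rule permitted.
RULES = [
    Rule("permit", "tcp", "203.0.113.0/24", "192.0.2.16/28", (1494, 1494), "customerA-ica-to-citrix-farm"),
    Rule("permit", "tcp", "0.0.0.0/0",      "192.0.2.10/32", (443, 443),   "public-https-to-web"),
    Rule("deny",   "any", "0.0.0.0/0",      "0.0.0.0/0",     None,          "default-deny"),
]


def matches(rule: Rule, c: Conn) -> bool:
    """Every field of the rule must match the connection attempt."""
    if rule.proto != "any" and rule.proto != c.proto:
        return False
    if ip_address(c.src) not in ip_network(rule.src):
        return False
    if ip_address(c.dst) not in ip_network(rule.dst):
        return False
    if rule.dports is not None and not (rule.dports[0] <= c.dport <= rule.dports[1]):
        return False
    return True


def evaluate(c: Conn, rules=RULES, log=None):
    """Return (action, rule name) for the first matching rule and append a
    syslog-style line to `log`. Falls through to an implicit deny so a rule
    base with no catch-all still fails closed."""
    for rule in rules:
        if matches(rule, c):
            action, name = rule.action, rule.name
            break
    else:
        action, name = "deny", "implicit-deny"
    if log is not None:
        log.append(f"fw: {action.upper()} {c.proto} {c.src} -> {c.dst}:{c.dport} rule={name}")
    return action, name


if __name__ == "__main__":
    log = []
    attempts = [
        Conn("tcp", "203.0.113.5", "192.0.2.20", 1494),   # customer ICA session
        Conn("tcp", "198.51.100.7", "192.0.2.20", 1494),  # ICA from a stranger
        Conn("tcp", "203.0.113.5", "192.0.2.20", 23),     # telnet to the farm
        Conn("tcp", "198.51.100.7", "192.0.2.10", 443),   # public web access
    ]
    for a in attempts:
        evaluate(a, log=log)
    print("\n".join(log))
```

Two points worth checking in any real rule base are visible here: the ICA rule is keyed on source range as well as port, so a stranger offering the right port is still refused, and the engine denies when it runs out of rules rather than trusting the operator to remember the catch-all.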
Whilst a firewall controls security at the protocol and application level, it is
generally not the best technology to look after user names and passwords. Authentication
servers, however, extend security beyond static IDs and passwords by uniquely
authenticating users before granting them network access over dial-up, LAN, Internet or
intranet connections. They use two-factor authentication to strengthen security further
by requiring something the user has (a token issued by the ASP) and something only the
user knows (a PIN to enable the token).
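One way an authentication server can check both factors is shown below. This is an added example, not the article's code and not any token vendor's product: it assumes the token is an HMAC-based counter token (HOTP, RFC 4226) and that the PIN is verified separately as a salted PBKDF2 hash. The user record, PIN and token seed are constructed inputs (the seed is the RFC 4226 test vector secret). The points to take from it are that the caller learns only pass or fail, that a wrong PIN never advances the token counter, and that an accepted code moves the counter past itself so it cannot be replayed.

```python
"""Two-factor authentication server: a PIN the user knows plus a one-time code
from an HMAC-based counter token (HOTP, RFC 4226) the user has.
Added example, not the article's or any token vendor's code; the user record,
PIN and the RFC 4226 test secret below are constructed inputs."""
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value for one counter: HMAC-SHA1, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class AuthServer:
    """Holds one record per user: salted PIN hash, token seed, next counter."""

    def __init__(self):
        self.users = {}
        self._dummy_salt = os.urandom(16)   # keeps timing even for unknown users

    def enrol(self, user: str, pin: str, secret: bytes) -> None:
        salt = os.urandom(16)
        self.users[user] = {"salt": salt, "pin": _pin_hash(pin, salt),
                            "secret": secret, "counter": 0}

    def verify(self, user: str, pin: str, code: str, window: int = 3) -> bool:
        """Both factors must pass. The caller learns only True/False, never
        which factor failed. A code is accepted if it matches any of the next
        `window` counters (the user may have pressed the token without logging
        in), and the stored counter then jumps past it so the same code can
        never be replayed."""
        rec = self.users.get(user)
        if rec is None:
            _pin_hash(pin, self._dummy_salt)    # same cost as a real lookup
            return False
        if not hmac.compare_digest(_pin_hash(pin, rec["salt"]), rec["pin"]):
            return False                        # PIN wrong: counter untouched
        for c in range(rec["counter"], rec["counter"] + window):
            if hmac.compare_digest(hotp(rec["secret"], c), code):
                rec["counter"] = c + 1
                return True
        return False


if __name__ == "__main__":
    srv = AuthServer()
    srv.enrol("alice", "2468", b"12345678901234567890")
    first = hotp(b"12345678901234567890", 0)
    print(srv.verify("alice", "2468", first))   # True: PIN and token both good
    print(srv.verify("alice", "2468", first))   # False: replay of a used code
```

The look-ahead window is the usual compromise between usability and replay resistance: too small and a user who pressed the token twice is locked out, too large and an attacker who captured an old code has more chances to guess ahead. Whatever the size, a code behind the stored counter is always refused.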
The final aspect of security is perhaps the most important as far as an ASP's
customers are concerned: the security of their data in transit over the Internet. This
has traditionally been accomplished with Virtual Private Networks (VPNs), but that
presents something of a problem for an ASP because a conventional VPN relies on the
ASP's firewall technology being the same as its customers'. What is needed is a SOCKS v5
VPN solution that is "firewall blind": one that encrypts the data stream and can traverse
any customer firewall by tunnelling through a standard HTTP proxy. In addition, it must
tightly integrate strong encryption, application management, and intelligent logging and
reporting. The SOCKS server is placed in the de-militarised zone of the ASP's firewall,
and all VPN-enabled clients communicate transparently over encrypted channels, through
that server and into the ASP.
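The exchange between such a client and the SOCKS server, as an added example that is not part of the original article and not any vendor's VPN product: both sides of the SOCKS version 5 (RFC 1928) method negotiation and CONNECT request are built and parsed as bytes, the server applies an allow-list before it will connect anywhere on the client's behalf, and the HTTP CONNECT request the client uses to get through a customer's HTTP proxy is shown alongside. The host names and the allow-list are constructed; TCP 1494 is the Citrix ICA port. Encryption of the stream and the username/password sub-negotiation are left out so the message formats stay visible.

```python
"""SOCKS version 5 (RFC 1928) CONNECT exchange, both sides, plus the HTTP
CONNECT request a client sends to tunnel through a customer's HTTP proxy.
Added example, not the article's or any vendor's code. Host names and the
allow-list of reachable hosts are constructed; TCP 1494 is Citrix ICA."""
import ipaddress
import struct

SOCKS_VERSION = 0x05
NO_AUTH, USERPASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REP_SUCCESS, REP_NOT_ALLOWED = 0x00, 0x02

# Hosts inside the ASP that a VPN client may be connected to (constructed).
ALLOWED = {("citrix1.example.net", 1494), ("citrix2.example.net", 1494)}


# ---- client side ----------------------------------------------------------
def client_greeting(methods=(USERPASS,)) -> bytes:
    """VER | NMETHODS | METHODS: the client lists the auth methods it supports."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def connect_request(host: str, port: int) -> bytes:
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT, with a domain-name address
    so the client never has to resolve names inside the ASP itself."""
    name = host.encode("idna")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack(">H", port))


def parse_reply(reply: bytes) -> int:
    """Return the REP code; anything but 0 means the tunnel was refused."""
    if len(reply) < 2 or reply[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    return reply[1]


def http_connect_request(proxy_target: str, port: int) -> bytes:
    """What the client sends to a plain HTTP proxy to get a raw TCP tunnel to
    the SOCKS server in the DMZ; the encrypted SOCKS session rides inside it."""
    return (f"CONNECT {proxy_target}:{port} HTTP/1.1\r\n"
            f"Host: {proxy_target}:{port}\r\n\r\n").encode()


# ---- server side ----------------------------------------------------------
def server_select(greeting: bytes, offered=(USERPASS,)) -> bytes:
    """Pick the first method the server offers that the client also listed.
    Offering only USERPASS means an unauthenticated client is turned away."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VERSION or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed greeting")
    client_methods = greeting[2:]
    for m in offered:
        if m in client_methods:
            return bytes([SOCKS_VERSION, m])
    return bytes([SOCKS_VERSION, NO_ACCEPTABLE])


def parse_request(req: bytes):
    """Return (host, port) from a CONNECT request; only domain names accepted."""
    if req[:2] != bytes([SOCKS_VERSION, CMD_CONNECT]) or req[3] != ATYP_DOMAIN:
        raise ValueError("unsupported request")
    n = req[4]
    if len(req) != 5 + n + 2:
        raise ValueError("truncated request")
    host = req[5:5 + n].decode("idna")
    (port,) = struct.unpack(">H", req[5 + n:])
    return host, port


def server_reply(rep: int, bind_ip: str = "0.0.0.0", bind_port: int = 0) -> bytes:
    """VER | REP | RSV | ATYP | BND.ADDR | BND.PORT."""
    return (bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4])
            + ipaddress.IPv4Address(bind_ip).packed + struct.pack(">H", bind_port))


def handle_request(req: bytes) -> bytes:
    """Apply the ASP's ruleset before connecting anywhere on the client's behalf."""
    host, port = parse_request(req)
    if (host, port) not in ALLOWED:
        return server_reply(REP_NOT_ALLOWED)
    return server_reply(REP_SUCCESS)    # a real server would connect, then bind


if __name__ == "__main__":
    greeting = client_greeting((NO_AUTH, USERPASS))
    print("method selected:", server_select(greeting).hex())
    req = connect_request("citrix1.example.net", 1494)
    print("reply code:", parse_reply(handle_request(req)))
```

The allow-list check in handle_request is what stops a SOCKS server in the DMZ becoming an open relay into the ASP: a client that has authenticated can still only reach the Citrix hosts and port the ruleset names, and the refusal comes back as a SOCKS reply code rather than a connection to somewhere it should not be.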
So, the world is getting smaller, and communications costs are decreasing at the same
time that the speed of communications is increasing. It is my belief that the Internet
hasn't even begun to take off yet, but people already expect a level of global
application access that is only just being made possible by the small but growing band
of ASPs. We will soon be able to launch an application in the same way that we can pick
up a telephone and dial a number: without worrying or caring about the technology behind
Jonathan Moss is Technical Director of iProvide