Scaling Up The Box
Date: Friday, February 28, 2003
KEITH DALE, VP OPERATIONS AT GETTHERE.COM, does his annual system capacity analysis every summer. Getthere is the engine on which most airlines offer their online ticketing facilities. Last year, over 7 million transactions passed through Getthere’s engines, and the company was expecting similar—if not increased—traffic this year. From his examination, Dale found that his systems were quite capable of handling the traffic for the next year and that the technologies were good for at least three years. “But I wanted to make sure that we were really geared up to handle the healthy growth that was being forecast in the company,” recalls Dale. “Primarily, we wanted to do two things: move all the SSL terminations—which were mixed in the old environment, some being done at the network layer, and some being done at the patchy web server layer—to the network layer; and increase my capacity by an order of magnitude. The new box needed to handle more volume—from 400 connections per second to 4000 connections per second.” When Dale put out his requirements, Netscaler, from Santa Clara, CA, offered one of its products—the Secure Application Switch—which Dale “found very robust, full of good features, easily scalable, and most importantly, at half the price of the rest of the products that were being offered.”
“When MSN was launching their latest version last year, they were planning to set up 82 servers. We brought it down to 16,” says B V Jagadeesh, president and CEO, Netscaler. The Netscaler box sits in front of the servers and brings intelligent traffic analysis and request filtering to bear on the server load. This reduces the load on the servers and produces faster responses at the user end. Think of it as a freeway. After a car passes along a lane from point A to point B, the lane doesn’t close down. It stays open for the next car. Similarly, when a TCP link is established between a user and the server, the link is kept open after the first user completes a transaction, so that the next user can use the same link. This is in contrast, says Sunderrajan Prabhakar, CTO at Netscaler, to the normal transaction, where a new link is established every time a request is sent to the server. “It will simply punish the server,” comments Prabhakar.
At the core of the box lies Netscaler’s patented Request Switching Technology, which offloads the TCP processing—without any changes to the server—and takes the millions of requests and processes them over a few “persistent” connections. Many current products take a more packet-centric approach to traffic management at this level, while still distributing at the connection level. However, handling content processing at the packet level still results in inefficient traffic management. Moreover, these traffic management systems make a single content-based decision for the entire group of requests on a connection, based on the first object being requested. This means that one server will handle each connection, even though it may contain multiple content requests, oftentimes for various types of content. Because of this, traffic jams occur when additional connections are systematically routed to servers already processing connections containing a large number of content requests. This results in poor server utilization and slower site response times. “The technology finds application for secure content traffic. In SSL traffic, the normal encryption fails due to modem compression at the user end. With a Netscaler leverage, we compress the transaction before encryption, which is possible only with our product,” says Jagadeesh. “NetScaler’s Request Switching technology handles web application traffic in the most efficient way possible—by analyzing and directing incoming traffic at the application request level—enabling fine-grain traffic direction, protection and control.”
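The contrast drawn in the two paragraphs above (one decision per connection versus one decision per request over a few persistent server links) can be seen in a small model. This is an added illustration, not Netscaler's code: the server names, the request counts, the round-robin and least-loaded policies, and the single persistent link per server are all assumptions.

```python
# Added example: a simplified model, not Netscaler's implementation.
SERVERS = ["web1", "web2", "web3"]  # hypothetical back-end pool

# Constructed sample: number of HTTP requests carried by each client
# connection (two long keep-alive sessions among short ones).
CLIENT_CONNECTIONS = [12, 1, 1, 12, 1, 1]


def connection_level(conns):
    """One routing decision per client connection (round-robin).

    Every request on a connection follows the first one to the same
    server, and each client connection costs the pool one new TCP link.
    """
    load = {s: 0 for s in SERVERS}
    server_links = 0
    for i, n_requests in enumerate(conns):
        server = SERVERS[i % len(SERVERS)]  # decided once, up front
        server_links += 1                   # new server-side TCP setup
        load[server] += n_requests
    return load, server_links


def request_level(conns):
    """One routing decision per request over reused server links.

    Each request goes to the least-loaded server (ties: pool order);
    a link to a server is opened once and then kept for later requests.
    """
    load = {s: 0 for s in SERVERS}
    persistent_links = set()
    for n_requests in conns:
        for _ in range(n_requests):
            server = min(SERVERS, key=load.get)
            persistent_links.add(server)    # reused if already open
            load[server] += 1
    return load, len(persistent_links)


if __name__ == "__main__":
    for name, fn in (("connection-level", connection_level),
                     ("request-level", request_level)):
        load, links = fn(CLIENT_CONNECTIONS)
        print(f"{name:17} load={load} server-side TCP links={links}")
```

In this model the connection-level policy piles both long sessions onto the same server, while the request-level policy spreads the same 28 requests almost evenly and opens half as many server-side links.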
After nearly two-and-a-half years of development and patenting, Netscaler is finding good traction for their product. “In using an Akamai service for faster server transaction, content has to conform to the Akamai. But with a Netscaler box, clients don’t have to go through this,” says Jagadeesh. “And remember, this is a one time cost, whereas the other plan has a monthly service fee.”
Also, the widespread adoption of SSL as the preferred means to ensure data security has elevated the need for point products such as SSL accelerators to handle the encryption/decryption process. Introducing one or more of these point products into a web infrastructure increases complexity, and possibly degrades application performance. In addition, other infrastructure optimization capabilities are nullified in the face of encrypted traffic. As a result, ensuring the fully secure delivery of business-critical applications sometimes results in leaving these applications and infrastructure vulnerable to attack or in degrading end-user response.
There are a myriad of point products on the market today that are designed to optimize one or more aspects of web service delivery while attempting to solve some of these challenges. Many of these products are designed to protect against specific kinds of Denial of Service (DoS) or intrusion attacks. Others are aimed at improving site capacity or end-user performance in some particular way. Continuous application availability begins with a complete application protection solution. After a firewall inspects traffic, it permits all legitimate traffic to be passed on to the web server. If this traffic is HTTP based, it is sent through port 80. Unfortunately, over 80% of DoS attacks occur over port 80. Because these types of attacks appear as legitimate traffic, they remain undetected by a traditional firewall. Even truly legitimate surges in traffic can threaten the availability of a site. Existing DoS protection solutions either drop requests after reaching server connection limits, or redirect application requests to other servers—consuming expensive back-up capacity. Netscaler claims that its box is able to prevent certain attacks from reaching the server and regulate others such that every legitimate transaction is completed without imposing a performance penalty on the user or a capacity penalty on the provider.
“In 2000, we saw an overbuild of server capacity. We saw an opportunity to reduce these server investments, and went to customers with our plans. They laughed and said, ‘We need more traffic!’” recalls Jagadeesh. In the following years, the overcapacity has shrunk—either the companies went out of business, or the servers became outdated, or the companies downsized their server farms. “Now, with minimal server capacities, companies want maximum traffic and transactions,” says Prabhakar. “Our boxes will help them achieve continuous delivery of content, faster responses, and security at the application level.” In a recent Light Reading evaluation of similar products, NetScaler got the highest overall score: 4.3 out of a possible 5. It got the best average mark for each group of tests, although it didn't come out on top in every individual test. Its most remarkable results were handling close to 2.4 million simultaneous HTTP sessions or TCP connections—and having a list price that's half that of Extreme's and WinCom's.
With a recent round of funding that saw Sequoia Capital also participate, Netscaler is now focusing on customer acquisition and retention. Apparently this has also got some good marks, as Keith Dale comments, “They are dedicated, very sound on their technology and have shown immediate responses.” After a quiet three years, Netscaler is now chalking up some good revenues.