Secure the bridge, speed the traffic

Case study: Air National Guard finds traffic flow, network security are two sides of the same coin

Air National Guard: Let a pilot show you the way

Deploying any system on a nationwide network serving more than 200 locations is not a simple job, but that's what the Air National Guard plans to do over the next several months. It is installing an appliance, previously untested by ANG, to provide both Internet policy enforcement and application acceleration on its wide-area network.

'We have a large, complex network,' said Air Force Lt. Col. Dunkin Walker, who heads the Communications Directorate at the Guard's Network Architecture Branch. The WAN provides connectivity to ANG facilities in each of the 50 states and in four U.S. territories.

The key to making the implementation work is to try it before you buy it. The Guard did a pilot deployment of the equipment, ProxySG Appliances from Blue Coat Systems, at McConnell Air Force Base, Kansas, home to the USAF Network Operations and Security Center.

'We got some good lessons from the pilot,' Walker said.

The first lesson was that the ProxySG did both of the jobs ANG needed to get done: It could handle policy enforcement at the gateways and improve network performance by managing bandwidth and accelerating the applications. Settings and configuration on the boxes were worked out in a controlled environment, and they learned how the appliances interacted with the local network.

But they also found that the proxy does not work well with other proxies, so you should know whether you already have such a device on your local network before you deploy.

'You have to take the old proxy completely out of the loop,' Walker said.

But the most important lesson was that a careful pilot program can help you determine not only what product to buy, but how to deploy it.

-- William Jackson

Get more from your bandwidth

Wide-area optimization technologies squeeze more performance from your network through various techniques, including:

Bandwidth management, mapping network traffic to the organization's priorities.

Protocol optimization, which cuts the round trips that chatty applications impose on a long-haul link, for example by opening multiple connections and loading multiple objects in parallel.

Object caching, saving and serving up objects from a local cache, limiting the use of the network to what is necessary.

Byte caching, similar to object caching but operating on blocks of data rather than complete objects, so that only the data that has changed between requests needs to be downloaded. Both types of caching become more effective over time and as more people use the network.

Compression, or shrinking the files being transmitted by removing redundant parts and restoring them at the destination.

Policy enforcement, allowing users access to only applications pertinent to their jobs.

-- William Jackson
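To make the difference between object caching and byte caching concrete, here is an added Python example; it is not code from the article, from Blue Coat or from the ANG deployment. It ships two versions of a constructed status-report file across a simulated link, once through an object cache and once through a byte cache that uses content-defined chunking. The chunking constants, the rolling hash, the sample file and the wire-cost model (a 32-byte fingerprint per chunk, plus the chunk bytes on a miss) are all assumptions made for the illustration.

```python
"""Object caching vs byte caching, simulated on one WAN link.

Added example, not code from the original article or from Blue Coat: the
chunking constants, the sample file and the wire-cost model are constructed.
"""
import hashlib

WINDOW = 16                      # bytes covered by the rolling hash
MIN_CHUNK = 128                  # never cut a chunk shorter than this
CUT_BITS = 6                     # cut where the top 6 hash bits are all set (~1 in 64 positions)
P, M = 2654435761, 1 << 32       # multiplicative rolling hash, mod 2^32
P_WINDOW = pow(P, WINDOW, M)


def chunk(data: bytes) -> list[bytes]:
    """Content-defined chunking with a polynomial rolling hash.

    Cut points depend only on the bytes inside the hash window, so an insertion
    changes the chunk it lands in and the chunks on either side line up again.
    Fixed-size blocks would instead change every block after the edit.
    """
    chunks, start, h = [], 0, 0
    for i, b in enumerate(data):
        h = (h * P + b) % M
        if i >= WINDOW:
            h = (h - data[i - WINDOW] * P_WINDOW) % M   # drop the byte leaving the window
        if i + 1 - start >= MIN_CHUNK and (h >> (32 - CUT_BITS)) == (1 << CUT_BITS) - 1:
            chunks.append(data[start:i + 1])
            start = i + 1
    if start < len(data):
        chunks.append(data[start:])
    return chunks


def digest(blob: bytes) -> bytes:
    # A full SHA-256 keeps collisions out of the picture; real byte caches
    # typically exchange shorter fingerprints.
    return hashlib.sha256(blob).digest()


def object_cache_send(obj: bytes, peer_objects: set[bytes]) -> int:
    """Object cache: the whole object is a hit (fingerprint only) or a miss (everything)."""
    d = digest(obj)
    if d in peer_objects:
        return len(d)
    peer_objects.add(d)
    return len(d) + len(obj)


def byte_cache_send(obj: bytes, peer_chunks: dict[bytes, bytes]) -> tuple[int, bytes]:
    """Byte cache: each chunk is a hit (fingerprint) or a miss (fingerprint + bytes).

    Returns (bytes on the wire, what the peer reconstructs).
    """
    wire, rebuilt = 0, bytearray()
    for c in chunk(obj):
        d = digest(c)
        if d in peer_chunks:
            wire += len(d)                  # peer already holds these bytes
        else:
            wire += len(d) + len(c)
            peer_chunks[d] = c
        rebuilt += peer_chunks[d]
    return wire, bytes(rebuilt)


def sample_report(extra_line: bool) -> bytes:
    """Constructed status-report file (~7 KB); version 2 inserts one line in the middle."""
    sites = ["kansas", "ohio", "texas", "oregon", "guam"]
    lines = [f"log {i:04d} site={sites[i % 5]} latency_ms={(i * 7919) % 211} "
             f"bytes={(i * 104729) % 65536} crew={i % 7}\n" for i in range(120)]
    if extra_line:
        lines.insert(60, "log 0060a site=maine latency_ms=17 bytes=4096 NOTE: inserted later\n")
    return "".join(lines).encode()


def compare() -> dict[str, int]:
    """Ship version 1, then version 2 (one inserted line), through both kinds of cache."""
    v1, v2 = sample_report(False), sample_report(True)
    objects: set[bytes] = set()
    chunks: dict[bytes, bytes] = {}
    obj_first = object_cache_send(v1, objects)
    obj_second = object_cache_send(v2, objects)          # full miss: the object changed
    byte_first, _ = byte_cache_send(v1, chunks)
    byte_second, rebuilt = byte_cache_send(v2, chunks)   # only the chunks around the edit miss
    assert rebuilt == v2
    return {"size_v2": len(v2), "object_cache_v1": obj_first, "object_cache_v2": obj_second,
            "byte_cache_v1": byte_first, "byte_cache_v2": byte_second}


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>16}: {value} bytes")
```

Running it shows the first transfer costing slightly more than the file under either scheme (the fingerprints are overhead), and the second transfer costing the object cache the whole file again while the byte cache pays only for the chunk containing the inserted line plus one fingerprint per chunk. Two caveats a practitioner should keep in mind: a byte cache only pays off once the same data has crossed the link at least once, which is why the sidebar says caching improves over time; and the chunk store on the appliance is a copy of everything that has crossed the link, so it needs the same protection as the traffic itself.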

DOUBLE DUTY: Blue Coat's ProxySG Appliance did both jobs the Air National Guard needed done, helping to secure its Internet connections while optimizing WAN performance.

It was serendipity. The Air National Guard needed a proxy appliance to secure Internet connections and enforce network policy on its nationwide wide-area network. At the same time, it was becoming apparent that either more bandwidth was needed on that WAN or the existing bandwidth had to be used more efficiently. It found that one box could handle both functions.

'I don't care how much bandwidth you have, it is still a good thing to have more efficient bandwidth,' said Air Force Lt. Col. Dunkin Walker, chief at the ANG Network Architecture Branch Communications Directorate.

The Guard was already looking at the ProxySG Appliance from Blue Coat Systems for its proxy needs because that was on the Air Force list of approved products.

'We would have ended up with a proxy anyway,' Walker said. What was surprising was that the proxy being considered also had acceleration functions. 'We didn't expect that. We were overjoyed when we heard that was a part of the product.'

The Air National Guard expects to begin installing more than 200 of the appliances in October to handle its network security and WAN bandwidth needs.

Getting more from your existing bandwidth is not a trivial task, and more agencies are looking to WAN optimization technologies as a way to get a five- to 20-fold improvement in network performance without leasing more bandwidth. The WAN optimization space, which started as a tactical bandage to fix network congestion problems, is becoming a strategic enterprise service, said Chris King, director of strategic marketing at Blue Coat. 'The level of investment required is much lower.'

The knee-jerk approach to speeding up application performance over the network is to add bandwidth or purchase new servers and distribute them across the enterprise to host applications and data that would be closer to users. There are a number of problems with this approach, King said.

Distributing applications on servers also goes against the current trend in government. 'There is a tendency for a lot of government organizations to centralize a lot of the data for security management,' King said. However, even in the best of situations, centralizing applications can have a performance impact on large networks.

'The distance that the user's traffic is required to traverse to get to the application is significantly greater than the application was designed for,' King said. A WAN can span thousands of miles, and 'as fast as light travels, it still takes time.'

Delays can go from a few milliseconds to a hundred milliseconds to cover the distance, depending on network conditions and the number of hops required, and talky applications can require dozens or hundreds of round-trip exchanges. 'When you're talking about 200 milliseconds delay round trip, it adds up.'

This was the situation the Air National Guard (ANG) was facing with its network, which connects more than 200 locations in 54 states and territories.

'The ANG network is as big as the Air Force network,' Walker said. 'It's not a small organization. We have long-haul communications links between all of the locations.'

The more than 107,000 air guardsmen make up about a third of the Air Force's total manpower, and they are involved daily in training, rescue missions, firefighting support, combat communications and air traffic control. Increasingly, their missions rely on the ANG WAN.

'Everything is moving to the network,' Walker said. 'In an ideal situation, the long-haul pipes would grow to meet these needs.'

But the real world is seldom an ideal situation. 'The communications were not adequate for everything that is on the network today,' he said. 'We had to pursue another way to increase the bandwidth available across the network.'

That turned out to be the ProxySG. Blue Coat started life as CacheFlow, a niche company that accelerated commercial transactions on the Internet with a proxy that terminated and reissued connections on behalf of a server. After the dot-com bust, the company renamed itself Blue Coat and focused on security controls in its gateway device to complement its optimization features.

Enforcement and acceleration go hand in hand because of the network overhead in policy enforcement, King said.

'Every time you add a layer of controls, you affect performance,' he said. 'It's going to get harder to do any kind of policy or security without adding acceleration.'

The ProxySG has a policy enforcement engine with 500 variables, allowing granular control of where users can go on the Web, what they can do there and what kinds of data can be downloaded. It can block sites, limit the volume of traffic from some sites and disallow some kinds of content from sites that are not blocked. Policies can be tailored for specific sites, workgroups and individuals.

Effective policy enforcement can also help improve network performance by controlling the amount of traffic on the network. Every bit that is blocked makes room for another, legitimate bit.

After being briefed on acceleration by Blue Coat about a year ago, the Air National Guard tested the proxy appliances in a pilot program at McConnell Air Force Base, Kansas, where the Air Force has its Network Operations and Security Center (NOSC). The test concluded successfully in the summer, and ANG immediately began gearing up for a networkwide deployment.

The boxes were all shipped by October, and the job of installing them in 200 locations began. One appliance will be installed in each of the Guard's 88 wing headquarters and 14 other similar-sized facilities. Eighty-two geographically separated ANG units also will get proxies.

The appliances will be centrally managed from the operations center at McConnell, and each will have a standard ANG policy for Web use.

'If individual wings want to have a more restrictive policy, they will open a ticket with the NOSC,' which will update the policy, Walker said.

The ANG project is complicated somewhat by an additional layer of politics that administrators have to negotiate.

'The Air National Guard is really a militia that is controlled by the state to a large extent' and nationalized when needed, Walker said. 'The states think of themselves as their own enterprises.'

This makes mandates about network architecture and policy difficult.

'We have to sell them on the idea that they are a part of something bigger and abide by the same rules,' he said. 'It's more political than the active-duty military,' in which orders are orders.

It is not a small or a simple project, but 'we expect to be pretty much done by the end of the year,' Walker said. If done right, the only difference the end users will see is an improvement in network performance.
