Secure the bridge, speed the traffic
Case study: Air National Guard finds traffic flow, network security are two sides of the same coin
- By William Jackson
- Oct 21, 2007
DOUBLE DUTY: Blue Coat's ProxySG Appliance did both jobs the Air National Guard needed done, helping to secure its Internet connections while optimizing WAN performance.
It was serendipity. The Air National Guard needed a proxy appliance to secure Internet connections and enforce network policy on its nationwide wide-area network. At the same time, it was becoming apparent that either more bandwidth was needed on that WAN or the existing bandwidth had to be used more efficiently. It found that one box could handle both functions.
'I don't care how much bandwidth you have, it is still a good thing to have more efficient bandwidth,' said Air Force Lt. Col. Dunkin Walker, chief at the ANG Network Architecture Branch Communications Directorate.
The Guard was already looking at the ProxySG Appliance from Blue Coat Systems for its proxy needs because that was on the Air Force list of approved products.
'We would have ended up with a proxy anyway,' Walker said. What was surprising was that the proxy being considered also had acceleration functions. 'We didn't expect that. We were overjoyed when we heard that was a part of the product.'
The Air National Guard expects to begin installing more than 200 of the appliances in October to handle its network security and WAN bandwidth needs.
Getting more from your existing bandwidth is not a trivial task, and more agencies are looking to WAN optimization technologies as a way to get a five- to 20-fold improvement in network performance without leasing more bandwidth. The WAN optimization space, which started as a tactical bandage to fix network congestion problems, is becoming a strategic enterprise service, said Chris King, director of strategic marketing at Blue Coat. 'The level of investment required is much lower.'
The knee-jerk approach to speeding up application performance over the network is to add bandwidth or purchase new servers and distribute them across the enterprise to host applications and data that would be closer to users. There are a number of problems with this approach, King said.
Distributing applications on servers also goes against the current trend in government. 'There is a tendency for a lot of government organizations to centralize a lot of the data for security management,' King said. However, even in the best of situations, centralizing applications can have a performance impact on large networks.
'The distance that the user's traffic is required to traverse to get to the application is significantly greater than the application was designed for,' King said. A WAN can span thousands of miles, and 'as fast as light travels, it still takes time.'
Delays can go from a few milliseconds to a hundred milliseconds to cover the distance, depending on network conditions and the number of hops required, and talky applications can require dozens or hundreds of round-trip exchanges. 'When you're talking about 200 milliseconds delay round trip, it adds up.'
This was the situation the Air National Guard (ANG) was facing with its network, which connects more than 200 locations in 54 states and territories.
'The ANG network is as big as the Air Force network,' Walker said. 'It's not a small organization. We have long-haul communications links between all of the locations.'
The more than 107,000 air guardsmen make up about a third of the Air Force's total manpower, and they are involved daily in training, rescue missions, firefighting support, combat communications and air traffic control. Increasingly, their missions rely on the ANG WAN.
'Everything is moving to the network,' Walker said. 'In an ideal situation, the long-haul pipes would grow to meet these needs.'
But the real world is seldom an ideal situation. 'The communications were not adequate for everything that is on the network today,' he said. 'We had to pursue another way to increase the bandwidth available across the network.'
That turned out to be the ProxySG. The company that became Blue Coat started life as a niche vendor that accelerated commercial transactions on the Internet with a proxy that terminated and reissued connections on behalf of a server. After the dot-com bust, it renamed itself Blue Coat and focused on security controls in its gateway device to complement its optimization features.
Enforcement and acceleration go hand in hand because of the network overhead in policy enforcement, King said.
'Every time you add a layer of controls, you affect performance,' he said. 'It's going to get harder to do any kind of policy or security without adding acceleration.'
The ProxySG has a policy enforcement engine with 500 variables, allowing granular control of where users can go on the Web, what they can do there and what kinds of data can be downloaded. It can block sites, limit the volume of traffic from some sites and disallow some kinds of content from sites that are not blocked. Policies can be tailored for specific sites, workgroups and individuals.
Effective policy enforcement can also help improve network performance by controlling the amount of traffic on the network. Every bit that is blocked makes room for another, legitimate bit.
After being briefed on acceleration by Blue Coat about a year ago, the Air National Guard tested the proxy appliances in a pilot program at McConnell Air Force Base, Kansas, where the Air Force has its Network Operations and Security Center (NOSC). The test concluded successfully in the summer, and ANG immediately began gearing up for a networkwide deployment.
The boxes were all shipped by October, and the job of installing them in 200 locations began. One appliance will be installed in each of the Guard's 88 wing headquarters and 14 other similar-sized facilities. Eighty-two geographically separated ANG units also will get proxies.
The appliances will be centrally managed from the operations center at McConnell, and each will have a standard ANG policy for Web use.
'If individual wings want to have a more restrictive policy, they will open a ticket with the NOSC,' which will update the policy, Walker said.
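The layered model the article describes, a central standard policy that local wings may only tighten, shown as an added Python illustration (not Blue Coat's policy language or any ANG configuration). The policy engine, hostnames, quotas and group names below are constructed for the example; the point it demonstrates is that a local layer can add a block, a content-type restriction or a volume limit, but never re-allow something the enterprise layer already denied.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Request:
    user: str
    group: str              # e.g. the wing the user belongs to
    host: str
    content_type: str
    host_bytes_today: int   # constructed counter: bytes already pulled from host today

@dataclass
class Policy:
    name: str
    blocked_hosts: set = field(default_factory=set)
    denied_types: dict = field(default_factory=dict)  # host -> content types denied there
    byte_quota: dict = field(default_factory=dict)    # host -> max bytes per day
    scope: Optional[set] = None  # groups/users it applies to; None means everyone

    def applies(self, req: Request) -> bool:
        return self.scope is None or req.group in self.scope or req.user in self.scope

    def verdict(self, req: Request) -> Optional[str]:
        """Return a denial reason, or None if this layer has no objection."""
        if req.host in self.blocked_hosts:
            return f"host {req.host} blocked"
        if req.content_type in self.denied_types.get(req.host, ()):
            return f"{req.content_type} not allowed from {req.host}"
        if req.host_bytes_today >= self.byte_quota.get(req.host, float("inf")):
            return f"daily volume limit for {req.host} reached"
        return None

def evaluate(layers, req: Request):
    """Enterprise policy is checked first, then each local layer that applies.
    Any layer may deny; no layer can override an earlier denial, so local
    policies can only be more restrictive than the standard one."""
    for layer in layers:
        if layer.applies(req):
            reason = layer.verdict(req)
            if reason:
                return "deny", f"{reason} ({layer.name})"
    return "allow", ""

# Constructed policies: a central standard plus one wing's more restrictive additions.
ENTERPRISE = Policy("standard", blocked_hosts={"malware.example"},
                    denied_types={"filehost.example": {"application/x-msdownload"}},
                    byte_quota={"video.example": 500_000_000})
WING_LOCAL = Policy("wing-A local", blocked_hosts={"video.example"}, scope={"wing-A"})
LAYERS = [ENTERPRISE, WING_LOCAL]
```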
The ANG project is complicated somewhat by an additional layer of politics that administrators have to negotiate.
'The Air National Guard is really a militia that is controlled by the state to a large extent' and nationalized when needed, Walker said. 'The states think of themselves as their own enterprises.'
This makes mandates about network architecture and policy difficult.
'We have to sell them on the idea that they are a part of something bigger and abide by the same rules,' he said. 'It's more political than the active-duty military,' in which orders are orders.
It is not a small or a simple project, but 'we expect to be pretty much done by the end of the year,' Walker said. If done right, the only difference the end users will see is an improvement in network performance.