VoxTechnologies
Enterprise Network Series
The Enterasys Content Provisioning
Architecture
Technical Whitepaper
Abstract
Written for Internet and application service providers who
need scalable, reliable, high-performance solutions to help
them keep up with the rapid growth of the Internet access and
eCommerce markets, this whitepaper discusses the logical and
physical components to consider when provisioning and
implementing a content hosting site.
This whitepaper examines the networking architectural
requirements for building large content hosting sites so that
the anticipated growth in online business can be handled
seamlessly, improving revenues for both service providers and
their customers. It describes Enterasys' Content Provisioning
Architecture and how it meets these requirements in a
scalable, reliable and manageable fashion.
The Internet Phenomenon Continues
The World is Going Online
A recent report by CommerceNet 1 estimates that in North
America alone, there are now more than 92 million Internet
users. Outside of North America, the Internet phenomenon is
growing even faster.
The same report estimates that 55 million people are using
the Internet for online shopping and browsing. Of these, over
28 million are making online purchases; and nearly 50% of
these people made their first purchase since March 1999. No
longer can the Internet be seen as a geek's paradise or
teenager's chat room.
Pioneers of the Internet Gold Rush
Leading this trend are Internet pioneers such as Amazon.com,
Lands End, Egghead Software, Charles Schwab, Dell Computer,
etc., all of whom are able to reduce costs by cutting out the
middleman and offering customers direct access to browse,
configure and order products. Their success is documented in
nearly every newspaper or magazine that you pick up, and the
idea that an online company can grow from a home operation to
a multimillion-dollar company in one year has captured the
imagination of every red-blooded entrepreneur. This new wave
of "dot-com" companies has also instilled fear into
traditional businesses that have been slow to respond to this
commercial trend and are now racing to catch up with their new
competitors.
Be My Host?
From the customer's perspective, the world of e-business is
not that different from traditional "brick and
mortar" business. Responsiveness, reliability,
availability, convenience and presentation are critical in
ensuring customer satisfaction, whether online or in-person.
If a customer walks in to a shop and does not get prompt
service, they are likely to walk out and never come back
again. If the same thing happens in an online store, word may
spread over the Internet until it seems like the whole world
knows. We have all heard stories about online vendors being
unable to cope with unexpected demand on their site resulting
from a new product release or a big external event, and the
impact on future business can be catastrophic. Alternatively,
praise from a satisfied customer can spread just as fast, and
has a far more desired effect.
Anyone contemplating becoming a content provider needs to
ask themselves the following questions:
- Do I have the necessary in-house systems and web
expertise to set up and run an in-house eCommerce site?
- How many visitors do I expect and what Internet
bandwidth will I need to support this?
- How many web and application servers will I need to
handle the anticipated loads?
- Are there peaks and troughs in my customers' buying
patterns caused by seasonal or new product releases?
- How quickly can I respond to business growth, in terms
of adding more bandwidth capacity or processing power?
- Am I prepared to open my online shop 24x7 to a global
market?
Unless a company has the investment in high-performance
systems, a high-speed Internet connection that can handle peak
traffic, and a support staff with the technical expertise to
run the site 24 hours a day, seven days a week, then the best
answer is to consider an outsourced content hosting solution.
The servers, web content and back-end applications are
co-located in a service provider's location with a high-speed
(100 or 1000 Mbps) LAN connection to the Internet. Internet
service providers have the expertise and high-speed access to
get an online site up and running quickly, and already have
the support staff to look after it. In fact, a new breed of
provider known as an application service provider (ASP) is
evolving to address this growing market, and a recent
Forrester report estimated that this market will grow to $15
billion by the year 2003. 2 An ASP will not only provide
network access and racking for the servers, but can also
license software applications and provide software
customization.
Content Hosting Requirements
What Are End Users Looking For?
Content hosting customers are looking for two main things
from their service provider: connectivity and reliability. On
top of this, they want to be able to offer their customers the
ability to perform secure transactions and to control and
update their content securely. Given that it is highly likely
that a competitor may have their site co-hosted by the same
service provider—especially if it is a large national
provider— customers are also concerned about the security of
their critical business data. Early hosting sites (or Internet
Exchanges, as they were originally called) addressed these
concerns by physically separating each hosted site's systems
and locking them in metal cages. All visitors to the hosting
site were escorted by service provider personnel. While
providing the required level of physical security, this solution
did not offer the service provider the ability to share the
physical network infrastructure between different logical
customer domains. This kind of service is now more correctly
termed a "co-located service," as it provisioned
rack and floor space rather than secure access to a shared
network infrastructure.
What Do Service Providers Need to Provide?
Service providers need to maximize their revenue from
value-added services while minimizing the cost of the
equipment and bandwidth needed to provide these services.
Content hosting is the most ubiquitous service offered, after
basic $20/month Internet access subscriptions. The service
needs to be able to scale from putting the local flower shop
online to hosting a large globally available online merchant.
Service providers also need to keep in mind that once you put
the small local flower shop online, it could easily turn into
the horticultural equivalent of Amazon.com in a very short
time. To deliver today and tomorrow's content services,
service providers have the following basic needs:
High-Speed Connections. When Internet access meant
28.8 Kbps dial-up modems, users had limited expectations of
what could be downloaded and how long it would take. Today,
with the availability of higher-speed digital access methods
such as DSL and cable modems, customers' expectations of
what can be downloaded and how fast it should take have
changed dramatically. In addition, the availability of new
media streaming services such as video or audio webcasts is
placing even higher demands on the access bandwidth
requirements.
High-bandwidth Internet access is needed to handle these
large volumes of data. For small sites, the equivalent of a
T1/E1 (2 Mbps) pipe is adequate, while for larger sites a
T3/E3 (45 Mbps) link could be needed. For major hosting
sites, an OC-3 (155 Mbps) or even OC-12 (622 Mbps) ATM or
packet-over-SONET may be required to satisfy the demand for
online connections. A successful service provider needs to
have access boxes that can handle all of these speeds, and
possibly even higher ones.
No Firewall Bottlenecks. If a hosting site
connects to the Internet using a T3/E3 pipe, this can
deliver up to 17,000 session connections per second. An OC-3
link can deliver 50,000 connections per second. If, for
security reasons, the connections are going through a single
firewall, then it can easily be overloaded. Any firewall
implementation must be scalable so that it can service not
just 50,000 but over time 100,000 or even a million
connections per second.
No Single Point of Failure. In order to provide
99.999% reliability, any solution needs to have built-in
redundancy not only at the box level but at the application
level. A box may fail or a software application may fail or
become overloaded, and a successful solution must provide
fast failover at both the box and application level in order
to maintain uptime. If a customer can't get through to the
site, then a competitor's site is only a click away.
Traffic Measurement and Accounting Tools. Most
Internet service providers started out offering Internet
access to their subscribers. Hosting meant simply providing
disk space for an individual's personal web site. Traffic
patterns were fairly predictable and proportional to the
number of subscribers and the ratio of access ports needed
to provision them. Now, content can vary from basic web pages
with low or high-resolution graphic images, to online media
streaming and software distribution. With commercial
content, hosting traffic patterns and access requirements
are much more difficult to predict and measure. Unlike
personal web hosting, commercial hosting does not lend
itself to flat-rate tariffing, and needs to take account of
not just bandwidth usage but also usage of the applications
involved. The same tools need to be available not just for
billing but also for capacity planning purposes, to ensure
that the site is appropriately provisioned with the correct
capacity—both bandwidth and application—in order to meet
the anticipated growth that a successful site is bound to
experience.
Enterasys's Content Provisioning Architecture
Enterasys understands the technology required to deliver
highly reliable, scalable network infrastructures for the type
of mission-critical networks that service providers require.
Our Content Provisioning Architecture is Enterasys's response
to service providers who need the connectivity, reliability,
scalability and management required for large-scale commercial
content hosting.
The architecture defines generic building blocks needed to
build a content hosting site. These building blocks are
conceptual rather than physical; actual products may implement
one or more of these conceptual layers, described below,
depending on the performance and redundancy requirements of
the specific content hosting solution required. A generic
model is shown in Figure 1.
Network Layer

The network layer represents the external network through
which visitors connect to the site and may comprise:
- A WAN connection to the public Internet
- A WAN connection to a private intranet
- A LAN connection to a router connected to either of the
above
Access Layer
Traffic arriving to and from the network layer needs to be
routed to the appropriate destination at the access layer. The
access layer is also the appropriate point to perform any
traffic accounting operations and handoff traffic to any
co-located sites that have their own security policies.
Functions performed in this layer include:
- Receiving and forwarding traffic to and from the network
layer over one or more data links (LAN or WAN)
- Rerouting content requests to other hosting sites based
on content availability or local replication policies—a
web caching or distributed content service provides this
function
- Routing services to forward traffic to the appropriate
destinations
- Performing any quality of service traffic conditioning
e.g. filtering, prioritization or rate limiting required
before forwarding to either other co-located hosting
domains or to the hosting domain itself—this could
include, for instance, filtering of denial-of-service
attacks or virus detection
- Collecting traffic statistics to be passed to the
accounting and billing applications
Security Layer
As with any layered network implementation, the overall
throughput is directly dependent on the slowest processing
element in the path. Firewalls are typically the performance
bottleneck, given the extra packet processing overhead and the
need to keep a session context when using stateful inspection
techniques. They are also often PC- or workstation-based and
are therefore limited by the software application performance.
So that the overall performance is not limited to the
throughput of a single firewall, firewalls need to be deployed
in parallel to provide the scalability required. Even if the
overall site performance requirement is within the capability
of a single firewall (for a small hosting site for instance),
multiple firewalls are often needed in order to provide
redundancy.
Advanced firewall implementations (such as Check Point's
Firewall-1 product) use stateful inspection techniques that
require that the session state context of the connection be
taken into account. For these techniques to work, all traffic
on a single TCP connection must be processed by the same
firewall. For instance, the path taken by the TCP SYN request
can be traced back by the corresponding SYN-ACK response. The
inbound and outbound flows of TCP requests and response
packets need to be symmetric, as shown in Figure 2.
Otherwise, session context can be lost and connections
rejected by the firewall. Various techniques can be used to
overcome this problem while providing multiple firewalls in
parallel:
- By synchronizing the state context information across
multiple firewalls. This is possible, but there is always
a finite window during which the firewalls will be out of
synchronization, given the high number and frequent setup
and tear-down of session connections. For instance, a
single web page with multiple graphic images may result in
multiple HTTP connection requests. This mechanism is
supported in Check Point's Firewall-1 products.
- By leaving a "trail of breadcrumbs." However,
this method can only be used with HTTP-based traffic and
would not work with other content applications not using
HTTP such as specialized eCommerce or security
applications. It also has the disadvantage of generating
extra traffic, and places the onus on other systems to
enforce the path flow.
- By using a routing policy to ensure that all traffic for
the same application flow is directed through the same
firewall. Additionally, it must ensure that the
statistical probability of which firewall is used follows
a normal distribution to ensure that firewall loading is
evenly balanced. This is the mechanism Enterasys uses in
the Xpedition products. The routing decision is made using
a hashing function based on the low-order bits of the
source address for the connection and the number of
firewalls in the parallel path.
Firewall Ingress Policy
The purpose of the ingress policy component is to make this
forwarding decision based on whatever method, and coordinate
with the firewall egress component below to ensure inbound and
outbound traffic traverses the same firewall for security
monitoring.
Firewalls
The firewall component is responsible for examining all
traffic to ensure that the security policies for the content
domain are appropriately enforced. These policies may be both
intra-domain and inter-domain applicable. Intra-domain rules
are used to ensure that traffic is properly segregated between
the different security domains of, for instance, different
hosted customers such as Company A and Company B. Inter-domain
rules are applied to enforce security policies within a single
content domain. For example, to accept or deny requests for
different types of service within the customer's content
domain, e.g. allow content updating only by recognized
superusers or allow special application services to recognize
extranet partners but not to general site users.
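The two kinds of rule described above, as an added example that is not Enterasys or Check Point code: a small default-deny policy evaluator for connection-initiating packets, with one rule set that keeps hosted customers' domains segregated from each other and a second set that restricts content updates inside a domain to recognized superuser hosts. The domain subnets, superuser addresses and the choice of TCP port 22 for content updates are assumptions made for the example.

```python
"""Default-deny hosting firewall policy (added example, not vendor code).

Rules between domains: a packet from one hosted customer's servers to
another customer's servers is always denied.
Rules within a domain: anyone may reach the public web ports; the content
update port is open only to that domain's recognized superuser hosts.
Replies to accepted connections are assumed to be handled by the
firewall's stateful session table and are not evaluated here.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


# Constructed sample: each hosted customer owns one server subnet.
DOMAINS = {
    "company_a": ipaddress.ip_network("10.1.0.0/24"),
    "company_b": ipaddress.ip_network("10.2.0.0/24"),
}
# Constructed sample: hosts allowed to push content updates, per domain.
SUPERUSERS = {
    "company_a": {ipaddress.ip_address("203.0.113.5")},
    "company_b": {ipaddress.ip_address("203.0.113.9")},
}
PUBLIC_PORTS = {80, 443}   # web browsing, open to all visitors
UPDATE_PORTS = {22}        # assumption: content updates arrive over SSH/SCP


def domain_of(addr: str) -> Optional[str]:
    """Name of the hosted domain owning addr, or None for external hosts."""
    ip = ipaddress.ip_address(addr)
    for name, net in DOMAINS.items():
        if ip in net:
            return name
    return None


def evaluate(pkt: Packet) -> Tuple[str, str]:
    """Return (decision, reason) for a connection-initiating packet."""
    src_dom = domain_of(pkt.src)
    dst_dom = domain_of(pkt.dst)

    # Cross-domain rule: Company A's servers must never reach Company B's.
    if src_dom is not None and dst_dom is not None and src_dom != dst_dom:
        return ("deny", "cross-domain traffic between hosted customers")
    if dst_dom is None:
        return ("deny", "destination is not a hosted content domain")
    if pkt.proto != "tcp":
        return ("deny", "protocol not permitted")

    # Within-domain rules for the destination customer.
    if pkt.dport in PUBLIC_PORTS:
        return ("allow", "public web service")
    if pkt.dport in UPDATE_PORTS:
        if ipaddress.ip_address(pkt.src) in SUPERUSERS[dst_dom]:
            return ("allow", "content update by recognized superuser")
        return ("deny", "content update from unrecognized host")
    return ("deny", "default deny")


# Constructed sample traffic, one packet per case of interest.
SAMPLE_PACKETS: List[Packet] = [
    Packet("198.51.100.7", "10.1.0.10", 443),   # visitor browsing Company A
    Packet("198.51.100.7", "10.1.0.10", 22),    # visitor trying to update content
    Packet("203.0.113.5", "10.1.0.10", 22),     # Company A superuser updating
    Packet("203.0.113.5", "10.2.0.10", 22),     # A's superuser aiming at Company B
    Packet("10.1.0.10", "10.2.0.10", 80),       # server-to-server across domains
]


def evaluate_all(packets: List[Packet] = SAMPLE_PACKETS) -> List[str]:
    """Decisions for a list of packets, in order."""
    return [evaluate(p)[0] for p in packets]


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p.src, "->", p.dst, p.dport, evaluate(p))
```

The evaluator returns the reason with each decision so that denials can be logged with the rule that fired, which is what a site operator needs when reconciling customer complaints against the policy.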
Other provisioning decisions that need to be considered at
this layer are:
- How many firewalls need to be deployed per content
domain to achieve the required throughput levels
- How many rules need to be applied given the extra
processing overhead that they place
- What level of redundancy is required should a firewall
or its connection fail and how would the failover be
activated, e.g. hot-wire, VRRP, plain old routing or
spanning tree; the method chosen can vary the failover
time from milliseconds for hot-wire techniques, a few
seconds for VRRP, tens of seconds for routing and minutes
for spanning tree techniques
Firewall Egress Policy
This component provides the complementary function of the
ingress policy component above and ensures that outbound
traffic emanating from the content server domains is routed
back through the same firewall path as the corresponding
inbound traffic using the same mechanism employed for the
incoming data stream.
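The ingress and egress policy components together, as an added example that is not Enterasys Xpedition code: the ingress side hashes the low-order bits of the packet's source address modulo the number of parallel firewalls, and the egress side applies the same function to the reply's destination address (the same client), so both directions of a connection cross the same firewall and its stateful context survives. Hashing on the last octet (8 bits), the number of firewalls and the sample client addresses are assumptions; the example also measures how evenly a sample population spreads across the firewalls and how many sessions are remapped when the pool size changes.

```python
"""Symmetric firewall-path selection by address hashing (added example).

select_firewall() is the shared function; ingress applies it to the source
address, egress to the destination address, which yields the same index for
both halves of one client/server exchange.
"""
import ipaddress
from collections import Counter
from typing import Iterable, List

LOW_ORDER_BITS = 8  # assumption: hash on the last octet of the IPv4 address


def select_firewall(client_addr: str, num_firewalls: int,
                    bits: int = LOW_ORDER_BITS) -> int:
    """Index (0 .. num_firewalls-1) of the firewall that serves this client."""
    if num_firewalls < 1:
        raise ValueError("need at least one firewall in the parallel path")
    addr = int(ipaddress.IPv4Address(client_addr))
    low_order = addr & ((1 << bits) - 1)
    return low_order % num_firewalls


def ingress_path(src: str, dst: str, num_firewalls: int) -> int:
    """Inbound request: the client is the source address."""
    return select_firewall(src, num_firewalls)


def egress_path(src: str, dst: str, num_firewalls: int) -> int:
    """Outbound reply: the client is now the destination, so hash that."""
    return select_firewall(dst, num_firewalls)


def paths_are_symmetric(client: str, server: str, num_firewalls: int) -> bool:
    """True when request and reply are steered through the same firewall."""
    inbound = ingress_path(client, server, num_firewalls)
    outbound = egress_path(server, client, num_firewalls)
    return inbound == outbound


def load_distribution(clients: Iterable[str], num_firewalls: int) -> List[int]:
    """How many of the given clients land on each firewall."""
    counts = Counter(select_firewall(c, num_firewalls) for c in clients)
    return [counts.get(i, 0) for i in range(num_firewalls)]


def remapped_fraction(clients: List[str], before: int, after: int) -> float:
    """Fraction of clients whose firewall changes when the pool is resized.

    Sessions in flight on those clients lose their stateful context, which is
    why adding or removing a firewall is not transparent with pure hashing.
    """
    moved = sum(1 for c in clients
                if select_firewall(c, before) != select_firewall(c, after))
    return moved / len(clients)


# Constructed sample: 256 clients filling one /24, four parallel firewalls.
SAMPLE_CLIENTS = [f"198.51.100.{i}" for i in range(256)]

if __name__ == "__main__":
    print("symmetric:", paths_are_symmetric("198.51.100.37", "192.0.2.10", 4))
    print("per-firewall load:", load_distribution(SAMPLE_CLIENTS, 4))
    print("remapped when 4 -> 3:", remapped_fraction(SAMPLE_CLIENTS, 4, 3))
```

The even split in the sample holds only because the constructed clients cover every low-order value; a population where many users sit behind a few NAT gateways concentrates on the firewalls those gateway addresses hash to, which is worth checking with the accounting data before trusting the balance.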
Server Load Balancing Layer
In order to provide fast, reliable response to customer
requests, any content server site needs to replicate both
servers and the content on the servers so that it can handle
problems caused by:
- Hardware failures: a server could fail
- Network failure: the path to a server could be
lost
A Server Load Balancer can provide this function. It
translates a single IP address into a set of IP addresses
depending on various algorithms. It can be as simple as a
round robin load balancer using LSNAT 3 to a system that can
perform more sophisticated balancing algorithms using loading
and responsiveness calculations. It can detect simple
availability of the physical server at the network layer to
more complicated techniques to ensure the availability of the
content application software to ensure that a transaction is
likely to be properly processed before it is forwarded to the
server.
The main functions of this layer are:
- To present a single IP address for a group of content
servers
- To balance traffic across the set of available web
servers using a variety of scheduling algorithms
- To detect failure of a server and remove it from the
list of available servers
- To ensure content application software is properly
functioning
- To provide redundancy and failover using either
hot-wire, VRRP, routing or bridging techniques
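The load balancing functions listed above, as an added example that is not BIG/ip or Xpedition code: one virtual IP fronts a pool of real servers, requests are scheduled by round robin, weighted round robin or least loaded, and a health check that combines network-layer reachability with an application-layer check removes a failed server from the pool and returns it when the check passes again. The server addresses, weights and the probe results are constructed for the example.

```python
"""Server load balancer front end (added example, not vendor code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class RealServer:
    addr: str
    weight: int = 1
    active_conns: int = 0
    host_up: bool = True   # network-layer reachability (e.g. ping/ARP answered)
    app_ok: bool = True    # application check (e.g. HTTP GET /health returned 200)

    @property
    def healthy(self) -> bool:
        return self.host_up and self.app_ok


class LoadBalancer:
    def __init__(self, vip: str, servers: List[RealServer],
                 algorithm: str = "round_robin"):
        self.vip = vip
        self.servers = list(servers)
        self.algorithm = algorithm
        self._rr_index = 0
        self._wrr_credit: Dict[str, int] = {s.addr: 0 for s in self.servers}

    def available(self) -> List[RealServer]:
        """Servers that passed both the host and the application check."""
        return [s for s in self.servers if s.healthy]

    def health_check(self, probe: Callable[[RealServer], Tuple[bool, bool]]) -> List[str]:
        """Run probe(server) -> (host_up, app_ok) on every server; return the
        addresses still in service afterwards."""
        for s in self.servers:
            s.host_up, s.app_ok = probe(s)
        return [s.addr for s in self.available()]

    def select(self) -> str:
        """Pick a real server for a new connection to the VIP."""
        pool = self.available()
        if not pool:
            raise RuntimeError(f"no healthy server behind {self.vip}")
        if self.algorithm == "round_robin":
            chosen = pool[self._rr_index % len(pool)]
            self._rr_index += 1
        elif self.algorithm == "weighted_round_robin":
            # Smooth weighted round robin: every server earns its weight in
            # credit each round, the richest is picked and pays the total.
            for s in pool:
                self._wrr_credit[s.addr] += s.weight
            chosen = max(pool, key=lambda s: self._wrr_credit[s.addr])
            self._wrr_credit[chosen.addr] -= sum(s.weight for s in pool)
        elif self.algorithm == "least_loaded":
            chosen = min(pool, key=lambda s: s.active_conns)
        else:
            raise ValueError(f"unknown algorithm {self.algorithm!r}")
        chosen.active_conns += 1
        return chosen.addr

    def translate(self, client: str, dport: int = 80) -> dict:
        """LSNAT-style rewrite: the client's connection to the VIP is sent
        to the chosen real server address."""
        return {"client": client, "vip": self.vip,
                "real": self.select(), "dport": dport}


def make_pool() -> List[RealServer]:
    """Constructed sample pool: one large server and two smaller ones."""
    return [RealServer("10.1.0.11", weight=3),
            RealServer("10.1.0.12", weight=1),
            RealServer("10.1.0.13", weight=1)]


if __name__ == "__main__":
    lb = LoadBalancer("192.0.2.1", make_pool(), "weighted_round_robin")
    print([lb.select() for _ in range(5)])
    # Simulate the application check failing on one server.
    print(lb.health_check(lambda s: (True, s.addr != "10.1.0.12")))
    print(lb.translate("198.51.100.7", 443))
```

Because `available()` is recomputed on every selection, a server dropped by the health check is excluded immediately and reappears as soon as a later probe passes; nothing else in the scheduler needs to know about the change.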
Though these functions have traditionally been provided in
a specialized platform, more and more switching vendors are
incorporating these functions into their high-performance
routing/switches to provide greater functionality and reduce
the number of boxes required. In the future, this layer will
most likely collapse down into the following layer in terms of
product implementation.
Content Server Layer
This comprises one or more content domains relating to the
hosted customers or to particular content services provided by
individual customers. For instance, a customer may wish to
have different provisioning for web browsing versus e-commerce
applications to ensure that priority is always given to paying
customers.
To achieve the levels of performance demanded by today's
multiprocessor-based server engines, high-speed switching
techniques are needed based on either 100 Mbps or 1000 Mbps
Ethernet LANs. If the processing capability of the content
server allows, even higher aggregate bandwidth speeds can be
obtained combining multiple LAN connections into a single
aggregated pipe using techniques such as Enterasys's SmartTrunking
or Sun Microsystems' SunTrunking. To provide further security,
and also to reduce the proliferation of broadcast traffic
between the servers, VLAN techniques such as IEEE 802.1Q may
be appropriate at this layer.
Functions performed at this layer include:
- High-speed switching of data to individual content
server platforms
- Optional trunking of switch connections to linearly
increase bandwidth to high-performance content servers
- Use of VLANs to further de-aggregate traffic and segment
LAN connections to reduce the overhead of broadcast
traffic and to provide further security domains if
required
Sample Content Hosting Implementation
An example of a content hosting implementation is shown in Figure
3. This shows all the layers discussed implemented as
discrete components. For implementations that have lower
performance or redundancy requirements, some of these discrete
functions can be collapsed into single components implementing
multiple functions as shown later in this paper.
Enterasys's Content Provisioning Solutions
Enterasys provides flexible solutions that deliver high
performance and availability, and improve your responsiveness
to new market opportunities. Our industry-leading products
work together to form a cohesive, scalable solution that helps
you take advantage of new revenue opportunities while ensuring
that you are able to meet your customers' ever-growing
demands.
Xpedition
Enterasys's Xpeditions combine wire-speed performance,
pinpoint control and superior routing capacity in one
award-winning device. Equally important, the Xpedition
provides seamless interoperability with previous generations
of networking equipment, protecting customers' investments.
In addition to Layer 2 switching and full-function,
wire-speed routing, the Xpedition's unique ability to switch
Layer 4 application flows extends its functionality well
beyond the boundaries of traditional routers. This advanced
capability provides pinpoint control of network traffic
through extensive security, port-level accounting and
comprehensive quality of service—all at the application
level, and all without sacrificing wire-speed performance.
Internet Appliance
Enterasys's Internet Appliances are specially packaged
Xpedition configurations designed for small to medium content
hosting applications. They support web-cache redirection, flow
rate limiting and LSNAT load balancing algorithms including
round-robin, weighted round-robin and least-loaded. They are
available in various packages supporting a combination of 100
Mbps and Gigabit Ethernet connections, and are ideal for small
to medium hosting sites that need to reduce the number of
individual platforms without reducing the performance
achieved.
BIG/ip Server Load Balancer
The BIG/ip Server Load Balancer is a unique,
high-availability, intelligent, load-balancing device designed
for the high transaction overheads and sophisticated
application performance parameters of a large content hosting
data center. Situated between the firewalls and content server
domains, the load balancing systems continually monitor each
of the content servers to ensure that they are available and
performing correctly, and then automatically route incoming
Internet and intranet service requests to the most available
server. Up to 255 physical servers can be configured behind
the BIG/ip, and external users only see specified IP addresses
for HTTP and other network services.
Enterasys's BIG/ip intelligently manages and distributes
Internet, intranet and extranet user requests across redundant
arrays of network servers, regardless of platform type or
combination. It supports a wide variety of network
applications and traffic to provide high availability for
end-user connections.
Nokia Firewalls
Enterasys and Nokia offer a comprehensive line of products
for Internet security applications to deliver an unprecedented
solution for Internet access and virtual private networking.
The fully integrated router/firewall solution introduces a
new level of simplicity in deploying firewalls and VPNs.
Additionally, Nokia supports true high availability through
the combination of the Virtual Router Redundancy Protocol (VRRP)
and Check Point Firewall-1 synchronization.
Flow Accounting Server/Enterasys Traffic Accountant
The Flow Accounting Server comprises software that collects
traffic data from an Xpedition using LFAP 4 messages. Multiple
boxes can be configured for redundancy and load sharing. The
Xpeditions that collect the traffic data can be configured
with primary and secondary Flow Accounting Server addresses.
If the primary is unavailable, then the secondary can be used.
The Flow Accounting software runs on a Sun Microsystems
UltraSPARC workstation and provides raw data which can be
processed into reports by the Enterasys Traffic Accountant, a
Windows NT-based application that runs on a Pentium-class
processor and produces reports based on an analysis of the
application flows collected by the Xpedition.
Enterasys's Solution Advantages 
- High availability and fault tolerance, plus
hardware-based load balancing with VRRP
- Service enabling with per application or user QoS, as
well as Rate Limiting and Access Control
- Policy-based routing for directing flows through correct
firewall to maintain stateful inspection context
- Comprehensive, high-availability functionality including
extended content verification, extended application
verification
- Secure access and protection of sensitive resources
- Traffic accounting for billing and capacity planning
- Technology independent—10/100/1000 Ethernet, POS, ATM
- Non-stop server availability with built-in redundancy
- Transparent web caching, advanced traffic engineering
- SPECTRUM management with support for SNMP, RMON and RMON
II
- Flow Accounting with billing application
Enterasys's hosting solutions bring together the
award-winning and performance-leading Xpedition; the unmatched
security of Nokia/Check Point firewalls; and the sophisticated
BIG/ip local and distributed server load balancer products.
These solutions provide the industry's best response for
customers demanding guaranteed throughput and secure access to
their content servers. In addition, Enterasys's content
hosting solutions provide the following benefits:
- Reduced cost of ownership and complexity by deploying
appropriate and secure access to applications.
Enterasys's solution leverages extensive traffic filtering
and multilayer access control lists, as well as an
integrated firewall for secure access serving internal
and external users. This not only protects your customers
against unauthorized access, but also reduces the costs
associated with external network attacks or internal
misuse of server and network resources. It also allows IT
managers to identify devices, protocols, or even
applications that should be limited or controlled.
- Server application customization via Layer 4 control
capabilities. Enterasys's hosting solutions provide
end-to-end Layer 4 capabilities, allowing users to set up
applications on a subset of the server array. This enables
server arrays to be customized to meet business needs
without technological restraints. Applications do not need
to be loaded on all servers, reducing the cost of software
licenses and guaranteeing network responsiveness during
peak loads.
- No technology limits. Enterasys's hosting
solutions incorporate the Xpedition, a true multilayer,
wire-speed Gigabit Ethernet switching device that
eliminates the threat of network bottlenecks and allows
the network to scale to meet growing demands. In addition,
the solution reduces costs by providing both LAN and WAN
technologies in a single chassis.
- With server farms creating a central traffic flow on the
enterprise, the need for extensive accounting and
monitoring becomes much greater. Enterasys's hosting
solutions allow for intelligent capacity planning, reduced
costs through forward-thinking management, and increased
revenues through accurate billing models.
The solution's high availability ensures that customers
will be able to access the information or service they want 24
hours a day, seven days a week. In addition, content
verification and full-featured load balancing provide
unparalleled quality of service to administrators and users.
Enterasys's content hosting solutions add scalability and
security over and above basic routing and caching
functionality. These techniques reduce workload, increase
server performance and are the cornerstone to maximizing the
usefulness of content servers.