Jason Needham, a product manager at F5 Networks, says the network is also a good place for user authentication and authorization. “If I’m a financial institution, it’s OK to do authorization at the application server. But wouldn’t I rather block unauthorized users before they get to the door?”
The proliferation of XML and SOA promises to magnify both performance and security issues. XML is verbose and costly to parse, and it brings security issues of its own. In fact, Cisco, HP, and vendors of network-based XML acceleration and security devices, such as Sarvega and Reactivity, will tell you that the network could offload much of the XML processing, translation, and security work from beleaguered servers. It could even take over some of the classic application- and data-integration burden.
A New Networking Direction
The move toward network intelligence is coming from two directions: the established giants are leading the charge along one path, while specialty vendors are advancing along another.
HP’s Brice Clark describes his company’s ProCurve Adaptive EDGE architecture as a two-pronged approach. “You start with intelligence at the edge, where it needs to be located to support mobility and next-generation applications. Command comes from the center, configuring the network continuously on the fly based on the identity of the user, the application, the connection, and the device.”
The ProCurve IDM (Identity Driven Manager) is unique to HP’s line. It enables the application of security, access control, QoS, VLAN enrollment, and performance settings based on the authenticated user or group of users, including their locations, the time of day, and other factors. HP has also incorporated optional intelligent capabilities for its ProCurve 5300 series switches, including WLAN client authentication, WLAN access-point-to-access-point connection handoff, virus throttling, and encryption — features that were formerly offered only in dedicated WLAN switches.
Clark says the next step will likely be deeper packet inspection to recognize applications and apply policies accordingly, even triggering packet-processing applications hosted in the switch, based on the user, device, or application.
“You can transcode a video stream for a PDA on the switch, rather than at the server, or encrypt a financial transaction,” Clark says. “The network is good at packet processing. Servers and operating systems aren’t.”
Cisco, on the other hand, has announced a three- to five-year plan for what it calls Application-Oriented Networking. Later this year, the company plans to provide AON blades for its Catalyst data-center switches, as well as branch office routers that can actually read application-to-application messages (such as purchase orders) and route them intelligently according to predefined policies. So, for example, a $50 order could be routed to a different server or get a different quality of service than a multimillion-dollar order would.
AON blades will also be able to take on much of the integration and translation normally performed by application middleware, thanks to partnerships with integration players like TIBCO Software and IBM, as well as integrated XML processing, translation, and security functions.
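To make the content-based routing described above concrete, here is an added illustration written for this page; it is not Cisco AON code or anything from the vendors named. It parses a purchase-order message, reads the order total, and applies an ordered, predefined policy to pick a destination pool and a QoS class, refusing anything it cannot classify. The message schema (`PurchaseOrder`/`Total`), the thresholds, the pool and QoS names, and the rule that rejects any message carrying a DTD are all assumptions of this example.

```python
"""Content-aware routing of XML purchase orders (added example, not AON code).

Assumptions of this example: the message schema, the policy thresholds,
the destination/QoS names, and the DTD-rejection rule.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation


@dataclass(frozen=True)
class Route:
    destination: str  # assumed back-end pool name
    qos_class: str    # assumed QoS marking label


# Ordered policy: the first rule whose threshold the order total reaches wins.
# Thresholds are hypothetical; the article only contrasts a $50 order with a
# multimillion-dollar one.
POLICY = [
    (Decimal("1000000"), Route("order-core-ha", "gold")),
    (Decimal("10000"), Route("order-core", "silver")),
    (Decimal("0"), Route("order-bulk", "bronze")),
]


class RejectMessage(Exception):
    """Raised when a message must not be forwarded (fail closed)."""


def order_total(xml_bytes: bytes) -> Decimal:
    """Extract the order total, rejecting anything malformed or unexpected."""
    # Conservative check (an assumption of this example): refuse any message
    # that carries a DTD, so the router never expands entities for a sender.
    head = xml_bytes[:512].lower()
    if b"<!doctype" in head or b"<!entity" in head:
        raise RejectMessage("DTD not allowed in purchase orders")
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        raise RejectMessage(f"malformed XML: {exc}") from exc
    if root.tag != "PurchaseOrder":
        raise RejectMessage(f"unexpected root element {root.tag!r}")
    total_el = root.find("Total")
    if total_el is None or not (total_el.text or "").strip():
        raise RejectMessage("missing <Total>")
    try:
        total = Decimal(total_el.text.strip())
    except InvalidOperation as exc:
        raise RejectMessage("non-numeric <Total>") from exc
    if total < 0:
        raise RejectMessage("negative <Total>")
    return total


def route_order(xml_bytes: bytes) -> Route:
    """Apply the ordered policy to the message and return the chosen route."""
    total = order_total(xml_bytes)
    for threshold, route in POLICY:
        if total >= threshold:
            return route
    raise RejectMessage("no matching policy")  # unreachable with a 0 floor


def rejected(xml_bytes: bytes) -> bool:
    """True when the router refuses to forward the message."""
    try:
        route_order(xml_bytes)
    except RejectMessage:
        return True
    return False


# Constructed sample messages, not captured traffic.
SMALL_ORDER = b"<PurchaseOrder><Id>1001</Id><Total>50.00</Total></PurchaseOrder>"
BIG_ORDER = b"<PurchaseOrder><Id>1002</Id><Total>2500000</Total></PurchaseOrder>"
DTD_ORDER = (b'<?xml version="1.0"?><!DOCTYPE PurchaseOrder [<!ENTITY e "x">]>'
             b"<PurchaseOrder><Total>50</Total></PurchaseOrder>")

if __name__ == "__main__":
    for msg in (SMALL_ORDER, BIG_ORDER, DTD_ORDER):
        try:
            print(route_order(msg))
        except RejectMessage as err:
            print("rejected:", err)
```

The policy is evaluated in order and the router fails closed: a message it cannot parse, that lacks a total, or that carries a DTD is dropped rather than sent down a default path. A real device would additionally authenticate the sender before trusting any field in the message for routing decisions.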