Living on the edge

Edge appliances fill the gap between resource restrictions and plans for future growth

Given today’s shortage of IT resources, the demand for self-sufficient technology is becoming an industrywide rallying cry.

Frustrated by the limited scalability of software but not flush enough to throw money at their problems, enterprises are turning to edge appliances. In the edge appliance, companies are finding the easily managed, low-cost alternative they need.

Edge appliances — devices that offer specialized functionality at the edge of a network — were initially conceived of as hardware alternatives to running software on servers. The increasing complexity of today’s datacenter, however, has spurred edge-appliance vendors to push the concept further. Edge appliances now seek to accommodate ever-changing security requirements, the influx of XML data, and the emergence of a single network carrying voice, data, video, and even storage traffic. Customers have responded to the evolution of the edge appliance concept by increasing their demands for performance, ease of maintenance, and scalability.

Given their black-box design, edge appliances can be placed exactly where they are needed, allowing them to tackle a wide range of enterprise issues, including security access, performance enhancement, and traffic and storage management. Edge appliances are often specialized to perform a single function, making them easy to manage. Because they use ASICs, they perform better than software run on general-purpose CPUs.

The trick is to figure out how much an edge appliance can handle before it becomes more of a server than an appliance. Edge-appliance vendors must walk the fine line between simplicity and functionality when gearing their wares to fit customer needs. Adding intelligence is a future goal for many vendors, but they must be careful not to make their appliances too complex, thereby undercutting a key customer value.

Scot Klimke, CIO of Network Appliance, notes that the rise of edge appliances was natural, given software's limitations in solving problems such as load balancing, firewall maintenance, and caching. According to Klimke, when an enterprise datacenter grows beyond a certain threshold, software is overburdened and performance sags under the load.

But where software comes up short, edge appliances continue to evolve to handle more types of functions -- and enterprises have noticed, says Klimke. “The appliances are getting cheaper, and easier to manage and deploy. They are like Cisco routers for the masses. They can be used and run without a Ph.D. in computer science.”

Speed, performance, and management

For many enterprises, the greatest benefit of edge appliances is the enhancement of performance and security. Both functions are critical building blocks for the enterprise, but they often require two things currently in short supply: money and expertise. Dropping an appliance at the network edge puts the specific technology in place where it’s needed most.

Because edge appliances can be placed where vulnerabilities first come to light, security is the hottest market in the edge appliance space. Indeed, 54 percent of InfoWorld CTO Network Survey respondents say a security appliance would be their first choice if buying an edge appliance today.

Todd Bowersox, Web application manager at Agile Software, used security appliances to ensure that his company’s Web-based applications were running properly and securely. For the protection plan, Bowersox chose an appliance from Teros, in Santa Clara, Calif. The Teros 100 Application Protection System Version 2.0 learns the acceptable behaviors of a Web-based application and then uses this intelligence to protect against attacks.

"Initially we didn't want to buy an appliance" because of complexity concerns, says Bowersox. "However, when you get software, you are faced with an administration headache when you load it onto six or more servers."

Bowersox notes that although Agile could have done the security plan themselves, Agile’s vice president of IT told him “not to cut any corners.” So the Teros appliance’s pure-security focus was a good fit.

Teros is one company that is addressing the relatively new area of application security. Yet applications aren't the only place security appliances are headed. Startup ReefEdge has developed an appliance that allows enterprises to create and manage user accounts and security policies for 802.11-based LANs. Also addressing wireless networks is AirDefense, which recently released an appliance that plugs into a network and finds rogue access points within an enterprise. A rogue access point is a wireless access point that an employee, for example, purchases and plugs into a corporate network to give themselves unapproved wireless access. Such an access point is rarely in sync with company security policies and is therefore open to security threats.

Solving performance problems also gives edge appliances an opportunity to shine. Because they can examine traffic patterns and inspect packets directly, edge appliances can substantially streamline traffic flow.

And with the greater use of XML to create more robust applications, enterprises are quickly finding that the new code eats up lots of processing power and cycles. The same is true of SSL. With greater emphasis on Web transactions, SSL sessions are growing too burdensome for servers. Offloading those functions to a dedicated device frees servers up to do their jobs. Offloading these redundant processing duties to a separate edge appliance is also more cost-effective.

Jeff Lamb, CTO of Leader Technology, looked for this benefit of reduced server strain when designing a solution to process the copious amount of XML used by the company’s applications. Lamb purchased DataPower Technology’s XA35 XML Accelerator to handle XML processing for the Web-based conference-call company.

“We found that the cost of generic Linux boxes over time adds up,” Lamb explains. “We have expertise in house; so [at first] it was hard to justify the cost for our environment. But the project we’re working on is going to drive us to the point where the cost of the [edge] device is justified.”

There is a side benefit as well: Edge accelerators and traffic appliances can scale more easily than larger servers can, a fact not lost on chief technologists. Keith Dale, vice president of global operations at GetThere, which provides software used by travel agencies, says this was a major factor in his decision to purchase an edge appliance rather than allocate server resources to sort traffic.

"If we're requiring a box to handle a lot of traffic, then we need to see how scalable that solution is," Dale explains. He estimates his company will experience 80 percent growth this year. "Hardware appliances scale much more predictably than software solutions."

GetThere deployed a NetScaler Request Switch 9000 to terminate SSL, with the goal of deploying a technology that could handle 10 times more connections than the company's previous combined hardware and software approach could.

Dale adds that throwing another server at the problem would only have caused another management headache: The more servers you have, the more changes need to be made as something in the network dictates a change. Instead the edge appliance performs the task with room to spare.

"We chose NetScaler to do our load balancing for the next three years," Dale says. "Our average utilization is 8 percent, so we have a lot of headroom to sustain our growth."

Balancing act

Indeed, edge appliances are getting more attention from enterprises -- and vendors seeking a share of scarce budget dollars -- because they offer a possible solution to today’s most pressing IT question: How do you operate within the narrow band of today’s technology budget while at the same time establishing room for, hopefully positive, future changes?

Fast Petroleum, which operates 45 convenience stores in Georgia and Tennessee, installed 41 SonicWall security appliances in its stores after the slow performance of the company’s security software began posing a problem. Similar to many other edge appliances, the SonicWall SOHO (Small Office Home Office) 3 Internet security appliance that Fast Petroleum deployed is built on top of an ASIC designed to perform security functions only. This specialization accounts for the marked improvement in performance that an ASIC can provide when compared with general-purpose processors.

Despite the immediate performance gains, the company’s decision was based primarily on future needs, according to Danny Norris, controller at Fast Petroleum.

"Software just isn't fast enough and does not provide the reliability you get in hardware," explains Norris. "Today we use the VPN to transfer accounting data back to our headquarters. But looking to the future, we may use the extra speed for credit card transactions or scanning in our stores."

Adding more intelligence to edge appliances is one way to increase their future potential. But even as edge appliances capture more of the spotlight, their changing identity is sparking a debate as to where the appliance ends and where the switch begins.

"This is the debate in IT circles today," Network Appliance’s Klimke says. "At what point do you combine a lot of functionality, and when do you keep it separate?"

This is an important debate for future edge appliances -- too many functions on a single appliance will get you back where many started, with a server that was asked to do too much. However, vendors find that it is customers who are asking for more functionality in their appliances, perhaps seeking a happy medium between single-task box and full-force server.

Devices from Sarvega and NetScaler are two examples that walk that line. Both combine a number of features dedicated to different tasks; Sarvega's switch performs XML parsing and translation but also terminates SSL, freeing up servers to serve rather than process the SSL. NetScaler’s device also terminates XML but primarily performs load balancing for applications. A new appliance from Radware pushes the edge application identity even further: It becomes something of an appliance platform, allowing users to customize its software to the task at hand.

In the end, no matter how complex, the strength of edge appliances lies in their ability to focus on one or two tasks and to deliver the goods. John Chirapurath, vice president of marketing at Sarvega, explains it best: "At some point, subsuming functionality does not make sense," he says. "A device manufacturer needs to look at what network layer it operates at and then decide what other functions at that layer can be drawn in."

Copyright © 2003 IDG Communications, Inc.