BIG-IP
There are 99 entries for the tag BIG-IP
Is it Linux? Is it third-party? Is it proprietary? Isn’t #vcmp just a #virtualization platform? Just what is inside an F5 BIG-IP that makes it go vroom? Over the years I’ve seen some pretty wild claims about what, exactly, is “inside” a BIG-IP that makes it go. I’ve read articles that claim it’s Linux, that it’s based on Linux, that it’s voodoo magic. I’ve heard competitors make up information about just about every F5 technology – TMOS, vCMP, iRules – that enables a BIG-IP to do what it does. There are two sources of...
I get by with a little help from my friends… While cloud and virtualization primarily focus on improving the provisioning process, there is a lot more to managing a data center and its critical components than just deployment. There’s upgrades – both software and hardware – and migration to new solutions as well as tweaking knobs and buttons to optimize and troubleshoot issues. While public cloud computing may alleviate much of the pain associated with forward movement, private and hybrid environments as well as traditional data center models must face the reality of dealing with these...
#adcfw #infosec F5 is changing the game on security by unifying it at the application and service delivery layer. Over the past few years we’ve seen firewalls fail repeatedly. We’ve seen business disrupted, security thwarted, and reputations damaged by the failure of the very devices meant to prevent such catastrophes from happening. These failures have been caused by a change in tactics from invaders who seek no longer to find away through or over the walls, but who simply batter it down instead. A combination of traditional attacks – network-layer – and modern attacks – application-layer – have...
#mobile #vdi #infosec Scale and flexibility make SSL VPN an important part of any corporate remote access strategy You might have noticed a couple of news items from F5 this week that appeared related. If you noticed you were right, they are. First, we were very excited to announce recognition of our hard work on our SSL VPN solutions: F5 Positioned in Leaders Quadrant of SSL VPN Magic Quadrant. Second, we were even more excited to announce adding industry-leading support for Android’s 4.x OS, enhancing its SSL VPN capabilities. Why would be...
Domain sharding is a well-known practice to improve application performance – and you can implement automatically without modifying your applications today. If you’re a web developer, especially one that deals with AJAX or is responsible for page optimization (aka “Make It Faster or Else”), then you’re likely familiar with the technique of domain sharding, if not the specific terminology. For those who aren’t familiar with the technique (or the term), domain sharding is a well-known practice used to trick browsers into opening many more connections with a server than is allowed by default. This...
Being too quick to shout “cloud” when the solution may be found elsewhere can lead to unintended consequences. As with all technology caught up in the hype cycle, cloud computing is often attributed with being “the solution” to problems irrespective of reality. Cloud is suddenly endowed with supernatural powers, able to solve every business and operational challenge merely by being what it is. Take, for example, the attribution of cloud as being “the solution” to the very real issue of severe snow in the UK. Cloud solutions can...
The THC #SSL #DoS tool exploits the rapid resource consumption nature of the handshake required to establish a secure session using SSL.
A new attack tool was announced this week and continues to follow in the footsteps of resource exhaustion as a means to achieve a DoS against target sites.
Recent trends in attacks show an increasing interest in maximizing effect while minimizing effort. This means a move away from traditional denial of service attacks that focus on overwhelming sites with traffic and toward attacks that focus on rapidly consuming resources, instead. Both have the same ultimate goal: overwhelming infrastructure,...
Sometimes mitigating operational risk is all about the hardware. MTBF. Mean Time Between Failure. An important piece of this often-used but rarely examined acronym is the definition of “mean”: The quotient of the sum of several quantities and their number; an average An average. That means just as many folks experienced failure later than the value as did earlier. And it is the earlier that is particularly troublesome when it comes to the data center. Customers replace disk drives at rates far higher than those suggested...
#iApp #v11 If you were wondering what these three things have to do with F5, read on … What has a strange sense of humor, an unhealthy love of bacon and donuts, and has held a wide variety IT roles and responsibilities for a whole lot of years? If you were said “the F5 Product Management Engineering team” give yourself a cookie (or better yet some bacon). The question is, why should you care? To understand that, you first have to understand the role that “PME” has within F5. Many of...
#vmware An infrastructure architecture that overcomes VMware View concurrency limitations Sheer volume and geographically disparate deployment of VMware View pods can result in a confusing array of locations from which users must choose to find their preferred desktop. Currently, View deployments are called “pods” and each is limited to a maximum 10,000 concurrent users. That may seem an unlikely upper limit to hit, but there are organizations for which that number is an issue. Every additional 10,000 concurrent users requires a unique supporting infrastructure along with a unique endpoint – an URL – to...
#v11 ScaleN breaks out of the traditional infrastructure scalability mold We previously introduced ScaleN but we didn’t really dig into how it’s enabled, other than to mention it’s been made possible in part by leveraging F5’s vCMP (virtual Clustered Multi-Processing) technology, which puts the “virtual” in “virtual networking.” The basic premise of infrastructure scalability is that if the component providing the scalability fails, well, the service for which it provides HA fails. That’s not good. So it was that HA architectures employing a variety of models came about to ensure that such a scenario...
#v11 DNS remains one of the most critical – and necessarily public – services within the data center. Neglect its security at your own peril…. DNS is still like your mom. Too often underappreciated and taken for granted, DNS – like many network and infrastructure services – is largely ignored until there’s a problem. Unfortunately for critical services like DNS, firewall, and load balancing, by the time there’s a problem there’s a PROBLEM. It’s important to not only actively manage DNS today, but actively protect it, too. After all, it is the primary means by...
#v11 Say hello to DNS Express You may recall we recently expounded upon the need for the next generation of infrastructure to provide more protection of critical DNS services. This is particularly important given recent research on behalf of Versign that found “60% of respondents rely on their websites for at least 25% of their annual revenue.” Combined with findings that DDoS attacks, DNS failures and attackers comprised 65% of unplanned downtime in the past year, the financial impact on organizations is staggering. We also described the most popular solution today, DNS caching, and...
#v11 #iApp #devops Bring dev and ops closer together to enable IT as a Service and repeatable, consistent application deployments. The overriding theme of BIG-IP v11 is its focus on applications. From security to availability to management to resiliency, this release is focused on applications. Its revolutionary approach to application services offer immediate and future operational benefits by taking another step toward a dynamic data center. iApp is a feature name for what are fundamentally programmable application templates. These templates make simple user interfaces for complex system configurations. The minimal UI requirements are defined from the...
#v11 #vcmp #scaleN #iApp It’s time to bring the benefits of server virtualization, rapid provisioning and efficient, flexible scalability models to the network. Many of you know I’m a developer by trade and gained my networking stripes after joining Network Computing Magazine around the turn of the century. I focused heavily on application-centric solutions (sometimes much to my chagrin; consider evaluating ERP solutions for a moment and I’m sure you’ll understand why) but I was also tasked with reviewing networking solutions. In particular, the realm of load balancing and application delivery fell squarely to me for...
Pop Quiz: In recent weeks, which of the following attack vectors have been successfully used to breach major corporation security? (choose all that apply) Phishing Parameter tampering SQL Injection DDoS SlowLoris Data leakage If you selected them all, give yourself a cookie because you’re absolutely right. All six of these attacks have successfully been used recently, resulting in breaches across the globe: International Monetary Fund US Government – Senate CIA Citibank ...
Mobile users feel the need …. the need for spe- please wait. Loading… We spent the week, like many other folks, at O’Reilly’s Velocity Conference 2011 – a conference dedicated to speed, of web sites, that is. This year the conference organizers added a new track called Mobile Performance. With the consumerization of IT ongoing and the explosion of managed and unmanaged devices allowing ever-increasing amounts of time “connected” to enterprise applications and services, mobile performance – if it isn’t already – will surely become an issue in the next few years. The adoption...
It’s not enough to have a strategic point of control; you’ve got to use it, too. One of the primary threats to the positive operational posture of an organization is that of extremely heavy load. Whether it’s from a concerted effort to take down the site (DDoS) or simply an unanticipated flood of legitimate users is really not as important to today’s discussion as understanding the impact both can have not just on your applications, but on their supporting infrastructure. You know, the network “stuff” that sits between the client and your applications, defending...
Of course not, because sometimes it is about the hardware. If the rise of Massively multiplayer online role-playing game (MMORPG) like WoW (World of Warcraft) taught us anything it's the lag kills. What we technically know as latency is known to the PC gaming community as "lag". It's the time between hitting a key to take an action and that action actually being taken. Network latency is a Very Bad Thing™ for real-time online games in which other people are counting on you to blast your opponents. Failure to do so in a timely fashion can...
Desktops aren’t GPS-enabled but don’t let that stop you from providing hyperlocal information to all your fans. IMAGE from macmillan buzzword dictionary Two people are sitting in an Internet-enabled café. Let’s call the café Starbucks. One of them is using an iPhone or iPad while having a Hoffachino to find out what’s going on in the area. One of them is using a laptop to do the same. One of these two people is likely to get more accurate responses with less work. Which one is it? ...
Because ‘big data’ isn’t just a problem for data at rest, it’s a problem for data being transferred.
Remember when we talked about operational risk comprising more than security? One of the three core components of operational risk is availability which is defined differently based not only the vertical industry you serve but also on the business goals of the application. This includes disaster recovery goals, among which off-site backups are often used as a means to address the availability of data for critical applications in the event of a disaster.
Data grows, it rarely shrinks, and operational tasks...
Migration is not going to happen overnight and it’s going to require simultaneous support for both IPv4 and IPv6 until both sides of the equation are ready.
Making the switch from IPv4 to IPv6 is not a task anyone with any significant investment in infrastructure wants to undertake. The reliance on IP addresses of infrastructure to control, secure, route, and track everything from simple network housekeeping to complying with complex governmental regulations makes it difficult to simply “flick a switch” and move from the old form of addressing (IPv4) to the new (IPv6). This reliance is spread up and...
Mobile users. cloud computing . End-runs around IT security by developers. The trend has always existed, it’s just speeding up now. IT needs to take back control – and fast. But first IT needs the tools with which to do that…
Let’s ignore the horrible acting by Kevin Costner in “Robin Hood: Prince of Thieves” (I personally prefer Russell Crowe in the 2010 version but that’s me and unfortunately they cover two different periods of Robin Hood’s legendary life so we’re stuck with the lesser version) and let’s just focus on a couple key lines/concepts that are relevant to the...
The consumerization of IT is well underway. Supporting secure remote access via what are traditionally “consumer” gadgets is a must. In the days when Web 2.0 was forcing its way into IT along with the Millennials the warning went out to IT: either you adopt the technology or you’ll lose control because youngins’ are going to bring it with them whether you like it or not. Since that time the “adopt or else” mantra has been one that IT has had to deal with regarding technology in general. cloud computing , consumer...
It’s not just having partnerships, it’s what you do with them that makes a difference When you’re an application delivery focused organization it kind of behooves you to focus on, well, applications. But since you don’t actually develop the applications yourself, how do you ensure that the policies and solutions you do develop are going to actually work and provide value for those applications? You could adopt an “on the job training” style policy, where you figure out the best configuration and options as you encounter applications, but that may not...
Modern DoS attacks are distributed, diverse and cross the chasm that divides network components from application infrastructure. A unified application delivery platform with multi-layer visibility is the best way to detect and mitigate multi-layer attacks.
The WikiLeaks attacks have taught us that information security strategies must evolve to keep up with the ever-changing attack vectors leveraged against web applications and web sites across the Internet. It’s no longer enough to protect against attack X or Y; it’s now necessary to protect against both – simultaneously.
Because of the role F5 BIG-IP solutions play in application delivery...
F5 introduces its Service Delivery Network to help service providers weather the storm. If you haven’t seen the video “Everything’s amazing, nobody’s happy” (Louis CK) go ahead and check it out. You won’t regret it, trust me. Especially the section where he’s talking about the impact of the need for instant gratification via mobile connectivity. Seriously. We’ve all done the same thing – complained, griped, and probably called our service provider names because an application or web site didn’t respond immediately. As in sub-second response time. Even though many of us are technically...
Improving the availability, performance, and security of Microsoft Lync Server 2010 with F5 BIG-IP
The word “consolidation” generally brings to mind these days a reduction in physical equipment, whether that physical equipment be servers or infrastructure. But consolidation can – and does – also refer to the bringing together of similar technologies in software to provide a unified system that better supports integration across similar functions.
It is the latter definition that has become common of late in the communications space, with providers and ISVs alike consolidating and unifying the communication and collaboration experience not only across functions but...
Rackspace steps up to the plate with a new hybrid architectural solution. Earlier this year we talked about the “other” hybrid architecture; the one that lives out there, in the cloud, but that combines two different deployment models: applications deployed on co-located servers that are imbued with elasticity by taking advantage of the same provider’s cloud computing offering. Throughout the year I’ve posited (nearly harped upon) the reality that because most organizations are not greenfields, hybrid architectures will be the norm. This is especially true with applications that have consistent...
“When crypto breaks, it usually breaks badly.” – Dennis Fisher, ThreatPost One of the most frustrating occurrences in information security is to discover that the security systems and technology being leveraged to protect applications and data is flawed: that it, itself, is vulnerable to attack and exploitation. This is particularly true in the cryptography realm, because as Dennis Fisher pointed out, when “crypto breaks, it usually breaks badly.” The “padding oracle” exploit is not, as the name implies, an attack on Oracle products. It is unfortunate for Oracle (as it has been for...
Web 2.0 is about sharing content – user generated content. How do you enable that kind of collaboration without opening yourself up to the risk of infection? Turns out developers and administrators have a couple options…
The goal of many a miscreant is to get files onto your boxen. The second step after that is often remote execution or merely the hopes that someone else will look at/execute the file and spread chaos (and viruses) across your internal network. It’s a malicious intent, to be sure, and makes developing/deploying Web 2.0 applications a risky proposition. After all, Web 2.0...
Eliminating the overhead associated with active health checks without sacrificing availability
One of the core benefits of cloud computing and application delivery (and primary purposes of load balancing) is availability. In the simplest of terms, achieving availability is accomplished by putting two or more servers (virtual or iron) behind a load...
It’s an integration thing. One of the advantages of deploying an application delivery controller (ADC) instead of a regular old Load balancer is that it is programmable – or at least it is if it’s an F5 BIG-IP. That means you have some measure of control over application data as it’s being delivered to end-users and can manipulate that data in various ways depending on the context of the request and the response. While an ADC has insight into the end-user environment – from network connection type and conditions to platform and location –...
Virtual Desktop Infrastructure (VDI) is designed to deliver virtual, managed desktops in the corporate environment. There are many benefits to this model, especially when applied to traditionally high-maintenance desktops in call centers where users may not be technically savvy and insist on, oh, changing the fonts and background to be black and then calling the help desk to “fix” the problem*. Fixing the problem becomes a simple case of pushing the clean desktop to the user. But as VDI broadens its use from limited, internal deployments to off-site deployments supporting remote workers and disaster...
Extending identity management into the cloud
The focus of several questions I was asked at Interop involved identity management and application access in a cloud computing environment. This makes sense; not all applications that will be deployed in a public cloud environment are going to be “customer” or “market” focused. Some will certainly be departmental or business unit applications designed to be used by employees and thus require a certain amount of access control and integration with existing identity management stores, like Active Directory.
Interestingly F5 isn’t the only one...
When you’re dealing with conditional formatting of objects based on enumerated values you can eliminate conditional assignments by directly mapping your ENUMs to CSS classes. There are many cases where enumerated values are used to describe values, especially in the world of infrastructure 2.0. Availability status, for example, is a commonly used enumeration to indicate whether a load balancing related object – a virtual server, a pool, a node (server) – is available, unavailable, or in some unknown state. When building web-based dashboards or management interfaces for such solutions, the server-side code often ends up with a lot...
When you look at the success of some very proprietary solutions and the loyalty with which customers defend them, you have to wonder if vendor lock-in is really as bad a thing as we sometimes make it sound. The subtext in the discussions around data portability and interoperability in general in cloud computing is really about vendor lock-in. Those driving efforts to come up with solutions that allow customers to pack up their data and head to another provider are primarily concerned about the dangers of being locked-in to a single vendor solution. ...
Infrastructure 2.0, from a purely developmental standpoint, is about APIs. It’s about offering up the functionality and capabilities of a wide variety of infrastructure – network, storage, and application network – to be externally controlled, integrated, and leveraged for whatever purpose a developer might dream up. It enables providers and enterprises alike to turn infrastructure functionality into services. Need compression? Caching? Routing? Load balancing? Via service-enabled management APIs these can become services, provisioned and released through the invocation of a service. When expanded to include the sharing of actionable data – performance statistics, status, availability of application...
Cloud offers an appealing “pay only for what you use” that makes it hard to resist. Paying on a per-usage hour basis sounds like a good deal, until you realize that your site is pretty much “always on” because of bots, miscreants, and users. In other words, you’re paying for 24x7x365 usage, baby, and that’s going to add up. Ironically, the answer to this problem is … cloud. Don and I occasionally discuss how much longer we should actually run applications on our own hardware. After all, the applications we’re running are generally pretty light-weight, and only see...
F5 and VMware demonstrate live migration of a virtualized application across clouds without downtime or user disruption Cloud is reaching the peak of possibilities and that (often) means just more paper solutions. You know the ones; the ones that exist only on paper (or in blogs as the case may be). Those paper solutions need to exist because the ideas need to come first either out of necessity, i.e. to solve a specific problem, or out of a desire to find new ways to leverage emerging technology, like virtualization. But still, you’d like to see some of these...
Using network-side scripting to remove client-side cookies @quine overhead an interesting question that he offered via Twitter regarding cookies and BIG-IP. Specifically someone was wondering whether BIG-IP automatically removes cookies from the browser. Our team had a quick discussion because the question isn’t as straight-forward as it first appears. On the surface the answer is an unequivocal “no”, because for an intermediary to just arbitrarily remove cookies would be a Very Bad Thing. But the ability to manipulate cookies is certainly something you can do using iRules, and if you implemented such functionality then the...
We know what the problem is. We know what the solution is. So why aren’t we doing something about it? Every year, around April Fools’ day, someone pulls out the old “Internet Spring Cleaning” gag. For those of us who are not technical neophytes or have been “online” long enough, the joke is amusing but not nearly as much as when it originally appeared many, many, many years ago. Is it possible, though, that one day the old “the Internet needs to be rebooted” gag might be real? That in order to get from here...
You’ve declared your Data Center Independence. You’ve agreed on a basic set of rights. The problem now is ensuring that those rights are upheld and that you can achieve that independence. We’re not innocent bystanders in the data center revolution; we wholly support your rights to choose the architecture and solutions that best fit your environment. You can’t do it alone. You need tools with which to fight the data center revolution. So we’re arming you with at least some of those tools (hey, we can’t do it all alone) with the introduction of BIG-IP v10...
Ah, those were the days, weren’t they? When improving the security, reliability, and performance of applications over the LAN, over the WAN, and over the Internet meant you had to deploy many different solutions, each one standing on their own in the data center. When you had to learn how to configure and manage as many devices as you have fingers just to deliver a single business-critical application to users and customers across a wide variety of environments. When there really wasn’t an option because solutions weren’t unified, weren’t contextually aware, and were basically just a bunch of point solutions...
Ah, those were the days, weren’t they? When you needed a way to add security at several layers to your network and application network infrastructure but knew that implementing a solution capable of securing those pesky applications was more than likely going to end up with poor performance and angry users. When you needed to add something to secure applications and the network against the growing wave of attacks but knew that doing so would negatively impact performance. It was a tough choice, and most people ended up going the route of maintaining application performance at the expense...
Ah, those were the days, weren’t they? When you needed a way to inspect data at the edge for application-specific issues but knew that implementing a solution capable of that kind of agility was more than likely going to end up with poor performance and angry users. When you needed to add something to secure applications and the network against the growing wave of attacks but knew that doing so would negatively impact performance. It was a tough choice, and most people ended up going the route of maintaining application performance at the expense of security and optimization...
One of the reasons behind some folks pushing for infrastructure as virtual appliances is the on-demand nature of a virtualized environment. When network and application delivery infrastructure hits capacity in terms of throughput - regardless of the layer of the application stack at which it happens - it's frustrating to think you might need to upgrade the hardware rather than just add more compute power via a virtual image. The truth is that this makes sense. The infrastructure supporting a virtualized environment should be elastic. It should be able to dynamically expand without requiring a new network architecture,...
Over the holidays I did, as most folks I suspect, things I enjoy doing. For me, one of those things was playing around with Adobe's Flex using Flex Builder 3. Yes, I am that much of a geek. I was a bit concerned it would take some time to figure it all out, but after quickly realizing that MXML, Adobe's interface markup language, was close enough to XAML, Microsoft's interface markup language, it was pretty much smooth going. ActionScript is close enough to JavaScript and C and most other languages I'm familiar with so that...
If you're an F5 customer running BIG-IP v4.x it's time to consider migrating to newer platforms. I know, why in the world would you want to upgrade when your BIG-IP has been running just fine for years? Probably the most important reason is that F5 is ending the life of the 4.x release and will no longer focus resources on improving it. That means all the new improvements and innovation will continue to be put into the 9.x branch and without migrating you'll miss out on a lot of great opportunities to support new protocols, deploy new functionality...
We all understand the lines in the sand (or the architectural diagram) that separate client-side scripting from server-side scripting. It's very clear that client-side scripting, e.g. JavaScript, VBScript, ActionScript, executes on the client while server-side scripting, e.g. PHP, ASP, executes on the server. But what about network-side scripting?
"There is no such thing!" might be the first response to this question, but I beg to disagree. Programmable proxies, a la F5's BIG-IP Local Traffic Manager, that provide a scripting language such as iRules, are simultaneously client-side and server-side, with the best definition to describe their placement in architectures being network-side...
Over the years imaginative developers have come up with a number of ways through which they hope to stop the pilfering of their images. Whether due to copyright issues or the increased bandwidth and associated costs resulting from "hot linking", site owners have tried a variety of solutions from JavaScript that prevents the ability to right-click and "save as" to watermarking high-resolution versions to make their images less appealing to image thieves. Regardless of the reason you may want to prevent image theft, there's an easier and more effective method than introducing easily countered JavaScript and costly alternative...
After having recently discussed all the different kinds of proxies that exist, it occurred to me that it might be nice to provide some examples of what you can do with proxies besides the obvious web filtering scenario. This is by no means an exhaustive list, but is provided to show some of the more common (and cool, I think) uses of proxies. What's really awesome is that while some of these uses are available with only one type of proxy (reverse or forward), a full proxy can provide all these uses, and more, in a single, unified...
I read about a "new" TCP flaw that, according to C|Net News, Related Posts puts Web sites at risk. There is very little technical information available; the researchers who discovered this tasty TCP tidbit canceled a conference talk on the subject and have been sketchy about the details of the flaw when talking publicly. So I did some digging and ran into a...
If you're excited about the automation capabilities of cloud computing and virtualization, you are going to love this solution. In a virtualized environment where applications can ostensibly be popping up all over, and applications are no longer tied to specific servers, there is a need to automatically manage these application instances in a high-availability (load balanced) environment. What you need is the ability to automagically add and remove application instances from the application delivery controller (load balancer) so you don't have to worry about tying those applications down, which could reduce the benefits typically associated with virtualization. If...
Reuven Cohen of the Elastic Vapor blog, in this article, puts forth the notion that infrastructure is required to enable cloudbursting and then asks an excellent question: To truly enable a capable cloudbursting infrastructure, I feel there needs to be a common consensus on how this may be archived and by what means. So the question in...
We're virtually there! Figuratively speaking, of course. VMWorld kicks off Monday night, and F5 is just putting the finishing touches on everything we've got to bring along to the show (yes, that means trinkets, too). What the heck are we doing at a virtualization show? Pshaw. We've been in the business of network and server virtualization for ... well, forever. Hey, 12 years is forever in this industry, isn't it? We'll be doing a cool demo with BIG-IP GTM in the B-Hive demo, where we'll demonstrate global load sharing between virtual data centers, and Trace|3...
Developers have an almost supernatural ability to workaround restrictions, even though some of the restrictions on building applications delivered via the web have been akin to a kryptonite. Like Superman fighting through the debilitating effects of the imaginary mineral, they've gotten around those restrictions by coming up with ways to implement functionality and improve the behavior of browsers and thus web applications anyway. The first greatest hack was giving HTTP state. The second? Cookie-based persistence. The third? The CNAME trick. THE PROBLEM The reason the "CNAME trick" came about was a limitation on browser connections...
For those of you unfamiliar with the idiom, it should be taken to mean "benefiting one at the expense of another." In this case, Paul is the end-user and Peter is the server administrator. Or better yet, Paul is the browser and Peter is the server. All web browsers, including IE (Internet Explorer), impose a per-server connection limit was imposed to reduce overload on servers. This was introduced back when the web was exploding and browsers opened up connections willy-nilly and made server operators cry. Often. The limitation imposed by IE (two connections per host) was harsher...
The cloud computing craze is leading to some interesting new terms. Cloudware and cloudbursting are two terms I particularly like for their ability to describe specific computing models based on cloud computing. Today we're going to look at cloudbursting, which is basically a new twist on an old concept. Cloudbursting appears to be to marry the traditional safe enterprise computing model with cloud computing; in essence, bursting into the cloud when necessary or using the cloud when additional compute resources are required temporarily. Jeff at Amazon Web Services Blog talks about the inception of this term as applied...
You walked past me again today without stopping. I remember when you used to stop and admire my glowing red ball every day. But that was back when I was brand new and you thought I was the center of your data center. I heard you talking to some friends about looking for a web acceleration solution yesterday. You were going to a meeting about it later that afternoon and you were so excited it was almost like old times, until you pointed me out on the way by and said, "Oh yeah, there's our load balancer." ...
I read a very nice blog post yesterday discussing some of the traditional pros and cons of load-balancing configurations. The author comes to the conclusion that if you can use direct server return, you should. I agree with the author's list of pros and cons; DSR is the least intrusive method of deploying a load-balancer in terms of network configuration. But there are quite a few disadvantages missing from the author's list. Author's List of Disadvantages of DSR The disadvantages of Direct Routing are: Backend server...
Web 2.0 is built on primarily two technologies: AJAX and RSS. AJAX is used to develop interactive, real-time applications while RSS is primarily used as for integration and syndication. Import a feed, share a feed, drag-n-drop a gadget, widget, or component. It's all RSS (XML) today. It's further becoming a requirement of Web 2.0 sites that they provide some sort of API through which developers can write add-on applications. Twitter, Tumblr, Facebook. They all offer APIs that are quite heavily used at this time and startups are following suit. Other sites offer richer media, like video or slideware,...
This past week there's been some interesting commentary regarding Twitter's change to its API request throttling feature. Request throttling, often used as a method to ensure QoS (Quality of Service) for a variety of network and application uses, is used by Twitter as an attempt to not overwhelm the system such that they are forced to display the now (in)famous Twitter fail whale image. One of the things you can do with a BIG-IP Local Traffic Manager (LTM) and iRules is request throttling. Why would you want to let a mediating device like an application delivery controller control...
Multi-tenant applications are extremely popular in the SaaS (Software as a Service) world. Almost all SaaS delivered CRM (Customer Relationship Manager) and SFA (Sales Force Automation) applications are necessarily multi-tenant. These applications use a meta-data driven model to enable the customization of applications on a per customer basis. This allows the provider to deploy a single application to scale vertically, supporting a wide variety of industries with a single code base. In order to scale horizontally, however, it is necessary to deploy multiple instances of that single code base. To enable a scalable architecture to properly support (hopefully)...
Remember way back when we talked about dynamically updating a WSDL to present the appropriate endpoint when being delivered through a BIG-IP? You may recall the basic problem: automatically generated WSDL docs contain the local web/application server's IP address/FQDN as the endpoint and not the IP address/FQDN of the BIG-IP, leaving clients with a non-reachable service endpoint. Since that original blog post, a couple of users have asked for the appropriate iRule to dynamically update those auto-generated WSDL docs. Colin was kind enough to code up just such an iRule, and wrap it up with some...
Several years ago it became necessary for browsers to put limitations on the number of simultaneous connections allowed not only to be open, but how many of those could be open to a single domain. This helped prevent unintentional (and, in some cases, intentional) denial of service situations where a site's poor web server just couldn't keep up with the demand. After all, managing TCP/IP connections is expensive and if one user hogs all the available connections (as determined by web server configuration and RAM) there may be hundreds of users out there that are denied access to the latest...
Yes, I've got gaming on the brain after this month's release of the latest edition of D&D and a weekend with friends "geeking" out with polyhedral dice and imaginary monsters. You might recall that Don stood in line at midnight earlier this month to pick up our copy of the newest (4th) edition of Dungeons & Dragons (D&D). Since then we've been dissecting the game, noting its similarities and differences from earlier versions. Bemoaning the loss of some features while nodding our heads appreciatively at some of the other changes. It took me most of...
Apparently quite a bit if it can be turned into an acronym... Quick. Say the acronym "ROC" out loud. Now choose the picture that immediately came to your mind. A B ...
Kevin Saitta, a solution consultant, has a nice blog post on architecting a Microsoft BizTalk 2006 R2 solution. Unfortunately, amidst the goodness, is a statement regarding load balancers that needs to be corrected. Kevin is not alone in his beliefs regarding load balancers, unfortunately, I've seen a lot of posts lately that seem to indicate that folks out there still have a circa 1999 knowledge set regarding the capabilities of load balancers. Kevin writes Load Balancer A load balancer balances the load between servers, but more importantly, if one server...
Everyone's now familiar with last week's Amazon outage, it's been all over the web. Amazon is still not detailing what went wrong, but lots of folks are speculating on the reasons for the failure. Alistair Croll over at gigaom had a nice recap of the recent Amazon outage, including a list of facts and what we can deduce them, and the rumor mill is, of course, churning away with fantastic stories of what went wrong. Rather than add to the speculation on the reasons behind Amazon's outage - because we may never know the truth - it's a...
In researching the MySpace deprecated API exploit I came across the details on MySpace's REST (Representational State Transfer) API. I'm going to ignore the debate surrounding the definition of "high REST" versus "low REST" and concentrate on the bridging aspect, as it's something I've already touched on and find to be of more value than worrying over what it's called or whether it's a standard or whatever else might be the focus of these arguments. You may recall that part of the problem with a true REST implementation is that many browsers do not support PUT and DELETE....
An issue that often comes up for users of any full proxy-based product is that the original client IP address is often lost to the application or web server. This is because in a full proxy system there are two connections; one between the client and the proxy, and a second one between the proxy and the web server. Essentially, the web server sees the connection as coming from the proxy, not the client. Needless to say, this can cause problems if you want to know the IP address of the real client for logging, for troubleshooting, for...
After reading most of what's available on the Adobe Zero Day Exploit, and getting an idea of how it propagates (Flash and JavaScript inserted via an SQL injection attack), I turned to iRules guru Colin for some help crafting an iRule that might stop a site from serving up infected content to a user. This is particularly helpful for those who are running a BIG-IP but who aren't running a web application firewall like ASM (Application Security Manager) and may have been inadvertently infected.
After looking through the screen capture of some JavaScript that attempts to load the malware from...
By now you've certainly heard about the "zero day" Adobe Flash player exploit. If not, you can read a bit about it here and here. What appears to be going on is similar to how other exploits and malware become quickly propagated across the web: Set up a site that hosts some malware with a simple but effective password stealer hidden in a Flash file Inject malicious code via SQL injection techniques into a web site that will load the Flash files from the host you set up in step 1....
Individual servers in a farm may be expected to fail, but the site - that's a different story Tom's Hardware has an interesting look at an architecture I'm going to call "built to fail". This architecture is focused on building a fault tolerant site, not necessary a fault tolerant web application infrastructure. While the author of the article implies that this architecture is something new, it's really not except in the sense that today's Web 2.0 app providers might not care if a server is lost because it's cheap to replace while other, more cost conscious organizations...
If you've ever used the quite popular Prototype framework, you've noticed that there are some unique options available that are designed to help reduce the number of connections made to the server when automatically updating specific content. The decay rate in Prototype's PeriodicalUpdater is designed to help reduce the number of requests made to the server when content is not refreshing on every request. Ajax.PeriodicalUpdater("content-id", "url", { frequency: 10, decay: 2, method: 'get'} ) This code will start making a call to url and updating content-id every 10 seconds. If the content hasn't changed, decay will...
There's a lot of things that BIG-IP can do to improve the reliability, scalability, and performance of Web 2.0 applications. But there are always two sides to every story, and so it is with BIG-IP and Web 2.0, or specifically, AJAX. This latest article, Getting Started with iControl and AJAX, offers advice and code to get you started building a custom AJAX-based dashboard for BIG-IP. Imbibing: Coffee Technorati Tags: MacVittie,development,iControl,BIG-IP,F5,AJAX,Web 2.0
This is an interesting article from Network World about how CIOs in Australia and New Zealand perceive security as being easier than reducing costs. The IDC Annual Forecast for Management report surveyed 363 IT executives from Australia (254 respondents) and New Zealand (109 respondents) across industries including finance, distribution, leisure and the public sector. CIO Challenges ...
This is an interesting, albeit very short, post on web acceleration options. The author, Todd, gives a pretty quick "hit list" of reasons to use hardware (such as an application delivery controller) over the built-in capabilities of your web server: 1. Compression 2. Caching 3. TCP enhancements (optimizations) There are additional benefits to using a hardware solution with specific features/functionality that address web acceleration that Todd doesn't mention, perhaps because these options are not necessarily available for web servers and operating systems. 1. Better browser control. Many web application acceleration products are capable of manipulating the...
Do you have a .plan for your .com? You should. Remember when users had a .plan? When the screech of a modem was the most annoying sound you'd hear while online? When multiplayer interaction meant joining a MUD, MOO, or MUSH? When FTP was the only way to transfer files, and if you wanted to chat you'd hop on #IRC? When discussions were for newsgroups, if you ignored alt.binaries.pictures.anything, which was certainly not for discussions. It wasn't necessarily the proliferation of broadband that caused a massive leap in users on the Internet. Just as there are plenty of...
How to apply SOA principles to traditional web application architecture I promised kudos and comments last week for Ronald Schmelzer's ZapNote on the requirement for a service proxy in SOA implementations and so I shall right now. While Ron didn't come right out and say it, a major reason the service proxy is an essential component of a successful SOA implementation is that it protects the concept of loose-coupling, a primary foundational principle of SOA. Loose-coupling is generally applied to consumer-producer relationships and essentially requires that there be no code or logic on the consumer (client) that binds it tightly...
Why do web app developers make URLs so hard to remember?!? Rewriting for Fun Over the course of the past few weeks I've sent out a link to our personal Gallery installation to share pictures of our new son many times. Now I love Gallery and even though I can recite PI to 42 significant digits, I can't recall the exact URL to the album containing his pictures. I'm constantly looking it up and cutting and pasting it into my e-mail and quite frankly, it's getting annoying. It's long and confusing and not easily remembered. I can't rewrite...
A Quick History Lesson Back in the day, server-load balancing vendors figured out that connection management (the setup and teardown of TCP/IP connections) was actually quite a burden on servers. You see, the server not only had to spend time setting up and tearing down the connection, but it also had to keep track of those connections in something we like to call a "session state table". The problem was, and still is, that a server has a limited amount of memory and can only manage X number of connections concurrently. This is primarily a matter of configuration of...
Over the past three weeks Don and I have had a lot of time to chat whilst making the trek back and forth between home and the hospital where the newest member of our family was keeping residence. Mostly we talked about our new son and speculating as to when he might be allowed to come home (Feb 17), but as is our wont we often ended up talking about work. That's one of the benefits of working "together" and in the same field, at least we think so. One of those discussions revolved around iControl and the fact that...
Every morning while I drink my allowed daily allowance of caffeine I peruse through my news and blog feeds via Google Reader. I expect, and am not disappointed, to find that those items I marked as "read" yesterday are still marked as such, and that those I "starred" for follow up are also still marked as such. And of course every feed I've subscribed to still exists, just as it did the night before. This seems like a trivial thing, because we've come to expect that our web applications are intelligent enough to remember our personal settings and configuration....
Erik Dafforn recently posted his Webmaster Wish List for 2008. What it sounds like is that Erik is really asking for tools that make it easier to configure web sites and, more specifically, how web servers respond to requests. What's interesting about his list is that most of his wish list can easily be answered with the implementation of a simple iRule on BIG-IP Local Traffic Manager. For example, you might have pages such as www.companyname.com/products/ and www.companyname.com/products/index.aspx. Typically, these URLs contain exactly the same content, but due to inconsistent linking throughout the site (and from third-party sites),...
We don't often consider the impact of manageability of technology in our daily lives, even though it's become an integral part of just about every aspect of our lives. Likely most prevalent amongst technology management issues is how we deal with our home entertainment systems. From a desire to manage all the devices that deliver and control various forms of media - cable, DVDs, games, etc... - with a single, intelligent mangement device evolved what we like to call the "universal remote". These little management devices are able to control every component comprising our home entertainment system, greatly reducing the cost...
Google. Amazon. Facebook. LinkedIn. Salesforce.com. While certainly not an all inclusive list, these very recognizable web monsters all offer access to their "platforms" via a web-based API, a.k.a. services. With the notable exception of Salesforce.com, most have implemented these services as a REST (Representational State Transfer) or REST-like set of interfaces, but in general these APIs meet the criteria necessary to be referred to as services. They're SOA as surely as any other service out there. These services are being incorporated at a rapid pace into other web-based (dare I say Web 2.0) applications, and a plethora of others...
Every industry measures performance, we just use different jargon to discuss it. When we talk about the raw power of a car engine we talk in terms of horsepower; of harnessing the performance of hundreds of horses such that they work together as a single unit. In the world of computing we use terms like MIPS (million instructions per second), and in the world of application delivery we measure performance in terms of transactions per second (TPS). The problem in the world of computing is, unfortunately, that simply adding more "horses" to the mix doesn't linearly increase performance. Generally...
This was just one of those press releases that was so close to being right and yet was missing half the picture. Chicago-based managed dedicated server provider, SingleHop, Inc., advises shoppers to be prepared to suffer through the dreaded "high traffic volume" warnings this holiday season as retailers may be hit with higher than average website traffic.
That's really no surprise, after all I'm fairly certain my shopping alone is enough to cause outages. If you've run into an outage lately, my apologies. I'll be finished shopping shortly. I promise.
In any case, Zak Boca, President, SingleHop, goes...
Our own Deb Allen posted a great tech tip yesterday on conditional logic using HTTP::retry with iRules. This spawned a rather heated debate between Don and myself on the importance of performance versus reliability and application delivery, specifically with BIG-IP. Performance is certainly one of the reasons for implementing an application delivery network with an application delivery controller like BIG-IP as its foundation. As an application server becomes burdened by increasing requests and concurrent users, it can slow down as it tries to balance connection management with execution of business logic with parsing data with executing queries against a database with making...
Performance. Everybody wants to know how things perform, whether it be cars, laptops, XML gateways, or application delivery controllers. It's one of the few quantifiable metrics used to compare products when IT goes shopping, especially in the world of networking. Back at Network Computing I did a lot of testing, and a large portion of that testing revolved around performance. How fast, how much data, how many transactions, how many users. If it was possible, I tested the performance of any product that came through our lab in Green Bay. You've not had fun until you've actually melted an SSL...
Yesterday Don voiced his opinion that XML tagging is a broken proposition. One of his basic premises is that because tags, a.k.a. meta-data, are generated by people and people aren't always as, shall we say, obsessive about doing so, that the entire system is broken. Obviously I disagree or I wouldn't be penning this post. :-) Web 3.0, a.k.a. the Semantic Web, is going to require tagging, or meta-data if you prefer. Without it there's not a good way to establish the relationships between content that forms the basis for connections. But people are only part of the equation,...
Occassionally I get to chat with the guys in the trenches about ongoing implementations involving BIG-IP. Often these involve deploying BIG-IP in front of XML/SOA gateways for load balancing and high-availability (a la failover) duties, as well as session management capabilities. This is primarily due to a lack of support for these options on the part of XML/SOA gateways combined with the need to horizontally scale out the gateways to deal with high volume throughput. I got to thinking about this deployment scenario during a chat with very smart SOA guys Tony Bishop and Jim Haughton and we decided that...
Diving more deeply into the issue of speeding up JavaScript and the load balancing question, Scott Conroy points out: The single URL strategy has a major downside, though it is certainly cleaner than having to deal with many URLs. Since HTTP 1.1 says that user agents and servers SHOULD have only two concurrent connections, requests for multiple resources can easily develop into blocking operations. If, say, I have a page that includes twenty images to download, my browser (in its default config) will only download 2 images at a time. If I put those images on multiple "servers"...
An interesting article on "How JavaScript is Slowing Down the Web (And What To Do About It)". The basic premise is that Web 2.0 applications like blogs are using so much JavaScript to load widgets and perform other functions that it's causing the initial page load to be s l o w. That's so true. The author has many (okay, there are five) suggestions for improving performance, but one sticks out in my mind, probably because it's core to F5 and its products - and it's not entirely accurate. 3. Load-balance requests by generating different...
Improving the performance of AJAX applications by switching servers isn't always feasible in a real environment It's nice to see the analysis of AJAX I did last year being validated, especially by one of the creators of the popular AJAX-focused toolkit, Dojo. While I agree with Dylan's assessment of where to begin the "search & destroy mission" and the reasons behind poor performance of AJAX-based applications, I just can't get behind his suggestion to switch Web servers simply to resolve highly aggressive polling-based applications. The best place to begin a thorough search & destroy mission is with...
When being chased by a dragon, you don't need to be faster than the dragon. You just need to be faster than the halfling behind you.
I had a lot of discussions at RSA this past week, and of course some of them centered on performance. One of the challenges often associated with pure proxy-based application anything involves dealing with the argument that proxies degrade performance, especially in something as intense as an application firewall. That's because of the associated computational cost of buffering input, reassembling packets, and parsing through data in addition to the requirement of managing TCP connections...
Is the pipe half-full or half-empty?
David Linthicum does a good job of pointing out the factors that can affect performance of your SOA in his recent Real World SOA entry: When to Consider SOA Performance.
I particularly liked rule #3:
"Third, use of too many fine grained services may cause performance problems. Indeed, you should not be afraid to leverage fine grained services within your SOA. However, you need to understand the performance issues with doing so, taking careful consideration of the network bandwidth and how other applications leverage the services."
You should indeed take the network into careful consideration when...
