DevCentral Weblogs: Two Different Socks
F5
There are 556 entries for the tag F5
 |
Talking about standards apparently brings out some very strong feelings in a whole lot of people. From “it’s too early” to “we need standards now” to “meh, standards will evolve where they are necessary”, some of the discussions at CloudConnect this week were tinged with a bit of hostility toward, well, standards in general and the folks trying to define them. In some cases the hostility was directed toward the fact that we don’t have any standards yet. [William Vambenepe has a post on the subject, having been one of the folks hostility...
posted @ Friday, March 19, 2010 3:41 AM |
|
 |
There are two kinds of privacy. Only one is the responsibility of vendors and providers to ensure. The rest is up to you.
Regulations like HIPAA and PCI-DSS are designed to guarantee that electronic personally identifiable information, or PII in the vernacular, stored by providers is safeguarded against theft or accidental disclosure. They are not designed to provide consumers with any kind of “social gag” that might alert them they are offering up information or photographs the likes of which they may later regret sharing. While social networking sites like Facebook now provide “privacy” options that allow consumers to control who...
posted @ Thursday, March 18, 2010 5:47 AM |
|
 |
What do a 2-year-old and cloud-based applications have in common? The Toddler has recently decided that he can navigate the stairs by himself. Insists on it, in fact. That’s a bit nerve-wracking, especially when he decides that 2:30am is a good time to get up, have a snack, and recreate a Transformers battle in the family room. It’s worse when you’re asleep and don’t know about it. Oh eventually you hear him and you get up and try to convince him it’s time for sleep (see? all the...
posted @ Tuesday, March 16, 2010 3:59 AM |
|
 |
In this case “baby” is load balancing and the corner is cloud computing. SocialCloudNow recently wrote up a pretty darn accurate (which is hard to find these days) description of “cloud computing” by walking through the components required. The author did an excellent job – especially where he dove into the relationship between orchestration and cloud computing. Loved that a lot – most folks ignore that piece of cloud computing even though it’s very, very important. But I was a bit put off (okay, a lot put off) at one statement: ...
posted @ Monday, March 15, 2010 4:15 AM |
|
 |
Hey there! CloudConnect is next week (already?) and while some of us are already on a plane heading to the Bay area to kick things off (Shlomo Swidler is already on his way, according to his tweets at 36,000 feet) some of us will be lounging preparing for our various workshops and panels until early next week. That being the case, if you’re not going to be attending and thus missing the panel I’m moderating (what? How could you miss that?) but had a burning question you wanted to ask one of the panelists, let...
posted @ Friday, March 12, 2010 11:16 AM |
|
 |
Because it’s Friday and sometimes you just have to get it out of your head.
Your app is slow, demand has grown
the hardware is not your own
your heart sweats, your body shakes
another clone is all it takes

Compute is cheap, it can’t be beat
there was no doubt, you’d take the leap
your budget’s tight, exec’s decreed
another cloud is all you need

Whoa, you like to think that you’re immune to the stuff, oh Yeah
it’s closer to the truth to say you can’t get enough,
you know you’re gonna have to face it, you’re addicted to cloud
there’s no 5 9s, but you don’t...
posted @ Friday, March 12, 2010 3:30 AM |
|
 |
In the networking side of the world, vendors often seek to differentiate their solutions not just based on features and functionality, but on form-factor, as well. Using a descriptor to impart an understanding of the deployment form-factor of a particular solution has always been quite common: appliance, hardware, platform, etc… Sometimes these terms come from analysts, other times they come from vendors themselves. Regardless of where they originate, they quickly propagate and unfortunately often do so without the benefit of a clear definition. A reader recently asked a question that reminded me that we’ve done just that...
posted @ Thursday, March 11, 2010 3:31 AM |
|
 |
Or Why Carr’s Analogy is Wrong. Again. Nicholas Carr envisioned compute resources being delivered in a means similar to electricity. Though providers and consumers alike use the terminology to describe cloud computing billing and metering models, the reality is that we’ve just moved from a monthly server hosting model to a more granular hourly one, and the delivery model has not changed in any way as we’ve moved to this more “on-demand” model of IT resources. There’s very little difference between choosing amongst a list of virtual “servers” and a list of physical “servers” with...
posted @ Wednesday, March 10, 2010 3:43 AM |
|
 |
Thought those math rules you learned in 6th grade were useless? Think again…some are more applicable to the architecture of your data center than you might think.
Remember back when you were in the 6th grade, learning about the order of operations in math class? You might recall that you learned that the order in which mathematical operators were applied can have a significant impact on the result. That’s why we learned there’s an order of operations – a set of rules – that we need to follow in order to ensure that we always get the correct answer when performing...
posted @ Tuesday, March 09, 2010 3:41 AM |
|
 |
“Security” concerns continue to top every cloud computing related survey. This could be because, well, CIOs and organizations in general are concerned about security. It could be because the broader question of control over the infrastructure – including security – is never proffered as a reason for reluctance to jump into the fray known as cloud computing. Forty-nine percent of survey respondents from enterprises and 51 percent from small and medium-size businesses cited security and privacy concerns as their top reason for not using cloud computing. – Survey: Security Concerns Hinder Cloud Computing Adoption, NetCentric...
posted @ Monday, March 08, 2010 5:07 AM |
|
 |
The current threat level is … the same as it was yesterday, and the day before, and will be tomorrow. We’ve all been in the airport before and heard the announcement. “The current threat level is orange. Blah blah blah blah yada yada whatever.” At least that’s what I hear today because I’ve become immune to the fact that “orange” means there’s a threat. There’s always a threat, it seems, and the announcement simply conveys what appears to many of us to be the “status quo.” We have effectively been desensitized to a “higher” threat level as...
posted @ Friday, March 05, 2010 3:48 AM |
|
 |
The advent of virtualization brought about awareness of the need to decouple applications from IP addresses. The same holds true on the client side – perhaps even more so than in the data center. I could quote The Prisoner, but that would be so cliché, wouldn’t it? Instead, let me ask a question: just which IP address am I? Am I the one associated with the gateway that proxies for my mobile phone web access? Or am I the one that’s currently assigned to my laptop – the one that will change tomorrow because today I am...
posted @ Thursday, March 04, 2010 3:54 AM |
|
 |
Microsoft Dynamic Infrastructure Toolkit for Systems Center (DIT-SC) is hopping forward, literally, into the network. With or without established standards, this dog is going to hunt. It takes time to develop standards, something we often overlook. When the foundational standards of the Internet were being developed there were (almost) no users, no broadband, and no real urgency to get something available. The adoption of disruptive, highly volatile technologies such as virtualization and cloud computing results in an environment in which today’s standards groups are not afforded the luxury of time. Organizations want, nay they need, standards...
posted @ Wednesday, March 03, 2010 3:58 AM |
|
 |
A recent blog on EBPML.ORG entitled “REST 2010 - Where are We?” very aggressively stated: “REST is just a "NO WS-*" movement.” The arguments presented are definitely interesting but the most compelling point made is in the way that REST APIs are constructed, namely that unlike the “ideal” REST API described where HTTP methods are used to define action (verb) and the path the resource (noun), practical implementations of REST are using a strange combination of both actions (verbs) and resources (nouns) in URIs. What this does is simulate very closely SOA services, in which the endpoint...
posted @ Tuesday, March 02, 2010 4:04 AM |
|
 |
Ultimately a highly-scalable, high-performance architecture will rely on choosing the right form factor in the right places at the right time.
Scale is not just about servers, and for corporate data centers and cloud computing providers looking to realize the benefits of rapid elasticity and on-demand provisioning scale simply must be one of the foundational premises upon which a dynamic data center is built. And that includes the infrastructure.
This isn’t the first time I’ve touched upon this subject, but it’s a concept that needs to be reiterated – especially with so many pundits and analysts looking for the...
posted @ Monday, March 01, 2010 3:53 AM |
|
 |
What is needed to customize the cloud is a pair of data center ruby slippers called Infrastructure 2.0. Frank Gens of IDC discussed the “New IDC IT Cloud Services Survey: Top Benefits and Challenges” in his blog and what is not surprising is that security continues to top the challenges associated with cloud services. What may be surprising to some is the increasing focus on customization. It shouldn’t be. As customers continue to push at the boundaries of the cloud computing model they will inevitably find it unable to meet some need they have, such as customization....
posted @ Friday, February 26, 2010 3:31 AM |
|
 |
There’s a reason for the angst elicited by inaccurate definitions of cloud computing and it may lead to rethinking a laissez-faire view of such definitions. Language impacts our perception and can dramatically change the way we understand – or don’t understand – ideas. Because one of the primary uses of language is to present arguments or assert propositions such as “We need to allocate X percent of our budget to a cloud computing initiative” it makes it important that everyone involved in the conversation agrees on basic meanings and definitions. This is one of the reasons I,...
posted @ Thursday, February 25, 2010 3:18 AM |
|
 |
Managing a virtual machine is not the same thing as managing the stuff inside it. I’ve been noticing a disturbing, though not unexpected, trend in the world of virtualization and cloud computing around management of infrastructure, particularly around virtual network appliances (VNAs). Specifically this trend is claiming the ability to manage virtualized infrastructure. You’d think I’d be happy about that. I probably would - if the solutions were actually capable of managing the infrastructure. Digging into these management solutions shows that for the most part the definition of the term “manage”...
posted @ Wednesday, February 24, 2010 3:56 AM |
|
 |
There’s compression, and then there’s compression. One of the most common means of improving application performance is to reduce the size of the data being exchanged as redress for inherent network protocol behavior that can cause excessive delays in delivery of application data. Compression is often enabled to achieve this goal, and because most data being delivered to applications is text-based (XML, HTML, JSON) this technique generally works quite well. Depending on the architecture of the application delivery network, however, there may be other “types” of compression that can be used in addition to the “compression” typically associated...
posted @ Tuesday, February 23, 2010 3:48 AM |
|
 |
There’s a difference between automation and orchestration, and knowing which one you’re really doing is half the battle in achieving a truly dynamic data center. Randy Heffner on CIO.Com wrote an excellent article on SOA and its value, “SOA: Think Business Transformation, Not Code Reuse.” The problem I had with the article was not in any way related to its advice, conclusions, or suggestions. The problem I had was that I kept thinking about how perfectly much of his article could be applied to data center orchestration, operational transformation, and automation. Simply replace “SOA” with “orchestration”, “software reuse”...
posted @ Monday, February 22, 2010 3:43 AM |
|
 |
Surprised? I was, but I shouldn’t have been. While working on other topics I ran across an interesting slide in a presentation given by Microsoft at TechEd Europe 2009 on virtualization and Exchange. Specifically the presenter called out the average 12% overhead incurred from the hypervisor on systems in internal testing. Intuitively it seems obvious that a hypervisor will incur overhead; it is, after all, an application that is executing and thus requires CPU, I/O, and RAM to perform its tasks. That led me to wonder if there was more data on the overhead from other...
posted @ Thursday, February 18, 2010 3:47 AM |
|
 |
More interesting, what if you had the means to actually try to meet them? On the surface, Infrastructure 2.0 seems to have very little value to the end-user. It is, after all, about collaboration at the infrastructure layer. It is under the covers, as it were, of the application blanket with which end-users actually interact. But it may end up that Infrastructure 2.0 will have a direct impact on the control the user has over the way in which applications are delivered. Which is to say they might one day have some. What this means is something...
posted @ Wednesday, February 17, 2010 3:43 AM |
|
 |
The problem with HTTP (okay, one of the problems with HTTP, happy now?) is that it resides at the top of the “stack” regardless of whether we identify the “stack” as based upon the TCP/IP stack or the OSI model stack. In either case, HTTP sits at the top like a king upon his throne. There’s nothing “higher” than the application in today’s networking models. But like every good king, HTTP has a crown: the actual application data exchanged in the body of an HTTP transaction. In the good old days, when intermediaries (proxies) were only able...
posted @ Tuesday, February 16, 2010 3:17 AM |
|
 |
Or more apropos, it’s in the complex and intimate relationship between applications and their infrastructure. What’s the difference between a highly virtualized corporate data center and a cloud computing environment? There are probably many, but the most important distinction – and the one that earns the latter a “cloud computing” tag – is certainly that the former lacks a comprehensive orchestration system and was likely not architected using a rapid, infrastructure inclusive, scalability strategy. Mitch Garnaat, “The Elastician”, recently managed to sum up what should be every modern data center’s motto in a...
posted @ Monday, February 15, 2010 4:06 AM |
|
 |
Preparing for the upcoming Cloud Connect conference several speakers and presenters have put forth the proposal that no one should attempt to define cloud yet again. After all, if you’re attending the conference (and you are attending, of course, aren’t you?) then you certainly have a firm understanding of what cloud computing is and what it can do. But most end-users and business stakeholders won’t be attending and don’t have a firm understanding of cloud computing. Even the technology pundits to whom these constituents turn to learn about the technology often fail to really “get” cloud computing, as evinced...
posted @ Friday, February 12, 2010 3:50 AM |
|
 |
If developers will not write “virtualization aware” applications, who will? The future of application development platforms may be at stake… Right now developers are packaging up applications in virtual machines and deploying them. That’s according to, well, every survey you find related to virtualization and cloud computing. Joe McKendrick, citing the latest Evans Data Cloud Development Survey, noted that “sixty-one percent of 400 developers in Evans Data Corp’s recent Cloud Development Survey report that at least some of their IT resources will move to the public cloud within the next year.” But even given the number...
posted @ Thursday, February 11, 2010 3:30 AM |
|
 |
Agreed that cloud vendors need to differentiate on services. Disagreed that cloud standards will not forward that cause and that virtualization platform makes a difference. The battle for virtualization platform dominance rages on, but it will not be virtualization that makes or breaks a cloud computing offering; it will be the diversity – or lack thereof - of the services it offers. We need to stop focusing on virtualization as the be-all and end-all of cloud computing and start bending our efforts toward what really matters: the ability of providers to efficiently offer a broad set of...
posted @ Wednesday, February 10, 2010 4:35 AM |
|
 |
The W3C specification now offers the means by which cross-origin AJAX requests can be achieved. Leveraging network and application network services in conjunction with application-specific logic improves security of allowing cross-domain requests and has some hidden efficiency benefits, too. The latest version of the W3C working draft on “Cross-Origin Resource Sharing” lays out the means by which a developer can use XMLHTTPRequest (in Firefox) or XDomainRequest (in IE8) to make cross-site requests. As is often the case, the solution is implemented by extending HTTP headers, which makes the specification completely backwards and cross-platform compatible even if the...
posted @ Tuesday, February 09, 2010 4:18 AM |
|
 |
Scaling applications that include AJAX and non-AJAX components may require more than just tuning your web server. A common problem after deploying a Web 2.0 AJAX-based application shows itself through poor performance or lower capacity on the server, often both. Web server tuning is almost always the first step in improving performance and capacity, but the inherently competing behavior of AJAX-requests and “normal” HTTP requests quickly becomes problematic as well. Tune for the AJAX requests and performance of regular old HTTP requests suffers. Tune for regular old HTTP requests, and performance of AJAX-requests suffers. This is...
posted @ Monday, February 08, 2010 4:35 AM |
|
 |
We worry about VM sprawl but what about device sprawl? Management of a multitude of network-deployed solutions can be as operationally inefficient as managing hundreds of virtual machines, and far more detrimental to the health and performance of your applications. Turning them all into virtual network appliances that might need scaling themselves? That’s even badder. But all you hardware fanbois best not smirk too much because the proliferation of hardware network devices is only slightly less badder than the potential problems arising from virtual network appliance sprawl. WAIT, WHY IS DEVICE SPRAWL BAD AGAIN?...
posted @ Friday, February 05, 2010 4:02 AM |
|
 |
We seem on the verge of repeating the mistakes associated with failed SOA implementations: ignoring the larger issue of architecture. Everyone – from pundit to public – is asking the same question: “Where are the network virtual appliances?” But fewer people seem to be asking a question that needs to go hand-in-hand with that one: “Where are the architectural guidelines to support deployment of network virtual appliances?” SOA has been deemed by many to be a failure in part because it lacked true architectural guidance. Architects were simply unable – whether by lack of skills or training or...
posted @ Thursday, February 04, 2010 4:43 AM |
|
 |
The difference between these two performance metrics is significant so be sure you know which one you’re measuring, and which one you wanted to be measuring. It may be the case that you’ve decided that SSL is, in fact, a good idea for securing data in transit. Excellent. Now you’re trying to figure out how to implement support and you’re testing solutions or perhaps trying to peruse reports someone else generated from testing. Excellent. I’m a huge testing fan and it really is one of the best ways to size a solution specifically for your...
posted @ Wednesday, February 03, 2010 4:10 AM |
|
 |
Emerging architectures are conflating responsibilities up and down the application stack. Who is responsible for integration when services reside in the network? While preparing for an upcoming panel I’m moderating at Cloud Connect (in the “New Infrastructure” track), the panelists and I had a great discussion on the topics we wanted to discuss in the session. During that discussion it became increasingly clear that an interesting phenomenon has been occurring: the conflation of network and application responsibilities in the traditional “stack.” Much of this inversion is absolutely necessary for emerging models of networking and computing...
posted @ Tuesday, February 02, 2010 3:36 AM |
|
 |
Which of course are like Ogres. They’re big, chaotic, and have lots of layers of virtualization. In discussions involving cloud it is often the case that someone will remind you that “virtualization” is not required to build a cloud. But that’s only partially true, as some layers of virtualization are, in fact, required to build out a cloud computing environment. It’s only “operating system” virtualization that is not required. Problem is unlike the term “cloud”, “virtualization” has come to be associated with a single, specific kind of virtualization; specifically, it’s almost exclusively used to refer...
posted @ Monday, February 01, 2010 3:52 AM |
|
 |
Using HTTP headers and default browser protocol handlers provides an opportunity to rediscover the usability and simplicity of the mailto protocol.
Over the last decade it's become unsafe to use the mailto protocol on a website due to e-mail harvesters and web scraping. No one wants to put their e-mail address out on teh Internets because two minutes after doing so you end up on a trillion SPAM lists and the next thing you know you're changing your e-mail address.
But people still wanted to share contact information, so it became common practice to spell out your e-mail address, such...
posted @ Thursday, January 28, 2010 3:07 AM |
|
 |
I haven’t heard the term “graceful degradation” in a long time, but as we continue to push the limits of data centers and our budgets to provide capacity it’s a concept we need to revisit. You might have heard that Twitter was down (again) last week. What you might not have heard (or read) is some interesting crunchy bits about how Twitter attempts to maintain availability by degrading capabilities gracefully when services are over capacity. “Twitter Down, Overwhelmed by Whales” from Data Center Knowledge offered up the juicy details: ...
posted @ Wednesday, January 27, 2010 2:55 AM |
|
 |
Nope. Wasn’t under the couch. In fact it turns out it wasn’t even missing, it’s just been overlooked and might already be in your data center. As more organizations continue to make virtualization a core part of their overall application deployment strategy they are finding challenges associated with managing and, apparently, optimizing their newly created heterogeneous infrastructure. Kevin Fogarty, in “10 Virtualization Vendors to Watch in 2010”, writes of some of the challenges with virtualization to come in the next year. One of those challenges is, apparently, optimization of resources across physical and virtual assets, at least...
posted @ Tuesday, January 26, 2010 4:02 AM |
|
 |
Cloud computing and content delivery networks (CDN) are both good ways to assist in improving capacity in the face of sudden, high demand for specific content but require preparation and incur operational and often capital expenditures. How about an option that’s free, instead? While it’s certainly in the best interests of every organization to have a well-thought out application delivery strategy for addressing the various events that can result in downtime for web applications it may be that once in a while a simple, tactical solution will suffice. Even if you’re load balancing already (and you are, of...
posted @ Monday, January 25, 2010 3:55 AM |
|
 |
One of the concerns with cloud bursting specifically for the use of addressing seasonal scaling needs is that cloud computing environments are not necessarily PCI-friendly. But there may be a solution that allows the application to maintain its PCI-compliance and still make use of cloud computing environments for seasonal scaling efficiency. Cloud bursting, a.k.a. overdraft protection, is a great concept but in some situations, such as those involving PCI-compliance, it can be difficult if not impossible to actually implement. The financial advantages to cloud bursting for organizations requiring additional capacity on only a seasonal basis are well understood,...
posted @ Thursday, January 21, 2010 5:54 AM |
|
 |
Most people don’t start thinking they need a “load balancer” until they need a second server. But even if you’ve only got one server a “load balancer” can help with availability, with performance, and make the transition later on to a multiple server site a whole lot easier. Before we reveal the secret sauce, let me first say that if you have only one server and the application crashes or the network stack flakes out, you’re out of luck. There are a lot of things load balancers/application delivery controllers can do with only one server, but automagically fixing...
posted @ Wednesday, January 20, 2010 5:58 AM |
|
 |
The benefits of automation and orchestration do not come solely from virtualization. Virtualization has benefits, there is no arguing that. But let’s not get carried away and attribute all the benefits associated with cloud computing and automation to one member of the “game changing” team: virtualization. I recently read one of the all-too-common end-of-year prediction blogs on virtualization and 2010 that managed to say with what I think was a straight face that virtualization of the network is what makes it “fluid”. From: 2010 Virtualization Predictions - The Year the Network Becomes Fluid and Virtual ...
posted @ Tuesday, January 19, 2010 3:08 AM |
|
 |
There’s been increasing interest in Infrastructure 2.0 of late that’s encouraging to those of us who’ve been, well, pushing it uphill against the focus on cloud computing and virtualization for quite some time now. What’s been the most frustrating about bringing this concept to awareness has been that cloud computing is one of the most tangible examples of both what infrastructure 2.0 is and what it can do and virtualization is certainly one of the larger technological drivers of infrastructure 2.0 capable solutions today. So despite the frustration associated with cloud computing and virtualization stealing the stage,...
posted @ Monday, January 18, 2010 3:35 AM |
|
 |
In the wake of Google’s revelation that its GMail service had been repeatedly attacked over the past year the search engine goliath announced it would be moving to HTTPS (HTTP over SSL) by default for all GMail connections. For users, nothing much changes except that all communication with GMail will be encrypted in transit using industry standard SSL, regardless of whether they ask for it by specifying HTTPS as a protocol or not. In the industry we generally refer to this as an HTTPS redirect, and it’s often implemented by automatically rewriting the URI using a load balancing /...
posted @ Friday, January 15, 2010 3:10 AM |
|
 |
Cloud computing can’t assure availability of applications in the face of a physical network outage, can it? Cloud computing providers focus on providing an efficient, scalable environment in which applications can be deployed and provide for their availability with load balancing services and health monitoring and elastic scalability. But it can’t assure availability of your network. The Rackspace outage late last year was allegedly caused by a peering issue. You know, a network, problem. UPDATE: “The issues resulted from a problem with a router used for peering and backbone connectivity located outside...
posted @ Wednesday, January 13, 2010 5:46 AM |
|
 |
Infrastructure 2.0 enabled application delivery platforms have more than a few things in common with the Transformers. Like Autobots, there’s more to it than meets the eye. If you’re familiar with the mythology of the Transformers – and perhaps even if you aren’t – you know that the key attribute of Transformers is their ability to take on “alternate modes” such as cars, trucks, and winged vehicles simply by scanning the object and then adapting their own form to match. One of the key premises of Infrastructure 2.0 is also the ability of network and...
posted @ Tuesday, January 12, 2010 3:02 AM |
|
 |
If you’re just trading “specialized” hardware for “dedicated” hardware you’re losing more than you’re gaining. Apparently I have not gotten the memo detailing why specialized hardware is a Very Bad Thing(TM). I’ve looked for it, I really have, but I cannot find it anywhere. What I did find was any number of random press releases announcing how “virtual version X” of some network or application infrastructure solution was now virtualized and hey, you don’t need specialized hardware to run it. These random press releases neglect, I might add, to mention that there's very little difference between the requirement...
posted @ Monday, January 11, 2010 3:21 AM |
|
 |
Kicking off the new year (and a new decade) with a lively debate on a technological concept that is barely out of its infancy is always a good thing. Fred Cummins over at HP recently penned “Pursuit of the Intercloud is Premature” and caught the eye of several of us for whom Intercloud is near and dear and, I think, provided a great way to start off the year by declaring the concept of Intercloud “not yet worthy of concern”. If this elastic mesh is provided by a single cloud provider, then it is...
posted @ Friday, January 08, 2010 3:56 AM |
|
 |
Being an efficient developer often means abstracting functionality such that a single function can be applied to a variety of uses across an application. Even as this decreases risk of errors, time to develop, and the attack surface necessary to secure the application it also makes implementing security more difficult. Over the holidays I had the opportunity to do some coding on my latest web application project. I won’t bore you with the details of what it is because it’s to support a hobby of Don and mine except to say that it’s running on a LAMP stack...
posted @ Thursday, January 07, 2010 3:58 AM |
|
 |
If it is, you might want to reconsider how you’re handling security, acceleration, and delivery of your applications before users “go postal” because of poor application performance. Sometimes wisdom comes from the most unexpected places. Take Jason Rahm’s status update on Facebook over the holidays. He’s got what is likely a common complaint regarding the delivery model of the US postal service: the inefficiency of where postage due is determined. Everyone has certainly had the experience of sending out a letter (you know, those paper things) and having it returned a week or more later...
posted @ Wednesday, January 06, 2010 3:19 AM |
|
 |
The wrong load balancing algorithm can be detrimental to the performance and scalability of your web applications. When you’re mixing and matching virtual or physical servers you need to take care with how you configure your Load balancer – and that includes cloud-based load balancing services. Load balancers do not at this time, unsurprisingly, magically choose the right algorithm for distributing requests for a given environment. One of the nice things about a load balancing solution that comes replete with application-specific templates is that all the work required to determine the optimal configuration for the load balancer and...
posted @ Tuesday, January 05, 2010 3:50 AM |
|
 |
We’ve been talking about “aligning IT with the business” since SOA first took legs but you rarely see concrete examples of what that really means. It sounds much more grand and lofty than it really is. To put it in layman’s terms, or at least take it out of marketing terms, aligning IT with the business is really nothing more than justifying or tying a particular IT investment or project to a specific business goal. What that means ultimately is that you, as an IT professional, must understand what those business goals are in the first place. Once...
posted @ Wednesday, December 30, 2009 5:11 AM |
|
 |
Load balancing intermediaries have long used the terms “virtual server” and “virtual IP address”. With the widespread adoption of virtualization these terms have become even more confusing to the uninitiated. Here’s how load balancing and application delivery use the terminology.
I often find it easiest to explain the difference between a “virtual server” and a “virtual IP address (VIP)” by walking through the flow of traffic as it is received from the client.
When a client queries for “www.yourcompany.com” they get an IP address, of course. In many cases if the site is served by a load balancer or...
posted @ Monday, December 28, 2009 6:00 AM |
|
 |
Here comes St. Beaker and Santa Cloud …
Twas two weeks past deployment and all through the house
Echoed taps on a keyboard and clicks from a mouse
The apps were all running inside VMware
In hopes compute resources soon would they share.
The dashboard showed statuses green and not red
Our admins had thoughts of going home in their heads
The director was ready to call it a wrap
and I began...
posted @ Wednesday, December 23, 2009 6:06 AM |
|
 |
An e-mail exchange with Kay Kinton, a spokesperson for Amazon, on the subject of Amazon and its recent run-in with the Zeus botnet controller, raised two very interesting and valid points. First, there is a fine balance that must be maintained by providers – cloud or traditional hosting – regarding the privacy of applications and data deployed by customers and monitoring/security. Second, Kay points out that it’s easier in the EC2 environment, at least, to disable botnets once they are discovered. The second point is one that appears on the surface to be true but I’m not entirely...
posted @ Friday, December 18, 2009 3:16 AM |
|
 |
Like peanut-butter and jelly, cloud computing and application acceleration are just better together. Ann Bednarz of Network World waxes predictive regarding 2010 trends in application delivery and WAN optimization in “WAN optimization in 2010”. One of the interesting tidbits she offers from research firm Gartner is growth in the application acceleration market: Second, the research firm is predicting a return to modest growth for the application acceleration market in 2010. Gartner is forecasting a compound annual growth rate of 12.22%, with 2014 revenue of $4.27 billion. This, when viewed alongside...
posted @ Thursday, December 17, 2009 3:21 AM |
|
 |
Cloud computing environments are just as suited to illegitimate use as legitimate use. Do providers need a way to separate the chaff from the wheat to reassure enterprise-class customers that they’re doing everything they can to eliminate the hijacking of cloud computing resources for nefarious purposes? One of the negatives of being the technology darling du jour is that every misstep, problem, and outage is immediately jumped on and reported everywhere. Amazon is particularly susceptible to such coverage, being recognized as one of the leaders in public cloud computing. Last week Amazon suffered yet another outage, true, but...
posted @ Tuesday, December 15, 2009 3:42 AM |
|
 |
When you’re dealing with conditional formatting of objects based on enumerated values you can eliminate conditional assignments by directly mapping your ENUMs to CSS classes. There are many cases where enumerated values are used to describe values, especially in the world of infrastructure 2.0. Availability status, for example, is a commonly used enumeration to indicate whether a load balancing related object – a virtual server, a pool, a node (server) – is available, unavailable, or in some unknown state. When building web-based dashboards or management interfaces for such solutions, the server-side code often ends up with a lot...
posted @ Monday, December 14, 2009 4:45 AM |
|
 |
A recent tweet about a free, Linux-based XML Security suite reminded me that we do not opine on the subject of XML security and its importance enough. SOA has certainly been dethroned as the technology darling du jour by cloud computing and virtualization and with that forced abdication has unfortunately also come a reduction in the focus on XML and security. That’s particularly disturbing when you recognize that what’s replaced SOA – primarily WOA and RESTful APIs – exchange data primarily via one of two formats: XML and JSON. Whether you prefer one over the other is...
posted @ Friday, December 11, 2009 3:51 AM |
|
 |
Should the enterprise standardize on JSON or XML as their lingua franca for Web 2.0 integration? Or should they use both as best fits the application? The decision impacts more than just integration – it resounds across the entire infrastructure and impacts everything from security to performance to availability of those applications. One of the things a developer may or may not have control over when building enterprise applications is the format of the data used to communicate (integrate) with other applications. Increasingly services external to the enterprise are very Web 2.0 in that they provide HTTP-based APIs for...
posted @ Thursday, December 10, 2009 3:56 AM |
|
 |
An interesting thing happens when you combine toolkits like XAJAX and SAJAX and the ability to perform content-based routing: you can actually achieve function-level load balancing in both cloud-based and traditional architectures. As you might have discovered from previous posts mentioning it, I still do web application development to support hobby interests in my (very little) spare time. I’m currently in love with the XAJAX library, which has made development of what is supposed to be a very interactive application nearly effortless. I’m also very much enamored of load balancing/application delivery and cloud computing, specifically...
posted @ Wednesday, December 09, 2009 3:59 AM |
|
 |
Beware the danger of building out isolated network and application network infrastructures in the cloud lest we end up with silos from which it is difficult to escape. While writing a separate post on the business value of public versus private cloud computing investments I specifically called out the fact that infrastructure – virtual or physical – provisioned in a cloud environment is applicable only to that cloud environment; it really can’t be shared within the enterprise architecture or other public cloud computing environments, for that matter. That led to considering the impact...
posted @ Tuesday, December 08, 2009 3:31 AM |
|
 |
The long, lost application delivery spell compendium has been found! Its once hidden, arcane knowledge is slowly being translated for the good of all web applications. Luckily, you don’t have to be Elminster or Gandalf or <insert powerful wizard you know here> to cast this spell over your infrastructure.
Contingency
School of Magic: Evocation
Components: Somatic (requires gestures), Material (requires physical component)
Saving Throw: None
Spell Resistance: No
Through the use of the contingency spell, application delivery professionals can dictate the conditions...
posted @ Monday, December 07, 2009 3:37 AM |
|
 |
Should the next generation management of network and application network devices look and act more like Facebook and Twitter? Infrastructure 2.0 could take us there. You may think I’m kidding and certainly I make this proposal with some amount of humorous intent, but there is some value, I think, in applying the concepts of Web 2.0 and social networking to network management systems (NMS). There’s a reason it’s called social networking, after all. It’s modeled closely on networking and NMS is primarily about managing not just individual network and application network devices, but on managing...
posted @ Friday, December 04, 2009 4:34 AM |
|
 |
Ultimately the CAPEX vs OPEX arguments over public and private cloud computing are irrelevant. Business-value is the only metric that really counts. Brenda Michelson, Principal of Elemental Links, who writes “elemental cloud computing”, recently tweeted: “100k buys way more public, than private, cloud computing power” which started a short but inspiring conversation on the subject centering around the observation that “cloud is the gift that keeps on giving.” That’s alluding to the fact that the compute power purchased in “the cloud” is an annual expense, unlike private, cloud computing power which requires renewal at...
posted @ Thursday, December 03, 2009 4:03 AM |
|
 |
Certainly no one would seriously argue that web applications are fast enough for everyone. SPDY is one suggested solution, but what if we combine MapReduce and SPDY? Could we develop an architectural solution that leverages the best of SPDY without requiring entire infrastructure changes to support a new protocol? More than a couple of people have mentioned Map/Reduce as a means to achieve workload-level distribution of applications in a cloud computing environment. I hadn’t looked into Map/Reduce but finally decided that if that many very smart people were thinking it was a solution, I should look into it....
posted @ Wednesday, December 02, 2009 3:14 AM |
|
 |
There are many good reasons to go down the virtual infrastructure road. The illusion that it’s cheaper than dedicated hardware solutions is not one of them.
I was reading an interesting predictive article on WAN optimization that contends that virtualized WAN optimization controllers (WOC) are, well, just better than sliced bread. One of the reasons why the author opined this way was presented as the great benefits of horizontal scalability (linear) in cloud computing environments.
Savings and scalability. This approach ensures that there is no need for dedicated hardware to support WAN optimization, saving on CAPEX and OPEX. Cost...
posted @ Tuesday, December 01, 2009 3:52 AM |
|
 |
Using Anonymous Human Authentication to prevent illegitimate access to sites, services, and applications. In the “real world” there are generally accepted standards set for access to a business and its services. One of the most common standards is “No shirt, no shoes, no service.” Folks not meeting these criteria are typically not allowed past the doors of a business. But on the web, access to services is implicit in the fact that the business is offering the service. If the HTTP service is accessible, it’s implicitly allowing connections and providing service without any standard criteria...
posted @ Monday, November 30, 2009 4:47 AM |
|
 |
With any luck I am already AFK for a visit with Don’s mother and his family for Thanksgiving. And I’m really (really, I swear) going to be AFK (away from keyboard) for the entire time. Really. I’m serious this time, stop looking at me like that. Ever heard of “pre-publishing?” So while I’m out, you might need something to read. And if so, you might want something you can read two or three times because, well, it was that entertaining. If that’s the case, I highly recommend you give “BSOFH: Catering to a niche...
posted @ Wednesday, November 25, 2009 8:53 AM |
|
 |
Ever wonder why requests coming through proxy-based solutions, particularly load balancers, end up with an IP address other than the real client? It’s not just a network administrator having fun at your expense. SNAT is the question – and the answer. SNAT is the common abbreviation for Secure NAT, so-called because the configured address will not accept inbound connections and is, therefore, supposed to be secure. It is also sometimes (more accurately in the opinion of many) referred to as Source NAT, however, because it acts on source IP address instead of the destination IP address as is...
posted @ Tuesday, November 24, 2009 3:58 AM |
|
 |
The long, lost application delivery spell compendium has been found! Its once hidden, arcane knowledge is slowly being translated for the good of all web applications. Luckily, you don’t have to be Elminster or Gandalf or <insert powerful wizard you know here> to cast this spell over your infrastructure.
Detect Invisible (Application) Stalkers
School of Magic: Abjuration (Protective Spells)
Components: Somatic (requires gestures), Material (requires physical component)
Casting Time: special
Range: Layers 3-7
Area: global
Duration: Until discharged ...
posted @ Monday, November 23, 2009 3:58 AM |
|
 |
Sometimes the best answer to a problem is to hit the reset button, but it should probably be the last answer, not the first. My cohort Pete Silva attended the 2009 Cloud Computing and Virtualization Conference & Expo and offered up a summary of one of the sessions he enjoyed (‘Cloud Security - It's Nothing New; It Changes Everything!’ (pdf)) in a recent post, “Virtualization is Real”: One of the sessions I enjoyed was ‘Cloud Security - It's Nothing New; It Changes Everything!’ (pdf) from Glenn Brunette, a Distinguished Engineer and Chief...
posted @ Friday, November 20, 2009 4:15 AM |
|
 |
If you aren’t using all the security tools at your disposal you’re doing it wrong. How many times have you seen an employee wave on by a customer when the “security device enclosed” in some item – be it DVD, CD, or clothing – sets off the alarm at the doors? Just a few weeks ago I heard one young lady explain the alarm away with “it must have been the CD I bought at the last place I was at…” This apparently satisfied the young man at the doors who nodded and turned back to whatever...
posted @ Thursday, November 19, 2009 3:42 AM |
|
 |
Whenever keys, certificates, and PKI enter into a security solution’s architecture the solution almost always becomes overly complex. DNSSEC is no exception, but it doesn’t have to be. DNS plays a role in every application on the Internet. It is the 411 of the Internet, essentially, without which the millions of users that don’t memorize the IP addresses associated with domain names would be utterly lost. But DNS is vulnerable to exploitation and has, in fact, been exploited in the past. Like any core infrastructure upon which we depend to conduct business, communicate, and generally entertain ourselves, it...
posted @ Wednesday, November 18, 2009 3:44 AM |
|
 |
Google’s desire to speed up the web via a new protocol is laudable, but the SPDY protocol would require massive changes across networks to support. ArsTechnica had an interesting article on one of Google’s latest projects, a new web protocol designed to replace HTTP called SPDY. SPDY uses a single SSL-encrypted session between a browser and a client, and then compresses all the request/response overhead. The requests, responses, and data are all put into frames that are multiplexed over the one connection. This makes it possible to send a higher-priority small file without...
posted @ Tuesday, November 17, 2009 4:20 AM |
|
 |
The question is whether that impact is positive (a reduction) or negative (an increase). One of the biggest threats to data integrity is the introduction of malicious content via SQLi (SQL Injection) attacks. Traditional database access methods don’t provide a lot in the way of validating requests and like HTML the vagaries of SQL allow for myriad ways in which a statement can be constructed – and thus exploited. These vagaries, of course, are one factor in the reason why SQLi continues to plague applications and sites driven by user generated content. Another factor is certainly...
posted @ Monday, November 16, 2009 4:52 AM |
|
 |
When you look at the success of some very proprietary solutions and the loyalty with which customers defend them, you have to wonder if vendor lock-in is really as bad a thing as we sometimes make it sound. The subtext in the discussions around data portability and interoperability in general in cloud computing is really about vendor lock-in. Those driving efforts to come up with solutions that allow customers to pack up their data and head to another provider are primarily concerned about the dangers of being locked-in to a single vendor solution. ...
posted @ Friday, November 13, 2009 3:47 AM |
|
 |
These three things have a lot more in common than you might think and all three tend to evoke similar levels of frustration. A very real problem women face when shopping is this: no two brands define a size the same. If you usually wear a size 8 in “Brand X” you might actually wear a size 10 or 6 in “Brand Y”, depending on how the brand decided to define its sizing. Customers, women in this case, cannot count on consistency in sizes across brands. This makes shopping annoying because every time you change brands you’re never...
posted @ Thursday, November 12, 2009 4:05 AM |
|
 |
No, not the kind you do on Facebook when you’re really, really tired but the kind defined as a means to reduce power consumption without affecting application performance or availability by eliminating non-essential processing and networking whenever possible. An article on “Drowsy” computing as a means to reduce power consumption in data centers got me thinking about how such concepts might be applied to networking. To summarize the concept of “drowsy” computing its basic premise is that when applications aren’t being heavily used some mechanism is used to reduce the power consumption on...
posted @ Wednesday, November 11, 2009 3:23 AM |
|
 |
Microsoft has made some fairly substantial changes to the core architecture of Exchange 2010. Given that messaging can only be described as business critical today, it’s no surprise that many new aspects of Exchange 2010 and in particular its new architecture are designed to improve availability and management of its messaging systems. Exchange 2010 includes many changes to its core architecture. In Exchange 2010, new features such as incremental deployment, mailbox database copies, and database availability groups work with other features such as shadow redundancy and transport dumpster to provide a new, unified...
posted @ Tuesday, November 10, 2009 3:27 AM |
|
 |
Cloud computing management functionality and standards are right now laser-focused on virtual machines, and most APIs include the ability to stop, start, launch, etc. … at that level of the infrastructure. This is because the application is still insulated by its virtualized environment. The “depth” of management and standards efforts today stops at the hard shell of the virtualization layer and leaves the soft, chewy application center alone. This means nothing is really all that different for developers. But it could, and some might argue should, be different. The development of a web-application for a cloud computing environment today is really...
posted @ Monday, November 09, 2009 3:57 AM |
|
 |
Yesterday the blogosphere, twittosphere, and other-spheres were abuzz when a new TLS renegotiation man-in-the-middle attack was disclosed.
Interestingly enough, while we were all still reading about it and figuring out all the nuances, one of our own DevCentral members was out implementing a solution.
No, he’s not a vendor with a product to worry about, he’s just a “guy” trying to defend his web site and applications from potential attacks like this one. But he’s a guy with network-side scripting in his arsenal of web application security tools, and with that and his understanding of the very well-documented vulnerability...
posted @ Friday, November 06, 2009 12:30 PM |
|
 |
While you spend your time arguing over where application security belongs, miscreants are taking advantage of vulnerabilities. By the time you address the problem, they’ve moved on to the next one. Dmitry Evteev @ Positive Technologies Research has discovered (yet) another method of exploitation that allows for the injection of malicious SQL into sites and databases. A method that I discovered today in MySQL documentation struck me with its simplicity and the fact that I haven’t noticed it before. Let me describe this method of bypassing WAF. ...
posted @ Friday, November 06, 2009 3:43 AM |
|
 |
Brute force attacks by spammers seeking easy access causing frustration for users with no resolution in sight. At least once a day I see someone on Twitter broadcast that they have been “locked out of their Twitter account, temporarily.” A search for “locked out” returns thousands of tweets with a good mixture of some folks who’ve (amusingly) been locked out of apartments/houses/buildings and many that have been temporarily locked out of Twitter. The more technically savvy tweeters like Ray Valdes often mention that it is most likely the result of spammers and miscreants attempting to brute force their...
posted @ Thursday, November 05, 2009 3:27 AM |
|
 |
Infrastructure 2.0, from a purely developmental standpoint, is about APIs. It’s about offering up the functionality and capabilities of a wide variety of infrastructure – network, storage, and application network – to be externally controlled, integrated, and leveraged for whatever purpose a developer might dream up. It enables providers and enterprises alike to turn infrastructure functionality into services. Need compression? Caching? Routing? Load balancing? Via service-enabled management APIs these can become services, provisioned and released through the invocation of a service. When expanded to include the sharing of actionable data – performance statistics, status, availability of application...
posted @ Wednesday, November 04, 2009 3:18 AM |
|
 |
With just a few clicks you, too, can create a cloud computing environment. But if you’re like a lot of organizations, you may not know what to do with it after that. The latest version of Ubuntu Server (9.10) includes the Ubuntu Enterprise Cloud (UEC), which is actually powered by Eucalyptus. The ability to deploy a “cloud” on any server running Ubuntu is really quite amazing, especially given the compatibility of Eucalyptus with Amazon and the plethora of application images available for nearly immediate deployment. It supports both a public and private option, and a hybrid model, and...
posted @ Tuesday, November 03, 2009 5:30 AM |
|
 |
You can address the problem of converting smart quotes – and any other content - in your application if you control the code. What if you’re using third-party software for which you do not have the code? Or what if it is your code but the “defect” is so low on the priority list that you won’t get to it until the year 2020?
Dealing with Microsoft smart quotes is a fact of life for developers. Almost every developer out there has a server-side script/function they use to strip them out of user-generated content and replace them with web-friendly HTML...
posted @ Monday, November 02, 2009 3:03 AM |
|
 |
Cloud computing is, at its core, about using resources in the most operational and financially efficient manner possible. It’s about spreading resources around and sharing them to achieve greater scalability with fewer investments in hardware and software. But what if you aren’t moving to cloud? Or virtualization? Or perhaps you are, but the benefits won’t be really seen until you actually get enough resources shared across your organization. Isn’t there any other way to better utilize the resources you have now to improve the bottom line? Yes, yes, there is. And the best part is that these methods...
posted @ Thursday, October 29, 2009 3:30 AM |
|
 |
Carrying over the provisioning and capacity planning techniques used in a traditional data center to cloud computing negates the full power of the Force cloud computing. One of the benefits of cloud computing is supposed to be efficiency, particularly in the utilization of compute resources. Over-provisioning of compute resources has long been one way in which IT combats the need for scalability and availability of applications but this often leaves a large percentage of compute resources unused. The utilization rule once employed as a means to ensure availability and performance of applications, i.e. no device...
posted @ Wednesday, October 28, 2009 3:32 AM |
|
 |
Vertical scalability used to require optimizations inside the application, at the code level. Cloud computing changes the nature of vertical scalability and, one hopes, will lead to a new model of scalability based on the capabilities of Infrastructure 2.0 and increasingly granular resource management capabilities. RightScale recently offered up its own analysis of Amazon Usage Estimates and while the details they provide on Amazon usage from their vantage point is very interesting I found one of their related observations even more fascinating: In earlier days the predominant method of scaling was by...
posted @ Tuesday, October 27, 2009 3:13 AM |
|
 |
There is a common myth that the reason legacy code continues to run in businesses around the world is that no one understands it; that IT and businesses are afraid to replace it because they don’t know what it does. Once again, living in the mainframe capital of the world (the insurance industry heavy midwest), I get to talk to IT folks who deal with legacy software and hardware all the time. Do not doubt that they know exactly what that legacy software does and how it works, and perhaps frightening to proponents of change and the...
posted @ Monday, October 26, 2009 4:09 AM |
|
 |
Paul Miller, who pens Cloud of Data, had an interesting perspective during a chat this week on what effect infrastructure upgrade cycles might have on cloud computing adoption. Paul postulated that as these servers fail and organizations have to make the decision to replace or not replace them that cloud computing becomes a more viable option. That seems a reasonable assumption, especially if the primary reason organizations are evaluating cloud computing is driven by a desire to reduce costs. But in a recent post Paul posits this might not be the case, citing a recent ongoing study from Avanade in...
posted @ Friday, October 23, 2009 5:39 AM |
|
 |
Everyone has surely experienced the frustration of an overloaded desktop/laptop. You’ve just got too many apps open at one time and the performance of your machine has been slowly degrading to the point where you can select an application from the toolbar, run down to the local Starbucks, stop and chat with a friend, and return to find the application still not ready for use. The same thing happens on servers. Even though a web/application server is likely only running a few critical applications,...
posted @ Thursday, October 22, 2009 4:13 AM |
|
 |
“Where are you storing your data these days,” he asked casually after trying to come up with a better opening line but failing. “Ah, dahhling,” she drawled while gesturing in no particular direction with an almost deprecating wave of her hand. “The Cloud, where else?” Thanks to the nearly constant misapplication of the phrase “The Cloud” and the lack of agreement on a clear definition from technical quarters I must announce that “The Cloud” is no longer a synonym for “Cloud Computing”. It can’t be. Do not be misled into trying, it will only cause you...
posted @ Wednesday, October 21, 2009 3:12 AM |
|
 |
All the applause over Google’s Data Liberation Front announcement and blogs is making my head hurt. Or maybe that’s the lack of sleep. Either way, it’s disconcerting to me that so many bright people are choosing to make much of what is just a baby step – if that - toward a much larger, much more difficult goal. After all, data without an application to interpret and make use of it is about as useful as a Netbook without a network connection. There seems to suddenly be a lot of focus on “data” and the ability for...
posted @ Tuesday, October 20, 2009 3:14 AM |
|
 |
Mobile devices may still be somewhat awkward in terms of supporting rich, web-based applications but they are leaps and bounds ahead of most infrastructure in their ability to figure out where you are. GeoLocation technologies used to be used by load balancing solutions to address poor application performance across high-latency connections such as intercontinental and satellite links. While this is still an important variable in assuring application performance, especially for very large sites, GeoLocation is increasingly used to comply with legal restrictions on broadcasting, export of data and applications, and to provide more relevant information to users than...
posted @ Monday, October 19, 2009 4:15 AM |
|
 |
A lack of ability in the cloud to distinguish illegitimate from legitimate requests could lead to unanticipated costs in the wake of an attack. How do you put a price on uptime and more importantly, who should pay for it? A “Perfect Cloud”, in my opinion, would be one in which the cloud provider’s infrastructure intelligently manages availability and performance such that when it’s necessary new instances of an application are launched to ensure meeting the customer’s defined performance and availability thresholds. You know, on-demand scalability that requires no manual intervention. It just “happens” the way it should....
posted @ Friday, October 16, 2009 3:15 AM |
|
 |
Amazon’s ELB is an exciting mix of well-executed infrastructure 2.0 and the proper application of SOA, but it takes a lot of work to make anything infrastructure look that easy. The notion of Elastic Load Balancing, as recently brought to public attention by Amazon’s offering of the capability, is nothing new. The basic concept is pure Infrastructure 2.0 and the functionality offered via the API has long been available on several application delivery controllers for many years. In fact, looking through the options for Amazon’s offering leaves me feeling a bit, oh, 1999. As if load balancing hasn’t...
posted @ Thursday, October 15, 2009 3:50 AM |
|
 |
One of the benefits of Infrastructure 2.0 is connectedness: the ability to collect and share pertinent data regarding the health and performance of applications and infrastructure services. Based on that data a dynamic infrastructure can adapt on-demand and make decisions that respect real capacity limits, not artificial ones. Randy Hayes writes “The CapCal Blog”, and describes CapCal as being about “measuring the performance and scalability of web apps using real, production level workloads.” In A Very Delicate Load Balancing Act he discusses the impact of load balancing configurations on the capacity and performance of applications. ...
posted @ Wednesday, October 14, 2009 4:20 AM |
|
 |
Cloud offers an appealing “pay only for what you use” that makes it hard to resist. Paying on a per-usage hour basis sounds like a good deal, until you realize that your site is pretty much “always on” because of bots, miscreants, and users. In other words, you’re paying for 24x7x365 usage, baby, and that’s going to add up. Ironically, the answer to this problem is … cloud. Don and I occasionally discuss how much longer we should actually run applications on our own hardware. After all, the applications we’re running are generally pretty light-weight, and only see...
posted @ Tuesday, October 13, 2009 4:30 AM |
|
 |
Spectacular “cloud” failures over the past few weeks have raised the hue and cry for portability and interoperability across clouds for data. The problem is that the cry is based on the false assumption that a “cloud service” is the same as an “application service.” Apparently Microsoft felt Google and Amazon were getting too much attention with their recent outages and decided to join the game. The absolute loss of data for thousands lots and lots of T-Mobile Sidekick users is regrettable and yes someone needs to address such issues but that someone is not a standards group or...
posted @ Monday, October 12, 2009 9:06 AM |
|
 |
When an admin brags they can do some task with their eyes closed there may be hidden process inefficiencies that orchestration can uncover. But the orchestration in a public cloud is effectively done for you, with little opportunity to design based on your organization’s operational processes. Orchestration in a private cloud, however, is all up to you. I was doing the laundry a few weeks ago, folding the clothes before I took them upstairs and hung them up when I realized just what I was doing. What I had been doing for, well, a very long time...
posted @ Friday, October 09, 2009 3:11 AM |
|
 |
The term “Infrastructure 2.0” seems to be as well understood as the term “cloud computing.” It means different things to different people, apparently, and depends heavily on the context and roles of those involved in the conversation. This shouldn’t be surprising; the term “Web 2.0” is also variable and often depends on the context of the conversation. The use of the versioning moniker is meant, in both cases however, to represent a fundamental shift in the way the technologies are leveraged by people. In the case of Web 2.0 it’s about the shift toward interactive, integrated web applications used to...
posted @ Thursday, October 08, 2009 4:36 AM |
|
 |
Remember at trade shows oh, a few years back now, the “hot” vendor swag was 256MB USB keys. I’m sure many of you spent time trying to collect them as fervently as kids collect Pokémon cards (or whatever the CCG du jour may be). Just a few years later you’d have laughed if someone offered such a small key up as swag because disk had become so cheap they were probably dumping what was left in stock in those “claw-grab” games that promise big prizes for only 50 cents a try that are the bane of every parent I...
posted @ Wednesday, October 07, 2009 10:54 AM |
|
 |
The problem of AJAX, interstitial request patterns, and the effect on the performance and availability of your applications. There are several reasons why applications need to be scaled out but they all come down to essentially addressing the same core problem: resource consumption. In the case of networked applications this often means specifically TCP connection resources. Now most people don’t think of TCP connections as a resource, per se, but every web and application server has an upper limit to the number of TCP connections it can hold open at any given time. In some cases this...
posted @ Wednesday, October 07, 2009 3:53 AM |
|
 |
A question I often hear is “Why don’t you just move load balancing/application delivery into a virtual appliance model?” My answer is almost always “That’s the wrong question.” The question that should be asked is “What are the potential impacts to the infrastructure and application?” Because the whole point of deploying an application delivery solution – virtual appliance or hardware – is about improving some facet of the infrastructure in order to better deliver your applications. So in order to determine whether using a virtual appliance is a good idea or not you have to ask what the impacts might...
posted @ Tuesday, October 06, 2009 3:43 AM |
|
 |
Steve (apparently yes, we are on a first name basis) offers up his thoughts on developing APIs for the Cloud in “A Cloud Tools Manifesto.” While the inclusion of the word “manifesto” in the title raised quite the stir (“Manifestogate” is still fresh on the minds of many cloud-oriented people), what really caught my eye is his inclusion of a “mock endpoint” primarily for testing of API based integration and development. This is something that’s increasingly important not just to cloud but to Web 2.0 and social networking sites that provide APIs via which other sites and client applications can...
posted @ Monday, October 05, 2009 4:00 AM |
|
 |
Malicious links served up in a browser are OS agnostic. They don’t care about the OS because the target is people, not technology. In response to the problem of links and trust put forth in a recent post a reader replies that the answer to “evil links” is simply to run Linux instead of Windows: “the very best solution is to run something other than windows, and with ubuntu at its current state of maturity (and free-ness), why wouldn't you?” I won’t disagree with the assessment of Ubuntu and its current...
posted @ Friday, October 02, 2009 5:04 AM |
|
 |
There are few things in reality that can match The Gazebo in its ability to evoke fear and suspicion amongst gamers. The links on your web site may be one of them. In the history of Dungeons and Dragons there exists the urban legend known to all as “The Gazebo.” The Gazebo, over the years, has become a gaming euphemism for a situation in which people over analyze and overestimate the risk involved with interacting with some “thing”. In the case of The Gazebo the “thing” was, as you might guess, a gazebo. Yes, a simple wooden...
posted @ Thursday, October 01, 2009 4:07 AM |
|
 |
Are you monitoring the network, servers, stack, or the application? The answer may mean the difference between your application being available or not. One of the biggest problems with moving away from simple load balancing to application delivery is that network teams don’t often get the memo and the application teams don’t have a good understanding of what load balancers can do so they can’t even offer suggestions regarding how to architect a better solution to availability. That means neither team really understands the role of health monitoring in maintaining availability for applications. What should happen...
posted @ Wednesday, September 30, 2009 3:25 AM |
|
 |
Operational efficiency in the cloud comes in part from automation and orchestration as well as from the outsourcing of management and maintenance of the hardware. While you can’t achieve the latter without cloud or hosting externally, you can realize a lot of the same efficiencies in a traditional architecture just by leveraging existing collaborative capabilities of infrastructure 2.0. Glenn Gruber of Software Industry Insights in “Who’ll Be the First to Offer Cash for Infrastructure” (which is a great read in general) says: And for those who are thinking about evaluating a private cloud...
posted @ Tuesday, September 29, 2009 4:12 AM |
|
 |
If one of the drivers for moving to cloud-based applications is reducing costs, you should think twice about the placement of application security solutions. There’s almost no way to avoid an argument on this subject so I won’t tiptoe around it: web application security in the cloud is better accomplished at the edge, with a web application firewall or similar solution, than it is inside the cloud in the application. This is true regardless of whether the cloud model is public or private; basically if you’re being charged on a per-usage basis then placement of web application security...
posted @ Monday, September 28, 2009 3:50 AM |
|
 |
We interrupt your regularly scheduled dose of geek for a brief but important message
Every year a variety of application delivery vendors sit around, wringing their hands, waiting for Gartner to release its latest Magic Quadrant for Application Delivery Controllers. No matter how much weight you personally put on Gartner’s – or any other analyst firm’s – opinion on the subject of who is and is not a leader, there is plenty of evidence to prove out the belief that if you aren’t at least on the Magic Quadrant you aren’t even getting your foot in the door...
posted @ Friday, September 25, 2009 10:15 AM |
|
 |
Infrastructure 2.0 requires collaboration. Collaboration requires the ability to communicate. The ability to communicate requires integration. But how that integration will happen may shape the future of infrastructure and network architecture. There is a growing recognition of the basic problems associated with the rapid rate of change inherent in on-demand architectures (cloud) and the complexity that comes from virtualized data centers. Challenges such as IP address and application management, visibility, and last but not least, integration. Yes, that most dreaded of all technology concepts has finally come to the network. The...
posted @ Friday, September 25, 2009 3:43 AM |
|
 |
Back in the day when I was actually allowed to write code for customers the pat answer to any code being returned from QA because of problems was a flat “but it works on my machine.” Alright, alright, I’ll be honest; it wasn’t flat at all, it was usually a plaintive whine. This isn’t an uncommon scenario as differences in environments and interactions with other applications may be enough to cause problems on one machine and not another. Troubleshooting such subtle issues was painful, to say the least, and not something anyone wanted to do. Now comes the time...
posted @ Thursday, September 24, 2009 3:37 AM |
|
 |
Understanding the various types of load balancing
When someone says “load balancing” the immediate reaction is usually to think of pools of servers and applications being load balanced to provide high-availability for massive sites like Amazon or Google or Facebook. But there’s a couple of other types of load balancing that deserve to be recognized because although they sit in the shadow of “load balancing” they are often invaluable assets to network and application architects attempting to ensure availability and adherence to service level agreements.
Link Load Balancing
Link load balancing is the...
posted @ Wednesday, September 23, 2009 4:15 AM |
|
 |
Business critical internal processing systems often require high-availability and fault tolerance, too. Load balancing and application delivery is almost always associated with scaling out interactive, web-based applications. Rarely does anyone think about load balancing and application delivery in batch processing systems even when those systems might be critical to the business they are supporting. But scaling out non-interactive processing systems and providing high-availability to such critical systems is just as easily accomplished for an application delivery controller (ADC) as it is to scale out an interactive web-based application. Maybe easier. When that system also requires a...
posted @ Tuesday, September 22, 2009 4:06 AM |
|
 |
Isolation of resources in “the cloud” is moving providers toward hosted data centers and away from shared resource computing. Do we need to go back to the future and re-examine mainframe computing as a better model for isolated applications capable of sharing resources? James Urquhart in “Enterprise cloud computing coming of age” gives a nice summary of several “private” cloud offerings; that is, isolated and dedicated resources contracted out to enterprises for a fee. James ends his somewhat prosaic discussion of these offerings with a note that this “evolution” is just the beginning of a long process. ...
posted @ Monday, September 21, 2009 3:21 AM |
|
 |
There’s more than one way to address the rapid rate of change in infrastructure supporting a dynamic environment. We spend a lot of time talking about how software and systems and standards are the ultimate solution to addressing the rapid rate of change in the association between applications and IP addresses in a dynamic infrastructure. But sometimes you have to look down the stack to find a simpler, more economical and honestly, elegant, answer to the challenge of managing the problem associated with virtualized and cloud computing architectures. We need to take another look at the link layer...
posted @ Friday, September 18, 2009 3:19 AM |
|
 |
Commoditized from solution to feature, from feature to function, load balancing is no longer a solution but rather a function of more advanced solutions that’s still an integral component for highly-available, fault-tolerant applications.
Unashamed Parody of Monty Python and the Holy Grail
Load balancers: I'm not dead.
The Market: 'Ere, it says it’s not dead.
Analysts: Yes it is.
Load balancers: I'm not.
The Market: It isn't.
Analysts: Well, it will be soon,...
posted @ Thursday, September 17, 2009 4:00 AM |
|
 |
AJAX enables the use of network-side scripting enabled application delivery solutions to offload client-side functionality and improve capacity and performance of dynamic (Web 2.0/AJAX) applications. In the last couple of weeks I’ve embarked on a home project to rewrite – from scratch – a couple of web applications that Don and I and friends use on a regular basis. Consider it a very restricted (in terms of users) social networking application, because that’s basically what it is. I made heavy use of AJAX for one component in the past version but have been really leveraging it a lot more...
posted @ Wednesday, September 16, 2009 5:02 AM |
|
 |
Are you load balancing servers or applications? Network traffic or application requests? If your strategy to application availability is network-based you might need a change in direction (up the stack). Can you see the application now? Network load balancing is the distribution of traffic...
posted @ Tuesday, September 15, 2009 4:16 AM |
|
 |
How Infrastructure 2.0 might leverage publish-subscribe technology like PubSubHubbub to enable portability of applications across clouds and data centers
Tower of Babel by Pieter Bruegel the Elder. One of the topics surrounding cloud computing that continues to rear its ugly head is the problem of portability across clouds. Avoiding vendor lock-in has been problematic since the day the first line of proprietary code was written and cloud computing does nothing to address this. If anything, cloud makes this worse because one of its premises is that users (that’s you, IT staff) need not...
posted @ Monday, September 14, 2009 3:45 AM |
|
 |
Sharing is core to a successful cloud implementation but not something every organization does well. How do you encourage business stakeholders to play well with others? In most definitions of “cloud computing” there lies a central, key component: shared resources. It is the sharing of resources, in fact, through which many of the benefits of reduced operating expenses are supposed to be achieved. It is the sharing of resources – or perceived inability to share resources – that confounds some folks when discussing private cloud, although there are several ways in which sharing of resources can...
posted @ Friday, September 11, 2009 4:01 AM |
|
 |
Infrastructure 2.0 is not just about automation, but rather is about the orchestration of processes, which are actually two different things: the former is little more than advanced scripting, the latter requires participation and decision making on the part of the infrastructure involved. Automation is the process of codifying – usually through a scripting language but not always – a specific task. This task usually has one goal, though it may have several steps that have to be performed to accomplish it. An example would be “bring this server down for maintenance.” This may require quiescing connections...
posted @ Thursday, September 10, 2009 9:45 AM |
|
 |
Logs are for auditing, accountability, and tracking down offenders – not for providing real-time security
A new law signed into effect in February 2009 requires that health care providers and organizations subject to HIPAA notify affected customers in the event of a breach affecting more than 500 records. There was very little discussion of this new requirement in the blogosphere which was surprising given this statement hidden amongst one of the few articles on the subject. Dominique Levin, executive vice president of marketing and strategy for log management vendor LogLogic, told SCMagazineUS.com...
posted @ Wednesday, September 09, 2009 3:24 AM |
|
 |
A load balancing algorithm can make or break your application’s performance and availability
It is a (wrong) belief that “users” of cloud computing and before that “users” of corporate data center infrastructure didn’t need to understand any of that infrastructure. Caution: proceed with infrastructure ignorance at the (very real) risk of your application’s performance and availability. Think I’m kidding? Stefan’s SOA & Enterprise Architecture Blog has a detailed and very explanatory post on Load Balancing Strategies for SOA Infrastructures that may change your mind. This post grew, apparently, out of some (perceived) bad behavior on...
posted @ Tuesday, September 08, 2009 4:11 AM |
|
 |
There is no reason in a modern web application for users to see a white error page
Sightings of the Twitter “fail whale” are, these days, fewer and far between. That’s a good thing. What’s interesting is that when it does show up, users are almost amused – as if they’re glad to see an old friend. I mean, come on; Twitter’s users named the whale, for crying out loud. How many of your users have a fan club for your error pages? Exactly. That’s the kind of reaction you want from HTTP errors but what you...
posted @ Thursday, September 03, 2009 2:52 AM |
|
 |
Why would miscreants bother with other routes when they can go straight to the source? People concerned with security of the cloud are generally worried about illegitimate access of the applications and data they may deploy in the cloud. That’s a valid concern given the needs of certain vertical industries to comply with privacy-focused regulations like HIPAA and PCI DSS. It’s an extremely valid concern given research and studies showing just how vulnerable most web sites and applications are. Hint: it’s more than you probably think it is, and it’s likely your application is vulnerable...
posted @ Tuesday, September 01, 2009 3:32 AM |
|
 |
F5 and VMware demonstrate live migration of a virtualized application across clouds without downtime or user disruption
Cloud is reaching the peak of possibilities and that (often) means just more paper solutions. You know the ones; the ones that exist only on paper (or in blogs as the case may be). Those paper solutions need to exist because the ideas need to come first either out of necessity, i.e. to solve a specific problem, or out of a desire to find new ways to leverage emerging technology, like virtualization. But still, you’d like to see some of these...
posted @ Monday, August 31, 2009 4:33 AM |
|
 |
How to leverage a “private virtual cloud” such as Amazon VPC with your own dynamic infrastructure
A couple of blog posts on Amazon’s recent announcement of its VPC (Virtual Private Cloud) have made much of the fact that the resources available within Amazon’s cloud via VPC aren’t public. These same commentaries seem to believe that this makes the resources not very valuable. One author called it a “terrible” implementation because “users can’t expose clients to the internet and can’t assign them IP addresses.” I understand how some might reach that conclusion if they...
posted @ Monday, August 31, 2009 3:48 AM |
|
 |
DNS wasn’t meant to handle hybrid cloud architectures and on-demand routing
When you start distributing services (workloads, applications) across multiple locations, a la cloud balancing, and those locations may change on a frequent basis you begin to run into problems with finding those services and scaling the rate of change effectively. DNS was designed to resolve host names, but never expected that the same host name might resolve to one of two, three, or four IP addresses all within the span of five minutes. If we want to support a rapid rate of change, we’d...
posted @ Friday, August 28, 2009 4:29 AM |
|
 |
Cloud changes how we deliver applications but we’re still delivering applications
With all the hype around cloud it’s easy to get caught up in deployment models and architectures and how much money it is/is not going to save us and, of course, with the cool factor that always surrounds such innovation. But when we get our heads too far up in the clouds we forget what we’re really doing: delivering applications. Whether it’s thin-client, fat-client, browser-based, client/server, three-tier, n-tier, traditional, .NET, Java EE, or cloud we are still all focused on the same goal: deliver an application. ...
posted @ Thursday, August 27, 2009 3:57 AM |
|
 |
Secure, optimized tunnels to a remote site, e.g. the cloud. Haven’t we been here before? In the continuing discussion around Business Intelligence in the cloud comes a more better (yes I did, in fact, say that) discussion of the reasons why you’d want to put BI in the cloud and, appropriately, some of the challenges. As previously mentioned, BI data sets are, as a rule, huge. Big. Bigger than big. Ginormous, even. One of the considerations, then, if you’re going to leverage a cloud-based business intelligence offering – or any offering in which very, very large data sets/files...
posted @ Wednesday, August 26, 2009 3:47 AM |
|
 |
Cloud providers know the secret to a successful cloud computing implementation is integration between the infrastructure and virtualization
Ever notice that cloud providers are v e r y reluctant to reveal on what foundation their cloud computing architectures are laid? Most providers don’t want to share their “secret sauce” because, well, then everyone else could get into the game as well. While it is certainly true that the infrastructure – and specifically the application delivery infrastructure – you choose to lay the foundation for a cloud computing architecture can affect your ability to succeed and innovate...
posted @ Tuesday, August 25, 2009 10:17 AM |
|
 |
The real power behind cloud is processes, and those don’t come out of a box
VMworld, in case you’ve been out of touch, is approaching fairly quickly. As with any trade show/conference there’s likely to be a lot of announcements about this and that and oh, of course, that too. What is interesting about cloud computing and virtualization is that most of the really exciting announcements are not going to be about new products or new features. You heard me, they aren’t going to be about new products or features. The foundations for cloud...
posted @ Tuesday, August 25, 2009 3:41 AM |
|
 |
Survey says IT still doesn’t agree on the definition of cloud – private or public – but everybody is doing it
Every organization with a stake in cloud computing’s predicted billions of dollar market is interested in understanding what it is IT wants – and needs – for cloud. The only way to find out, in most cases, is to ask. So ask we did. We asked 250 IT managers, network architects and cloud service providers not only about how they define cloud computing, but how widespread adoption of the disparate models of cloud really...
posted @ Monday, August 24, 2009 7:32 AM |
|
 |
You’re going to need a dynamic infrastructure lest you effectively negate the gains achieved by higher VM densities
In the continuing saga of “do more with less” comes a new phrase that’s being tossed around: VM density. For example, VMware puts forth the notion that the Total Cost of Ownership (TCO) of virtualization technology must consider VM density, saying, “Density matters in a many-to-one relationship.” VMware illustrates this concept in the context of TCO, but in general an increasing number of solutions are beginning to tout not only the benefits of higher VM density, but of their solution’s ability...
posted @ Monday, August 24, 2009 4:07 AM |
|
 |
Just what is the bandwidth of a van full of hard drives traveling 300 miles at a speed of 65 mph? After a short Twitter discussion based on this post which suggested Ye Olde Sneakernet is the best way to transfer large data sets from the enterprise to the cloud (which is, unfortunately, not as uncommon a suggestion from cloud providers as you might think) I was dared to compute the actual bandwidth of said sneakernet (probably because I said I had the urge to do just that, but is that really important? I didn’t think so.) ...
posted @ Friday, August 21, 2009 4:00 AM |
|
 |
Why do application delivery vendors talk about both? Aren’t they the same thing? In general, acceleration implies that something will be done to the application: caching, compression, etc… The actual behavior of the application is changed such that the client may need to participate in the acceleration. Acceleration is technically speaking disruptive in the sense that it requires participation of client, intermediary, and often the server. This generally takes a form that leverages existing standards, a la caching, such that no changes need be made to clients or servers, but the behavior of the application and its...
posted @ Thursday, August 20, 2009 6:00 AM |
|
 |
Idle resources will always need to exist, especially in a cloud architecture
With IT focused on efficiency – for reduction in operating expenses and in the interests of creating a greener computing center – there’s a danger that we’ll attempt to achieve 100% efficiency. You know, the data center in which no compute resources are wasted; all are applied toward performing some task – whether administrative, revenue generating, development cycles, or business-related – and no machine is allowed to sit around idle. Because, after all, idleness is the devil’s playground, isn’t it? But before...
posted @ Wednesday, August 19, 2009 3:17 AM |
|
 |
Amazon EC2 and S3 are no more or less safe than they were last week despite hype around PCI compliance admission
The recent admission/announcement that “Amazon EC2 is not PCI compliant” (this is not exactly true, but we’ll get to that later) has set off a rush of blogs, articles, and tweets that say, in effect, EC2 is no longer “safe”. But a lack of compliance does not make Amazon any less safe than achieving PCI compliance makes a site more safe. Ladies and gentlemen of the Internet, I submit as proof the...
posted @ Tuesday, August 18, 2009 3:29 AM |
|
 |
I was recording a podcast last week on the subject of cloud with an emphasis on security and of course we talked in general about cloud and definitions. During the discussion the subject of “private cloud” computing was raised and one of the participants asked a very good question: “Some of the core benefits of cloud computing come from shared resources. In a private cloud, where does the sharing of resources come from?” I had to stop and think about that one for a second, because it’s not something I’ve really thought about before. But it was...
posted @ Monday, August 17, 2009 3:34 AM |
|
 |
Without processes the cloud is not a cloud
So you’ve virtualized your application infrastructure using VMware or Microsoft or the “virtualization solution du jour.” You probably also virtualized the application access via an application delivery solution so you can provide scalability on-demand. You might have even virtualized your storage to make it more efficient. Basically, you’re all ready to go and operators are standing by … And therein lies the problem: operators are standing by. The on-demand piece of your little private cloud is almost entirely managed by human beings, which means...
posted @ Friday, August 14, 2009 3:17 AM |
|
 |
Simultaneously one of the best use-cases for cloud as well as the worst. What’s IT to do? David Linthicum, SOA and cloud pundit and all-around interesting technology guy, recently pointed out a short post on business intelligence (BI) vendors joining forces with the cloud to offer cloud-based BI services. Four open-source and proprietary vendors on Wednesday announced a new partnership resulting in a cloud-based BI (business intelligence) stack. Jaspersoft and Talend will respectively lend their open-source BI and data-integration technologies to the integrated offering, which also employs Vertica's analytic database...
posted @ Thursday, August 13, 2009 4:58 AM |
|
 |
Back when I was developing GIS data translation software I had to fight security all the time. My desktop was so locked down I couldn’t compile the code because I didn’t even have appropriate permission to access the file system. Why? The guy in charge of security was so paranoid about someone doing something they shouldn’t that he completely missed the other half of his responsibility: ensuring people had access to data and information and systems to which they legitimately had a need to access. The potential impact of a data/security breach is so high these days that...
posted @ Wednesday, August 12, 2009 3:45 AM |
|
 |
When it comes to availability, coding a solution is just delaying the inevitable
Jonathan Howell, in Five Things That Will Kill Your Site – an excellent read, by the way, for all web application developers – asserts that there are several ways to avoid web application death that do not require the implementation of “expensive redundant hardware with top of the line load balancers and an enterprise class SAN.” In general he’s got some good advice to which application developers should pay attention, but I had to disagree with his assertion that a solution to provide graceful degradation...
posted @ Tuesday, August 11, 2009 3:56 AM |
|
 |
Why Carr’s analogy doesn’t describe today’s cloud environments and how SOA can get us closer to what he describes
Back when cloud first started drifting in to obscure the computing landscape there were a lot of parallels drawn between it and grid, and a lot of analogies used to explain the concept behind it. Cloud computing is most often analogized using Nicholas Carr’s analogy of the cloud as an electrical grid; that’s always bothered me at almost a visceral level. But I could never articulate why well enough and a lot of smart people told me that if I...
posted @ Monday, August 10, 2009 3:57 AM |
|
 |
If they can take down Twitter via DNS, they can take your site, too.
Everyone is talking about the DoS (Denial of Service) attack on Twitter but most of them are missing what really happened. We’re so used to defending against HTTP-based DoS attacks that we’ve missed that it’s much easier to DoS a site based on the most critical piece of infrastructure on the Internet: DNS.
If you really wanted to take out a site like Twitter or Facebook using an HTTP-based DoS it would take a whole lot of serious traffic because those sites are designed and architected...
posted @ Thursday, August 06, 2009 2:40 PM |
|
 |
This isn’t all or nothing – focus on the right cloud model for each application and not the entire data center
There’s a lot of discussion about why you should choose one cloud computing model over another and all of them miss the point entirely. This isn’t a mutually exclusive deal; it doesn’t have to be just one model chosen. In fact it shouldn’t be. Data centers aren’t comprised of single types of applications. There’s custom applications, deployed sometimes on well-known packaged platforms and in other cases on open source or lesser known platforms. There’s packaged...
posted @ Thursday, August 06, 2009 4:31 AM |
|
 |
For some companies there’s never been a quantifiable financial impact from attacks. Cloud may change that. One of the frustrations with information security is that it’s always difficult – if not impossible – to quantify risk. Without the ability to quantify risk, it’s often the case that solutions that would mitigate the risk are left unimplemented because there’s no way to prove that the risk would turn into a breach, downtime, or other revenue impacting incident. Take the recent PayPal outage. Estimates are that the hour of downtime for the payment processing king might have...
posted @ Wednesday, August 05, 2009 3:37 AM |
|
 |
Ever wanted to prove or understand how the network impacts productivity? There is a formula for that… We often talk in abstract terms about the effects of application performance on productivity. It seems to make sense that if an application is performing poorly – or unavailable – that it will certainly affect the productivity of those who rely upon that application. But it’s hard enough to justify the investment in application acceleration or optimization without being able to demonstrate a real impact on the organization. And right now justification is more of an issue than it’s ever been. ...
posted @ Tuesday, August 04, 2009 4:15 AM |
|
 |
If you happened to read my post this morning (WILS: Applications Should Be Like Sith Lords) you might be wondering if the cat got my tongue this morning or if perhaps I’ve lost the ability to ramble on write passionately about application delivery. When you’ve spent as many years as I have writing for a living you learn how to expand on a subject. Sometimes you have to, especially when you really only have about 500 words worth of insight to share but need to fill 1500 words of space on a page. I can be long...
posted @ Monday, August 03, 2009 4:52 AM |
|
 |
When you’re thinking about deploying an application it would be good to remember Yoda’s words regarding the Sith: Always two there are, a master and an apprentice.
ALWAYS TWO THERE ARE
Like Sith Lords, there should always be two instances of any given application available. Just in case. And that doesn’t mean two virtual servers – unless each one is on a different piece of hardware. If you want to ensure availability then you absolutely must not confine your application to one piece of hardware. ...
posted @ Monday, August 03, 2009 4:26 AM |
|
 |
The concept of a server needs to go the way of the dodo
One of the reasons I enjoy Twitter is that quite frequently – if you’re following the right people – you’ll see a tweet that is absolutely profound despite its simplicity and the constraints placed upon the author. Recently we were having a mini-discussion on Twitter regarding the definition of availability that elicited just such a golden nugget from botchagalupe: “Apps designed for a cloud should remove the ‘server’ concept.” First, I really like the use of the article “a” in...
posted @ Friday, July 31, 2009 3:41 AM |
|
 |
The importance of a full-proxy architecture to application delivery, security, cloud computing, and virtualization
People often describe the act of changing focus from one related but distinct task to another as “wearing two different hats.” Like moving from “developer” to “administrator” when you’re trying to deploy an application in a testing environment. You’re the developer, but then you have to “switch gears” and become a server administrator in order to ensure that the application server and its environment are configured properly before you can actually test the application you just wrote. But the metaphor...
posted @ Thursday, July 30, 2009 4:07 AM |
|
 |
Context, it’s always about context (or the lack thereof)
I received a call recently that most people have probably received: our banking institution just wanted to verify that yes, that was Don or I making purchases at midnight in Wisconsin and then later in Indiana and yet again that afternoon in Ohio. That’s a good thing, I’m sure, as they’re just trying to watch our back. But later in the day I tried to make a purchase and was, horror of horrors, denied. The bank, when called, seemed matter-of-fact about the situation. The security flag hadn’t been...
posted @ Wednesday, July 29, 2009 4:34 AM |
|
 |
Availability means more than the dread “d” word
The focus on making servers unhackable to prevent service disruption (that’s such a politic way of saying the dread “d” word – downtime) is admirable but exposes the tendency of technical folks to go down rat holes when discussing application delivery challenges and specifically the challenge of assuring availability of applications and services. What generally seems to happen when we start talking about availability in the cloud is that we go down the rat hole of talking specifically about the cloud and not applications deployed...
posted @ Wednesday, July 22, 2009 2:57 AM |
|
 |
The “replace” in “rip and replace” essentially means getting rid of old security problems and replacing them with new ones. Twittergate is (thankfully) behind us but it’s almost assuredly going to be the case that we’ll be rehashing this one for a while. This certainly isn’t the first time Twitter and security issues have clashed, and as in the past Twitter (and really any very public application in a similar situation) is the clear loser. And of course there comes the unsolicited advice offered regarding what Twitter needs to do to address its security issues. I am, of...
posted @ Monday, July 20, 2009 3:43 AM |
|
 |
Is ESB just an expensive integration hub or is there more to the story than we heard… In the beginning, the ESB (Enterprise Service Bus), was marketed as much more than an integration technology. While the core of an ESB is certainly about connectivity between services, there was – and still is – so much more to an ESB than just integrating disparate protocols and technologies. Transformation, parallel processing, content based routing, and service orchestration are among the more useful and beneficial capabilities of an ESB. That’s why it was somewhat surprising to see the CTO of...
posted @ Friday, July 17, 2009 3:26 AM |
|
 |
First, everyone needs to calm down. Twitter.com itself was not breached. According to Evan Williams as quoted in a TechCrunch article, the attack did not breach Twitter.com or its administrative functions, nor were user accounts affected in any way. So everyone can just stop with the “Twitter needs to revamp its security!” and “Twitter isn’t secure” headlines and articles because it’s not only blatantly wrong, it’s diverting attention that should be devoted to the real problem: e-mail and account self-service.
THE E-MAIL FACTOR
What was compromised remains somewhat of a mystery. Following through the...
posted @ Thursday, July 16, 2009 2:58 AM |
|
 |
One of the interesting points that discussions around intercloud brings up is the need for infrastructure to, if you’ll pardon the use of marketing jargon, align with the business. What that really means is that applications and their supporting infrastructure need to be more business-aware. Thing is you don’t really need intercloud or even cloud or even virtualization for many of these business-aware capabilities. They are certainly a boon, but solutions that include application delivery functionality don’t need to wait for a fully-baked cloud or intercloud implementation. Consider, for example, the potential of business-layer load...
posted @ Wednesday, July 15, 2009 3:55 AM |
|
 |
Apparently if you’re attending the USENIX Security conference (August 12-14, 2009, in Montreal, Canada) you can participate in the Security Grand Challenge. What is that, you ask? Here’s how the organizers describe it: The concept is very simple. The participant teams will have to use their science and technical skill to create an environment where a server can function with integrity and minimum required service levels even when under attack. On the day of the competition, each participant team will receive a virtualized server, with a number of services. The services might...
posted @ Tuesday, July 14, 2009 2:59 AM |
|
 |
No, that isn’t a homophonic mistake. Dan directed my attention to an interesting article recently, “Are 3-tier web architecture models too rigid?” in which the author postulates that “maybe it is time to finally break out of the old 3-tier web architecture box and retire the concept…” In addition to a great mention of F5 and an “application delivery tier” in web architecture models (the concept of which deserves its very own blog post), the author inadvertently, I think, brings to the fore one of the reasons SOA might have failed to dominate the world: service...
posted @ Monday, July 13, 2009 3:22 AM |
|
 |
Without availability scalability is irrelevant
I really enjoyed Jeff Atwood’s recent blog on Scaling Up vs Scaling Out, which includes a fairly detailed comparison of the costs associated with each approach to scalability. I enjoyed it because not only did it take into consideration the cost of hardware, but also remembered to include the cost of software licensing. And of course there’s the fact that Jeff’s site is focused on development and coding, and this discussion broadened the discussion into the realm of application networking – a demesne of which I am of course particularly fond. ...
posted @ Friday, July 10, 2009 3:38 AM |
|
 |
So once we have the intercloud, what are we going to do with it? Some debate is heating up, at least on Twitter, about a variety of cloud-related topics. As James Urquhart pointed out in his “Three debates that will benefit cloud computing” debate is good, because it fuels innovation and drives markets forward. One of the things that’s frustrating about new technology and concepts is that terminology often confuses the discussion. We periodically still see discussions – and debates – around the definition of cloud computing, after all, so that shouldn’t be surprising at all....
posted @ Thursday, July 09, 2009 3:15 AM |
|
 |
Using network-side scripting to remove client-side cookies
@quine overheard an interesting question that he offered via Twitter regarding cookies and BIG-IP. Specifically someone was wondering whether BIG-IP automatically removes cookies from the browser. Our team had a quick discussion because the question isn’t as straightforward as it first appears. On the surface the answer is an unequivocal “no”, because for an intermediary to just arbitrarily remove cookies would be a Very Bad Thing. But the ability to manipulate cookies is certainly something you can do using iRules, and if you implemented such functionality then the...
posted @ Wednesday, July 08, 2009 3:43 AM |
|
 |
Smashing Magazine has a cool “cheat sheet” for those interested in the ongoing development of HTML 5. Of interest is what’s being excluded and what’s new, as well as the length of time it’s going to take before HTML 5 is completely supported: XHTML is dead, long live HTML 5! According to W3C News Archive, XHTML 2 working group is expected to stop work end of 2009 and W3C is planning to increase resources on HTML 5 instead. And even although HTML 5 won’t be completely supported until 2022, it doesn’t mean that it won’t...
posted @ Tuesday, July 07, 2009 4:06 AM |
|
 |
Can intercloud intelligence eliminate the impact of intercontinental latency? Ken has always posited that it would be not only kewl but highly efficient if your data center could “follow the sun.” We all know that application performance is affected – positively and negatively – by distance. So if you’re a global organization with one primary data center that means some folks are going to have to settle for poorer application performance. That pesky speed of light law absolutely must be obeyed, for now at least, and intercontinental traffic has high latency, period. So let’s introduce the...
posted @ Monday, July 06, 2009 3:10 AM |
|
 |
Can the inherent abstraction of virtualization succeed where SOA did not? My first read through a post on the Cloud Front Office led me to scoff disdainfully at the re-emergence of a concept central to a successful SOA implementation: the service catalog. Oh, we called it "registry" and then "registry/repository (reg/rep)" and finally "governance" but the concept behind it was exactly the same. Take a gander at the description of a cloud service catalog apparently growing out of discussions that began at Structure 09: Last week I attended Structure 09, one of the...
posted @ Thursday, July 02, 2009 3:39 AM |
|
 |
The importance of stress-testing in production
Everyone is still a-twitter over the problems the web experienced last week right after the news of Michael Jackson’s death. There have been numerous stories on the fact that the Internet nearly fell over itself and died under the strain of trying to support the rush of millions of users as they queried, clicked, watched video, read blogs and news reports on the subject. The Internet itself, of course, was just fine. The infrastructure comprising our electronic highway was humming along, routing packets happily here and...
posted @ Wednesday, July 01, 2009 4:14 AM |
|
 |
The concept of an “intercloud” is floating around the tubes and starting to gather some attention. According to Greg Ness you can “Think of the intercloud as an elastic mesh of on demand processing power deployed across multiple data centers. The payoff is massive scale, efficiency and flexibility.” Basically, the intercloud is the natural evolution of global application delivery. The intercloud is about delivering applications (services) from one of many locations based on a variety of parameters that will be, one assumes, user/organization defined. Some of those parameters could be traditional ones: application availability, performance, or user-location. Others...
posted @ Tuesday, June 30, 2009 3:25 AM |
|
 |
Somebody has to be first
Recently Microsoft came up with a solution, supported natively in IE8, to protect against clickjacking attempts. Apparently some folks have decided that because Microsoft has a history of implementing proprietary solutions that this one, too, must be proprietary. These same folks must also have very little understanding of today’s web application architectures, as they declared the solution pretty much useless based on some pretty poor assumptions regarding the implementation of said solution. As noted in the Register, “some critics have contended the protection [X-FRAME-OPTIONS custom HTTP header] will be ineffective because...
posted @ Monday, June 29, 2009 3:15 AM |
|
 |
I was chatting with my mother a couple weeks ago about cloud (she’s a used-to-be programmer turned project manager for a Fortune 500. Don’t look at me like that, I keep telling you it runs in the family) and one of the problems she lamented about was that folks don’t seem to understand how entrenched COBOL and the mainframe are in the organization. It’s so entrenched that given the choice between a client-server application and a COBOL application that did the same thing they chose the COBOL program because it was less expensive and they had the knowledge on staff...
posted @ Friday, June 26, 2009 2:50 AM |
|
 |
Whether you are aware of it or not, if you’re deploying applications in the cloud or building out your own “enterprise class” cloud, you’re going to be using load balancing. Horizontal scaling of applications is a fairly well understood process that involves (old skool) server virtualization of the network kind: making many servers (instances) look like one to the outside world. When you start adding instances to increase capacity for your application, load balancing necessarily gets involved as it’s the way in which horizontal scalability is implemented today. The fact that you may have already...
posted @ Thursday, June 25, 2009 3:14 AM |
|
 |
But browser support is only half the solution, don’t forget to implement the server-side, too. Clickjacking, unlike more well-known (and understood) web application vulnerabilities, has been given scant attention despite its risks and its usage. Earlier this year, for example, it was used as an attack on Twitter, but never really discussed as being a clickjacking attack. Maybe because aside from rewriting applications to prevent CSRF (adding nonces and validation of the same to every page) or adding framekillers there just haven’t been many other options to prevent the attack technique from being utilized against...
posted @ Tuesday, June 23, 2009 3:27 AM |
|
 |
I am not a number, I am a free man! – "The Prisoner", sampled by Iron Maiden (edited because geeks are picky and well, they're right even though I always think of Maiden and Eddie first before getting to the actual origins)
We, meaning everyone who deals with technology for a living, know that the move to IPv6 is inevitable. We simply must migrate in order to maintain the scalability of the Internet and its infrastructure. Well, we could continue to use technologies like NAT and SNAT in order to conserve IPv4 addresses, but really that’s just not practical...
posted @ Monday, June 22, 2009 3:54 AM |
|
 |
The inclusion of a web server gives attackers clear line-of-sight to their targets
There’s been a few articles on Opera Unite that have called into question the security of the decision to include a web server with the browser. Most of those discussions have centered around the ability to muck with files not intended by the host to be shared, but given current infection techniques there’s a far greater danger to Opera: mass injection attacks. As is often pointed out, current attack techniques are not necessarily targeting web sites per se, but are intended to infect...
posted @ Friday, June 19, 2009 3:56 AM |
|
 |
You can’t differentiate until you do something different
Gartner analyst and cloud pundit Lydia Leong reminds us that without differentiation, all clouds look pretty much the same. “These are traits that it doesn’t take a genius to think of. Most are known requirements established through a decade and a half of hosting industry experience. If you want to differentiate, you need to get beyond them.” [emphasis added] She lists traits common to most cloud providers: premium equipment, VMWare-based, private VLANs, private connectivity, and co-located dedicated gear but doesn’t really get into...
posted @ Thursday, June 18, 2009 2:40 AM |
|
 |
One of the tasks of an enterprise architect is to design a framework atop which developers can implement and deploy applications consistently and easily. The consistency is important for internal business continuity and reuse; common objects, operations, and processes can be reused across applications to make development and integration with other applications and systems easier. Architects also often decide where functionality resides and design the base application infrastructure framework. Application server, identity management, messaging, and integration are all often a part of such architecture designs. Rarely does the architect concern him/herself with the network infrastructure, as that is...
posted @ Wednesday, June 17, 2009 4:07 AM |
|
 |
Two steps forward, three steps back
Every time there is a major shift in technology thought about architecture the question of how it will and should impact infrastructure arises. When SOA was the “next great thing” there was a spate of announcements regarding how infrastructure would not only support it but integrate into its ecosystem. This time it’s virtualization, and its impact on infrastructure both from a support standpoint and usage is getting a lot of mindshare. In a recent announcement around virtual network infrastructure Om Malik of GigaOm has some interesting commentary: As...
posted @ Tuesday, June 16, 2009 3:27 AM |
|
 |
How to optimize compute resources in a heterogeneous environment using weight/ratio-based load balancing
Unless you’re starting from scratch your data center is full of physical servers of various and sundry sizes, colors, shapes, and compute resources. And even if you’re starting from scratch and you have beautiful racks of everything the same, it’s not likely to stay that way if for no other reason than, well, hardware moves on at an astonishing rate these days. So you’ve almost certainly got (or will have) a physically heterogeneous environment in terms of hardware compute resources. When you’re scaling...
posted @ Monday, June 15, 2009 4:25 AM |
|
 |
I’m heading out today for a little time off and so you’ll have to make do the rest of the week without any (new) words of wisdom from me. I know, try to pull yourself together. You’ll live, really, and I’ll be back Monday with something interesting, promise. While I’m out, you might consider checking out some of the blogs I follow myself on a regular basis. They’re always full of interesting tidbits and stories and wisdom on a variety of subjects, and if you don’t follow them yourself you might find something interesting in them. ...
posted @ Wednesday, June 10, 2009 4:25 AM |
|
 |
An interesting thing happened on the way to testing that application from the cloud. We broke the innertubes!
Pros and Cons of Application Testing in the Cloud
A firm wanted to test their application and need 100 browser instances. In the old days it would have required 100 machines -- that would be a massive undertaking. Even with hardware virtualization, you would need 5 to 10 machines, and there would be some complex configuration issues. However, by putting it all in the cloud, they were able to sync up 100 virtual instances of the browsers and take them down over...
posted @ Wednesday, June 10, 2009 3:24 AM |
|
 |
Balancing Cost, Performance, and Capacity in the Cloud
There is a huge difference between provisioning applications to support capacity and provisioning them to support performance requirements. That as capacity increases performance decreases is one of the truisms of scalability that is likely to be one of the first axioms of cloud computing that will bite us in the proverbial rear-end while simultaneously reaching for our wallets. Alistair Croll of BitCurrent has a couple of great charts that illustrate this point perfectly. He then goes on to discuss how that affects cloud computing in “The cloud’s...
posted @ Tuesday, June 09, 2009 3:20 AM |
|
 |
Automating components is easy. It’s automating processes that’s hard. The premise that if you don’t have an infrastructure comprised solely of Infrastructure 2.0 components then you cannot realize an automated, on-demand data center is, in fact, wrong. While the capabilities of modern hardware that come with Infrastructure 2.0 such as a standards-based API able to be leveraged by automation systems certainly make the task all the more simple, it is not the only way that components can be automated. In fact, “legacy” infrastructure has been automated for years using other mechanisms that can certainly be incorporated into the...
posted @ Monday, June 08, 2009 3:14 AM |
|
 |
When SOA was declared dead there was a spate of articles and blogs on why the architecture “died.” Most pundits came to the conclusion that like many innovations it wasn’t the technology to blame but rather people. Architects lacked the skills to properly leverage SOA; business stakeholders failed to look at SOA as a strategic architecture, choosing instead to use it as a tactical integration-solving solution; network and systems’ administrators did not understand the unique characteristics and issues a well-designed SOA raised within the network and on systems; and developers were loath to “reuse” and “share” services despite alternate...
posted @ Thursday, June 04, 2009 4:07 AM |
|
 |
Attackers say, we can go where we want to; we can leave our code behind… There’s probably a raid going on right now in Naxxramas and the attackers are almost certainly doing the Safety Dance. They probably learned the Safety Dance the same way I learned about it; from someone well-versed in its intricate steps. See, if you don’t know the Safety Dance and you come up against Heigan the Unclean, well… he’s not called Heigan the Unclean for nothing. You will not survive. Not even if you happen to have a Holocaust Cloak at...
posted @ Wednesday, June 03, 2009 3:58 AM |
|
 |
Google didn’t kill HTTP. Neither did Colonel Mustard or Professor Plum. In fact, HTTP is still very much alive. Okay, folks, it’s time to stop declaring the death of protocols/technologies prematurely. Please? Especially when such proclamations are clearly not representative of reality. From ElasticVapor :: Life in the Cloud In Google's announcement what I found most fascinating was the protocol they choose for the basis of their new realtime vision. It wasn't HTTP but instead XMPP was selected as the foundation for this decentralized and interoperable vision. What this means in...
posted @ Tuesday, June 02, 2009 3:47 AM |
|
 |
Cloud may change the definition of “business critical” applications
Google outages are rapidly becoming as passé as earthquakes to native Californians; unless it’s a really big one, no one really pays much attention. So it shouldn’t be surprising that Google’s latest “crash” (caused by some interesting routing problems, apparently) evinced an attitude of nonchalance from Stanley.
Who is Stanley? I don’t know, except that he was quite vocal about the outage and his opinion that he was “not really bothered by it.”
Google Crashes Again on Friday
Stanley Was wrote: Wednesday May 27 from around 8pm till shortly after midnight, I...
posted @ Monday, June 01, 2009 5:32 AM |
|
 |
There is a tendency to describe every device on a network as simply “the network” regardless of whether that device is dedicated to security, or application delivery (layer 4-7), or actual network (layer 2-3) functionality. It’s an artifact of aging data center architecture models that there exists an artificial line of demarcation between web and application servers and everything else. We used to depict “everything else” as a cloud, but with the emergence of The Cloud doing so simply complicates discussions even further because the “network” necessary to support a dynamic, on-demand operational model of computing like “cloud” is more...
posted @ Friday, May 29, 2009 3:49 AM |
|
 |
It certainly sounds reasonable: networks are moving toward a perimeter-less model so the line between internal and external network is blurring. The introduction of cloud computing as overdraft protection (cloud-bursting) further blurs that perimeter such that it’s more a suggestion than a rule. That makes the idea of encrypting everything whether it’s on the internal or external network seem to be a reasonable one. Or does it?
THE IMPACT ON OPERATIONS
A recent post posits that PCI Standard or Not, Encrypting Internal Network Traffic is a Good Thing....
posted @ Thursday, May 28, 2009 4:02 AM |
|
 |
Understanding the impact of compression on server resources and application performance
While doing some research on a related topic, I ran across this question and thought “that deserves an answer” because it certainly seems like a no-brainer. If you want to decrease bandwidth – which subsequently decreases response time and improves application performance – turn on compression. After all, a large portion of web site traffic is text-based: CSS, JavaScript, HTML, RSS feeds, which means it will greatly benefit from compression. Typical GZIP compression affords at least a 3:1 reduction in size, with hardware-assisted compression yielding an average...
posted @ Wednesday, May 27, 2009 3:50 AM |
|
 |
There’s apparently been a bit of confusion over what, exactly, F5 thinks of cloud computing as an organization based on a recent blog post. I thought I’ve been fairly clear on where F5 stands in terms of cloud computing but I may be suffering what’s known as the “curse of knowledge”, which means I am so deeply entrenched in F5’s view of cloud that I forget that other people don’t have the luxury of that knowledge. So I’d like to take this opportunity to clear up any misconceptions that may be floating around and just set the record...
posted @ Tuesday, May 26, 2009 4:09 AM |
|
 |
Let me ‘splain. No, there is too much. Let me sum up… This week has been full of interesting announcements: Microsoft warns of new server vulnerability; McAfee blasted for having holes in its Web sites; ‘Gumblar’ attacks spreading quickly. There just aren’t enough words. But as they say, a picture is worth at least a thousand words, so I give you a pictorial response to this week’s interesting security happenings. ...
posted @ Thursday, May 21, 2009 4:22 PM |
|
 |
As a telecommuter – and one that lives in that technological mecca of the midwest, Green Bay – I don’t often get the chance to talk face to face with, well, anyone. Being conscripted into booth duty at Interop this week means I get to talk to people with real problems and with ones that can quickly bring anyone with their head in the clouds back down to earth. Imagine if you will an application. A real, honest to goodness client-server application. Not web-based, but client-server; like the kind we wrote in Delphi and Visual Basic back in...
posted @ Thursday, May 21, 2009 6:30 AM |
|
 |
Greedy algorithms can result in the right solution in the end, but rarely do
Don and I were having a discussion with our oldest son the other night about writing a chess program. There are myriad options for implementing the learning aspects of a chess program, but this is not a task for the timid. He ended up proposing a much simpler solution (this was just an exercise in ‘can I write it’, after all) that would have essentially used a very greedy algorithm; one that made a decision regarding the computer’s next move based on current state of...
posted @ Monday, May 18, 2009 3:16 AM |
|
 |
The consensus seems to be, at least from the myriad surveys, studies, and research, that cloud as a model is the right answer, it’s just the location that’s problematic for most organizations. Organizations aren’t ignoring reality; they know there are real benefits associated with cloud computing. But they aren’t yet – and may never be – willing to give up control. And there are good reasons to maintain that control, from security to accountability to agility. But the “people” still want the benefits of cloud, so the question is: how do we put...
posted @ Thursday, May 14, 2009 3:27 AM |
|
 |
Part of the role of a Technical Marketing Manager at F5 is to get involved in communities and stay on top of what’s happening out there, “in the cloud”. Now obviously DevCentral, F5’s community, absolutely rocks. But admittedly our forums and blogs are pretty focused on technology that’s relevant to F5 (that’s everything about applications – from security and performance to availability and storage, in case you weren’t sure) and you aren’t really going to find a lot of information about databases or coding in C#/Java/Ruby or how to properly configure Active Directory forests. So when I’m out...
posted @ Thursday, May 14, 2009 3:22 AM |
|
 |
If they aren’t now then Infrastructure 2.0 may force them in that direction - and vice versa. My brother (yes, it does run in the family) has a degree in computer science which, by most definitions, makes him a developer. That’s the focus of most computer science focused degree programs, much to the chagrin of the myriad other IT-focused specialties like networking, security, and operations. Interestingly enough, he worked his way through college as a sysadmin and his first job out of college was as a sysadmin. And now he’s doing a little of...
posted @ Wednesday, May 13, 2009 3:51 AM |
|
 |
Risks with virtualization is same as it ever was but different
Hoff makes a good point about cloud security last month in his “The Cloud is a Fickle Mistress: DDoS&M” which was, if I may quote, “it’s the oldies and goodies that will come back to haunt us.” In other words, it’s the well-known, well-understood protocol-based attacks of uncloud computing that will be problematic for cloud computing. Security in virtualized environments and “the cloud” is indeed the “same as it ever was.” And yet it’s different, too.
COLLATERAL DAMAGE
While it’s...
posted @ Tuesday, May 12, 2009 3:45 AM |
|
 |
Why architecture matters not only to security but to the future of cloud computing
It seems the phrase “in the cloud”, sadly, has become a marketing-hyped euphemism for “the Internet.” I say sadly because the use of cloud to refer to every and any service delivered over the Internet dirties up the cloud. It obscures the intent of cloud computing and makes it difficult for technologists in the trenches to get a handle on how cloud – both external and internal – can provide benefits and solutions to problems they have right now. The very loose use of the...
posted @ Monday, May 11, 2009 3:38 AM |
|
 |
Everyone who is involved in networking, application networking, cloud computing, and virtualization knows about and is probably planning some kind of presence at Interop. It is “the” event for a variety of inter-related industries, all revolving around network-something. For six years I attended Interop, but as a member of the press. This time, I’m on the “other side” with a vendor, and the view is very different. At a minimum, there’s a lot more planning that goes into exhibiting at such an event. There’s booth layouts to review and decisions on what kind of information...
posted @ Friday, May 08, 2009 3:42 AM |
|
 |
Now I lay me down to sleep
I pray that safe my apps will keep
If hacked they be before I wake
I pray it was a (DEV || OPS) mistake
Technorati Tags: MacVittie,F5,Infosec,prayer,humor,application,security
posted @ Thursday, May 07, 2009 9:40 AM |
|
 |
Don’t confuse computing services with infrastructure services. We aren’t there yet. The subtext to the cloud computing discussion is subtle, as is the wont of subtext. But it is clear that underlying all the concerns about cloud computing is a common theme: control. Whether we’re talking about reliability or security, it should be obvious if you’re reading between and beneath the lines that the biggest stumbling block to massive cloud adoption is the issue of control. There is a very real difference between on-demand computing and on-demand infrastructure. What the cloud provides now, and is described...
posted @ Thursday, May 07, 2009 3:11 AM |
|
 |
Brother, can you give a developer a hand? As the topology of networks delivering applications becomes increasingly complex it becomes more and more difficult to troubleshoot problems, especially for developers tasked with figuring out why their “application broke” in production when it was working just fine thank you very much in “DEV” and “QA.” It is rare, after all, that the production environment – including all the moving parts – is duplicated in development and testing environments. It is already difficult enough for developers to track down problems due to the complex nature of application infrastructure...
posted @ Wednesday, May 06, 2009 4:17 AM |
|
 |
If you’ve ever played Dungeons & Dragons for an extended period of time (a campaign, in the vernacular) you know that of all the classes available the cleric is the least likely to be chosen willingly. The cleric class is much like the kid picked last in kickball, chosen only because you have to, not because you want to. Okay, bard may actually be less likely but cleric is really, really close and you need a cleric, you don’t necessarily need a bard. The problem is that clerics can be somewhat dull to play but...
posted @ Tuesday, May 05, 2009 3:38 AM |
|
 |
Hint: It doesn’t actually have much to do with technology or products
In case you hadn’t heard, a startup called Panda Security has introduced a cloud-based anti-virus offering. This set off a rift of articles and blogs discussing the solution itself and what it means and some who questioned whether ‘anti-virus’ even meant ‘security’ in the first place. But I’m not interested in that discussion except to say that folks need to be more careful about distinguishing “cloud security” from “cloud-based security”. The former is about securing the cloud and its infrastructure, the latter about services hosted...
posted @ Monday, May 04, 2009 3:37 AM |
|
 |
Toni Bowers, Head Blogs Editor at TechRepublic, had quite an interesting blog on the subject of women tech bloggers, “Sure she’s a good tech blogger, but what does she look like?” The comments are as interesting as the content, to be sure, as the responses come from a mostly male community.
MOST MEN AREN'T JERKS AFTER ALL
Now, Toni asks why men care about – and comment on – women’s looks as part of their feedback (and in some cases, as their only feedback). After all, you rarely see commentary about a man’s appearance in blog comments.
I...
posted @ Friday, May 01, 2009 6:20 AM |
|
 |
The importance of context in solving the problems created by tying web applications to deeply rooted local metaphors (IP addresses). The relationship between IP addresses and web applications to most end-users is much like the metaphorical language of the Tamarians in Star Trek: The Next Generation “Darmok”. It is incomprehensible without the proper foundational concepts; to anyone who lacks the proper context. In the case of IP addresses and web applications that foundation is technological rather than the historical basis of the Tamarians’ metaphorical language. The diseconomy of scale inherent in our reliance on IP addresses...
posted @ Thursday, April 30, 2009 2:45 AM |
|
 |
The blurring of professional and personal lives in social media and the rush of organizations to “join in” may create just that. Almost every modern organization has behavioral policies known as “zero-tolerance” these days. These policies are designed to provide a healthy, productive environment in which anyone can work without fear of being insulted, offended, harassed, or otherwise made uncomfortable on a day to day basis. Basically, “zero-tolerance” policies are - in part - the codification of the common-sense rule that says you don’t talk about religion, politics, or sex in the work environment. Controversial topics,...
posted @ Wednesday, April 29, 2009 3:05 AM |
|
 |
You can’t afford not to invest in technologies that leverage virtualization to improve data center efficiency
There’s an old adage that says you have to spend money to make money. In the data center these days this is more true than ever. You have to invest in technology capable of making your data center more efficient in order to make (save) money. A recent Robert Half Technology survey of 1400 CIOs indicates that data center efficiency and virtualization are top priorities. *CIOs were asked, "Which areas, if any, will your IT department be investing...
posted @ Tuesday, April 28, 2009 3:00 AM |
|
 |
We know what the problem is. We know what the solution is. So why aren’t we doing something about it? Every year, around April Fools’ day, someone pulls out the old “Internet Spring Cleaning” gag. For those of us who are not technical neophytes or have been “online” long enough, the joke is amusing but not nearly as much as when it originally appeared many, many, many years ago. Is it possible, though, that one day the old “the Internet needs to be rebooted” gag might be real? That in order to get from here...
posted @ Monday, April 27, 2009 3:23 AM |
|
 |
The undisclosed relationship between o3 magazine and application delivery startup Carbon Mountain Robert Scoble recently lamented the “free meals” the newspaper industry has given away but mentions that there are still some meals left, most notably “objectivity”: Meal left #4: objectivity and accountability. I can argue that lots of journalists aren’t objective, but the truth is they are part of a system that adds objectivity and accountability as a system BEFORE publishing. Blogging and Twittering, I have noticed, can be objective and accountable, but it sometimes takes time to figure that out, especially...
posted @ Thursday, April 23, 2009 10:54 AM |
|
 |
How to defeat the ancient Jedi mind trick known as HTTP Request Smuggling. HTTP Request Smuggling (HRS) is not a new technique; it's been around since 2005. It takes advantage of architectures where one or more intermediaries (proxies) are deployed between the client and the server. HRS can be used to poison web-caches and bypass security solutions such as web application firewalls as well as for the delivery of malicious payloads such as worms, viruses, and those used to exploit known vulnerabilities in web and application servers. The good news is that to exploit HRS,...
posted @ Thursday, April 23, 2009 3:39 AM |
|
 |
Automation isn’t some special brand of soup and there’s no “automation nazi” who can deny access to its benefits. The recent McKinsey report on cloud computing has pundits everywhere choking on their donuts and scrambling to dispute the report’s findings, which essentially end up saying “cloud ain’t cheaper.” I’m not going to rehash the arguments. I’m not going to analyze the report. But I am going to dig into a few comments on the report by Thorsten at RightScale who started off by saying: “Its claim that cloud computing (in the...
posted @ Wednesday, April 22, 2009 3:18 AM |
|
 |
OVF (Open Virtualization Format) apparently just isn’t getting enough mindshare out there in the discussions of cloud computing that focus on portability and interoperability. The goal of OVF is to provide a portable, interoperable non-vendor specific meta-data that describes an application, its virtual container, and the attributes necessary to deploy it in a new environment with minimal human intervention. This will, allegedly, allow it to move seamlessly from cloud to cloud, drifting ever-so-gently and making the entire process appear effortless. Given that lofty goal, it’s no surprise that Jon Oltsik, senior analyst at the Enterprise Strategy Group, wonders...
posted @ Tuesday, April 21, 2009 2:58 AM |
|
 |
What is this application delivery thing that everyone keeps telling me I need? Isn’t that just the latest marketing term for load balancing? A recently released Forrester report concludes that “firms must develop an integrated strategy for application delivery.” We don’t disagree with that, or with the Gartner report claiming that “Load Balancing is Dead, Time to Focus on Application Delivery.” Application delivery is the next step in the logical evolutionary path from the tactical solution of load balancing to a comprehensive application infrastructure strategy. Forrester’s research indicates that despite the fact that application...
posted @ Monday, April 20, 2009 3:40 AM |
|
 |
Open Source SSL Accelerator solution not as cost effective or well-performing as you think
o3 Magazine has a write up on building an SSL accelerator out of Open Source components. It’s a compelling piece, to be sure, that was picked up by Slashdot and discussed extensively. If o3 had stuck to its original goal – building an SSL accelerator on the cheap – it might have had better luck making its arguments. But it wanted to compare an Open Source solution to a commercial solution. That makes sense, the author was trying to show value in...
posted @ Friday, April 17, 2009 4:56 AM |
|
 |
This whole Web 2.0-sucking-the-life-out-of-servers problem? Yeah, it’s nothing new if you’ve been paying attention. I am not one prone to fits of smug arrogance. I don’t generally ever say “I told you so” (even if I did) or tsk-tsk when you failed to listen to some nugget of wisdom and it bites you some place…unpleasant. Don often tells me I should, and he will if I won’t, but most of the time I simply bite my tongue and let it pass on by. It’s my job to offer up the information, not force it down your throat....
posted @ Thursday, April 16, 2009 3:46 AM |
|
 |
The acceleration technique known as pre-fetching went the way of the dodo bird sometime around 2002. But perhaps it should be resurrected, just in a different place and with a slightly different focus.
A SHORT HISTORY OF ACCELERATION TECHNIQUES
Most modern acceleration techniques revolve around two things: decreasing the amount of data to be transferred (compression, optimization of the client-side cache) or twiddling with protocols (TCP, HTTP) and their associated behaviors to improve the overall speed at which a client and server communicate. Back in the early days of application acceleration most technologies were...
posted @ Tuesday, April 14, 2009 3:01 AM |
|
 |
Collaborating automatically via Web 2.0 APIs is a beautiful thing. I can update status on Twitter and it will automagically propagate to any number of social networking sites: Facebook. FriendFeed. MySpace. LinkedIn. If I had to do it all manually, I wouldn’t. But the automation of sharing, i.e. collaboration, between Web 2.0 social networking sites made possible by open APIs is just too easy to pass up.
The danger is, of course, that a single malicious message can just as quickly propagate through that same social network. The power of the API can quickly be turned against us.
A...
posted @ Monday, April 13, 2009 4:05 AM |
|
 |
Leveraging virtualization as a means to create a specialized architecture can realize significant gains in performance and IT efficiency
With all the talk about “packaging up applications” in a virtual machine and shipping them off to the cloud, it almost sounds as if virtualization might lead us to a return to architecting monolithic applications. The idea of packaging up everything you need to run an application in a virtual container and relieving the worries about connectors and adapters and integration is certainly appealing. But let’s take a step back from the virtualization craze as it relates to...
posted @ Thursday, April 09, 2009 3:34 AM |
|
 |
You’ve declared your Data Center Independence. You’ve agreed on a basic set of rights. The problem now is ensuring that those rights are upheld and that you can achieve that independence. We’re not innocent bystanders in the data center revolution; we wholly support your rights to choose the architecture and solutions that best fit your environment. You can’t do it alone. You need tools with which to fight the data center revolution. So we’re arming you with at least some of those tools (hey, we can’t do it all alone) with the introduction of BIG-IP v10...
posted @ Wednesday, April 08, 2009 4:47 AM |
|
 |
Those who cannot remember the past are condemned to repeat it. George Santayana, The Life of Reason, Volume 1, 1905 US (Spanish-born) philosopher (1863 - 1952) This oft repeated quote needs to be tweaked just a bit to be more applicable to web application security: Those who choose to ignore the past in favor of convenience are condemned to repeat it. Just how many times do developers have to “hack” a protocol that eventually becomes a wide-open hole through which even a blind miscreant...
posted @ Tuesday, April 07, 2009 9:25 AM |
|
 |
Finding new life for SOA in the cloud
We’ve been having quite a few discussions with analysts over the past few months on the subject of “cloud”. The interesting thing about these discussions is the vast array of points of view from which those analysts are viewing “cloud”. Some are focused on the network aspects, others on pricing/differentiation, and some are even very focused on what “cloud” means to applications – and the organizations that will, allegedly, take advantage of the cloud as a means of application deployment. One such analyst is Daryl Plummer of Gartner. Daryl...
posted @ Tuesday, April 07, 2009 3:37 AM |
|
 |
Making the case for a Hungarian Notation variation for URL hierarchies
One of the top discussions out in the ether these days revolves around URL shortening. One of the reasons folks flock to URL shortening services like bit.ly and TinyURL is because web sites and applications use exceedingly long URLs. Many times this is because of exposed file system hierarchies (a potential security risk, by the way) and a desire to take advantage of descriptive file names for SEO and informational reasons. Recently Delicious founder Joshua Schachter expressed his opinion that URL Shorteners are bad for the web, while...
posted @ Monday, April 06, 2009 3:15 AM |
|
 |
Are you protecting your Web 2.0 APIs? As Web 2.0 applications continue to expand from connected to collaborative via the extensive use of APIs it behooves developers and security professionals alike to consider the ramifications of providing this necessary yet dangerous avenue of entry into their application infrastructure. Too many discussions around web application security are focused on the user-facing web interfaces and ignore the potentially more dangerous collaboration-focused interfaces that make up the API. What makes them more dangerous is that they almost always offer an XML exchange format, but it is rare that...
posted @ Wednesday, April 01, 2009 3:46 AM |
|
 |
Long URLs and variable names increase transfer size which wastes bandwidth and money
o3 magazine has a great article on the impact of long URLs on bandwidth; specifically on how much bandwidth is wasted by excessively long URLs and variable names within HTML, JavaScript, and CSS selectors.
What the author does not mention, and he really should, is that wasting bandwidth can translate into wasted dollars, as well. This is particularly true of applications that might be hosted in a cloud environment, as well as those delivered across WAN links provisioned with bursting capabilities above limits for which organizations are...
posted @ Tuesday, March 31, 2009 4:13 AM |
|
 |
Keep in mind that the time it takes a human being to blink is an average of 300 – 400 milliseconds. I just got back from Houston where I helped present on F5’s integration with web application security vendor White Hat, a.k.a. virtual patching. As almost always happens whenever anyone mentions the term web application firewall the question of performance degradation was raised. To be precise: How much will a web application firewall degrade performance? Not will it, but how much will it, degrade performance. My question back to those of you with the same...
posted @ Monday, March 30, 2009 3:21 AM |
|
 |
First Amendment
Vendors shall make no law respecting an establishment of architecture, or prohibiting the free design thereof; or constraining the flow of data, or of packets; or the right of the administrators easily to configure, and to ensure the fast, secure, and available delivery of applications.
Second Amendment
A well-performing network being necessary to the delivery of applications, the right of IT to optimization of any network environment, shall not be infringed.
Third Amendment
Budgetary constraints, though required for an efficient business, shall not force IT to compromise on security or...
posted @ Friday, March 27, 2009 2:10 AM |
|
 |
If you do, you may find you’ll come out with a more effective security strategy
Michael Santarcangelo shows why he’s known as a “human catalyst” with his strategy-focused effort to change the way we deal with security, Into the Breach. Michael’s basic premise is that a breach is a symptom of a larger problem and not the actual problem itself. Unlike most security-focused discussions today he tackles not the issue of electronic data and disclosure but the larger, more often ignored problem of low-tech breaches caused (often unintentionally) by people. Soylent security. It’s people,...
posted @ Thursday, March 26, 2009 3:58 PM |
|
 |
One of the greatest strengths of the Cloud is that, like the Internet, it knows no boundaries. It crosses industry and international boundaries as if they do not exist. But as is often the case, your greatest strength can also be your greatest weakness. Take Google, for example, and its myriad Cloud-based application offerings. A new complaint made by Epic (Electronic Privacy Information Center) to the US Federal Trade Commission urges the regulatory agency to “consider shutting down Google’s services until it establishes safeguards for protecting confidential information.” From a recent FT.com article: ...
posted @ Thursday, March 26, 2009 5:47 AM |
|
 |
When in the course of deploying applications, it becomes necessary for administrators to dissolve the technical shackles which have connected them to products, and to assume among the powers of IT, the separate and equal station to which management entitles them, a decent respect for their valuable time requires that vendors should provide them with the means by which they may enact this separation. We hold these truths to be self-evident, that not all applications are created equal, that they are endowed by their developers with certain quirky behaviors, that among these are chattiness, vulnerabilities, and very large...
posted @ Wednesday, March 25, 2009 4:03 AM |
|
 |
Better performance, reduced costs and data center footprint are not niche-market interests. The fast-paced world of finance is taking a hard look at the benefits of hardware acceleration for performance and finding additional benefits such as a reduction in rack-space via consolidation of server hardware. Rich Miller over at Data Center Knowledge writes: Hardware acceleration addresses computationally-intensive software processes that task the CPU, incorporating special-purpose hardware such as a graphics processing unit (GPUs) or field programmable gate array (FPGA) to shift parallel software functions to the hardware level. ...
posted @ Tuesday, March 24, 2009 3:27 AM |
|
 |
Remember when…it was sprawl or nothing? Remember when…you had to choose between security and speed? Remember when…you had to choose between agility and performance? It’s time for a change; a change that brings freedom and choice to the data center and puts IT back in control of its own architectural destiny.
posted @ Monday, March 23, 2009 3:27 AM |
|
 |
Ah, those were the days, weren’t they? When improving the security, reliability, and performance of applications over the LAN, over the WAN, and over the Internet meant you had to deploy many different solutions, each one standing on their own in the data center. When you had to learn how to configure and manage as many devices as you have fingers just to deliver a single business-critical application to users and customers across a wide variety of environments. When there really wasn’t an option because solutions weren’t unified, weren’t contextually aware, and were basically just a bunch of point solutions...
posted @ Monday, March 23, 2009 3:21 AM |
|
 |
I admit it. I’m a load / performance testing junkie. During my years with Network Computing I burned through any number of solutions designed to throw more traffic at products than money Congress is throwing at failed banks these days. And I do mean burned, as the last time I was in the lab there were no less than three non-functioning Spirent Avalanche systems that had given up the ghost after being forced to their absolute limits over years of use and abuse.
When I received a note telling me about LoadImpact.com, a load testing as a service site, naturally...
posted @ Friday, March 20, 2009 3:21 AM |
|
 |
The reasons behind an increasing enrollment rate in computer science programs say it isn’t coolness driving interest, it’s cash. But the reality of computer science is such that opportunistic degree chasers aren’t likely to make it through the program. Recently, infrastructure was declared “cool again”. And this week computer science majors got the “cool” nod as well. My immediate reaction to both “news” announcements was: When were they not cool? My second was, how in the world does a rise in enrollment equate to coolness? The fact that infrastructure is getting more attention and more college...
posted @ Thursday, March 19, 2009 3:21 AM |
|
 |
One of the oft cited reasons in surveys that enterprises aren’t flocking to the cloud like lemmings off a cliff is “lack of control”. Problem is that articles and pundits quoting this reason never really define what that means. After all, cloud providers appear to be cognizant of the need for users (IT) to be able to define thresholds, reserve instances, deploy a variety of “infrastructure”, and manage their cloud deployment themselves. The lack of control, however, is at least partially about control over the infrastructure itself and, perhaps, complicated by the shallow definition of “infrastructure” by cloud...
posted @ Wednesday, March 18, 2009 2:49 AM |
|
 |
ArsTechnica has an interesting little article on what Windows Azure is and is not. During the course of discussion with Steven Martin, Microsoft's senior director of Developer Platform Product Management, a fascinating – or disturbing in my opinion – statement was made: There is a distinction between the hosting world and the cloud world that Martin wanted to underline. Whereas hosting means simply the purchase of space under certain conditions (as opposed to buying the actual hardware), the cloud completely hides all issues of clustering and/or load balancing, and it offers an entirely virtualized...
posted @ Tuesday, March 17, 2009 4:34 AM |
|
 |
What’s driving your organizational interest in cloud? Is it apathy or is it architecture? The whole debate surrounding the existence, or non-existence as it were, of “private” clouds seems to revolve around the definition of cloud. Yes, we’re right back at the beginning, Vizzini. The problem is that lots of folks want to focus in on the “apathy” inherent in cloud rather than the “architecture”. Yes, apathy. After all, that’s what we’re saying when we include as a key component of the definition of cloud “you don’t have to care about the infrastructure.” For example, Andrew...
posted @ Monday, March 16, 2009 3:45 AM |
|
 |
Ah, those were the days, weren’t they? When you needed a way to add security at several layers to your network and application network infrastructure but knew that implementing a solution capable of securing those pesky applications was more than likely going to end up with poor performance and angry users. When you needed to add something to secure applications and the network against the growing wave of attacks but knew that doing so would negatively impact performance. It was a tough choice, and most people ended up going the route of maintaining application performance at the expense...
posted @ Monday, March 16, 2009 3:39 AM |
|
 |
Decisions about routing at every layer require context
A friend forwarded a blog post to me last week mainly because it contained a reference to F5, but upon reading it (a couple of times) I realized that this particular post contained some very interesting information that needed to be examined further. The details of the problems being experienced by the poster (which revolve around a globally load-balanced site that was for some reason not being distributed very equally) point to an interesting conundrum: just how much control over site decisions should a client have? Given the...
posted @ Thursday, March 12, 2009 4:11 AM |
|
 |
Mike Fratto loves to tweak my nose about web application security. He’s been doing it for years, so it’s (d)evolved to a pretty standard set of arguments. But after he tweaked the debate again in a tweet, I got to thinking that part of the problem is the definition of web application security itself. Web application security is almost always about the application (I know, duh! but bear with me) and therefore about the developer and secure coding. Most of the programmatic errors that lead to vulnerabilities and subsequently exploitation can be traced to a lack of secure...
posted @ Wednesday, March 11, 2009 3:21 AM |
|
 |
There is no evidence, no research, no surveys that indicate the cloud is, or ever will be, ready to completely outsource an organization’s data center. There’s no reason to even believe that’s the goal of cloud providers, though it might seem a logical conclusion. So making outrageous claims about the capabilities of the cloud, and the relevance of the data center, does no one any good. What’s got me so riled up? This particular statement from a prediction for 2009 from Appirio: But all this talk about “private clouds” is a distraction from...
posted @ Tuesday, March 10, 2009 4:30 AM |
|
 |
Ah, those were the days, weren’t they? When you needed a way to inspect data at the edge for application-specific issues but knew that implementing a solution capable of that kind of agility was more than likely going to end up with poor performance and angry users. When you needed to add something to secure applications and the network against the growing wave of attacks but knew that doing so would negatively impact performance. It was a tough choice, and most people ended up going the route of maintaining application performance at the expense of security and optimization...
posted @ Monday, March 09, 2009 4:30 AM |
|
 |
One of the ways miscreants locate targets for mass SQL injection attacks that can leave your applications and data tainted with malware and malicious scripts is to simply seek out sites based on file extensions. Attackers know that .ASP and .PHP files are more often than not vulnerable to SQL injection attacks, and thus use Google and other search engines to seek out these target-rich environments by extension. Using a non-standard extension will not eliminate the risk of being targeted by a mass SQL injection attack, but it can significantly reduce the possibility because your site will automatically turn...
posted @ Thursday, March 05, 2009 3:46 AM |
|
 |
Increasingly WAN optimization solutions are adopting the application acceleration moniker, implying a focus that just does not exist. WAN optimization solutions are designed to improve the performance of the network, not applications, and while the former does beget improvements of the latter, true application acceleration solutions offer greater opportunity for improving efficiency and end-user experience as well as aiding in consolidation efforts that result in a reduction in operating and capital expenditure costs. WAN Optimization solutions are, as their title implies, focused on the WAN; on the network. It is their task to improve the utilization of bandwidth,...
posted @ Wednesday, March 04, 2009 3:29 AM |
|
 |
According to the definition of cloud computing used by Avanade for a recently released and often cited study on the use of cloud computing, I could claim to be a cloud computing provider. And so could you. Basically, so could just about everyone who happens to run web-based applications accessed over the Internet. From the summary of the report: In the midst of widespread economic turmoil, this global survey of C-level executives and IT decision-makers shows a clear, collective mandate: use technology to cut the cost of doing business. ...
posted @ Tuesday, March 03, 2009 2:59 AM |
|
 |
During my reading of the Internet I happened across an ad on Network World that stopped me in my tracks. And not because it was one of those “pre-ads” that you can’t avoid, nor because it was cool or flashy or said something particularly witty. No, it stopped me in disbelief because it implied that someone else (a vendor) was in charge of your data center architecture; that you had nothing to do but sit back and wait for them to let you know when it – and you – were ready to take the next step. Look,...
posted @ Monday, March 02, 2009 4:32 AM |
|
 |
It’s been a long time since I had the (mis)fortune to sit in a math class, so bear with me while I figure this out. In order to determine my daily budget for the application I am hosting with Google’s App Engine, I need to sum the results of the standard deviation of the derivative of yesterday’s CPU utilization, multiplied by the bandwidth used divided by pi and then multiply the whole thing by the number of e-mail messages sent by the application. Got that? Go. 5…4…3…2…1 Pencils down. What? Not finished yet? Okay, I’m being...
posted @ Thursday, February 26, 2009 4:07 AM |
|
 |
Owning the stack is important to security, but it’s also integral to a lot of other application delivery functions. And in some cases, it’s downright necessary. Hoff rants with his usual finesse in a recent posting with which I could not agree more. Not only does he point out the wrongness of equating SaaS with “The Cloud”, but points out the importance of “owning the stack” to security. Those that have control/ownership over the entire stack naturally have the opportunity for much tighter control over the "security" of their offerings. Why? because they...
posted @ Wednesday, February 25, 2009 3:13 AM |
|
 |
Cloud computing and virtualization promise to revolutionize the architectural principles of the data center. Shared resources enable efficiency, but ultimately the dynamism required to achieve such gains in efficiency will cause chaos in a variety of other functions throughout IT. The CIO is in for a rocky road unless a broader set of IT management vendors pave the way for a smooth ride.
The (In)accuracy of Forecasting in a Dynamic Environment
Organizations rely on the ability to forecast project costs and anticipated ROI in order to prioritize and set budgets for coming years. Many IT project management...
posted @ Tuesday, February 24, 2009 3:36 AM |
|
 |
If you’re looking at standardization and interoperability efforts only as they relate to providers or end-users then you’re not thinking long term nor are you really considering the potential of cloud computing and virtualization to revolutionize data center architectures. In a nutshell, if you equate “cloud” with “providers like Amazon and Google” then you don’t really get the big picture. While the ultimate goal of cloud specifications and standards is to enable interoperability and ease of migration for the end-user, approaching the creation of such standards from the point of view of the end-user will result in a...
posted @ Monday, February 23, 2009 4:06 AM |
|
 |
The case of Laura Dean has been treated as a “wake up call” to the millions of users of social networking sites. At first glance it appears there is nothing that Facebook (or any other social media site) could have done to prevent the theft and subsequent abuse of her identity. I was briefly on the “you can’t blame technology for this one” bandwagon until I stopped and thought about the ways in which fraud detection systems work and applied that process to the very simple login process used by every social media site in existence. ...
posted @ Friday, February 20, 2009 3:51 AM |
|
 |
The focus of cloud and virtualization discussions today revolves primarily around hypervisors, virtual machines, automation, network and application network infrastructure; on the dynamic infrastructure necessary to enable a truly dynamic data center. In all the hype we’ve lost sight of the impact these changes will have on other critical IT systems such as network systems management (NSM) and application performance management (APM). You know their names: IBM, CA, Compuware, BMC, HP. There are likely one or more of their systems monitoring and managing applications and systems in your data center right now. They provide alerts, notifications,...
posted @ Thursday, February 19, 2009 4:55 AM |
|
 |
When folks are asked to define the cloud they invariably, somewhere in the definition, bring up the point that “users shouldn’t care” about the actual implementation. When asked to diagram a cloud environment we end up with two clouds: one representing the “big cloud” and one inside the cloud, representing the infrastructure we aren’t supposed to care about, usually with some pretty graphics representing applications being delivered out of the cloud over the Internet. But yet some of us need to care what’s obscured; the folks tasked with building out a cloud environment need to know what’s...
posted @ Wednesday, February 18, 2009 4:14 AM |
|
 |
It has been suggested that the use of application acceleration solutions as a means to improve application performance would result in programmers writing less efficient code. In a comment on “The House that Load Balancing Built” a reader replies: Not only will it cause the application to grow in cost and complexity, it's teaching new and old programmers to not write efficient code and rely on other products and services on [sic] thier behalf. I.E. Why write security into the app, when the ADC can do that for me. Why write code that...
posted @ Tuesday, February 17, 2009 3:41 AM |
|
 |
The year 2009 may be remembered as the year technologies died. First Anne Thomas Manes of Burton Group declared SOA dead, and more recently Mark Fabbi of Gartner announced the death of load balancers. The difference in the obituaries is striking: Manes declares an entire architectural model dead while Fabbi merely declares the death of a product, not the technological concepts behind it. Load balancers may be dead, but the concept of load balancing lives on as a critical foundation for more advanced and valuable features available in the load balancer’s evolutionary replacement: the application delivery controller. Where Manes gives...
posted @ Monday, February 16, 2009 5:10 AM |
|
 |
One of the negatives of providing a solution is that it necessarily assumes there is a problem. That’s actually a fair assumption in the technology world, as problems seem to abound with no end in sight. What it also does, unfortunately, is lead to a culture within IT that is more tactical than strategic. Because IT is almost always trying to put out one fire or another, they rarely have time to think – and plan – ahead. Honestly, that’s the responsibility of directors and C-level executives, anyway. It’s their responsibility to look ahead not just months...
posted @ Thursday, February 12, 2009 3:41 AM |
|
 |
The issue of application state and connection management is one often discussed in the context of cloud computing and virtualized architectures. That's because the stress placed on existing static infrastructure due to the potentially rapid rate of change associated with dynamic application provisioning is enormous and, as is often pointed out, existing "infrastructure 1.0" systems are generally incapable of reacting in a timely fashion to such changes occurring in real-time. The most basic of concerns continues to revolve around IP address management. This is a favorite topic of Greg Ness at Infrastructure 2.0 and has been subsequently addressed...
posted @ Tuesday, February 10, 2009 7:59 AM |
|
 |
Rich Miller, in response to some questions I maintain on meta-data ownership and interoperability with regards to the CCIF's efforts in defining a cloud interoperability specification, had some questions of his own: The part I'm itching to ask her about ... or start a more open conversation: the possibility of "a specification regarding application network delivery metadata" which, if properly (??) abstracted and generic, could "allow the meta-data policies to be transported and applied across different cloud implementations while preserving the specific details of implementation within the cloud computing infrastructure." Whoa!! Tall order, isn't it? ...
posted @ Monday, February 09, 2009 4:19 AM |
|
 |
While the vast majority of folks are still debating what is or is not "cloud computing", there are already groups trying to get ahead of the curve by focusing on broader issues such as interoperability and portability. Indeed, by addressing the potential pitfalls associated with portability across cloud implementations now rather than later, it is hoped that there won't be as many problems when it does finally become an issue. There is a very real danger, however, that cloud interoperability and portability specifications will fail to address the very real need to include all the relevant application and...
posted @ Friday, February 06, 2009 4:39 AM |
|
 |
The February issue of Dr. Dobb's has a lot of articles about cloud computing. That's not surprising; cloud computing is very much on the minds of many folks these days and it does affect developers as much as (if not more than) most IT folks. One developer had a very interesting perspective on the topic, and very clearly spells out what he does and does not want: I don't want to write HTTP and SOAP and REST and SimpleDB queries. I don't want to be squeezed into a browser and I most certainly...
posted @ Wednesday, February 04, 2009 6:23 AM |
|
 |
You're standing in line at the bank when someone walks in. You instinctively look around and notice the newcomer is wearing sunglasses, and a hooded sweatshirt. His hands are both inside the pockets of his sweatshirt, even though it's warm inside. He chooses a line, and dances nervously from foot to foot, craning his neck to see to the front of the line. After a few minutes he leaves the line and chooses a new one, growing increasingly agitated at the wait. He keeps looking from the clock to the line to the tellers, and appears to be wringing his...
posted @ Tuesday, February 03, 2009 4:01 AM |
|
 |
The webification of applications over the years has led to the belief that client-server as an architecture is dying. But very few beliefs about architecture have been further from the truth. The belief that client-server was dying - or at least falling out of favor - was primarily due to the fact that early browser technology was used only as a presentation mechanism. The browser did not execute application logic, did not participate in application logic, and acted more or less like a television: smart enough to know how to display data but not smart enough to do anything...
posted @ Monday, February 02, 2009 4:38 AM |
|
 |
Yesterday I was privileged to co-host a webinar with WhiteHat Security's Jeremiah Grossman on preventing SQL injection and Cross-Site scripting using a technique called "virtual patching". While I was familiar with F5's partnership with WhiteHat and our integrated solution, I wasn't familiar with the term. Virtual patching should put an end to the endless religious warring that goes on between the secure coding and web application firewall camps whenever the topic of web application security is raised. The premise of virtual patching is that a web application firewall is not, I repeat is not a replacement for secure...
posted @ Thursday, January 29, 2009 11:00 AM |
|
 |
We've been talking a lot about the benefits of Infrastructure 2.0, or Dynamic Infrastructure, a lot about why it's necessary, and what's required to make it all work. But we've never really laid out what it is, and that's beginning to lead to some misconceptions. As Daryl Plummer of Gartner pointed out recently, the definition of cloud computing is still, well, cloudy. Multiple experts can't agree on the definition, and the same is quickly becoming true of dynamic infrastructure. That's no surprise; we're at the beginning of what Gartner would call the hype cycle for both concepts, so...
posted @ Wednesday, January 28, 2009 7:19 AM |
|
 |
For as many deployment models for packaged software as exist there are an equal or higher number of software licensing models. I used to think integration of software packages was the biggest challenge when evaluating them for Network Computing but the truth is that calculating the cost of licensing for that software was even more of a challenge. And realistic comparisons? Nearly impossible. The old models of software licensing are wholly incompatible with cloud computing and on-demand environments. Enterprise software is in a category unto itself when it comes to licensing. It isn't like drive-by...
posted @ Tuesday, January 27, 2009 4:24 AM |
|
 |
Open APIs are a matter of much discussion these days in the realm of cloud computing. Just take a peek at the discussion that occurred via Twitter during Cloud Connect. Many folks were not shy in putting forth the notion that cloud portability and interoperability can only be achieved through accepted "cloud" standards. Integration standards, for the cloud, if you will. The fear is that any emerging standards will focus only on the portability of the application or virtual container environment. They are likely to ignore the fact that no application is an island, and that the application delivery...
posted @ Monday, January 26, 2009 3:40 AM |
|
 |
Much of the dialogue today surrounding cloud computing and virtualization is still taking the 50,000 foot view. It's all conceptual; it's all about business value, justification, interoperability, and use cases. These are all good conversations that need to happen in order for cloud computing and virtualization-based architectures to mature, but as is often the case that leaves the folks tasked with building something right now a bit on their own. So let's ignore the high-level view for just a bit and talk reality. Many folks are being tasked, now, with designing or even implementing some form of a cloud...
posted @ Friday, January 23, 2009 4:51 AM |
|
 |
Twitter is, once again, feeling growing pains. This time the microblogging darling of the social networking world is proactively addressing the problem - by further rate limiting its APIs. Alex Payne, API Lead for Twitter, explained on the Twitter Developers mailing list: “Starting later this week we’ll be limiting those on the whitelist to 20,000 requests per hour. Yes, you read that right: twenty THOUSAND requests per hour. According to our logs, this accounts for all but the very largest consumers of our API. This is essentially a ...
posted @ Thursday, January 22, 2009 6:14 AM |
|
 |
The debate this week is on location, specifically we're back arguing over whether there exist such things as "private" clouds. Data Center Knowledge has a good recap of some of the opinions out there on the subject, and of course I have my own opinion. Location is, in fact, important to cloud computing, but probably not in the way most people are thinking right now. While everyone is concentrating on defining cloud computing based on whether it's local or remote, folks have lost sight that location is important for other reasons. It is the location...
posted @ Wednesday, January 21, 2009 7:13 AM |
|
 |
Infrastructure 2.0 is, at its core, about evolving to a new level of interconnectedness, one in which the underlying infrastructure becomes as flexible and adaptable as the applications and virtualization infrastructure it is responsible for managing and delivering. In order to be connected, however, you need a way in which disparate infrastructure components can communicate, either directly or via a third party (coordination | management | orchestration) server. That communication is almost certainly going to take (and in many cases has already taken) the form of service-enabled control planes. These "services" are necessary in order to provide the...
posted @ Tuesday, January 20, 2009 5:42 AM |
|
 |
If you've taken the time to read over the "Top 25 Most Dangerous Programming Errors" published by SANS recently, you may (or may not) have noticed that CWE-319 is an anomaly, and should be easily picked out by developers and security professionals in a game called "which one of these is not like the other". CWE-319 If your software sends sensitive information across a network, such as private data or authentication credentials, that information crosses many different nodes in transit to its final destination. Attackers can sniff this...
posted @ Monday, January 19, 2009 3:57 AM |
|
 |
While doing some research on a related topic I dug into the technical aspects of Obama's Blueprint For Change. The plans around technology are fairly nebulous, with a few exceptions, such as those related specifically to broadband access: Deploy Next-Generation Broadband: Barack Obama believes we can get broadband to every community in America through a combination of reform of the Universal Service Fund, better use of the nation’s wireless spectrum, promotion of next-generation facilities, technologies and applications, and new tax and loan incentives. On this front, a U.S. House committee recommended yesterday...
posted @ Friday, January 16, 2009 4:08 AM |
|
 |
Zero-day IE exploits and general mass SQL injection attacks often overshadow potentially more dangerous exploits targeting lesser known applications and attack vectors. These exploits are potentially more dangerous because once proven through a successful attack on these lesser known applications they can rapidly be adapted to exploit more common web applications, and no one is specifically concentrating on preventing them because they're, well, not so obvious.
Recently, SANS Internet Storm Center featured a write up on attempts to exploit Roundcube Webmail via the HTTP Accept header. Such an attack is generally focused on exploitation of operating system, language, or environmental...
posted @ Thursday, January 15, 2009 9:12 AM |
|
 |
Everyone is buzzing and tweeting about the SANS Institute CWE/SANS Top 25 Most Dangerous Programming Errors, many heralding its release as the dawning of a new age in secure software. Indeed, it's already changing purchasing requirements. Byron Acohido reports that the Department of Defense is leading the way by "accepting only software tested and certified against the Top 25 flaws." Some have begun speculating that this list obviates the need for web application firewalls (WAF). After all, if applications are secured against these vulnerabilities, there's no need for an additional layer of security. Or is there? ...
posted @ Wednesday, January 14, 2009 4:22 AM |
|
 |
One of the reasons behind some folks pushing for infrastructure as virtual appliances is the on-demand nature of a virtualized environment. When network and application delivery infrastructure hits capacity in terms of throughput - regardless of the layer of the application stack at which it happens - it's frustrating to think you might need to upgrade the hardware rather than just add more compute power via a virtual image. The truth is that this makes sense. The infrastructure supporting a virtualized environment should be elastic. It should be able to dynamically expand without requiring a new network architecture,...
posted @ Tuesday, January 13, 2009 4:15 AM |
|
 |
It has been suggested more than once, by folks normally considered rational, that in a cloud computing implementation everything - and I mean everything - should be virtualized. Even the infrastructure. The hype surrounding virtualization has spread not just to applications and their virtual image deployment as a means to achieve dynamic horizontal scale but also to infrastructure, to routers and switches and security devices. Indeed, there are a good number of infrastructure vendors currently offering and others feverishly working on virtual appliance versions of hardware devices for deployment in cloud and virtual computing environments. Part...
posted @ Monday, January 12, 2009 4:29 AM |
|
 |
After talking about data integration being the Achilles heel of cloud computing I had a chat with Informatica, who is not only providing a solution for data integration for the cloud, but is leveraging the cloud to do it. While we at F5 are focused on tearing down the silos that exist in IT to support the delivery and management of applications both internal and external (SaaS, cloud), Informatica is looking to tear down the silos in the cloud that currently exist as Software as a Service (SaaS) offerings. Integration, always a painful subject, has become...
posted @ Friday, January 09, 2009 7:11 AM |
|
 |
Over the holidays I did, as most folks I suspect, things I enjoy doing. For me, one of those things was playing around with Adobe's Flex using Flex Builder 3. Yes, I am that much of a geek. I was a bit concerned it would take some time to figure it all out, but after quickly realizing that MXML, Adobe's interface markup language, was close enough to XAML, Microsoft's interface markup language, it was pretty much smooth going. ActionScript is close enough to JavaScript and C and most other languages I'm familiar with so that...
posted @ Thursday, January 08, 2009 8:12 AM |
|
 |
The spirit of SOA and its core principles are still very much alive, but we can't call it SOA any more because, well, SOA is (pretty much) officially dead, at least according to folks on the tubes and we all know that if you hear it on the tubes it must be true. Anne Thomas Manes of the Burton Group declared SOA officially dead on January 1, 2009, but maintains that "although the word “SOA” is dead, the requirement for service-oriented architecture is stronger than ever." Ms. Manes blames the death of SOA on the failure to...
posted @ Wednesday, January 07, 2009 9:07 AM |
|
 |
dy·nam·ic (adj) Characterized by continuous change, activity, or progress flex·i·ble (adj) Responsive to change; adaptable. Able to bend without breaking Infrastructure 2.0 is, at its core, about not just the network but the entire infrastructure evolving to a new level of interconnectedness, one in which the underlying infrastructure devices become flexible and adaptable; capable of responding to the continuous change in the next generation data center without breaking. The demands placed upon infrastructure by virtualization, consolidation, and the cloud require that networks grow out of their static configuration models and adopt a more...
posted @ Tuesday, January 06, 2009 6:56 AM |
|
 |
Over the holidays Marcin @ tssci security offered up a Python script for brute forcing the HTTP OPTIONS on directories. One of the reasons someone would want this information is because if you're (accidentally, of course) allowing PUT methods on any directories, someone can upload something nasty and potentially execute an attack. The availability of PUT makes XSS attacks simple even for script kiddies, for example. There may be legitimate reasons for enabling PUT on your servers, but you don't necessarily want the whole world to know that - just the applications that need the functionality....
posted @ Monday, January 05, 2009 5:58 AM |
|
 |
It's been a very long year, hasn't it? At least it has if you've been diligently trying to post every day for the past, oh, eight months or so. I've blogged through maternity leave, through days off, through travel and trade shows, and even sometimes on the weekends. Hard to believe I have anything left to say, isn't it? Those of you who know me can stop laughing now. Really. No, I'm serious, it wasn't that funny a question. It's probably more difficult for me not to blog than to blog. So for the...
posted @ Friday, December 19, 2008 8:06 AM |
|
 |
VM sprawl is predicted to be one of the outcomes of early adoption and excitement over virtualization. Just as IT struggled to manage the explosion of PCs and servers across the enterprise, it is predicted that now it will need to find a way to manage the explosion of virtual machines as they pop up all over the enterprise with surprising alacrity. Part of the difficulty in managing new technology is the rogue deployment of X. Whether that's physical or virtual servers is irrelevant, the challenges associated with managing what are essentially unmanaged applications and servers deployed outside...
posted @ Friday, December 19, 2008 7:10 AM |
|
 |
The INTERNET, December 18, 2008 - In what is certainly a blinding epiphany for some it was suddenly realized today that some applications are not well suited for deployment in a public cloud computing environment. With all the hype surrounding cloud computing these days it is easy to forget that there's more to enterprise applications than just some code and a database. It is a rare application that is an island in the data center, and the more integrated with other systems a given application is the less likely it is that the application will be well suited...
posted @ Thursday, December 18, 2008 4:14 AM |
|
 |
Just because you can, doesn't mean you should. I'm going to start this one by quoting Hoff who was quoting Andreas Antonopoulos of Nemertes Research Group who was paraphrasing a concept put forth by Doug Gourlay. From Rational Survivability "How about using netflow information to re-balance servers in a data center" Routing: Controlling the flow of network traffic to an optimal path between two nodes Virtual-Routing or Anti-Routing: VMotioning nodes (servers) to optimize the flow of traffic on the network. Using netflow information, identify those...
posted @ Wednesday, December 17, 2008 4:03 AM |
|
 |
When an application is deployed into a high-availability production environment there are a number of interesting infrastructure related things that need to happen. The application delivery controller (ADC) needs to be configured, DNS entries updated, storage allocated, and all the other associated network infrastructure must be prepared to handle the delivery of the new application. We have a BIG-IP. Do I have to talk to the network guys?? ...
posted @ Tuesday, December 16, 2008 5:55 AM |
|
 |
A while back Joe blogged about some Twitter integration he'd done around monitoring of BIG-IP. He's got a PERL proxy that monitors the BIG-IP and sends out notifications and alerts to a specified Twitter account. But I wanted something more interactive, something more social. I wanted to be able to send a tweet to my BIG-IP and have it respond; a BIG-IP Twitter bot, if you will. So Friday I finally decided it was time to do it. I set up a Twitter account for my BIG-IP and started coding. Luckily, the Twitter API is pretty straight-forward and...
posted @ Monday, December 15, 2008 6:03 AM |
|
 |
One of the most affordable options for small and medium businesses in terms of Internet connectivity is business-class service from cable and telco providers like Time Warner Cable, Cox, Verizon, and AT&T. Unfortunately, the definition of "business-class" is ill-suited to businesses that host their own web applications or mail servers. If you've ever looked into business class service, you'll notice that like residential services, they are only truly cost effective if you don't really care about upload speed. For example, Verizon has a promotional offer that promises download speeds up to 7.1Mbps, but limits upload speeds to 768Kbps....
posted @ Friday, December 12, 2008 3:46 AM |
|
 |
You may recall a recent overview on network-side scripting that described a few uses of this technology integrated with application delivery controllers. With thousands of examples of the uses of network-side scripting it's hard to choose just one to adequately represent its potential. Luckily, we don't have to stick to just one. Viva la Internet! Based on the technical session the great network-side scripting guru Colin and I ran at SD Best Practices in October, I've pulled nine ways to use network-side scripting that can enhance the scalability, security, and performance of web applications into a presentation for...
posted @ Thursday, December 11, 2008 4:04 AM |
|
 |
As an application delivery solution provider focused on securing, accelerating, and optimizing web applications, we pay a lot of attention to web application development trends. Languages, environments, and technologies are all of significant interest because in many cases the decisions regarding development affect the security and performance of applications deployed in production. AJAX-based applications, for example, can have a significant impact on performance of the application and on the network (and vice-versa), so we pay attention to its adoption and use and are always looking for new ways to secure and accelerate applications using the technology. ...
posted @ Wednesday, December 10, 2008 4:35 AM |
|
 |
Wesley: Now, there may be problems once our app is in the cloud.
Inigo: I'll say. How do I find the data? Once I do, how do I integrate it with the other apps? Once I integrate it, how do I replicate it?
If you remember this somewhat altered scene from the Princess Bride, you also remember that no one had any answers for Inigo. That's apropos of this discussion, because no one has any good answers for this version of Inigo either. And no, a holocaust cloak is not going to save the day this...
posted @ Tuesday, December 09, 2008 4:12 AM |
|
 |
In the face of a recession everyone, individuals and organizations alike, begins scaling back spending. The first thing to go is luxury items; after all, you probably didn't need that big screen TV for Christmas, and the kids will likely be just as happy with used video games as they would with new ones. IT departments quickly scale back as well, putting off larger, more costly projects that aren't critical to the core business and re-evaluating much of their infrastructure in an attempt to cut costs and reduce the impact of the hardware and software costs of running...
posted @ Monday, December 08, 2008 3:52 AM |
|
 |
SOA is, at its core, a design and development methodology. It embraces reuse through decomposition of business processes and functions into core services. It enables agility by wrapping services in an accessible interface that is decoupled from its implementation. It provides a standard mechanism for application integration that can be used internally or externally. It is, as they say, what it is. SOA is not necessarily SOAP, though until the recent rise of social networking and Web 2.0 there was little real competition against the rising standard. But of late the adoption of REST...
posted @ Friday, December 05, 2008 3:33 AM |
|
 |
Deploying applications in a cloud computing environment, whether private or public, requires a bit of proactive thinking on the ramifications of a dynamic, on-demand environment, particularly when considering the impact on application session management. Consider that today, application sessions are often relied upon to remain in memory, on the application server, for hours. Persistence is achieved by storing the session in a file if necessary on the local server rather than in a database. This is particularly true of web applications developed in scripting languages like PHP that do not require a separate application server. But users who...
posted @ Thursday, December 04, 2008 7:15 AM |
|
 |
The predictions of the death of online shopping this holiday season were, apparently, greatly exaggerated. As it's been reported, Sears, along with several other well-known retailers, were victims of heavy traffic on Black Friday. One wonders if the reports of a dismal shopping season this year due to economic concerns led retailers to believe that there would be no seasonal rush to online sites and therefore preparation to deal with sudden spikes in traffic was unnecessary. Most of the 63 objects (375 KB of total data) comprising sears.com home page are served from sears.com...
posted @ Wednesday, December 03, 2008 3:10 AM |
|
 |
Christofer Hoff, better known as @Beaker to the Twitterverse, put on his devil's advocacy hat (yes, it really is a good color for him) yesterday and questioned whether there was a need for hardware application delivery solutions in the cloud. He postulated via Twitter that application delivery functions would become part of the cloud fabric and thus whether they were implemented in hardware or software was largely irrelevant. Generally speaking we're in agreement on that one. But then he really used that devil's advocacy hat and suggested that the application delivery control layer might be virtualized and...
posted @ Tuesday, December 02, 2008 7:15 AM |
|
 |
Thanks to a tweet from @Archimedius, I found an insightful blog post from cloud computing provider startup Kaavo that essentially makes the case for a move to application-centric management rather than the traditional infrastructure-centric systems on which we've always relied. We need to have an application centric approach for deploying, managing, and monitoring applications. A software which can provisions optimal virtual servers, network, storage (storage, CPU, bandwidth, Memory, alt.) resources on-demand and provide automation and ease of use to application owners to easily and securely run and maintain their applications will be critical for the...
posted @ Monday, December 01, 2008 2:59 AM |
|
 |
Horizontal scalability achieved through the implementation of a load balancing solution is easy. It's vertical scalability that's always been and remains difficult to achieve, and it's even more important in a cloud computing or virtualized environment because now it can hurt you where it counts: the bottom line. Horizontal scalability is the ability of an application to be scaled up to meet demand through replication and the distribution of requests across a pool or farm of servers. It's the traditional load balanced model, and it's an integral component of cloud computing environments. Vertical scalability is the ability of...
posted @ Tuesday, November 25, 2008 3:29 AM |
|
 |
The diseconomy of scale so adversely affecting the IP address management space isn't limited to network infrastructure; it's crawling up the stack steadily and infecting all layers of the data center like some kind of unstoppable infrastructure management virus. That is why, even with the simple act of managing an enterprise network’s IP addresses, which is critical to the availability and proper functioning of the network, actually goes up as IP addresses are added. As TCP/IP continues to spread and take productivity to new heights, management costs are already escalating. -- Greg Ness, "What Are the Barriers to...
posted @ Monday, November 24, 2008 3:47 AM |
|
 |
Amidst the hype of cloud computing and virtualization has been the publication of several research notes regarding SOA. Adoption, they say, is slowing. Oh noes! Break out the generators, stock up on water and canned food! An article from JavaWorld quotes research firm Gartner as saying: The number of organizations planning to adopt SOA for the first time decreased to 25 percent; it had been 53 percent in last year's survey. Also, the number of organizations with no plans to adopt SOA doubled from 7 percent in 2007 to...
posted @ Friday, November 21, 2008 3:09 AM |
|
 |
Last month I happened across this amusing, and ironic, poem describing the dichotomy that exists in trying to define cloud computing. Go ahead and read it, I'll wait, it's worth the time. Seriously. I am not going to define cloud computing again. I've done that already and the point of this discussion is not what is cloud computing but rather how the cloud is beginning to separate into distinct models, each serving a different set of needs. The common theme between these models is "as a service". Some "thing" traditionally relegated to the local IT data center is...
posted @ Thursday, November 20, 2008 3:12 AM |
|
 |
Load balancing an application should, by now, be a fairly routine scaling exercise. But too often when an application is moved into a load balanced architecture it breaks. The reason? Application sessions are often specific to an application server instance. The solution? Persistence, also known as sticky connections. The use of sessions on application servers to add state to web (HTTP) applications is a common practice. In fact, it's one of the greatest "hacks" in the history of the web. It's an excellent solution to the problem of using a stateless application protocol to build applications for which...
posted @ Wednesday, November 19, 2008 3:40 AM |
|
 |
Michael Vizard over at eWEEK makes an interesting prediction about the future of application acceleration: "Some day the whole concept of application acceleration will be baked into the core routers and switches we have in place." I disagree. Routers and switches are packet-based. They focus on getting a single packet from here to there based on layer 2/3 information. Application acceleration solutions require action higher in the stack, usually layer 4 through 7; they are flow or connection based, and are often specific to the application (think CIFS, SAMBA, HTTP, etc.). The information necessary for application acceleration solutions...
posted @ Tuesday, November 18, 2008 3:38 AM |
|
 |
The saying goes that to forget (or in some cases blatantly ignore) the mistakes of the past is to be doomed to repeat them. ODBC. BPEL. JDBC. All three are extensible standards in the software industry that cause no end of headaches and increased management overhead for folks attempting to deal with them. None of them are interoperable; you can't use the ODBC driver for Oracle to hook up to a SQL Server database, nor can you use the same BPEL produced by one BPM solution as within another. Because they're "extensible" and that extensibility leads,...
posted @ Monday, November 17, 2008 4:45 AM |
|
 |
While I was at SD Best Practices in Boston last month I got to talk to a lot of engineers, developers, and architects about their environments and about what F5 does for application delivery. One of the developers glibly told me he wasn't sure we could help him out because his environment was the international space station. Yeah, how cool is that? Now that's cloud computing. Another architect, who turned out to be a friend of a friend who I've conversed with but never met in person said the same thing, but...
posted @ Friday, November 14, 2008 3:08 AM |
|
 |
As a general rule, we spend far more time worrying about external appearances than we do internal. We are more concerned with our external web applications and how they look - and perform - than we are likely to regarding our intranet or internal only applications. This blog post was interesting in that rather than encouraging folks to optimize web sites and improve end-user response time for web applications for the sake of the user experience, it focused on the relationship between page load time and impact on Google AdWords quality scores. Which is a bit different than...
posted @ Thursday, November 13, 2008 3:36 AM |
|
 |
Whenever there is a shift in architectural thinking about technology, such as is happening right now with cloud computing and virtualization, we start thinking forward, past the now, and into the future about how that technology might be leveraged. We start looking at the impact to architecture from the top of the stack to the bottom. For a company that's focused on application delivery, that means taking a good hard look at how that new technology might impact the architecture of applications. It's been suggested that perhaps, just maybe, we'll see service-oriented clouds; that the concepts of SOA...
posted @ Wednesday, November 12, 2008 8:52 AM |
|
 |
It is often the case that application server clustering and load-balancing are mistakenly believed to be the same thing. They are not. While server clustering does provide rudimentary load-balancing functionality, it does a better job of providing basic fail-over and availability assurance than it does load-balancing. In fact, load balancing has effectively been overtaken by application delivery, which builds on load balancing but is much, much more than that today. Clustering essentially turns one instance of an application server into a controlling node, a proxy of sorts, through which requests are funneled and then distributed amongst several...
posted @ Tuesday, November 11, 2008 7:05 AM |
|
 |
When SOA was the hot topic of the day (not that long ago) everyone was pumped up about the ability to finally align IT with the business. Reusability, agility, and risk mitigation were benefits that would enable the business itself to be more agile and react dynamically to the constant maelstrom that is "the market". But only half of IT saw those benefits; the application half. Even though pundits tried to remind folks that the "A" in SOA stood for "architecture", and that it necessarily included more than just applications, still the primary beneficiary of SOA has been applications...
posted @ Monday, November 10, 2008 8:23 AM |
|
 |
Many people are concerned with virtualization security (already coined VirtSec), and they're applying that concern from the virtual images all the way down the stack, to the network infrastructure through which virtualized application traffic is delivered. The desire for network infrastructure to be itself virtualized is growing out of a perceived need to isolate application traffic at every point in the infrastructure. But the technology to isolate application traffic at layer 2 and 3 of the infrastructure already exists, and has been essentially virtualized for years.
The sudden desire for everything in the infrastructure to be virtualized completely is borne...
posted @ Friday, November 07, 2008 6:33 AM |
|
 |
Just about every large organization, and a whole lot of startups, are trying to leverage the potential of social media in their marketing efforts. We all read great articles containing tips and tricks regarding how to use social media for business purposes, and how to gauge whether or not we are successful. The discussions often ignore the risks, especially the soft risks, of engaging the market and so-called citizen journalists at the Internet's watercoolers. Soft risks are always part of the equation of the return on investment for a product or piece of software. Soft risks are...
posted @ Thursday, November 06, 2008 3:10 AM |
|
 |
The VirtualDC has asked the same question that's been roaming about in every technophile's head since the beginning of the cloud computing craze: what defines a cloud? We've chatted internally about this very question, which led to Alan's questions in a recent blog post. Lori and others have suggested that the cloud comes down to how a service is delivered rather than what is delivered, and I’m fine with that as a long term definition or categorization. I don’t think it’s narrow enough, though, to answer the question “Is Gmail a cloud service?” because...
posted @ Wednesday, November 05, 2008 6:53 AM |
|
 |
If you're in the US, and even if you aren't, it's nearly impossible to ignore the fact that we're in the midst of a presidential election that will be resolved today. And we're quite passionate about the process. That's because the concepts of democracy are ingrained in us from the time we are small children and permeate almost every aspect of our lives, even though we may not realize it. Even our technology is colored by our belief in the democratic process. Remember token ring networks? If the "leader" (the active monitor) of the token ring failed for...
posted @ Tuesday, November 04, 2008 2:56 AM |
|
 |
How the cloud acts and is used is more important than where it physically resides. Cloud computing and SOA suffer from the same lack of prescriptive architectures. They are defined by how they act rather than what they are, or from what they are composed. They are, in a way, existential technology that cannot be confined to a simple architectural diagram but require instead a set of properties or ways of acting in order to be recognized. To over simplify and paraphrase Jean-Paul Sartre's concepts of existentialism, we define ourselves (mankind) through our actions. To apply this to...
posted @ Monday, November 03, 2008 3:29 AM |
|
 |
We all understand the lines in the sand (or the architectural diagram) that separate client-side scripting from server-side scripting. It's very clear that client-side scripting, e.g. JavaScript, VBScript, ActionScript, executes on the client while server-side scripting, e.g. PHP, ASP, executes on the server. But what about network-side scripting?
"There is no such thing!" might be the first response to this question, but I beg to disagree. Programmable proxies, a la F5's BIG-IP Local Traffic Manager, that provide a scripting language such as iRules, are simultaneously client-side and server-side, with the best definition to describe their placement in architectures being network-side...
posted @ Friday, October 31, 2008 5:26 AM |
|
 |
Greg Ness calls it "connectivity intelligence" but it seems that what we're really talking about is the ability of network infrastructure to both be agile itself and enable IT agility at the same time. Brittle, inflexible infrastructures - whether they are implemented in hardware or software or both - are not agile enough to deal with an evolving, dynamic application architecture. Greg says in a previous post The static infrastructure was not architected to keep up with these new levels of change and complexity without a new layer...
posted @ Wednesday, October 29, 2008 4:08 AM |
|
 |
I'm off Monday to Boston for SD Best Practices. This is the first time I (and F5) have been at the show, and we're all excited about the opportunity to meet some new folks. Monday is a busy day, with travel and our keynote, "The Best Kept Secret in Building Scalable Applications." Wednesday, fellow blogger Colin and I will be running a technical session on the "9 Things You Can Do to Build Scalable Applications (and 3 You Can't)" that promises to be a lot of fun. In between our speaking engagements, we'll be hanging out...
posted @ Friday, October 24, 2008 8:26 AM |
|
 |
I'm in a bit of a mood after reading a Javaworld article on server load balancing that presents some fairly poor ideas on architectural implementations. It's not the concepts that are necessarily wrong; they will work. It's the architectures offered as a method of load balancing that made me do a double-take and say "What?" I started reading this article because it was part 2 of a series on load balancing and this installment focused on application layer load balancing. You know, layer 7 load balancing. Something we at F5 just might know a thing or two about. But you...
posted @ Friday, October 24, 2008 7:55 AM |
|
 |
You have just been promoted to CTO of Widgets, Inc. (Congratulations, by the way!) In your new role, on which of the following will you focus the most attention (and budget): (a) the network (b) the applications (c) the data Trick...
posted @ Thursday, October 23, 2008 4:40 AM |
|
 |
Managing a heterogeneous infrastructure is difficult enough, but managing a dynamic, ever changing heterogeneous infrastructure that must be stable enough to deliver dynamic applications makes the former look like a walk in the park. Part of the problem is certainly the inability to manage heterogeneous network infrastructure devices from a single management system. SNMP (Simple Network Management Protocol), the only truly interoperable network management standard used by infrastructure vendors for over a decade, is not robust enough to deal with the management nightmare rapidly emerging for cloud computing vendors. It's called "Simple" for a reason, after all. And...
posted @ Wednesday, October 22, 2008 3:58 AM |
|
 |
According to Steve Rubel at Micro Persuasion, I must be way more geeky than your average consumer. (Thanks, Steve!) That's because I'm using RSS (Really Simple Syndication) and Google to peruse myriad feeds in my daily quest to "read the Internet." Steve comments on a recently released Forrester report citing the adoption of RSS as low with no real indication it will get any better in the future. According to the research, of the 89% of those who don't use feeds only 17% say they're interested in using them. In fact Forrester...
posted @ Tuesday, October 21, 2008 4:36 AM |
|
 |
Over the years imaginative developers have come up with a number of ways through which they hope to stop the pilfering of their images. Whether due to copyright issues or the increased bandwidth and associated costs resulting from "hot linking", site owners have tried a variety of solutions from JavaScript that prevents the ability to right-click and "save as" to watermarking high-resolution versions to make their images less appealing to image thieves. Regardless of the reason you may want to prevent image theft, there's an easier and more effective method than introducing easily countered JavaScript and costly alternative...
posted @ Tuesday, October 21, 2008 3:31 AM |
|
 |
One password to fool them all
One password to find them
One password to steal them all
and in the ether become them
[with many apologies to J.R.R. Tolkien]
For years we've had it beat into...
posted @ Monday, October 20, 2008 4:02 AM |
|
 |
Paul Maritz' keynote at VMWorld this year featured a demonstration of cloud computing using B-Hive, F5 Global Traffic Manager (GTM), and BlueLock. If you missed it, here's your chance to kick back and explore how these technologies fit together to provide a dynamic, virtualized environment. ...
posted @ Friday, October 17, 2008 4:14 AM |
|
 |
Not every infrastructure vendor needs new capabilities to support cloud computing and infrastructure 2.0. Greg Ness of Infoblox has an excellent article on "The Next Tech Boom: Infrastructure 2.0" that is showing up everywhere. That's because it raises some interesting questions and points out some real problems that will need to be addressed as we move further into cloud computing and virtualized environments. What is really interesting, however, is the fact that some infrastructure vendors are already there and have been for quite some time. One thing Greg mentions that's not quite accurate (at least...
posted @ Friday, October 17, 2008 3:58 AM |
|
 |
One of the most dangerous threats to data security is also one of the least talked about: employees. Are Twitter and other microblogging sites yet another avenue through which sensitive data can leak out of the corporate database and into the hands of ... anyone? Perhaps more worrisome, what information are you giving away simply by being a part of the community? Of course Twitter is a potential threat. Like personal e-mail accounts and instant messaging, Twitter and sites of its ilk are primarily messaging mechanisms, which translates into personal channels for exporting sensitive data outside the...
posted @ Thursday, October 16, 2008 4:00 AM |
|
 |
There are a lot of SOA governance solutions out there that fall into two distinct categories of purpose: one is to catalog services and associated security policies and the other is to provide run-time management for services, including enforcement of security and performance-focused policies. Vendors providing a full "SOA Stack" of functionality across the service lifecycle (design, development, testing, production) often integrate their disparate product sets for a more automated (and thus manageable) SOA infrastructure. But very few integrate those same products and functionality with the underlying network and application delivery infrastructure required to provide high-availability and scalability...
posted @ Wednesday, October 15, 2008 5:37 AM |
|
 |
Silverlight, if you recall, appears to be Microsoft's answer to Adobe's AIR platform. Microsoft released Silverlight 2.0 today, as expected. Part of the big exciting news is that you can now code up Silverlight applications in Eclipse. Yeah, not kidding. I know, you just hit weather.com too and checked to see what the temperature was. But seriously, Microsoft is fully supportive of the Eclipse environment for Silverlight despite its own support with its own free tool, Visual Web Developer Express. I haven't checked out the Eclipse version yet, so I'll be interested to see it and hear how...
posted @ Tuesday, October 14, 2008 1:19 PM |
|
 |
AJAX. SOA. Social network API integration. All of the aforementioned technologies have one thing in common. Okay, they have more than that in common, but for the purposes of this discussion there's one very...
What is TCP Multiplexing? TCP multiplexing is a technique used primarily by load balancers and application delivery controllers (but also by some stand-alone web application acceleration solutions) that...
posted @ Tuesday, October 14, 2008 5:10 AM |
|
 |
Everybody is jumping on the data center consolidation bandwagon again. It never really went away, it just took a leisurely Sunday drive through the countryside for a few years before turning back up on the streets of busy data centers everywhere.
This time, it's virtualization that's driving consolidation, and this time it appears that the movement may actually have a better chance at...
posted @ Monday, October 13, 2008 4:16 AM |
|
 |
I was reading an interesting article on the return on investment for WAN Optimization solutions as discussed by analyst research firm Aberdeen and decided to download the complimentary copy of the report. Reports are generally offered as PDF downloads, not displayed in Macromedia FlashPaper, so it was not easily obtainable for sharing with friends. However, there's a nice "e-mail to a friend" link so I clicked on it, thinking of many folks I know who might be interested in this report. The next thing I know my screen is screaming at me with a warning about malicious content...
posted @ Friday, October 10, 2008 6:00 AM |
|
 |
Lately I've been seeing quite a few links to a white paper popping up in my alerts and feed-reader. Regardless of who's linking to it, it generally reads as promising to reveal some grand secret about how web application acceleration is an epic failure. I finally gave in and clicked on a link and ended up directed to download a white-paper, the description for which essentially distilled "web application acceleration" down to "caching". And then promised to tell me why caching wasn't a good way to accelerate web applications. I didn't download the white paper primarily because equating...
posted @ Friday, October 10, 2008 3:17 AM |
|
 |
I spent a big chunk of time a few nights ago discussing neural networks with my oldest son over IM. It's been a long time since I've had reason to dig into anything really related to AI (artificial intelligence) and at first I was thinking how cool it would be to be back in college just exploring topics like that. Then, because I was trying to balance a conversation with my oldest while juggling my (fussy) youngest on my lap, I thought no, no it wouldn't. Artificial neural networks (ANN) are good for teaching a system how to...
posted @ Thursday, October 09, 2008 3:57 AM |
|
 |
After having recently discussed all the different kinds of proxies that exist, it occurred to me that it might be nice to provide some examples of what you can do with proxies besides the obvious web filtering scenario. This is by no means an exhaustive list, but is provided to show some of the more common (and cool, I think) uses of proxies. What's really awesome is that while some of these uses are available with only one type of proxy (reverse or forward), a full proxy can provide all these uses, and more, in a single, unified...
posted @ Wednesday, October 08, 2008 4:27 AM |
|
 |
In the good old days when I was in college I had a generic PC. That's the way we did it back then - we built our PCs out of parts (obligatory "you kids don't know how good you have it these days" look). On that PC is something you don't often see today; a small toggle switch that changed the processor clock rate from 4 to 7 MHz. That's right, I said MHz. Not GHz. That was not that long ago in real years, but in technological years it's been a lifetime. As Moore's law correctly predicts,...
posted @ Tuesday, October 07, 2008 4:10 AM |
|
 |
For the past eight years I've been telecommuting, first for Network Computing Magazine and now for F5. In fact, Don and I have been telecommuters (or teleworkers, depending on whom you ask) for so long that our children don't realize that most people actually have to get dressed and go to work on a daily basis. Granted, that's because we happen to live (and want to stay) in that great technological mecca of the midwest (Green Bay) even though F5 is headquartered in Seattle, but F5 being the best high-tech company in the Pacific Northwest (really, I'm not just saying...
posted @ Monday, October 06, 2008 12:54 PM |
|
 |
Darren Jefford has an excellent (and detailed with code examples) post regarding what could easily be categorized as cloudbursting with BizTalk workflows. In a nutshell, Microsoft allows hosting of BizTalk activities in the cloud at BizTalk labs. Developers then integrate those...
posted @ Monday, October 06, 2008 3:29 AM |
|
 |
I read about a "new" TCP flaw that, according to C|Net News, puts Web sites at risk. There is very little technical information available; the researchers who discovered this tasty TCP tidbit canceled a conference talk on the subject and have been sketchy about the details of the flaw when talking publicly. So I did some digging and ran into a...
posted @ Friday, October 03, 2008 5:06 AM |
|
 |
After proclaiming very publicly that I loved HttpFox and everyone should have it there were many comments regarding Firebug, including some that came via e-mail. I've used Firebug in the past, but hadn't really looked at it in comparison to HttpFox and thought that with so many people saying it was "all that and more" with regards to HttpFox, I should...
posted @ Friday, October 03, 2008 3:57 AM |
|
 |
We often mention that the benefits derived from some application delivery controllers are due to the nature of being a full proxy. And in the same breath we might mention reverse, half, and forward proxies, which makes the technology sound more like a description of the positions on a sports team than an application delivery solution. So what do these terms really mean? Here's the lowdown on the different kinds of proxies in one concise guide. PROXIES Proxies (often called intermediaries in the SOA world) are hardware or software solutions that sit between the client and the...
posted @ Thursday, October 02, 2008 5:01 AM |
|
 |
At Interop this week, security experts have begun sounding the drum regarding the security risks of virtualization and reminding us that virtual server sprawl magnifies that risk because, well, there are more virtual servers to manage at risk.
Virtual sprawl isn't defined by numbers; it's defined as the proliferation of virtual machines without adequate IT control, [David] Lynch said.
That's good, because the numbers as often cited just don't add up. A NetworkWorld article in December 2007 cited two different sets of numbers from Forrester Research on the implementation of virtualization in surveyed organizations.
First we are told that:...
posted @ Wednesday, October 01, 2008 3:43 AM |
|
 |
Pet peeve time: screaming technical inaccuracies in blog posts do a huge disservice to the root problem being discussed. If you're going to discuss hijacking DNS errors for the purposes of advertising, then please do so - don't call them DNS "error pages" (there are no such things) or refer to them as "404 errors". 404 is an HTTP status code indicating that the requested resource cannot be found. It is in no way related to DNS and, in fact, such an error code cannot be returned without a successful DNS lookup, which means there's no hijacking...
posted @ Tuesday, September 30, 2008 8:19 AM |
|
 |
If you're excited about the automation capabilities of cloud computing and virtualization, you are going to love this solution. In a virtualized environment where applications can ostensibly be popping up all over, and applications are no longer tied to specific servers, there is a need to automatically manage these application instances in a high-availability (load balanced) environment. What you need is the ability to automagically add and remove application instances from the application delivery controller (load balancer) so you don't have to worry about tying those applications down, which could reduce the benefits typically associated with virtualization. If...
posted @ Tuesday, September 30, 2008 4:49 AM |
|
 |
It seems that every time a new technology breaks through the surface a hundred "experts", vendors, and standards-bodies appear like moths to a flame attempting to define the term such that only "they" have the answer, the solution, the standard, or the product. When my son mentioned a research paper he wrote on cloud computing (which you still haven't sent me, by the way) he did so while disagreeing with a previous post of mine on the subject. He was quite vehement that grid computing did not equal cloud computing, and seemed almost shocked that I would dare...
posted @ Monday, September 29, 2008 11:07 AM |
|
 |
One of the arguments against the deployment of web application firewalls (WAF) is that it takes time to configure these devices to fit each individual environment. This is allegedly one of the reasons that secure coding is preferred over security devices. But it takes time to code solutions and deploy them, too. In fact, depending on the lifecycle management at any given organization, it can take more time to code a solution and get it moved through a phased environment into production. One of the benefits of an application delivery platform and web application security deployed at...
posted @ Monday, September 29, 2008 4:38 AM |
|
 |
Whether you're a network architect, a web developer, or a web administrator there's one tool that's a must have in your troubleshooting toolbox: a protocol analyzer.
Like many network focused folks, I traditionally rely upon Ethereal (now Wireshark) for protocol analysis. It decodes just about every protocol up and down the stack, and it can import/export to a variety of formats. But being connected to the corporate LAN via an SSL VPN, Wireshark is often constrained by its own architecture. Because it inserts itself into the network stack to gather data, it can't decrypt the SSL encrypted packets, which makes...
posted @ Friday, September 26, 2008 7:24 AM |
|
 |
There are a lot of things you can share on the Web today - you can bookmark pages, share pictures on Flickr or twitpic, blast a 12 second audio message out, e-mail links, or post nifty tidbits to your Facebook profile. But rarely do you find an online tool that lets you bring all that disparate content together in one elegant presentation-like format. Flowgram aims to change the way you share content, by allowing you to mashup multiple media formats into a single, audio-backed "flowgram", sharable across a large number of social networking sites as well as via...
posted @ Thursday, September 25, 2008 11:31 AM |
|
 |
Don Sears has an informative blog post on a new Nevada law requiring encryption of all transmissions containing personal, identifiable information by, well, every business in the state. The focus seems to be on e-mail, probably because it's a royal PITA to implement for many folks. A recent study1 conducted by CertifiedMail and Osterman Research found that "among those respondents that can send a manually encrypted email, 22% found doing so somewhat difficult or difficult." Interestingly enough, the law doesn't specifically call out e-mail. In fact, it's quite open in describing its applicability (IANAL). ...
posted @ Thursday, September 25, 2008 6:07 AM |
|
 |
I've seen some controversial use of terminology to describe technology before but this one beats them all. I'm cruising through my Google alerts, looking for something interesting, when I come across this post: Linux Web Server Hack - How to Write Automated Load Balancing Script! Sounds cool, right? I like Linux. I like hacks. I like load balancing. So, much to my chagrin now, I read it. The script isn't the problem, it's really quite nice - I love a well-written script, especially one that makes use of awk - and it definitely...
posted @ Wednesday, September 24, 2008 5:18 AM |
|
 |
Desktop virtualization. Virtual desktops. Application streaming. Whatever you want to call it makes no nevermind to me because the problem driving the entire concept is gone. Eradicated. Made irrelevant by the cloud. Made irrelevant by cloudware, SaaS (Software as a Service), and the ubiquitous browser. I cannot count the number of times I've heard complaints about some form of desktop virtualization/application streaming in the past. It's slow. The server died in the middle of my exam. It's slow. There are no more licenses left. It's slow today (why do you add "today", it's slow every day!). Sensing a...
posted @ Wednesday, September 24, 2008 5:01 AM |
|
 |
It often seems that load balancing and high availability are associated with only high traffic sites, like Twitter and Google. But load balancing and high availability isn't just for Web 2.0 phenomenons or web monsters; it can be an invaluable tool in your strategy to maintain service level agreements and customer satisfaction no matter how large or small your customer base - and data center - might be. ...
posted @ Tuesday, September 23, 2008 4:34 AM |
|
 |
As a corporate blogger I rarely post "off topic". There's a reason for that, and a reason why I'm doing so now. The core reason for doing so now is that it's a subject that's near and dear to me, having spent the majority of the past eight years writing and blogging in publishing and on the corporate side of the table, and I see far too many posts out there offering advice about blogging that's focused solely on "getting more hits". While that might be sound advice for personal blogs, it's off-key when it comes to corporate efforts. ...
posted @ Monday, September 22, 2008 11:46 AM |
|
 |
Sometimes IT folks are tasked with coming up with the justification for purchasing technology. It's not an enjoyable task, and considering the incredible difficulty in trying to pin dollar values on soft factors like increased productivity and an improved user experience the chore can be quite painful. Technology that's become commoditized generally doesn't require ROI justification; when is the last time you were asked what the return...
posted @ Monday, September 22, 2008 4:44 AM |
|
 |
No one likes to hear that they need to rewrite or re-architect an application because it doesn't scale. I'm sure no one at Twitter thought that they'd need to be overhauling their architecture because it gained popularity as quickly as it did. Many developers, especially in the enterprise space, don't worry about the kind of scalability that sites like Twitter or LinkedIn need to concern themselves with, but...
posted @ Friday, September 19, 2008 5:09 AM |
|
 |
Reuven Cohen of the Elastic Vapor blog, in this article, puts forth the notion that infrastructure is required to enable cloudbursting and then asks an excellent question: To truly enable a capable cloudbursting infrastructure, I feel there needs to be a common consensus on how this may be archived and by what means. So the question in...
posted @ Thursday, September 18, 2008 8:41 AM |
|
 |
If your entire data center infrastructure is on one virtualized PC, you're doing it wrong. The comparison between the power of a modern PC and a 1960's mainframe is often made in conjunction with a smug "look how far we've come" look. ...
posted @ Thursday, September 18, 2008 7:26 AM |
|
 |
No matter where you deploy it, it's still your application. Everyone's talking about cloud computing and cloudware (applications in the cloud) services and pointing to the hiccups of several major cloud providers already this year. Reliability, availability, and security are still major concerns, and yet some reports indicate these three "itys" aren't impeding adoption of cloud computing models at all. ...
posted @ Wednesday, September 17, 2008 3:20 AM |
|
 |
Tony Bourke of the Load Balancing Digest points out that mega proxies are largely dead. Very true. He then wonders whether layer 7 persistence is really all that important today, as it was largely implemented to solve the problems associated with mega-proxies - that is, large numbers of users coming from the same IP address. Layer 7...
posted @ Tuesday, September 16, 2008 6:03 AM |
|
 |
Yesterday it was reported that BusinessWeek had been infected with malware via an SQL injection attack. [begin Mom lecture] Remember when we talked about PCI DSS being a good idea for everyone, even though it's just a requirement for the payment card industry? If I've told you once, I've told you a million times: safer is better, more protection never hurts. ...
posted @ Tuesday, September 16, 2008 5:40 AM |
|
 |
Ars Technica is reporting on a recent Pew study on cloud computing and privacy, specifically concerning remote data storage and the kind of data-mining performed on it by providers like Google, which indicates that while consumers are concerned about the privacy of their data in the cloud, they still subject themselves to what many consider to be an invasion of privacy and misuse of data. 68 percent of...
posted @ Monday, September 15, 2008 7:07 AM |
|
 |
The discussion yesterday on JavaScript and security got me thinking about why it is that there are no good options other than script management add-ons like NoScript for securing JavaScript. In a compiled language there may be multiple ways to write a loop, but the underlying object code generated is the same. A loop is a loop, regardless of how it's represented in the language. Security products that insert...
posted @ Friday, September 12, 2008 4:49 AM |
|
 |
Back in the day when I was a technical architect and actually wrote code (yes, they did let me do that once) I got into a discussion with the rest of my team about the impact of our code on performance. I was saying white-space was evil because it can unnecessarily increase the number of packets necessary to transfer data. I wanted to go through the code (mostly JavaScript and HTML output) and reduce the white-space to make application...
posted @ Thursday, September 11, 2008 8:01 AM |
|
 |
Don is off in Lowell working on a project with our ARX folks so I was working late last night (finishing my daily read of the Internet) and ended up reading Scott Hanselman's discussion of threads versus processes in Chrome and IE8. It was a great read, if you like that kind of thing (I do), and it does a great job of digging into some of the RAMifications (pun intended) of the new programmatic models for both browsers. But this isn't about processes or threads, it's about an interesting comment that caught my eye: ...
posted @ Thursday, September 11, 2008 4:01 AM |
|
 |
There has been much fervor around the outages of cloud computing providers of late, which seems to be leading to an increased and perhaps unwarranted emphasis on SLAs the likes of which we haven't seen since...well, the last time IT saw outsourced anything reach the hype-level of cloud computing. Consider this snippet of goodness for a moment, and pay careful attention to the last paragraph. From Five Key Challenges of Enterprise Cloud Computing I won’t beat the dead “Gmail down, EC2 down, etc down” horse here. But the truth of the...
posted @ Wednesday, September 10, 2008 7:03 AM |
|
 |
We're virtually there! Figuratively speaking, of course. VMWorld kicks off Monday night, and F5 is just putting the finishing touches on everything we've got to bring along to the show (yes, that means trinkets, too). What the heck are we doing at a virtualization show? Pshaw. We've been in the business of network and server virtualization for ... well, forever. Hey, 12 years is forever in this industry, isn't it? We'll be doing a cool demo with BIG-IP GTM in the B-Hive demo, where we'll demonstrate global load sharing between virtual data centers, and Trace|3...
posted @ Wednesday, September 10, 2008 4:18 AM |
|
 |
David Linthicum of Real World SOA asks whether SOA governance should be delivered as a service, from the cloud. Core to this proposition is the use of a registry/repository in the cloud: This repository would provide more than just WSDL, but a complete design time and runtime SOA governance system delivered out of the cloud, perhaps linked with a local slave repository within your firewall. One of the problems with this, I see, is that in a SOA where governance is actively used and policies enforced, governance becomes crucial to...
posted @ Tuesday, September 09, 2008 4:17 AM |
|
 |
We used to spend a lot of cycles worrying about detecting user agents (i.e. browser) and redirecting clients to the pages written specifically for that browser. You know, back when browser incompatibility was a way of life. Yesterday. Compatibility is still an issue, but most web developers are either using third-party JavaScript libraries to handle detection and incompatibility issues or don't use those particular features that cause problems. One thing still seen at times, however, is the "choose high bandwidth or low bandwidth" entry pages, particularly on sites laden with streaming video and audio, whose...
posted @ Tuesday, September 09, 2008 3:31 AM |
|
 |
Developers have an almost supernatural ability to work around restrictions, even though some of the restrictions on building applications delivered via the web have been akin to kryptonite. Like Superman fighting through the debilitating effects of the imaginary mineral, they've gotten around those restrictions by coming up with ways to implement functionality and improve the behavior of browsers and thus web applications anyway. The first greatest hack was giving HTTP state. The second? Cookie-based persistence. The third? The CNAME trick. THE PROBLEM The reason the "CNAME trick" came about was a limitation on browser connections...
posted @ Monday, September 08, 2008 4:13 AM |
|
 |
For those of you unfamiliar with the idiom, it should be taken to mean "benefiting one at the expense of another." In this case, Paul is the end-user and Peter is the server administrator. Or better yet, Paul is the browser and Peter is the server. All web browsers, including IE (Internet Explorer), impose a per-server connection limit intended to reduce overload on servers. This was introduced back when the web was exploding and browsers opened up connections willy-nilly and made server operators cry. Often. The limitation imposed by IE (two connections per host) was harsher...
posted @ Friday, September 05, 2008 4:19 AM |
|
 |
Jeremiah Owyang, Senior Analyst, Social Computing, Forrester Research, tweeted recently on the subject of Chrome, Google's new open source browser. Jeremiah postulates: Chrome is a nod to the future, the address bar is really a search bar. URLs will be an anachronism. That's an interesting prediction, predicated on the ability of a browser to translate search terms into destinations on the Internet. Farfetched? Not at all. After all, there already exists a layer of obfuscation between a URL and an Internet destination; one that translates host names into IP addresses,...
posted @ Thursday, September 04, 2008 4:52 AM |
|
 |
My brother sent over a question to Don and me on a coding problem he's having. Yes, most of my family members are geeks, thank you. You can probably blame that on my COBOL-coding mother. In any case, his signature always contains this lovely quote from Brian Kernighan: Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it. That got me thinking about network topology and...
posted @ Wednesday, September 03, 2008 9:28 AM |
|
 |
The cloud computing craze is leading to some interesting new terms. Cloudware and cloudbursting are two terms I particularly like for their ability to describe specific computing models based on cloud computing. Today we're going to look at cloudbursting, which is basically a new twist on an old concept. Cloudbursting appears to marry the traditional safe enterprise computing model with cloud computing; in essence, bursting into the cloud when necessary or using the cloud when additional compute resources are required temporarily. Jeff at Amazon Web Services Blog talks about the inception of this term as applied...
posted @ Wednesday, September 03, 2008 5:10 AM |
|
 |
In general, we talk a lot about the benefits of SOA in terms of agility, aligning IT with the business, and risk mitigation. Then we talk about WOA (web oriented architecture) separately from SOA (service oriented architecture) but go on to discuss how the two architectures can be blended to create a giant application architecture milkshake that not only tastes good, but looks good. AJAX (Asynchronous JavaScript and XML) gets lumped under the umbrella of "Web 2.0" technologies. It's neither WOA nor SOA, being capable of participating in both architectural models easily. Some might argue that AJAX, being...
posted @ Tuesday, September 02, 2008 3:50 AM |
|
 |
You walked past me again today without stopping. I remember when you used to stop and admire my glowing red ball every day. But that was back when I was brand new and you thought I was the center of your data center. I heard you talking to some friends about looking for a web acceleration solution yesterday. You were going to a meeting about it later that afternoon and you were so excited it was almost like old times, until you pointed me out on the way by and said, "Oh yeah, there's our load balancer." ...
posted @ Friday, August 29, 2008 4:05 AM |
|
 |
Elasticity (adj) the ability of a cloud computing environment to expand or contract automatically on-demand according to real-time computing needs One of the promises of an on-demand cloud computing environment (that's redundant, I think) is the ability to burst resources. Much in the same way that ISPs have long offered contracts that include the ability of the organization to exceed its allotted bandwidth for a fee, it is expected that cloud computing providers offer a mechanism for "bursting resources" that allows an organization to exceed its agreed upon resources for a fee, based on any number of factors such...
posted @ Thursday, August 28, 2008 7:04 AM |
|
 |
As I was reading the Internet this morning I happened across an article with "Tips for Optimizing Your WAN (Wide Area Network)" and I thought, "Huh. That's pretty ... generic." While the article uses SAP applications as an example, it speaks in terms of generalities. Selective ACKs, quality of service, data reduction techniques, and HTTP compression. That's when I said, "Whoop de doo." Really, these techniques have nothing to do with SAP and applications and everything to do with packets. Every WAN and acceleration solution can do this stuff. I'm not really picking...
posted @ Wednesday, August 27, 2008 5:14 AM |
|
 |
Don and I were discussing security as a service and, as usual, he spouted off some wisdom in the form of an analogy that was too good not to share. When you're walking down the street with your entourage and an angry, I mean really angry, man steps out in front of you with a lead pipe where should your bodyguard be? Yeah, that was my thought, too. He should be in front of me to stop the threat before I have to react. Even though the threat may not hit...
posted @ Tuesday, August 26, 2008 5:01 AM |
|
 |
No, it's not this one. It's not even mine. It's this one on High Scalability written by Todd Hoff. Not only does he explain latency and its sources, but its costs. Then he goes on to offer a plethora of ways to reduce latency. A couple of suggestions he offers are: Use a TCP Offload Engine (TOE). TOE tech offloads the TCP/IP stack from the main CPU and puts it on the network controller. This means network adapters can respond faster which means faster end-to-end communication. Network adapters respond faster because bus...
posted @ Monday, August 25, 2008 8:49 AM |
|
 |
David Bressler of Progress Software, which acquired SOA vendor Actional in January 2006, wrote a very thought-provoking post on marketing that really ended up being a post about SOA and where Progress fits into the "SOA continuum". He raises some questions, and problems, with SOA and product categories that tie in nicely with an excellent blog post on the subject Todd Biske wrote a while back containing some concepts that he presented at Burton's Catalyst 2006. One of the confusing things about any market is the wide variety of names used to describe the products and solutions that...
posted @ Monday, August 25, 2008 7:40 AM |
|
 |
Greg Ferro over at My Etherealmind has a, for lack of a better word, interesting entry in his Network Dictionary on the term "Application Delivery Controller."
He says:
Application Delivery Controller (ADC) - Historically known as a “load balancer”, until someone put a shiny chrome exhaust and new buttons on it and so it needed a new marketing name.
However, the Web Application Firewall and Application Acceleration / Optimisation that are in most ADC are not really load balancing so maybe its alright.
Feel free to call it a load balancer when the sales rep is on the ground, guaranteed to...
posted @ Friday, August 22, 2008 4:49 AM |
|
 |
My son was bemoaning the fact that while his WoW (World of Warcraft, a.k.a. Digital Crack) character has "epic" shoulders (that still cracks me up), he's still wearing green shoes. Of course I asked what that meant because he made "green shoes" sound like some kind of digital disease. Apparently in WoW (I am a gamer, but I stick to table-top games. MMORPGs hold little fascination for me) the power and effectiveness of items are represented by color. Green shoes are magical, but they're only one step away from "the shoes you left home to...
posted @ Wednesday, August 20, 2008 4:31 AM |
|
 |
Abhik, in a reply to "Why can't clouds be inside (the data center)?" says that "the whole point (and primary benefit) of cloud computing is that someone else manages the computing resources. That set of resources is drawn as a cloud in a network diagram because you, the developer or the company using cloud resources, neither knows or cares to know the specifics of the computing infrastructure. An in-house cloud would require procurement, management, maintenance and continuous cost even during idle time -- it is just a grid."
Is it? Is that the primary reason enterprises might be considering cloud computing?...
posted @ Wednesday, August 20, 2008 3:46 AM |
|
 |
Ken Oestreich of the Fountainhead blog has an interesting take on cloud computing. Ken cites many examples of cloud computing experts who essentially claim that cloud computing cannot be done "inside" the data center. Then he postulates that yes, yes in fact it can. In general, I agree with Ken's assessment. A CRM (Customer Relationship Management) system is still a CRM whether it's hosted inside the data center or remotely by a SaaS (Software as a Service) provider. Similarly, a cloud is still a cloud regardless of whether it's implemented in someone else's data center, such as Amazon,...
posted @ Tuesday, August 19, 2008 9:40 AM |
|
 |
One of the "real world" lessons rarely taught in the university setting is that in the "real world" you're going to have to follow coding standards. Back in the day, when I was allowed to code, I often railed against some of those coding standards on the basis that they impaired application performance. Anyone with a firm grounding in computer science knows that the introduction of a local scope necessarily means more work (and thus memory and cycles consumed) to set up the stack: copying variables, pushing parameters, etc... That means that a conditional statement with just one...
posted @ Tuesday, August 19, 2008 5:29 AM |
|
 |
An interesting InformationWeek article asks whether SOA intermediaries such as "enterprise service bus, design-time governance, runtime management, and XML security gateways" are required for an effective SOA. It further posits that SOA governance is a must for any successful SOA initiative. As usual, the report (offered free courtesy of IBM), focuses on SOA infrastructure that while certainly fitting into the categories of SOA intermediary and governance does very little to assure stability and reliability of those rich Internet applications and composite mashups being built atop the corporate SOA. Effective SOA Requires Intermediaries via InformationWeek ...
posted @ Monday, August 18, 2008 5:00 AM |
|
 |
Green IT is a fairly well hyped topic at the moment. While the term may be seen as hype, there are tangible benefits to employing green tactics within IT. Even research firm Gartner sees it as one of the hyped technologies organizations can use now to see real benefits. Jackie Fenn, vice-president and Gartner Fellow on green IT via The Standard Another set of technologies that's benefit to companies now is green IT, which is valuable in more ways than one, Fenn said. "The happy...
posted @ Friday, August 15, 2008 5:32 AM |
|
 |
SC Magazine reports that (1) cloud computing environments may not be very secure and (2) a VPN can improve the security of cloud computing environments. Countering cloud computing threats via SC Magazine Technology such as two-factor authentication systems, when married to encrypted VPN connections, can secure an internet connection into a cloud computing-based service. That's the verdict from the Information Systems Audit and Control Association (ISACA), which concludes that using such techniques would tend to make interception of files and transmissions almost impossible. Sarb Sembhi, president of the...
posted @ Thursday, August 14, 2008 8:43 AM |
|
 |
As a child of the 80s I lived under an umbrella of fear surrounding nuclear everything. Living fairly close to a nuclear power plant, we all heard the words "chain reaction" a lot, and though we didn't understand the science we did know that it was a Very Bad Thing™ and like children in the 60's we were taught to hide under a desk in the event of a catastrophe. Now, one of the benefits of SOA is reuse. Business services provide consistency across multiple applications when they are reused both for data and for processes. This is...
posted @ Thursday, August 14, 2008 3:32 AM |
|
 |
Nothing. At least not from an attacker's perspective. A blog is an individual content management system, requiring storage (either database or flat file) and the ability to write to that storage. Comments allow discussion but also require access to files and/or databases. It's an app, and that means it comes with all the baggage today's web applications necessarily come with: vulnerabilities. Those vulnerabilities are likely to become more visible as more organizations adopt blogging and other Web 2.0 applications in the next two years. Analyst firm Gartner recently highlighted 27 technologies in its 2008 Hype Cycle for...
posted @ Wednesday, August 13, 2008 3:35 AM |
|
 |
The debate on whether infrastructure devices, particularly those providing security, should fail open or closed is far from over. One of our field system engineers, Aidan Clark, has some thoughts on scenarios in which you should fail open, and provides some compelling arguments for his view point. He's graciously allowed me to post his thoughts as his response seems to be irritating the comment gremlins. The View from the Trenches Lori, Now you already know this, but other readers might not. My standard disclaimer first: I am an F5 employee. I...
posted @ Tuesday, August 12, 2008 7:25 AM |
|
 |
Modern load balancers (application delivery controllers) blend traditional load-balancing capabilities with advanced, application aware layer 7 switching to support the design of a highly scalable, optimized application delivery network. Here's the difference between the two technologies, and the benefits of combining the two into a single application delivery controller. LOAD BALANCING Load balancing is the process of balancing load (application requests) across a number of servers. The load balancer presents to the outside world a "virtual server" that accepts requests on behalf of a pool (also called a cluster or farm) of servers and distributes those requests...
posted @ Tuesday, August 12, 2008 4:44 AM |
|
 |
We all know that SOA stands for Service Oriented Architecture, right? Gaurav Sharma over at Infosys-Oracle has another definition of SOA and it really fits well with both the business and IT goals surrounding SOA. Gaurav redefines SOA as Scalable, Open, and Adaptable, and then walks through how Oracle solutions fit this definition. This actually makes a lot of sense, because open and adaptable are inexorably tied to SOA as an architectural methodology. SOA is built on open standards like SOAP, WSDL, and XML and its meta-data driven execution style is highly adaptable, making it flexible or, in...
posted @ Thursday, August 07, 2008 5:20 AM |
|
 |
No, that's not a typo. That's the reality of virtualization terminology today: a single term means multiple technology implementations. Server virtualization is used to describe at least two (and probably more) types of virtualization.
1. Server virtualization a la load balancing and application delivery
2. Server virtualization a la VMWare and Microsoft
Server virtualization as implemented by load balancers/application delivery controllers is a M:1 virtualization scheme. An application delivery controller like BIG-IP can make many servers look like one server, a virtual server. This type of server virtualization is used...
posted @ Thursday, August 07, 2008 4:14 AM |
|
 |
One of the most well-kept secrets in technology is the extensibility of HTTP. It's one of the reasons it became the de facto application transport protocol and it was instrumental in getting SOAP off the ground before SOAP 1.2 and WS-I Basic Profile made the requirement for the SOAP Action header obsolete. Web browsers aren't capable of adding custom HTTP headers on their own; that functionality comes from the use of client-side scripting languages such as JavaScript or VBScript. Other RIA (Rich Internet Applications) client platforms such as Adobe AIR and Flash are also capable of adding HTTP...
posted @ Wednesday, August 06, 2008 4:07 AM |
|
 |
Slashdot is discussing a recent rant about Mozilla Firefox 3's SSL policy regarding self-signed certificates. The rant claims that the policy is "bad for the web."
Nat Tuck Thu on Mozilla SSL policy bad for the Web
Mozilla Firefox 3 limits usable encrypted (SSL) web sites to those who are willing to pay money to one of their approved digital certificate vendors. This policy is bad for the web. Not only does it make users less secure overall by reducing the number of encrypted connections, it damages the basic principle of equality among web participants.
The problem...
posted @ Tuesday, August 05, 2008 10:59 AM |
|
 |
Who is responsible for security in the cloud? Let's say you just developed a web app through which customers can order widgets. You're pretty sure your widgets are going to be the hit of the year and you want to make sure that you don't suffer outages and performance issues like many retailers have in the past, especially around Black Friday. So you've decided to take advantage of the fact that a cloud computing provider can and will shoulder the responsibility for scaling your application even in the face of hundreds of thousands of customers knocking on your...
posted @ Tuesday, August 05, 2008 4:56 AM |
|
 |
Cloud computing promises customers the ability to deliver scalable applications on-demand without the overhead of a massive data center. The visibility - and flexibility as well as control - you have into and over the cloud computing environment depends on whether the provider you select offers an opaque or a transparent cloud computing environment.
OPAQUE CLOUD COMPUTING MODEL
In an opaque cloud computing model all details are hidden from the organization. The hardware and software infrastructure details are not necessarily known or controlled by the organization but are completely managed by the cloud computing provider. This allows for a completely...
posted @ Monday, August 04, 2008 5:04 AM |
|
 |
In reading through ZapThink's latest post regarding the "Great ESB Controversy of 2008" it occurred to me that it is quite possible, and probably likely, that the issue of ESB use primarily revolves around whether you're doing SEA or SOA. Yes, I know. You've never heard of "SEA" before. That's because I just made it up to describe the difference between a service-enabled architecture and a service-oriented architecture. And there is a difference. A SOA (service oriented architecture) implies that an architecture has been designed around the concept of services. A SEA (service enabled architecture) implies...
posted @ Friday, August 01, 2008 8:02 AM |
|
 |
An application delivery controller (ADC) essentially acts as a reverse proxy. That means that client requests interact with the ADC, and the ADC interacts with web and application servers on the client's behalf. This mediation offers the chance to implement acceleration, availability, and security features without requiring changes to existing applications. There are many, many more features in an ADC that provide significant value. These eight capabilities are the most commonly employed features in reverse-proxy application delivery solutions that provide immediate benefits to web applications, and all can be used without modifying applications or the servers on...
posted @ Friday, August 01, 2008 4:56 AM |
|
 |
Forrester Research recently conducted a survey on virtualization, citing server consolidation as one of the primary drivers behind the 73% of enterprises already implementing or planning to implement virtualization technology. But virtualization, particularly operating system virtualization, assumes you have additional cycles on servers to spare. In some cases, that's just not true. Your application servers are working as hard as they can to serve up your applications and virtualizing them isn't going to change that fact. But application acceleration technologies can change that, and offer you the chance to consolidate servers. I know that sounds crazy. How can...
posted @ Thursday, July 31, 2008 5:49 AM |
|
 |
Alistair Croll has a great post on GIGAOM discussing how networking vendors will need to change in order to support a cloud computing infrastructure. He outlines two options for networking vendors that will keep them relevant in a cloud computing environment. In option number one he postulates that virtual appliances are the way to go, that the "pendulum swings back to software". Option number two revolves around sales strategy, and he suggests that networking vendors will need to sell to the providers of the cloud. That makes sense to me. If you want to be a...
posted @ Wednesday, July 30, 2008 5:11 AM |
|
 |
Gartner has released its much anticipated (well, much anticipated if you're in the application delivery controller space) 2008 Application Delivery Controller Magic Quadrant. The interesting thing that happened is that for the first time in many years there were no new vendors added, but six vendors have been dropped, largely due to either not meeting new revenue requirements (2% of the total ADC market in 2007) or, in the case of Juniper, the abandonment of its application delivery controller line (the DX it acquired from Redline Networks a few years back). That narrows down the serious contenders in...
posted @ Tuesday, July 29, 2008 3:09 PM |
|
 |
I read with interest an article on port knocking as a mechanism for securing SOA services on CIO.com. If you aren't familiar with port knocking (I wasn't) then you'll find it somewhat interesting: From Nicholas Petreley's "There is More to SOA Security Than Authorization and Authentication" For the sake of argument, let's say you have an SOA server component for your custom client software that uses port 4000. Port knocking can close off port 4000 (and every other port) to anyone who doesn't know the "secret method" for opening it. Any cracker who scans your...
posted @ Tuesday, July 29, 2008 9:21 AM |
|
 |
Outside of the technology world a lot of products are billed as "one size fits all". Anyone who's purchased such a product generally knows, no, no they don't. They're close, but never a truly good fit. Inside the technology world we know better. Software and solutions are never a "one size fits all" proposition, that's why so many business software solutions are "customizable": ERP (enterprise resource planning), CRM (customer relationship management), workflow, automation, and portals. Just about every software solution you can purchase these days takes a customizable approach to actually meeting the needs of the business. ...
posted @ Monday, July 28, 2008 6:46 AM |
|
 |
I'm going to give you an engine low to the ground. An extra-big oil pan that'll cut the wind underneath you. That'll give you more horsepower. I'll give you a fuel line that'll hold an extra gallon of gas. I'll shave half an inch off you and shape you like a bullet. When I get you primed, painted and weighed... ...
posted @ Friday, July 25, 2008 11:30 AM |
|
 |
IPv6 was supposed to eliminate NAT (Network Address Translation). But in order to make the transition from IPv4 reasonable and less painful, it's being added to IPv6. Its intended use in being included in IPv6 is to create gateways that bridge between IPv6 and IPv4 while the transition occurs. The IETF is not thrilled however. Its description of how it feels about NAT and the necessity to include it make it sound like school-children forced to allow that kid to play in their game of kickball. And then they put him in far right field. And I mean...
posted @ Friday, July 25, 2008 4:14 AM |
|
 |
There is an interesting war being fought in the blogosphere over the use (or overuse) of ESB (enterprise service buses) to build out a SOA (service oriented architecture). It certainly appears that Dave Linthicum is taking on the role of Leonidas and the Spartans at the battle of Thermopylae while everyone else is on the side of Xerxes and the Persians. Dave is defending his view that ESBs are overused and often, apparently, misused against a host of ESB and SOA focused bloggers like Joe McKendrick and Jeff Schneider. But everyone is talking in abstractions, and...
posted @ Thursday, July 24, 2008 5:35 AM |
|
 |
Apache is a great web server if for no other reason than it offers more flexibility through modules than just about any other web server. You can plug-in all sorts of modules to enhance the functionality of Apache.
But as I often say, just because you can doesn't mean you should.
One of the modules you can install is mod_security. If you aren't familiar with mod_security, essentially it's a "roll your own" web application firewall plug-in for the Apache web server.
Some of the security functions you can implement via mod_security are:
Simple filtering
...
posted @ Wednesday, July 23, 2008 5:53 AM |
|
 |
Of all the reasons you need an application delivery controller capable of bi-directional inspection of application data this is one of the best. I was trying to check out the results of a poll on PollDaddy.com and ended up with this beautiful Microsoft .NET error page, filled with so much valuable information that potential attackers must even now be laughing in that "evil genius" laugh you so often hear in retro-cartoons. This error page tells me so many things about the application, its environment, and its associated infrastructure that it should be a crime to let this information...
posted @ Tuesday, July 22, 2008 8:46 AM |
|
 |
I do an awful lot of talking about SOA: problems, challenges, concepts, solutions, security, products. But I don't often present "the big picture", and certainly rarely discuss how F5 and SOA go together like ice-cream and pretzels. I know, that isn't a traditional simile, but if you've ever tried hot pretzels and ice-cream you might agree with me in saying that while they don't sound like they go together they really do, and they do so well. It's also applicable because when you think of ice-cream you don't immediately think of pretzels, and I'm fairly certain...
posted @ Tuesday, July 22, 2008 4:17 AM |
|
 |
There is a lot of hype around all types of virtualization today, with one of the primary drivers often cited being a reduction in management costs. I was pondering whether or not that hype was true, given the amount of work that goes into setting up not only the virtual image, but the infrastructure necessary to properly deliver the images and the applications they contain. We've been using imaging technology for a long time, especially in lab and testing environments. It made sense then because a lot of work goes into setting up a server and...
posted @ Monday, July 21, 2008 4:33 AM |
|
 |
I ran across an interesting site containing an algorithm that predicts your sex based on browser history. This algorithm uses demographics from popular sites, determines which popular sites you have visited by digging through your browser history, and then predicts what gender you are based on your browsing habits. This algorithm sounds a lot like an adaptation of the Turing Test. But instead of predicting which of two participants in the test is human, this one predicts what gender they are. The Turing Test has long been the standard for judging the intelligence of a computer system, even...
posted @ Friday, July 18, 2008 5:11 AM |
|
 |
With more and more focus on cloud computing one theme seems to be running consistently: the "cloud" is public, and anyone who claims to be building a "private" cloud, a.k.a. mini-cloud or enterprise cloud, is just doing it wrong. John Foley @ InformationWeek has it mostly right when he says that what's important is the technology.
The Rise of Enterprise-Class Cloud Computing
That's an oxymoron since cloud computing, by definition, happens outside of the corporate data center, but it's the technology that's important here, not the semantics. [emphasis added] ...
posted @ Thursday, July 17, 2008 5:49 AM |
|
 |
No one questions the need to secure applications today, we just argue over how we should do it. Let's take a break for a minute from that debate to ensure that we don't get so focused on layer 7 (application) that we forget about the rest of the stack and the importance of securing it as well. Just as a chain is only as strong as its weakest link, an application is only as secured as its most vulnerable layer in the stack. If your application is well secured, but the network layer (IP) is wide...
posted @ Wednesday, July 16, 2008 8:24 AM |
|
 |
Cisco CEO John Chambers recently announced that the slowdown in corporate IT spending will continue until 2009.
NEW YORK (Fortune) -- Cisco chief John Chambers has some bad news for the technology sector: He no longer expects the recent slowdown in tech spending to pick up until next year at the earliest.
IT is still spending dollars, but not as freely as in past years. In a constrained budgetary environment, IT now has to ask the question, "What's going to give me the best bang for my buck?" ...
posted @ Tuesday, July 15, 2008 5:16 AM |
|
 |
Neil McAllister @ InfoWorld has a great blog post on The Web development skills crisis. He postulates that "The most agile developers, however, are those who approach programming with a firm grounding in computer science."
Amen, brother. Say it again, only this time loud enough my son hears you.
The basic premise of Neil's post revolves around the frenetic rate at which programming technology is changing. It isn't just languages, though that is certainly part of the mix, it's also the increasing number of libraries and frameworks from which web developers can choose to develop web applications.
In order to...
posted @ Monday, July 14, 2008 8:31 AM |
|
 |
The increasing webification of applications both for external and internal consumption, combined with the concept of outsourced data centers and applications, i.e. cloud computing and Software as a Service (SaaS), may result in a perfect storm for proponents of telecommuting.
Consider the scenario: A small to medium organization needs more horsepower but it really doesn't have the budget yet to build out its own enterprise-class data center. Cloud computing offers an off-site, managed data-center that can be used to deploy applications for use by both external and internal constituents. Take advantage of SaaS offerings such as those from Salesforce.com and you've...
posted @ Monday, July 14, 2008 5:15 AM |
|
 |
The English language is one of the most expressive, and confusing, in existence. Words can have different meaning based not only on context, but on placement within a given sentence. Add in the twists that come from technical jargon and suddenly you've got words meaning completely different things. This is evident in the use of persistent and persistence. While the conceptual basis of persistence and persistent are essentially the same, in reality they refer to two different technical concepts. Both persistent and persistence relate to the handling of connections. The former is often used as a general...
posted @ Friday, July 11, 2008 5:12 AM |
|
 |
Cloud computing is, at its core, about delivering applications or services in an on-demand environment. Cloud computing providers will need to support hundreds of thousands of users and applications/services and ensure that they are fast, secure, and available. In order to accomplish this goal, they'll need to build a dynamic, intelligent infrastructure with four core properties in mind: transparency, scalability, monitoring/management, and security.
Transparency
One of the premises of Cloud Computing is that services are delivered transparently regardless of the physical implementation within the "cloud". Transparency is one of the foundational concepts of cloud computing, in that the actual implementation of...
posted @ Thursday, July 10, 2008 5:45 AM |
|
 |
Keynote, well known for its application performance testing and monitoring services, just announced a new version of its KITE (Keynote Internet Testing Environment) that is now capable of testing Web 2.0 sites that make use of AJAX, Flash, and other "hidden" methods of obtaining content. Announcement of KITE 2 Performance testing dynamic and HTML websites is now a fairly straightforward process, however the rise of Web 2.0 sites that don’t rely on clicking to reveal another new page have been almost impossible to test. However Keynote has now developed a scripted system that allows you to...
posted @ Wednesday, July 09, 2008 5:06 AM |
|
 |
CNet is reporting that Google is ditching XML for a faster, more compact alternative known as ProtocolBuffers. I'm going to type this post really fast before Don finds out and starts laughing at me because he's always had this thing against XML, claiming it was too bloated and slow. Apparently Google, the 800-pound gorilla, is on Don's side of this argument, as it just blogged about its newest creation, ProtocolBuffers.
From CNet's Blog Post
Google thought of using XML as a lingua franca to send messages between its different servers. But XML can be complicated to work with...
posted @ Wednesday, July 09, 2008 4:31 AM |
|
 |
Not all DoS (Denial of Service) attacks are the same. While the end result is to consume as much - hopefully all - of a server or site's resources such that legitimate users are denied service (hence the name) there is a subtle difference in how these attacks are perpetrated that makes one easier to stop than the other.
SYN Flood
A Layer 4 DoS attack is often referred to as a SYN flood. It works at the transport protocol (TCP) layer. A TCP connection is established in what is known as a 3-way handshake. The client...
posted @ Tuesday, July 08, 2008 4:31 AM |
|
 |
After reading this discussion on Slashdot regarding an anti-virus agent pretending to be Internet Explorer and flooding sites with requests I waited to see a response come from an Apache fan on using mod_rewrite to detect and stop the flood of useless traffic coming from these robots. It was sure to come, particularly after the first post in the discussion pointed out how to use an iRule to detect and "nuke from orbit" these nasty little requests. I was not disappointed. It's not the case that the solution won't work. It will, and it's certainly a viable solution....
posted @ Monday, July 07, 2008 6:18 AM |
|
 |
I read a very nice blog post yesterday discussing some of the traditional pros and cons of load-balancing configurations. The author comes to the conclusion that if you can use direct server return, you should. I agree with the author's list of pros and cons; DSR is the least intrusive method of deploying a load-balancer in terms of network configuration. But there are quite a few disadvantages missing from the author's list.
Author's List of Disadvantages of DSR
The disadvantages of Direct Routing are:
Backend server...
posted @ Thursday, July 03, 2008 4:29 AM |
|
 |
Bob owns a widget shop. Now this widget shop is not your ordinary widget shop, because the widgets are made from Swarovski crystal. Very expensive stuff. Bob is aware that losing any number of his widgets would be financially devastating, and the negative press he'd receive would darken his shop's reputation. So he's invested in a very modern physical security system that utilizes electronic locks on all the doors, and includes all the newest laser motion detection technology. It's further connected to a monitoring service just in case, so he'll know if security has been breached and can...
posted @ Wednesday, July 02, 2008 4:58 AM |
|
 |
Web 2.0 is built primarily on two technologies: AJAX and RSS. AJAX is used to develop interactive, real-time applications while RSS is primarily used for integration and syndication. Import a feed, share a feed, drag-n-drop a gadget, widget, or component. It's all RSS (XML) today. It's further becoming a requirement of Web 2.0 sites that they provide some sort of API through which developers can write add-on applications. Twitter, Tumblr, Facebook. They all offer APIs that are quite heavily used at this time and startups are following suit. Other sites offer richer media, like video or slideware,...
posted @ Tuesday, July 01, 2008 4:53 AM |
|
 |
This past week there's been some interesting commentary regarding Twitter's change to its API request throttling feature. Request throttling, often used as a method to ensure QoS (Quality of Service) for a variety of network and application uses, is used by Twitter as an attempt to not overwhelm the system such that they are forced to display the now (in)famous Twitter fail whale image. One of the things you can do with a BIG-IP Local Traffic Manager (LTM) and iRules is request throttling. Why would you want to let a mediating device like an application delivery controller control...
posted @ Monday, June 30, 2008 3:43 AM |
|
 |
Been wondering what the impact of Web 2.0 on the network might be? Click on over to this Articulate presentation and find out! You'll discover how Web 2.0 applications and its associated technologies affect the network, and what you can do about it.
posted @ Friday, June 27, 2008 10:01 AM |
|
 |
If you prefer, you can listen to the audio as a podcast.
posted @ Friday, June 27, 2008 9:57 AM |
|
 |
One of the premises of a greener IT is to reduce the number of servers necessary while maintaining performance levels and meeting capacity needs.
Chances are that many of the HTTP requests received that result in a 404 (not found) message are typos, bots, or bad guys attempting to find a way into your web applications. The thing is that the server must respond to these requests, and it often requires some disk I/O to discover the file doesn't exist. That's expensive in terms of resources and can increase the total power consumption of your servers.
If you're finding enough...
posted @ Friday, June 27, 2008 4:06 AM |
|
 |
One of Dre's reasons (#7 to be exact) to wait on Web Application Firewalls (WAFs) involves the use of WAFs at notable sites that have been breached. Dre says:
7. Every organization that has installed a blocking WAF has also been in the media for known, active XSS and/or SQL injection
I'm assuming that what Dre really meant with this one was that every organization in the media known for being breached has also had a blocking WAF deployed, not that every organization with a blocking WAF has been breached. If I'm...
posted @ Thursday, June 26, 2008 3:41 AM |
|
 |
Back in the "winter review from hell" I installed, configured, integrated, orchestrated, tested, and evaluated eight separate ESB (enterprise service bus) products for Network Computing Magazine. Yes, I was a busy gal. I've tested some difficult products in the past, but nothing - not even CRM suites - compared to this review. One of those products was Progress Software's Sonic ESB. One of them was not IONA's Artix. That was because IONA's Artix was just preparing to make its entry into the ESB market, while the Sonic ESB was already well-established, like its competitors. Throughout the...
posted @ Wednesday, June 25, 2008 1:33 PM |
|
 |
Andre Gironda (Dre) has declared war on WAF (Web Application Firewalls). I found his attack on WAFs a bit amusing because the belief that secure coding will take care of all web application vulnerabilities is quite utopian, and thus more compatible with a more passive-aggressive strategy and not a frontal assault with a war-declaring-gut-stomping-heated list of reasons to discount a technological solution to the problem of web application threat defense. Today I'm going to focus on reason #2, because I don't believe it's peculiar to WAFs at all. The "number 2" reason to wait on WAFs, according...
posted @ Wednesday, June 25, 2008 5:18 AM |
|
 |
Multi-tenant applications are extremely popular in the SaaS (Software as a Service) world. Almost all SaaS delivered CRM (Customer Relationship Manager) and SFA (Sales Force Automation) applications are necessarily multi-tenant. These applications use a meta-data driven model to enable the customization of applications on a per customer basis. This allows the provider to deploy a single application to scale vertically, supporting a wide variety of industries with a single code base. In order to scale horizontally, however, it is necessary to deploy multiple instances of that single code base. To enable a scalable architecture to properly support (hopefully)...
posted @ Tuesday, June 24, 2008 5:35 AM |
|
 |
One of the primary tenets of environmentalism is that we ought to minimize waste. When we apply these concepts to "green" computing initiatives, we often translate that to mean we need to waste fewer resources - RAM, CPU, and storage. A golden rule of IT over the past decade was to not run critical infrastructure past an acceptable point of resource usage, usually somewhere between 60 and 70 percent of CPU utilization. Green IT, however, tells us that we ought to push that limit further and stop wasting those resources. Whether we achieve more efficient use of those...
posted @ Monday, June 23, 2008 10:53 AM |
|
 |
Remember way back when we talked about dynamically updating a WSDL to present the appropriate endpoint when being delivered through a BIG-IP? You may recall the basic problem: automatically generated WSDL docs contain the local web/application server's IP address/FQDN as the endpoint and not the IP address/FQDN of the BIG-IP, leaving clients with a non-reachable service endpoint. Since that original blog post, a couple of users have asked for the appropriate iRule to dynamically update those auto-generated WSDL docs. Colin was kind enough to code up just such an iRule, and wrap it up with some...
posted @ Monday, June 23, 2008 5:52 AM |
|
 |
The good folks at Verizon Business who recently released their 2008 Data Breach Investigations Report sounded almost surprised by the discovery that "Intrusion attempts targeted the application layer more than the operating system and less than a quarter of attacks exploited vulnerabilities. Ninety percent of known vulnerabilities exploited by these attacks had patches available for at least six months prior to the breach." This led the researchers to conclude that "For the overwhelming majority of attacks exploiting known vulnerabilities, the patch had been available for months prior to the breach. [...] Also worthy of mention is that no...
posted @ Thursday, June 19, 2008 5:24 AM |
|
 |
Verizon Business recently released its 2008 Data Breach Investigations Report, covering more than 500 different security breach incidents occurring in the past four years. It's a fascinating read and should be mandatory for business and IT professionals alike. The report should be of assistance to those attempting to decide whether to comply with requirement 6.6 of PCI DSS by deploying an application firewall or engaging in code reviews. The answer? Both are necessary; not because the standard requires both, but because employing both will provide the best coverage across a varied set of attacks. Verizon's report indicates that...
posted @ Thursday, June 19, 2008 4:08 AM |
|
 |
Application delivery controllers, and load balancing in general, are often seen as solutions waiting for a problem to solve. We know what those problems are, but until we experience them we often don't feel a sense of urgency in acquiring and deploying an application delivery controller. While it's certainly true that an application delivery controller can solve many problems that arise, it's also true that there are benefits to acquiring and deploying an application delivery controller before it becomes absolutely necessary in order to save your application, your site, or your job. So here are six...
posted @ Wednesday, June 18, 2008 7:59 AM |
|
 |
Several years ago it became necessary for browsers to put limitations on the number of simultaneous connections allowed not only to be open, but how many of those could be open to a single domain. This helped prevent unintentional (and, in some cases, intentional) denial of service situations where a site's poor web server just couldn't keep up with the demand. After all, managing TCP/IP connections is expensive and if one user hogs all the available connections (as determined by web server configuration and RAM) there may be hundreds of users out there that are denied access to the latest...
posted @ Tuesday, June 17, 2008 8:00 AM |
|
 |
One of the most basic attacks against data-driven sites generated dynamically through scripting languages like PHP and ASP is to use the weaknesses of the language against the developer. Attacks against sites that make use of scripting languages often attempt to exploit system level calls that can lead to all sorts of nastiness with very little work on the part of the attacker. One of the ways to guard against this is to write secure code, of course, but we all know that we can only code against known attacks. The unknown is something we just...
posted @ Monday, June 16, 2008 7:46 AM |
|
 |
Yes, I've got gaming on the brain after this month's release of the latest edition of D&D and a weekend with friends "geeking" out with polyhedral dice and imaginary monsters. You might recall that Don stood in line at midnight earlier this month to pick up our copy of the newest (4th) edition of Dungeons & Dragons (D&D). Since then we've been dissecting the game, noting its similarities and differences from earlier versions. Bemoaning the loss of some features while nodding our heads appreciatively at some of the other changes. It took me most of...
posted @ Monday, June 16, 2008 5:44 AM |
|
 |
Apparently quite a bit if it can be turned into an acronym... Quick. Say the acronym "ROC" out loud. Now choose the picture that immediately came to your mind. A B ...
posted @ Thursday, June 12, 2008 4:48 AM |
|
 |
Kevin Saitta, a solution consultant, has a nice blog post on architecting a Microsoft BizTalk 2006 R2 solution. Unfortunately, amidst the goodness is a statement regarding load balancers that needs to be corrected. Kevin is not alone in his beliefs regarding load balancers; unfortunately, I've seen a lot of posts lately that seem to indicate that folks out there still have a circa 1999 knowledge set regarding the capabilities of load balancers. Kevin writes:
Load Balancer
A load balancer balances the load between servers, but more importantly, if one server...
posted @ Wednesday, June 11, 2008 5:12 AM |
|
 |
Everyone's now familiar with last week's Amazon outage; it's been all over the web. Amazon is still not detailing what went wrong, but lots of folks are speculating on the reasons for the failure. Alistair Croll over at gigaom had a nice recap of the recent Amazon outage, including a list of facts and what we can deduce from them, and the rumor mill is, of course, churning away with fantastic stories of what went wrong. Rather than add to the speculation on the reasons behind Amazon's outage - because we may never know the truth - it's a...
posted @ Tuesday, June 10, 2008 5:50 AM |
|
 |
I've been cruising around trying to understand Microsoft's Silverlight platform, after a post on Slashdot regarding ARAX (Asynchronous Ruby and XML) and the possibility (or is it probability) that developers will be able to natively use Ruby on the desktop rather than translating their Ruby code into JavaScript. After ending up at the developer documentation I finally "get" it.
From "Getting Started with Silverlight"
XAML is a declarative markup language that you can use to define the UI elements for your Silverlight-based application. When you create a new Visual Studio project, a Page.xaml file is created...
posted @ Monday, June 09, 2008 6:55 AM |
|
 |
In an interesting, if not annoying to those affected, situation it appears that Windows XP SP3 has been named the culprit in a string of broadband router crashes and reboots. This is obviously causing a great deal of stress to those affected, who must certainly find it difficult to obtain the necessary firmware upgrades released by the router manufacturer without access to the Internet. Dan Warne writes: Broadband modem/router maker Billion says XP SP3 has been causing its BiPAC 5200-series routers to go into a constant crash and reboot cycle. ...
posted @ Monday, June 09, 2008 5:08 AM |
|
 |
In researching the MySpace deprecated API exploit I came across the details on MySpace's REST (Representational State Transfer) API. I'm going to ignore the debate surrounding the definition of "high REST" versus "low REST" and concentrate on the bridging aspect, as it's something I've already touched on and find to be of more value than worrying over what it's called or whether it's a standard or whatever else might be the focus of these arguments. You may recall that part of the problem with a true REST implementation is that many browsers do not support PUT and DELETE....
posted @ Friday, June 06, 2008 9:02 AM |
|
 |
Someone's been playing with the MySpace APIs and found a way to exploit some deprecated [according to MySpace] services through which "private" photos suddenly became public. Jeremiah Grossman, chief technology officer at White Hat Security, a Web application security company, attributed it to "insufficient authorization," which he said are common on all types of Web sites, not just social-networking sites. Jeremiah's explanation is evident if you walk through the details of the exploit. You must authenticate to MySpace by logging in - it's the authorization to view the private photos that was completely broken. ...
posted @ Thursday, June 05, 2008 7:44 AM |
|
 |
"@blahblah Can't twitter from work :-("
From some of the tweets on twitter it appears that some organizations are blocking the strangely popular and addictive social networking site. Even Don has expressed concern that "tweeting" could be dangerously distracting and decrease productivity, not to mention that tweeting during business hours costs the organization money. That led us to a conversation in which we tried to determine the financial cost to organizations of tweeting.
To do so, we have to make certain assumptions. Those assumptions are:
The average WPM typing speed of a twitterer: 70
...
posted @ Wednesday, June 04, 2008 8:21 AM |
|
 |
At some point (you hope!) it becomes necessary to implement load-balancing for your applications. So you went out and got one, either from a hardware vendor or maybe downloaded a solution, and put it into place. Now you're ready to go, right? Maybe not just yet. Do your applications require persistence? Yes? You did remember to validate that your solution is capable of performing persistence-based load-balancing, didn't you? If you're shaking your head wondering why this application thing is important to load balancing, read on. Persistence is one of the best examples of why it's so...
posted @ Wednesday, June 04, 2008 4:50 AM |
|
 |
I was out trying to trim the hedges the other day, and doing...poorly. I tried, I really did, to make them as neat as the guys I hired last year, but alas, I just couldn't. Oh, it's "good enough", that's for sure, but it isn't as good as it could be. And when I went to clean up the landscaping - picking up small pieces of hedges and leaves - I couldn't help but think that those guys had some kind of secrets to doing this much more efficiently than I. Which got me thinking about application networking....
posted @ Tuesday, June 03, 2008 6:35 AM |
|
 |
Understanding Internal and External PR
One of the first things to learn about press relations is there are two types of PR folks: internal and external. Some companies, usually those who are very large, very popular, or just well established have both types of PR, like Oracle, Microsoft, and F5. Internal PR folks are employees of the company. They manage the relationship between you and corporate/product management, write the press releases you receive, approve interviews, and generally manage all press relations. External PR folks are employed by a PR firm, and retained by a...
posted @ Tuesday, June 03, 2008 6:05 AM |
|
 |
After a rather interesting exchange with Martin McKeay on the subject of NDAs and blogging, we tweeted some more on the subject. While I agree with Martin that bloggers and PR folks need to be educated on communicating with one another, I don't necessarily think it's the role of PR folks to be the educators of bloggers. The problem with that, of course, is where can bloggers go to educate themselves? In that respect, Martin's got a point - there's really no place for bloggers to "go" to learn the ins and outs of dealing with PR folks....
posted @ Tuesday, June 03, 2008 6:03 AM |
|
 |
An issue that often comes up for users of any full proxy-based product is that the original client IP address is often lost to the application or web server. This is because in a full proxy system there are two connections; one between the client and the proxy, and a second one between the proxy and the web server. Essentially, the web server sees the connection as coming from the proxy, not the client. Needless to say, this can cause problems if you want to know the IP address of the real client for logging, for troubleshooting, for...
posted @ Monday, June 02, 2008 4:20 AM |
|
 |
I read Robert McMillan's article on backscattering with great interest, primarily because my personal account has been a "bounceback" victim for the past couple of weeks. His article contains a great explanation of what backscatter is and why it happens; it's the kind of article I'd send to my friends who are asking about all the bouncebacks they're seeing these days.
What is backscatter?
backscatter -- bounceback messages from legitimate e-mail servers that have been fooled by the spammers.
Spammers like to put fake information in their e-mail messages in order to sneak them past e-mail filters....
posted @ Friday, May 30, 2008 4:52 AM |
|
 |
As an industry - both security and application delivery - we talk a lot about securing the application infrastructure (databases, web and application servers) by making sure that the data going into the applications is "clean". After all, we know that GIGO (Garbage In Garbage Out) is a true statement in terms of web applications and data. Unfortunately we tend to worry a lot more about the GI than the GO. While it's better for everyone to prevent that SQL injection or XSS attack from polluting our databases and potentially distributing malicious code to hundreds or thousands of...
posted @ Thursday, May 29, 2008 5:46 AM |
|
 |
After reading most of what's available on the Adobe Zero Day Exploit, and getting an idea of how it propagates (Flash and JavaScript inserted via an SQL injection attack), I turned to iRules guru Colin for some help crafting an iRule that might stop a site from serving up infected content to a user. This is particularly helpful for those who are running a BIG-IP but who aren't running a web application firewall like ASM (Application Security Manager) and may have been inadvertently infected.
After looking through the screen capture of some JavaScript that attempts to load the malware from...
posted @ Thursday, May 29, 2008 5:40 AM |
|
 |
Organizations trying to make their presence known on the Internet today run into an interesting dilemma - there's just not enough IP addresses to go around. Long gone are the days when any old organization could nab a huge chunk of a Class A or even Class B network. Today they're relegated to a small piece of a Class C, which is often barely enough to run their business. This is especially true for smaller businesses who are lucky if they can get a /29 at a reasonable rate. While we wait for IPv6 to be fully adopted...
posted @ Wednesday, May 28, 2008 6:38 AM |
|
 |
Individual servers in a farm may be expected to fail, but the site - that's a different story
Tom's Hardware has an interesting look at an architecture I'm going to call "built to fail". This architecture is focused on building a fault tolerant site, not necessarily a fault tolerant web application infrastructure. While the author of the article implies that this architecture is something new, it's really not except in the sense that today's Web 2.0 app providers might not care if a server is lost because it's cheap to replace while other, more cost conscious organizations...
posted @ Tuesday, May 27, 2008 5:00 AM |
|
 |
What, did you think I was kidding? Have a great weekend! Imbibing: Mountain Dew
posted @ Friday, May 23, 2008 8:37 AM |
|
 |
A recent article discussing the recent challenges to enterprise service bus (ESB) products by XML/SOA gateway products contained a sentence that I found extremely puzzling. Puzzling sentence ...the technology behind both solution-sets is based on deep XML packet visibility and manipulation capabilities. I know what the author was trying to say, but this sentence really is full of epic fail. "Packet" visibility is even more irrelevant to XML than it is for HTML or any other application layer protocol, for that matter. The problem with putting "XML" and "packet" together is...
posted @ Thursday, May 22, 2008 12:12 PM |
|
 |
With the deadline of June 2008 quickly approaching for retailers who need to be compliant with PCI DSS (Payment Card Industry Data Security Standard) there's a lot of focus in IT shops on requirement 6.6, the somewhat hotly debated requirement which states organizations must implement either a web application firewall or perform code reviews (and address vulnerabilities discovered) in order to be compliant with the standard and continue accepting credit cards. So much focus is on this standard and online retailers that it seems like the "bad guys" might consider other avenues of attack. Malicious code (malware) and...
posted @ Thursday, May 22, 2008 4:42 AM |
|
 |
When the OSI defined its model it included a transport layer which was supposed to handle end-to-end connections and address communication reliability. In the early days of the web HTTP sat at the application layer (layer 7) and rode atop TCP, its transport layer. An interesting thing happened on the way to the 21st century; HTTP became an application transport layer. Many web applications today use HTTP to transport other application protocols such as JSON and SOAP and RSS. Applications now "speak" using a variety of languages to communicate, but underlying them all is HTTP. This...
posted @ Wednesday, May 21, 2008 5:41 AM |
|
 |
If you've ever used the quite popular Prototype framework, you've noticed that there are some unique options available that are designed to help reduce the number of connections made to the server when automatically updating specific content. The decay rate in Prototype's PeriodicalUpdater is designed to help reduce the number of requests made to the server when content is not refreshing on every request. new Ajax.PeriodicalUpdater("content-id", "url", { frequency: 10, decay: 2, method: 'get' }); This code will start making a call to url and updating content-id every 10 seconds. If the content hasn't changed, decay will...
posted @ Tuesday, May 20, 2008 4:36 AM |
|
 |
This is an interesting little article on load balancing that's very close and yet very far from being completely accurate in today's world. Overall the author does a good job of hitting upon the basic concepts of load balancing, why it's important, and what some of the benefits are. But there's just one thing that I absolutely must address. Even distribution? Load balancing is the even distribution of computer processing and communication activities so that a server is not overwhelmed. Load balancing is especially important for networks where it is difficult to predict the number of...
posted @ Monday, May 19, 2008 9:43 AM |
|
 |
I recently made a passing remark about the value of being able to write the code for a linked list. The night before Don and I had been arguing with our oldest son about whether he should be using a stack or a linked list to implement a Java version of Freecell, hence data structures had been on my mind. Because he, like many college students (and graduates) today, hasn't had the proper instruction in the basics of these data structures he's somewhat at a loss to understand why a linked list is, in fact, a better solution...
posted @ Monday, May 19, 2008 4:53 AM |
|
 |
The role of "application delivery expert" is really coming into its own of late, along with the understanding that the traditional siloed approach to management of applications in IT no longer makes sense. TechTarget :: How networking professionals can prove their worth Jim Metzler [vice president of Ashton, Metzler & Associates] recently worked with NetQoS to survey more than 175 NOC and non-NOC IT professionals about how the evolving role of the NOC affects both network and IT professionals. Metzler moderated several sessions at Interop that had...
posted @ Wednesday, May 14, 2008 11:29 AM |
|
 |
According to a recent ComputerWorld article, most retailers aren't ready for the forthcoming June deadline for PCI DSS compliance. From ComputerWorld :: Few expected to make June 30 PCI deadline for Web application security Most retailers will not meet the June 30 deadline for complying with new Payment Card Industry Data Security Standard (PCI-DSS) requirements for securing web applications. Companies can achieve compliance with either a specialized firewall or web application software code review, which entails finding vulnerabilities and fixing them. Many retailers appear to be opting for firewalls, which are "quick fixes,"...
posted @ Wednesday, May 14, 2008 7:03 AM |
|
 |
At Web 2.0 Expo Microsoft essentially stole the show with the introduction of its Live Mesh platform. Live Mesh is, essentially, an integration hub that incorporates and manages Internet connected devices that today are unrelated and managed individually using open standards. Microsoft might not like the term "integration hub", but that's basically what it is. Yes, on the surface it's a platform that enables inter-device communication and seamless access to a variety of services, but under the hood it's got to be doing some pretty complex integration work. While Microsoft plans on using open standards, that doesn't mean...
posted @ Tuesday, May 13, 2008 7:06 AM |
|
 |
Anyone who's listened to Bob Rivers' Twisted The Twelve Pains of Christmas can probably relate to the angry husband screaming, "When one light goes out they all go out!" because, yeah, we've all been there. Imagine now, if you will, a data center. A data center filled with servers humming along, each running three or four applications in virtual machines a la VMware. Imagine now - it shouldn't be hard at all - that one of those servers suddenly just stops working. Let's say the drive crashes. After the blue smoke dissipates and the screams of...
posted @ Tuesday, May 13, 2008 6:07 AM |
|
 |
There's a lot of things that BIG-IP can do to improve the reliability, scalability, and performance of Web 2.0 applications. But there are always two sides to every story, and so it is with BIG-IP and Web 2.0, or specifically, AJAX. This latest article, Getting Started with iControl and AJAX, offers advice and code to get you started building a custom AJAX-based dashboard for BIG-IP. Imbibing: Coffee
posted @ Tuesday, May 13, 2008 5:05 AM |
|
 |
This is an interesting article from Network World about how CIOs in Australia and New Zealand perceive security as being easier than reducing costs. The IDC Annual Forecast for Management report surveyed 363 IT executives from Australia (254 respondents) and New Zealand (109 respondents) across industries including finance, distribution, leisure and the public sector. CIO Challenges ...
posted @ Friday, May 09, 2008 8:15 AM |
|
 |
Tech Republic blogger Toni Bowers discusses five high-tech skills that are waning as far as ability to command high salaries according to a recent Network World article. At the top of the list? HTML. Denise Dubie writes in the Network World article: As companies embrace Web 2.0 technologies such as AJAX, demand for skills in HTML programming are taking a back seat. According to Foote Partners, pay for skills in technologies such as Ajax and XML increased by 12.5% in the last six months of 2007, while IT managers say they don’t see a...
posted @ Friday, May 09, 2008 5:38 AM |
|
 |
File virtualization and storage are gaining a lot of mindshare lately, probably because the longer a business runs the more data they have to store. And with compliance regulations, sometimes that means not only more data to store (like all your e-mail) but storing it for a very long time. And then there's building out large farms of servers to support high volume sites. File virtualization makes a lot of sense when you're trying to manage large numbers of servers, especially if they're essentially clones. And let's not ignore the other kinds of...
posted @ Thursday, May 08, 2008 12:15 PM |
|
 |
With apologies to the writers of Amadeus MOZART [The fresh SOA Architect] But it's new, it's entirely new. It's so new, people will go mad for it. For example, I have an activity in the second step - it requires calls to two services in parallel. Then a third service is called to verify the name of the customer, and a fourth to perform some security checks. Then a logging service makes five and so on. On and on, six, seven, eight! How long do you think I can sustain that? ...
posted @ Thursday, May 08, 2008 10:56 AM |
|
 |
The Green Tech Blog on CNET News postulates that the next green trend will be to s l o w down the innertubes, or more accurately, the flow of data. Now that slow down is apparently measured in terms of milliseconds, and is "not enough for Web surfers to notice" according to researchers. But as we recently discussed, milliseconds at every hop can potentially add up to seconds, and seconds will certainly be noticeable by Web surfers - particularly those who might be engaged in sensitive financial transactions like selling and buying stocks. And we won't even discuss the...
posted @ Wednesday, May 07, 2008 11:04 AM |
|
 |
a.k.a The morning Lori was wrong I got an e-mail newsletter yesterday with a link to BEA's Virtualization TCO calculator. As my team is engaged in a lively debate regarding virtualization and its alleged benefits (you can tell which side of the fence I'm on at the moment) I visited the calculator to see what it would say. Then I sent the following results to the team, a smug smile on my face because the virtualized OS environment turned out to be more expensive than the non-virtualized environment. TCO Summary Non-Virtualized Virtualized OS...
posted @ Wednesday, May 07, 2008 7:29 AM |
|
 |
According to a recent CIO article and survey data, the top challenge to virtualization success today is balancing server workloads and maintaining application service levels. That makes sense; if you're going to create 3 or 4 or 99 virtual servers you need to be sure that the workload isn't going to suck dry the resources available on any particular machine. And, too, you'll probably need some solution to load balance those applications across virtual instances.
That part, at least, seems easy: get thee a load balancer, pronto. Turns out that the concern regarding balancing server workloads is more complex than most likely realize. A load balancer will,...
posted @ Tuesday, May 06, 2008 6:38 AM |
|
 |
There's more than one way to go green with application delivery networks The past few months have seen a high volume in the number of "green" products announced, many of them in the application delivery realm. Almost universally these announcements have focused on the products themselves as a method of reducing power consumption both in power required to run the device and in lessening the amount of heat generated that requires cooling. But there's another way to "go green" with application delivery, one that doesn't necessarily rely on the application delivery controller being "green" itself. The Three "R"s ...
posted @ Monday, May 05, 2008 12:19 PM |
|
 |
The shortest distance between two points is, according to geometry, a straight line. Unfortunately for everyone, there's no way we can hope to physically have a straight line between us and any server - unless we're in the data center troubleshooting a problem. Whether it's because of physical distance limitations, location, or the device we're using, there's bound to be many points along the path between our client and any given server. But when we diagram network architectures we often obscure in a cloud the actual representation of the network - either because there's just too many devices (the...
posted @ Monday, May 05, 2008 6:52 AM |
|
 |
One of the problems with having kids and Internet access in the same house is dealing with the problem of someone duping your kids into believing they are someone they aren't. And it's not just predators that you have to worry about; kids are devious, they know they can pretend to be someone else (and often do) on the Internet and thereby mess with their friends' heads. One of the reasons it's so easy to socially engineer someone else into believing you are whoever you want to on the Internet is that there's no real way to verify identity....
posted @ Thursday, May 01, 2008 7:50 AM |
|
 |
Sometimes it seems that all we do is listen to complaints - about application performance, about security policies, about broken web sites, about the need to track a single HTTP request across 4 different systems and 9 separate - and uncorrelated - log files. It's overwhelming, at times; this complex web of technology that takes up most of our time and attention during the day and, for some, the night as well. In the midst of all that rushing around just stop for a minute and look around you. Look at all the blinking lights, the cables that connect you to the...
posted @ Wednesday, April 30, 2008 7:11 AM |
|
 |
I didn't say it was your fault, I said I was going to blame you. When the issue of application performance rears its ugly head like some kind of ancient dragon hell-bent on destruction (yours) it is often the application developer that ends up shouldering the blame. It's also often the case that neither the network admin nor the developer can do anything to banish the evil dragon of poor performance. That's because sometimes the fault lies somewhere between the network and the application, in the murky middle layers of the OSI stack - above the network layers. ...
posted @ Wednesday, April 30, 2008 5:52 AM |
|
 |
I had several requests for access to my presentation at Web 2.0 Expo. Today, the fine folks at O'Reilly indicated that the presentation is now available for download. Enjoy! Imbibing: Mountain Dew
posted @ Tuesday, April 29, 2008 8:36 AM |
|
 |
History says integration wins, will that trend continue? Andrew Storms has a nice writeup on PayPal's recent decision to limit the supported browsers used with its service (i.e. this is a one browser site, buddy) in an effort to "protect customers". This isn't just a case of choosing IE over Firefox, or vice-versa, this move is about requiring a certain set of security functions to be available and active in a browser, and will not necessarily block out the major browser vendors - just older versions of those browsers. Apparently one of those features required will be EV SSL...
posted @ Monday, April 28, 2008 8:12 AM |
|
 |
The dirty secrets of Web 2.0 There's something a lot of people don't want you to know about Web 2.0. People who are trying to sell you on Web 2.0 as the greatest thing to hit technology since the first web page appeared at CERN. And while undoubtedly Web 2.0 is having a huge impact on organizations across a broad spectrum - from the enterprise to startups - when you peek under the covers you may be surprised to learn that things haven't changed all that much. Oh, Web 2.0 appears magical indeed but from the view of an...
posted @ Monday, April 28, 2008 7:05 AM |
|
 |
When explaining the benefits of an Application Delivery Network (ADN) it's a good idea to explain what it is first. Really. Like many people with deep knowledge of a particular subject, I sometimes forget that not everyone shares the same foundational knowledge. So when one of the Web 2.0 attendees who'd sat in on my session on scaling architectures for growth (which, of course, heavily relies on an application delivery network) visited me in F5's booth and essentially asked "What is it?" I realized my faux pas. I forgot to explain what it was in addition to what it did...
posted @ Thursday, April 24, 2008 8:02 AM |
|
 |
On the Streets For the first time I can recall I really wished I had a camera at a show because I'm not sure you'll believe this one. I know that Web 2.0 is all hip and trendy, but I'm still not sure what to think of the black sedan outside the Marriott Hotel with the sign in the back that reads it is reserved for "PORN". Seriously. You just can't make this kind of stuff up. Overheard in the Women's Restroom There was a line. A LINE, I say! In all my years of attending technology trade...
posted @ Wednesday, April 23, 2008 3:42 PM |
|
 |
The second session I attended today was hosted by Blaine Cook (formerly of Twitter) and discussed the problems inherent in building the real-time web. His reason for dismissing HTTP as a method for building the real-time web: hard to scale for frequent updates and frequent polling. I call shenanigans. HTTP is not hard to scale in those situations if you have the right infrastructure. In fact, just about every application delivery controller in existence can easily scale HTTP - even under circumstances described by Blaine. The frequency of updating and polling is similarly a problem with any real-time web application,...
posted @ Wednesday, April 23, 2008 3:28 PM |
|
 |
John Musser, from ProgrammableWeb.com, just gave an interesting session on enterprise mashups. ProgrammableWeb is an API/mashup aggregation site that tracks open APIs and mashups from around the web for use in both personal and enterprise mashups. John pointed out that while many of a mashup's attributes can be found in earlier technologies such as: Portals - Presentation Layer; EAI (Enterprise Application Integration) - Application Logic Layer; EII (Enterprise Information Integration) - Data Layer; mashups are different primarily because they are faster to create, less complex, and are based on primarily open standards. John went on to...
posted @ Wednesday, April 23, 2008 9:51 AM |
|
 |
All 8500 (or so) of us Well, tomorrow I'm off to San Francisco for the Web 2.0 Expo. Apparently a lot of folks are going to be there (estimates are in the 8500 range) so this ought to be an interesting and well-attended show. That's not too surprising given a recent Forrester report that claims: "As a standard enterprise tool, Web 2.0 has a bright future, one that companies are expected to spend $4.6 billion by 2013 to integrate into their corporate computing environments." That's a lot of cash to be spent on Web 2.0 in general, and the Web 2.0...
posted @ Monday, April 21, 2008 9:59 AM |
|
 |
Perhaps not, but then you don't really need two arms, either. Anyone who has broken an arm, especially the one with their dominant hand, can tell you that while it probably wasn't any fun they learned to manage just fine with a single arm until the other one healed. They'd also likely tell you that they were glad they had two arms in the first place, because without two they'd have been hard-pressed to do anything productive with only one arm and that one broken, in a cast, unusable. There's a lot of FUD out there regarding whether or...
posted @ Monday, April 21, 2008 6:17 AM |
|
 |
On the heels of seeing a job posting for an Application Delivery Support Analyst this ComputerWorld article lists "Application Delivery" as #5 of the top 10 IT skills needed today. Unlike the job posting, this article actually seems to get the role of an application delivery expert right. While the author only cites the appropriate skills in general terms, at least she hit on all three of the primary categories and, to my surprise, added in the rarely cited fourth domain of application delivery: storage. Application delivery networks, according to Gartner, are required if companies want to deploy...
posted @ Friday, April 18, 2008 12:21 PM |
|
 |
Tony Bourke has a fun little post on "Gotchas of Load Balancing" that really end up being your fault. Sorta. All very true and common mistakes that many people have made when configuring load balancers. But that got me thinking - and laughing - about a couple of "gotchas" that were my own fault back in the Network Computing lab. When Bits Don't Match You cannot plug a 10/100 port into a GigE only port and expect things to work. Really. One of the core routers in our lab had a GigE only blade and for some reason...
posted @ Friday, April 18, 2008 10:12 AM |
|
 |
This is an interesting, albeit very short, post on web acceleration options. The author, Todd, gives a pretty quick "hit list" of reasons to use hardware (such as an application delivery controller) over the built-in capabilities of your web server: 1. Compression 2. Caching 3. TCP enhancements (optimizations) There are additional benefits to using a hardware solution with specific features/functionality that address web acceleration that Todd doesn't mention, perhaps because these options are not necessarily available for web servers and operating systems. 1. Better browser control. Many web application acceleration products are capable of manipulating the...
posted @ Thursday, April 17, 2008 9:02 AM |
|
 |
Anxiety's attacking me, and my air is getting thin. I'm in trouble for the things I haven't got to yet. I'm chomping at the bit, and my palms are getting wet, sweating bullets. --Megadeth, "Sweating Bullets" If you can relate to the kind of stress and anxiety sung about by Megadeth - and it's coming from the workplace - you aren't alone. Last fall InformationWeek ran a short story based on a survey they conducted and concluded that "two out of three IT managers say they're kept awake at night worrying about work, and 75% admit ongoing anxiety about application performance concerns."...
posted @ Wednesday, April 16, 2008 6:19 AM |
|
 |
Hey website! Prove you are you. I got a call last week from my insurance company - or someone claiming to be from my insurance company. The nice lady on the other end wanted my credit card information to pay for the co-payment required for some "speciality meds" for our youngest son. Even though the caller-id had identified the caller as my insurance company, still I hesitated. The cold, cruel reality of the Internet has apparently made me even more cynical than normal. We're often told never to give out our credit card information to anyone who requests...
posted @ Monday, April 14, 2008 5:38 AM |
|
 |
[ Imagine seven dwarves whistling the appropriate tune here ]
Despite Disney's insistence that the plural of dwarf is dwarfs, the rules of English and the Dungeons and Dragons Player's Handbook (PH) say it is dwarves. As the PH is obviously the authoritative source on demi-human races, it wins. Besides, dwarfs is a verb, dwarves is a noun. 'Nuff said.
The point of this post is not really to engage in a grammar war regarding dwarves and spelling, it's about the upcoming Web 2.0 Expo (April 22-25). I'm starting to think more about the conference as it's approaching quickly and...
posted @ Friday, April 11, 2008 11:21 AM |
|
 |
I read with some interest a short announcement that Symantec was acquiring AppStream. Using application streaming enables end users to perform functions by accessing parts of a software program over the network as needed, without having the program fully installed on the client computer. OH RLY? In the past I've sat through many a briefing on "application streaming" products. The description offered of application streaming is exactly the same story I've been sold during those briefings. But when you read that description it suddenly appears that what's being sold is almost a form of SOA (Service Oriented Architecture), or...
posted @ Thursday, April 10, 2008 10:35 AM |
|
 |
There's been a lot of talk about event-driven architectures lately, and mostly in the context of SOA (Service Oriented Architecture). Event-driven is an almost ancient (by technology standards, anyway) concept that involves executing some sort of logic when some event happens. Anyone who's ever had the (mis)fortune to code for early versions of Windows will remember well the event-driven handlers you had to code that were required to build an application. This paradigm followed us to the web, where functions are now coded in JavaScript to handle just about any user - and system - event that might affect...
posted @ Thursday, April 10, 2008 7:04 AM |
|
 |
Like many people, I scour the Internet using Google Alerts that focus on keywords pertinent to my employer's business. Just this morning a digest from Google searching for the term "application delivery" landed in my inbox with an interesting job title: Application Delivery Support Analyst. My first thought was "Hey, that's cool!" I haven't seen such a title before and I got a little excited thinking that perhaps application delivery was finally coming into its own. Then I read the requirements and job description. Technical Skill sets Experience using SQL/ PL-SQL, SQLServer and Oracle to identify and...
posted @ Tuesday, April 08, 2008 10:59 AM |
|
 |
I was listening to some Primus yesterday - To Defy The Laws of Tradition, to be precise- and it got me thinking about architectures and decisions that defy the laws of (IT) tradition. One IT tradition that seems extremely difficult to overcome is that applications should authorize users. After all, the application should control, based on some kind of policy, what users can and cannot do while interacting with it. In fact it's almost a law within IT that while applications may accept the authentication of a user from a trusted source, it is still the authoritative source for authorizing...
posted @ Monday, April 07, 2008 10:23 AM |
|
 |
Do you have a .plan for your .com? You should. Remember when users had a .plan? When the screech of a modem was the most annoying sound you'd hear while online? When multiplayer interaction meant joining a MUD, MOO, or MUSH? When FTP was the only way to transfer files, and if you wanted to chat you'd hop on #IRC? When discussions were for newsgroups, if you ignored alt.binaries.pictures.anything, which was certainly not for discussions. It wasn't necessarily the proliferation of broadband that caused a massive leap in users on the Internet. Just as there are plenty of...
posted @ Thursday, April 03, 2008 4:09 PM |
|
 |
By deploying multiple point solutions when one would suffice I know it doesn't rhyme but honestly, between the number of words that rhyme with "weave" and the meter it was nearly impossible for my sleep deprived brain to come up with one that made sense. Feel free to come up with one and add it via the comments or mail me. Now it's time for a little story: In the beginning OSI created a model. Now the network was formless and empty, darkness was over the optical connections, and the spirit of the OSI was hovering over the web. ...
posted @ Tuesday, April 01, 2008 11:32 AM |
|
 |
You keep using that word. I do not think it means what you think it means. Integration isn't a four letter word, but for many hapless IT folks stuck with the chore of integrating applications, it probably should be. SOA promised to make the world of application integration a painless, happy process in which the traditional basement sacrifice of live chickens and wild gyrations near a glowing rack of servers were no longer necessary. In many cases, the live chicken sacrifice was no longer necessary, but the wild gyrations were still a fact of integration experts' lives, mostly executed out of pain and frustration when systems failed...
posted @ Tuesday, March 25, 2008 12:17 PM |
|
 |
How to apply SOA principles to traditional web application architecture I promised kudos and comments last week for Ronald Schmelzer's ZapNote on the requirement for a service proxy in SOA implementations and so I shall right now. While Ron didn't come right out and say it, a major reason the service proxy is an essential component of a successful SOA implementation is that it protects the concept of loose-coupling, a primary foundational principle of SOA. Loose-coupling is generally applied to consumer-producer relationships and essentially requires that there be no code or logic on the consumer (client) that binds it tightly...
posted @ Tuesday, March 11, 2008 9:49 AM |
|
 |
Why do web app developers make URLs so hard to remember?!? Rewriting for Fun Over the course of the past few weeks I've sent out a link to our personal Gallery installation to share pictures of our new son many times. Now I love Gallery and even though I can recite PI to 42 significant digits, I can't recall the exact URL to the album containing his pictures. I'm constantly looking it up and cutting and pasting it into my e-mail and quite frankly, it's getting annoying. It's long and confusing and not easily remembered. I can't rewrite...
posted @ Thursday, March 06, 2008 9:47 AM |
|
 |
The language of application delivery and SOA finally meets in the middle Ronald Schmelzer at ZapThink wrote a recent ZapFlash titled, "Why Service Consumers and Service Providers Should Never Directly Communicate." Yes, I agree, the title is way too long, but you should read it anyway. The basic premise of this one is that there is a need for a service proxy to protect your investment in SOA. I'll save my kudos and comments for another post, but in general I agree with Ron and his vision of SOA and the need for a proxy/intermediary to prevent the loss...
posted @ Tuesday, March 04, 2008 9:33 AM |
|
 |
Using application fluency and layer 7 routing to implement an efficient, scalable, and cost-effective application architecture There is a subtle difference between the word balance and distribute. Balancing implies a simple decision process. If I have three boxes and three people, I give one box to each person in order - regardless of the weight of those boxes and the ability of the people to carry them. Distribution, on the other hand, implies some form of intelligence behind the decision process. I give the boxes to the people most capable of carrying their weight so that no person gets overloaded...
posted @ Wednesday, February 27, 2008 10:15 AM |
|
 |
A Quick History Lesson Back in the day, server-load balancing vendors figured out that connection management (the setup and teardown of TCP/IP connections) was actually quite a burden on servers. You see, the server not only had to spend time setting up and tearing down the connection, but it also had to keep track of those connections in something we like to call a "session state table". The problem was, and still is, that a server has a limited amount of memory and can only manage X number of connections concurrently. This is primarily a matter of configuration of...
posted @ Thursday, February 21, 2008 9:13 AM |
|
 |
Over the past three weeks Don and I have had a lot of time to chat whilst making the trek back and forth between home and the hospital where the newest member of our family was keeping residence. Mostly we talked about our new son and speculating as to when he might be allowed to come home (Feb 17), but as is our wont we often ended up talking about work. That's one of the benefits of working "together" and in the same field, at least we think so. One of those discussions revolved around iControl and the fact that...
posted @ Tuesday, February 19, 2008 9:42 AM |
|
 |
Nine months is forever in the world of high tech. Innovations and product changes happen quickly, and there's always something new and exciting happening. Nine months is also forever when you're expecting, and just as excitement builds during the last weeks before the launch of a new product like VIPRION, so does the excitement build in the last weeks before it's time to "launch" a new member of the family. Imagine both happening at the same time. Biggest stress over the past week? Worrying about going into labor before product launch day and yet wishing I would anyway. As...
posted @ Friday, January 25, 2008 10:16 AM |
|
 |
It's been a month of imagining a lot of changes in the way we think about application delivery networks. Imagining unmatched performance, manageability of a system that's both green as in cash as well as in grass, and intelligence beyond what is currently available in most of today's application delivery controllers.
It's been a long road to get here, but it's finally arrived: a bladed, chassis-based application delivery controller from F5.
That's right - bladed and modular and with all the flexibility and intelligence you've come to expect from F5 combined with performance that's counted in the millions of transactions per...
posted @ Wednesday, January 23, 2008 9:52 AM |
|
 |
Every morning while I drink my allowed daily allowance of caffeine I peruse through my news and blog feeds via Google Reader. I expect, and am not disappointed, to find that those items I marked as "read" yesterday are still marked as such, and that those I "starred" for follow up are also still marked as such. And of course every feed I've subscribed to still exists, just as it did the night before. This seems like a trivial thing, because we've come to expect that our web applications are intelligent enough to remember our personal settings and configuration....
posted @ Wednesday, January 16, 2008 2:25 PM |
|
 |
We don't often consider the impact of manageability of technology in our daily lives, even though it's become an integral part of just about every aspect of our lives. Likely most prevalent amongst technology management issues is how we deal with our home entertainment systems. From a desire to manage all the devices that deliver and control various forms of media - cable, DVDs, games, etc... - with a single, intelligent management device evolved what we like to call the "universal remote". These little management devices are able to control every component comprising our home entertainment system, greatly reducing the cost...
posted @ Wednesday, January 09, 2008 2:31 PM |
|
 |
Google. Amazon. Facebook. LinkedIn. Salesforce.com. While certainly not an all inclusive list, these very recognizable web monsters all offer access to their "platforms" via a web-based API, a.k.a. services. With the notable exception of Salesforce.com, most have implemented these services as a REST (Representational State Transfer) or REST-like set of interfaces, but in general these APIs meet the criteria necessary to be referred to as services. They're SOA as surely as any other service out there. These services are being incorporated at a rapid pace into other web-based (dare I say Web 2.0) applications, and a plethora of others...
posted @ Friday, January 04, 2008 10:09 AM |
|
 |
Every industry measures performance, we just use different jargon to discuss it. When we talk about the raw power of a car engine we talk in terms of horsepower; of harnessing the performance of hundreds of horses such that they work together as a single unit. In the world of computing we use terms like MIPS (million instructions per second), and in the world of application delivery we measure performance in terms of transactions per second (TPS). The problem in the world of computing is, unfortunately, that simply adding more "horses" to the mix doesn't linearly increase performance. Generally...
posted @ Wednesday, January 02, 2008 2:12 PM |
|
 |
An analyst friend of mine recently asked about F5's Application Ready Networks. The question was, "Isn't that just a bunch of templates?" Now it's true that this particular analyst friend is not an application analyst, so the question was a good one coming from his background, but it got me to thinking that if he was confused, maybe others were as well. So what's an Application Ready Network anyway? F5 has a long history of deep strategic partnerships with application vendors like Oracle, BEA, Microsoft, and SAP. Through these partnerships, and F5's comprehensive technology center in Seattle, our...
posted @ Wednesday, December 19, 2007 9:47 AM |
|
 |
This was just one of those press releases that was so close to being right and yet was missing half the picture. Chicago-based managed dedicated server provider, SingleHop, Inc., advises shoppers to be prepared to suffer through the dreaded "high traffic volume" warnings this holiday season as retailers may be hit with higher than average website traffic.
That's really no surprise, after all I'm fairly certain my shopping alone is enough to cause outages. If you've run into an outage lately, my apologies. I'll be finished shopping shortly. I promise.
In any case, Zak Boca, President, SingleHop, goes...
posted @ Friday, December 14, 2007 11:20 AM |
|
 |
With the increasing number of "data leaks" involving large numbers of affected consumers there is an increased focus on products that prevent such leaks from occurring in the first place. Many of these products have grown out of the IDS (Intrusion Detection System) market and others have been built from the ground up. Some, like F5's BIG-IP Application Security Manager (ASM), have grown out of the WAF (Web Application Firewall) product set. So what's the difference between them? One of the biggest differentiators in these product sets is the way in which they are deployed, which is necessitated by their architecture....
posted @ Thursday, December 13, 2007 12:27 PM |
|
 |
Tis the season for overzealous security to kick in. Is there such a thing as too much security? Rock --> consumer <-- Hard place There's been nearly as much hype about the (non)mythical "Cyber Monday" as there is surrounding "Black Friday" this year. While a lot of attention has been focused thus far on how slow (in terms of performance) some major online-shopping sites have been, there's been very little discussion about the impact of automated fraud detection systems on online transactions. I don't know anyone that would argue that these systems are a Bad Thing. After...
posted @ Thursday, December 06, 2007 8:33 AM |
|
 |
Alan Shimel applauded a recent blog post by Eric Ogren regarding the "Advances by Intel and AMD in compute power with multi-processors and management with virtualization" claiming that these advances "have shifted the game for security vendors who are bringing their products to market as a high performance appliance." Nevis Networks posted a rebuttal, and the comments responding to Eric's post were generally of the same bent: ASICs are not likely to be replaced by general purpose (commodity) processors, regardless of their capabilities. While this current debate is focused on the security market and security-specific ASICs, this isn't a new...
posted @ Tuesday, November 27, 2007 2:23 PM |
|
 |
You've just deployed a Web 2.0 application that includes an AJAX-based real-time updating component. Maybe it's something like Twitter, or a stock chart, or sports scores. Whatever the content is, you've been hearing from users that sometimes those updates just ... fail. Upon further investigation you might discover - will likely discover - that users for which the updates fail have high-latency or low-bandwidth connections. Or both. You don't want to penalize broadband users for whom the app works just fine, but you don't want to alienate those users stuck on dial-up or poor connections. Worse, you can't know...
posted @ Monday, November 19, 2007 9:26 AM |
|
 |
Most people, upon hearing the term "load balancing" immediately think of web and application servers deployed at the edge of the network. After all, that's where load balancing is most often used - to ensure that a public facing web site is always as available and fast as possible. What many architects don't consider, however, is that in the process of deploying a SOA (Service Oriented Architecture) those same web and application servers end up residing deeper in the data center, away from the edge of the network. These web and application servers are hosting the services that make...
posted @ Wednesday, November 14, 2007 9:19 AM |
|
 |
The importance of an application ready network I've been talking a lot about how AJAX and SOA impact the network of late, specifically focusing on the increase in traffic - both the amount of data and frequency of requests. Saturday night I was reminded of how important a properly tuned network can be to applications, especially those based on AJAX. TimeWarner Cable, our only choice in broadband providers, has thoughtfully reconfigured its network as part of a consolidation in the midwest. That shouldn't affect me, it's mostly about routing and such, right? That's what I thought, but it's...
posted @ Monday, November 12, 2007 9:49 AM |
|
 |
This article is just full of interesting ideas. First we're told that the only way to secure Web 2.0/SOA/Web applications is to rewrite the code. This "rewrite the application code" to address any number of delivery issues - security, performance, availability - is old and busted. There are other more efficient mechanisms that can certainly be used to address application delivery issues, such as an application delivery network comprising appropriate intelligent, application aware devices capable of ensuring that all applications are fast, secure, and available. These solutions do not require that the application be rewritten, and in fact in...
posted @ Tuesday, November 06, 2007 1:22 PM |
|
 |
One of the premises of REST (Representational State Transfer) is that it is simpler to use well-known HTTP methods (PUT, DELETE, GET, POST) to perform actions upon resources than it is to construct complex SOAP or traditional HTTP-based application messages. REST resources are identified by URI (Uniform Resource Identifiers) that are specific to the resource. For example, instead of retrieving information about a city with a URI something like this: http://www.example.com/getcityinformation.php?city=Madison&state=WI you would use the GET HTTP method along with a URI that looks more like this: http://www.example.com/Madison/WI You could also (ostensibly) use the PUT method to...
posted @ Friday, November 02, 2007 8:54 AM |
|
 |
One of the core components of an application acceleration solution is almost always compression, and almost always implemented using industry standard algorithms supported by the ubiquitous browser. Compression is used as an application acceleration technique to decrease the total amount of data that needs to be transmitted, thereby reducing the total number of packets that must traverse the network. This results in an overall decrease in the amount of data and protocol overhead required which ultimately means the client gets the data faster. Developers and architects might be thinking: "Hey, my web/app server can compress content, I just have...
posted @ Friday, October 19, 2007 8:16 AM |
|
 |
Lei Zhu @ Digital Web Magazine has an interesting article on Client Side Load Balancing for Web 2.0 Applications. It is interesting in that it presents an alternative mechanism for implementing high-availability without the use of an intermediate load balancing solution. His solution relies solely on the client and takes advantage of the dynamic nature of Web 2.0. The problem with Lei's article is that there are a few assumptions made that are simply inaccurate. Lei contends that the negatives to using an intermediate load balancing solution are: There is a limit to the number of...
posted @ Monday, October 08, 2007 8:28 AM |
|
 |
The evolution of programming languages and environments and the impact on performance Chances are that if I ask my son, a third-year computer science major, about Big(O) I'll either get that look - the one that says he's had that discussion with his father years ago and he really doesn't want to discuss such things with his mother - or he'll dismiss it as not relevant to today's computing environment. Big(O) and algorithmic performance is just not that important to today's generation of developers who are too often being taught to code within a vacuum, or to be more accurate,...
posted @ Tuesday, October 02, 2007 9:23 AM |
|
 |
More bandwidth can't always solve your application performance problems We have, over the years, come to the realization that application performance issues cannot always be solved simply by increasing the amount of bandwidth available. The concept was inherently flawed from the beginning anyway. You can increase the number of lanes on the highway but that doesn't mean that you'll get to your destination faster, it just means more people can get where they're going in about the same amount of time. This is because there is an upper bound on the speed of a car, just as there is an...
posted @ Thursday, September 27, 2007 1:30 PM |
|
 |
What's the difference, really? There are actually quite a few differences, even if you ignore that clustering is generally used to refer to the capability of a software product to provide load-balancing services and load-balancing is often used to refer to a hardware-based (or at least third-party software) solution. Clustering is most often used in conjunction with application servers such as BEA WebLogic, IBM WebSphere, and Oracle AS (10g). So are load-balancing features found within Application Delivery Controllers (ADC) like BIG-IP. In the world of hardware load balancers the term "pool" or "farm" is used to describe a grouping...
posted @ Tuesday, September 25, 2007 4:02 PM |
|
 |
Our own Deb Allen posted a great tech tip yesterday on conditional logic using HTTP::retry with iRules. This spawned a rather heated debate between Don and myself on the importance of performance versus reliability and application delivery, specifically with BIG-IP. Performance is certainly one of the reasons for implementing an application delivery network with an application delivery controller like BIG-IP as its foundation. As an application server becomes burdened by increasing requests and concurrent users, it can slow down as it tries to balance connection management with execution of business logic with parsing data with executing queries against a database with making...
posted @ Thursday, September 20, 2007 9:35 AM |
|
 |
Is to head on over to Michael Botis' blog and read this entry on the impact of Web Services on the network. The reason is because Michael is looking at the impact from a global perspective whereas I've primarily concentrated on the effect of services on the local network and infrastructure. Michael points out that BIG-IP Global Traffic Manager (GTM) can assist in ensuring reliable access to servers across geographically dispersed locations. Two scenarios come to mind that take advantage of GTM: global failover and distribution of services. The former is a fairly straightforward use-case, the latter is more complex...
posted @ Friday, September 14, 2007 10:56 AM |
|
 |
Performance. Everybody wants to know how things perform, whether it be cars, laptops, XML gateways, or application delivery controllers. It's one of the few quantifiable metrics used to compare products when IT goes shopping, especially in the world of networking. Back at Network Computing I did a lot of testing, and a large portion of that testing revolved around performance. How fast, how much data, how many transactions, how many users. If it was possible, I tested the performance of any product that came through our lab in Green Bay. You've not had fun until you've actually melted an SSL...
posted @ Monday, September 10, 2007 7:06 AM |
|
 |
Yesterday Don voiced his opinion that XML tagging is a broken proposition. One of his basic premises is that because tags, a.k.a. meta-data, are generated by people and people aren't always as, shall we say, obsessive about doing so, that the entire system is broken. Obviously I disagree or I wouldn't be penning this post. :-) Web 3.0, a.k.a. the Semantic Web, is going to require tagging, or meta-data if you prefer. Without it there's not a good way to establish the relationships between content that forms the basis for connections. But people are only part of the equation,...
posted @ Thursday, August 30, 2007 9:28 AM |
|
 |
Occasionally I get to chat with the guys in the trenches about ongoing implementations involving BIG-IP. Often these involve deploying BIG-IP in front of XML/SOA gateways for load balancing and high-availability (a la failover) duties, as well as session management capabilities. This is primarily due to a lack of support for these options on the part of XML/SOA gateways combined with the need to horizontally scale out the gateways to deal with high volume throughput. I got to thinking about this deployment scenario during a chat with very smart SOA guys Tony Bishop and Jim Haughton and we decided that...
posted @ Wednesday, August 29, 2007 3:39 PM |
|
 |
Diving more deeply into the issue of speeding up JavaScript and the load balancing question, Scott Conroy points out: The single URL strategy has a major downside, though it is certainly cleaner than having to deal with many URLs. Since HTTP 1.1 says that user agents and servers SHOULD have only two concurrent connections, requests for multiple resources can easily develop into blocking operations. If, say, I have a page that includes twenty images to download, my browser (in its default config) will only download 2 images at a time. If I put those images on multiple "servers"...
posted @ Monday, August 27, 2007 8:34 AM |
|
 |
An interesting article on "How JavaScript is Slowing Down the Web (And What To Do About It)". The basic premise is that Web 2.0 applications like blogs are using so much JavaScript to load widgets and perform other functions that it's causing the initial page load to be s l o w. That's so true. The author has many (okay, there are five) suggestions for improving performance, but one sticks out in my mind, probably because it's core to F5 and its products - and it's not entirely accurate. 3. Load-balance requests by generating different...
posted @ Friday, August 17, 2007 9:55 AM |
|
 |
There have been a lot of questions about the recent announcement of our intention to acquire Acopia Networks, with the most oft repeated question being "Why?"
I'm guessing "why not" isn't an acceptable answer. But before we dive into the why, let me tell you a little story...
The Death of a NAS
Our home network is always growing. Because Don and I both work from home and he's doing a lot of interesting integration work with Java and iControl and I like to play with interesting ways to use iRules, we have incorporated a BIG-IP into our home network. It fronts several...
posted @ Thursday, August 09, 2007 10:41 AM |
|
 |
ZapThink has a great article regarding the granularity of services; that is, how fine or coarse grained services are in terms of the services and interactions available.
What is mentioned, but not highlighted, and appears to be somewhat assumed (at least in this article), is that the end-result, regardless of the process used to build services, revolves around business processes.
[The] concept of granularity is incredibly important to the enterprise architect because it has a direct impact on two major goals of Service-orientation: the composability of loosely-coupled Services, and the reusability of individual Services in different contexts. Before an architect...
posted @ Friday, August 03, 2007 11:56 AM |
|
 |
In a world of 4G languages, regular expressions aren't something with which developers are necessarily familiar. Regular expressions are the thing of scripts, and *nix, and vi. In the fast growing arena of XML, XPath and XQuery have all but supplanted regular expressions by necessity, and yet many XML-focused appliances support regular expressions as a mechanism for matching and even extracting data in certain circumstances. iRules and its parent scripting language, TCL, rely heavily on regular expressions much like other scripting languages such as PERL. While system administrators likely find this comforting, it can be daunting for developers new...
posted @ Wednesday, August 01, 2007 11:59 AM |
|
 |
REST (Representational State Transfer) has been growing in usage, especially with support from early service adopters like Amazon, Google, and eBay. One of the issues often raised in conjunction with REST is the lack of a WSDL (Web Services Description Language) like contract that describes the resources available. The folks over at java.net have come up with what may well be the answer: WADL (Web Application Description Language). Example of WADL for Amazon's Search Service from the specification: <application xmlns="http://research.sun.com/wadl/2006/07" xmlns:aws="http://webservices.amazon.com/AWSECommerceService/2005-07-26" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><grammars> <include href="AWSECommerceService.xsd"/></grammars> <resources base="http://webservices.amazon.com/onca/"> <resource path="xml"> <method href="#ItemSearch"/> </resource> </resources> <method name="GET" id="ItemSearch"> <request> <param name="Service" style="query" fixed="AWSECommerceService"/> <param name="Version"...
posted @ Wednesday, July 25, 2007 9:34 AM |
|
 |
Improving the performance of AJAX applications by switching servers isn't always feasible in a real environment It's nice to see the analysis of AJAX I did last year being validated, especially by one of the creators of the popular AJAX-focused toolkit, Dojo. While I agree with Dylan's assessment of where to begin the "search & destroy mission" and the reasons behind poor performance of AJAX-based applications, I just can't get behind his suggestion to switch Web servers simply to resolve highly aggressive polling-based applications. The best place to begin a thorough search & destroy mission is with...
posted @ Tuesday, July 24, 2007 12:57 PM |
|
 |
Over the past few weeks we've examined the issues inherent with Web 2.0 and in particular AJAX-based applications. These issues need to be dealt with, but they should not be considered "show stoppers" to moving ahead with your Web 2.0 initiative. Consider the security ramifications of the design, implementation, and deployment of your new application carefully. Build security into your new application up front and you'll certainly be able to decrease the potential risks associated with this growing technology. Consider the following methods to CUT the RISK associated with deploying Web 2.0 applications: •Check VA tools for AJAX...
posted @ Monday, July 23, 2007 8:29 AM |
|
 |
This is Part 4 of a series on Web 2.0 Security.
A good way to remember things is to use mnemonics, so when you're trying to list the security issues relevant to Web 2.0 just remember this: it's a MASHup.
More of everything.
Asymmetric data formats
Scripting based
Hidden URLs and code
This episode is brought to you by the letter "H".
Hidden URLs
AJAX and Web 2.0 work because of the use of the XMLHTTPRequest object via JavaScript to invoke remote calls on...
posted @ Wednesday, July 18, 2007 12:38 PM |
|
 |
KPI (Key Performance Indicators) are quantifiable metrics that can be measured against organizational goals. KPIs vary from business to business, based on what the company does. If it's a sales oriented company, a KPI might be something like "increase sales by X% year over year"; if it's a retail company it might be both "increase sales" and "increase customer retention". The key is that a KPI must be measurable in some way. That's why most KPIs are directly related to revenue, customer retention/churn, and other quantifiable aspects of doing business. Aggregating this measurable data is generally the responsibility of...
posted @ Friday, July 13, 2007 9:36 AM |
|
 |
This is Part 3 of a series on Web 2.0 Security.
A good way to remember things is to use mnemonics, so when you're trying to list the security issues relevant to Web 2.0 just remember this: it's a MASHup.
More of everything.
Asymmetric data formats
Scripting based
Hidden URLs and code
This episode is brought to you by the letter "S".
Scripting-based
Web 2.0 technologies, specifically AJAX, are based on the execution of scripts. As we mentioned in Part I of...
posted @ Wednesday, July 11, 2007 1:11 PM |
|
 |
When being chased by a dragon, you don't need to be faster than the dragon. You just need to be faster than the halfling behind you.
I had a lot of discussions at RSA this past week, and of course some of them centered on performance. One of the challenges often associated with pure proxy-based application anything involves dealing with the argument that proxies degrade performance, especially in something as intense as an application firewall. That's because of the associated computational cost of buffering input, reassembling packets, and parsing through data in addition to the requirement of managing TCP connections...
posted @ Monday, February 12, 2007 12:49 PM |
|
 |
No Service is An Island
No one has ever claimed that processing of XML was speedy. Indeed, my reaction to the results of the first test I ever conducted on SOA Security Gateways back in 2003 was to test them again. And again. It turns out that this was actually okay, as a subsequent review showed that the application servers these devices were protecting weren't capable of keeping up anyway.
But that was back in 2003, right? Things have gotten better, haven't they?
Well, yes and no. Another round of testing in 2005 showed that while the devices offloading XML processing...
posted @ Friday, January 19, 2007 12:09 PM |
|
 |
Is the pipe half-full or half-empty?
David Linthicum does a good job of pointing out the factors that can affect performance of your SOA in his recent Real World SOA entry: When to Consider SOA Performance.
I particularly liked rule #3:
"Third, use of too many fine grained services may cause performance problems. Indeed, you should not be afraid to leverage fine grained services within your SOA. However, you need to understand the performance issues with doing so, taking careful consideration of the network bandwidth and how other applications leverage the services."
You should indeed take the network into careful consideration when...
posted @ Wednesday, December 20, 2006 1:27 PM |
|