Analyze Assure Accelerate
October 2003
TM
Do your Web-Applications Deliver on Expectations?
SVWG November 2003
Analyze Assure Accelerate October 2003 Do not redistribute without permissionTM
Agenda
• Framework
• Key Enterprise Challenges
• Comprehensive Testing Helps
• Summary
What are We Trying to Solve?
[Network diagram. Labels: Internet, Router, Perimeter Security, IDS, Firewall (twice), SSL, SLB, Server Farm, Enterprise Intranet, Engineering, Finance]
Enterprise Challenges
New Applications
New Attacks
Performance Degradations
Daily maintenance
Do More with Less?!
The Easy Way Out
A “Realistic” Approach
• Web Application Developers: Regression Testing, Deployment Testing
• Enterprise Security: Vulnerability Testing, Risk Mitigation
• Network IT Infrastructure: Asset Management, Uptime: 24x7xforever
COMPREHENSIVE Testing is key to all three focus areas
Web-application Rollout Process
Highest Risk: Lab Evaluations to Live Deployments
“Realism” Simulations
Feedback from live deployments
Evaluate solutions to new business drivers
Application Requirements
What are “Web Applications”
Web Server
Database Server
Application Server
Firewall, Load Balancer
SSL Scaler
Router
Web Application
3 tiers by 3 tiers
Web Applications: Challenges
• Inability to scale across more users
• Asymmetric load across multiple tiers
• Tuning issues
• Resource allocation issues
• Bottleneck and fault isolation in 3 tiers
• Bad user experience: adaptability to load and devices
Plus: Security + IT infrastructure challenges
Web Applications: Example
• DMV in Mid-West
• Customer wanted to roll out to handle 100s of requests per second
• Architected solution for that
• Brought us in to test
• Actual result – handled only 10s of requests per second
• Had to re-architect entire site - application server was not fast enough!
Other Effects: Example - Link Speeds
Internet Use by Connection Speed
• Broadband: 17%
• 56K Dialup: 64%
• 28.8/33.6K Dialup: 15%
• 14.4K Dialup: 4%
* Source: Nielsen/Netratings, July 2001
The Effect of Link Speed
Maximum Open Network Connections
• 9.6 Kbps WAP: 7098
• 28.8 Kbps Dialup: 4264
• 53 Kbps Dialup: 2357
• 128 Kbps ISDN: 972
• 384 Kbps DSL: 317
• 1.5 Mbps T1: 86
• 100 Mbps LAN: 30
Average Estimated Server Processing Time (milliseconds)
• 9.6 Kbps WAP: 0.712
• 28.8 Kbps Dialup: 0.503
• 53 Kbps Dialup: 0.271
• 128 Kbps ISDN: 0.113
• 384 Kbps DSL: 0.038
• 1.5 Mbps T1: 0.011
• 100 Mbps LAN: 0.003
* Source: Caw Networks Realism Study, February 2002
Effect of Link Speed on Users
Average Application Response Time (milliseconds)
• 9.6 Kbps WAP: 14371
• 28.8 Kbps Dialup: 4821
• 53 Kbps Dialup: 2616
• 128 Kbps ISDN: 1081
• 384 Kbps DSL: 352
• 1.5 Mbps T1: 86
• 100 Mbps LAN: 19
Aspects of Security
• Security Policies = Processes + People + Network + Applications
Focus on: Network and Application-layer security
Security Implementation Challenges
• Enterprise-wide buy in to policies
• Wrong choice of topology
• Incorrect choice of devices
• Poor configurations
Security Testing Solutions
• An example of a real live benchmark for a security consulting company:
  - Testing with data
  - Testing with multiple protocols
  - Testing at realistic load points
• Candidate: High-end 10,000 connections per second firewall
Max CPS with Data
With HTTP, the firewall was able to accomplish 2234 CPS
Breakpoint
Multi protocol: HTTP and FTP CPS
Addition of FTP cuts performance by more than 75%!!!
Most network administrators would never even test for this
Real traffic, Real applications make a difference
Effect of Open Connections
Incomplete Transactions at 100K open
Net Result: Poor User Experience
Unfortunately most experience timeout
What are “IT Infrastructures”?
Recommended Testing Practices
• Key methodologies:
  - Device testing
  - Network testing
  - End to end system testing
• Test before deployment
• Test every change
• Test with realism!
IT Infrastructure Impact
What can go wrong?
• Unknown bottlenecks in end-to-end devices
• Bad firmware/software updates
• Guessing during rearchitecture/consolidation
• Inability to localize faults quickly
• Availability under attack
Summary
• Web Applications are more than Web Applications
• Identify and mitigate risk with comprehensive testing
• Actually do more with less!
Thank You!
Contact us: