Do your Web-Applications Deliver on Expectations? SVWG November 2003

Upload: owen

Post on 25-Feb-2016

TRANSCRIPT

Page 1: Do your Web-Applications  Deliver on Expectations? SVWG  November 2003

Analyze Assure Accelerate

October 2003

TM

Do your Web-Applications Deliver on Expectations?

SVWG November 2003

Page 2: Do your Web-Applications  Deliver on Expectations? SVWG  November 2003

Analyze Assure Accelerate October 2003 Do not redistribute without permission TM

Agenda

• Framework

• Key Enterprise Challenges

• Comprehensive Testing Helps

• Summary

Page 3: Do your Web-Applications  Deliver on Expectations? SVWG  November 2003

What are We Trying to Solve?

[Diagram: Internet, Router, Perimeter Security, IDS, Firewall, SSL, SLB, Server Farm, Enterprise Intranet (Engineering, Finance)]

Page 4: Do your Web-Applications  Deliver on Expectations? SVWG  November 2003

Enterprise Challenges

New Applications

New Attacks

Performance Degradations

Daily maintenance

Do More with Less?!

Page 5: Do your Web-Applications  Deliver on Expectations? SVWG  November 2003

The Easy Way Out

Page 6: Do your Web-Applications  Deliver on Expectations? SVWG  November 2003

A “Realistic” Approach

Web Application Developers

• Regression Testing

• Deployment Testing

Enterprise Security

• Vulnerability Testing

• Risk Mitigation

Network IT Infrastructure

• Asset Management

• Uptime: 24x7xforever

COMPREHENSIVE Testing is key to all three focus areas

Page 7: Do your Web-Applications  Deliver on Expectations? SVWG  November 2003

Web-application Rollout Process

Highest Risk: Lab Evaluations to Live Deployments

“Realism” Simulations

Feedback from live deployments

Evaluate solutions to new business drivers

Application Requirements

Page 8: Do your Web-Applications  Deliver on Expectations? SVWG  November 2003

What are “Web Applications”

Web Server

Database Server

Application Server

Firewall, Load Balancer

SSL Scaler

Router

Web Application

3 tiers by 3 tiers

Page 9: Do your Web-Applications  Deliver on Expectations? SVWG  November 2003

Web Applications: Challenges

• Inability to scale across more users

• Asymmetric load across multiple tiers

• Tuning issues

• Resource allocation issues

• Bottleneck and fault isolation in 3 tiers

• Bad user experience: adaptability to load and devices

Plus: Security + IT infrastructure challenges

Page 10: Do your Web-Applications  Deliver on Expectations? SVWG  November 2003

Web Applications: Example

• DMV in Mid-West

• Customer wanted to roll-out to handle 100s of requests per second

• Architected solution for that

• Brought us in to test

• Actual result – handled only 10s of requests per second

• Had to re-architect entire site - application server was not fast enough!

Page 11: Do your Web-Applications  Deliver on Expectations? SVWG  November 2003

Other Effects: Example - Link Speeds

Internet Use by Connection Speed

• Broadband: 17%

• 56K Dialup: 64%

• 28.8/33.6K Dialup: 15%

• 14.4K Dialup: 4%

* Source: Nielsen/Netratings, July 2001

Page 12: Do your Web-Applications  Deliver on Expectations? SVWG  November 2003

The Effect of Link Speed

Maximum Open Network Connections

• 9.6 Kbps WAP: 7098

• 28.8 Kbps Dialup: 4264

• 53 Kbps Dialup: 2357

• 128 Kbps ISDN: 972

• 384 Kbps DSL: 317

• 1.5 Mbps T1: 86

• 100 Mbps LAN: 30

Average Estimated Server Processing Time (milliseconds)

• 9.6 Kbps WAP: 0.712

• 28.8 Kbps Dialup: 0.503

• 53 Kbps Dialup: 0.271

• 128 Kbps ISDN: 0.113

• 384 Kbps DSL: 0.038

• 1.5 Mbps T1: 0.011

• 100 Mbps LAN: 0.003

* Source: Caw Networks Realism Study, February 2002

Page 13: Do your Web-Applications  Deliver on Expectations? SVWG  November 2003

Effect of Link Speed on Users

Average Application Response Time (ms)

• 9.6 Kbps WAP: 14371

• 28.8 Kbps Dialup: 4821

• 53 Kbps Dialup: 2616

• 128 Kbps ISDN: 1081

• 384 Kbps DSL: 352

• 1.5 Mbps T1: 86

• 100 Mbps LAN: 19

Page 14: Do your Web-Applications  Deliver on Expectations? SVWG  November 2003

Aspects of Security

• Security Policies = Processes + People + Network + Applications

Focus on: Network and Application-layer security

Page 15: Do your Web-Applications  Deliver on Expectations? SVWG  November 2003

Security Implementation Challenges

• Enterprise-wide buy in to policies

• Wrong choice of topology

• Incorrect choice of devices

• Poor configurations

Page 16: Do your Web-Applications  Deliver on Expectations? SVWG  November 2003

Security Testing Solutions

• An example of a real live benchmark for a security consulting company:

  • Testing with data

  • Testing with multiple protocols

  • Testing at realistic load points

• Candidate: High-end 10,000 connections per second firewall

Page 17: Do your Web-Applications  Deliver on Expectations? SVWG  November 2003

Max CPS with Data

With HTTP, the firewall was able to accomplish 2234 CPS

Breakpoint

Page 18: Do your Web-Applications  Deliver on Expectations? SVWG  November 2003

Multi protocol: HTTP and FTP CPS

Addition of FTP cuts performance by more than 75%!!!

Most network administrators would never even test for this

Real traffic, Real applications make a difference

Page 19: Do your Web-Applications  Deliver on Expectations? SVWG  November 2003

Effect of Open Connections

Incomplete Transactions at 100K open

Page 20: Do your Web-Applications  Deliver on Expectations? SVWG  November 2003

Net Result: Poor User Experience

Unfortunately, most experience a timeout

Page 21: Do your Web-Applications  Deliver on Expectations? SVWG  November 2003

What are “IT Infrastructures”?

Page 22: Do your Web-Applications  Deliver on Expectations? SVWG  November 2003

Recommended Testing Practices

• Key methodologies:

  • Device testing

  • Network testing

  • End to end system testing

• Test before deployment

• Test every change

• Test with realism!

Page 23: Do your Web-Applications  Deliver on Expectations? SVWG  November 2003

IT Infrastructure Impact

What can go wrong?

• Unknown bottlenecks in end-to-end devices

• Bad firmware/software updates

• Guessing during rearchitecture/consolidation

• Inability to localize faults quickly

• Availability under attack

Page 24: Do your Web-Applications  Deliver on Expectations? SVWG  November 2003

Summary

• Web Applications are more than Web Applications

• Identify and mitigate risk with comprehensive testing

• Actually do more with less!

Page 25: Do your Web-Applications  Deliver on Expectations? SVWG  November 2003

Thank You!

Contact us:

[email protected]

[email protected]