Secure the bridge, speed the traffic

 

Connecting state and local government leaders

Case study: The Air National Guard deploys proxy appliances to secure Internet connections and enforce network policy on its nationwide WAN ' and gets the added bonus of optimizing its bandwidth.

It was serendipity. The Air National Guard needed a proxy appliance to secure Internet connections and enforce network policy on its nationwide wide-area network. At the same time, it was becoming apparent that either more bandwidth was needed on that WAN or the existing bandwidth had to be used more efficiently. It found that one box could handle both functions.'I don't care how much bandwidth you have, it is still a good thing to have more efficient bandwidth,' said Air Force Lt. Col. Dunkin Walker, chief at the ANG Network Architecture Branch Communications Directorate.The Guard was already looking at the ProxySG Appliance from Blue Coat Systems for its proxy needs because that was on the Air Force list of approved products.'We would have ended up with a proxy anyway,' Walker said. What was surprising was that the proxy being considered also had acceleration functions. 'We didn't expect that. We were overjoyed when we heard that was a part of the product.'The Air National Guard expects to begin installing more than 200 of the appliances in October to handle its network security and WAN bandwidth needs.Getting more from your existing bandwidth is not a trivial task, and more agencies are looking to WAN optimization technologies as a way to get a five- to 20-fold improvement in network performance without leasing more bandwidth. The WAN optimization space, which started as a tactical bandage to fix network congestion problems, is becoming a strategic enterprise service, said Chris King, director of strategic marketing at Blue Coat. 'The level of investment required is much lower.'The knee-jerk approach to speeding up application performance over the network is to add bandwidth or purchase new servers and distribute them across the enterprise to host applications and data that would be closer to users. There are a number of problems with this approach, King said.Distributing applications on servers also goes against the current trend in government. 'There is a tendency for a lot of government organizations to centralize a lot of the data for security management,' King said. However, even in the best of situations, centralizing applications can have a performance impact on large networks.'The distance that the user's traffic is required to traverse to get to the application is significantly greater than the application was designed for,' King said. A WAN can span thousands of miles, and 'as fast as light travels, it still takes time.'Delays can go from a few milliseconds to a hundred milliseconds to cover the distance, depending on network conditions and the number of hops required ' and talky applications can require dozens or hundreds of round-trip exchanges. 'When you're talking about 200 milli- seconds delay round trip, it adds up.'This was the situation the Air National Guard (ANG) was facing with its network, which connects more than 200 locations in 54 states and territories.'The ANG network is as big as the Air Force network,' Walker said. 'It's not a small organization. We have long-haul communications links between all of the locations.'The more than 107,000 air guardsmen make up about a third of the Air Force's totalmanpower, and they are involved daily in training, rescue missions, firefighting support, combat communications and air traffic control. Increasingly, their missions rely on the ANG WAN.'Everything is moving to the network,' Walker said. 'In an ideal situation, the long-haul pipes would grow to meet these needs.'But the real world is seldom an ideal situation. 'The communications were not adequate for everything that is on the network today,' he said. 'We had to pursue another way to increase the bandwidth available across the network.'That turned out to be the ProxySG. Blue Coat started life as a niche company that accelerated commercial transactions on the Internet with a proxy that terminated and reissued connections on behalf of a server. After the dot-com bust, the company became Blue Coat and focused on security controls in its gateway device to complement its optimization features.Enforcement and acceleration go hand in hand because of the network overhead in policy enforcement, King said.'Every time you add a layer of controls, you affect performance,' he said. 'It's going to get harder to do any kind of policy or security without adding acceleration.'The ProxySG has a policy enforcement engine with 500 variables, allowing granular control of where users can go on the Web, what they can do there and what kinds of data can be downloaded. It can block sites, limit the volume of traffic from some sites and disallow some kinds of content from sites that are not blocked. Policies can be tailored for specific sites, workgroups and individuals.Effective policy enforcement can also help improve network performance by controlling the amount of traffic on the network. Every bit that is blocked makes room for another, legitimate bit.After being briefed on acceleration by Blue Coat about a year ago, the Air National Guard tested the proxy appliances in a pilot program at McConnell Air Force Base, Kansas, where the Air Force has its Network Operations and Security Center (NOSC). The test concluded successfully in the summer, and ANG immediately began gearing up for a networkwide deployment.The boxes were all shipped by October, and the job of installing them in 200 locations began. One appliance will be installed in each of the Guard's 88 wing headquarters and 14 other similar-sized facilities. Eighty-two geographically separated ANG units also will get proxies.The appliances will be centrally managed from the operations center at McConnell, and each will have a standard ANG policy for Web use.'If individual wings want to have a more restrictive policy, they will open a ticket with the NOSC,' which will update the policy, Walker said.The ANG project is complicated somewhat by an additional layer of politics that administrators have to negotiate.'The Air National Guard is really a militia that is controlled by the state to a large extent' and nationalized when needed, Walker said. 'The states think of themselves as their own enterprises.'This makes mandates about network architecture and policy difficult.'We have to sell them on the idea that they are a part of something bigger and abide by the same rules,' he said. 'It's more political than the active-duty military,' in which orders are orders.It is not a small or a simple project, but 'we expect to be pretty much done by the end of the year,' Walker said. If done right, the only difference the end users will see is an improvement in network performance.

Air National Guard: Let a pilot show you the way

Deploying any system on a nationwide network serving more than 200 locations is not a simple job, but that's what the Air National Guard plans to do over the next several months. It is installing a previously untested ' by ANG ' appliance to provide both Internet policy enforcement and application acceleration on its wide-area network.

'We have a large, complex network,' said Air Force Lt. Col. Dunkin Walker, who heads the Communications Directorate at the Guard's Network Architecture Branch. The WAN provides connectivity to ANG facilities in each of the 50 states and in four U.S. territories.

The key to making the implementation work is to try it before you buy it. The Guard did a pilot deployment of the equipment, ProxySG Appliances from Blue Coat Systems, at McConnell Air Force Base, Kansas, home to the USAF Network Operations and Security Center.

'We got some good lessons from the pilot,' Walker said.

The first lesson was that the ProxySG did both of the jobs ANG needed to get done: It could handle policy enforcement at the gateways and improve network performance by managing bandwidth and accelerating the applications. Settings and configuration on the boxes were worked out in a controlled environment, and they learned how the appliances interacted with the local network.

But they also found that the proxy does not work well with other proxies, and you should know if you already have such a device on your local network.

'You have to take the old proxy completely out of the loop,' Walker said.
But the most important lesson was that a careful pilot program can help you determine not only what product to buy, but how to deploy it.
' William Jackson

Get more from your bandwidth

Wide-area optimization technologies squeeze more performance from your network through various techniques, including:

Bandwidth management, mapping network traffic to the organization's priorities.

Protocol optimization, which opens multiple connections for talky applications and loads multiple objects in parallel.

Object caching, saving and serving up objects from a local cache, limiting the use of the network to what is necessary.

Byte caching, similar to object caching but with blocks of data rather than complete objects. This allows the downloading only of data that has changed between requests. Both types of caching become more effective over time and with more people using the network.

Compression, or shrinking the size of the files being transmitted by removing the redundant parts and adding them back in at the destination.

Policy enforcement, allowing users access to only applications pertinent to their jobs.

' William Jackson

DOUBLE DUTY: Blue Coat's ProxySG Appliance did both jobs the Air National Guard needed done, helping to secure its Internet connections while optimizing WAN performance.


























































X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.