NetScaler describes its 9800 secure application switch as a secure applications delivery system. What it means by this is a switch that works at the applications layer, optimising “web” traffic in both directions across the switch, in a secure fashion – i.e. it can use secure tunnelling in the form of an SSL VPN and support https/SSL based access to whatever lies either side of the switch with SSL termination at the switch.

Importantly, the combination of features means that, even when accelerating SSL sessions, you can have a fully encrypted connection from client to server.

So where exactly does the NetScaler 9800 system sit? Typically on one side is the “outside world”, be it the Internet or Intranet, or whatever we call departmental computing these days. On the other side is the data centre – server farms, firewalls, cache.

NetScaler’s big claim to fame is its patented “request switching” suite of technologies. This is designed to handle web traffic as efficiently as possible by analysing and directing incoming traffic at the application request level. The company says the capability to examine within the actual payload will be added to a future release. But what it can do now, it does very, very well indeed. This includes TCP offload and optimisation, data compression, static and dynamic caching, SSL acceleration, and prevention of DDoS attacks and other security intrusions.

The NetScaler 9800 system is towards the high end of a range that starts with a cut-down traffic accelerator, but the basic architecture and code are the same throughout. Key here is that NetScaler separates the generic device OS – FreeBSD – from the custom device kernel which carries out the vast majority of the processing requests. So there is none of the overhead that comes into play when a device has to request assistance from the OS regularly, as is the case with some of the other Layer 7 switches. This is especially important in applications such as SSL acceleration, for example.

Traffic breakdowns
Device management is via either a CLI – used to set up the initial configuration, IP address – or a browser-based GUI. The latter provides you with a broad subset of the manageable features of the switch, but the CLI – including shell access to the FreeBSD OS – is required for some configurations. In addition to the browser-based manager, there is also a “dashboard”, a statistics/monitor screen providing you with a number of different performance and traffic breakdowns in graphical or tabular format.

Using Spirent WebAvalanche and WebReflector Internet traffic client/server generators, we put the NetScaler to the test in a number of different ways. We created a test-bed using these tools plus a range of real servers, firstly to test the 9000 Series’ TCP offload capabilities. The idea here is that a web server spends a huge amount of its processing power and memory resource processing TCP requests – millions of them. The result is that scenario we all know only too well – dog-slow server access. Sitting the NetScaler 9800 system in front of the servers, however, enables us to offload those TCP requests onto the NetScaler box.

The result is impressive for something so simple to configure. Want to turn an old Pentium II box into a superserver? Running http/https web traffic directly at the server, then offloading it via the NetScaler gave us a best figure of a 3,000 percent improvement in performance – a 30 times increase in server traffic handling capability in other words.

Even with well-specified Pentium IV servers we were getting a six times increase in performance capability. In practice, it meant that our old PII servers, with the assistance of the NetScaler, were performing five times faster than the PIV servers running without assistance.

Our pure SSL termination tests – terminating traffic at the NetScaler, rather than the HP PIV server used for testing – resulted in 307,745 successful transactions out of an attempted 345,203, as opposed to just 11,090 successes out of 233,029 attempted, running the same test back-to-back, but terminating at the server.

We also set up a simulated 56K modem link to test low-bandwidth access to http applications, simulating attachments, to test the compression capabilities of the NetScaler, and got a more down-to-earth 300 percent improvement, but this was without being “compression friendly” with our test methods. Cache-based testing gave us a 400 percent improvement, using the integrated caching capabilities of the NetScaler.

What is really impressive is that the 9800 is capable of supporting all these (and SSL VPN) services simultaneously. Even when we were pushing the device really hard, the NetScaler CPU levels rarely rose above 25-35 percent utilisation, with memory likewise.

Overall, then, we were very impressed with the NetScaler 9800. It doesn’t do everything at layer 7 that some other switches on the market do, but nonetheless offers features that work very well indeed.

OUR VERDICT

It’s a simple case of doing your sums. Our guess would be that the NetScaler ROI time, in many cases, would be very short indeed.