Application-specific traffic control, including application-based security and load balancing, is becoming the hot topic in networking, according to Foundry Networks' Chandra Kopparapu.
Kopparapu, the VP and general manager of Foundry's service provider and multilayer switching business unit, points to the growing use of SSL in a new age of Internet privacy, and of course the increasing threat posed by denial of service (DoS) attacks and viruses, as reasons why Layer 4-7 switches need ever more intelligence, scalability and power.
"You need the ability to look deeper into the packet and do SSL off the server," he says. "The challenge is to do Layer 4-7 switching at wirespeed, especially with the migration of Gigabit copper to the edge of the network - the price difference for Gigabit on a server now is zero."
This migration is, in turn, pushing more organisations to adopt 10Gig Ethernet backbones, in order to feed those hungry Gigabit server connections, and as Kopparapu notes, it is a lot more complex to do Layer 4-7 work at 10Gig.
Foundry's response was its recent launch of upgraded models in its ServerIron range, which it claims are the first Layer 4-7 systems with 10Gig uplinks. Kopparapu says it had to develop a new generation of network processors and new ASICs to make these speeds possible.
Even then, each ServerIron 450 or 850 unit is limited to one or two 10Gig uplinks, although at the same time their Gigabit Ethernet port count is doubled from the previous 400 and 800 models.
These systems, along with a new modular SSL acceleration box called ServerIron GT and upgrades to ServerIron's TrafficWorks operating system, are symptomatic of just how much is now moving to the application layer within switching networks.
Application layer threats are more complex too, pushing companies such as Foundry to work ever harder in areas such as content analysis and pattern recognition. This of course means scanning at greater depth, as well as faster.
"ServerIron GT is a load balancing system with integrated SSL," says Kopparapu. "It lets you terminate SSL on the load balancer and do switching on it based on cookies or URLs. It doesn't replace the external firewall but protects against other threats such as server viruses."
"With TrafficWorks we have taken a unified approach to content analysis, so you can write rules and take actions. We can scan up to eight packets together. There's no limit to how much more you could scan, but we generally find 8000 bytes is enough."
One problem is that this kind of analysis can only be performed for applications that the switch knows and understands. Obviously this should include all the common ones, but for others only Layer 4-5 protection can be offered, unless you write your own rules.
Kopparapu says that this means anyone looking at doing Layer 4-7 work must first carry out a careful traffic analysis and then match their application list against the feature sets of the available boxes.
He adds that this same approach applies to application and even email switching, too: "You can use pattern matching to look for BEA cookies, say, then persist them to a specific server where that user's context and information is. Similarly, you could send a known sender's email straight to the trusted zone."
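The two mechanisms Kopparapu describes, content rules applied to a bounded scan window and cookie-based persistence to a specific server, can be sketched in a few dozen lines. The following is an added illustration written for this article, not Foundry code and not how TrafficWorks is implemented: it reassembles a flow's packets, inspects only the first 8000 bytes (the figure quoted above; the constant and its per-flow use are an assumption), matches regex rules against that window, then picks a back-end by session cookie. The cookie name JSESSIONID, the back-end addresses, the round-robin choice for new sessions and the rule syntax are all assumptions. The last case in `demo()` shows the caveat a practitioner should keep in mind: a pattern that sits beyond the scan window is forwarded uninspected.

```python
import re

SCAN_DEPTH = 8000  # assumed per-flow scan window, in bytes (figure from the article)


class L7Switch:
    """Toy Layer 4-7 switch: reassemble a flow, apply content rules to the
    first scan_depth bytes, then choose a back-end server by session cookie."""

    def __init__(self, servers, cookie_name="JSESSIONID", scan_depth=SCAN_DEPTH):
        self.servers = list(servers)
        self.cookie_name = cookie_name   # assumed name of the session cookie
        self.scan_depth = scan_depth
        self.persist = {}                # cookie value -> server (stickiness table)
        self.rules = []                  # (compiled bytes pattern, action)
        self._rr = 0                     # round-robin pointer for new sessions

    def add_rule(self, pattern, action):
        self.rules.append((re.compile(pattern), action))

    def reassemble(self, packets):
        # Join TCP payloads in order and truncate to the scan window; bytes
        # beyond it are never inspected by the rules.
        return b"".join(packets)[: self.scan_depth]

    def match_rules(self, data):
        return [action for pattern, action in self.rules if pattern.search(data)]

    @staticmethod
    def parse_request(data):
        # Minimal HTTP/1.x request-line and header parser; None if malformed.
        head, _sep, _body = data.partition(b"\r\n\r\n")
        lines = head.split(b"\r\n")
        parts = lines[0].split(b" ")
        if len(parts) != 3:
            return None
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(b":")
            if not sep:
                return None
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
        return parts[0].decode("latin-1"), parts[1].decode("latin-1"), headers

    def session_cookie(self, headers):
        for item in headers.get("cookie", "").split(";"):
            name, _sep, value = item.strip().partition("=")
            if name == self.cookie_name and value:
                return value
        return None

    def choose_server(self, cookie):
        # Known session: stick to its server. New session (or no cookie): round-robin.
        if cookie in self.persist:
            return self.persist[cookie]
        server = self.servers[self._rr % len(self.servers)]
        self._rr += 1
        if cookie is not None:
            self.persist[cookie] = server
        return server

    def dispatch(self, packets):
        data = self.reassemble(packets)
        actions = self.match_rules(data)
        if "drop" in actions:
            return {"action": "drop", "server": None, "matched": actions}
        parsed = self.parse_request(data)
        if parsed is None:
            return {"action": "drop", "server": None, "matched": ["malformed"]}
        _method, _path, headers = parsed
        server = self.choose_server(self.session_cookie(headers))
        return {"action": "forward", "server": server, "matched": actions}


def build_request(path, cookie=None, body=b"", cookie_name="JSESSIONID"):
    # Constructed sample request, split into two "packets" to exercise reassembly.
    lines = [f"GET {path} HTTP/1.1", "Host: www.example.com"]
    if cookie:
        lines.append(f"Cookie: {cookie_name}={cookie}")
    raw = ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body
    return [raw[:40], raw[40:]]


def demo():
    sw = L7Switch(["10.0.0.11", "10.0.0.12"])   # constructed back-end pool
    sw.add_rule(rb"\.\./", "drop")              # reject traversal-looking requests
    out = {}
    out["no_cookie"] = sw.dispatch(build_request("/index.html"))
    out["session_a"] = sw.dispatch(build_request("/cart", cookie="a1b2"))
    out["session_a_again"] = sw.dispatch(build_request("/checkout", cookie="a1b2"))
    out["traversal"] = sw.dispatch(build_request("/images/../../config"))
    deep_body = b"x" * SCAN_DEPTH + b"../"     # pattern placed past the scan window
    out["beyond_window"] = sw.dispatch(build_request("/upload", body=deep_body))
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} {result}")
```

Two design points worth noting. Persistence is keyed on the cookie value the client presents, so the table grows with sessions and needs an expiry policy in a real device. And the `beyond_window` case forwards unmodified: whatever depth a switch inspects, content past that point reaches the server, which is why Kopparapu's point about matching your traffic profile against the box's inspection limits matters.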
Layer 4-7 switches could also defend against emerging threats, he says, in particular those to DNS security and availability.
"People forget to secure DNS, but it's the gateway to your Web services. A hacker could hijack your site, either maliciously to divert your callers elsewhere, or as a prank," he explains. "We can sit in front of the DNS, protect it and distribute the load."
Foundry's interest in the Layer 4-7 market is understandable when you consider that while Kopparapu reckons it is a $400m market world-wide, he says it is only 10 to 15 percent of the company's revenue today. As he points out, Layer 2 switching is a commodity now, and most Layer 2 products are also Layer 3-capable.