
Cisco ACE 4700 Series Application Control Engine Appliances

Cisco Application Control Engine Technical Overview

Executive Summary

Organizations continue to deploy and upgrade applications to improve productivity, control costs, optimize business processes, and enable better-informed, timely decision making at every level of the organization. To achieve optimum return on investment from these applications, organizations must ensure that the applications are highly available and secure, and that they operate at a defined level of performance wherever and whenever they are used. However, organizations face numerous challenges associated with delivering applications and critical business data with adequate service levels to global users. The Cisco Application Control Engine (ACE) is a new network solution that improves availability, performance, and security for all applications. It also facilitates infrastructure consolidation while taking advantage of existing capital and operational assets.

Challenges

Applications continue to evolve, and they are becoming large and more complex. Delivering these complex and critical applications with adequate performance, availability, and security to global users has become a significant challenge for IT organizations.
As the global workforce continues to become more distributed with increasing numbers of remote workers, the delivery of applications and critical business data to users becomes increasingly difficult. Regardless of their location, users want timely access to all types of information and applications. Moreover, they want access to be as quick and easy as if they were close to the data center. In addition, many application functions that can be offloaded to the network consume many more server resources, resulting in poor performance for core business transactions. Poor application performance can result in low adoption rates, incomplete transactions, loss of productivity, and low levels of user satisfaction.
With growing reliance on Web-enabled applications over the Internet and the need to extend access to applications across mobile users and partners, organizations now face significant challenges to protect applications and intellectual property from a wide variety of network, application-level, and Web services attacks. In addition, organizations have to achieve compliance with government and various industry regulations. Any compromise in security can seriously damage relationships with customers and business partners.
Most importantly, today's organizations are under pressure to maintain continuous availability within and across data centers for growing numbers of applications for globally distributed users, partners, and customers. If a critical application outage occurs, business activities can come to a standstill, resulting in lost revenue and credibility.
Finally, organizations have traditionally approached application-delivery challenges by buying more servers and load-balancing devices. However, IT budgets are not growing, and executives are increasingly expected to do more with fewer IT infrastructure resources. Hence, organizations are looking for solutions that enable consolidation of application-delivery infrastructure in the data center to reduce costs and simplify management.
Many application and network vendors have attempted to solve some of these application-delivery challenges using software-based solutions on general-purpose hardware. But these products introduce additional complexity in the network and device sprawl in the data center; increase data-center rack space, cooling, and power requirements; and increase software license and operational management costs.

Cisco ACE Application Switch Solves Application-Delivery Challenges

Cisco® ACE application switches provide core server load-balancing services; advanced application acceleration; and security services to maximize application availability, performance, and security. The switches are coupled with an innovative virtualized hardware platform, application-specific intelligence, powerful performance, and granular role-based administration. The Cisco ACE application switch is an asymmetric solution typically deployed in the data center. Figure 1 shows these highly scalable modules for the Cisco Catalyst® 6500 Series Switches (Ethernet switches) and Cisco 7600 Series Routers (carrier Ethernet routers) as well as the standalone Cisco ACE 4710 appliance for discrete data-center deployments.

Figure 1. Cisco ACE Application Control Engines

Using the Cisco ACE application switch, IT organizations are better positioned to achieve the following business benefits:

• Improved application availability and scalability: The Cisco ACE application switch improves application availability and uptime while dynamically scaling application resources as business requirements grow.

• Cost reductions through data-center consolidation: The Cisco ACE application switch facilitates data-center consolidation, reducing the quantity of servers and load balancers needed and reducing power and cooling requirements. In addition, it reduces application deployment cycles and ongoing time required to manage application infrastructure.

• Accelerated applications: The Cisco ACE application switch accelerates application response time and increases business transaction throughput to any remote user. It offloads up to 90 percent of server processing power, reducing the number of servers and application licenses required.

• Secured applications: The Cisco ACE application switch protects applications and the data center from network and application attacks.

Figure 2. Cisco ACE Application Switch Core and Advanced Application-Delivery Services

The Cisco ACE application switch provides such benefits through a broad set of core and advanced application-delivery capabilities on virtualized and high-performance hardware architecture:

• Intelligent server load balancing (SLB): The Cisco ACE application switch delivers a high-performance and intelligent application switching solution using various dynamic and adaptive load-balancing algorithms. It provides server load balancing for all IP applications and powerful persistence of information in the header for packaged, custom, and Extensible Markup Language (XML) applications. It is designed to deliver high stateful availability at the physical or virtual device level.

• Advanced application-acceleration techniques: The Cisco ACE application switch accelerates applications through a combination of functions, such as features that reduce client-server round trips, optimize bandwidth using compression, and offload server-processing cycles for Secure Sockets Layer (SSL) and server TCP connection setup.

• Network and application security: The Cisco ACE application switch secures the data center and applications, including Web applications from a wide variety of network and application attacks, both known and unknown. It provides this protection through highly scalable packet and content filtering, protocol inspections, and advanced encryption.

• Powerful virtualized architecture: The Cisco ACE application switch virtualization allows you to partition a physical device into multiple isolated virtual devices, each with all the capabilities of the physical device. This virtualization capability allows you to reduce the number of physical application-delivery devices deployed in the data center.

• Purpose-built application-delivery device: The Cisco ACE application switch uses multicore network processors to provide excellent Layer 4-to-Layer 7 server load balancing. In addition, it allows service concurrency without performance degradation by using optional daughter cards.

• Customizable role-based administration (RBA): The Cisco ACE application switch provides eight predefined roles and also allows you to create custom roles to adapt to different organizational structures. As a result, IT network and application groups are not required to coordinate among themselves to make configuration changes.

Improved Application Availability and Scalability

The Cisco ACE application switch provides comprehensive and application-aware SLB services. The function of the SLB device is to select a server that can best fulfill a particular client request. For example, a client request may consist of an HTTP GET request for a Webpage or an FTP GET request to download a file. The Cisco ACE application switch uses both rich static and dynamic information about the server and application to make intelligent load-balancing decisions. The Cisco ACE application switch performs these decisions in the shortest amount of time without overloading either the server or the server farm as a whole (Figure 3).

Figure 3. Cisco ACE Application Switch Load Balances Client Requests Across Multiple Servers

The Cisco ACE application switch provides improved application availability and scalability benefits through a broad set of advanced SLB features on virtualized and high-performance hardware architecture:

• Adaptive load-balancing algorithms: Unlike traditional load balancers that use static information about the server to make load-balancing decisions, the Cisco ACE application switch uses both static and dynamic information to make intelligent load-balancing decisions. In addition to server information, the Cisco ACE application switch also uses application and content information to make intelligent load-balancing decisions. The switch supports various applications and content-aware load-balancing algorithms, including hashed header, hashed cookie, hashed URL, and application error-response codes. Based on the load-balancing algorithm configured, the Cisco ACE application switch performs a series of checks and calculations to determine the server that can best service each client request for improved performance and availability.

• Intelligent application and content switching: The Cisco ACE application switch supports load balancing and persistence on any value in the HTTP header for packaged and custom applications.

• Session persistence: Many packaged and e-commerce applications store information about the client in the server memory for use throughout a session. A session, as used here, is defined as a series of transactions between a client and a server over some finite period of time (from several minutes to several hours). These applications require the client to become "stuck" to one server after the connection is established. The Cisco ACE application switch supports a feature called stickiness that allows the same client to maintain multiple simultaneous or subsequent TCP or IP connections with the same server for the duration of a session. Depending on the configured SLB policy, the Cisco ACE application switch "sticks" a client to an appropriate server after it has determined which load-balancing algorithm to use. If the Cisco ACE application switch determines that a client is already stuck to a particular server, it sends further requests from the same client to that server, regardless of the load-balancing criteria specified by the matched policy. If the Cisco ACE application switch determines that the client is not stuck to a particular server, it applies the normal load-balancing rules to the client request. The Cisco ACE application switch is completely application-aware and provides various session persistence methods, including source or destination IP addresses, cookies (dynamic cookie learning and cookie insert), SSL session IDs, HTTP headers, information unique to packaged applications and protocols, and any custom value(s) in protocol headers.
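The stickiness logic described above, as an added worked example rather than Cisco ACE code: a client already stuck to a healthy server is sent back there regardless of the algorithm, otherwise the configured algorithm (least-connections or a hashed key) picks a server and the client is stuck to it, and a stale sticky entry is dropped when its server leaves service. The server farm, addresses and source IPs are constructed sample data.

```python
"""Server selection with session persistence ("stickiness") on top of a
load-balancing algorithm. Added illustration, not Cisco ACE code: the
server farm, sticky keys and client requests are constructed sample data,
and the least-connections and hashed-key algorithms are written out in
plain Python."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class RealServer:
    name: str
    address: str
    in_service: bool = True
    active_connections: int = 0


@dataclass
class ServerFarm:
    servers: list
    sticky_table: dict = field(default_factory=dict)  # sticky key -> server name

    def _candidates(self):
        return [s for s in self.servers if s.in_service]

    def least_connections(self):
        """Dynamic algorithm: the in-service server with the fewest open connections."""
        candidates = self._candidates()
        return min(candidates, key=lambda s: s.active_connections) if candidates else None

    def hash_select(self, key: str):
        """Hashed-key algorithm (hashed header, cookie or URL): the same key
        deterministically maps to the same in-service server."""
        candidates = self._candidates()
        if not candidates:
            return None
        digest = int(hashlib.sha256(key.encode()).hexdigest(), 16)
        return candidates[digest % len(candidates)]

    def select(self, sticky_key: str, algorithm: str = "least-connections", hash_key=None):
        """Return (server, was_sticky). A client already stuck to a healthy
        server goes back there regardless of the algorithm; otherwise the
        algorithm picks a server and the client is stuck to it."""
        stuck = self.sticky_table.get(sticky_key)
        if stuck is not None:
            server = next((s for s in self.servers if s.name == stuck), None)
            if server is not None and server.in_service:
                return server, True
            del self.sticky_table[sticky_key]  # stale entry: server gone or out of service
        if algorithm == "least-connections":
            server = self.least_connections()
        elif algorithm == "hash":
            server = self.hash_select(hash_key if hash_key is not None else sticky_key)
        else:
            raise ValueError(f"unknown algorithm {algorithm!r}")
        if server is not None:
            self.sticky_table[sticky_key] = server.name
        return server, False


def sticky_cookie_value(server: RealServer) -> str:
    """Cookie-insert value for a server: an opaque digest rather than the
    real server's address, so the cookie does not disclose the back end."""
    return hashlib.sha256(server.name.encode()).hexdigest()[:16]


def simulate(farm: ServerFarm, source_ips):
    """Feed constructed client requests (keyed on source IP) through the farm
    and return the (client, server name, was_sticky) decision for each."""
    decisions = []
    for src in source_ips:
        server, sticky = farm.select(sticky_key=src)
        if server is None:
            decisions.append((src, None, False))
            continue
        server.active_connections += 1
        decisions.append((src, server.name, sticky))
    return decisions
```

The cookie value is an opaque digest so that a cookie-insert persistence scheme does not expose real-server addresses to clients; the digest only keeps the example deterministic, and a random per-server token kept in the sticky table would serve equally well.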

• Application health monitoring: The Cisco ACE application switch supports advanced server and application health monitoring to track the state and health of a server or application using out-of-band probes. The Cisco ACE application switch verifies server responses or checks for network problems that can prevent a client from reaching a server. Based on the server response, the Cisco ACE application switch can place the server in or out of service and can make reliable load-balancing decisions. The Cisco ACE supports up to 4096 unique probe configurations, including Internet Control Message Protocol (ICMP), TCP, HTTP, hardware-accelerated SSL/secure HTTP (HTTPS), and other predefined health probes. In addition to these probes, the Cisco ACE also supports more flexible scripted health probes that allow you to upload and execute custom Tool Command Language (TCL) scripts. Script probes operate similarly to other predefined health probes available in the Cisco ACE software. As part of a script probe, the Cisco ACE executes the script periodically. The exit code that is returned by the executing script indicates the relative health and availability of specific real servers. The health probe can be applied to a server farm.

• Route health injection: The Route Health Injection (RHI) feature allows the Cisco ACE application switch to advertise the availability of a virtual IP (VIP) address throughout the network. You can use the RHI feature to create multiple instances of a VIP for disaster recovery, global SLB, and Cisco ACE application switch scalability. With RHI, the Cisco ACE application switch sends advertisements to the Multilayer Switch Feature Card (MSFC) when VIP addresses become available and withdraws advertisements for VIP addresses that are no longer available. The Cisco ACE application switch uses health probes to determine VIP availability. The MSFC adds an entry in its routing table for each VIP address it receives from the Cisco ACE application switch. The routing protocol running on the MSFC sends routing-table updates, including availability and hop-count routing information for each instance of a VIP address to other routers. The client router uses the routing information to choose a route based on best available path to that VIP address and also where the Cisco application switch is logically closer to the client system.
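The two bullets above describe one chain: out-of-band probes (an HTTP status check or a script's exit code) decide whether a real server is in or out of service, and the VIP is advertised to the routing layer only while the farm can still serve it. The following is an added example, not Cisco ACE code: the fail and pass thresholds, the probe results and the routing table are constructed, and the exit-code convention (0 healthy, non-zero failed) is assumed for the example.

```python
"""Out-of-band health probes driving in/out-of-service state and route
health injection (RHI). Added illustration, not Cisco ACE code: probe
outcomes, thresholds and the routing table below are constructed; a
real deployment would hand the route to the MSFC rather than to a set."""
from dataclasses import dataclass


@dataclass
class ProbedServer:
    name: str
    in_service: bool = True
    consecutive_failures: int = 0
    consecutive_passes: int = 0


def http_probe_exit_code(status: int, expected: int = 200) -> int:
    """Reduce an HTTP probe to the scripted-probe convention used here:
    exit code 0 means healthy, non-zero means failed (assumed convention)."""
    return 0 if status == expected else 1


class HealthMonitor:
    """A server leaves service after `fail_threshold` consecutive failed
    probes and returns after `pass_threshold` consecutive passes. The
    thresholds are assumed values for the example, not device defaults."""

    def __init__(self, servers, fail_threshold=3, pass_threshold=2):
        self.servers = {s.name: s for s in servers}
        self.fail_threshold = fail_threshold
        self.pass_threshold = pass_threshold

    def record(self, name: str, exit_code: int) -> bool:
        s = self.servers[name]
        if exit_code == 0:
            s.consecutive_failures = 0
            s.consecutive_passes += 1
            if not s.in_service and s.consecutive_passes >= self.pass_threshold:
                s.in_service = True
        else:
            s.consecutive_passes = 0
            s.consecutive_failures += 1
            if s.in_service and s.consecutive_failures >= self.fail_threshold:
                s.in_service = False
        return s.in_service

    def farm_available(self) -> bool:
        """A VIP is reachable only while at least one real server is in service."""
        return any(s.in_service for s in self.servers.values())


class RouteTable:
    """Stand-in for the upstream router's table that receives RHI updates."""

    def __init__(self):
        self.routes = set()
        self.events = []

    def sync(self, vip: str, available: bool):
        if available and vip not in self.routes:
            self.routes.add(vip)
            self.events.append(("advertise", vip))
        elif not available and vip in self.routes:
            self.routes.discard(vip)
            self.events.append(("withdraw", vip))


def run_probe_cycle(monitor: HealthMonitor, table: RouteTable, vip: str, results):
    """Apply probe results, (server name, exit code) in completion order,
    and re-evaluate the VIP advertisement after each one."""
    for name, code in results:
        monitor.record(name, code)
        table.sync(vip, monitor.farm_available())
    return table.events
```

Requiring several consecutive failures before withdrawing a server, and several passes before readmitting it, keeps a single lost probe from flapping the route; the thresholds are the knob a practitioner tunes against the probe interval.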

• Asymmetric server normalization (ASN): ASN allows Cisco ACE to load balance the initial request from the client while directing return traffic from the real server directly to the client, bypassing the Cisco ACE application switch. This feature accelerates server-to-client communications and reduces the amount of traffic processed through the Cisco ACE application switch. With the ASN feature, Cisco ACE sends traffic to a real server with the VIP address as the destination address and the MAC address of the real server. Here the real server needs to be configured with an IP address, as it would normally be, but it also needs to be configured with the IP address of the VIP on the loopback interface.

• High availability and stateful redundancy: Many mission-critical applications require transparent and sub-second failover if an application-delivery device becomes unresponsive. The Cisco ACE application switch is designed to deliver robust stateful redundancy at the physical and virtual device levels. The stateful redundancy feature of Cisco ACE can enhance your experience by helping to ensure that network services and applications are available regardless of device failure.

• Virtual device redundancy: You can configure the Cisco ACE application switch to provide redundancy between two Cisco ACE modules in the same Cisco Catalyst 6500 Series Switch, in the same Cisco 7600 Series Router chassis, or in two physically separate chassis. The Cisco ACE also supports redundancy between two appliance form-factor devices. Compared to traditional solutions, the Cisco ACE supports high availability at both physical and virtual device levels. The Cisco ACE application switch can be partitioned into up to 250 virtual devices, each with its own configuration files, resources, and management interfaces. Each virtual device has all the capabilities of the actual physical device, and each virtual device is independent and isolated so that it appears to be a unique physical device from the viewpoint of the network and the network administrator. The Cisco ACE application switch provides the flexibility to configure redundancy only for selected virtual devices. Configurations in one virtual device do not affect configurations in other virtual devices. As a result, virtual partitioning provides an innovative way of protecting a set of services configured in several virtual devices from accidental mistakes, or from malicious configurations, made in another virtual device. A configuration failure on Cisco ACE is limited to the scope of the virtual device in which it was created. A failure in one virtual device has no effect on other virtual devices in the Cisco ACE, maximizing uptime for critical applications, especially when Cisco ACE is deployed in a redundant high-availability configuration.

• Active-active redundancy: The Cisco ACE application switch supports a flexible active-active redundancy configuration between two physical devices. This setup allows you to distribute workload between both physical Cisco ACE devices rather than using only one of the devices in active mode. Figures 4 and 5 illustrate two possible Cisco ACE active-active redundancy configurations, where N is the number of Cisco ACE virtual devices configured for redundancy. In the first example (Figure 4), the virtual devices are evenly distributed between the two physical Cisco ACE devices. The letters (A, B, C, and D) represent the active virtual devices, whereas the primed letters (A', B', C', and D') represent standby virtual devices. In the second example (Figure 5), the virtual devices are unevenly distributed between two physical Cisco ACE devices. This scenario is applicable if applications hosted on virtual devices A, B, C, and D require only half the resources that are required for applications hosted on virtual devices E and F.

Figure 4. Cisco ACE Application Switch Active-Active Redundancy: Example 1

Figure 5. Cisco ACE Application Switch Active-Active Redundancy: Example 2

• Stateful failover: The Cisco ACE application switch replicates connection flows on the active virtual device to the standby virtual device. The replicated connection flows contain all the flow-state information necessary for the standby virtual device to take over the flow if the active virtual device becomes unresponsive. The former active virtual device transitions to a standby state to fully back up the current flows to the newly active virtual device. With this feature, end-user applications do not need to reconnect to maintain the same network session during the failover and failback. Thus, the Cisco ACE stateful failover and failback redundancy capability provides true transparent failover for applications regardless of device failure.

• Tracking and failure detection: The Cisco ACE application switch supports tracking and failure detection of several network items, including servers and VLANs, and performs transparent switchover from an active Cisco ACE physical or virtual device to a standby Cisco ACE device if the tracked network resources become unresponsive. All active flows that exist at the time of the switchover continue uninterrupted on the new active Cisco ACE device. When the failed tracked network device comes back up, the Cisco ACE application switch evaluates the priority between active and standby Cisco ACE devices. If the resulting priority of the standby Cisco ACE device is greater than the priority of the active Cisco ACE device, the Cisco ACE performs transparent switchover to the original active Cisco ACE device. The Cisco ACE can be configured to track several network devices such as gateways or hosts, interfaces, and Hot Standby Router Protocol (HSRP) groups. For example, the Cisco ACE can track the HSRP group and perform transparent switchover from an active Cisco ACE device to a standby Cisco ACE device if the HSRP group is unresponsive. In this scenario, the ability of the Cisco ACE application switch to track and switch over reduces traffic on the Inter-Switch Link [ISL] between two distribution layer switches.

Cisco ACE: One of the Industry's Most Efficient Application-Delivery Platforms

The Cisco ACE application switch solves application-delivery challenges without introducing additional complexities in the network. It provides many advanced and innovative features, including virtualization, high performance, purpose-built hardware, and a simplified GUI to enable data-center and device consolidation, reduce costs, and simplify management. It is a highly efficient application-delivery platform.

• Purpose-built hardware: Application-delivery devices usually follow two main types of architecture: server-based or hardware-based. Server-based application-delivery devices are usually general-purpose hardware running a standard or modified freeware operating system such as Linux or FreeBSD. The server-based approach reduces code development and enables faster turnaround of new features, but it comes with a severe penalty on performance. Customers usually must trade performance for features with a server-based approach. In addition, the software-based approach also forces vendors to rearchitect their software operating system to obtain scalability or performance improvements, possibly resulting in an unstable product. Unlike software-based application-delivery devices, the Cisco ACE application switch is a hardware-based application-delivery device. It uses purpose-built multicore network processors to perform software tasks much faster and more efficiently than a general-purpose processor. The Cisco ACE application switch is available in both appliance and module form factors for Cisco Catalyst 6500 Series Switches or Cisco 7600 Series Router platforms.

• Virtualization: Traditional data centers consist of many physical server load balancers and other Layer 4-7 devices. These devices are either shared or dedicated to customers, operational groups, business units, or applications, depending on the organization's business structure and application or service requirements. These physical devices tend to develop a variety of deployment and operational inefficiencies, including:

– Underused physical resources

– Device sprawl due to certain applications requiring isolation for business criticality and security reasons

– Increased cooling requirements and power consumption in the data center due to device sprawl

– Increased acquisition costs and deployment time for applications or services that may require new physical devices

– Increased application deployment costs due to additional cabling and power requirements for the physical devices

– Increased operational overhead due to management and maintenance of several physical devices

• To solve these challenges, the Cisco ACE application switch virtualizes a physical device into multiple virtual devices. It is the only application-delivery product in the industry that provides true virtualization. Each Cisco ACE virtual device has all the capabilities of an actual physical device and the virtual devices are isolated from each other. With virtualization, each Cisco ACE virtual device has its own configuration file, management interface, resources, routing tables, VLAN interfaces, and access-control policies. Access-control privileges are assigned to users based on their administrative role. In addition, each virtual device is independent and isolated such that it appears as a unique physical device from the network and administrator's point of view.

• The Cisco ACE application switch allows you to limit and manage various resources such as bandwidth, connections per second, management connections per second, SSL connections, and access lists for each virtual device. You can allocate minimum and maximum amounts of each resource or all resources in terms of percentages for each virtual device. In addition, the Cisco ACE provides flexibility to allocate its resources to a virtual device in three different ways: limited, oversubscription, and free-for-all. To help ensure resources for an application, the Cisco ACE allows you to limit minimum and maximum amounts of all Cisco ACE resources or each resource for a virtual device. For example, you can limit the Cisco ACE resources to 20 percent for an application hosted on a virtual device by setting the virtual-device minimum and maximum resource limit to 20 percent. The Cisco ACE also supports oversubscription by setting the maximum resource limit to unlimited, allowing an application hosted on a virtual device to use the Cisco ACE resources that are allocated but are not consumed by other virtual devices. As an oversubscription example, you can partition a physical Cisco ACE device into four virtual devices, and allocate each virtual device a minimum of 25 percent of the resources and a maximum of an unlimited amount of the resources. In this example, the Cisco ACE allows an application hosted on each of the virtual devices to consume more than the allocated 25 percent of Cisco ACE resources if any of the other three virtual devices are not consuming their minimum allocated 25 percent. In the free-for-all default setup, the Cisco ACE permits all virtual devices to have full access to all the resources on a first-come, first-served basis.
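The three allocation modes described above, as an added example that is not Cisco ACE code: "limited" sets minimum equal to maximum, "oversubscription" leaves the maximum unlimited so a virtual device can use what other devices have not consumed, and "free-for-all" sets no limits at all. Resources are modelled as percentages of one physical device and the contexts are constructed; the `guarantees_at_risk` report is this example's own addition, not a device feature.

```python
"""Resource allocation between virtual devices (contexts) in the three
modes the page describes: limited (minimum equals maximum),
oversubscription (maximum unlimited) and free-for-all (no limits).
Added illustration, not Cisco ACE code; resource units are percentages
of one physical device, and the contexts below are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Context:
    name: str
    minimum: float = 0.0              # allocated share, percent
    maximum: Optional[float] = None   # None means unlimited
    used: float = 0.0


def limited(name: str, percent: float) -> Context:
    return Context(name, minimum=percent, maximum=percent)


def oversubscribed(name: str, minimum: float) -> Context:
    return Context(name, minimum=minimum, maximum=None)


def free_for_all(name: str) -> Context:
    return Context(name)


class ResourceAllocator:
    def __init__(self, contexts):
        if sum(c.minimum for c in contexts) > 100.0:
            raise ValueError("allocated minimums exceed the physical device")
        self.contexts = {c.name: c for c in contexts}

    def free(self) -> float:
        return 100.0 - sum(c.used for c in self.contexts.values())

    def request(self, name: str, amount: float) -> bool:
        """Grant `amount` percent to a context if its maximum allows it and
        the physical device still has that much unconsumed."""
        ctx = self.contexts[name]
        if ctx.maximum is not None and ctx.used + amount > ctx.maximum:
            return False          # hard cap: limited mode
        if amount > self.free():
            return False          # nothing left to borrow from other contexts
        ctx.used += amount
        return True

    def release(self, name: str, amount: float) -> None:
        ctx = self.contexts[name]
        ctx.used = max(0.0, ctx.used - amount)

    def guarantees_at_risk(self):
        """Contexts whose unused minimum is larger than what is still free:
        other contexts have borrowed it, the cost of oversubscription."""
        free = self.free()
        return sorted(c.name for c in self.contexts.values()
                      if c.minimum - c.used > free)
```

Running the page's own scenario (four contexts, each with a 25 percent minimum and an unlimited maximum) shows the trade-off: one context can grow past 25 percent while the others are idle, but a context that starts late may then find part of its minimum already consumed, which is what the `guarantees_at_risk` check surfaces.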

• Virtualization in Cisco ACE delivers many important business and technical benefits, including:

– Reduced data-center resource requirements: The Cisco ACE application switch allows the administrator to roll out applications more quickly by simply deploying virtual devices within the same physical Cisco ACE rather than deploying additional hardware. As a result, device sprawl is reduced, and additional cabling and rack-space requirements are eliminated. In addition, the Cisco ACE virtualization feature significantly reduces power and cooling consumption in the data center because fewer physical application switches are in the network. The total power consumption of the Cisco ACE application switch remains constant regardless of the number of virtual devices created on it.

– Complete isolation of applications, departments, and customers: With Cisco ACE, administrators can create virtual devices for each application or multiple applications and allocate required resources. Any configuration failure on the switch is limited to the scope of the virtual device in which it is created, thus maximizing overall application availability.

– Collapsed multitiered application architecture: Customers have typically deployed multitiered application architectures using separate load balancers and firewalls at each of the Web, application, and backend database tiers. Using the Cisco ACE virtualization, firewall, and scale capabilities, you can collapse the three distinct load-balancer and firewall tiers into a single physical device, reducing costs and network complexity.

• Exceptionally high performance: The Cisco ACE module uses a single interconnect to the Cisco Catalyst 6500 Series Switch fabric to support up to 16-Gbps throughput. It has five major hardware components:

– Parallel multicore network processors to handle data-plane traffic

– An application-specific field programmable gate array (FPGA) to distribute traffic across two network processors

– A dual-core processor to handle management (control-plane) traffic

– A dedicated cryptographic processor to handle SSL encryption and decryption

– Two optional daughter cards to support advanced application services such as Web application security and application acceleration

• The Cisco ACE application switch module data plane consists of four of the five main hardware components. Because it uses multicore network processors, the Cisco ACE module provides powerful performance for application-delivery services. Moreover, this hardware-based application-delivery module maintains good performance levels compared to application-delivery devices based on general-purpose processors when most commonly used features are selected. You do not have to trade off features to obtain a desired level of performance with the Cisco ACE module. The Cisco ACE hardware architecture delivers 16-Gbps throughput, 4,000,000 concurrent connections from client to server, 64,000 access-control-list (ACL) entries, 1,000,000 Network Address Translation (NAT) entries, and 4,000,000 Port Address Translation (PAT) entries. These performance numbers are difficult to achieve on software-based application-delivery devices.

• Scalability up to 64-Gbps throughput: The Cisco ACE application switch is the only application-delivery product in the industry that provides linear scalability up to 64-Gbps throughput. If you need more than the 16-Gbps throughput provided by a single Cisco ACE module, you can deploy up to four additional modules within the same Cisco Catalyst 6500 Series Switch chassis without adding cables or rack space. Miercom, an independent network test vendor, verified tests results that show that four Cisco ACE modules in a Cisco Catalyst 6500 Series Switch chassis can deliver close to the theoretical limit of 64 Gbps without reaching any chassis or backplane limitation. The Cisco ACE modular architecture reduces the operational and data-center power, space, and cooling costs compared to appliance-based solutions. It can also help you consolidate your server-based application-delivery devices, resulting in more effective use of your application server infrastructure.

• Investment protection: The Cisco ACE module is designed to support two daughter cards for additional capabilities. These daughter cards can help you run many more advanced application-delivery services such as application security and application acceleration. Support for these daughter cards helps ensure that you do not have to discard your initial investment to obtain additional capabilities. With server-based application-delivery appliances, you have to perform complete equipment upgrades in order to obtain next-generation hardware appliances for incremental performance improvement or for additional functions.

• Intelligent proxy architecture: By default, many application-delivery products perform full TCP and application proxy even for basic server load balancing. As a result, the performance of these products is significantly lower when basic features such as source IP persistence or dynamic load-balancing algorithms (such as the "least-connections" algorithm) are enabled. However, the Cisco ACE application switch is designed to intelligently perform full proxy only when needed in order to maximize performance and scalability. In particular, the Cisco ACE can automatically select one of the three following mechanisms to handle connections based on load-balancing policies:

– Layer 4 SLB: In many customer deployments today, many server load-balancing decisions still rely on basic information about the client and services that they request. Usually these load-balancing decisions are made at the IP and TCP layers (IP or MAC address, TCP, or User Datagram Protocol [UDP] port numbers) that do not require an SLB device to proxy TCP connections. Hence, the Cisco ACE does not proxy the TCP connections for SLB policies based on Layer 2-4 information -- in fact, proxying connections by default provides no added benefit. Server load balancers that do proxy merely add complexity and exhibit poor performance and scalability.

– Delayed binding for Layer 7 SLB: As applications and offered services become more complex, there is an increasing need to provide load-balancing decisions at layers above the transport layer (TCP layer) -- the point at which Layer 7 load balancing applies. Layer 7 load balancing requires proxying of TCP connections to inspect packet payloads and identify headers and fields to enable intelligent load balancing of user requests. The Cisco ACE application switch is the only product that can proxy, unproxy, or reproxy TCP connections as needed based on load-balancing policies and features that you configure. For example, some features such as HTTP URL-based load balancing or cookie-based session persistence require Cisco ACE to parse HTTP headers or other Layer 5-7 data and terminate TCP connections as any proxy would do. However, the Cisco ACE "unproxies" TCP connections after it analyzes the data required to make the appropriate load-balancing decision. This approach, also called "delayed binding", accelerates processing for subsequent data packets, hence improving performance for your system. At the same time, the Cisco ACE can "reproxy" connections whenever a feature requires it. For example, HTTP 1.1 connection persistence requires parsing additional client requests sent at a later time over the same TCP connection. The Cisco ACE can switch the connection from unproxy to reproxy mode to look for this additional information. The ability of Cisco ACE to switch individual connections between proxied and unproxied mode offers a significant performance advantage in real-world deployments.

– Full proxy for advanced SLB features and services: Some of the more advanced SLB features involve processing (parsing or modifying) the entire data stream and require a full-proxy approach. For example, application-acceleration features such as SSL Offload, TCP Reuse, FlashForward, and Delta Encoding require the Cisco ACE application switch to proxy client connections. The Cisco ACE application switch supports all these features with its hardware-based state-of-the-art full-proxy architecture. For each new connection, the switch can select whether or not full proxy is required, thus offering the best trade-off between highest performance and most-advanced processing.

• Role-based administration: In many customer environments, application-delivery devices are managed by multiple functional groups (network administrator, application administrator, system administrator, security administrator, etc.) within IT. With traditional application-delivery solutions, application deployments are often slow because of complex workflow coordination among them. In order to deploy a new application or to test or upgrade an existing application, the application group may have to work with the network administrator or whoever owns the device. Complex coordination is required to execute the desired configuration changes on the application-delivery device. To solve this challenge, the Cisco ACE provides customizable and granular role-based access control (RBAC) per virtual device. The Cisco ACE is the only application-delivery product in the industry that offers customizable RBAC capabilities. The Cisco ACE RBAC mechanism allows device administrators to assign roles to users based on their function and the resources that the users need to access. A role defines a set of permissions for accessing resources and user-created objects such as real servers, server farms, VIPs, and the actions (create, modify, delete, or monitor) that can be performed on them. The Cisco ACE provides eight predefined roles and also allows you to create custom roles to adapt to different organizational structures. Cisco ACE virtualization with RBAC allows the network administrator to create an isolated configuration domain for other functional groups within IT. By assigning roles (configuration privileges) within a single virtual device to functional groups in IT, network administrators can remove themselves from the workflow while eliminating misconfiguration risks to existing applications enabled in other virtual devices. 
This improved workflow creates a "self-service" model in which the application group can independently test, upgrade, and deploy applications faster than ever before.

• Hierarchical management domain: In addition to customizable RBAC, the Cisco ACE application switch provides a hierarchical management domain capability that allows administrators to group user-defined objects such as real servers, VIP addresses, and server farms into a domain and assign the domain to users who manage the device. The role assigned to you determines the operations that you can perform on the user-defined objects in a domain and the command set available to you. By default, the Cisco ACE creates a default domain when the virtual device is created; all objects are assigned to the default domain. The global device administrator or each virtual device administrator can create additional domains based on their specific needs. When the user or administrator creates new objects, the objects are automatically added to the appropriate user domain. With the hierarchical management domain capability, you can restrict access to a specific set of objects. For example, if multiple applications (apps1 and apps2) are hosted on a virtual device but managed by separate teams, the administrator can group all objects of application apps1 (VIP, real servers, and server farms) into a domain (domain1), and assign domain1 access privileges to the users who manage application apps1. The users of apps1 would be able to access and manage only the objects of apps1, and conversely for the users who manage apps2, simplifying configuration and helping ensure complete application isolation for improved application availability.
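The two checks described above (the role decides which actions are allowed on which object types, and the domain decides which objects a user can see at all) can be modelled in a few lines. The following is an added example written for this page, not Cisco ACE code: the role names, object names, users and domains are constructed, and the authorization rule is deliberately deny-by-default so that an unknown user, object or action never slips through.

```python
"""Added example (not Cisco ACE code): RBAC combined with management
domains, as described for an ACE virtual device.  Roles, users, objects
and domain names below are constructed for illustration."""
from dataclasses import dataclass

# Object types the page names as user-created objects, and the actions
# a role may grant on them.
OBJECT_TYPES = {"rserver", "serverfarm", "vip"}
ACTIONS = {"create", "modify", "delete", "monitor"}


@dataclass
class Role:
    name: str
    permissions: dict          # object type -> set of permitted actions


@dataclass
class ManagedObject:
    name: str
    kind: str                  # one of OBJECT_TYPES
    domain: str                # the management domain it belongs to


@dataclass
class User:
    name: str
    role: Role
    domains: frozenset         # domains the user has been assigned


# Two constructed roles: one may only watch, one may manage servers.
MONITOR_ROLE = Role("monitor-only", {t: {"monitor"} for t in OBJECT_TYPES})
SERVER_ADMIN_ROLE = Role("server-admin", {
    "rserver": ACTIONS, "serverfarm": ACTIONS, "vip": {"monitor"}})


class VirtualDevice:
    def __init__(self):
        self.domains = {"default"}   # every virtual device starts with "default"
        self.objects = {}
        self.users = {}

    def add_domain(self, name):
        self.domains.add(name)

    def add_object(self, obj):
        if obj.domain not in self.domains:
            raise ValueError(f"unknown domain {obj.domain}")
        self.objects[obj.name] = obj

    def add_user(self, user):
        self.users[user.name] = user

    def authorize(self, username, action, object_name):
        """True only if BOTH the domain check and the role check pass.
        Anything unknown (user, object, action) is denied."""
        user = self.users.get(username)
        obj = self.objects.get(object_name)
        if user is None or obj is None or action not in ACTIONS:
            return False
        if obj.domain not in user.domains:        # domain isolation
            return False
        return action in user.role.permissions.get(obj.kind, set())


def build_demo_device():
    """Constructed layout: apps1 lives in domain1, apps2 in domain2."""
    dev = VirtualDevice()
    dev.add_domain("domain1")
    dev.add_domain("domain2")
    dev.add_object(ManagedObject("rs-apps1-web01", "rserver", "domain1"))
    dev.add_object(ManagedObject("vip-apps1", "vip", "domain1"))
    dev.add_object(ManagedObject("rs-apps2-web01", "rserver", "domain2"))
    dev.add_user(User("alice", SERVER_ADMIN_ROLE, frozenset({"domain1"})))
    dev.add_user(User("bob", MONITOR_ROLE, frozenset({"domain1", "domain2"})))
    return dev
```

Running `build_demo_device().authorize("alice", "modify", "rs-apps2-web01")` returns `False` even though alice's role permits modifying real servers, because the object sits in a domain she was never assigned; that is the isolation property the paragraph describes.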

• Management: You can manage, monitor, and report on the Cisco ACE application switch using a variety of tools and formats depending on your sophistication and customization requirements. These capabilities include using a command-line interface (CLI), a GUI, the Simple Network Management Protocol (SNMP), and the XML interface.

– XML interface: The Cisco ACE application switch supports a powerful and flexible XML interface that facilitates remote configuration and monitoring from network management stations (NMSs). The Cisco ACE XML interface supports all Cisco ACE CLI commands by exchanging XML documents over HTTP or HTTPS. Moreover, you can configure the Cisco ACE switch to transfer show command output to an NMS in XML format for monitoring and analysis. The Cisco ACE provides an XML Document Type Definition (DTD) that you can use to format CLI queries or parse the XML results.

– SNMP: The Cisco ACE application switch contains a virtualized SNMP agent that supports Cisco ACE device monitoring and configuration. Each Cisco ACE virtual device can have its own SNMP settings, and also can send traps to up to 10 SNMP management stations. In addition to standard and enhanced application network services MIBs (for example, server load balancer MIBs) for monitoring, the Cisco ACE also supports configuration SNMP MIBs to create and manage the Cisco ACE virtual devices, including resource allocation for these devices. The Cisco ACE supports SNMP Version 1 (SNMPv1), SNMPv2c, and SNMPv3. The SNMPv3 agent provides secure access to devices by using strong authentication and encryption, and you should use SNMPv3 instead of SNMPv1 and SNMPv2c wherever possible. The Cisco ACE SNMP agent implements RFCs 3414 and 3415, including the user-based security model (USM) and RBAC. With Cisco ACE, you can centralize SNMPv3-based user management at the authentication, authorization, and accounting (AAA) server level. This centralized user-management capability allows the SNMP agent running on the Cisco ACE to take advantage of the user-authentication services of AAA servers to help ensure secure access to Cisco ACE management capabilities.

– CLI: The Cisco ACE application switch provides a comprehensive CLI to configure virtual devices and display various device statistics. The Cisco ACE CLI uses syntax identical to that in Cisco IOS® Software to make configuration and management easier for Cisco IOS Software-familiar customers.

– GUI: The Cisco ACE application switch provides both an embedded device manager and centralized Cisco Application Networking Manager (ANM) software to provision, monitor, report on, and troubleshoot the Cisco ACE device. The Cisco ANM software facilitates management of multiple Cisco ACE devices in the data center. With Cisco ANM, network managers can create, modify, and delete Cisco ACE virtual devices, as well as control the allocation of resources among the virtual devices. Within these virtual devices, Cisco ANM allows complete configuration of all application network services (for example, load balancing and SSL offload). The Cisco ANM software runs on any x86 platform with Red Hat Enterprise Linux v4 Enterprise Server (ES) 4 Update 2 or later or Advanced Server (AS) V4 Update 2 or later. The Cisco ANM provides many critical benefits, including:

Simplified device management: The Cisco ANM facilitates rapid creation and modification of prestaged or immediate deployments of common application network services by operators of all skill levels by including a varying set of provisioning forms for the basic, advanced, and expert user. Using the basic forms, even operators new to the system can get value from their Cisco ACE systems "right out of the box" by provisioning the most common services quickly and easily. Using the advanced forms, a more knowledgeable user can just as easily exercise the more powerful features of Cisco ACE without having to master the Cisco ACE system itself. Even more advanced users can make complex configurations of services through the ANM expert mode or template-based configuration management.

Template-based rapid provisioning: For expert users seeking to implement advanced functions in Cisco ACE without using the CLI or programmatic methods, Cisco ANM template-based provisioning speeds deployment of complex configurations and supports the standardization of those configurations for virtual devices and services. Because you can create templates through the expert mode interface or by "cloning" existing configurations, you can make templates out of configurations created by the basic or advanced forms-based provisioning. You can then expand these templates to support more intricate, specialized service implementations. After you create a configuration within a template, you can protect it from further editing by using version "tagging", which helps ensure that what you put in a template and used for service creation or auditing cannot be changed in the future without clear traceability. This feature also facilitates proper auditing control and, when necessary, facilitates rapid rollback of erroneous or problematic configurations. With this capability, organizations can work toward eliminating variation in their operations -- an important factor in increasing network and service reliability while also reducing overall operational expenses.

Configuration auditing: Cisco ANM auditing features allow comparison of the running configuration of a physical or virtual device against the last validated configuration or any other running configuration. The ability to easily compare configurations enables rapid evaluation of the differences between any two physical devices, virtual devices, or templates. This evaluation facilitates troubleshooting of configuration errors and addresses one of the most common causes of network problems.

Monitoring and reporting: The Cisco ANM provides up-to-date information about the health, performance, and use of the managed Cisco ACE virtual devices and services through real-time device and service monitoring. Operations staff can use this monitoring to pinpoint the source of a problem. The Cisco ANM also supports real-time and historical reporting. Using both the impromptu and scheduled, recurrent reporting capabilities of Cisco ANM, system and network managers can simplify operations, enable service usage reporting, and plan for resource demands.

Granular access control and auditing: For all Cisco ACE functions, the Cisco ANM uses an administratively defined RBAC security model that facilitates delegation of authority and responsibility for operations, administration, and monitoring of Cisco ACE, including activation and suspension of selected load-balanced servers. The Cisco ANM administrator can define the tasks and options that are available to individual users or user groups. The Cisco ANM user auditing helps ensure that all activities by all users are securely logged. This information is made available only to authorized users for audit purposes.

Operations-delegated server management: The Cisco ANM provides productivity gains for services and server managers by offering operations-specific displays. Cisco ANM helps managers monitor their virtual (VIP) and real servers, keep track of the current number of connections active on their servers, and also perform daily management tasks. Such tasks include taking one or more real servers in and out of service, with options for graceful shutdown or cleared connections, and without needing to have knowledge of network topology or other network operations.

• Troubleshooting tools: The Cisco ACE application switch supports various troubleshooting tools to simplify operational management.

– Packet-capture tools: The Cisco ACE application switch can capture packet information for network traffic that passes through it. The captured packet can be stored to a file in flash memory on the Cisco ACE application switch or to a remote server. The packet-capturing tool aids in troubleshooting connectivity problems with the Cisco ACE application switch or for monitoring suspicious activity. In addition to packet capture, the Cisco ACE application switch also supports tcpdump of network traffic that passes through it.

– Syslog messaging: The Cisco ACE supports logging of system messages and allows sending the logged messages to one or more output locations. System log messages provide logging information for monitoring and troubleshooting. The flexible logging function of ACE allows the administrator to customize many aspects of how the Cisco ACE handles system messages (for example, logging of connection setup and teardown messages, controlling the severity level of a message, limiting message generation, etc.). The Cisco ACE syslog message logging capability can be enabled or disabled at the virtual device level.

– Configuration rollback: The configuration rollback feature helps you immediately revert to the last known stable configuration without rebooting in case any unforeseen problems occur because of new configuration changes. The Cisco ACE application switch supports a maximum of 10 checkpoints of known stable configuration per virtual device.

• Separate control plane and data plane: Cisco ACE is the only application-delivery product in the industry that provides clear separation between in-band and out-of-band communication channels. In other words, any management traffic destined for the Cisco ACE module and allowed by the user-defined policy is sent to the dedicated control-plane processor. The control plane provides the management interface to the Cisco ACE module and supports many features, including generation of server health probes, the XML interface, device management through the CLI, SNMP MIBs, syslog messages, Address Resolution Protocol (ARP) resolution, routing protocols, and ACL compilation. The control plane neither initiates nor receives connections or packets directly from the Cisco Catalyst 6500 Series Switch. Management traffic always crosses the network processors because they provide more advanced protection, such as permitting or denying management traffic based on protocol or client source IP address, limiting the number of concurrent Telnet or Secure Shell (SSH) Protocol sessions, and limiting the number of management connections or the amount of traffic reaching the control plane. In addition, the control plane communicates with the rest of the hardware components over a separate out-of-band interconnect. Thus, health monitoring, high availability, and access to the management interface are not affected even when data traffic on the data plane is heavy.

• Pay as you grow: The Cisco ACE application switch meets the requirements of small to large enterprises and service providers. With its unique software license feature, you can scale from 1 to 2 Gbps on appliance form factor and from 4 to 16 Gbps within a Cisco ACE module as your business grows. For example, you can start with 4-Gbps throughput and procure additional upgrade licenses to reach 8- or 16-Gbps throughput without having to conduct a complete system upgrade. You can perform the software license upgrade without having to take your applications offline. In addition, Cisco ACE provides incremental licenses for other advanced features such as virtualization (50 to 250 virtual devices) and SSL.

• Tight integration with Layer 2 and Layer 3 devices: Although the standalone Cisco ACE application switch appliance is an excellent fit in small environments, medium to large environments can greatly benefit from the Cisco ACE application switch module that transparently integrates with the switching and routing data-center infrastructure. The tight integration of the Cisco ACE application switch module with the Cisco Catalyst 6500 Series Switch or Cisco 7600 Series provides many benefits, including:

– Offers reduced cabling and space requirements: The Cisco ACE application switch module has a 16-Gbps full-duplex connection to the Cisco Catalyst 6500 Series backplane, and occupies only one slot in the switch.

– Offers reduced power and cooling requirements

– Uses Layer 2 and Layer 3 features of Cisco IOS Software on the Cisco Catalyst 6500 Series Supervisor Engine to simplify configuration tasks

– Provides higher port density for increased cost-effectiveness

– Helps enable up to four Cisco ACE application switch modules within the same Cisco Catalyst 6500 Series Switch for powerful performance and scalability

– Offers enhanced security: Integration with the Cisco Catalyst 6500 Series Switch adds an extra layer of security features such as user-based or per-flow rate limiting and private VLANs. The Cisco ACE application switch module can act as a private VLAN "promiscuous port", as shown in Figure 5, allowing it to communicate with any server in any of the secondary VLANs while taking advantage of the Cisco Catalyst 6500 hardware to block all communications between devices on isolated ports or belonging to a different community.

– Offers simplified management: You can access the Cisco ACE application switch module from the Cisco Catalyst 6500 Series Switch Supervisor Engine. You can also send all or critical syslog messages to the supervisor engine, and you can upgrade the Cisco ACE application switch module independently of the supervisor-engine operating system.

– Offers extended virtualization and network segmentation of Layer 2 and Layer 3: You can map the Cisco ACE application switch virtual device not only to VLANs but also to Virtual Route Forwarding (VRF) instances, thus associating a separate network instance on the supervisor engine, as shown in Figure 6.

Figure 6. Cisco ACE Application Switch Acts as a Private VLAN "Promiscuous Port"

Figure 7. Cisco ACE Application Switch Hardware Platforms

Advanced Application Acceleration

Cisco ACE delivers powerful and comprehensive application-acceleration capabilities. It addresses application performance challenges associated with limited bandwidth, latency, data-center consolidation, and globally distributed users. Cisco ACE accelerates application performance using a combination of:

• Server offload features to return server-processing cycles for core business transactions

• Bandwidth-reduction features to optimize bandwidth

• Latency-reduction features to minimize client-server round trips caused by chatty protocols such as HTTP and Common Internet File System (CIFS)

With this comprehensive Cisco ACE application switch solution, applications deployed across the WAN can now have response times previously experienced only in LAN environments. Cisco ACE also provides the ability to graphically view application performance metrics, including end-user response times, without requiring special client software, helping users quickly identify and troubleshoot application bottlenecks.

• Server offload: Many organizations are surprised at how much server power is needed to support Web capabilities and applications. Cisco ACE incorporates a wide variety of server offload functions in ways that are pertinent and appropriate for enterprise IT deployments. The following features can combine to reduce server cycles by up to 90 percent:

– TCP setup overhead offload: Servers spend their valuable CPU resources to set up and tear down TCP connections for every client request, but these valuable resources could be used to process the actual application running on the server. The Cisco ACE application switch TCP Server Reuse feature offloads CPU-intensive TCP setup and tear-down functions from servers. It reduces the number of simultaneous open connections on a server by allowing connections to persist and be reused by multiple client connections. Miercom, an independent network test vendor, verified test results that showed that a test server established only 400 TCP connections for 80,000 client connections using the Cisco ACE TCP Server Reuse feature (Figure 8).

Figure 8. Cisco ACE TCP Server Reuse Feature

• SSL offload: The SSL protocol has become the industry standard for providing security, privacy, and confidentiality for enterprise business transactions. SSL processing is CPU-intensive and is gated by the server platform. To offload and accelerate SSL transactions, the Cisco ACE application switch handles all of the SSL functions, including server authentication, private-key and public-key generation, certificate management, data packet encryption and decryption, and server response condensation through delta optimization and FlashForward capabilities. With all these functions, the Cisco ACE can dramatically reduce the number of SSL-based transactions and increase SSL capability as much as fourfold. In addition, the Cisco ACE provides the flexibility for customers to create certificates and key files on each virtual Cisco ACE device. The Cisco ACE creates a secure storage area in flash memory for storing the certificates and keys associated with each virtual device. You can configure the Cisco ACE application switch to act as a client or server during an SSL session. The Cisco ACE supports all three types of SSL applications (SSL Termination, SSL Initiation, and End-to-End SSL), as shown in Figure 9:

Figure 9. SSL Connectivity Supported in Cisco ACE

– Lazy-request evaluation: Many Web applications are regularly brought down to globally update Web content and, in effect, end users' access to applications is blocked for some period of time. For example, a user request can initiate a recompile, and during that time any other requests that come in may be queued, possibly causing all users to wait. With lazy-request evaluation, you can configure the Cisco ACE application switch to always serve a cached copy upon request and, when the back-end processing is complete, to automatically refresh the copy from the origin server. With this feature, the device always serves content out of the dynamic cache and, in effect, separates the client request from the origin server response.

– Caching: The Cisco ACE application switch supports static caching, which offloads client requests for frequently requested static objects, such as images and applets. This fully configurable feature adds to the overall application performance and transaction throughput.

– Adaptive dynamic caching: The Cisco ACE application switch can even cache dynamic content. It offloads CPU resources from application and database servers to fulfill dynamic content requests. With configurable dynamic caching, the Cisco ACE can cache multiple responses for a given URL based on specified cache parameters, such as URL query strings, HTTP headers, and cookie values. In effect, it allows dynamic content to be treated as static content for accelerated performance. With a simple script, even personalized data can be dynamically cached, leaving more resources on servers for core transactions.

– Load-based dynamic caching: Sophisticated content-expiration policies help ensure the freshness of dynamic content. The Cisco ACE application switch monitors server load in real time and makes intelligent closed-loop decisions on content expiration time-to-live (TTL) events to optimize site performance. This feature is configurable according to load, timing, and URLs.
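The adaptive and load-based caching bullets above describe two decisions: what goes into the cache key (URL plus the query parameters, headers and cookie values that actually change the response) and how long an entry lives (a TTL steered by measured origin load). The block below is an added example written for this page, not ACE's cache implementation; the policy values, the linear load-to-TTL rule and the sample requests are constructed assumptions.

```python
"""Added example (not Cisco ACE code): a dynamic-content cache keyed on
configurable query parameters, headers and cookies, with a TTL that is
adjusted by origin-server load.  Policy values are constructed."""
import hashlib
import time
from http.cookies import SimpleCookie


class CachePolicy:
    def __init__(self, vary_query, vary_headers, vary_cookies, base_ttl, max_ttl):
        self.vary_query = set(vary_query)
        self.vary_headers = {h.lower() for h in vary_headers}
        self.vary_cookies = set(vary_cookies)
        self.base_ttl = base_ttl          # TTL when the origin is idle
        self.max_ttl = max_ttl            # TTL when the origin is saturated

    def cache_key(self, path, query, headers, cookie_header):
        """Only the configured inputs take part in the key, so one cached
        response is shared by every client for whom those inputs match.
        Every input that changes the response MUST be listed here, or two
        users will be served each other's personalised content."""
        q = sorted((k, v) for k, v in query.items() if k in self.vary_query)
        h = sorted((k.lower(), v) for k, v in headers.items()
                   if k.lower() in self.vary_headers)
        jar = SimpleCookie(cookie_header or "")
        c = sorted((k, m.value) for k, m in jar.items() if k in self.vary_cookies)
        material = repr((path, q, h, c)).encode()
        return hashlib.sha256(material).hexdigest()

    def ttl_for_load(self, load):
        """Assumed rule: load in [0, 1] interpolates linearly between
        base_ttl (idle, refresh often) and max_ttl (saturated, shed work)."""
        load = min(max(load, 0.0), 1.0)
        return int(self.base_ttl + (self.max_ttl - self.base_ttl) * load)


class DynamicCache:
    def __init__(self, policy, clock=time.monotonic):
        self.policy = policy
        self.clock = clock                # injectable for testing
        self.store = {}                   # key -> (expires_at, body)

    def lookup(self, key):
        entry = self.store.get(key)
        if entry is None:
            return None
        expires_at, body = entry
        if self.clock() >= expires_at:    # expired: evict and miss
            del self.store[key]
            return None
        return body

    def insert(self, key, body, load):
        ttl = self.policy.ttl_for_load(load)
        self.store[key] = (self.clock() + ttl, body)
```

The comment in `cache_key` is the point a practitioner checks first: a dynamic cache that keys on too little turns into a cross-user information leak, so the vary lists should be derived from what the application actually reads, not guessed.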

• Bandwidth reduction: Often the challenge of application delivery is not just about overcoming network latency. Organizations also want to minimize their use of bandwidth for cost, availability, or performance reasons. The Cisco ACE application switch can achieve a 70- to 90-percent reduction in bandwidth usage, while delivering high performance as seen by users, by applying the following techniques:

– Delta encoding: Webpage caching enables subsequent requests for static pages served from cache instead of the server. However, HTML pages today largely contain dynamic resources and Web content to allow users to have interactive experiences. These dynamic resources and Web content cannot be cached and must be retrieved from the servers, in turn increasing bandwidth usage, server load, and response time. To solve this challenge, Cisco has introduced a patented technology called Delta Encoding to encode and deliver to the client just the differences between the cached original page and the updated new page. This innovative approach helps enable client systems to dynamically reconstruct new pages from cached pages by applying small deltas. This process is both automatic and transparent and requires no changes to browser clients, application server, or content.

– Compression: The Cisco ACE application switch supports not only standard compression such as GZIP and DEFLATE but also many advanced compression techniques such as Delta Encoding optimization and adaptive dynamic caching (discussed above) to compress content from the servers. Devices that incorporate a simple byte-reduction technique reduce the page size by two to five times. In contrast, Cisco ACE Delta Encoding can often reduce page size by 10 to 50 times, depending on how much the page actually changes. In addition, Cisco ACE uses byte compression to further reduce the size of an already-shrunken delta-optimized page. Unlike existing GZIP and DEFLATE implementations in traditional application-delivery devices, the Cisco optimized GZIP compression is fully compatible with all browser types, including Mozilla Firefox.
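To make the delta-encoding and compression bullets concrete, here is an added example that is not Cisco's patented Delta Encoding: a simple line-based delta format over a cached page, a client-side reconstruction step, and a size comparison that also gzips the delta, as the text says ACE does to the already-shrunken delta-optimized page. The sample "portal" page is constructed; the actual ratios depend on how much of a real page changes.

```python
"""Added example (not Cisco's Delta Encoding): a line-based delta between
a cached page and its updated version, reconstruction on the client, and
the on-the-wire size of each delivery strategy.  Sample page constructed."""
import difflib
import gzip
import json


def encode_delta(old: str, new: str) -> str:
    """Server side: a JSON list of opcodes relative to the cached copy.
    '=' copies a line range from the cache, '+' carries literal text."""
    a = old.splitlines(keepends=True)
    b = new.splitlines(keepends=True)
    ops = []
    matcher = difflib.SequenceMatcher(None, a, b, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            ops.append(["=", i1, i2])
        else:                                   # replace, insert or delete
            ops.append(["+", "".join(b[j1:j2])])  # empty string for delete
    return json.dumps(ops, separators=(",", ":"))


def apply_delta(old: str, delta: str) -> str:
    """Client side: rebuild the new page from the cached copy and the delta."""
    a = old.splitlines(keepends=True)
    out = []
    for op in json.loads(delta):
        if op[0] == "=":
            out.append("".join(a[op[1]:op[2]]))
        else:
            out.append(op[1])
    return "".join(out)


def transfer_sizes(old: str, new: str) -> dict:
    """Bytes on the wire for: full page, gzipped page, delta, gzipped delta."""
    delta = encode_delta(old, new)
    return {
        "full": len(new.encode()),
        "full_gzip": len(gzip.compress(new.encode(), 9)),
        "delta": len(delta.encode()),
        "delta_gzip": len(gzip.compress(delta.encode(), 9)),
    }


def sample_pages():
    """Constructed: a 200-row page where only the balance line changes."""
    rows = "".join(f"<tr><td>item {i}</td><td>{i * 7}</td></tr>\n" for i in range(200))
    old = ("<html><body><h1>Portal</h1>\n<p>Balance: 100</p>\n<table>\n"
           + rows + "</table></body></html>\n")
    new = old.replace("Balance: 100", "Balance: 250")
    return old, new
```

Calling `transfer_sizes(*sample_pages())` shows the delta at a small fraction of the full page; the interesting operational check is that `apply_delta` is exact, since a delta scheme that drifts from the origin by even one byte is a correctness bug, not a performance feature.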

– Dynamic browser caching: Many enterprise applications for customer relationship management (CRM) and for portals often mark some objects, such as images, JavaScript files, ActiveX control files, or binary files, as noncacheable. This practice can result in slow download performance, especially for remote users with limited bandwidth. Cisco ACE Just-in-Time Object Acceleration technology on the Cisco ACE application switch automatically tracks the freshness of each of these objects in real time. If a requested object has not changed, the client uses its cached version. The Cisco ACE delivers the object only when it has changed in that specific context.

– Smart image optimization: The Cisco ACE application switch compresses image files intelligently to optimize image quality, resulting in faster image download times, faster page renders, and more efficient bandwidth usage. Other schemes compress images uniformly, a policy that can severely degrade the quality of some images while missing opportunities to compress other images further. Some images can be highly compressed, but others need to maintain their detail. For example, a JPG photo for an accident claim can be kept at the highest resolution, whereas a scanned insurance policy document can be highly compressed without compromising readability.

• Latency reduction: Network and application protocols such as HTTP, TCP, and CIFS are chatty protocols that introduce a considerable number of round trips between client and server. The Cisco ACE application switch provides a wide variety of technologies to reduce the number of round trips between client and server. You can apply the following latency-reduction features to a broad range of IP and Web-based applications, including Oracle, SAP, Microsoft SharePoint, and Microsoft Exchange.

– FlashForward: Most Webpages contain embedded objects such as images, style sheets, and JavaScript files. These objects are cached in the client's browser. However, the browser needs to validate the freshness of these objects, and each validation involves a separate conditional HTTP request from the client to the origin server. Webpages that embed many objects must wait to be rendered until the validations (client-to-server round trips) are completed. These unnecessary client-to-server round trips increase the response time to render a Webpage. In order to eliminate the unnecessary browser cache validation, Cisco introduced a new and patented technology called FlashForward. This technology allows Cisco ACE, which sits next to the servers, to take the responsibility of validating object freshness. The Cisco ACE FlashForward feature caches all embedded objects, transforms them with additional information, and then rewrites object references in the pages to the transformed objects. On subsequent visits, the client browser does not need to validate the objects. Cisco ACE performs all the object validations on behalf of the browser and sends only modified objects, if any. This feature can be used for any Web application.
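The generic form of the technique described above is content fingerprinting: the accelerator rewrites each embedded object reference to a URL that contains a hash of the object's current content and marks that URL as immutable, so the browser never sends a conditional request for it; when the object changes, the page references a new URL and the browser fetches it once. The following is an added example written for this page, not Cisco's FlashForward implementation; the object store, page, URL layout and hash length are constructed assumptions.

```python
"""Added example (not the ACE FlashForward feature): content-hash
versioning of embedded objects so the browser needs no freshness checks.
Object store, sample page and URL scheme are constructed."""
import hashlib
import re

# Only references under /static/ are rewritten in this example.
ASSET_RE = re.compile(r'(src|href)="(/static/[^"]+)"')
# Versioned form: /static/<name>.<16 hex chars>.<ext>
VERSIONED_RE = re.compile(r"^(/static/.+)\.([0-9a-f]{16})\.([A-Za-z0-9]+)$")


class ObjectStore:
    def __init__(self, objects):
        self.objects = dict(objects)          # path -> bytes (constructed origin copy)

    def fingerprint(self, path):
        """Short content hash; changes whenever the object's bytes change."""
        return hashlib.sha256(self.objects[path]).hexdigest()[:16]


def rewrite_page(html, store):
    """Rewrite /static/x.js -> /static/x.<hash>.js for objects we hold;
    references we do not know about are left exactly as they were."""
    def sub(m):
        attr, path = m.group(1), m.group(2)
        if path not in store.objects:
            return m.group(0)
        stem, dot, ext = path.rpartition(".")
        if not dot:                           # no extension: leave untouched
            return m.group(0)
        return f'{attr}="{stem}.{store.fingerprint(path)}.{ext}"'
    return ASSET_RE.sub(sub, html)


def serve_object(request_path, store):
    """Return (status, headers, body) for a versioned URL.  The hash in the
    URL must match the object's current content: a stale or forged hash is
    refused rather than cached under an immutable header for a year."""
    m = VERSIONED_RE.match(request_path)
    if not m:
        return 404, {}, b""
    path = f"{m.group(1)}.{m.group(3)}"
    if path not in store.objects or store.fingerprint(path) != m.group(2):
        return 404, {}, b""
    headers = {"Cache-Control": "public, max-age=31536000, immutable"}
    return 200, headers, store.objects[path]
```

The refusal in `serve_object` is the defensive detail: an `immutable` response is, by design, never revalidated by the browser, so the device must only ever attach that header to a URL whose content it has verified is the one the hash names.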

– SmartRedirect: HTML meta tags can be used to redirect a client request after a certain interval. However, it is generally considered to be a poor method of redirection because such redirects force the browser to explicitly check the freshness of each object embedded in the redirected page. The Cisco ACE SmartRedirect feature speeds Webpage redirects by converting HTML meta tag-based redirects into more efficient HTTP header-based redirects, which do not trigger browser cache freshness validation requests. The result is significantly faster page response time that does not sacrifice the flexibility and productivity of meta tag-based redirection.
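As an added example of the conversion just described (not the ACE SmartRedirect code itself), the response filter below finds a meta refresh tag in an HTML response and replaces the whole response with an HTTP 302 carrying a Location header. The allowed-host check, the restriction to zero-delay refreshes and the sample responses are assumptions made for this example: a device that rewrites redirects should not turn a target it found in page content into a header-level redirect to an arbitrary host.

```python
"""Added example (not Cisco ACE code): convert an HTML meta-refresh page
into an HTTP 302 so the browser never renders and revalidates the
intermediate page.  Host policy and sample responses are constructed."""
import re
from urllib.parse import urljoin, urlsplit

META_TAG_RE = re.compile(r"<meta\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")
CONTENT_RE = re.compile(r"^\s*(\d+)\s*;\s*url\s*=\s*(.+?)\s*$", re.IGNORECASE)


def extract_meta_refresh(html):
    """Return (delay_seconds, target) from the first refresh meta tag, or
    None.  Attribute order inside the tag does not matter."""
    for tag in META_TAG_RE.finditer(html):
        attrs = {k.lower(): (dq or sq) for k, dq, sq in ATTR_RE.findall(tag.group(1))}
        if attrs.get("http-equiv", "").lower() != "refresh":
            continue
        m = CONTENT_RE.match(attrs.get("content", ""))
        if m:
            return int(m.group(1)), m.group(2)
    return None


def smart_redirect(status, headers, body, request_url, allowed_hosts):
    """Return a possibly rewritten (status, headers, body).
    Only a 200 text/html response with a zero-delay refresh whose target
    resolves to an allowed host is converted; everything else passes
    through unchanged, so the filter cannot manufacture an open redirect
    out of attacker-influenced page content."""
    ctype = headers.get("Content-Type", "")
    if status != 200 or not ctype.startswith("text/html"):
        return status, headers, body
    found = extract_meta_refresh(body)
    if found is None:
        return status, headers, body
    delay, target = found
    if delay != 0:                        # assumed: timed refreshes are left alone
        return status, headers, body
    absolute = urljoin(request_url, target)
    if urlsplit(absolute).hostname not in allowed_hosts:
        return status, headers, body
    new_headers = {"Location": absolute, "Content-Length": "0",
                   "Cache-Control": "no-store"}
    return 302, new_headers, ""
```

`Cache-Control: no-store` on the synthesized 302 is deliberate: the original meta-refresh page may have been generated per request, and a cached header-level redirect would outlive it.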

– FastRedirect: HTTP responses with 301/302 status codes redirect the browser to another location, resulting in two round trips to render a requested Webpage and causing delayed response to end users. The Cisco ACE FastRedirect feature speeds HTTP header-based 301/302 redirects by reducing the round trips required from two to one. It processes the 301/302 HTTP status-code response and fetches the redirected resource over the LAN in the data center, resulting in a faster response to the end user.

– FlashConnect: The Cisco ACE FlashConnect feature improves browser performance by allowing responses to be processed in parallel rather than in serial. By default, Microsoft's Internet Explorer Web browser fetches objects over only two TCP connections established for each domain name it sees in an HTML container page. This limit means that requests are often queued unnecessarily, and first-visit performance suffers. FlashConnect allows you to increase the number of TCP connections used per domain to significantly accelerate data downloads.

Secured Applications

The Cisco ACE application switch provides many security features to protect itself and the data center from a wide variety of network-based and application attacks. The Cisco ACE application switch acts as the last line of defense in the data center and provides network security and application security.

• Network security: Many organizations continue to attribute a significant percentage of their corporate "cyber losses" to inside attacks. Well over a third (39 percent) of the corporate respondents to the 2006 Computer Crime and Security Survey, for example, attributed 20 percent or more of these losses in 2005 to internal attacks. This annual survey is conducted by the CSI with the participation of the San Francisco FBI Computer Intrusion Squad. Of the 616 respondents to the 2006 CSI report, 313 were able or willing to estimate their losses associated with Internet crime in 2005. To protect against internal threats, a growing best practice in recent years has been to deploy firewalls not only at the traditional network perimeter where the private corporate network meets the public Internet but also in the data center, as well as at the WAN edge of branch-office networks.

Placing firewalls in the data center also helps organizations comply with the latest corporate and industry governance mandates. Sarbanes-Oxley, Gramm-Leach-Bliley (GLB), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry (PCI) Data Security Standard, for example, contain requirements about information security auditing and tracking.

• Using highly scalable packet filtering, Network Address Translation, protocol inspections, and Deep Packet Inspection, the Cisco ACE application switch can help protect your data-center network from interior and exterior attacks. In its role as the last line of security defense, the Cisco ACE application switch can be deployed between corporate LAN switch ports and Web, application, and database server farms in the data center.

– Packet filtering: The Cisco ACE application switch inspects all traffic that passes through it, and drops unwanted or unknown traffic based on packet-filtering policies defined using ACLs. An ACL consists of a series of statements called ACL entries that collectively define the network security rules or policies. Each entry permits or denies network traffic (inbound and outbound) to the parts of the data-center network specified in the entry based on criteria such as source address, destination address, protocol, protocol-specific parameters, and so on. The Cisco ACE application switch denies all traffic on network interfaces by default. You must explicitly configure ACLs for traffic that needs to be permitted. The Cisco ACE supports both extended (control network access for IP traffic) and EtherType (control network access for non-IP traffic) ACLs. The Cisco ACE application switch provides highly scalable ACL entries (up to 64,000).

– Network Address Translation (NAT): When deployed between the client and the server, the Cisco ACE application switch can either preserve the client IP source address or translate that source IP address to a routable address in the server network before passing the client's request to the server. The Cisco ACE application switch supports Dynamic NAT, Dynamic PAT, Static NAT, and Static Port Redirection. The Cisco ACE application switch provides up to 4 million NAT and 1 million PAT translations.

– Network-based heavy volume attacks: The Cisco ACE application switch protects server farms from denial-of-service (DoS) attacks. DoS attacks are launched by a single person or a group of people to maliciously disrupt service to a single system or an entire network. An attacker uses this type of attack to overburden and overuse system or network resources. With a DoS attack, an attacker's goal is to prevent the system or network users from using its services. The Cisco ACE application switch blocks common types of network-related DoS attacks, including:

Land attacks: In land attacks, the attacker sends the target host (victim) a TCP SYN packet that contains the same IP address as the source and destination addresses. The purpose of this attack is to make the target host send reply packets back to itself. To protect against this type of attack, the Cisco ACE TCP/IP normalization capability verifies that the source and destination IP addresses of a connection are valid and drops the connection if the addresses are not.

Teardrop attacks: While a packet travels from the source machine to the destination machine, it may be broken into smaller fragments through the process of fragmentation. A teardrop attack sends a stream of IP fragments whose offset and length fields overlap, so that the fragments cannot be reassembled consistently. A destination host that tries to reassemble these malformed fragments may crash or reboot. The Cisco ACE blocks these attacks using IP fragmentation security checks.

– IP normalization: IP normalization is a Layer 3 security feature that consists of a series of checks on IP packets that the Cisco ACE performs by default at line rate. These security checks include fragmentation security checks, IP fragment reassembly, header length, automatic antispoofing (source IP address = destination IP address), unicast Reverse Path Forwarding (uRPF) checks, IP options verification, illicit IP addresses, ARP inspection in transparent mode, and unknown Internet Control Message Protocol (ICMP) types. If a packet fails one of these checks, the Cisco ACE takes the appropriate action, such as discarding the packet, depending on the IP parameters that are configured.

– TCP normalization: TCP normalization is a Layer 4 security feature that consists of a series of checks that the Cisco ACE application switch performs by default at various stages of a flow, from initial connection setup to the closing of the connection, without performance degradation. Cisco ACE provides the flexibility to control many segment checks by configuring one or more advanced TCP connection settings. At line rate, Cisco ACE uses these TCP connection settings to decide which checks to perform and whether to discard a TCP segment based on the results of the checks. It also discards segments that appear abnormal or malformed. Cisco ACE uses the TCP normalization capability to block insertion and evasion network attacks, including session hijacking, Xmas scan, Bonk, Jolt, Bloop, Targa, Boink, Fraggle, and null scan.
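The following is an added example, not Cisco ACE code: a small Layer 3/4 normalizer in Python that implements the kind of per-packet checks the preceding items describe (land attack, overlapping fragments, illicit source addresses, and Xmas/null TCP flag combinations). The packet fields, verdict strings and sample packets are this example's own constructions; a real normalizer parses the raw headers and also ages out fragment state.

```python
"""Toy Layer 3/4 normalizer. Added example, not Cisco ACE code: it shows the
kind of per-packet checks described above (land, overlapping fragments,
illicit source addresses, Xmas/null TCP flag combinations) over packets
constructed inline. Field names and verdict strings are this example's own."""
import ipaddress
from dataclasses import dataclass

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
MAX_IP_DATAGRAM = 65535          # largest total length an IPv4 datagram may have


@dataclass
class Packet:
    """Only the header fields the checks need; a real implementation parses bytes."""
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    ip_id: int = 0
    frag_offset: int = 0         # in 8-byte units, as carried in the IP header
    more_frags: bool = False
    payload_len: int = 0         # bytes after the IP header in this fragment
    tcp_flags: int = 0


class Normalizer:
    def __init__(self):
        # fragment byte ranges seen so far, per datagram (src, dst, proto, id)
        self._frags = {}

    def check(self, pkt):
        """Return None if the packet passes every check, else the name of the failed check."""
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        if src == dst:                                   # land attack
            return "land"
        if src.is_loopback or src.is_multicast or src == ipaddress.ip_address("255.255.255.255"):
            return "illicit-source"                      # addresses that never appear as a source
        if pkt.frag_offset or pkt.more_frags:
            reason = self._check_fragment(pkt)
            if reason:
                return reason
            if pkt.frag_offset:                          # non-first fragment: no L4 header to check
                return None
        if pkt.proto == "tcp":
            return self._check_tcp_flags(pkt.tcp_flags)
        return None

    def _check_fragment(self, pkt):
        start = pkt.frag_offset * 8
        end = start + pkt.payload_len
        if end > MAX_IP_DATAGRAM:                        # ping-of-death style oversize datagram
            return "oversize-fragment"
        if pkt.more_frags and pkt.payload_len % 8:       # all but the last fragment are 8-byte multiples
            return "bad-fragment-length"
        key = (pkt.src, pkt.dst, pkt.proto, pkt.ip_id)
        seen = self._frags.setdefault(key, [])
        for s, e in seen:
            if start < e and s < end:                    # teardrop: fragment overlaps one already seen
                self._frags.pop(key, None)               # discard the whole datagram's state
                return "overlapping-fragment"
        seen.append((start, end))
        # A real reassembler also evicts state on completion and on a timeout; omitted here.
        return None

    @staticmethod
    def _check_tcp_flags(flags):
        if flags == 0:
            return "null-scan"
        xmas = TCP_FIN | TCP_PSH | TCP_URG
        if flags & xmas == xmas and not flags & (TCP_SYN | TCP_ACK):
            return "xmas-scan"
        if flags & TCP_SYN and flags & (TCP_FIN | TCP_RST):
            return "syn-with-fin-or-rst"
        return None


def demo():
    """Run the checks over constructed packets; returns {label: verdict}."""
    n = Normalizer()
    samples = [
        ("land", Packet("10.1.1.10", "10.1.1.10", "tcp", tcp_flags=TCP_SYN)),
        ("frag-first", Packet("192.0.2.5", "10.1.1.10", "udp", ip_id=7, frag_offset=0, more_frags=True, payload_len=24)),
        ("frag-overlap", Packet("192.0.2.5", "10.1.1.10", "udp", ip_id=7, frag_offset=1, payload_len=24)),
        ("xmas", Packet("192.0.2.5", "10.1.1.10", "tcp", tcp_flags=TCP_FIN | TCP_PSH | TCP_URG)),
        ("null", Packet("192.0.2.5", "10.1.1.10", "tcp", tcp_flags=0)),
        ("normal-syn", Packet("192.0.2.5", "10.1.1.10", "tcp", tcp_flags=TCP_SYN)),
    ]
    return {label: n.check(p) for label, p in samples}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:13s} -> {verdict or 'pass'}")
```

The second fragment in the sample claims offset 1 (byte 8) with 24 bytes of payload, so it overlaps bytes 8 to 24 of the first fragment; that overlap, not the size of either fragment, is what a teardrop check keys on, and the state for that datagram is discarded rather than reassembled.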

– Protocol inspection: The Cisco ACE application switch performs stateful application protocol inspections to enforce secure use of applications and services in the data center. The Application Protocol Inspection feature helps to verify protocol behavior and identify unwanted or malicious traffic passing through the Cisco ACE application switch. Based on user-defined traffic policies, the Cisco ACE application switch can accept or reject specified packets.

To improve performance, some protocols open secondary TCP or UDP ports using the initial session on a well-known port. The Cisco ACE Application Protocol Inspection function monitors these sessions, identifies the dynamic port assignments, and permits data exchange on these ports for the duration of the specific session.

Several applications embed IP address information in the data payload of the packet. The need to translate IP addresses embedded in the payload of protocols is especially important where NAT (explicitly configured by the user) is deployed and for server load balancing (an implicit NAT). Using the Application Protocol Inspection function, the Cisco ACE application switch translates embedded IP addresses and updates any checksum or other fields that are affected by the translation.

• The Cisco ACE application switch currently supports inspection for following protocols:

– Domain Name System (DNS) inspection: The Cisco ACE application switch helps block DNS exploits. The Cisco ACE DNS inspection function matches DNS requests with their responses, enforces maximum label and domain name lengths, tears down UDP connections after a reply is received, and translates the DNS A-record based on the NAT configuration.

– FTP inspection: The Cisco ACE application switch blocks FTP abuse. The FTP inspection function matches FTP requests and responses, drops truncated commands, enforces RFC compliance, checks the size of RETR/STOR commands, verifies the range of dynamically negotiated ports, blocks command and reply spoofing, and allows users to restrict specific commands.

– ICMP Inspection: Without stateful inspection, ICMP can be used to attack data-center networks. The Cisco ACE application switch performs ICMP inspection by default without performance degradation. The ICMP inspection function helps ensure that there is only one response for each request and that the sequence number of the request is correct. It prevents injection of unsolicited ICMP errors and supports the countermeasures specified in the Internet-Draft draft-gont-tcpm-icmp-attacks (later published as RFC 5927). The Cisco ACE ICMP inspection feature blocks attacks such as ping of death and ICMP flooding (Smurf attack).

– Real Time Streaming Protocol (RTSP) Inspection: RTSP is used by RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV® applications. RTSP applications use the well-known port 554 with TCP (rarely UDP) as a control channel. This TCP control channel is used to negotiate data channels that are used to transmit audio and video traffic, depending on which transport mode is configured on the client. The Cisco ACE RTSP Protocol Inspection function monitors sessions, identifies dynamic port assignments of the data channels, and permits data exchange on the appropriate ports for the duration of the specific session.

• Web application security: Web application security represents a new breed of information security technology designed to protect Web applications from attacks. HTTP is extensively used to transport Web data and services. It accounts for about 75 percent of network bandwidth usage today and natively uses application port 80. In most firewalls, port 80 is left open at all times, thus admitting all traffic destined for port 80. Hackers, worms, and viruses can use this pinhole to attack a Web application and possibly gain access to sensitive data. Network firewalls and intrusion detection systems that examine only addresses and ports cannot prevent these attacks. To protect against the first level of Web application attacks, the Cisco ACE application switch performs stateful Deep Packet Inspection of the HTTP protocol to determine exactly what HTTP application traffic is attempting to enter the network. Deep Packet Inspection is a special case of application inspection in which the Cisco ACE application switch examines the application payload of a packet or a traffic stream and makes decisions based on the content of the data. It can also determine whether the application protocol (in this case, HTTP) is behaving irregularly.

During HTTP inspection, the main focus of the application inspection process is on HTTP attributes such as the HTTP header, URL, and payload. Using HTTP protocol inspection, the Cisco ACE application switch can block various HTTP attacks, including the following:

– Encrypted channel attacks: The Cisco ACE is equipped with a powerful SSL offload or termination processor, giving it full visibility into attacks that try to evade security devices by riding on top of an encrypted SSL channel.

– Worms and day-zero attacks: The Cisco ACE HTTP inspection engine contains a powerful fully customizable regular expression engine. Using regular expressions, you can develop signatures that can block worms and attacks for which no known remedy is yet published. You can apply the Cisco ACE regular expression matching policy on HTTP headers and URLs.

– RFC compliance: The Cisco ACE HTTP inspection engine automatically enforces RFC 2616 compliance and drops requests that use any methods, MIME types, or transfer encodings that you define as disallowed.

– Buffer overflows: The Cisco ACE can enforce maximum HTTP header, content, and URL lengths and protect against buffer overflow exploits.

– Directory traversals: The Cisco ACE regular expression filter can block any attempt at working one's way up the directory structure of an HTTP server by using ../.. in HTTP GET requests.

– Malicious URLs: Using a mix of escaped-encoding and Unicode character representation in the URL, it is often possible for an attacker to craft requests that may not be filtered by a traditional network firewall. For example, consider the following scenario: A traditional network firewall is configured with a security policy to drop any URL request that contains cmd.exe. However, the attacker can bypass this policy by sending an encoded URL request: http://www.example.com/app/../../../winnt/system32/%63%6d%64%2e%65%78%65?/c+dir. The Cisco ACE always transforms a URL request into a normalized or canonical URL and then applies security policies to defeat any attacks relying on encoded URLs.

– Peer-to-peer, Instant Messaging, and HTTP Tunnel attacks: As security awareness has increased, organizations have added a traditional network firewall between the Internet and their Web servers. However, network firewalls have their limitations, and an attacker can use HTTP tunneling to circumvent the access-control restrictions on these firewalls. HTTP tunneling creates a bidirectional communication channel between a client and an intended server by encapsulating traffic within HTTP headers. The Web server that receives the client HTTP request parses the encapsulated traffic and redirects the packet to the intended server. You can configure the Cisco ACE that sits in front of the Web servers to block HTTP requests that contain encapsulated traffic in HTTP headers.

– URL mapping: In another security measure, the Cisco ACE application switch URL mapping capability hides URLs within the HTML source by swapping them with arbitrary URL strings. This swapping helps isolate the back-end infrastructure by preventing end users from seeing the actual URL structure used by the origin server.
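The buffer overflow, directory traversal and malicious URL items above all depend on one step: canonicalize the request URL before any policy is applied. The following is an added example in Python, not Cisco ACE code, that contrasts the traditional firewall of the cmd.exe scenario (pattern matching on the raw request line) with matching after percent-decoding, %uXXXX decoding, slash normalization and dot-segment removal, plus a length limit and a traversal check. The deny patterns, the length limit, the verdict strings and the sample requests are this example's own assumptions.

```python
"""URL canonicalization before policy matching. Added example, not Cisco ACE code:
it contrasts a naive pattern match on the raw request line with matching after
percent-decoding, %uXXXX decoding, slash normalization and dot-segment removal.
Deny patterns, limits and verdict strings are this example's own assumptions."""
import re
from dataclasses import dataclass
from urllib.parse import unquote

DENY_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (r"cmd\.exe", r"/etc/passwd")]
MAX_URL_LEN = 2048                                  # assumed URL length limit
_UNICODE_ESC = re.compile(r"%u([0-9a-fA-F]{4})")   # IIS-style %uXXXX escapes

# The request from the text above, with the executable name percent-encoded.
SAMPLE_ENCODED = "/app/../../../winnt/system32/%63%6d%64%2e%65%78%65?/c+dir"


@dataclass
class Normalized:
    path: str
    decode_rounds: int       # decoding passes that changed something (>1 = double-encoded)
    escaped_root: bool       # a ".." tried to climb above the document root


def percent_decode_fully(s, max_rounds=3):
    """Decode %XX and %uXXXX repeatedly until the string stops changing, so that
    %2563 -> %63 -> 'c' is unmasked. Returns (decoded, rounds that changed it)."""
    for rounds in range(max_rounds):
        nxt = unquote(_UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), s))
        if nxt == s:
            return s, rounds
        s = nxt
    return s, max_rounds


def canonicalize_path(raw):
    """Canonical form of the path part of a request URL."""
    path = raw.split("?", 1)[0]
    decoded, rounds = percent_decode_fully(path)
    decoded = decoded.replace("\\", "/")     # Windows servers accept either separator
    segments, escaped = [], False
    for seg in decoded.split("/"):
        if seg in ("", "."):                 # empty (from //) and "." segments vanish
            continue
        if seg == "..":
            if segments:
                segments.pop()
            else:
                escaped = True               # nothing left to pop: traversal above root
            continue
        segments.append(seg)
    return Normalized("/" + "/".join(segments), rounds, escaped)


def naive_filter(raw):
    """The traditional firewall of the scenario: match patterns against the raw URL."""
    return "deny" if any(p.search(raw) for p in DENY_PATTERNS) else "permit"


def normalized_filter(raw):
    """Normalize first, then apply length, traversal, encoding and pattern rules.
    Returns the list of reasons to deny; an empty list means permit."""
    if len(raw) > MAX_URL_LEN:
        return ["url-too-long"]
    reasons = []
    norm = canonicalize_path(raw)
    if norm.escaped_root:
        reasons.append("directory-traversal")
    if norm.decode_rounds > 1:
        reasons.append("double-encoding")
    reasons += ["pattern:" + p.pattern for p in DENY_PATTERNS if p.search(norm.path)]
    return reasons


def demo():
    """Constructed requests: {raw: (naive verdict, normalized reasons, canonical path)}."""
    samples = [
        SAMPLE_ENCODED,
        "/app/%252e%252e/%252e%252e/etc/passwd",            # double-encoded dot segments
        "/app/..%u005c..%u005cwinnt/system32/%63md.exe",     # %u-encoded backslashes
        "/app/index.html",
    ]
    return {s: (naive_filter(s), normalized_filter(s), canonicalize_path(s).path) for s in samples}


if __name__ == "__main__":
    for raw, (naive, strict, path) in demo().items():
        print(f"{raw}\n  naive={naive}  normalized={strict or 'permit'}  path={path}")
```

On the request from the scenario the raw-string filter permits, because the bytes "cmd.exe" never appear on the wire, while the normalized filter reports both the traversal above the document root and the cmd.exe match. Decoding is repeated until stable and the number of effective passes is recorded, so a double-encoded request is both unmasked and flagged as such.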

• XML and Web services firewall: The Cisco ACE XML Gateway is an exceptionally high-performance XML firewall. It is currently available as a separate appliance product. However, it is tightly integrated with the Cisco ACE application switch. The Web-based user interface for the Cisco ACE XML Gateway allows you to configure both the Layer 7 XML security policy and the Layers 4-7 load-balancing and application-delivery features of the Cisco ACE Application Switch. The Cisco ACE XML Gateway provides following XML and Web services firewall capabilities:

– Protects against security threats through multilayer deep message inspection

– Recognizes attacks against Web service operations, users, and messages

– Monitors transactions from transport and session to the data level

– Inspects and categorizes Simple Object Access Protocol (SOAP) and XML traffic for risk

– Authorizes Web services for Web Services Security (WS-Security), XML Digital Signature, and X.509

Summary

IT organizations face significant challenges associated with the delivery of applications and critical business data with adequate service levels to a globally distributed workforce. Application-delivery technologies help IT organizations improve availability, performance, and security of all applications. The Cisco ACE Application Control Engine provides core-server load-balancing services, advanced application acceleration, and security services to maximize application availability, performance, and security. It is coupled with unique virtualization capabilities, application-specific intelligence, and granular role-based administration to consolidate application infrastructure, reduce deployment costs, and minimize operational burdens.

For More Information

For more information about the Cisco ACE application switch, visit: http://www.cisco.com/en/US/products/ps6906/index.html or contact your local Cisco account representative.
For more information about the Cisco ACE XML Gateway, visit: http://www.cisco.com/en/US/products/ps7314/index.html or contact your local Cisco account representative.
1. The embedded Device Manager (DM) is available only on the Cisco ACE appliance. The Application Networking Manager (ANM) is required for configuration and management of the Cisco ACE module.
2. Cisco Advanced Application Acceleration features are supported on the ACE 4710 appliance; only SSL and TCP offload are supported on the Cisco ACE module.