The Web application acceleration market is proving to be a bonanza for vendors as organizations strive for better performance from ever more complex – and increasingly Ajaxified – Web-based applications. In the last quarter of 2006 alone the market experienced sales growth of 7 percent to $1.5 billion, according to research house Gartner.
The reason they want better performance is that waiting on a Web application is no fun at all, and when it’s your employees doing the waiting it’s worse than that – it’s a drain on productivity. The advantage of using Web application acceleration on an internal network is that instead of using asymmetric acceleration, with software or an appliance at the server end alone, you can use symmetric acceleration, with software or an appliance at both ends: in front of the servers, and at branch offices and other buildings where employees connect to Web applications over a WAN link.
With symmetric systems, there’s a whole load of tricks available to you that go beyond the caching, SSL offloading, connection handling and load balancing offered by asymmetric systems. Symmetric systems help make applications work faster by offering WAN acceleration: a mixture of bandwidth prioritization for certain applications, protocol optimization, object caching, byte caching – replacing commonly used groups of bytes with smaller “tokens” – and advanced data compression.
But where does this leave mobile employees? It’s unlikely that a road warrior is going to check in to the Holiday Inn with an acceleration appliance duct-taped to the base of his laptop, and how many companies are going to provide home workers with a hardware device to stick next to the family PC? Yet these sorts of workers can benefit from application acceleration just as much as workers in more conventional branch office environments.
The good news is that vendors such as Sunnyvale, Calif.-based Blue Coat Systems are introducing Web acceleration clients, programs that mobile and home workers can load on their machines to get many, but not all, of the benefits of symmetric acceleration systems. “Our client enables caching, protocol optimization and compression on the fly, but not bandwidth management and byte caching,” says Nigel Hawthorn, VP International Marketing at Blue Coat. “Computers are so powerful now that they are quite capable of handling tasks like compression on the fly themselves, whereas a couple of years ago that wouldn’t have been practical because the computers just weren’t up to it,” he says.
In fact this type of client is not restricted to corporate employees, because a few megabytes of software can be downloaded in a couple of moments by anyone with a broadband connection. Large Web 2.0 sites could easily provide visitors with the option of a one-off download to accelerate browsing on all subsequent visits – both to that site and to other sites that use the same technology.
In fact it’s not a big step further to imagine that these accelerator clients could also be incorporated into popular browsers as plug-ins. “There’s no reason why this technology couldn’t be built in to a browser, or the stack of a PC. All that’s important is that both sides understand what is going on,” says Hawthorn.
So symmetric Web accelerators can speed up WAN links, but what about asymmetric application acceleration systems? What can they do that’s special? As it turns out, they have a few tricks up their sleeves as well.
The Asymmetric Angle
If you think about it, a typical asymmetric accelerator works as a kind of pre-processor for one server or a bank of servers, doing compute-intensive tasks like SSL processing so the Web servers themselves don’t have to. Another task they can perform is request sanitization, ensuring that database requests from browsers can’t be used to carry out buffer overflow exploits or cross-site scripting attacks. UK-based vendor Zeus Technology has made this one of the key features of its range of acceleration products through its TrafficScript customization language.
Using TrafficScript, it’s a fairly straightforward process to write rules for the accelerator to apply to browser requests to help ensure these sorts of exploits are unsuccessful. For example, if your corporate logins and passwords are a maximum of, say, twelve characters in length, you could use TrafficScript to monitor all login and password data submitted by a browser and refuse to accept any credential that is longer than the maximum twelve characters. By doing this it’s possible to prevent anyone from attempting to overflow a data buffer by submitting an unexpectedly long password, even if the Web application does not check and sanitize submissions itself.
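The logic of such a length rule, sketched in Python as an added example (it is not TrafficScript and not Zeus code). The field names `username` and `password`, the body-size ceiling and the helper name are assumptions; the sketch also covers two cases the rule has to get right, percent-encoded values and repeated fields.

```python
from urllib.parse import parse_qsl

MAX_CREDENTIAL_BYTES = 12                     # the twelve-character maximum from the article
CREDENTIAL_FIELDS = ("username", "password")  # assumed form field names
MAX_BODY_BYTES = 4096                         # assumed ceiling for a login POST body


def check_login_body(body: bytes):
    """Decide whether a form-encoded login body may reach the application.

    Returns (allowed, reason). Hypothetical helper for illustration.
    """
    if len(body) > MAX_BODY_BYTES:
        return False, "body too large"
    try:
        # Decode percent-escapes first: the application receives the
        # decoded value, so that is the length that matters.
        pairs = parse_qsl(body.decode("ascii"), keep_blank_values=True,
                          strict_parsing=True, errors="strict")
    except ValueError:  # also covers UnicodeDecodeError
        return False, "malformed form body"

    seen = set()
    for name, value in pairs:
        if name not in CREDENTIAL_FIELDS:
            continue
        # A repeated field could let the proxy and the application each
        # pick a different copy, so refuse it outright.
        if name in seen:
            return False, f"duplicate {name}"
        seen.add(name)
        # Measure UTF-8 bytes, not characters: a buffer holds bytes.
        # This is stricter than a character count for non-ASCII input.
        if len(value.encode("utf-8")) > MAX_CREDENTIAL_BYTES:
            return False, f"{name} too long"

    if len(seen) != len(CREDENTIAL_FIELDS):
        return False, "missing credential"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample bodies, not captured traffic.
    for sample in (b"username=alice&password=s3cret",
                   b"username=alice&password=" + b"A" * 13):
        print(sample[:40], check_login_body(sample))
```

A front-end proxy would answer a rejected request itself, for instance with a 403, and never forward it to the Web server.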
This can be very useful in cases where a vulnerability is discovered, but the application has not yet been patched, says Owen Garrett, a product manager at Zeus. “Many vendors and organizations are not particularly agile, and it can take days or even weeks to produce a patch for an application, test it thoroughly, and get it applied,” he says. “Using TrafficScript it’s possible to drop in a rule and effectively patch the problem without patching the application itself. It’s very easy to test the rule to ensure it does what you expect it to, and it can be deployed very rapidly. Then you can look at the security problem in more detail and fix the application later,” he says.
Web application accelerators are turning out to be unexpectedly useful bags of tricks, lowering hardware and bandwidth costs, increasing productivity, giving customers better Web experiences, and increasing security for good measure. It’s no wonder the market continues to grow rapidly as an increasing number of large corporations turn to them.