amid new apps and virtualization, here’s how you’ll take

THE BUSINESS VALUE OF TECHNOLOGY
Mobile app dev needs agile 10 | Oracle ups its analytics game 13 | WAN optimization vendors ranked 16 | 4 steps to secure virtualization 44 | U.S. is tops in tech 52
OCT. 17, 2011
[PLUS] INSIDE OPENFLOW
Networking standard challenges the status quo p.38
Amid new apps and virtualization, here’s how you’ll take better control of your network p.33
By Art Wittmann
Copyright 2011 UBM LLC. Important Note: This PDF is provided solely as a reader service. It is not intended for reproduction or public distribution. For article reprints, e-prints and permissions please contact: Wright’s Reprints, 1-877-652-5295 / [email protected]
13 38
COVER STORY
New Way To Network Software-defined networking threatens to disrupt Ethernet and TCP/IP technologies
Inside OpenFlow The networking protocol still has much to prove in order to bring flexibility to the virtualized data center
13 Speedier Data Analysis Oracle has its answer to rivals’ in-memory database appliances
14 API Advantage Effective APIs for developers can help business expand
16 WAN Optimization Vendors Three vendors lead the way with WAN optimization appliances
18 Better Backup Cloud providers build globally dispersed chains of data centers
[QUICKTAKES]
CONTENTS THE BUSINESS VALUE OF TECHNOLOGY Oct. 17, 2011 Issue 1,313
33
informationweek.com Oct. 17, 2011 1
2 Oct. 17, 2011 informationweek.com
44 Virtualization Security Checklist These four steps can help you protect assets and respond to threats
Contacts 6 Editorial Contacts 6 Advertiser Index
4 Research And Connect InformationWeek in-depth reports, events, and more
8 CIO Profiles Put family’s needs ahead of career, CRST International’s CIO advises
10 Global CIO Agile development keeps pace with the mobile world
50 VMs Vs. The Network IEEE addresses virtualization’s switching and security problems
52 Down To Business U.S. still ranks highest in IT innovation, study finds
[CONTENTS]
INFORMATIONWEEK (ISSN 8750-6874) is published 22 times a year (once in January, July, August, November, and December; twice in February, March, April, and October; and three times in May, June, and September) by UBM LLC,
600 Community Drive, Manhasset, NY 11030. InformationWeek is free to qualified management and professional personnel involved in the management of information systems. One-year subscription rate for U.S. is 199.00; for
Canada is $219.00. Registered for GST as UBM LLC. GST No. 2116057, Agreement No. 40011901. Return undeliverable Canadian addresses to Pitney Bowes, P.O. Box 25542, London, ON, N6C 6B2. Overseas air mail rates are: Africa,
Central/South America, Europe, and Mexico, $459 for one year. Asia, Australia, and the Pacific, $489 for one year. Mail subscriptions with check or money order in U.S. dollars payable to: INFORMATIONWEEK. For subscription
renewals or change of address, please include the mailing label and direct to Circulations Dept., INFORMATIONWEEK, P.O. Box 1093, Skokie, IL 60076-8093. Periodicals postage paid at Flushing, NY and additional mailing offices.
POSTMASTER: Send address changes to INFORMATIONWEEK, UBM LLC, P.O. Box 1093, Skokie, IL 60076-8093. Address all inquiries, editorial copy, and advertising to INFORMATIONWEEK, 600 Community Drive, Manhasset, NY 11030.
PRINTED IN THE USA. .
8
47 DLL Hell Redux NuGet helps .NET developers tame out-of-control third- party components
48 Developer Madness New technologies could make Windows 8 migration costly
InformationWeek Analytics Take a deep dive with these reports
[ ]
Watch It Now [
At the IW 500 Conference, Cata lina Marketing CIO Eric Williams explained how the company uses predictive analytics. informationweek.com/ video/williams
Big Data: Marketer mines data for trends
More InformationWeek[ ] Government In The Cloud GovCloud 2011 lets government IT pros learn the latest on cloud options. Join us in Washington, D.C., on Oct. 25. informationweek.com/government/govcloud2011
Enterprise 2.0 Attend Enterprise 2.0 and see how to drive business value with collaboration. In Santa Clara, Calif., Nov. 14-17. e2conf.com/santaclara
Become A Security Detective In this all-day virtual event, experts will offer insight in how to collect security intelligence and analyze it to identify new threats. It happens Oct. 20. informationweek.com/1311/event
Let The News Find You Get the news topics you follow—including healthcare, business intelligence, security—delivered to your in-box. informationweek.com/getalerts
Subscribe to our more than 800 reports at reports.informationweek.com
Never Miss A Report
>> HP’s Strategy: IT Pros Get Their Say informationweek.com/reports/hpstrategy
>> Service-Oriented IT informationweek.com/reports/serviceoriented
>> Best Practices: Ensuring Reliable UC Coming Oct. 31
Resources to Research, Connect, Comment
Follow Us On Twitter And Facebook[ ]
@informationweek fb.com/informationweek
Links State Of Storage IT teams are packing more information on fewer devices. Find out how smart CIOs will accelerate this trend.
informationweek.com/reports/2011storage
IT Automation Is Just The Start IT’s juggling to keep services running even as business customers pile on new requests. Automation is an important tool to help cope, but it should be coupled with external services and portfolio management.
informationweek.com/reports/itautomation
Safeguard Your VM Disk Files Find out best practices for backing up VM disk files and building an infrastructure that can tolerate hardware and software failures.
informationweek.com/reports/safeguardvm
At Your Service A service catalog is pivotal in moving IT from an unresponsive mass of corporate overhead to an agile business partner.
informationweek.com/reports/servicecatalog
The Data Dedupe Option As the volume of data continues to grow, IT pros are investing in new technologies, including deduplication.
informationweek.com/reports/datadupe
Please direct all inquires to reporters in the relevant beat area.
Index For Advertising and Sales Contacts go to createyournextcustomer.com/contact-us or call Martha Schwartz (212) 600-3015
[ ]
John Foley Editor, [email protected] 516-562-7189
Chris Murphy Editor, [email protected] 414-906-5331
Art Wittmann VP and Director, Reports, [email protected] 408-416-3227
Laurianne McLaughlin Editor In Chief, InformationWeek.com, [email protected] 516-562-7009
Stacey Peterson Executive Editor, Quality, [email protected]
516-562-5933
David Berlind Chief Content Officer, TechWeb, [email protected] 978-462-5315
REPORTERS Doug Henschen Executive Editor Enterprise software [email protected] 201-660-8467
Charles Babcock Editor At Large Open source, infrastructure, virtualization [email protected] 415-947-6133
Thomas Claburn Editor At Large Security, search, Web applications [email protected] 415-947-6820
Paul McDougall Editor At Large Software, IT services, outsourcing [email protected]
Marianne Kolbasuk McGee Senior Writer IT management and careers [email protected] 508-697-0083
J. Nicholas Hoover Senior Editor Desktop software, Enterprise 2.0,collaboration [email protected] 516-562-5032
Andrew Conry-Murray New Products and Business Editor Information and content management [email protected] 724-266-1310
Eric Zeman Mobile, wireless [email protected]
CONTRIBUTORS Michael Biddick [email protected]
Michael A. Davis [email protected]
ART/DESIGN Mary Ellen Forte Senior Art Director [email protected]
Sek Leung Associate Art Director [email protected]
INFORMATIONWEEK REPORTS reports.informationweek.com
Roma Nowak Senior Director, Online Operations and Production [email protected] 516-562-5274
Tom LaSusa Managing Editor, Newsletters [email protected]
Jeanette Hafke Web Production Manager [email protected]\om
Joy Culbertson Web Producer jculbertson@techwe\b.com
Nevin Berger Senior Director, User Experience [email protected]
Steve Gilliard Senior Director, Web Development [email protected]
INFORMATIONWEEK VIDEO informationweek.com/video
INFORMATIONWEEK BUSINESS TECHNOLOGY NETWORK DarkReading.com Security Tim Wilson, Site Editor [email protected]
NetworkComputing.com Networking, Communications, and Storage Mike Fratto, Editor [email protected]
InformationWeek Government John Foley, Editor [email protected]
InformationWeek Healthcare Paul Cerrato, Editor [email protected]
InformationWeek SMB Technology for Small and Midsize Business Paul Travis, Site Editor [email protected]
Dr. Dobb’s The World of Software Development Andrew Binstock, Editor In Chief [email protected]
InternetEvolution.com Future of the Internet Terry Sweeney, Editor In Chief [email protected]
READER SERVICES InformationWeek.com The destination for breaking IT news, and instant analysis
Electronic Newsletters Subscribe to InformationWeek Daily and other newsletters at informationweek.com/newsletters/subscribe.jhtml
Events Get the latest on our live events and Net events at informationweek.com/events
Reports Go to reports.informationweek.com for original research and strategic advice
How To Contact Us informationweek.com/contactus.jhtml
Editorial Calendar informationweek.com/edcal
Reprints Wright’s Media, 1-877-652-5295 Web: wrightsmedia.com/reprints/?magid=2196 E-mail: [email protected]
List Rentals Merit Direct LLC Phone: (914) 368-1083 E-mail: [email protected]
Media Kits And Advertising Contacts createyournextcustomer.com/contact-us
Letters To The Editor E-mail [email protected]. Include name, title, company, city, and daytime phone number.
Subscriptions Web: informationweek.com/magazine E-mail: [email protected] Phone: 888-664-3332 (U.S.) 847-763-9588 (outside U.S.)
ADVISORY BOARD
Robert Carter Executive VP and CIO, FedEx
Michael Cuddy VP and CIO, Toromont Industries
Laurie Douglas Senior VP and CIO, Publix Super Markets
Dan Drawbaugh CIO, University of Pittsburgh Medical Center
Jerry Johnson CIO, Pacific Northwest National Laboratory
Kent Kushar VP and CIO, E.&J. Gallo Winery
Carolyn Lawson CIO, Oregon Health Authority
Jason Maynard Managing Director, Wells Fargo Securities
Denis O’Leary Former Executive VP, Chase.com
Randall Mott Former Sr. Exec. VP and CIO, Hewlett-Packard
Steve Phillips Senior VP and CIO, Avnet
M.R. Rangaswami Founder, Sand Hill Group
Manjit Singh CIO, Las Vegas Sands
David SmoleyCIO, Flextronics
Ralph J. Szygenda Former Group VP and CIO, General Motors
Peter Whatnell CIO Sunoco
CenturyLink www.centurylink-business.com . . . 7
Citrix www.citrix.com . . . . . . . . . . . . . . . . . . . . . . 12
Dell www.dell.com . . . . . . . . . . . . . . . . . . . . . . . . C2
iDashboards www.idashboards.com . . . . . . . . . 43
ManpowerGroup www.manpowergroup.com . . 39
Microsoft www.microsoft.com . . . . . . . . . . . . . . . 9
Print, Online, Newsletters, Events, Research
Career Track How long at current company: I’ve been at this logistics company for seven years.
Career accomplishment I’m most proud of: The creation of Gazette Technologies, a software development company specializing in data warehouse software to serve the media industry.
Most important career influencer: As a young IT manager, I had a great manager and mentor named Tom Redder. Tom had the unique ability to challenge you to do your very best, while teaching by example. In the process, he was able to give you enough rope on a project to let you manage the process, but not enough to let you hang yourself.
Decision I wish I could do over: Many times, it’s very hard to bal- ance the desire for growth in your career with the needs of your family. I’m lucky to have two great daugh- ters and a very understanding wife, who have had to make several moves because of my career. I wish I had taken more time to better understand their needs when making a move. Ask for and listen to your family’s feedback instead of just fo- cusing on new opportunities.
On The Job IT budget: $8.7 million
Size of IT team: 47 employees
Top initiatives: >> We’re migrating our freight management system off the mainframe to an open systems environment. This will let us meet the needs of the business and reduce our technology cost of ownership
STEVE HANNAH CIO, CRST International
Leisure activity: Golf
Favorite president: John F. Kennedy, because of his ability to execute on a vision and be decisive
Last vacation: Caribbean cruise
Favorite sports team manager: Jim Leyland of the Detroit Tigers, who has the ability to develop and get the most out of good players
Tech vendor CEO I respect most: Cisco’s John Chambers
Smartphone of choice: BlackBerry
by moving off the mainframe, while embracing current technologies.
>> We’re redesigning our recovery plans to significantly reduce recovery time. Our new plans include the ability to fail over to an off-site recovery center and an off-site office facility capable of hosting 165 people.
How I measure IT effectiveness: The IT team reports to the business on 20 key items, including hardware performance, help desk call resolutions, software development resource allocations, and computer operations efficiencies. We continue to examine these metrics annually and update accordingly.
Vision One thing I’m looking to do better: Partner with business stakeholders to better understand the issues and how technology can bring better solutions. We’ve created an environment built for growth and business analytics, and now is the time to drive the value home.
Lesson learned from the last recession: The importance and value of a multiyear technology plan for the company. The plan has to be flexible, of course, but such a guiding focus is especially valuable during tough economic times.
Kids and tech careers: The need to understand technology is key in any career decision given today’s environment. I didn’t try to steer my kids toward or away from a career in technology. Both have graduated college and are success- ful in their careers today. Neither are professional technologists but use technology very effectively.
CIOprofiles Read other CIO Profiles at informationweek.com/topexecs
Ranked No. 19 in the 2011
G
L O B A L C I OG
L O B A L C I O Apple is talking up its new iPhone 4S,
just 14 months after releasing iPhone 4, touting a faster chip, voice controls,
and hooks to cloud-based storage. Here’s a question worth asking: Is your company’s application development strategy ready for the blistering pace of the mobile world?
Mobile apps are a different beast from big, conventional enterprise IT projects. They tend to involve smaller teams. They’re often (not always) less complex. Usability factors can make or break a mobile app, many of which are built for the end customer. And the deadline to create a mobile app is almost always terrifyingly short, as companies fret over falling behind smartphone-touting customers, and their competitors.
All these factors make agile development techniques a good fit for many mobile apps. I say “techniques” because companies often rely on elements of agile—like iterative development and frequent re- views by business unit partners—without embracing the complete agile methodology. And they often work with outside partners who do the actual development.
Another agile-friendly feature of mobile apps is that they don’t need to be perfect out of the gate, says Leigh Williamson, a distinguished engineer with IBM’s Rational dev tools divi- sion. Mobile developers will commonly put out an app with a limited slate of features and update it with more later, Williamson says, and that process fits with the iterative nature of agile. “Good enough for 1.0” isn’t a mentality business IT shops tend to embrace easily. Guardians of company brands don’t do so well with it either, so together project leaders need to figure out—on the fly, during development—which features make the cut and which wait for the next version.
Williamson is seeing enterprise IT shops
who had never used agile development exper- iment with it when faced with a mobile project. When business units decide it’s time to build a mobile app, “they set timelines that are typically quite aggressive—six to eight months to get these out in production,” he says.
Another fact that favors agile development is that mobile apps are still the shiny new ob- ject—everyone is interested, and everyone has an opinion. One of the barriers to effective agile development with conventional enterprise apps can be the short attention span of business unit leaders. Will they put in the time to review work every week or two, for months
on end, to make sure the latest code’s doing what they expected?
With mobile apps, “there’s con- stant stakeholder feedback,” Williamson says, since usability is critical and the interest level is sky
high. The challenge is likely to be too many conflicting opinions, in fact.
But better to sort those tensions out early, rather than when the app is nearly “done.”
As my colleague Thomas Claburn notes (informationweek.com/1312/apps), companies with mobile app fever first need a good answer for why customers need an app, and how it will pay off for the company.
After the business strategy, IT leaders face the tough choices about their mobile app dev plan. How much in-house talent do we need, versus relying on outsourcers? Should we invest in iOS and Android skills for native apps, or bet bigger on hybrid apps and HTML5? Does our team even understand our end customers enough to build apps for them? Do our IT security skills transfer to assessing mobile risks?
And if we needed to deliver a new iPhone app for 1Q 2012, could we deliver?
Chris Murphy is editor of InformationWeek. Write to him at [email protected].
App Dev Must Get Agile Enough For Mobile
Creating mobile apps
will require different
techniques and a
Oracle CEO Larry Ellison introduced a new appli-
ance this month aimed at doing faster business data analytics, but he didn’t make a very convincing or exciting business case for it. So we’ll fill in the gaps for him.
Oracle’s new Exalytics Business Intelligence Ma- chine is an appliance using in-memory database processing to do analysis faster.
Exalytics is clearly an answer to in-memory-powered products such as SAP’s Hana Appliance, as well as business intelligence products such as QlikTech’s QlikView and Tibco’s Spotfire. It builds on Oracle’s focus on optimized software-hardware systems, a line that includes Exadata and Exalogic appliances.
The closest Ellison, in his speech at Oracle Open- World, came to articulating the business need for Exalyt- ics was in describing instan- taneous access to information. “Type in ‘36-inch Sa’ and it will instantly fill in ‘36- inch Samsung television,’ ” Ellison said. “Type in ‘36- inch So’ and it will instantly fill in ‘36-inch Sony television.’” It could be automo- tive data or financial data or “it could be anything,” Elli- son crowed—though the de- scription made it sound like a search engine. There were no business-use scenarios.
Ellison did dive into the product details. The hardware includes 1 TB of DRAM memory and 40 CPU cores from four multicore Intel Xeon processors. It scans 20 GB per second, so it can ex- plore the device’s memory in about five seconds. One ter- abyte doesn’t sound big, El- lison said, but the device will compress data by five to 10 times, so it’s equivalent to 5 to 10 TB of user-accessible data.
As for the software behind Exalytics, two in-memory, parallelized databases will be available. A new version of TimesTen, which was developed for transactional workloads, will provide an in-memory relational database engine. And Oracle has adapted its Essbase database to Exalytics to support speed-of-thought multidi- mensional analysis.
Exalytics can be integrated with any server running an Oracle database, but Ellison extolled the virtues of pair- ing the device with Exadata. If the data is in Exalytics’ DRAM memory, the device will provide the ultimate in query performance, and if it’s not in memory, Oracle’s InfiniBand connectivity to Exadata will move the required data into Exalytics in- memory cache nearly as quickly. “I recommend you buy both,” Ellison quipped.
Exalytics will support all current Oracle Business Intelligence Enterprise Edi- tion (OBIEE) applications unchanged. The appliance also runs an in-memory, parallel-processing version of the Oracle Essbase OLAP database, so it will support a company’s existing performance management applications without changes. That’s a marked contrast to SAP’s Hana Appliance, which to date has required a new gen- eration of purpose-built in- memory applications.
Big Data Play For companies with big
data needs, Oracle laid out a strategy, including plans for a Hadoop appliance, Ha - doop data management software, a NoSQL database, and an enterprise-focused release of R analytics software, for statistical analysis.
The breadth of those plans is surprising, given that less than a year ago Oracle was discounting the importance of the NoSQL movement. Hadoop, one NoSQL platform, addresses one of the fastest-growing areas of data—unstructured data
such as Web log files, social media data, and mobile data with geospatial information.
The big caveat: Oracle gave no release dates for the big data appliance or related software. If Oracle doesn’t deliver soon, it may be effectively stalling for time, hop- ing to dissuade Oracle customers from experimenting with third-party NoSQL and Hadoop alternatives.
The promise is interesting. Exalytics, paired with the Big Data Appliance and R software, would bring instanta- neous in-memory analysis to bear on the results of Ha - doop MapReduce jobs, R statistical and predictive models, and graphical analy- ses. The results could then be delivered through the dashboards and reporting capabilities of OBIEE.
Oracle had to act, as competitors including EMC, IBM, and Teradata have been step- ping up their analytics and big data analysis products. Now it’s up to Oracle to show how fast it can become an active participant in the NoSQL and big data markets.
—Doug Henschen ([email protected])
[QUICKTAKES] ORACLE APPLIANCES
Where’s the hard sell?
[
Following on the suc- cessful use of APIs by
eBay, Amazon.com, and Salesforce.com, many companies have published their own such integration code over the last decade to attract outside developers to their businesses. What do developers think of these APIs?
“Hideously outdated documentation ... that will make you want to slit your wrists,” one developer says of the
APIs with which he works. “Authorization sucks,”
says another. “At Facebook, everything
is broken,” says a third, not hesitating to name the source of his ire.
These comments are from a survey by Your Trove, an online service for developers attempting to connect to social media APIs. Survey results were presented earlier this month at the Business of APIs conference, which aimed to advance the art of constructing APIs for use by external developers.
Developers’ biggest com- plaint is that API documentation is unreliable, is out of date, and offers poor guid- ance on how to implement a particular API. They also say error messages they get when something goes wrong
are too vague to help them figure out the cause.
Coming up with effective APIs for developers can help businesses expand, as developers add functionality and bring customers the company couldn’t get on its own. Failing to do so can mean missing a major opportunity Gartner predicts that 75% of the Fortune 1,000 will offer a public API by 2014. How- ever, the Your Trove survey indicates many companies
still have a ways to go before their APIs provide a competitive advantage.
Common Reference Point LinkedIn added a hiring
service through an easy-to- use API, Adam Trachten- berg, director of the professional social networking site’s developer network, said at the conference. Most of LinkedIn’s 120 million users just post a professional profile on the site, but widespread use of its APIs and online apps on other web- sites has made LinkedIn a common reference point.
About 30,000 developers have used LinkedIn’s APIs to establish connections to the site’s services. LinkedIn now derives 48% of its revenue from its Post a Job ser vice, charging $295 for
a 30-day job posting. Data analytics applied
through social media APIs “is a huge opportunity,” said Ryan Sarver, Twitter’s director of platform. Social Flow, for example, pub- lishes aggregate content from an identifiable group, such as Forbes followers, to see what they’re talking about. In doing so, it’s able to anticipate stock market movements 15 to 16 min- utes ahead of Bloomberg business news feeds, Sarver claimed. That’s “huge in terms of market movements,” he said.
Netflix transformed its movie-delivery business from being the largest user of the U.S. Postal Service to one of the largest users of Amazon’s EC2 cloud for its streaming service. It pro- duced APIs that opened its catalog and ordering ser - vices to the iPhone, iPad, Xbox 360, Nintendo Wii, Sony PlayStation, and other consumer devices. Its sub- scriber list expanded from 12 million to 20 million last year as result.
Salesforce offers developers access to its CRM platform through public APIs, a capability that helped the company reach the $2 billion mark in annual revenue a few months ago, said Dave Carroll, director of developer evangelism.
Salesforce didn’t start out making it easy for developers. In 2003, it charged $10,000 for a developer to access its documentation for
its first API, viewing the API as a profit center. There were almost no takers, Car- roll said.
The following year, Sales- force made the API free in order to attract more developers. That meant a Sales- force CRM user could set up links between a back office accounting or inven- tory systems and data in the Salesforce database, making the Salesforce apps more useful to customers, Carroll said. Salesforce then expanded its API set.
In 2006, i t launched AppExchange, where developers could sell Salesforce apps. Salesforce now offers APIs to access its Chatter social networking service and RESTful APIs that work with various mobile devices. It also offers an API that customers can use to build apps on Force.com, its platform-as-a-service environment.
Giving outside developers access to your company’s internal services broadens your business, if done in the right way, Car- roll said. “Your API history ... reflects upon your business history and future evolution,” he added.
Carroll recommends companies keep APIs simple, have good documentation, and maintain backward compatibility. Otherwise, developers who used an early version will suddenly find their applications not working. —Charles Babcock
([email protected])
[QUICKTAKES]
14 Oct. 17, 2011
“Your API history ... reflects upon your business history and future evolution.” —Salesforce’s Dave Carroll
informationweek.com
Before you plunk down money for additional
bandwidth for your branch and remote offices, consider WAN optimization. This tech nol ogy delivers signifi- cant performance benefits and is a win for tight bud - gets because it can let IT de- lay the purchase of larger-capacity connections.
WAN optimization appliances improve use of existing bandwidth by transparently reducing the amount of traffic pumped into the WAN. They smooth over TCP shortcomings via better win- dow management, for example. They optimize chatty upper-layer LAN protocols like MAPI, HTTP, and Win- dows file sharing.
We surveyed 486 IT professionals who use or have evaluated WAN optimization appliances to find out how they perform. Not sur- prisingly, Cisco Systems gets invited to the WAN optimization party by nearly half (49%) of respondents, largely because of its ubiq-
uity in enterprise data centers. River bed is a close second, with 40%, handily beating out the rest of our field. Citrix, Juniper, Blue Coat, and F5 round out the top six.
Blue Coat, Cisco, and Riv - erbed have the highest rank- ings based on 10 evaluation criteria, including product performance and reliability (see chart, below).
While Blue Coat and Riv - erbed lead on performance in our survey, you generally won’t find much variation in raw deduplication rates among products. Where you will find differentiation is in how much data the appliances can pro cess on the LAN side. Vendors tend to scale their appliances based on WAN capacity, from T1 speeds to 1 Gbps and beyond. This scaling doesn’t reflect network performance as much as the size of the internal storage array contain- ing the deduplication data set, the number and types of CPUs, and RAM. The larger
the WAN pipe and the more capacity that’s consumed, the larger the disks must be to build an adequate diction- ary. And, of course, adequate CPU and RAM are needed to be responsive.
Automatic application detection and detection within HTTP are the WAN optimization features that are particularly important as companies “webify” more applications and adopt VDI. Blue Coat and Citrix have long touted their automated application discovery features that can poke into oft- used protocols, such as HTTP, and differentiate Out- look Web Access from Peo- pleSoft and act accordingly. Citrix, in its quest to move everyone to VDI, has a leg up on optimizing its own popular VDI protocols.
Not to be left out, other WAN optimization vendors
say their products can perform some VDI optimization as well, though they’re usually limited to TCP optimizing and packet coalescing. While many optimizers offer manual configuration, where administrators specify the server IP address and other details, having built-in detection means one less task set added to your change- control processes. This is a key distinction to look for when shopping for a WAN optimization product.
Most respondents using WAN optimization are happy with their appliances and aren’t actively looking to re- place them. Still, vendors shouldn’t become compla- cent. Respondents say ad- vances in technology and a more cost-effective offering could spur them to kick out an incumbent. —Mike Fratto
([email protected])
[QUICKTAKES]
71% All data: InformationWeek WAN Optimization Appliance Vendor Evaluation Survey of 486 business technology professionals, April 2011
Weighted, aggregated score across 10 evaluation criteria, maximum possible score of 100%
WAN Optimization Appliance Overall Vendor Performance
Blue Coat
Cisco Systems
Riverbed
Citrix
Juniper
F5
How Top Vendors Stack Up Mean average ratings, based on a scale
of 1 (poor) to 5 (excellent)
Blue Coat Cisco Systems Riverbed
Product performance 4.1 4.0 4.2
Product reliability 4.0 4.1 4.1
Flexibility to meet needs 3.8 3.9 3.9
Pre-sales support quality 3.8 3.8 3.7
Product innovation 3.8 3.8 4.0
Operation cost 3.7 3.6 3.6
Breadth of product line 3.7 4.0 3.7
Post-sales support quality 3.7 3.8 3.8
Service innovation 3.6 3.6 3.7
Acquisition cost 3.5 3.4 3.3
Download the full 31-page report, free with registration, at informationweek.com/reports/wanopt
informationweek.com
Don’t look now, but as telecom companies ac-
quire cloud computing vendors, we’re seeing the begin- nings of cloud networks: chains of linked data centers owned by one company that let two or more data centers back up one another.
Among the acquisitions is Verizon’s January purchase of cloud data center pioneer Terremark for $1.4 billion. Three months later, Cen - tury Link said it would buy managed services host and cloud infrastructure pro - vider Savvis for $2.5 billion. In June, a subsidiary of Japan’s telecom giant NTT bought OpSource to establish a cloud infrastructure business unit.
These pairings are bringing much needed geographic distribution to the backup and recovery capabilities offered by cloud services providers. Compa- nies affected by the April outage at Amazon Web Services’ northern Virginia center would have wel- comed geographically di- verse backup and recovery options.
If you were an AWS customer in the Amazon data center that went down, you couldn’t easily designate the AWS data center in Dublin as your preferred failover site. You couldn’t even select AWS’s U.S. West Coast data center, unless you con- structed the network links to it yourself. You were stuck using a neighboring Amazon “availability zone,”
which in April wasn’t necessarily in a separate data center and in some cases froze up at the same time as the primary zone.
With new linked data center chains in the cloud, automated backup to a separate geographic location is a definite possibility. The CenturyLink-Savvis combination brought together 34 Savvis and 16 CenturyLink data centers in North Amer- ica, Europe, and Asia. The
Verizon-Terremark union combined 13 Terremark data centers with 36 Veri- zon hosted services data centers, for 49 in North America, South America, Europe, and Asia.
These regionalized groups of data centers have a hub that acts as a central facility to connect all customers to the Internet and other network junctions via high- speed pipes.
Geographically separated data centers have been linked before, of course, but these new groupings are being interlinked by a single
telecommunications company that can automatically implement connections as a service over high-speed lines.
Terremark’s Experience I asked Ben Stewart, sen-
ior VP of facilities engineering at Terremark, whether customers could have used a distant Verizon data center as a backup site prior to the merger. It could have been done, he says, but it would have taken a lot of
work by telecom-savvy cloud customers. First, they would’ve had to study the rate tables of the various telecom carriers available on the route. Then they’d have to negotiate with each carrier for network seg- ments that could serve their needs and test to see if it all worked.
And what if something went wrong, like a router failure at a key network junc- tion? The customers would have had to make a half dozen phone calls to find out the source of the trouble.
Now if Terremark cus-
tomers want to link to another data center, they click on an order form box, and the link and additional ac- count are set up. The number of carriers involved and the number of router hops is drastically reduced, improving speed.
Terremark had initiated this approach on its own with its 13 data centers, but “it would have taken us a long t ime to achieve global reach,” Stewart says. “Now, with Verizon, we’re there.”
Terremark last month opened a 25,000-square- foot data center in Amster- dam, where it has quick access over a 20-Gbps line to one of the world’s largest Internet exchanges. The facility is a hub for Terre- mark’s data centers in Frankfurt, London, Madrid, and Paris, providing a sim- plified routing path to the rest of the world.
Amsterdam is directly connected to Terremark’s network access point of the Americas, a huge, 750,000- square-foot facility in downtown Miami. So much traffic converges on the network loops that circle downtown Miami that it’s one of the five best interconnected cities in the world, Terre- mark says on its website. NAP of the Americas is a gateway to other points in the United States and is one router hop from Bogota, Co- lumbia, and two hops from Sao Paulo, Brazil.
“Amsterdam to Miami is
[QUICKTAKES]
18 Oct. 17, 2011
Terremark’s Amsterdam data center is one hop to the world[
informationweek.com
one hop at two-thirds the speed of light over fiber ca- ble. So Terremark customers in London, Madrid, Paris, and Frankfurt are all linked now, just two hops apart through Amsterdam,” Stewart says.
Customer Perspective Global companies, such
as InterContinental Hotels, would like to decentralize their mainframe applications and make them available to serve customers in many different locations. If InterContinental’s hotel room booking and customer relationship systems can be distributed, service to customers will seem in- stantaneous, says Bryson Koehler, senior VP of revenue and guest information. He wants customers to be able to check into their rooms from smartphones while in the taxi from the airport. That will only happen with distributed ser - vices, Koehler says.
Running coordinated distributed systems is difficult to do, but infrastructure as a service in the form of interconnected data centers could make it a check-box option. Having established a workload in the cloud, customers would just check off where else they’d like to have it run and indicate which data center is the primary copy.
Daisy-chained data centers in the cloud will one day host carbon copies of key enterprise applications. In some competitive situa- tions, including the hotel business, distributed applications will make a signifi- cant difference.
In addition to the 49 data centers that make up Terre- mark’s infrastructure as a service, Verizon also operates 200 telecommunications data centers that handle billing and customer service for its phone service customers. Since a telecom data center isn’t much different from a cloud data center, it’s possible that in the future Verizon will reserve space in the telecom facilities to give its data center chain more locations for distributed systems.
The CenturyLink-Savvis combo has 50 data centers around the world, interlinked data centers with access to key network junctions and exchanges. Ama - zon builds its data centers at prime network junctions as well, but at this point, it’s still up to the customer to navigate between one center and another.
In the future, no cloud data center will be an island. No tsunami, hurricane, or earthquake will be able to take down your systems, just because your primary data center loses power or has its operations otherwise disrupted.
Both virtualized systems and cloud workloads can migrate quickly to a new location. A running virtual machine can transfer to a new home in milliseconds; given a few seconds warning, it can migrate with no data lost. Virtualized systems running inside a data center that’s part of a chain in the cloud may prove to be much more durable and available than existing high-availability de- signs. —Charles Babcock
([email protected])
[QUICKTAKES]
[COVER STORY]
he combination of Ethernet and TCP/IP is so powerful and so fundamental to the way we craft data center systems that it’s almost heresy to even suggest we move beyond those protocols. In the 1990s, Gartner famously predicted that Token Ring would supplant Ethernet by the end of that decade,
and Novell created its own networking protocol, as did Apple, rather than take on what they saw to be the flaws of the overly complicated TCP/IP. And yet here we are today: Token Ring is a relic, IPX and AppleTalk are footnotes in the storied past of multiprotocol routers, and Ethernet and TCP/IP are the dominant networking technologies.
While no one in their right mind suggests completely replacing Ethernet and TCP/IP, anyone who’s struggled to automate data center load management in today’s virtualized data centers knows that current networking protocols present a challenge. For companies to make the most efficient use of their virtualized servers, they must move workloads around their data centers, but doing so implies moving network connectivity along with performance assurances, security, and monitoring requirements. Today, that’s either impossible to do automatically, or the method for doing it is highly proprietary. And virtualization isn’t the only challenge—as businesses add more applications to their networks, they need to address the unique needs of those apps at a policy level.
Quite simply: Networking must change if it’s going to keep up with what businesses want to accomplish. Imagine networks that support both lots of live streaming video as well as financial and healthcare transactions at the core. For video, if a network gets congested, the thing to do is drop frames at the source. There’s no point in delivering voice or video data late. Meanwhile, the network never should drop packets of financial data. A smarter high- level policy might be to define separate paths through the network for the two different types of data. In regulated industries, network designers may want to set policies that make it impossible for certain types of data to hit various parts of the network, or ensure that security appliances always look at some flows of sensitive data. Simultaneously, and possibly sepa-
New technology will disrupt the
networking world, which for decades has
revolved around Ethernet and TCP/IP—and
stalwart vendors such as Cisco
By Art Wittmann
T
rately, IT architects will want to create policies to ensure that certain essential services are highly available and protected with a disaster recovery plan.
While it was possible to set up environments that support some of these policies when applications and services were tightly coupled with their servers, virtualization makes such a static configuration hopelessly outdated. Loads change and servers fail—and virtualization lets you deal with all that, but only if the network can respond to a layered set of policies that must be observed in a highly dynamic environment. Network configurations—just like virtual serv - ers—must reconfigure themselves in the blink of an eye, and to do that, bridging and routing protocols must evolve.
So far, they haven’t. Network engineers are still versed in the command line interfaces of the switches they run. Policies involve writing router rules and setting access control lists, usually by crafting them in proprietary formats, and then using scripts to apply those rules to devices across the network. Even where better tools exist, network designers can set the quality of service, VLANs, and other parameters, but the Layer 2 switching rules are set by Ether- net’s Spanning Tree protocol and the routing rules are dictated by TCP/IP. There’s little ability to override those mechanisms based on business rules.
At a conceptual level, the answer has been dubbed “software-defined networking,” or SDN—letting network engineers specify configurations in high- level languages, which are then compiled into low-level instructions that tell routers and switches how to handle traffic. The idea is to give engineers more complete access to the lowest-level functions of networking gear so that they, and not TCP/IP or Spanning Tree, dic- tate how network traffic should move.
At the same time, engineers would work in a higher-level language to more easily describe complex constructs implemented as simple rules on a router or switch. It would be a lot
like how a programmer writes in C++ or Visual Basic, and the commands are then compiled into the machine language of the processor.
Departure From TCP/IP In a software-defined network, a
central controller maintains all the rules for the network and disseminates the appropriate instructions for each router or switch. That centralized controller breaks a fundamental precept of TCP/IP, which was designed not to rely on a central device that, if discon- nected, could cause entire networks to go down. TCP/IP’s de sign has its roots in a day when hardware failures were much more common, and in fact part of the U.S. military’s Defense Ad- vanced Research Projects Agency’s in- tent in sponsoring the original research behind the Internet was to develop Cold War-era systems that could continue to operate even when whole chunks of the network had been va- porized by a nuclear bomb.
Today’s needs are far different. Letting virtualized servers and other network resources pop up anywhere on the net-
work and instantly reroute traffic as they do is far more important than gracefully recovering from router or switch crashes. Large enterprise Wi-Fi networks already make wide use of controller- based architectures, and the SDN con- cept is well proven there. Breaking into the data center and other core enterprise network functions is another matter.
Two major obstacles stand in the way of generalized acceptance of software- defined networks. The first is the ab- sence of a technical specification that describes how hardware vendors should implement the SDN constructs in their products. That problem’s easy to solve, and good progress is being made with the OpenFlow standard, first proposed by Stanford researchers and now on its way to becoming a recognized standard.
The second problem is tougher to solve because it involves convincing the likes of Cisco, Juniper, and Bro- cade—the three vendors of TCP/IP networking equipment to both the enterprise and to carriers and big-data In- ternet companies—that it’s in their in- terests to participate in OpenFlow.
OpenFlow itself doesn’t fully solve
NETWORKING[COVER STORY]
What Are The Most Important Business Goals Delivered Through Virtualization?
2011 2010
52% 40% Ability to deploy IT services faster
51% 52% Disaster recovery
17% 22% Ability to build prototype IT services faster
15% 6% Reduced data center carbon footprint
15% 35% Continuous data protection
13% 8% Ability to use fewer IT staffers in data center
4% 6% Self-provisioning by business units
1% 8% Ability to charge business units for IT resources
Data: InformationWeek Virtualization Management Survey of 396 business technology professionals in August 2011 and 203 in August 2010
the problem of creating a software-defined networking environment, but it adds some important pieces missing from the existing IP network management and control protocols.
First, OpenFlow defines what a controller is and how it can connect securely to network devices that it will control. Second, OpenFlow specifies how a controller will manipulate a switch’s or router’s forwarding table, which specifies how incoming packets get processed and sent on. Previous to OpenFlow, there was no standardized way to directly manipulate the forwarding table, so SDNs were either completely proprietary or functionally handicapped.
What Will Cisco Do? It’s not hard to imagine why industry
heavyweights would be wary of efforts to remove the brainpower from their devices and put it on centralized controllers. That Cisco and other networking vendors enjoy fat profit margins on routers and switches has everything to do with their providing the network hardware, software, and—more often than not—management tools. A fair analogy is the margins earned by Ora- cle/Sun, IBM, and Hewlett-Packard on their proprietary Unix systems vs. the margins on their x86 servers. In the x86 world, Intel, Microsoft, and VMware, not hardware makers, earn the fat margins.
OpenFlow has received enthusiastic support from enterprise-centric networking vendors such as Extreme and NEC, with NEC and startup BigSwitch the first out of the gate with controllers. Both Juniper and Cisco are participating in the Open Network Foundation but have yet to announce products supporting the standard. Bro- cade is an enthusiastic supporter but views telecom carrier networks and very large Internet businesses as the most likely first customers.
At some point, though, the heavyweights may have no choice but to offer OpenFlow-based enterprise products, too. Broadcom and Marvell, which make
the chips for many switches, both support OpenFlow. So whether Cisco likes it or not, enterprise customers will have the option of buying affordable, quality products that support the standard.
OpenFlow doesn’t necessarily doom leaders like Cisco. If Broadcom and Mar- vell become the Intel and AMD for the enterprise switching market, Cisco can recast itself as Microsoft or VMware. No one understands the complex issues of managing traffic like Cisco does, and if it were to position itself as the premier maker of network controllers in an OpenFlow world, its customers would gladly grant it that status. Cisco won’t let another company assume that role. If it doesn’t embrace OpenFlow, it’ll at least try to offer a proprietary equivalent.
However the move to software- defined networks plays out, Cisco in particular has a strong hand to play. Its already tight relationship with VMware and its leadership positions in both storage networking and data networking will make Cisco hard to beat.
The transition to software-defined networks will happen, but predicting the timing is much trickier. There’s no backward compatibility for OpenFlow or any other SDN scheme. Fundamen- tal hardware changes are required to make SDNs perform at high speeds. Cisco paints itself as cautiously enthu-
siastic about OpenFlow. Indeed, if it can see a way to remain the preferred switch vendor with healthy margins, all while supporting OpenFlow, Cisco may see the technology as the magic bullet that forces a networking hardware re- fresh faster than the current five- to eight-year cycle. Meanwhile, other re- lationships are moving ahead. NEC, for example, is developing an OpenFlow virtual switch for use with Windows Server 8 and Microsoft’s Hyper-V server virtualization software.
The final and most unpredictable variable in this equation are network management teams themselves. After being well served for 30 years by Eth- ernet and TCP/IP’s fundamental protocols, they’ll move very cautiously to software-defined networks and centralized controller schemes.
In some environments, where massive data centers and highly parallel throughput server farms are the norm, the transformation can’t happen fast enough. Google, Microsoft, Facebook, and Yahoo are all members of the Open Network Foundation driving Open- Flow. For those with more pedestrian setups, getting comfortable with an SDN will take some time.
Write to Art Wittmann at [email protected].
[COVER STORY] NETWORKING
2.7 Data: InformationWeek 2011 Virtualization Management Survey of 396 business technology professionals, August 2011
Server virtualization
Storage virtualization
Desktop virtualization
I/O virtualization
Network virtualization (e.g., OpenFlow, Cisco Nexus, NextIO, HP)
How important are these virtualization technologies to your company’s overall IT strategy?
1 Not important Very important 5
Virtualization And IT Strategy
(Mean average)
Server virtualization is now a proven practice, creating a cost- effective means of allocating com-
pute resources to changing user and application requirements. But when packets leave the server, they still pass through a traditional switching architecture, which doesn’t have that same level of flexibility.
The goal of software-defined networking (SDN) is to bring the benefits of virtualization—shared resources, user customization, and fast adapta- tion—to the switched network. SDN puts the “intelligence” of the network into a controller or hierarchy of controllers in which switching paths are centrally calculated based on IT-defined parameters, and then down- loaded to the distributed switching architecture.
The cost savings are apparent. The expensive part of a high-end switch is the sophisticated control plane and custom silicon. By moving the control plane to a centralized controller, the architecture can use inexpensive com-
Controller
Switches
Central Network Command
Software-defined networking centralizes the control plane, using a controller through which IT can write and enforce rules for how different types of data are routed. The network keeps a distributed forwarding plane but can use commodity OpenFlow-enabled switches and routers, since the network’s intelligence is in the controller.
By Jeff Doyle
virtualized data center
Is OpenFlow just the latest attempt to centralize network control, or is it something wholly new? People across the industry have been debating whether OpenFlow is really an industry game-changer.
“The ‘new thing’ in my mind is the timing,” says Kyle Forster, co-founder of Big Switch Networks, a startup developing a network controller based on OpenFlow. “The first leg of this is silicon trends—merchant silicon is changing the rules around who makes what. The second leg is supply chain trends. Server vendors must react to the Cisco UCS by expanding into networking. Last, customer requirements are changing. Networks for VMs and for the increasingly disparate types of mobile and embedded devices on a campus LAN are different from networks of five and 10 years ago.” OpenFlow itself is just a definition of instruction and mes-
saging sets between a server-based controller and a group of switches. It’s how the controller uses the instruction set that will determine how disruptive the protocol becomes to the networking industry. Ivan Pepelnjak, chief technology adviser at NIL Data
Communications, has written a number of blog posts (at blog.ioshints.info) questioning whether the expectations being set around OpenFlow are overblown. “I can’t see a single area where a TCAM download protocol—which is what OpenFlow is—can do things that a router or switch could not do. There are things that can be done with OpenFlow that cannot be done with current protocols. But then one has to ask oneself: Why has nobody yet developed a protocol to address those things?” Pepelnjak does see the protocol as a means of consolidat-
ing and streamlining the way networks are controlled. He says OpenFlow will make it easier to implement customized functionality, and it will give third-party software lower-level control in multivendor networks. Forster counters that OpenFlow will make a lot of difficult
networking problems easier to solve. “Automating move-add- change requests, virtual network overlays, multipath forwarding, and automated provisioning are all relatively straightfor-
ward engineering initiatives with an OpenFlow-style centralized control plane,” he says. “While they can be done with a distributed control plane or, practically speaking, with a classic set of networking features and a lot of Expect scripts, these classic approaches tend to be a fragile set of scripts that open up a Pandora’s box of corner cases.” Martin Casado, one of OpenFlow’s developers and currently
CTO of Nicira Networks, says he’s seen some “pretty cool stuff” built on OpenFlow, like network connectivity managed by a high-level language that plugs into an existing, proprietary security framework. The key points are that OpenFlow gives network mangers programmatic control of their networks using industry standards, he says, “using the same distributed system libraries and packages they use to orchestrate the rest of their infrastructure.” Ultimately, the success or failure of OpenFlow—and, more
widely, of software-defined networking—depends on how well controllers integrate with switches and how widely available OpenFlow-capable switches become. “I think we’re a long way out,” Casado says, “before a controller vendor can support an OpenFlow-capable switch without a fairly close partnership between the two companies.” Dave Ward, CTO of Juniper Networks’ Infrastructure Prod-
ucts Group, says the biggest benefit of OpenFlow is giving IT more visibility and control in virtualized data centers. “As end- points move around in the ever-expanding network foot- prints, we think that flexible methodologies are needed to enable and disable certain traffic conditions or to enable and disable certain types of traffic,” Ward says. “Having such functionality via a common interface could prove very valuable for anyone operating an infrastructure that is experiencing high rates of change.” So far, Cisco and Juniper have supported OpenFlow, and Ju-
niper has demonstrated support in some of its products. “The real question about OpenFlow,” Ward says, “is not if it provides additional capabilities in any one device, but whether it can deliver those capabilities across a heterogeneous network.”
—Jeff Doyle
OpenFlow’s Impact: Industry Debate Rages STILL EMERGING
modity switches built with standard silicon. Reducing the cost of each switch by 70% or more, spread across a data center or campus, quickly adds up to real money.
SDN is also about improving performance. A centralized control plane lets companies customize their net-
works without depending on or coor- dinating different vendor operating systems. Networking pros can quickly change what data types get forwarding priority, as business requirements change.
The first step toward SDN is to define a messaging protocol between the
controller and the individual switches making up the forwarding plane. This is where the emerging OpenFlow networking standard comes in. OpenFlow enables open, virtualized, and programmable networks. Each of these elements is key.
Open: The standardized instruction
set means any OpenFlow controller can send a common set of instructions to any OpenFlow-enabled switch, re- gardless of the vendor.
Virtualized: IT can specify different forwarding rules for different data types, creating multiple logical forwarding paths over the same physical network, depending on the needs of a particular app.
Programmable: The still-evolving OpenFlow instruction set lets IT create rule sets that work in combination with a switch vendor’s configuration options, or independent of them. With its roots in academic research networks, OpenFlow lets users try new ideas or create new protocols independent of any vendor. Most important, IT can program a network for specific application requirements.
Roots Of Network Virtualization The separation of the control plane
from the forwarding plane isn’t new with OpenFlow. It has been used in the design of high-end routers since the mid-1990s and telephony switches long before that. The initial motivation was to protect each switch element from a degradation in another: A very busy route processor doesn’t hurt forwarding performance, and peaks in network load don’t pull processing resources away from the control plane. Significantly, that separation—first within a single chassis, and more recently with a single processor controlling multiple switching fabrics—provided an environment for the development of high-availability features.
Multiprotocol label switching (MPLS), another key technology in modern networks, also has features that relate to this trend, since it builds an “intel- ligent” access layer around a relatively dumb but high-performance network core. That structure enables the creation of flexible, innovative services over a homogeneous backbone. MPLS also reflects a trend in networks simi-
lar to what we’re seeing in server virtualization: A single physical network uses a logical component—MPLS—to allow the overlay of multiple virtualized network services.
What’s new and different with OpenFlow is that, in theory, it could work with any type of commodity switch.
Operating in the gap between a centralized control plane and a distributed forwarding plane, OpenFlow defines a protocol that lets a controller use a common set of instructions to add, modify, or delete entries in a switch’s forwarding table. An instruction set might not sound like a technology breakthrough, but it’s all about what people do with that instruction set, says Kyle Forster, co-founder of Big Switch Networks, a startup building networking products based on the OpenFlow standard. If you read the x86 server instruction set, it “isn’t obvious that you could build Linux, Microsoft Word, or the Apache Web Server on top,” Forster
says. “I think OpenFlow is the same way. It isn’t about the basics. It’s all about the layers and layers of software built on top. That is where the benefits are going to be felt.”
Origins Of OpenFlow OpenFlow began at Stanford Uni-
versity, under professors Nick McKe- own, Martin Casado, and others. Their goal was to create an environment in which researchers could ex- periment with new network protocols while using the campus’s production network. It let researchers try out those protocols in a realistic environment without the expense of building a test network or the risk of blowing up the campus network and disrupting production traffic.
The first consideration for using OpenFlow outside of academia was to scale bandwidth in massive data centers. Forster calls this the “million- MAC-address Hadoop/MapReduce” problem. For uses such as Google’s search engine, parallel processing of massive data sets takes place across clusters of tens or hundreds of thousands of servers. For such big data applications, “it doesn’t take much back- of-the-envelope calculating to come to the conclusion that a tree-based architecture will require throughput on core switches/routers that simply can’t be bought at any price right now,” Forster says.
Interest in OpenFlow has since expanded to cloud computing and virtualized services companies. Earlier this year, six companies—Deutsche Telekom, Facebook, Google, Mi- crosoft, Verizon, and Yahoo—formed the Open Networking Foundation (ONF) to support development of SDN and, by extension, the Open- Flow protocol. ONF now has more than 40 members, mostly vendors, which pay $30,000 a year to fund development of the standard.
The version of the OpenFlow specification in most widespread use is ver-
Oct. 17, 2011 41
Get This And All Our Reports—Free
Sign up for a free membership with InformationWeek Reports and get our full report on OpenFlow and software- defined networks at informationweek.com/reports/openflow
This report includes additional analysis, an in-depth tutorial on the OpenFlow protocol, and seven diagrams illustrating software-defined networks.
sion 1.0.0, which in December 2009 defined three components: controller, secure channel, and flow table.
The newest version of the spec, 1.1.0, released in February, adds two more components: group table and pipeline (see diagram, right).
The controller is of course the control plane, and it provides IT pro- grammabil i ty to the forwarding plane. The controller manages the forwarding plane by adding, changing, or deleting entries in the switches’ flow tables.
The controller manages the switches across a secure channel. “Secure channel” is in fact slightly misnamed, since it doesn’t provide any security on its own. While the channel is normally authenticated and encrypted using Transport Layer Security, it can be simple unsecured TCP. Imple- menting an SDN architecture using unsecured communication channels is utter folly, of course, but it can be done. Also, messages across the secure channel are reliable and ordered, but aren’t acknowledged and there- fore aren’t guaranteed.
Who Needs It While the most intense interest in
OpenFlow is in large-scale data center applications, there’s already spec- ulation about how OpenFlow-based SDNs can benefit other industries. The fact that Deutsche Telekom and Verizon are among the founders of the ONF provide some hints at next applications.
In mobile networks, OpenFlow can help solve a notoriously hard problem in IP: monitoring, metering, and serv- icing user traffic. In service provider networks, OpenFlow may provide a more workable alternative to MPLS traffic engineering.
More broadly, the ability of a network operator to create custom functions ap- plicable to its own network, and then apply those functions to switches from
multiple vendors, is the true promise of SDNs. Technology users have always found surprising ways to use the tools available to them, innovating from the bottom up rather than limiting themselves to top-down vendor systems. An open instruction set could accelerate that innovation.
OpenFlow version 2.0 is in the works, bringing with it a generalized networking instruction set, as well as a standardized API to the network operating system that’s planned for 2012 release. That upgrade would make it easier for third-party network management systems and data center provisioning tools to interact with Open- Flow controllers. Manufacturers of commodity switches, including Hewlett-Packard and Extreme Net- works, are starting to line up behind OpenFlow and SDNs, as are new vendors such as Nicira Networks and Big Switch Networks that are focused on network control systems.
OpenFlow has the right combination of industry and academic backing
to ensure that its development and evolution continue. It has the potential to turn the networking world on its head by disrupting the market positions of high-end router and switch vendors, including Cisco and Juniper. Or those vendors have the potential to turn this trend to their advantage (see related story, p. 33).
While still in its infancy, OpenFlow has already been used to demonstrate fixes to old problems. Conventional Ethernet switching architectures have long been stuck in inefficient, inflexi- ble tree structures. Those don’t look sustainable for a lot of what companies will want to accomplish. Open- Flow can be expected over the next few years to change the landscape of large data center and enterprise campus networks.
Jeff Doyle specializes in IP routing protocols, MPLS, and IPv6 and has designed large-scale IP service provider networks. You can write to us at [email protected].
The OpenFlow Model
Flow Table 0
Flow Table 1
Group Table
This diagram shows the OpenFlow 1.1.0 components, including a controller to program the switches, a secure channel to communicate with switches, flow tables that maintain the directions for the forwarding plane, and the OpenFlow protocol.
What’s the most danger- ous threat to your virtualized systems? Hint: it’s not the latest zero-day exploit. The most pressing risk is IT staff who have full privileges in these systems. Take the February 2011 attack by an
IT employee who’d been laid off from a pharmaceutical company. The ex- employee logged in remotely and deleted virtual hosts that ran the company’s critical applications, including email, financial software, and order
tracking. The company sustained about $800,000 in losses from a few keystrokes, the FBI says. We’re not saying your administrators
will go rogue, but our September 2010 survey on virtualization security found that access to virtualization systems is fairly widespread: 42% of respondents say administrators have access to guest virtual machines. It only makes sense to take precautions, such as security monitoring, so that one person,
whether maliciously or inadvertently, doesn’t bring down critical apps and services. Virtualized systems make it harder
to manage risk, but sensible security practices still apply. Here are four steps to help you protect virtual assets and respond to threats and incidents.
1. Secure Layers Virtual environments are made up of
layers, so you’ll want to implement security controls at each layer within the virtual architecture, including controls that you already have in your environment. For example, at the virtual switch layer, redirect traffic out to a firewall or an intrusion prevention system to monitor traffic. Alternatively, use a virtual firewall within the VM cluster. The primary virtual layers to address
include the hypervisor and guest operating systems, the virtual network that connects VMs, the physical network, the virtualization management system, and physical storage of VM images.
2. Define And Document You can’t place security controls
around elements you don’t know are
Virtualization Security Checklist
Yes No 42%
Don’t know
8%
41%
9%
Four steps to a more secure virtual infrastructure
By Michael A. Davis
Oct. 17, 2011 45
[VIRTUALIZATION SECURITY]
there. Thus, it’s vital to have accurate, up-to-date information on your virtual environment. That means being able to identify the components in your virtual infrastructure. Make sure you document the primary functions of these components and their owners and administrators. It’s also critical to understand how
data traffic flows through your infrastructure, because the type of data will determine which controls are needed. For example, most companies take ex- tra steps to secure virtual database servers that store critical business data. However, your backups also have copies of this confidential data. Track data flows from start to finish to identify critical areas where additional security measures are needed.
3. Restrict And Separate Access control and authorization are
core security functions, particularly for virtual environments, where control over a single hypervisor can also mean control over the multiple virtual machines that run on top of that hypervisor. As in the physical world, administrator access to systems and their authorization to perform specific functions should be as specific as possible. Every administrator in your shop doesn’t need to be able to spin up, modify, and shut down every virtual server in your data center. Log- ging is another critical security func- tion. It lets you monitor and track all the activities that take place within the virtual environment. The management consoles from the
major hypervisor vendors provide de- cent role-based access controls that restrict administrators’ permissions to perform basic tasks, and you should take advantage of these capabilities. However, these management consoles don’t validate change requests, log all changes, and implement capabilities such as two-factor authentication. For that, you’ll need third-party soft-
ware from vendors such as HyTrust and Catbird, which provide additional
controls, such as change management. With these controls, major changes can’t be made to critical systems without authorization from another administrator in addition to the one request- ing the change. These third-party tools can also split functions among different IT groups. For instance, the IT security team can be put in charge of managing the logs from the virtualization man-
agement console instead of the server administrators. This separation of duties means no single administrator can modify or disable systems undetected.
4. Secure The Virtual Network The virtual network has the same
problems as the physical one, including the potential for man-in-the-middle at- tacks, in which compromised VMs in- tercept traffic between other VMs. To prevent these, it’s important to take advantage of the security features in your virtual switches. Most virtualization vendors let you set up VLANs that can seg- ment network devices and traffic based on security and management policies.
However, the virtual switch you have in place may lack advanced security and monitoring features of physical switches. For instance, a physical switch lets you create private VLANs, which allow for additional segmentation (think of a VLAN within a VLAN), but many virtual switches don’t support this feature. Vir- tual switches may also lack the ability to provide netflow data, which can be used
for performance monitoring and attack detection. Do your homework to see if you need a third-party virtual switch that provides these advanced capabilities. If you can implement only one of
these steps at the outset, focus on access control and separation of duties. Most companies have procedures and tools in place to control access to physical systems, and these can be applied directly to virtual environments. Virtualization’s risks and challenges can be countered with common security practices.
Michael A. Davis is CEO of Savid Technologies. You can write to us at [email protected].
3.4
3.2
3.0
3.0
2.9
2.8
Data: InformationWeek 2010 Virtualization Security Survey of 684 business technology professionals, September 2010
Interception of communication from virtual desktops and their clients (man in the middle)
Creation of rogue or undocumented guest VMs
Penetration of a guest VM that contains confidential data
Penetration of the hypervisor management system
Access by an attacker to the hypervisor, which provides access to guest VMs
Infection or modification of VM images that affect future VMs
VM-to-VM infection or attack
3.1
3.0
(Mean average)
Oct. 17, 2011 47informationweek.com
R emember the notorious DLL Hell problem? About a decade ago, before the ad- vent of the .NET platform,
most applications were based on dynamic link libraries, and multiple apps often shared DLLs. At that time, DLLs were identified primarily by name, and version info often wasn’t recorded properly. If a new application inadvertently re- placed a shared DLL component, other apps that used that component would break. The solution to this problem came with the .NET platform and Global Assembly Cache, which gives registered components strong names that contain details such
as version and author information. With this problem solved, developers now are grappling with a new one: the third-party DLL Hell. In the beginning of the .NET era, applications used only a few commercial third-party libraries, mostly for user interface needs. The number of these components per application was low, and managers knew which ones they were because they had to pay for them. Today, many more high-quality, third-party components are available.
In addition to top commercial suites of user interface controls, you’ll find quite a few well-done, free open source libraries. Increasingly, .NET software projects are based on a variety of third-party components. On average, a project can use six or seven of them. For example, an ASP.NET MVC project may have an IoC framework, a mocking library, ELMAH or something similar for error handling, perhaps the Mi- crosoft Enterprise Library, DotNe- tOpenAuth for authentication against social networks, NHibernate or some Entity Framework extensions, jQuery and friends, maybe some other facilities for mobile and HTML5 views and
client-side validation. The list goes on and on. There are two problems with third- party components. Companies must ensure that developers can only use an approved set of libraries. And developers face the problem of repeatedly going through the same (often cumber- some) configuration procedure for a given library—a frustrating and time- consuming operation. Referencing some of these third- party components isn’t as easy as referencing an assembly. More often than
not, you must first download binaries to the development machine and then browse your hard disk in order to reference them in the new project. Sometimes you must repeat the operation for multiple assemblies. And sometimes you also have to enter changes in the configuration file of the .NET application and add ad hoc source files to the project. With few exceptions, referencing a third-party component is painful.
Free Package Manager NuGet is a free package manager application aimed at making it easier for developers to reference third- party libraries from within a Visual Studio project. NuGet provides a command line and GUI front end so packages can be quickly installed and uninstalled. It acts as a host for up- loaded packages and lets developers discover them by name and tag-based searches. Integrated in Visual Studio 2010, NuGet lets developers reference a commonly used third-party library with one click. You open the package manager, scroll the list of available packages, pick up the one you’re looking for, accept the license agreement (set by the package author, not Microsoft), and download. Each NuGet package contains files (sources, data, help, and binaries) to be added to the Visual Studio project and instructions for the manager. Once the download is complete, the
Read more about Windows development at drdobbs.com/windows
DLL Hell Redux One way around the latest dynamic link library problem By Dino Esposito
NuGet saves developers time and ensures that they only access an approved set of libraries.
package manager Xcopies the files and sets up the project as appropriate. This means, for example, that assemblies in the package are added to the list of existing project references, and changes required to the configuration file are merged with the current configuration file. In a couple of clicks, you’re set. NuGet definitely saves time.
Vibrant .NET Community According to Phil Haack, one of the NuGet architects, the utility’s primary goal is to foster a vibrant .NET open source community by simplifying the way in which .NET developers share and use open source libraries. In this regard, NuGet was a great success. Launched less than a year ago, it’s one of the most compelling
open source projects. A large and growing number of .NET developers use it, and just the fact that adding a dependency is so easy represents a good reason to add more third-party components and libraries. (I think this is similar to what happened in the ’90s with Visual Basic and VBX components.) Companies often put strict bound- aries around which frameworks and libraries their developers can use, and they often designate a select group of people to approve the third- party components that can be used. Open access to NuGet’s repository doesn’t necessari ly break these policies. NuGet package managers read the feed of available libraries from a Mi- crosoft website where developers can
upload custom packages for others to use. And, unlike the Apple App Store and Windows Phone 7 marketplaces, there’s no approval workflow for sub- mitted packages. NuGet can be configured to point to a shared folder on the intranet, letting a company have its own local NuGet installation. Developers enjoy the benefits of NuGet, while managers ensure that developers access only an approved set of libraries. In addition, you no longer need to produce internal documentation on how to locate and install approved libraries.
Dino Esposito is the author of a number of books about Microsoft pro - gramming technology. Write to us at [email protected].
[DR. DOBB’S M-DEV] WINDOWS 8
Every 10 years or so, Microsoft informs its programmer community that it’s radically chang-
ing platforms. In the early 1990s, it moved developers from DOS-based APIs to Win32 by forcing them through a painful series of API sub- sets: Win16 to Win32s and Win32g to Win32. In the early 2000s came the push to migrate to .NET. Now comes a new migration: to Windows 8’s constellation of new technologies announced at the Build conference in September. In both the Win32 and .NET migrations, Microsoft supported backward compatibility. But by changing the UI, limiting updates, and providing dimin- ished support, Microsoft obliged companies to either rewrite their existing code or, at least, write future code for the preferred platforms. The costs of these past migrations have been enormous and continue to
accumulate, especially for sites that, for one reason or another, can’t migrate applications to the new platforms. (Those that can, of course, still bear the price of migration, but presumably this is a one-time cost.) At least the migration from DOS to Win32 had compelling motivators: a GUI interface and a 32-bit operating system. The migration from Win32 to .NET had a less obvious benefit: so- called “managed code,” which in theory eliminated a whole class of bugs and provided cross-language portability. It’s not clear that the first benefit war- ranted rewriting applications, nor that the second one created lasting value. The just-announced Windows 8 technologies are for writing “Metro” apps. (All previous software is now grouped into the legacy category of desktop apps.) Metro apps have a wholly new UI derived from Microsoft’s mobile offerings and intended to look
like kiosk software with brightly col- ored boxy buttons and no complex, messy features like dialog boxes. Metro UIs can be written in HTML5 and CSS, or by using an XML-like interface definition called XAML. UIs written in HTML5 and CSS run on a JavaScript engine; those using XAML talk directly to a new OS library, called Windows Runtime, principally using C/C++. Desktop apps can still be written in .NET and use Silverlight, for example, but Microsoft hasn’t put forth a long- term road map for these suddenly legacy technologies. It has strongly hinted, though, that the future will look more like Metro and that developers must get on board. Given the lack of stated benefits, however, it’s hard to see how or why they should go with the new paradigm, or even why they should care.
—Andrew Binstock ([email protected])
Windows 8 And Developer Madness Get ready for another costly migration
S erver virtualization has been a boon for IT, but it creates challenges for the network. Virtual- ization reduces the number of
physical servers, but it snowballs the number of virtual and network devices. That causes networking issues because, from a switching perspective, there’s little difference between a virtual network port and a physical one.
This paradox of server simplicity vs. network complexity is analogous to what would happen if thousands of commuters gave up their individual cars for shared minivans, with each passenger going to a different destination. While this would reduce the number of vehicles on the freeway, it doesn’t reduce the number of trips— the driver still must crisscross town dropping off passengers at their offices.
Ride sharing also complicates the routing calculus. Instead of each com- muter finding the quickest path between home and office, the van driver must optimize the pickup and delivery schedule to minimize drive time and distance.
Likewise, many of the switching problems that come up with virtualization have to do with performance and management complexity.
For example, aside from merely increasing the number of network devices, virtualization adds tiers to the switching fabric, increasing latency, power consumption, and complexity. The consolidation of virtual machines on physical servers also affects switching scalability and performance. A hypervisor virtual switch with a workload of 10 to 15 VMs per system extracts a modest overhead of about 10% to 15%,
but that figure that will undoubtedly increase when handling scores of VMs.
Other problems include management and security complications. As more traffic is switched within the hypervisor, traditional network monitoring and security tools lose visibility into a sig- nificant amount of network activity.
Problem Solvers Two new IEEE standards projects
aim to help with these and other problems. Both are amendments to the base IEEE 802.1Q VLAN tagging standard.
The more mature project is 802.1Qbg Edge Virtual Bridging. It’s designed to let multiple VMs share a common port while obtaining services from an external bridge (that is, an edge switch acting as a reflective relay). Normally, Ethernet frames aren’t forwarded back out of the same interface they came in on. This action, called hairpinning, causes a loop in the network at the port. EVB provides a standard way to solve hairpinning. It’s a simple protocol extension that can be implemented on existing hardware with a software upgrade to the switch and hypervisor.
Meanwhile, the 802.1Qbh Bridge Port Extension project tackles policy management. The Qbh port extension standard adds a tag, much like standard VLAN tags, allowing network flows to be mapped to specific VMs and followed as those VMs move about the network.
New technology and standards are emerging to address many of the issues raised by virtualization’s impact on the network, but companies must ensure that virtualization’s benefits in one sec- tor don’t turn into problems in another.
While the journey toward a highly virtualized infrastructure will be long, and at times arduous, the result will bring the enterprise to new levels of performance, reliability, agility, and efficiency.
Kurt Marko is a 15-year IT veteran. Write to us at [email protected].
Virtualization Vs. The Network Server VMs create new switching and security problems By Kurt Marko
[NETWORKING]
Get This And All Our Reports
Our full report on networking and virtualization is free with registration. Download it at informationweek.com/reports/netvirt
This report includes 16 pages of action-oriented analysis and 6 illustrative charts.
What you’ll find:
> Insight into solutions to these problems
> A detailed discussion of forthcoming standards
Amid continued economic upheaval, is the U.S. losing its lead when it comes to IT innovation? Not according to the
Economist Intelligence Unit, whose 2011 IT Industry Competitiveness Index shows the U.S. extending its lead over the 65 other countries in its biennial ranking. The EIU study explores the proficiency of
countries in six categories: overall business environment, IT infrastructure, human capital, R&D environment, legal envi

amid new apps and virtualization, here’s how you’ll take

Documents