Shaping Info Security - 2006 - NetContinuum Team

Prasad Vellanki, Rajan Nagarajan, Hemanth Ravi, Hong Cho, Subrahmanyam Ongole, Shridhar Raman, and Vasan Srinivasan - Architecting a Highly Secure, High Performance Proxy for Web Application Security and Acceleration

Challenge: NetContinuum sales and marketing had identified a customer problem: customers wanted to deploy high value business transactions directly over the web, but they knew their apps were vulnerable to new attacks like SQL injection and cross-site scripting. Lead architects at the customers' data centers wanted a proxy that could inspect for these types of attacks embedded within user sessions. The problem was that no proxy available on the market could do this with low latency, high transaction rates and data center availability features. Customers were asking for a high performance, highly reliable, comprehensive application security solution.

The NetContinuum marketing team documented the customer requirements and determined that large data centers required about 20,000 transactions per second of fully inspected, secured and managed HTTP sessions at less than 3 milliseconds of latency. The hard part was that EACH SESSION would require a complete inspection against modern application attacks, which demands significant processing capacity.

As the engineering team began understanding these requirements and combing the marketplace for technology to build on, it became clear that no existing proxy code, open source or commercial, could meet them. Thus began a 3 year project to design, build and productize a high capacity, low latency application proxy.

Technology
Prasad Vellanki
Prasad Vellanki's team: Shridhar Raman, Hemanth Ravi, Hong Cho, Prasad Vellanki, Rajan Nagarajan, Subrahmanyam Ongole (from left to right)

It's 2001 and Prasad Vellanki had just joined NetContinuum as the new VP of Engineering. After recruiting and organizing the key team members, he set out to construct the high performance application proxy documented by the marketing team through their customer and market research.
The first step was to analyze the technology that might be available to build on. The team reviewed source code, processor technology, SSL technology and patent information, hoping to find a core TCP and HTTP termination engine that could serve as a building block for the new product. No silver bullets were found, but a few key conclusions emerged.

The first was that SSL cryptographic chips were coming to market that could handle high transaction and throughput rates. This meant the team could build on that capability and focus more effort on the application security and throughput aspects of the engineering problem. However, it was clear that SSL would have to be tightly integrated with the end-to-end solution in order to keep latency low.

The second realization was that standard processors were getting very fast and that multi-core CPUs were coming to market that could easily be built into appliances. This was an important realization: a high performance proxy requires significant processing resources. The system needs to terminate TCP, terminate SSL (offloading the crypto processing to a co-processor), inspect the session for attacks using regular expression (REGEX) matching, load balance the session, compress the session, switch the session based on content parameters and finally log each transaction, ALL IN LESS THAN 3 milliseconds. Clearly a high performance processor could do this one session at a time, but how about across 20,000 new transactions per second?

It became clear to the team that a software system capable of leveraging the high performance multi-core roadmaps of Intel and AMD would need to be constructed; the latency and transaction rates called for by the market requirements left no other option. Building on standard CPUs would also have a tangible side benefit: product scalability. The company would be able to build a wide range of price/performance appliances from the same binary simply by leveraging the wide range of processors available. AMD was chosen for its 64-bit architecture and wide price/performance range.

Tasked with the performance goals laid out by market development research, Prasad Vellanki and Rajan Nagarajan set out to architect a solution. To meet the performance challenge they came up with a lightweight threading environment. Essentially, each new session would get a dedicated thread for TCP termination, with additional threads spun out for REGEX security processing and further traffic management. This would accomplish two key goals: low latency and high transaction rates. The threading system was ported directly onto the AMD chips, eliminating standard Linux latency, so new threads could be spun up with very low overhead. High transaction rates could be achieved by leveraging the AMD multi-core Opteron CPUs. This combination of low overhead threading and fast multi-core processors has become the core engine of the NetContinuum product line. The software environment has been named NCOS and is at the heart of every NetContinuum Application Proxy.

With the core software platform completed, next came the task of creating a usable product. The customers wanted an application security product that could be dropped into production environments without changing any network architecture or application source code. They also wanted the product to be very easy to use. These requirements drove a number of product features that needed to be developed.

The first of these new product features was the application security capability of examining each inbound and outbound session for any type of attack. Hemanth Ravi was tasked with this challenge and constructed a novel approach that applies Regular Expression (REGEX) matching to screen each session's content. Due to the variability of HTML content, this was quite a project: details of forms, parameters, scripting content and the various HTTP PUT and GET scenarios had to be considered in order to build a truly comprehensive protective capability.
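As an added illustration (not NetContinuum's code), here is a minimal Python sketch of the per-request screening the pipeline and REGEX passages above describe: parse the HTTP request's query and form parameters, run a small regex rule set over each value, and time the work against the 3 ms budget. The rule patterns, rule names and sample requests are constructed for this example and are not the product's rule base.

```python
import re
import time
from urllib.parse import parse_qsl, urlsplit

# Constructed detection rules in the spirit of the article's REGEX screening;
# the pattern set is illustrative, not NetContinuum's rule base.
RULES = [
    ("sqli-union", re.compile(r"(?i)\bunion\b\s+(all\s+)?select\b")),
    ("sqli-tautology", re.compile(r"(?i)'\s*or\s+'?\d+'?\s*=\s*'?\d+")),
    ("xss-script-tag", re.compile(r"(?i)<\s*script\b")),
    ("xss-event-handler", re.compile(r"(?i)\bon(load|error|click)\s*=")),
]

LATENCY_BUDGET_S = 0.003  # the 3 ms per-transaction budget quoted in the article


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, path, headers and parameters."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = parse_qsl(url.query, keep_blank_values=True)
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    return {"method": method, "path": url.path, "headers": headers, "params": params}


def inspect_request(raw: bytes) -> dict:
    """Run every rule over every parameter; return verdict, hits and time spent."""
    start = time.perf_counter()
    req = parse_request(raw)
    hits = [(rule_id, name) for name, value in req["params"]
            for rule_id, pattern in RULES if pattern.search(value)]
    elapsed = time.perf_counter() - start
    return {"verdict": "block" if hits else "allow", "hits": hits,
            "elapsed_s": elapsed, "within_budget": elapsed <= LATENCY_BUDGET_S}


# Constructed sample requests (not captured traffic)
BENIGN = b"GET /search?q=opteron+pricing HTTP/1.1\r\nHost: app.example\r\n\r\n"
SUSPECT = (b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
           b"user=admin&pass=x%27+or+%271%27%3D%271")
```

The `within_budget` flag is what a production proxy would track per transaction; a rule set that pushes it to false at 20,000 requests per second is the signal that the regex work needs to move to additional threads or cores, as the article's threading design does.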

Next, SSL had to be integrated into the system. After all, cryptography can mask an incoming attack just as it scrambles user data, so each session would have to be decrypted before it could be examined. Hong Cho was tasked with the SSL integration. The team chose the Cavium Networks chip set, but SSL still had to be carefully tied to the TCP protocol stack. The net result yielded extremely low latency SSL decryption as well as high transaction rates.

Customers had also requested network layer firewall capability as well as load balancing, content switching and application acceleration features. Subrahmanyam Ongole and Shridhar Raman built up these capabilities. The engineers realized they could build a fully ICSA compliant stateful inspection firewall because they had full control over the TCP protocol code. They coded in all of the needed NAT, ACL and logging capabilities, and to date NetContinuum is the only dual certified (network and application) firewall product on the market. Adding in the traffic management capabilities (load balancing, content switching, caching and GZIP compression) was the next step. This was a lot of work and a lot of quality assurance testing to make sure it was all done well.

And finally, the overall system had to be easily manageable, including easy initial installation, real time security status monitoring, and easy ongoing system maintenance. Vasan Srinivasan and his team built up the NetContinuum Management System GUI and Dashboard. The team chose a unique architecture of a distributed Java implementation which enables the system managers at customer sites to easily control multiple distributed systems.

A final comment: the number one requirement coming from the customers was reliability. End user access to the mission critical applications they were trying to protect must always be available. The development team invented a unique “stateful application failover” capability such that, in the event of a hardware failure, no system state is lost and users carry on with no outage time.

NetContinuum Web Application Firewalls and Gateways are now installed and operating at over 150 customers. The products are all built around the NCOS Application Proxy software. Customers universally praise the low latency and strong security checking delivered by the products helping them to successfully operate high value business transactions right across the public Internet.  

But possibly more intriguing are the trends we see in customer implementations and product usage. First, the concept of a proxy and the control it delivers to the data center operators is fully taking hold. The full data center team (architects, operators, security specialists and auditors) seems to be rallying around the application proxy as a best practice in securely operating mission critical applications.  

Second, customers are taking full advantage of the richness of capability available on the proxy. Although their initial interest in NetContinuum is primarily the added application security we deliver, once the system is in production, customers begin to see the added benefit of using the application acceleration and traffic management capabilities available on the proxy. Invariably, customers begin to turn on these non-security features to simplify the overall task of operating their applications. We see this as a strong market vote for simplified data center architectures because they lower the total cost of running mission critical applications. We also see that the core NCOS technology created by our development team has been the right investment for our customers. The marketplace demands low latency, high throughput application session processing combined with many simultaneous features applied to each session. This is exactly the platform and product line delivered by the NetContinuum development team!

NetContinuum
1705 Wyatt Drive
Santa Clara, CA 95054 USA
Toll-free: 1-888-442-3671
Tel: 1-408-961-5600
Fax: 1-408-986-8997

Copyright © 2006 Silicon Valley Communications - All rights reserved.