One of the great web application successes of the past few years is Salesforce.com – once ahead of its time but now a model application/SaaS for the future.
Salesforce.com is used to manage customer information and sales opportunities. Certain uses and workflows may not benefit from optimization technologies. There are many use cases, however, where large amounts of data are transferred, and, often, on a repetitive basis. Reporting dashboards are commonly accessed by multiple users; in addition, data dumps, documents and other large queries and downloads are also common (and can be the most performance constrained use cases of Salesforce.com). For this reason the ability to optimise this kind of environment is critical from our perspective. We created a secure (https) connection across the Internet as before and carried out a series of file transfers using a variation on our file set, including text, Excel, Word, PowerPoint and .csv file types.
Figure 35 – Branch Directly Connected to Cloud via Internet: Cold Run
Looking at the cold runs first, we see that the Blue Coat device largely dominates in terms of best results. Obviously the compression options from Blue Coat are working especially well on the text file here.
Moving on to the warm results, we can see that only the Blue Coat technology was capable of actually accelerating from the cold runs, with everything being accessed instantly, while Riverbed shows no optimisation whatsoever.
This can be explained only by Blue Coat’s ability to decrypt (then re-encrypt) the SSL traffic stream here at the edge and take immediate advantage of its object cache on the branch device. Since it doesn’t require the head end device to be always in place to decrypt SSL traffic (i.e. to know the private keys at both ends of the connection) it can therefore intercept and optimise that traffic. The Riverbed solution is clearly unable to do this – something that is well documented already.
Figure 36 – Directly Connected to Cloud via Internet: Warm Run
Riverbed’s usual argument here is that terminating SSL before re-encrypting is fundamentally insecure. However, the Blue Coat argument seemed to stand up during our testing because the last hop from its SG600 to the client is using a known certificate with a known trust relationship. In general, if “unknown” parties are terminating SSL upstream from the client, then it is insecure.
If “known” parties are terminating SSL upstream from the client, and that termination point is a trusted entity within your organisation with a verifiable chain of trust, then it is just as secure as a regular SSL connection.
SUMMARY & CONCLUSIONS
The networking world is changing; the cloud, virtualisation and cloud/software-as-a-service applications are growing fast in adoption – and so are the requirements to optimise them.
As such, while classic CIFS and FTP-type WAN optimisation is still important, it is quickly being overtaken by a new wave of applications such as secure web applications, collaborative environments and – finally – the onslaught of video.
To see if the current crop of WAN optimisation hardware is capable of delivering on these requirements, we tested comparable products from the leading WAN optimisation vendors: Blue Coat (MACH5 SG600) and Riverbed (Steelhead 1050).
We created a test bed using real traffic across a simulated WAN link (using typical bandwidth and latency settings). Our application selection for testing was based on typical modern usage patterns and included video, WAFS/file transfer, FTP, email, SharePoint collaboration, BPOS and Salesforce.com.
We found that, when testing with traditional applications such as CIFS and FTP, performance between these vendors was relatively even with some small advantages for each vendor in different situations. Again, with SharePoint, Riverbed lagged slightly behind Blue Coat. Our email test also showed even performance, with each vendor claiming a small advantage over the other in specific conditions.
We tested BPOS, Microsoft’s cloud-delivered MS Office over Internet, with symmetric WAN optimisation (this assumes data travels onto the Internet link, across the data centre WAN optimisation device, then across the WAN to a branch). With traffic backhauled through the data centre, the cold run results were reasonably similar between both vendors. What is more interesting, however, is that when BPOS was accessed from a branch office directly via the Internet, Riverbed could not provide any optimisation. Blue Coat, however, showed extensive performance and bandwidth improvements with just the single appliance.
Looking at another cloud application over a secure (SSL) Internet environment, our Salesforce.com testing highlighted a significant limitation of the Riverbed technology that Blue Coat is able to overcome. Only the Blue Coat product was capable of actually accelerating this type of traffic, with everything being accessed instantly, while the Riverbed showed no optimisation whatsoever. This can be explained only by Blue Coat’s ability to decrypt (then re-encrypt) the SSL traffic stream at the branch. Since it doesn’t require the head end device (data centre WAN optimisation controller) to be always in place to decrypt SSL traffic (i.e. to know the private keys at both ends of the connection) it can therefore intercept and optimise that traffic, while the other could not.
The Riverbed solution is clearly unable to do this – something that is well documented already. Riverbed’s usual argument here is that terminating SSL before re-encrypting is fundamentally insecure. However, the Blue Coat argument seemed to stand up during our testing because the last hop from its SG600 to the client is using a known certificate with a known trust relationship.
In general, if “unknown” parties are terminating SSL upstream from the client, then it is insecure. If “known” parties are terminating SSL upstream from the client, and that termination point is a trusted entity within your organisation with a verifiable chain of trust, then it is just as secure as a regular SSL connection.
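The "known" versus "unknown" distinction drawn here and in the Salesforce.com test section comes down to whether the certificate presented on the last hop chains to a CA the organisation itself controls, which a client can check. The following is an added example, not part of the original report or either vendor's tooling; the CA names, hostname and file names are constructed, and it assumes the `openssl` command-line tool is installed with its default configuration.

```shell
#!/bin/sh
# Constructed lab PKI: every name and file below is made up for this example.
WORK=$(mktemp -d)

# make_ca <name>: self-signed CA standing in for a party that terminates SSL.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_leaf <ca> <host> <out>: the certificate a terminating device presents
# to the client on the last hop after it has re-encrypted the session.
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$3.csr" -days 1 \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$3.pem" 2>/dev/null
}

# classify_termination <trusted-ca.pem> <presented.pem>
# Prints "known" if the presented certificate chains to the organisation's
# CA, "unknown" otherwise. Only the chain is checked here, not the hostname.
classify_termination() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo known
    else
        echo unknown
    fi
}

make_ca org-proxy-ca        # CA the organisation installed on its clients
make_ca unknown-ca          # CA of some other party upstream of the client
issue_leaf org-proxy-ca app.example.test branch
issue_leaf unknown-ca   app.example.test upstream

# Same hostname in both certificates; only the issuing CA differs.
classify_termination "$WORK/org-proxy-ca.pem" "$WORK/branch.pem"
classify_termination "$WORK/org-proxy-ca.pem" "$WORK/upstream.pem"
```

Both certificates carry the same subject name, so the client's only basis for telling them apart is the trust anchor it validates against.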
In the fastest growing, and arguably biggest component of network traffic today – video – Blue Coat dominated. On a link that was fully saturated at 20 concurrent clients, Blue Coat was able to service 500 streams compared to Riverbed’s modest improvement of 30 streams. On average, Blue Coat was drawing only 6kbps per stream, compared to Riverbed’s 200kbps, an almost 30x advantage for Blue Coat. Even then the SG600 was using minimal bandwidth. R&D investment in specialised video technologies here has clearly paid off.