1 / 25

Do your Web-Applications Deliver on Expectations? SVWG November 2003

Do your Web-Applications Deliver on Expectations? SVWG November 2003. Agenda. Framework Key Enterprise Challenges Comprehensive Testing Helps Summary. Internet . Router. Perimeter Security. IDS. Firewall. Enterprise Intranet . Firewall. SSL. SLB. Finance . Server Farm .

owen
Download Presentation

Do your Web-Applications Deliver on Expectations? SVWG November 2003

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Do your Web-Applications Deliver on Expectations?SVWG November 2003

  2. Agenda • Framework • Key Enterprise Challenges • Comprehensive Testing Helps • Summary Do not redistribute without permission

  3. Internet Router Perimeter Security IDS Firewall Enterprise Intranet Firewall SSL SLB Finance Server Farm Engineering What are We Trying to Solve? Do not redistribute without permission

  4. Enterprise Challenges New Applications New Attacks Performance Degradations Daily maintenance Do More with Less ?! Do not redistribute without permission

  5. The Easy Way Out Do not redistribute without permission

  6. A “Realistic” Approach Web Application Developers Enterprise Security Network IT Infrastructure • Regression Testing • Deployment Testing • Vulnerability Testing • Risk Mitigation • Asset Management • Uptime: 24x7xforever COMPREHENSIVE Testing is key to all three focus areas Do not redistribute without permission

  7. Web-application Rollout Process Evaluate solutions to new business drivers Application Requirements New Drivers Requirements Deployment Lab Evalulation Feedback from live deployments “Realism” Simulations Highest Risk: Lab Evaluations to Live Deployments Do not redistribute without permission

  8. Web Application Firewall Load Balancer Router SSL Scaler Web Server Application Server Database Server What are “Web Applications” 3 tiers by 3 tiers Do not redistribute without permission

  9. Web Applications: Challenges • Inability to scale across more users • Asymmetric load across multiple tiers • Tuning issues • Resource allocation issues • Bottleneck and fault isolation in 3 tiers • Bad user experience: adaptability to load and devices • Plus: Security + IT infrastructure challenges Do not redistribute without permission

  10. Web Applications: Example • DMV in Mid-West • Customer wanted to roll-out to handle 100s of requests per second • Architected solution for that • Brought us in to test • Actual result – handled only 10s of requests per second • Had to re-architect entire site - application server was not fast enough! Do not redistribute without permission

  11. Other Effects: Example - Link Speeds * Source: Nielsen/Netratings, July 2001 Do not redistribute without permission

  12. The Effect of Link Speed * Source: Caw Networks Realism Study, February 2002 Do not redistribute without permission

  13. Effect of Link Speed on Users Average Application Response Time (ms) 16000 14371 14000 12000 10000 milliseconds 8000 4821 6000 4000 2616 1081 2000 352 86 19 0 9.6 Kbps 28.8 53 Kbps 128 384 1.5 100 WAP Kbps Dialup Kbps Kbps Mbps T1 Mbps Dialup ISDN DSL LAN Do not redistribute without permission

  14. Aspects of Security • Security Policies = Processes + People + Network + Applications Focus on: Network and Application-layer security Do not redistribute without permission

  15. Security Implementation Challenges • Enterprise-wide buy in to policies • Wrong choice of topology • Incorrect choice of devices • Poor configurations Do not redistribute without permission

  16. Security Testing Solutions • An example of a real live benchmark for a security consulting company: • Testing with data • Testing with multiple protocols • Testing at realistic load points • Candidate: • High-end 10,000 connections per second firewall Do not redistribute without permission

  17. Max CPS with Data With HTTP FW able to accomplish 2234 CPS Breakpoint Do not redistribute without permission

  18. Multi protocol: HTTP and FTP CPS Addition of FTP cuts performance by more than 75%!!! Most Network administrators would Never even test for this Real traffic, Real applications make a difference Do not redistribute without permission

  19. Effect of Open Connections IncompleteTransactions at 100K open Do not redistribute without permission

  20. Net Result: Poor User Experience Unfortunately most experience timeout Do not redistribute without permission

  21. What are “IT Infrastructures”? Do not redistribute without permission

  22. Recommended Testing Practices • Key methodologies: • Device testing • Network testing • End to end system testing • Test before deployment • Test every change • Test with realism! Do not redistribute without permission

  23. IT Infrastructure Impact • What can go wrong? • Unknown bottlenecks in end-to-end devices • Bad firmware/software updates • Guessing during rearchitecture/consolidation • Inability to localize faults quickly • Availability under attack Do not redistribute without permission

  24. Summary • Web Applications are more than Web Applications • Identify and mitigate risk with comprehensive testing • Actually do more with less! Do not redistribute without permission

  25. Thank You! Contact us: hgodbole@spirentcom.com rchua@spirentcom.com

More Related