Lower Costs & New Virtualization Capability for Web-based Application Infrastructure

Building fast, secure networks has always been Sun's mission. In this interview, Josh Weiss, GM of Sun's networking and switching technologies group, describes how this leadership has been extended with a new line of application switches. Josh has been in the networking industry for 25 years. He came to Sun as part of the acquisition of Nauticus Networks, where he was CEO.

Your team has just introduced a very innovative application-layer switch that changes the nature of e-commerce IT infrastructures. What's so unique about it?

We call it the Sun Secure Application Switch N2000 series. It costs about the same as other switches on the market, but delivers five to 10 times the performance. Because the new switch is so powerful, it also combines functions that previously required separate devices.

Overall, capital acquisition costs are lower because the N2000 can do the job of many less capable devices. At the same time, operating costs are lower because administrators have more powerful tools and a simpler environment to manage.

How is an application switch used in a data center?

The N2000 is designed to help deliver secure Web-based applications to a large number of users. In this environment, the efficient use of hardware and horizontal scaling are important.

As shown in the drawing, the N2000 is an application layer switch (layers 4 – 7) that interconnects groups of servers. Sitting at the point where the Internet traffic enters the data center, it determines which server will process each user request, balancing the workload across the data center as well as providing services such as security and attack protection. The N2000 is easy to add to existing application infrastructures; it can also be used along with Ethernet switches that provide the physical connectivity between servers.

Diagram: The N2000 provides switching between multiple groups of servers and the Internet.

What differentiates the N2000 from other switches on the market?

Very high throughput is the cornerstone of the design. The N2000 can handle more than 12,500 SSL connections/sec and over 2 gigabits/sec of encrypted throughput. That's five to 10 times the SSL throughput of other products in the same price range.

N2000 Test Results[1] Show High Throughput

- 56,000 Layer 7 application switching connections per second
- 12,500 SSL connections per second
- 2.1 gigabits/sec of encrypted throughput

[1] VeriTest, Sun Secure Application Switch — N2000 Series: SSL and Layer 7 performance test report, November 2004.

That is quite a move in price/performance. How did you accomplish it?

We used a unique design approach. While other switches are implemented primarily by software running on a microprocessor, we implemented the N2000 with custom-built hardware, so it is much faster — there is no software to execute.

We use FPGAs (field-programmable gate arrays) to implement the logic. In addition to providing the hardware acceleration, FPGAs have the advantage of being reprogrammable. We use that capability to make enhancements over time, just as if the design were based on a software approach. So we have achieved the best of both worlds — the high throughput and low cost of hardware with the flexibility of software.

What unique capabilities of the N2000 are made possible by your design approach?

First of all, the switch provides wire-speed SSL encryption/decryption for end-to-end application security without the performance trade-offs that usually accompany this function. Normally, the servers provide encryption. By building it into the N2000, the servers can be fully used for application processing. That not only reduces the number of servers needed, but it also increases the value of each added server, which makes scaling easier.

The switch functions as a full hardware TCP proxy with the ability to terminate all inbound flows and regenerate new flows directed at the servers. That functionality combined with high performance enables us to provide several value-added security functions. The N2000 does not simply look at data on a packet-by-packet basis; it actually looks at all the streams as they go by, re-creating and analyzing the application data. This gives you full insight into the data, something that you simply can't do with the limited visibility that packet-only inspection provides. By inspecting the actual application data, we can find and protect against the new class of sophisticated application level attacks that have become so pervasive on the Internet today.

Because the N2000 switches at Layer 4 – Layer 7, it also has the ability to spot denial of service attacks and prevent them from affecting the servers. It is the high capacity of the switch combined with its traffic management capabilities that gives our customers this unique means of preventing such attacks.

Any data that comes into our switch is decrypted and fully analyzed before it is sent to the servers. As a result, no data ever touches the servers that hasn't been approved. This provides what we call an "air gap" between the wild, wild west of the Internet and the data center. It keeps malicious data out of the data center.

And load balancing is built in, too?

Yes, traditionally load balancing is provided by a stand-alone device. But because of the high-performance design of the N2000, this function is built in. As a result, data center TCO can be lower because you do not need a separate product.

The N2000 determines the best server to receive certain incoming traffic. It can also take action if the traffic exceeds certain thresholds and policies, such as signaling the network management system so that another server can be added to increase throughput.

The N2000 also provides the ability for an IT administrator to create virtual groups of servers. This partitioning enables the switch to simultaneously manage multiple application groups, each with multiple servers. Administrators can quickly reassign servers to other applications to accommodate peaks in demand or replace a failed server. This flexibility can help improve server utilization, performance and availability — it enables a wire-once, provision-instantly real-time infrastructure.

Tell us more about how the N2000 helps improve availability.

The N2000 can detect a failed server via its health checking features — out of band as well as in-band with our patent-pending technology — and send an alarm to the network management system. Using the virtualization feature, an administrator can quickly move a spare server to the virtual application group so the application is again performing at 100 percent.

Because the SSL connection is managed by the N2000, the server switchover can be transparent to users — their connections are not lost. The N2000 can perform SSL cookie switching to make sure users get to the correct new server after a replacement.

How does the N2000 integrate into systems management systems?

The N2000 supports SNMP, XML, the Web, and a command-line interface. All interfaces provide access to all the switch's configurable parameters via the switch's management broker. SNMP support enables the product to be managed with existing systems management tools. The command-line interface is available for administrators who prefer that. And the N2000 also has an XML interface to export and import configuration information as well as perform other management functions.

What configurations are available and why would you choose one over the other?

We have two models of the product: the N2040 is targeted primarily at sites with Fast Ethernet interconnects. It has four Gigabit Ethernet interfaces and 40 10/100 Ethernet interfaces. We also have the N2120, which has 12 Gigabit Ethernet interfaces for high-speed interconnects. In addition, the virtualization capability is an option on both models, designated by the "V" suffix in the product configuration.

The product line has been available since November 2004. What has been the acceptance?

There has been broad acceptance across multiple markets. We are seeing it deployed into banking applications and other e-commerce Web sites. The N2000 Series is a great fit there because secure applications need high availability, flexible scaling, and efficient operations. Those are exactly the requirements around which we designed the N2000 Series.

For more information about the N2000 Secure Application Switch, visit www.sun.com/products/networking/switches/n2000/
