The Cisco® AVS 3120 Application Velocity System significantly lowers the cost of Web application deployments by accelerating performance and optimizing server and network resources. In addition, more business transactions are achieved per minute, eliminating the need for local data centers. Acceleration is accomplished by reducing latency and bandwidth required for any given Web application. Optimization is achieved by off-loading tasks from the server, such as Secure Sockets Layer (SSL) encryption and decryption, compression processing, and redundant requests from the server. Cisco AVS also adds application security at the edge of the data center, further ensuring security of vital corporate resources. Additionally, the Cisco AVS 3180 provides critical Web application monitoring and measurement capability, thereby reducing troubleshooting time.
Cisco AVS 3120 appliances can be rapidly deployed in any environment and can uniquely accelerate, optimize, and secure the delivery of Web applications. No changes are required for application code, desktop applications, or servers. It can be configured and managed with the Cisco AVS 3120 onboard, browser-based GUI management system or with the Cisco AVS 3180 Management Station (see the Cisco AVS 3180 data sheet).
ARCHITECTURE
The architectural approach behind the Cisco AVS 3120 is standards-based; it focuses on a data-center-centric, one-box approach (or asymmetric approach) for acceleration and security, with an agentless architecture for measuring end-user response times. At the core of the Cisco AVS 3120 solution is a comprehensive Layer 7 Web application processing engine, which not only processes all application content but also provides for optimization and security at the application and session levels. It optimizes across individual sessions and dramatically improves the way that applications perform on the network (Figure 1).
Figure 1. Cisco AVS 3120 Architecture
DEPLOYING THE CISCO AVS IN THE ENTERPRISE
Deploying the Cisco AVS 3120 in the enterprise typically involves a data center installation directly in front of the Web application servers and does not require changes to the Web application, desktop application, or servers. Easy to deploy, configure, and manage, the Cisco AVS 3120 appliance can improve Web application performance by 100 to 500 percent or more.
APPLICATION ACCELERATION
The Cisco AVS 3120 appliance significantly mitigates network latency, reduces bandwidth requirements, adds additional application security, and improves server performance by off-loading tasks to the network.
NETWORK LATENCY MITIGATION
Using patented techniques such as FlashForwarding and Smart Redirect, the Cisco AVS 3120 reduces the latency at which a client accesses an application, one of the largest network bottlenecks. By transforming the browser cache into a dynamic "engine," the Cisco AVS 3120 significantly reduces the amount of data required to complete a page load or transaction by reducing the overall number of network round trips required, typically resulting in a 200- to 500-percent improvement in response times for the client.
BANDWIDTH REDUCTION
The Cisco AVS 3120 Application Accelerator Module can help companies realize a 70- to 90-percent typical reduction in bandwidth usage (Figure 2). The result is a dramatic reduction in bandwidth costs, a delay or elimination of network upgrade expenses, and an overall improved end-user experience.
Figure 2. Performance Improvement and Bandwidth Saving
SERVER CPU OFF-LOAD
With the Cisco AVS 3120 Application Accelerator Module, organizations can obtain up to an 80-percent typical reduction in server cycles, greatly increasing the effective capacity in their data centers. In addition to achieving better overall performance, organizations can also delay or reduce server purchases and minimize application licenses.
Table 1 lists the acceleration features and benefits of the Cisco AVS 3120.
Table 1. Acceleration Features and Benefits of Cisco AVS 3120
Features: Network Latency Mitigation
• Request aggregation
• FlashForwarding and browser cache management
• Browser TCP multiplexing
• PDF download optimization
• Response redirection control
Effect: 2 to 5 times typical improvements in response time
Benefit: Dramatically improve end-user performance

Features: Bandwidth Reduction
• Delta encoding
• Dynamic browser caching
• Dynamic image optimization (JPG, GIF, PNG)
• Gzip/deflate compression
• Flexible processing rules
Effect: 70- to 90-percent typical reduction in bandwidth use
Benefit:
• Reduce bandwidth costs
• Delay or eliminate network upgrades
• Improve end-user performance

Features: Server CPU Off-Load
• Configurable dynamic caching
• Load-based caching
• Lazy request evaluation
• Single sign-on optimizations
• TCP connection multiplexing
• SSL off-load and acceleration
• Static caching
• Extensible Markup Language (XML) off-load
Effect: 80-percent typical reduction in server cycles
Benefit:
• Delay or reduce server purchases
• Minimize application licenses
• Improve performance
WEB APPLICATION FIREWALL
The Cisco AVS 3120 Web Application Firewall module delivers a significant level of attack protection for Web applications. It can be deployed easily and rapidly by network security professionals, making the Cisco AVS 3120 an ideal solution for immediate risk remediation for all enterprise applications. With unprecedented application layer visibility, the Cisco AVS 3120 provides real-time threat detection and analysis with no-risk network deployment options.
Web Applications: The Weakest Link
It is simple, really. Application security is important because applications are the weak link to the most important resources of your company. For hackers thinking about new hacking techniques, the soft target is not the network or the operating systems; it is the applications. Transactional Web applications give anyone with a browser direct, unprecedented access to critical business data: employee records, customer transactions, credit card numbers, social security numbers, and partner information, to name just a few.
Figure 3. Threats are Directed at Application Layer
Powerful Web Application Protection
Built upon bidirectional deep inspection technology, the Cisco AVS 3120 Web Application Firewall can immediately block the most common and damaging attacks against Web applications. It effectively thwarts attacks that threaten business continuity and eliminates the need for "rush" software development fixes and patches. Optimized for custom applications where attack signatures do not apply, the Cisco AVS 3120 protects all Web applications against sophisticated custom-made hacker threats such as:
The Cisco AVS 3120 is the first and only Web application firewall that can easily and rapidly be deployed by network security professionals.
It provides two deployment modes: out-of-band monitoring mode and inline transparent mode. The out-of-band monitoring mode is a no-risk deployment architecture that transmits no traffic into the network, introduces no points of attack for hackers, and adds no delay to traffic on the network. It can be deployed with zero network downtime and without introducing any single point of failure. The inline transparent mode enables the deployment of the Cisco AVS 3120 with zero network configuration changes. It is completely transparent, and security rules can be applied actively or passively. It can be removed from the network with no changes to network configuration or disruptions to application availability.
Figure 4. Out-of-Band Monitoring
Network security professionals can effortlessly secure any Web application in any network without deep understanding of the application. The Cisco AVS 3120 can be deployed in a variety of security postures, from basic protection from random attacks to advanced protection from targeted attacks. Installation and configuration take only a few hours, and security policies can be generated automatically. Just as a traditional network firewall denies or allows traffic based on connection tables or network access control lists (ACLs), the Cisco AVS 3120 denies or allows traffic by comparing the results of its deep application inspection with Web application ACLs. Configuring the AVS follows the same design as configuring network ACLs on a firewall, so any security professional already familiar with a network firewall can be productive from the beginning. The Cisco AVS 3120 ships with initial predefined rules providing immediate and effective application protection, while permitting easy customization of the application security policy. The Cisco AVS 3120 provides the network security administrator with unparalleled, granular control over Web application security policies, which can be set and enforced at the URL, parameter, and header level to provide superior flexibility and accuracy.
Benefits and Features
• Protection of mission-critical applications and data from attack
– Protection against all major Web attacks
– HTTP normalization
– Bidirectional deep inspection
– Web application cloaking
– Customizable error codes
– Data theft
– Granular application rules set per URL, header, or parameter
• Rapid and risk-free deployment designed for network security professionals
– Out-of-band monitoring mode
– Transparent inline mode
– Active and passive application of rules
– Auto-recommendation of security rules
EASY DEPLOYMENT AND MANAGEMENT
In addition to outstanding performance, the Cisco AVS 3120 Application Accelerator Module offers enterprises industry-leading deployment and management features that automate mundane tasks and enable IT personnel to easily track network performance with comprehensive reports. Specific features include:
• Cisco AVS 3120 auto-installer helps enable quick and easy deployment with a simple one-command system installation process.
• Graphical reports help IT personnel easily quantify Cisco AVS 3120-enabled bandwidth usage reductions and Cisco AVS 3120 throughput.
• The Cisco AVS 3120 Simple Network Management Protocol (SNMP) MIB helps enable SNMP-based management that is compatible with BMC Patrol, IBM Tivoli, HP OpenView, and others. It also reduces the time and costs associated with management tasks.
• Cisco AVS 3120 transaction logging provides access to Web data statistics for traffic-accounting and data-mining applications.
• Support for multiple URLs and domains helps enable simultaneous handling of multiple applications.
• Intelligent data inspection optimizes efficiency of the Cisco AVS 3120 for maximum application acceleration.
APPSCOPE END-USER PERFORMANCE MONITOR
The Cisco AVS AppScope Monitor (AppScope) is the industry's only agentless, end-to-end application performance measurement solution. The AppScope management client and database run on the Cisco AVS 3180 Management Station Appliance (refer to the Cisco AVS 3180 data sheet). AppScope polls performance measurement data from the Cisco AVS 3120 appliance, providing an easy way for organizations to monitor, measure, and report end-user response times from a central location. AppScope measures the true application performance as realized by real end users; nothing is simulated. It breaks down response times into individual components that allow better allocation of IT resources and greatly reduce mean time to repair.
Figure 5. URL Trend Report
The unique proxy architecture of the Cisco AVS 3120 helps AppScope measure not only the delivery time of both HTTP- and HTTPS-encrypted pages (there are no compromises between visibility and security), but also embedded objects such as images, JavaScripts, and style sheets. In addition, AppScope accurately determines both the server-delay and network-delay components associated with the user experience. Agentless and transparent, AppScope requires no changes to the application or the desktop ("drop-in" deployment) and provides both business- and process-level aggregation. The unique statistical traffic-sampling technology of AppScope helps organizations sample user requests rather than measuring them all, offering a tremendous savings in resources and making AppScope highly scalable for high-traffic applications.
GUI-Based Reporting
AppScope provides a sophisticated GUI-based reporting engine to efficiently track application performance. The reporting engine provides detailed graphical performance-monitoring results with details available for the following:
• URL group: Analyze results for single- and multi-URL transactions.
• Source IP address and group: Monitor results for a specific network client and groups of network clients.
• Source geography group: Monitor results for clients in distributed, remote offices.
When generated, the monitor data is stored in a self-contained relational database for additional flexibility. IT personnel can then use reporting tools such as Crystal Reports, create custom performance-monitoring reports, or integrate the data with all network and system management platforms. AppScope also provides a wizard-based transaction builder and full support for enterprise management systems, including BMC Patrol, IBM Tivoli, and HP OpenView.
System Specifications
Tables 2 and 3 provide system specifications for the Cisco AVS 3120 and the Cisco AVS 3180 Management Station, respectively.
Table 2. Cisco AVS 3120 Specifications
Specification | Description
Software | Cisco AVS 3120 Application Accelerator Module, AppScreen Web application firewall, and GUI single-device management; both the Cisco AVS 3120 appliance and the Cisco AVS 3180 Management Station are required for AppScope performance monitoring
Chassis | 1-rack unit (1RU) appliance
Memory | 4 GB
CPU | 3 GHz
Network Ports | 1 available RJ-25 10/100/1000 autosensing Ethernet port for inline traffic; 1 available RJ-25 10/100/1000 autosensing Ethernet port for management; 3 additional Ethernet ports are inoperable and will be used in future software releases
Table 3. Cisco AVS 3180 Management Station Specifications
Specification | Description
Software | Cisco AVS AppScope Monitor performance monitoring client; both the Cisco AVS 3120 appliance and the Cisco AVS 3180 Management Station are required for AppScope performance monitoring; GUI device management for one or more Cisco AVS 3120 appliances
Chassis | 1RU appliance
Memory | 4 GB
CPU | 3.2 GHz
Disk Space | Two 200-GB hard disks
Network Ports | 1 available RJ-25 10/100/1000 autosensing Ethernet port; 1 additional Ethernet port is inoperable and will be used in future software releases