					                                          CLOUD SOLUTIONS FAQ




Layer 7 CloudSpan & AMI FAQ

Table of Contents

               What is CloudSpan?
               Is CloudSpan only available as virtual appliances?
               Does CloudSpan support clustering?
               Does CloudSpan require specialized tools or skills?
               Is CloudSpan extensible?
               Can I publish/update policies on a live “in production” CloudSpan device?
               Is CloudSpan upgradeable?
               What third-party identity products does CloudSpan support?
               Which protocols and standards does CloudSpan support?
               How is the Layer 7 SSG AMI priced?
               What is the best practice for scaling Layer 7 AMIs?
               What is the best practice for upgrading SSG AMIs?
               Can the SSG AMI utilize RightScale’s EC2 provisioning capabilities?
               Can the SSG AMI utilize Amazon’s Elastic Block Storage (EBS)?
               Are SSG AMIs public or private images?
               Does the SSG AMI work with Amazon CloudFront?
               What performance can be expected for the SSG AMI?
                                         FREQUENTLY ASKED QUESTIONS


What is CloudSpan?
                       CloudSpan is Layer 7’s newest family of XML-based products specifically designed to help
                       enterprises solve their issues around securely connecting to, deploying in, and publishing from the
                       cloud:
                            •    CloudSpan CloudConnect allows enterprises to safely consume SaaS and cloud-based
                                 services by providing not only secure single sign-on, but also secure, bi-directional
                                 application integration.
                            •    The cloud is the new DMZ. CloudSpan CloudProtect is designed to deliver DMZ-level
                                 security in public and private clouds by providing a hardened virtual application container in
                                 which organizations can deploy their enterprise applications.
                            •    CloudSpan CloudControl allows cloud-based service providers to secure, manage and
                                 publish their application APIs to partners, customers, and other third-parties using policy-
                                 driven controls.

Is CloudSpan only available as virtual appliances?
                       CloudSpan is available in a number of different form factors in order to support multiple deployment
                       scenarios, budgets and business requirements:
                            •    Hardware – for deployment in traditional datacenters and other high-performance
                                 environments, CloudSpan CloudConnect and CloudControl are available as a 1U 64-bit
                                 multiprocessor platform that features dual power supplies, four GE/FE NICS, and mirrored
                                 hot-swappable drives
                            •    Software – for customers that prefer a do-it-yourself approach using their own hardware,
                                 CloudSpan CloudConnect and CloudControl are available for Sun Solaris 10 (supports both
                                 x86 and Niagara versions), SUSE Linux, and Red Hat Linux 4.0/5.0
                            •    Virtual Appliance for VMware – the entire CloudSpan family is available as Virtual
                                 Appliances supporting VMWare/ESX deployments and is “VM Ready” certified
                            •    Amazon Machine Image – CloudSpan CloudProtect and CloudControl can be implemented
                                 using the existing SecureSpan XML Gateway AMI form factor.

Does CloudSpan support clustering?
                       Yes, CloudSpan appliances (except the AMI) support true clustering, allowing organizations to
                       centrally administer multiple devices in a cluster, as well as multiple clusters.

                       CloudSpan also supports cluster-wide rate limiting, which allows organizations to meter service usage
                       in order to take some action when a preset threshold is reached. For example, telcos that meter usage
                       of cellular SMS services can use CloudSpan to block access to the service when the customer’s
                       contractual quota is exceeded. Because the clustered devices maintain and update a shared counter,
                       metering is always accurate. This capability also allows SecureSpan to provide effective protection
                       against replay attacks.




January 4, 2011               This document is being provided for informational purposes only.                        Page 2 of 6
                   The information presented is accurate at the time of publication, but is subject to change.

Does CloudSpan require specialized tools or skills?
                       CloudSpan includes an intuitive, graphical policy editor and composer (Layer 7 Policy Manager),
                       allowing anyone with basic scripting skills to create as simple or as complex a policy as required. No
                       knowledge of XSLT or other complex programming language is required. More than 70 pre-made
                       policy assertions are provided out of the box to help you get started.
                            •    Compose inheritable policy statements
                            •    Branch policy execution based on logical conditions, message content, externally retrieved
                                 data or transaction specific environment variables
                            •    Create service and operation-level policies using inheritance, simplifying administration

Is CloudSpan extensible?
                       CloudSpan offers a Custom Policy Assertion SDK, which gives developers the ability to extend the
                       rich palette of Layer 7 policy assertions in order to customize the out-of-the-box functionality to their
                       specific requirements.

                       Custom assertions can be created for proprietary message processing, pattern recognition and filtering,
                       as well as interfacing to third-party products, such as identity management infrastructure, network
                       monitoring applications, or anti-virus systems – all without requiring an application server to run the
                       custom code.

                       Using Java, programmers can create a Layer 7-compatible .jar file that includes all required code
                       and/or interfaces to third-party APIs. Uploading the .jar file to CloudSpan will make it available for
                       use within the policy editor and composer as a policy assertion, which can then be incorporated into
                       both new and existing policies as required.

Can I publish/update policies on a live “in production” CloudSpan device?
                       Yes, while it’s not recommended that new policies be created and implemented on a production
                       version of CloudSpan, it is possible to do so: the next message processed by CloudSpan will be subject
                       to the new/updated policy.

                       The recommended practice is to migrate a tested policy from a QA/test environment to the production
                       CloudSpan device, and then publish it live. In either case, there’s no need to bring down and restart the
                       system to implement new/updated policies.

Is CloudSpan upgradeable?
                       CloudSpan provides maintenance releases as packaged software updates, and major releases as
                       packaged migration upgrades. Both updates and upgrades can be implemented without requiring
                       professional services; can be implemented remotely on soft appliances; and can be rolled back, if
                       necessary.

                       Customers that purchase software or VMware versions of the CloudSpan appliance and remain current
                       on their Support and Maintenance are entitled to soft appliance upgrades at no charge.

                       For those customers that remain current on their Support and Maintenance, Layer 7 will refresh their
                       hardware platform when it becomes EOL for a nominal fee. Customers are entitled to retain their old
                       appliance hardware – there is no need to return it to Layer 7.




What third-party identity products does CloudSpan support?
                       CloudSpan supports integration with leading identity, access, SSO and federation systems, including
                       LDAP, Microsoft Active Directory/Federated Services, Oracle Access Manager, IBM Tivoli (TAM
                       and TFIM), CA SiteMinder, Sun Java Access Manager and Novell Access Manager.

Which protocols and standards does CloudSpan support?
                       CloudSpan supports most common Web services/Web 2.0 and PKI standards, as well as a number of
                       transport and security protocols, including:

                        XML 1.0                   SOAP 1.2                    REST                               AJAX

                        FIPS 140-2 Level 3        Kerberos                    W3C XML Signature 1.0              MQ Series

                        SNMP                      IMAP4                       W3C XML Encryption 1.0             Tibco EMS

                        SMTP                      HTTP/HTTPS                  X.509 v3 Certificates              FTP

                        POP3                      JMS 1.0                     SSL/TLS 1.1 / 3.0                  WS-Security 1.1

                        WS-Trust 1.0              WS-Federation               WS-Addressing                      WSSecureConversation

                        WS-Policy                 WS-SecurityPolicy           WS-MetadataExchange                WS-PolicyAttachment

                        WS-I                      WSIL                        WS-SecureExchange                  WS-I BSP

                        WSDL 1.1 3.0              XACML 2.0                   SAML 1.1/2.0                       XML Schema

                        XPath 1.0                 XSLT 1.0                    UDDI                               LDAP 3.0

                        PKCS #10

How is the Layer 7 SSG AMI priced?
                       The Layer 7 SecureSpan XML Networking Gateway Amazon Machine Image (SSG AMI) is available
                       for purchase under a number of models, including:

                            Perpetual License – customers who have purchased a SecureSpan XML Networking Gateway or
                            CloudSpan license can opt to run that license on Amazon Web Services Elastic Cloud Compute
                            (AWS EC2) employing the Layer 7 XML Networking Gateway AMI.*

                            Lease/Rent – customers can pay a set monthly fee to Layer 7 for the right to use the SSG AMI.*

                            Utility Pricing – customers can also “pay as you go” based on the size of the instance (i.e., # of
                            CPU equivalents) and the number of hours run.*
                            *Costs associated with CPU usage, storage, data transfer, etc., charged by Amazon would be an additional cost
                            to the customer.


What is the best practice for scaling Layer 7 AMIs?
                       AWS supports both scaling up (running on a single, larger instance that has more computing resources)
                       and scaling out (adding more instances). Scaling up makes sense for applications that have a steady
                       workload with little variance over a typical day or week. Scaling out makes more sense for
                       applications whose workload varies on an hourly or daily basis.




                       For fail-over purposes, as well as the ability to take advantage of EC2’s Auto Scaling capabilities to
                       handle performance spikes, Layer 7 recommends scaling out. Best practice for scaling out involves
                       creating a reserved instance for each AMI to be run. Reserved instances require a one-time, upfront
                       payment per instance in exchange for which:

                       •    Time to availability is almost instantaneous (compared to on demand instances, which can
                            introduce a significant lag as resources are spun up)

                       •    Configuration data is preserved (the image can be preconfigured and is essentially left on stand-by
                            ready for use; on demand instances need to be configured as they come online)

                       •    Static IP addresses are assigned (on demand instances have randomly assigned IP addresses,
                            introducing configuration overhead)

What is the best practice for upgrading SSG AMIs?
                       There are two approaches that customers can choose between, depending on their own internal IT best
                       practices:

                       •    Recommended: customers can choose to spin up the latest SSG AMI registered in the AWS EC2
                            catalog, and then just export policies from their existing AMI and import their policies into
                            the new AMI.
                                 o Pros: smoother cutover between old/new SSG AMI
                                 o Cons: customers will need to configure the new SSG AMI

                       •    Alternative: customers can also choose to apply the RPM patch that Layer 7 makes available for
                            upgrade purposes to their existing SSG AMI.
                                o Pros: No need to reconfigure the SSG AMI
                                o Cons: Need to offline the SSG AMI while the RPM is being applied

Can the SSG AMI utilize RightScale’s EC2 provisioning capabilities?
                       Layer 7 has been working closely with RightScale to create an Amazon Machine Image that can
                       automate much of the provisioning and configuration details customers currently must perform
                       manually. This functionality is currently undergoing testing and is not yet widely available.

Can the SSG AMI utilize Amazon’s Elastic Block Storage (EBS)?
                       Currently, the SSG AMI does not take advantage of EBS.

                       However, it does support Amazon’s Relational Data Store (RDS), which can be utilized instead of the
                       SSG’s MySQL database in order to provide for greater reliability (RDS can be used to persist data
                       even if the SSG AMI goes down); enhanced performance (RDS elastically scales in a seamless manner
                       as load/demand increase); and backup (storing configuration files in RDS simplifies recovery).

Are SSG AMIs public or private images?
                       Public images are AMIs that vendors have made available to the general public. They tend to be
                       Commercial Off-The-Shelf (COTS) resources that customers can purchase/lease/rent, and then tailor to
                       their specific needs. For example, the SSG AMI is a public image, generally available for any
                       customer to purchase from the AWS EC2 catalog.




                         Private images are AMIs that customers have purchased/leased/rented from a vendor in the AWS EC2
                         catalog and then secured for their own use using Amazon’s key pair technology, which ensures against
                         unauthorized usage.

Does the SSG AMI work with Amazon CloudFront?
                         Yes, customers can utilize Amazon’s CloudFront capabilities in conjunction with the SSG AMI.
                         CloudFront provides customers with load balancing, firewalling and IaaS management capabilities
                         which can be used to ensure the SSG AMI (and associated services) are properly utilizing EC2
                         resources.

                         Customers may also want to purchase the Layer 7 Enterprise Service Manager (ESM), which allows
                         them to manage and track/report on the performance of each SSG AMI, as well as each individual
                         service being proxied.

What performance can be expected for the SSG AMI?
                         XML processing performance will vary depending on the resources dedicated to the SSG AMI. AWS
                         EC2 offers a number of different instance sizes that come with a preset, base amount of standard
                         computing resources:

                                    Size                    CPU Equivalents                                         Memory     Platform

                                    Small                   1 (1 virtual core with 1 EC2 Compute Unit)               1.7GB      32-bit

                                    Large                   4 (2 virtual cores with 2 EC2 Compute Units each)        7.5GB      64-bit

                                    Extra Large             8 (4 virtual cores with 2 EC2 Compute Units each)         15GB      64-bit

                                    Double Extra Large      13 (4 virtual cores with 3.25 EC2 Compute Units each)    34.2GB     64-bit

                                    Quadruple Extra Large   26 (8 virtual cores with 3.25 EC2 Compute Units each)    68.4GB     64-bit

                         The following graph shows SSG AMI XML processing performance for 1KB and 10KB messages on
                         AWS EC2’s “small” instance:
                         [Graph: Requests/sec versus Message Size]




                         In general, the larger the instance size, the better the performance will be (all other factors being
                         equal).

