[an error occurred while processing this directive]


Special reports - Feb 2000 - The technology behind an ASP
Jonathan Moss takes a look at the technologies that make ASP possible.

T.S. Eliot once wrote: "Hell is where nothing connects to anything". Obviously, Eliot never managed a network or he would have said, ‘Hell is where everything connects to everything’. Anyone who manages an IT environment must grapple with the everyday worries of the systems, the networks, the users and the budgets. The constant juggling act of keeping costs low whilst enhancing an organisation’s efficiency (and profits) can make life stressful.

A new breed of ASPs

It is also a well-known fact that businesses now have a much higher degree of IT competence amongst the upper echelons of management, due mainly to the advent of the Internet rather than because of the internal systems. People are used to travelling and picking up their emails but still have great difficulty in accessing their applications and data, upon which they are highly dependent. It is clear, however, that a fundamental shift is taking root in our industry. It is in response to customers who desire the latest software applications to gain a competitive edge, but don’t have the technical and financial resources to support them. These customers are driving a set of hosted application services that are now possible because of three converging factors: the mass adoption of the Internet, increased server processing power and application server software. This environment is giving rise to a new breed of application service providers.

ASPs host software from centralised data centres, renting access over dedicated high-speed networks or over the Internet. Customers of all sizes get real-time access to best-of-breed software – from the latest productivity suites to the most robust enterprise application – without the risks, costs and complexities of maintaining it on their own. They are now able to focus on core business objectives, rather than on arduous IT issues. The application-hosting model combines an ASP data centre, the bandwidth of a Network Service Provider (NSP) and the application-specific expertise of consultants, value-added resellers, systems integrators and independent software vendors.

Of course, some will say that it is easy to Web-enable any application but it is a well-known fact that 99% of software products still work in the traditional manner. It can often take months of programming to change an application to work as a dynamic and fully functional Web-enabled product. Just think, what we used to think of as legacy systems, i.e. traditional mainframe applications, will soon be thought of as non-browser aware applications. The Internet forges one of the most powerful alliances that we have seen - that of computing and communications. It simultaneously supports messaging, publication, voice, video, real-time collaboration, and a variety of other specialised applications. We take for granted the fact that the Internet can tolerate varying packet sizes, varying delay, varying bandwidth, varying error rates and varying topology; and yet it still works!

How do I become an ASP?

An ASP, however, can harness this and can be the answer to many an IT manager’s prayers. An ASP can Web-enable almost any application that can run on Windows NT and deliver it to users within a matter of days; all that’s needed is a Web browser and Internet connection. It’s not just about outsourcing an application, rather it’s about outsourcing the IT department. So what skills and technologies does an ASP need to be able to deliver fast and secure application access? Well, its technical staff require superior knowledge of Networking, Windows NT, Citrix Metaframe, Terminal Server, Security, and the Internet. It also needs to implement Bandwidth Priority, Network Security, User Authentication, and Data Encryption. I will now explain some of these technologies in greater detail.

IP networks can’t differentiate between mission-critical and non-critical traffic. They lack predictability and control and are disconnected from business goals and priorities. Each customer of an ASP needs dedicated bandwidth, and the service level agreement may dictate that extra burstable bandwidth be allocated on an ad hoc basis. In addition, an ASP needs to be able to limit extraneous bandwidth for those protocols which would normally use as much as they can grab; HTTP for instance. By using a technique called Bandwidth Prioritisation between the firewall and the router, one can make the network adapt to the needs of specific applications. To understand how it works one must know a little more about TCP.


Many of the features that make TCP reliable also contribute to its performance problems. It uses sliding window flow control where multiple packets are sent before it stops and waits for an acknowledgement (ACK). The receiver then not only acknowledges that it received the data but also advertises how much it can handle. It also deploys a slow start algorithm to alleviate the problem of multiple packets filling up router queues. With TCP Slow Start, when a connection opens, only one packet is sent until an ACK is received. For each ACK, the congestion window increases by one until a threshold is reached.

We know that flow control is safe but it would be far better if one could implement TCP Rate Control instead and stop router queue buffers filling up in the first place. Data packets will often fail to get through to the receiving station and will be re-transmitted some time later. If this continues then all you get is increased latency, and application response times increase as the flow is extremely ‘bursty’. However, by detecting this and intercepting the sending process we can break it down in to smaller packets and re-transmit it. A similar analogy is taking a pipe and pouring gravel down it; it will probably clog up and need dislodging. However, slowly pour sand down it instead and you get not only a smoother flow, but ultimately more sand (i.e. data) through it. Even cars on a motorway exhibit this property and we’re all far too familiar with the effect of traffic pulsing. Reduce the speed to say 30 mph through a set of road works and the traffic flows evenly (in this case the speed limit signs are the rate control mechanism).

Security concerns

Now, whilst all organisations that allow network access to the Internet should implement a firewall strategy, many don’t. If they do then they often use inferior products or try to minimise the costs by using routers that include basic port blocking mechanisms. An ASP needs far tighter security control as well as good logging and reporting tools, not only because it is allowing its customers to access its Web servers, but also because it is allowing them to access real-time applications and data on the Citrix servers. In addition, many customers are extremely cautious about the security of their data over a public domain such as the Internet so an ASP needs to be able to guarantee a secure private channel to each client. The first line of defence after the router is the firewall which uses a combination of application-level proxies, network circuits and packet filtering to ensure that data traversing the firewall is controlled. In addition, firewalls use algorithms for matching access rules to connection attempts. In this way only access attempts that meet the exacting requirements of specific rules, such as passing of the Citrix ICA protocol for specific ports, are permitted.

Whilst a firewall controls security at a protocol and application level, it is generally not the best technology to look after user name and password. Authentication servers, however, can extend security beyond static IDs and passwords by uniquely authenticating users before granting them network access over dial-up, LAN, Internet or intranet connections. They use two-factor authentication to further strengthen security by requiring something the user has – a token issued by the ASP – and something unique the user knows: a PIN to enable the token.

The final aspect of security is perhaps the most important as far as an ASP’s customers are concerned: that of the security of their data over the Internet. This has been traditionally accomplished by use of Virtual Private Networks (VPN) but presents something of a problem for an ASP due to the fact that it relies upon its own firewall technology being the same as its customers’. What is needed is a SOCKS v5 VPN solution that is firewall ‘blind’ and is able to encrypt the data-stream to securely traverse any firewall using a standard HTTP proxy. In addition, it must tightly integrate strong encryption, application management, and intelligent logging and reporting. The SOCKS server is placed on the de-militarised zone of the firewall and all VPN-enabled clients will communicate transparently over secure encrypted channels, through the server and into the ASP.

So, the world is getting smaller and communications costs are decreasing at the same time that the speed of communications is increasing. It is my belief that the Internet hasn’t even begun to take off yet but people have a level of expectation of global application access that is only just being made possible by the small but growing band of ASPs. We will soon be able to launch an application in the same way that we can pick up a telephone and dial a phone number: without worrying or caring about the technology behind it all.

Jonathan Moss
is Technical Director of iProvide