Over the past two newsletters we've established that there is a wide range of applications running over the typical enterprise WAN. We've also hinted at the fact that sometimes these applications are sanctioned (i.e., Microsoft's SharePoint) but sometimes it is not clear if other applications (i.e., YouTube) are sanctioned. This newsletter is motivated by that growing array of applications transiting the WAN as well as by a panel that Jim chaired at the recent Interop conference in NYC. That panel was entitled Policy and Control. In hindsight, Jim wishes that he had called it Visibility, Policy and Control.

The genesis of the panel was the April 2008 Interop conference in Las Vegas at which Jim moderated 11 panels. One of those was on WAN optimization and one of the speakers was Mark Urban of Packeteer. Mark made a compelling argument that IT organizations needed to understand the applications that are running over their WAN and implement policy to control those applications. In the case of malware or spyware applications, the control that Mark was referring to was to eliminate these applications. In the case of VoIP, the control referred to by Mark was ensuring that the quality of the VoIP calls was not adversely affected by other bandwidth hungry applications.

Another panel discussed the need for a next-generation LAN. One of the speakers, Jeff Prince of Consentry Networks, talked about the need for a new generation of LAN switch that understands the context of each network flow and can apply policy based on that information. According to Jeff, IT organizations can leverage their understanding of user identity and role, tied to applications, both to provide differentiated services to applications and to users, and to improve security through controlled user access to the network and its resources.

Steve Mullaney of Palo Alto networks spoke at a third panel and he made a case that enterprise IT organizations need to deploy a next-generation WAN firewall that can eliminate the blind spots that are associated with most of the current WAN firewalls. An example of this is the inability of most current products to examine the traffic that transits port 80. Steve suggested that a next-generation firewall should be able to decrypt SSL-encrypted payloads to look for application identifiers/signatures. The idea being that once this inspection is performed and policies applied, allowed traffic would be re-encrypted before being forwarded to its destination.

Steve Taylor is president of Distributed Networking Associates and publisher/editor-in-chief of Webtorials. Jim Metzler is vice president of Ashton, Metzler & Associates.