Taking it to the WAN edge
Diving into the new world of SDWAN
This article provides an understanding of the new Wide Area Network (WAN) edge and similar technologies, and how they address business requirements.
The WAN edge has developed out of the legacy WAN optimization market, which is defined as a set of techniques or technologies that maximize data flow efficiency across network infrastructure, especially across geographically disparate sites. The worldwide WAN edge market is expected to be in the region of $5 billion in 2019 and includes all the solutions and services offered by vendors, across various deployment types, which include:
• Application performance management solutions;
• Network monitoring solutions;
• TCP optimization solutions;
• Network traffic accelerator solutions;
• Mobile WAN optimization solutions; and
• Proprietary network optimization solutions.
The majority of solutions use specialized appliances with some using routers. The routers typically do not have the same ability or feature sets as the appliances. Additionally, there are some cloud solutions built on virtualized images.
The major markets for these types of products are:
• Financial services;
• IT and telecommunications;
• Media and entertainment;
• Manufacturing; and
One of the largest proprietary networking edge solution markets is Software-Defined WANs (SDWANs). SDWANs aim to simplify and enhance WAN connectivity, especially for branches or business premises. SDWANs use a central controller or hub to enforce policies and direct specific application flows across the most appropriate connection, as defined by administrator criteria including performance and cost. These appliances are focused on flows, not on the individual packets to which routers limit themselves.
The SDWAN solution creates an encrypted overlay which provides a unified fabric spanning the physical connections, which include leased lines, broadband and other types of Internet connections, and even LTE. The result is that clients have more physical connectivity choices, with the benefit that deployments can be faster: broadband circuits are typically more readily available than leased lines or other similar types of telco circuits.
Finally, SDWANs combine application awareness and analytics so that the controller can respond to changing traffic conditions within the fabric to meet application requirements. They also provide real-time and historical performance data to help administrators manage the WAN, identify and address service issues, and meet business demands.
SDWAN deployments provide meaningful, measurable benefits to both IT and the business. These include availability and uptime.
The following are the main competitive products within South Africa:
- VeloCloud (now part of VMware);
- Cisco (Viptela and Meraki variants);
- Silver Peak;
- Riverbed (via the Ocedo acquisition);
- Fortinet (renamed existing feature set); and
- Alternative low-end routers.
Cisco and Huawei also provide link aggregation and failover abilities in routers and switches, but these are packet-based solutions and not flow-based solutions. Both Riverbed and Cisco have products in the optimization area, with Riverbed being dominant. Mikrotik plays in the low-end market, alongside other products including Billion. There are also VoIP solutions such as Vibe that use the Mikrotik platform. However, that solution does not address the full spectrum of connectivity requirements.
Peplink and Mushroom Networks have mature products and are probably the closest cost-effective products, using similar topologies to Viprinet. Viprinet is a patented technology built from the ground up to optimize flows and has better abilities than either Peplink or Mushroom Networks, because it optimizes flows more effectively with its Distributed Forward Error Correction ability.
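To make the forward error correction idea concrete, here is an added Python example (not code from the article, and not Viprinet's patented algorithm, whose details the article does not give). It implements the textbook single-parity scheme: each group of k data packets gets one XOR parity packet, every packet of the group is sent over a different physical link, and the receiver rebuilds any one missing packet without a retransmission. The link names, payloads and the independent-loss assumption in `residual_group_loss` are constructed for the demonstration.

```python
"""Generic single-parity forward error correction across bonded WAN links.

Added example, not code from the article or from any vendor. It shows the
textbook idea behind FEC on a bonded connection: every group of k data
packets gets one XOR parity packet, each packet of the group travels over a
different physical link, and the receiver rebuilds any one missing packet.
Link names and payloads below are constructed for the demonstration.
"""


def xor_bytes(blocks):
    """XOR equal-length byte strings together."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def encode_group(data_packets):
    """Append one parity packet to k equal-length data packets."""
    return list(data_packets) + [xor_bytes(data_packets)]


def decode_group(received, k):
    """Rebuild the k data packets from a group where None marks a lost packet.

    Returns None when more than one packet is missing: single parity can only
    repair one loss per group, so a second loss falls through to the higher
    layer (TCP retransmission, or a gap in a voice stream).
    """
    lost = [i for i, pkt in enumerate(received) if pkt is None]
    if len(lost) > 1:
        return None
    repaired = list(received)
    if lost:
        # XOR of all k+1 packets is zero, so XOR of the present ones is the missing one.
        repaired[lost[0]] = xor_bytes([pkt for pkt in received if pkt is not None])
    return repaired[:k]


def send_group(data_packets, links, dead_links):
    """Stripe one group over the links (one packet per link, the last link
    carries parity), drop whatever lands on a dead link, decode at the far end."""
    k = len(links) - 1
    if len(data_packets) != k:
        raise ValueError("expected one data packet per link, less the parity link")
    group = encode_group(data_packets)
    received = [None if link in dead_links else pkt for pkt, link in zip(group, links)]
    return decode_group(received, k)


def residual_group_loss(p, k):
    """Probability that a k+1 packet group suffers two or more losses, assuming
    independent per-packet loss p on every link (an assumption; real links are bursty)."""
    n = k + 1
    return 1.0 - (1 - p) ** n - n * p * (1 - p) ** (n - 1)


if __name__ == "__main__":
    LINKS = ["fibre", "adsl", "lte", "satellite"]
    DATA = [b"AAAAAAAA", b"BBBBBBBB", b"CCCCCCCC"]   # constructed 8-byte payloads
    print("adsl down      :", send_group(DATA, LINKS, {"adsl"}))
    print("two links down :", send_group(DATA, LINKS, {"adsl", "lte"}))
    print("residual loss at 1%% per-packet loss: %.6f" % residual_group_loss(0.01, 3))
```

The parity packet costs one extra packet per group (25% overhead with three data links), which is the trade the "near-zero packet loss" claim is paying for: with 1% independent loss per packet, a four-packet group is unrecoverable only about 0.06% of the time.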
Ethernet link aggregation
Cisco and Huawei provide normal failover and path protection abilities using the Link Aggregation Control Protocol (LACP). This is a standards-based implementation that requires Ethernet connectivity, over either copper or fibre, on all links. It does not support other technologies such as ADSL, SDSL, UMTS / HSPA+ / 3G, or LTE / 4G.
Although LACP is a standard protocol, there are similar proprietary aggregation schemes, including Cisco’s EtherChannel and Port Aggregation Protocol, Juniper’s Aggregated Ethernet, Avaya’s Multi-Link Trunking, Split Multi-Link Trunking, Routed Split Multi-Link Trunking and Distributed Split Multi-Link Trunking, ZTE’s “Smartgroup”, Huawei’s “Eth-Trunk”, and Connectify’s Speedify.
A device using RouterOS, i.e. a Mikrotik RouterBOARD, can use LACP and also provide compression known as IP packing. This can be beneficial in improving the ability to handle a large number of voice calls, as an example.
Another product that does the above and is focused on VoIP is Vibe. This is software that runs on the following hardware: Netgear, Mikrotik, VBX and Farsouth Networks routers.
All these schemes require a layer-two connection between the two devices on the link. Bandwidth is not aggregated, and a disconnect will result in a higher-level protocol failure and disconnect. The technology is often used in high-speed backbones, which have a different set of requirements from those of branch offices. The latter requirements are fulfilled by SDWAN appliances.
At a basic level the Ethernet link aggregation protocols do not serve the full needs of an enterprise, and thus within a Cisco environment DMVPN is deployed. Intelligent WAN (IWAN), which runs on Cisco routers with the appropriate licensing, is a mashup built on DMVPN. IWAN is a collection of Cisco technologies that work together to make dynamic forwarding decisions. For example, IWAN uses DMVPN as the overlay and PfRv3 to monitor path quality, managed by a hierarchical arrangement of policy distribution routers. Network operators will manage the system via the soon-to-be-GA APIC-EM controller.
The background behind many of the SDWAN products is VPNs such as the Cisco solution mentioned above. VPNs exist in various forms:
- Point-to-Point Tunnelling Protocol (PPTP) is the most popular protocol, supported by many devices, the easiest to install and the one with the least overhead. The drawback to using PPTP is that it uses a weak encryption key (128 bits), so it should not be used for sensitive data transfers.
- Site-to-Site Protocol is basically the same as PPTP except that it does not use a dedicated line, and encryption is done at the routers at both ends of the connection. This type of encryption can be done in hardware or software.
- Layer 2 Tunnelling Protocol (L2TP) by itself is not much different from PPTP, because it relies on the Point-to-Point Protocol to connect. L2TP is not secure by itself and is often paired with encryption methods outside of the protocol, such as IPsec and 3DES. Adding encryption onto this protocol gives it higher overhead compared to other protocols.
- Internet Protocol Security (IPsec) is a trusted encryption and tunnelling protocol that encrypts the IP traffic over a given tunnel. The disadvantage of IPsec may be the time-consuming client installations.
- Secure Socket Tunneling Protocol (SSTP) is considered to have the highest security available among VPN protocols, with its 2048-bit encryption. SSTP can be used in place of PPTP and L2TP, and is effective in locations where the use of ports is restricted: SSTP uses SSL, so traffic can be restricted to port 443. A drawback to using the higher encryption rate is that the operating systems at the endpoints must be at the current patch and latest OS levels.
- Multi-Protocol Label Switching (MPLS) is not a protocol used by end users but a way to securely connect sites using an ISP-tuned virtual private network. An MPLS VPN is inherently more difficult to put together, which may make it more expensive than other options. With MPLS you may consider a fail-over strategy over Internet lines.
- Open source has been used by some companies, which have successfully put together packages that use SSL or IPsec with some of the easier-to-set-up protocols. Open source software like OpenVPN is available, functions with most available operating systems and is free to use. One drawback when using open source software is the lack of support when needed.
- Proprietary: the modern approach is to use a blend of transports (such as MPLS and other IP transports) and have the overlay VPN use all the available resources. The key is to leverage broadband. This creates a cost-effective and reliable VPN architecture, ideal for office-to-office connectivity.
Most VPNs have a problem with satellite connections and are unable to operate with optimal throughput, as the encrypted traffic defeats the satellite modem’s optimization software. However, the Viprinet product interoperates with satellites.
An excellent resource for WAN optimization is Gartner’s WAN optimization report.
A note is that although Riverbed is a dominant player in the WAN optimization arena, it was not initially shipping product in the SDWAN space, and neither was Cisco. These companies used acquisitions to enter the market. There are some players that have been shipping working product for 10 years or longer and have a head start over most WAN optimization vendors. Examples are Multapplied and Viprinet.
WAN optimization exists in the enterprise market and Gartner does not mention any Internet Service Provider (ISP) or Managed Service Provider (MSP) focused products!
Gartner’s list of main competitors
- Intelligent WAN at www.cisco.com
- NetScaler at www.citrix.com
Many SDWAN vendors have immature products. Although there is a large number of competitors in the space, clients must be cautious to choose a product that provides as close to 100% uptime as possible.
Administrators and remote office workers
As part of best-practice network design, one of the tools a network administrator is required to have in order to securely manage servers is a jump server.
A jump server is installed in a partitioned section of the network, and access to this server is provided via a policy-based network path. The jump server is then the only network device that has network-level access to the administrative consoles of servers. This prevents these consoles from being accessible to anyone on the internal network, where only application-level access is provided. Administrators gain access to the jump server using signed certificates, which provides a high level of trust and authentication. The normal server challenge methods are then also applied on the server consoles.
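The property that matters here, that nothing but the jump server can reach a server console, is one you can check rather than assume. The following Python script is an added example (not from the article) that evaluates a first-match firewall policy for a set of sample flows and lists every non-jump source that can still reach an administrative port. The rule sets, subnets, hosts and port numbers are constructed; a real audit would load the rules exported from the firewall instead.

```python
"""Audit a firewall policy for the jump-server rule the article describes:
only the jump host may reach the administrative consoles of servers.

Added example, not from the article. The rule sets, subnets, hosts and port
numbers are constructed; a real audit would load the rules exported from
the firewall instead.
"""
from ipaddress import ip_address, ip_network

ADMIN_PORTS = {22, 3389, 8443}    # SSH, RDP, web console (constructed choice)
JUMP_HOSTS = {"10.0.99.10"}       # the one host allowed to reach consoles
SERVERS = ["10.0.10.7", "10.0.10.8"]
SAMPLE_SOURCES = ["10.0.99.10", "10.0.20.5", "10.0.30.7"]  # jump host, user LAN, guest LAN

# Rules are (source network, destination network, ports or None for any, action);
# first match wins and anything unmatched is denied.
GOOD_RULES = [
    ("10.0.99.10/32", "10.0.10.0/24", {22, 3389, 8443}, "allow"),  # jump host -> consoles
    ("10.0.20.0/24", "10.0.10.0/24", {80, 443}, "allow"),          # users -> application only
    ("0.0.0.0/0", "0.0.0.0/0", None, "deny"),
]

# The same policy with one mistake: SSH opened to the user LAN.
BAD_RULES = [
    ("10.0.99.10/32", "10.0.10.0/24", {22, 3389, 8443}, "allow"),
    ("10.0.20.0/24", "10.0.10.0/24", {22, 80, 443}, "allow"),
    ("0.0.0.0/0", "0.0.0.0/0", None, "deny"),
]


def decide(rules, src, dst, port):
    """Return the action of the first rule matching the flow, 'deny' if none matches."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for src_net, dst_net, ports, action in rules:
        if (src_ip in ip_network(src_net) and dst_ip in ip_network(dst_net)
                and (ports is None or port in ports)):
            return action
    return "deny"


def audit_console_exposure(rules, sources=SAMPLE_SOURCES, servers=SERVERS,
                           admin_ports=ADMIN_PORTS, jump_hosts=JUMP_HOSTS):
    """List every (source, server, port) where a non-jump source can reach a console."""
    violations = []
    for src in sources:
        if src in jump_hosts:
            continue
        for dst in servers:
            for port in sorted(admin_ports):
                if decide(rules, src, dst, port) == "allow":
                    violations.append((src, dst, port))
    return violations


if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(name, "policy violations:", audit_console_exposure(rules))
```

The sample sources are representatives of each network segment; for a real policy you would generate one source per segment (or per host class) and keep the audit in a pipeline so that a rule change like the one in `BAD_RULES` fails review before it is pushed.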
Typically, the software to use with a jump server would be one of the built-in VPN clients for Windows, using one of these tunneling protocols:
- Internet Key Exchange version 2 (IKEv2): configure the IPsec/IKE tunnel cryptographic properties using the Cryptography Suite setting in the VPNv2 Configuration Service Provider (CSP).
- L2TP: L2TP with pre-shared key (PSK) authentication can be configured using the L2tpPsk setting in the VPNv2 CSP.
There are a number of Universal Windows Platform (UWP) VPN applications, such as Pulse Secure, Cisco AnyConnect, F5 Access, SonicWall Mobile Connect, and Check Point Capsule. If you want to use a UWP VPN plug-in, work with your vendor for any custom settings needed to configure your VPN solution. One of the most popular open source products is OpenVPN, but there is also an excellent alternative in SoftEther. However, an extremely secure and robust solution is to use an SDWAN hub and SDWAN VPN client. The hub can perform the functions of a jump server, and the client should be available for both Windows and Apple Mac desktops/laptops.
Jump servers fit well into a best-practice network design, as they reduce the number of firewall rules required, with the additional benefit that certificate-based communication makes them more secure. This type of set-up should be used by all IT shops regardless of size, and when used in a cloud-based environment where servers are hosted at a third party, it is a prerequisite. The solution described above is also valid for the remote office worker, as it provides a way to work securely across broadband infrastructure without being compromised.
Many enterprises have leased line products such as MPLS and even carrier Ethernet. In most cases this is a high-end product, and procuring capacity is cost prohibitive. Often purchasing and bonding two leased line products does not provide failover, as the products invariably use a common path.
The solution is to use a product that has broadband failover abilities, such as ADSL or wireless / cellular. The aggregated solution provides better uptime and is cost effective.
SDWANs make this possible for a business, as they address the security issues in a cost-effective manner:
- Stable connections are enabled automatically, without engineers having to modify and constantly tune the environment.
- Traffic optimization, including headers. Immediate 30% traffic performance improvements, even on only a single upstream connection.
- Reduced packet loss, to near-zero levels, even when deployed over poor links.
- Optimises connections even in moving vehicles, with its patented technology.
- Perfect for voice and even video streams, with its low latency and low jitter abilities.
- Layer 2 connection ability. Provides a feature for VLANs which allows a service provider that has an LTE network to provision layer 2 carrier-Ethernet-like services in a highly secure manner.
- Path selection using multiple upstream technologies:
  - Link stability: connections with higher link stability (calculated from packet loss and connection failures) are preferred;
  - Packet loss: packet retention is prioritized;
  - Cost: less expensive connections are used in preference to costlier ones;
  - Latency: faster connections are preferred; and
  - Bandwidth: higher-capacity connections are used before lower-capacity ones.
- Ability to deploy IPv6 over a legacy IPv4 network with a minimum of configuration required.
- Ability to integrate and use jumbo frames in a carrier environment that has a high-capacity backbone. This results in additional performance improvements not present in other products without this support! Other products introduce a high amount of fragmentation, which causes a degradation in performance.
- Overall cost of product and installation. Network operators do not need to configure individual WAN routers to change policy. Routine changes do not need to be handled by network engineers with deep, specialized knowledge. This frees up engineering staff to work on business-enriching projects, reduces human error, brings policy changes to bear more quickly, and improves system availability. Reports and network data are readily available and easy to consume, allowing organizations to spot issues and resolve them quickly.
- Time to deploy. Point-and-click deployment through a web front end makes it less administratively intensive than alternative offerings that use a CLI.
- Technical differences. Optimization of web and non-web traffic. Remote workers are able to connect securely. Internet is better than MPLS.
- Performance differences. Provides the ability to make decisions based on traffic type, ensuring critical communications are always delivered even in a state of congestion.
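The path-selection criteria in the list above (link stability, packet loss, cost, latency and bandwidth) can be turned into a small, inspectable scoring function. The Python below is an added example, not the product's own algorithm: it normalises each criterion against the usable links, weights them per application class, drops any link whose loss is over a ceiling, and returns the winner. The stability formula, weights, thresholds and link measurements are all constructed assumptions, chosen to show how a voice flow and a bulk transfer end up on different upstreams, and how a degraded fibre link is bypassed without an engineer touching anything.

```python
"""Policy-driven path selection over bonded WAN links.

Added example, not the product's own algorithm. It scores each link on the
five criteria (link stability, packet loss, cost, latency, bandwidth) with
per-application weights and picks the best link, after dropping any link
whose loss is above a threshold. The stability formula, weights, thresholds
and link measurements are all constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class Link:
    name: str
    loss_pct: float        # packet loss in the measurement window, percent
    failures: int          # connection failures in the same window
    latency_ms: float
    cost: float            # relative cost, 1.0 = cheapest link
    bandwidth_mbps: float


# Weights per application class (assumed): voice cares about stability and
# delay, bulk transfer cares about price and capacity.
POLICIES = {
    "voice": {"stability": 0.4, "loss": 0.3, "latency": 0.3, "cost": 0.0, "bandwidth": 0.0},
    "bulk":  {"stability": 0.2, "loss": 0.1, "latency": 0.0, "cost": 0.5, "bandwidth": 0.2},
}

LOSS_CEILING_PCT = 5.0   # links above this are not considered at all
MAX_FAILURES = 10        # failure count at which stability reaches zero


def stability(link):
    """0..1, combining loss and failure count; 10% loss or MAX_FAILURES failures gives 0."""
    loss_term = max(0.0, 1.0 - link.loss_pct / 10.0)
    fail_term = max(0.0, 1.0 - link.failures / MAX_FAILURES)
    return loss_term * fail_term


def score(link, candidates, weights):
    """Weighted sum of per-criterion terms, each normalised to 0..1 against the candidates."""
    best_latency = min(l.latency_ms for l in candidates)
    best_cost = min(l.cost for l in candidates)
    best_bw = max(l.bandwidth_mbps for l in candidates)
    terms = {
        "stability": stability(link),
        "loss": max(0.0, 1.0 - link.loss_pct / 10.0),
        "latency": best_latency / link.latency_ms,
        "cost": best_cost / link.cost,
        "bandwidth": link.bandwidth_mbps / best_bw,
    }
    return sum(weights[k] * terms[k] for k in weights)


def select_path(links, app_class):
    """Name of the best link for this application class, or None if every link is unusable."""
    candidates = [l for l in links if l.loss_pct <= LOSS_CEILING_PCT]
    if not candidates:
        return None
    weights = POLICIES[app_class]
    return max(candidates, key=lambda l: score(l, candidates, weights)).name


# Constructed measurements for a branch with four upstreams.
LINKS = [
    Link("fibre", loss_pct=0.1, failures=0, latency_ms=8, cost=3.0, bandwidth_mbps=100),
    Link("adsl", loss_pct=0.5, failures=1, latency_ms=25, cost=1.0, bandwidth_mbps=20),
    Link("lte", loss_pct=2.0, failures=3, latency_ms=45, cost=4.0, bandwidth_mbps=50),
    Link("satellite", loss_pct=6.0, failures=2, latency_ms=600, cost=2.0, bandwidth_mbps=10),
]

if __name__ == "__main__":
    for app in POLICIES:
        print(app, "->", select_path(LINKS, app))
```

With these numbers voice lands on fibre and bulk traffic on ADSL; if the fibre link's loss climbs past the ceiling, voice moves to ADSL on the next evaluation, which is the "stable connections without constant tuning" behaviour the list describes, expressed as a policy that can be reviewed and unit-tested.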
Ronald lives on the southern tip of Africa, where he does his thing for Amastelek!