Jay Botelho, Senior Director, Product Management at LiveAction
Demand for Software Defined Wide Area Networks (SD-WAN) is growing at a tremendous rate – boosted by the rise of hybrid working and increased roll-out of FTTC. However, optimising and troubleshooting SD-WAN links requires a bit of a rethink when it comes to tools, skills and priorities.
Organisations are increasingly looking to SD-WAN deployments for improved performance and reduced cost. In fact, WAN environments are more dynamic and secure with SD-WAN automation. For example, it can provide a direct internet connection from a London headquarters to an office in Manchester, enabling teams to balance between multiple service providers and transport types more easily while making intelligent adjustments to application paths for better performance.
Visibility is key
One of the primary benefits of SD-WAN is the ability to combine multiple technologies, such as MPLS and business broadband connections from different ISPs. This can add capacity, performance and resiliency to any WAN, but it does bring with it some complexity, as organisations must juggle multiple ISP relationships to procure and manage connectivity. In which scenario is each ISP most effective? Is splitting traffic between them the right move? If so, what’s the best way to determine the allocation? These are just some of the questions that undoubtedly come up. Beyond that, organisations must also manage SLAs, monitor for outages or slowdowns, reroute traffic as needed and more.
For example, let’s say that network traffic is split between two ISPs – one for web traffic and the other for all web-hosted productivity apps such as email, CRM and ERP. This works well until one ISP goes down, in which case you’d need to reroute all traffic to the other. That’s when traffic prioritisation issues can cascade into poor connectivity that’ll degrade user experiences and hurt productivity. These types of circumstances are why you must be capable of properly visualising, classifying and prioritising traffic across all ISPs.
Another concern is cyber security risks. Although SD-WAN links tend to be married with VPN technology, the data flows will often traverse across the public internet which requires that organisations enforce best-practice security controls and processes. As more users are working remotely, access from the public internet and connections from it to hosted services and applications are more exposed to security threats.
This path can allow adversaries to avoid most of the security controls IT departments often rely upon, such as firewall rules and any IDS/IPS that has been deployed, making corporate data protection subject to individual employees’ security practices. Even with the growth in home working following the pandemic, most staff lack high-quality IDS/IPS on their home networks, making them more vulnerable to phishing attempts and various malware attacks. In most cases, the lack of close IT control puts corporate data directly in jeopardy. As such, it is essential to deploy some form of endpoint security on each user’s system that can secure user applications and enforce centrally defined security rules, allowing for monitoring and security policy enforcement. This endpoint control should be integrated with the network monitoring platform to allow for a truly unified management approach.
With the rise of cloud-based applications, connectivity starts to become a critical factor in determining overall application performance. An organisation will struggle to effectively manage application performance without traffic prioritisation, which is virtually impossible to enforce once traffic hits the public internet. With a hub/spoke architecture, an organisation can contract for a big pipe, and average many users across that pipe to ensure consistent performance and at a reasonable cost per user. But as organisations start to embrace hybrid working with more remote users and locations, it is difficult to manage all these remote Internet connections, and guarantee performance.
For example, imagine an employee that needs to transfer massive video, CAD or database files on a regular basis. Such a file could be 100GB, and even when the employee is working at the office, assuming a 1Gbps Internet connection, transferring a 100GB file could consume the network for over 13 minutes. However, with remote working, most residential networks will rarely have more than 100bps, so it’s easy to see how a single large transfer could bottleneck a poorly managed SD-WAN setup. To counter this, organisations need to set policies within the SD-WAN management engines that make an automated decision based on scenarios such as large file transfers or the priority of a user or task. This can enact upload rate limits for large files – or move traffic from a priority leased line circuit to a lower cost and performance DSL-based connection for non-critical tasks such as social media or viewing content from YouTube.
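To make the policy logic in the two scenarios above concrete (rerouting when an ISP fails while keeping productivity traffic prioritised, and steering or rate-limiting bulk transfers and leisure traffic onto the cheaper circuit), here is an added example that is not from the article or from any LiveAction product. The link names, the 10GB "large transfer" threshold and the 50Mbps cap are assumptions chosen for illustration.

```python
"""Added example (not from the article): a small SD-WAN path-selection policy.
Link names, thresholds and flow fields are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

LARGE_TRANSFER_BYTES = 10 * 10**9   # assumed threshold: 10 GB counts as a bulk transfer
BULK_RATE_LIMIT_MBPS = 50           # assumed upload cap applied to bulk transfers

@dataclass
class Link:
    name: str
    up: bool
    premium: bool        # True = leased line, False = lower-cost DSL circuit

@dataclass
class Flow:
    app_class: str       # "productivity", "web", "bulk" or "leisure"
    bytes_total: int
    user_priority: int   # 1 = highest

@dataclass
class Decision:
    link: Optional[str]              # None means no usable circuit
    rate_limit_mbps: Optional[int] = None

def transfer_seconds(size_bytes: int, link_mbps: float) -> float:
    """Seconds to move size_bytes over a link of link_mbps (the article's 100 GB @ 1 Gbps case)."""
    return size_bytes * 8 / (link_mbps * 1_000_000)

def choose_path(flow: Flow, links: list[Link]) -> Decision:
    """Pick a circuit (and optional rate limit) for a flow, honouring link failures."""
    usable = [l for l in links if l.up]
    if not usable:
        return Decision(link=None)
    premium = next((l for l in usable if l.premium), None)
    cheap = next((l for l in usable if not l.premium), None)
    # Non-critical traffic goes to the lower-cost circuit whenever one is available.
    if flow.app_class == "leisure":
        return Decision(link=(cheap or premium).name)
    # Large bulk transfers are always rate-limited; only top-priority users keep the premium circuit.
    if flow.app_class == "bulk" and flow.bytes_total >= LARGE_TRANSFER_BYTES:
        if flow.user_priority == 1 and premium:
            return Decision(link=premium.name, rate_limit_mbps=BULK_RATE_LIMIT_MBPS)
        return Decision(link=(cheap or premium).name, rate_limit_mbps=BULK_RATE_LIMIT_MBPS)
    # Productivity and web traffic take the best circuit that is up: this is the failover case.
    return Decision(link=(premium or cheap).name)
```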
However, with the benefits of being able to use multiple ISPs, the issue of inconsistent quality can arise. A recent survey found that nearly one in four organisations see inconsistent quality across multiple ISPs as a significant challenge for their business. This is because each ISP uses its own technologies and rolls out updates at its own speed. And ISPs don’t treat all areas equally; they’re focused on servicing the broadest population possible with minimum investment. This can lead to underserved geographies and inadequate quality of service for organisations operating within them.
In each city, ISPs may provide more bandwidth to business parks than residential areas, and the maximum bandwidth available may depend on the postcode in which a site is located. The maximum available connection speeds and the demand in the neighbourhood can both limit bandwidth. As users, and therefore the network, become increasingly distributed, controlling user experiences will become extremely challenging. This means that gaining metrics around SD-WAN is vital. To this end, flow-based network analysis can help perform real-time network topology mapping for devices, interfaces, applications, VPNs and users. It can also help establish critical baselines for SD-WAN deployments, such as site-to-site traffic types and paths, application behaviours and consumption patterns. This type of granular insight is essential to get to grips with SD-WAN and enable the concept to deliver to its full potential.
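The site-to-site baselines the paragraph describes can be built from ordinary flow records. The following is an added example, not from the article or from any LiveAction product: it derives a per-site-pair, per-application baseline (usual volume and usual path) from constructed NetFlow-style records and flags a new record that departs from it, such as a path change after an ISP outage or an unexpected surge in volume. Site names, the records and the deviation threshold are all constructed assumptions.

```python
"""Added example (not from the article): a site-to-site traffic baseline from
flow records, with deviation checks. All records and thresholds are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records: (src_site, dst_site, application, path, bytes) per 5-minute interval.
BASELINE_FLOWS = [
    ("london", "manchester", "crm", "isp_a", 120_000_000),
    ("london", "manchester", "crm", "isp_a", 130_000_000),
    ("london", "manchester", "crm", "isp_a", 125_000_000),
    ("london", "manchester", "crm", "isp_a", 128_000_000),
    ("london", "manchester", "web", "isp_b", 40_000_000),
    ("london", "manchester", "web", "isp_b", 45_000_000),
    ("london", "manchester", "web", "isp_b", 42_000_000),
    ("london", "manchester", "web", "isp_b", 43_000_000),
]

def build_baseline(flows):
    """Per (src, dst, app): mean and stddev of bytes per interval, plus the path normally taken."""
    volumes = defaultdict(list)
    path_counts = defaultdict(lambda: defaultdict(int))
    for src, dst, app, path, nbytes in flows:
        volumes[(src, dst, app)].append(nbytes)
        path_counts[(src, dst, app)][path] += 1
    baseline = {}
    for key, vals in volumes.items():
        usual_path = max(path_counts[key], key=path_counts[key].get)
        baseline[key] = {"mean": mean(vals), "sd": pstdev(vals), "path": usual_path}
    return baseline

def check_flow(baseline, flow, sigma=3.0):
    """Return deviation labels for one new record; an empty list means it fits the baseline."""
    src, dst, app, path, nbytes = flow
    key = (src, dst, app)
    if key not in baseline:
        return ["unseen site/application pair"]
    b = baseline[key]
    findings = []
    if path != b["path"]:
        findings.append(f"path changed from {b['path']} to {path}")
    # A flat history gives a tiny stddev, so use at least 10% of the mean as the spread.
    if nbytes > b["mean"] + sigma * max(b["sd"], 0.1 * b["mean"]):
        findings.append("volume above baseline")
    return findings
```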