An MPLS network is used in a scenario where an organization has a number of geographically dispersed branches. These are interconnected using MPLS from network operators.
MPLS is inherently expensive. A link to a branch averages out at about R12k while alternatives are in the region of R3k. Besides the cost, the implementation of these types of networks is difficult and time consuming. Highly skilled engineers are required, and extensive troubleshooting is often needed to operationalize deployments.
MPLS is provided by the larger network operators, and the architecture requires long design, quote, order and implementation cycles. Configuration is also a complex undertaking that can lead to costly errors which take time to identify and fix. Extending MPLS networks into cloud hosting, or to reach cloud services, requires engaging carriers and network operators in additional design, quote and deployment cycles and increases costs. Adding cloud services to an SD-WAN network is simple, especially if the cloud service is reachable over Internet connections and the SD-WAN platform can be deployed in containers or virtualized at the cloud or hosting provider.
SD-WAN has become a better alternative as it allows automated deployment of a branch by staff with limited technical skill. A branch is activated within two minutes. The inherent benefits include better security, overall network management, affordability, AES data encryption, flexible contracts, rapid deployment, carrier redundancy, BYO connectivity, hybrid networks and Quality of Service (QoS).
What makes more sense is to securely connect the edge to a centralized firewall that is hosted in a data centre. This can be a resilient cluster. This firewall will be more powerful than the puny one currently deployed at the edge.
SD-WAN allows a business to consolidate firewalls, which also provides a significant administrative benefit as the rule base is greatly reduced and simplified.
A hub and spoke SD-WAN deployment provides near instantaneous fail-over as well as bandwidth aggregation via a process known as bonding. However, the biggest benefit is the ability to ensure 100% uptime over the last mile.
The example above shows a last mile that utilizes 3 ISPs: 2 on fibre and 1 on fixed wireless. This type of configuration provides 100% uptime over the last mile, especially because it mixes fibre and fixed wireless. Fixed wireless is often able to mitigate last mile outages caused by service interruptions such as a backhoe digging up the fibre.
One of SD-WAN's abilities is floating IPs, whereby IP addresses can be used anywhere within the SD-WAN network. In a normal broadband deployment an IP address is tied to a specific site and cannot be moved to another region. With SD-WAN, migrating IP addresses between sites and locations, as disaster recovery requires, becomes a simple configuration matter.
SD-WAN has a unique ability to handle and manage threats in an optimal manner. There are two enforcement points: the aggregator and the edge. One is system wide and the other is site specific.
At the aggregator we can drop the following traffic: bogons, hijacked domains, the DShield top attacking network ranges, as well as malware. The aggregator from Fusion Broadband can be configured with the FireHOL level 1 block list. This list includes the following malware list sources: feodo, sslbl, zeus_badips and bambenek_c2. The list is loaded as an IP set using the ipset tool, by means of a script.
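The loading script described above, as an added example that is not Fusion Broadband's own code: it converts a FireHOL-style .netset into `ipset restore` input, filling a temporary set and swapping it in atomically so the live block list is never empty during a refresh. The set name, hash sizes, interface and the sample list are this example's assumptions.

```shell
#!/bin/sh
# Load a FireHOL-style .netset (one IPv4 prefix per line, '#' comments) into
# an ipset as 'ipset restore' input. A temporary set is filled and then
# atomically swapped in, so the live set is never empty while updating.
# Set name, hashsize/maxelem and the sample list are this example's assumptions.

SET_NAME="${SET_NAME:-level1_blocklist}"

# Constructed sample in the netset format; a real list is downloaded from FireHOL.
SAMPLE_NETSET='# firehol_level1 sample (constructed)
# comments and blank lines are ignored

0.0.0.0/8
10.0.0.0/8
203.0.113.7
198.51.100.0/24
not-an-address
'

# netset_to_ipset NAME : netset on stdin -> ipset-restore commands on stdout
netset_to_ipset() {
    name="$1"
    printf 'create %s_tmp hash:net family inet hashsize 4096 maxelem 262144 -exist\n' "$name"
    printf 'flush %s_tmp\n' "$name"
    # strip comments (including trailing ones), whitespace and blank lines
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' |
    while IFS= read -r prefix; do
        # accept only dotted-quad IPv4 with an optional /len; skip anything else
        echo "$prefix" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' ||
            { echo "skipped: $prefix" >&2; continue; }
        case "$prefix" in
            */*) ;;                      # already CIDR
            *)   prefix="$prefix/32" ;;  # bare address becomes a host prefix
        esac
        printf 'add %s_tmp %s\n' "$name" "$prefix"
    done
    # make sure the live set exists, then swap and drop the temporary set
    printf 'create %s hash:net family inet hashsize 4096 maxelem 262144 -exist\n' "$name"
    printf 'swap %s_tmp %s\n' "$name" "$name"
    printf 'destroy %s_tmp\n' "$name"
}

# count_entries : number of 'add' commands generated for the sample list
count_entries() {
    printf '%s' "$SAMPLE_NETSET" | netset_to_ipset "$SET_NAME" 2>/dev/null | grep -c '^add '
}

# On the aggregator (as root) the set is refreshed from a timer; the match rule is added once:
#   printf '%s' "$SAMPLE_NETSET" | netset_to_ipset "$SET_NAME" | ipset restore
#   iptables -I FORWARD -m set --match-set "$SET_NAME" src -j DROP
```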
On the edge, the SD-WAN solution uses dnsmasq. This allows the use of a hosts file in exactly the same manner as the famous Pi-hole tool. Examples of lists that can be used are those hosted by Energized Protection; another resource is the Ultimate list.
The dnsmasq configuration on the edge can use multiple simultaneous DNS resolvers, including those from Quad9 and Cloudflare. This configuration can improve resolution performance by up to 240%, especially when the appropriate hardware is deployed at the edge.
A supplementary benefit, as mentioned above, is achieved using a highly efficient local caching resolver. This can be supplemented by techniques to disable DoH/DoT and by redirecting all DNS queries to the local caching resolver using firewall rules on the SD-WAN.
The assumption is often that fibre is by default better than wireless. Most sites have Wi-Fi anyway, so there is wireless in the connectivity chain regardless; the real problem is that packet loss on fibre is more difficult to detect. It manifests as great local speeds but poor international speeds. This is due to the nature of the protocols in use, whose speed is affected far more by loss over long distances!
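The hosts-file blocking, multi-resolver configuration and DNS redirect described in the three paragraphs above, as an added example that is not Fusion Broadband's own code: a downloaded blocklist is input the resolver trusts, so it is sanitised to sinkhole entries before dnsmasq loads it, and the dnsmasq and firewall settings follow in comments. The sinkhole set, file paths, the LAN interface name and the sample list are this example's assumptions.

```shell
#!/bin/sh
# Sanitise a Pi-hole style hosts blocklist before dnsmasq loads it (addn-hosts=).
# A downloaded list is input the resolver trusts: keep only entries that point at
# a sinkhole address and have a well-formed hostname, so a poisoned list cannot
# redirect a real name to an attacker-chosen address. Sinkhole set, paths,
# interface name and the sample list are this example's own assumptions.

# Constructed sample: valid entries, a duplicate, a trailing comment, a redirect, a bad hostname.
SAMPLE_HOSTS='# Energized-style hosts list (constructed sample)
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # trailing comment
127.0.0.1 telemetry.example.com
0.0.0.0 ads.example.net
198.51.100.10 login.example-bank.test
0.0.0.0 bad host.example
::1 localhost
'
# sanitize_hosts : hosts list on stdin -> deduplicated sinkhole-only list on stdout
sanitize_hosts() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e '/^$/d' |
    while read -r addr host extra; do
        [ -n "$host" ] && [ -z "$extra" ] || continue   # exactly <address> <hostname>
        case "$addr" in
            0.0.0.0|127.0.0.1|::|::1) ;;                 # accepted sinkhole targets
            *) echo "rejected non-sinkhole entry: $addr $host" >&2; continue ;;
        esac
        # labels of alphanumerics and '-', joined by '.', no leading/trailing '-'
        echo "$host" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$' || continue
        printf '%s %s\n' "$addr" "$host"
    done | sort -u
}

# count_clean : number of entries that survive sanitisation of the sample
count_clean() {
    printf '%s' "$SAMPLE_HOSTS" | sanitize_hosts 2>/dev/null | wc -l | tr -d ' '
}

# On the edge (as root), after downloading a list:
#   sanitize_hosts < downloaded.hosts > /etc/dnsmasq.d/blocklist.hosts
# dnsmasq.conf: load the list, query Quad9 and Cloudflare in parallel, answer from cache
#   addn-hosts=/etc/dnsmasq.d/blocklist.hosts
#   no-resolv
#   server=9.9.9.9
#   server=1.1.1.1
#   all-servers
# Pin LAN clients to the local resolver: redirect plain DNS to it, reject DNS-over-TLS
#   iptables -t nat -A PREROUTING -i br-lan -p udp --dport 53 -j REDIRECT --to-ports 53
#   iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 53 -j REDIRECT --to-ports 53
#   iptables -A FORWARD -i br-lan -p tcp --dport 853 -j REJECT
```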
TCP acceleration is a mechanism by which the congestion control algorithm is changed to accelerate access to the cloud. A good example is BBR.
The Fusion Broadband solution uses a TCP proxy mechanism to accelerate specific ports by multiplexing these streams as well as applying a better congestion control mechanism.
Another factor is DNS. A local resolver with good performance makes a world of difference. The Fusion Broadband South Africa resolver is excellent and can improve speeds by up to 240%.
In the seventies when the short two hour television broadcast in South Africa was not being transmitted, there was a test pattern. Any time of the day you could switch on the Telefunken in the corner and see the status of the signal. In the first few days we watched the test pattern for longer periods than the actual television broadcast. It was a comfortable feeling that during the forthcoming scheduled broadcast, things would work!
When using any connectivity solution the test pattern signal is mandatory. In SD-WAN this is achieved using network performance management metrics and dashboards. Additionally, traffic visualization is optionally provided down to the application and user experience level.
The Fusion Broadband SD-WAN solution has excellent NPM. All the necessary metrics are displayed on a single pane of glass, including latency, bit rate, packet loss, outages, load and quality of service. This is described in an article on MyBroadband: Fusion SDWAN traffic visualisation unmasks cyber and other incidents. The article describes how user experience and application level traffic visualization is provided, and covers cybersecurity monitoring, including incidents such as the Sunburst breach.
The biggest problem associated with kiosks is that often the only viable connectivity is from mobile providers. This usually involves a 3G router attached in this neck of the savannah to either Vodacom or MTN. But often, even when the better connection in an area is selected, there are still outages.
The next level of router provides two SIM slots with the ability to fail over. The problem with this strategy is that the mobile providers disable SIMs which have not pinged the network for a few days. So when the fail-over is required, it ironically fails!
Enter Fusion Broadband with its innovative Jaguar based SD-WAN edge that uses two active radio modems to connect to mobile providers. The architecture ensures a continuous keep-alive ping to both SIMs, and thus the above scenario where fail-over does not work is prevented.
Additionally, Fusion's SD-WAN is able to aggregate the mobile data bandwidth using bonding, thereby also being able to increase performance and throughput at the kiosk.
The primary functionality required for work from home is the ability to communicate back to the office. Many offices in South Africa still have a significant number of servers installed on premises at the office and require employees to access them remotely when working from home.
DO NOT IMPLEMENT PORT FORWARDING DIRECTLY TO A SERVER USING A PROTOCOL LIKE REMOTE DESKTOP PROTOCOL (RDP)!
The recommended manner to access the office is to use a Virtual Private Network (VPN). The implementation has a number of attributes, such as the encryption and authentication mechanisms used. But it is important to reduce the exposure of the implementation by installing the VPN concentrator in a demilitarized zone (DMZ). Deploying the VPN monolithically on the firewall itself exposes the firewall to potential compromise. The DMZ could potentially be a virtual container.
The SD-WAN will ensure reliable and non-stop access for work from home users. In normal times, people working from the office could still access local servers and continue working when the Internet links failed. When working from home this is not possible: the Internet links need to be up 100%.
Multiple locations and even companies can share a Bastion concentrator.
Large co-location data centres work for service providers and the enterprise, but not really for small business. The requirements of a small business do not extend to a full rack, but a partial one. Additionally, the small business wants its infrastructure as close to the business as possible. This is the problem edge computing solves: co-location in decentralized, small-scale data centres, typically referred to as edge computing.
Edge computing will rely on multiple paths to the main data centre where IP transit and peering exists via Internet Exchanges. At the Internet Exchanges multiple SD-WAN aggregators would exist to make the solution fully resilient.
Most broadband providers have a consumer and a business product. Both are supplied across exactly the same infrastructure, and the two products have few technical attributes that uniquely distinguish them. Often the only feature of the business product is a priority phone number where a ticket can be logged to escalate a repair. In a significant number of cases the service provider isn't even able to proactively notify of outages, and the business needs to call in to log a fault. Clearly this is not business grade Internet.
The Fusion SD-WAN solution makes broadband links reliable, with 100% uptime. It also includes out-of-the-box dashboards and monitoring, with no third party tools required.
The best method to connect the edge to a data centre is via a hub and spoke mechanism. A mesh at this level does not scale, and the processing and path decisions become onerous.
Fusion Broadband allows the SD-WAN hubs, which are located in regional data centres and known as aggregators, to be meshed. This means that country-wide private wide area networks can be established in a simplified manner, unlike the complexity involved with MPLS. The meshed aggregators use VXLAN and Babel.
The support required, as well as the associated charges, for a legacy network deployment are significant. SD-WAN keeps ISPs honest, as it provides a new single pane of glass that verifies connectivity as well as other metrics.
The nature of the service provides visibility into the network for troubleshooting and determining the cause of problems. This includes traffic visualization.
The problem types identified and corrected are:
- Identifying packet loss on the last mile
- Identifying latency issues on the last mile
- Determining congestion on the last mile and identifying the traffic types causing it
- Determining path and MTU problems
- Determining outages and SLA breaches
- Identifying name resolution problems
- Determining peering exchange problems
- Identifying long distance problems
- Capturing packets to analyze problems
The Fusion Broadband SD-WAN solution reduces the time to execute support tasks significantly.
The cloud connector is an interesting use case for SD-WAN. An example would be a South African company installing servers in a co-location data centre in London. If there is no CDN involved locally, then performance is not optimal.
Fusion Broadband solves this problem by installing a cloud connector in the remote data centre that is associated with a local aggregator. This improves the performance of access to these servers through TCP multiplexing and more efficient congestion control algorithms.