The company's network operations are outsourced to multiple managed services partners. Each partner has its own technology-domain-specific fault management and performance monitoring solution for its reactive and capacity management purposes.

The current mainstream in-house network monitoring tools at the company are Cacti and NetFlow Tracker. Cacti monitors WAN-link utilization and interface errors; the information is collected from the CE routers. NetFlow Tracker illustrates detailed NetFlow information and is typically used to identify the reasons behind WAN-link congestion on an individual user and/or application basis.

4 GLOBAL SOLUTION STRATEGIES

4.1 Expectation from this POC

As discussed in section 3.3, the company offices are connected through MPLS and IPsec connections. Currently, the company has few entry points to the Internet. Since more and more branch offices and remote locations are connected to the corporate network, the company's costs keep growing at a high pace. This cost growth, added to their application performance challenges, forces them to rethink the way they do networking today. Approximately 70% of the company's traffic can be considered non-critical, leaving the remaining 30% in need of closer attention.

The company's expectation from this Proof of Concept is to have successfully tested the new network architecture solution. They believe a meshed network will suit their current needs and put them in an edge position for the next 5 to 10 years to increase performance, increase service and keep costs down.

4.2 Network architecture consideration

The future network design is expected to loosen the current data-center-centric star-topology architecture. The reference architecture is seen to be driven by the following areas:

a. Performance: Internet break-outs moving from data centers towards remote sites.

b. Security: Data center level security mechanisms have to be maintained in the distributed architecture.

c. Financials: Affordable and easily deployable small-site connectivity and security appliances.

d. Management: Efficient centralized solution management and monitoring capability.

The above-mentioned four key drivers each have their respective influence on the optimum architectural design fundamentals.

4.3 Business requirements

The company has different functionality in different offices (more information in Appendix 1). But from a network point of view there are some common requirements which can be found at all types of office levels. Those requirements are as follows:

4.3.1 Security

a. The corporate network must be protected against Internet threats, with a certain level of control over what users can access on the Internet; these different functions can be integrated in the same device or separately.

b. All firewalls must be manageable from a central management system.

c. Proxy policies must be centrally managed but should accommodate local regulation. For example, China has different types of policies for accessing the Internet.

4.3.2 Application performance

a. Users must experience the same or better latency as now when they access corporate applications hosted in the corporate datacenter, thanks to offloading (Internet, email etc.) traffic from the corporate MPLS network.

b. Latency is reduced and users have a better experience when they access the Internet and other cloud-based applications, thanks to the local Internet breakout.

4.3.3 Application management and monitoring

a. The future solution should include a management platform or integrate with the current management system.

b. The future solution should provide at least the same level of visibility (monitoring) as now, or more.

4.3.4 End-user experience

a. Simplify the data path to improve the end-user experience.

b. Guest/contractor access must be provided (internet only).

c. Users/visitors should be able to bring their own devices and at least get Internet access.

d. Wi-Fi-enabled office, so that users are able to move frequently within their office and remain connected to the network.

e. Wired and wireless networks must be combined to get a unified experience.

f. Users are able to use a VoIP softphone on their machine via the wireless network.

4.4 Centralized networking management and monitoring

The proposed network solution must include a relevant network management (OSS) tool-set. The OSS should have the function to facilitate provisioning, operation, administration, maintenance, and control of all the network elements. Such functions should be accessible at minimum from all corporate locations, but various cloud-based OSS extensions can be considered as well.

Critical OSS core elements can be placed in a preferred target company data center, but possibly needed sub-systems may be distributed to other centers or, as mentioned above, to the cloud as well.

5 DIFFERENT VENDOR SOLUTIONS

The target company has received solution proposals from five different vendors. After the preliminary analysis, the company decided to test three different vendor solutions. Those three vendors were Juniper Networks, Fortinet and Aruba Networks. Below we will delve into more detail of those vendors' solutions.

5.1 Juniper Networks

The Juniper Networks SRX series is an all-in-one device solution providing consolidated networking and security. The SRX series for the branch runs Junos OS, which is used by the top 100 service providers around the globe and is a very reliable and proven operating system. The SRX series devices can be managed by the easy-to-use unified management system. Figure 7 shows the Juniper STRM series Security Threat Response Manager system. The single Junos OS platform for all SRX devices can help businesses reduce the time and effort to plan, deploy and manage. It also provides stable delivery of new functionality in a steady time manner. The Juniper Networks Network and Security Manager (NSM) is very useful for large-scale deployment (Juniper Network, Inc., 2014).

Figure 7. Juniper STRM Series Security Threat Response Managers System (Juniper, 2009)

5.1.1 SRX Features and Benefits

The Juniper SRX series is a feature-rich appliance. It provides fast, highly available switching, routing, security, and application control capabilities in a single device. Figure 8 shows a Juniper SRX series UTM device. Some of the features are as follows:

a. Security: The SRX appliance has a firewall, policy-based VPN, IPS, AppSecure, antivirus, enhanced web filtering and antispam capabilities in one product.

b. Routing and switching: Routing features such as RIP, OSPF, BGP, Multicast, IPv4 and IPv6 are included. There are also J-Flow, RPM, Layer 2 switching and OPE options available.

c. Wireless LAN and 3G/4G WAN: To support business users' needs, there are wireless LAN and 3G/4G WiMAX and LTE features available.

d. Physical interfaces: Ethernet, serial port, T1/E1, DS3/E3 and xDSL are all available options for WAN or Internet connectivity to securely connect to the corporate network.

e. Managing the network: It is possible to manage the corporate network using a command-line interface, scripting capabilities and also a web-based graphical user interface (Juniper Network, Inc., 2014).

Figure 8. Juniper Network SRX Series Gateway (Juniper Network, Inc., 2014).

5.2 Fortinet

Fortinet offers a wide range of products to service providers, large enterprises and small/medium branch offices. In this thesis, we only discuss the FortiGate products that the target company used for their POC project. The FortiGate product is an all-in-one network security appliance, which combines firewall, IPsec and SSL VPN tunnels, application control, intrusion prevention, anti-malware, antispam, P2P security and web filtering into a single appliance (Fortinet, Inc., 2015). Smaller FortiGate devices (see Figure 11) are available with a built-in wireless access point. This gives an instant WLAN for small offices, where the device can be located so that adequate wireless coverage is achieved (Fortinet, Inc., 2015).

FortiGates and FortiClients can be centrally managed with FortiManager, shown in Figure 9. FortiManager allows the network management team to use centralized configuration templates, making it easy to deploy standardized configurations on a large number of appliances. FortiAnalyzer is used for centralized logging and reporting. It gives visibility throughout the network infrastructure (Fortinet, Inc., 2014).

Figure 9. Fortinet Management Portal Called FortiManager (Fortinet, 2012).

5.2.1 FortiGate Features and Benefits

FortiGate is a simple, powerful, secure appliance with many features and benefits. However, we will only discuss a few of the key features and how they are useful to the business network.

a. Application control: Helps the organization determine which applications generate traffic on the business network, along with the ability to control the business applications.

b. Advanced threat protection: The FortiGate appliance has on-device and cloud-based detection mechanisms that are able to block Advanced Persistent Threats (APT) that aim to target specific employees or business functions within an organization.

c. Web/content filtering: Web content filtering lets an organization control what kinds of web traffic a user may view. By using web content filtering, the business can greatly decrease its employees' exposure to spyware, phishing, pharming, and inappropriate web sites.

d. Integrated wireless LAN controller: Every FortiGate can act as a wireless controller, so it is possible to manage FortiAP thin access points and FortiWiFi thick access points through the FortiGate appliance. In addition, comprehensive threat management and the same policy enforcement can be implemented on both the wired and wireless network, as shown in Figure 10.

e. Intrusion prevention system: The system can monitor and log packets, identify malicious activities and block those activities.

f. Anti-malware: The FortiGate appliance has the capability to do real-time monitoring and protection against the installation of malicious software (Fortinet, Inc., 2014).

Figure 10. FortiGate 800-600 Series (Fortinet, 2015)

Figure 11. FortiWiFi 60D and FortiGate 60D-POE Appliances (Fortinet, 2015)

5.3 Aruba Networks

Aruba Networks provides a high-performance mobility solution to enterprises, which enables employees' secure access to their corporate data network, voice and video applications across wireless and wireline networks. The company's main products are remote access points, mobility controllers and network management software, which they named AirWave management (Wikipedia, 2015), shown in Figure 12.

Figure 12. Aruba AirWave Management Platform for Wireless, Wired and Remote Networks (Aruba Networks)

5.3.1 Mobility controller features and benefits

The Aruba mobility controller is a simple, compact and affordable solution for the corporate network. Figure 13 shows the Aruba mobility controller and Figure 14 shows a remote access point from Aruba Networks. The mobility controller not only manages access points, but is also capable of handling many different kinds of operations that were usually handled by dedicated network hardware devices. The controller acts as an IPsec virtual private network tunnel concentrator for site-to-site and client-based VPNs. Some of the mobility controller features are as follows (Aruba network, Inc., 2010).

a. It acts as a user role-based firewall.

b. Centralized security, control and management

c. The mobility controller performs layer 2 switching and layer 3 routing.

d. Identity-based security gateway

e. It is able to detect and block unsafe traffic.

f. It provides separate guest access.

g. The mobility controller has advanced radio frequency services with adaptive radio management and spectrum analysis.

h. Seamless integration with existing corporate VPNs

i. Easy to deploy and expand without interruption to the wired network

j. Able to provide location services and has a radio frequency “heat map” feature

Figure 13. Aruba 3000 Series Mobility Controllers (Aruba network, 2010)

Figure 14. Aruba RAP-5WN Remote Access Point (Aruba Network, 2011)

5.4 Vendor selection decision matrix

As discussed in chapter 5, after a preliminary analysis the target company decided to test three vendors' hardware devices for this proof of concept project.

However, selecting the right vendors would not be easy if the company did not have any standard vendor selection guidelines. So, based on the project requirements, the project team came up with a list of test criteria, which need to be performed during the implementation time as well as on the live network. A more detailed breakdown of the vendor selection matrix is shown in Table 1.

Table 1. List of Tests to be Performed During the Implementation and Testing Period

Test Field | Site Type | Test
Implementation test | Hub and satellite office | Line up
Implementation test | Hub and satellite office | Preconfigured equipment installed
Implementation test | Hub and satellite office | IPSec connection
Implementation test | Hub and satellite office | LAN connection
Implementation test | Hub and satellite office | Wireless connection
Implementation test | Hub and satellite office | SAP application
Implementation test | Hub and satellite office | Web based tendering application
Implementation test | Hub and satellite office | CAD/CAM document management application
Implementation test | Hub and satellite office | VoIP and video
Implementation test | Hub and satellite office | Intervention planning application
Implementation test | Hub and satellite office | SharePoint
Implementation test | Hub and satellite office | Browsing
Implementation test | Hub and satellite office | External email
Implementation test | Hub and satellite office | SaaS application (mainly salesforce.com)
WAN performance | Hub office | Reducing the pressure on the MPLS connection by using the Internet gateway: "load"
WAN performance | Hub office | Reducing the pressure on the MPLS connection by using the Internet gateway: "max bandwidth"
WAN performance | Hub office | Latency in MPLS and Internet
WAN performance | Hub office | Reducing the pressure on the MPLS connection by using the Internet gateway: "less discard out"
WAN performance | Hub office | Reducing the latency to reach the datacenter over the IPSec tunnel
WAN performance | Hub office | Network traffic from the satellite office to the MPLS connection over the Internet
WAN performance | Hub office | Internet breakout statistics
WAN performance | Hub and satellite office | Core application statistics, ping, timeout
WAN performance | Hub and satellite office | Outage length (timeout)
User acceptance | Hub and satellite office | Internet access first impression (bad, even, better)
User acceptance | Hub and satellite office | Application performance (bad, even, better)
User acceptance | Hub and satellite office | Network availability (bad, even, better)
User acceptance | Hub and satellite office | IP telephony (bad, even, better)
Firewall performance | Hub and satellite office | Don't allow any incoming traffic, only outgoing traffic
Firewall performance | Hub and satellite office | Antivirus
Firewall performance | Hub and satellite office | Content filtering / app filtering
LAN performance | Satellite office | Wireless (easy to configure)
LAN performance | Satellite office | Printing over LAN and WAN
Vendor comparison | Hub and satellite office | Cost of solution per office
Vendor comparison | Hub and satellite office | Easy to implement and move
Vendor comparison | Hub and satellite office | Scalability
Vendor comparison | Hub and satellite office | Monitoring capability and reporting
Vendor comparison | Hub and satellite office | Remote configuration (deploy and configure from anywhere)
Vendor comparison | Hub and satellite office | Easy to troubleshoot
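The three WAN performance rows "load", "max bandwidth" and "less discard out" in Table 1 are judged from interface counters collected by a poller such as Cacti (section 3). The following added example, which is not part of the thesis and uses constructed counter readings for an assumed 2 Mbit/s MPLS link polled every 300 s, computes those three figures before and after an Internet breakout and checks whether the pressure on the MPLS link was reduced:

```python
"""WAN-link figures behind the Table 1 "load", "max bandwidth" and "less discard out"
tests, computed from egress interface counters the way a poller such as Cacti does.
Added example, not the thesis's code; every counter reading below is a constructed
sample for an assumed 2 Mbit/s MPLS link polled every 300 s."""
from dataclasses import dataclass

COUNTER_WRAP = 2 ** 32  # 32-bit ifOutOctets / ifOutDiscards counters wrap at this value


def counter_delta(prev: int, cur: int, wrap: int = COUNTER_WRAP) -> int:
    """Difference between two counter readings, correcting for a single wrap-around."""
    return cur - prev if cur >= prev else cur + wrap - prev


@dataclass
class LinkReport:
    avg_load_pct: float   # "load": mean utilisation over the whole period
    peak_load_pct: float  # "max bandwidth": busiest single polling interval
    discards_out: int     # "discard out": egress packets dropped because the queue was full


def link_report(octets: list, discards: list, link_bps: int, interval_s: int) -> LinkReport:
    """octets/discards are successive poller readings of the link's egress counters."""
    loads = [100.0 * counter_delta(p, c) * 8 / (link_bps * interval_s)
             for p, c in zip(octets, octets[1:])]
    dropped = sum(counter_delta(p, c) for p, c in zip(discards, discards[1:]))
    return LinkReport(round(sum(loads) / len(loads), 1), round(max(loads), 1), dropped)


def pressure_reduced(before: LinkReport, after: LinkReport) -> bool:
    """True when all three Table 1 criteria improved on the MPLS link."""
    return (after.avg_load_pct < before.avg_load_pct
            and after.peak_load_pct < before.peak_load_pct
            and after.discards_out < before.discards_out)


# Constructed samples. The first "before" pair deliberately crosses a 32-bit counter wrap.
MPLS_BPS, INTERVAL_S = 2_000_000, 300
BEFORE = link_report([4_294_000_000, 59_032_704, 119_032_704, 194_032_704],
                     [10, 10, 14, 30], MPLS_BPS, INTERVAL_S)
AFTER = link_report([0, 30_000_000, 67_500_000, 90_000_000],
                    [0, 0, 0, 0], MPLS_BPS, INTERVAL_S)
```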

6 NETWORK REDESIGN CASE STUDY

The basic idea of this proof of concept project was to reduce MPLS network usage by providing local, secured Internet access at all levels. In small offices, MPLS can be completely replaced with the Internet. This is done by deploying the vendor's solution at all offices, providing secure Internet access along with a VPN connection and MPLS access.

6.1 High level view of network design for POC

Before deploying any larger-scale Internet breakout solution into the corporate network, it is a good idea to test the vendors' devices to see how well they perform in the real-world network. For this proof of concept project, the target company decided to test the Juniper Networks, Fortinet and Aruba Networks solutions (discussed in chapter 5) in three countries within eight different cities. Due to the project time constraints, not all vendor solutions could be tested at every location, so the company decided to test the Juniper Networks solution in China, the Aruba Networks solution in Finland and the Fortinet solution in the United Kingdom. Each country's test network setup is discussed in more detail in later sections of this chapter.

To successfully test those new devices and at the same time not interrupt everyday business operations, all test locations received new Internet connections for the Internet breakout and for the IPSec tunnel. The plan was that if any problems occurred during the implementation or testing period, the office network could fall back to the old connection that had been working previously, to help minimize risk. Therefore, the smaller branch offices (discussed in chapter 3.6), where not so many users were working, will only have an Internet connection, and at regional offices or headquarter offices it will complement the MPLS network and Internet connection. At larger offices with both Internet and MPLS connections, critical traffic and applications hosted in the datacenter, such as SAP, Voice over IP, and SharePoint, are routed through the MPLS network. Noncritical traffic and Internet access such as email, browsing, YouTube, and salesforce.com are sent through the Internet line. This can be achieved either through regular routing or through policy routing. These VPN connections can also act as a backup connection for the MPLS network to increase network reliability. Automatic failover of connections can be achieved either through dynamic routing or through static multipath routing with link failure detection.

Internet bound traffic is naturally sent directly to the Internet.
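The path selection and failover behaviour described in section 6.1, as an added model that is not part of the thesis or of any vendor's product: critical traffic to datacenter-hosted applications is steered onto MPLS where the office has one, everything else leaves through the local Internet breakout, the IPsec VPN over the Internet line backs up MPLS, and link failure is detected by a probe counter. The datacenter prefix, the addresses, the probe threshold and the MPLS backhaul fallback for Internet traffic are constructed assumptions.

```python
"""Model of the two-path branch design from section 6.1 (added example, not the
thesis's own code). Critical traffic to datacenter-hosted applications (SAP, VoIP,
SharePoint) goes over MPLS where the office has one; everything else uses the local
Internet breakout. The IPsec VPN over the Internet line backs up MPLS, and a probe
counter detects link failure. The datacenter prefix, the addresses and the probe
threshold are constructed assumptions."""
import ipaddress
from dataclasses import dataclass

# Constructed datacenter address space: a destination inside it is "critical" traffic.
DATACENTER_PREFIXES = [ipaddress.ip_network("10.10.0.0/16")]
PROBE_FAIL_THRESHOLD = 3  # consecutive lost probes before a link is declared down


@dataclass
class Link:
    name: str
    up: bool = True
    failed_probes: int = 0

    def probe(self, reachable: bool) -> bool:
        """Record one reachability probe (ICMP/RPM style) and return the link state."""
        if reachable:
            self.failed_probes = 0
            self.up = True
        else:
            self.failed_probes += 1
            if self.failed_probes >= PROBE_FAIL_THRESHOLD:
                self.up = False
        return self.up


class BranchSite:
    """Hub/regional offices have Internet and MPLS; small satellite offices Internet only."""

    def __init__(self, name: str, has_mpls: bool):
        self.name = name
        self.internet = Link("internet")
        self.mpls = Link("mpls") if has_mpls else None

    @staticmethod
    def is_datacenter(dst: str) -> bool:
        addr = ipaddress.ip_address(dst)
        return any(addr in net for net in DATACENTER_PREFIXES)

    def next_hop(self, dst: str) -> str:
        """Policy-routing decision for one destination address."""
        if self.is_datacenter(dst):
            # Critical datacenter traffic: MPLS first, IPsec over the Internet as backup.
            if self.mpls is not None and self.mpls.up:
                return "mpls"
            if self.internet.up:
                return "ipsec-over-internet"
            return "unreachable"
        # Non-critical traffic uses the local Internet breakout directly.
        if self.internet.up:
            return "internet"
        # Assumed fallback to the pre-POC path: backhaul over MPLS to the datacenter breakout.
        if self.mpls is not None and self.mpls.up:
            return "mpls-backhaul"
        return "unreachable"
```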

6.2 Finland test plan

The target company selected two small branch offices as test locations for the Aruba Networks solution. Each location had around seven users. It was the company's internal decision to test Aruba devices only for small offices where no more than 10 users were located and the office does not perform any critical operations. For this project, each location had one new business-class Internet connection. Deploying the Aruba Remote Access Point (RAP) in the small branch offices was easy (discussed in chapter 6.2), but installing the Aruba mobility controller in the datacenter was a bit difficult because of the datacenter's own firewall. Once that was sorted out, it worked very well and is discussed further in chapter 5.3. The Aruba mobility controller had a firewall feature, but in this project the firewall feature was not tested.

Previously, all small branch offices connected through the IPSec tunnel to the datacenter. To access the Internet and corporate applications, traffic from small offices had to travel through the datacenter and from there access the Internet and corporate applications. There was no Internet breakout from each country, as all Internet breakouts happened from regional datacenters. The small branch offices are the ones affected by poor network performance because of the long-distance path to the datacenters and low-bandwidth connections.

In this architecture, a Remote Access Point (RAP) device provides similar functionality to a VPN client but allows shared access for multiple devices through wired and wireless LAN interfaces. The mobility controller, which was located in the datacenter, acts in an analogous manner to a VPN concentrator.

Each RAP communicates with the controller over the WAN through one or more secure, encrypted IPSec tunnels. This communication gives the devices/users connecting through the RAPs access to the company's core network and to the applications and services that exist there. The connection between the controller and the RAPs is shown in Figure 15.

Figure 15. RAPs are Communicating with the Controller over WAN

6.3 United Kingdom test plan

With the current company network architecture, satellite offices had a single Internet connection. As mentioned in chapter 6.2, not every country had its own Internet breakout or datacenter. All small offices that were connected through the IPSec tunnel had to go through a long path to the regional datacenter to access the Internet and corporate critical applications. All regional offices' or corporate offices' network traffic went through an MPLS connection to reach the datacenter or half-datacenter to access hosted applications and for accessing