Building Enterprise Compliance & High-Performance Networks

by Adam Gervin

Mode should be in your SD-WAN's future

Dear readers: I'm taking a break this week. You've heard my perspective across 20 blog entries. It's time for someone else, and that someone else is a very special guest blogger: Searl Tate.

Searl was until recently CIO and Managing Director of Paul Hastings, an Am Law 100 law firm, one of the largest in the world, focused on serving Fortune 100 companies. Searl is a veteran at maintaining the highest standards in an enterprise network, from high performance and availability to strict security and enterprise and client compliance.

At Mode, our goal is to work with the on-premises SD-WANs to deliver a No-Worry Network that helps folks like Searl sleep better at night.

We hope you enjoy his blog.

Let's start by covering the current state of networking, particularly in light of the highly regulated conditions that all but mandate some form of special compliance above and beyond what many of us are already doing today.

If you have achieved your network compliance goals, congratulations. I suspect there are at least a few of us left wondering what cost-effective solutions are available as an alternative to upgrading our legacy network circuits. Yes, I regard MPLS as a legacy technology.

This blog is entitled Building Enterprise Compliance & High-Performance Networks since that's the path I see most technology managers debating when faced with their own network upgrade decisions.

I believe this is especially true in our current climate of extreme governance. While my experiences are colored by my time in professional services in Big Law, I think any enterprise manager will appreciate this discussion.

My aim is to raise a few provocative points that may stimulate your own questions, concerns, and challenges.

Our Carrier Journey

What is "Enterprise-Grade Security" and how do you achieve and maintain it?

In its most nascent form, enterprise security was simply a private circuit. We couldn't even count on physical separation, necessarily.

This is a case of picking from the options available, often born of cost consciousness, performance characteristics, or some other non-security facet. It was only after our basic performance and functional needs were met that we were able to turn our attention to matters of security and compliance.

The long swing of the pendulum has landed us squarely in the middle of a security concern reawakening. There is no doubt that some of the fervor is amplified by government regulations, but the industry needs the wakeup call.

I think we can agree that however we arrived here, there is no question that we are expected to provide a stable, reliable, high-performance network at the lowest cost basis possible.

As a car guy, I'm reminded of the old mechanic's saw: "fast, good, or cheap, pick any two."

Back to security today: we know this means strong encryption and central key management. It's more, too. Consider the attack surface your network faces, even before we get into application-layer concerns. Keep in mind that an encrypted network path mitigates the exposure of plain-text client-server communications crossing the WAN. It is one of the easiest ways to shore up this basic compliance requirement.

Beyond this, there are issues of non-availability, like you might see with Distributed Denial of Service attacks. This highlights the need for path diversity. Ideally, failover and reconvergence are handled automatically...and without anyone noticing the hiccup. That always happens, right?

A Little History

You could read the phrase "enterprise-grade security" as a lightly coded message meaning "only enterprise customers care about security," and given the marketplace options until recently, you'd be right. We tend to vote with our wallets, and external pressures are making it clear that we must pony up and establish a better and more secure network platform.

Back to history: that has meant private or logically separated circuits were considered good enough.

Frame-relay networks gave way to MPLS, but the fundamental concerns were still there. Yes, there's some separation, but the real driver was the value proposition compared to the very expensive and truly private network circuit options. Even if you went that uber-expensive route, you only bought basic separation and did not necessarily gain strong security.

An examination of the ubiquity of MPLS networks quickly reveals that its adoption was almost entirely fueled by its role as a cost-effective alternative to dedicated private links. With the proliferation of Ethernet backhauls, dynamic bandwidth increases became a reality. That may have been the final nail in the coffin. Only the most critical workloads stayed with expensive dedicated and private networks, and there are plenty of examples of even that giving way to cost consciousness in places you would never think possible.

So, think about our homegrown IP VPN solutions as a parallel to the newer SD-WAN offerings.

We gained security at the cost of administrative overhead. I guess you could say this delivered cheap and fast. Good was conveniently left behind with the huge win we saw with the apparent cost savings.

Now, we are finally able to instrument and control Quality of Service and deal with our real-time protocol applications like voice and video. SD-WAN appears to be the answer.

The Need for Edge-to-Edge Security and Performance

One lingering area of concern remains with POP-to-POP optimization. Even CDN options do not do enough to run a typical hub-and-spoke, partially meshed, 30-office network with mixed workloads. Enterprise America has solved the streaming problem, but that did nothing for real-time protocol needs. You really need edge-to-edge and end-to-end performance and security (WAN optimization, network control, end-to-end encryption, etc.). As the saying goes, you can buy bandwidth but not better latency.

We've Come to Accept Difficult as Normal

Other concerns come up around third-party reliance.

There are too many moving parts, and that can mean poor stability and reliability.

Support headaches from the carrier and even your internal staff are to be expected. If you manage this space, you know exactly what I'm talking about here. For too long, we have just accepted this as ordinary housekeeping overhead.

So why are performance and availability concerns considered vital components of compliance and security?

Whether your shop is pursuing an ISO certification because clients mandate it, or you're simply looking to avoid embarrassing and costly public disclosures, strong and reliable security matters.

Additionally, Distributed Denial of Service attacks are now commonplace. This ephemeral attack vector must be dealt with differently.

Even if you are not the intended target, downstream customers are affected. This is probably the most common way you'll experience a DDoS attack with your provider. There are many under-documented victims of this type of attack.

Now, the following might sound provocative, but it is intended as a statement of fact: there are NO cost-effective single-circuit Distributed Denial of Service mitigation solutions. Think about that.

When was the last time you saw an advertisement that promised to keep you safe from such a denial of service attack, only to fail in your time of need? What recourse did you have? Were you satisfied by the meter turning in reverse and issuing you a tiny credit? No, of course not.

Relying on a single high-end provider with a scrubbing center is setting yourself up for inevitable failure. IoT based attacks have proven that an army of nodes can be amassed to overwhelm nearly any size circuit! Even if you are not taken down entirely, you are likely left in a degraded state...for hours, or longer.

Beyond that, think about anything that threatens basic network availability, including the lack of path diversity. This is especially true for your last mile. How sure are you that you have true path diversity to your office building?

Many low-cost carriers do not know whether, or cannot ensure that, they have actual physical path diversity from the other network options available in your building. The problem is compounded when it turns out your carrier is merely carrying the paper for the actual on-network provider. This could mean you are saddled with multiple down circuits in your time of need. This bit of housekeeping is crucial to your long-term success.

With Mode, you will hear more about the middle mile. This is my favorite space since it is what distinguishes Mode SD-CORE + any SD-WAN from ordinary IP VPN and related solutions. Yes, you can have security and performance with high availability at reasonable cost.

Invest in a Sustainable Solution

...yes, read that as NOT MPLS. I'm okay with that. Competition is good for the consumer, and this is no different. Disruptive forces find their way into our portfolio, and even they must pivot or perish. The world won't need MPLS much longer, and you will soon be telling war stories of the kind once reserved for frame-relay circuits.

Get Off the Carrier Train

If you have been in this business as long as I have, you know the dance. Every few years you swap your currently failing or under-performing network operator for one of the handful of other typical choices, only to do it again a few years later. Was there ever a real technical advantage one carrier had over another? Were you ever happy? It really was our only choice: dubious improvements that quickly decayed, leaving us staring down the prospect of yet another contract negotiation. This is probably why we cannot get comfortable with long-term telecom contracts of any kind. They want long-term commitments to assure recurring revenue, but what do you get?

In my experience, it rarely made sense to sign any carrier contract longer than a couple of years. At renewal time you could count on getting more bandwidth for the same money, and we were supposed to come away feeling like we won. It is not sustainable. What about the real security issue here?

Turns out, MPLS providers know this too. Have you seen how many MPLS providers are turning to third-party solutions, bolting on a VPN or yet another in-line appliance to boost security features? How do you think support will work when things go wrong?

How Mode Gives you a No-Worry Network

I am not saying you should fire your MPLS provider now. Instead, start your SD-WAN journey NOW, and you may find that you don't need your backup MPLS provider. You have one of those, right?

So, build your confidence with some demonstrated progress. You will save a lot of money along the way too. In time, you will see you do not need your legacy MPLS circuits at all.

The secret sauce is explained by Mode SD-CORE. If you have not had a chance to read the excellent set of white papers, you really need to check them out. If math is your thing, read their CTO's PhD thesis, where this whole thing was invented. Dr. Michael and his colleagues are onto something very special here.

To be clear, underlying networks still matter, in the same way server choices still matter elsewhere in our infrastructure. Maybe you're an HP Enterprise shop, or a Cisco shop lured by promises of Optane, but you are probably not a Dell shop any longer. How you spend here says a lot about how you actually value risk mitigation.

Virtualization was supposed to make brand-name servers a thing of the past, but it did not play out that way for the risk-averse enterprise! We spend the money freely as insurance against the risk that poorly managed servers present. We just do not have the time to deal with that. No, insurance still does not have a Return on Investment!

Still, this SD-WAN advent goes a long way to democratizing secure and high performance networks.

This time around, evolution leads to revolution. Just as we gained confidence in our IP VPN solutions as a backup to MPLS, you can make the jump to SD-WAN to create a truly tier-one primary network, at a cost basis that is nearly the same as your backup network. Depending on your workloads, you just may be able to achieve this overnight. Literally. What does it take to carve out two or three nodes and find out for yourself?

Unlike your IP VPN, you can have QoS with Mode SD-CORE, just like you do with MPLS.

So, what does it take?

What are your biggest security needs?

If client compliance drives the concern, you can follow some pretty well-defined recipes for success. That is, you do everything your client tells you to do, or negotiate terms and apply compensating controls. Sound familiar?

Until now, you could not do it at a price point that is about what you would pay for ordinary IP VPN. And it turns out even your VPN solution won't satisfy them completely.

Further, given the risks of the unknown, we can't know the actual details of new risks waiting to ambush us, but we know the risk areas, and that is why we absolutely need path diversity. No effective SD-WAN solution can do this with a single path.

Mode Lacks a Pioneer Tax

I like "pioneer tax" as an expression. If you're like me, you have paid your dues!

Anyone else here on their fourth or fifth Apple Watch? Sure, it took a bit, but they really nailed it with the Series 4. It just works...finally. No kidding, it's a thing of beauty.

Sometimes iteration is necessary, but there isn't any pioneer tax with Mode, because all of the underlying platforms are mature. That is why you can put nearly any network under the power of Mode SD-CORE and see huge performance benefits while achieving your security goals. It is not advertised here, but I happen to know they have a number of premium networks to power Mode SD-CORE. Ericsson's impressive global network is one such example. Many more are lined up.

One day, the underlying network won't matter nearly as much. As the baseline improves, and even the cheapest providers prove they can deliver, the cost will drop considerably.

I would like to point out that you can implement Mode today. If you spin it up to serve utility traffic or a controlled workload, you can see the benefits and begin moving specific network workloads in short order.

What is not covered here are the many ways you can integrate into your existing ecosystem. This means some of your favorite WAN optimization devices will soon offer a drop-down selection to use Mode for your SD-WAN. Drop the folks at Mode a line to hear more about that.

Different Core Categories for SD-WANs

Let's take a look at the following Infographic:


Basic Internet Core is just garden variety Internet access with all the quirks and foibles you've come to love. If you are going this route, you are probably doing it as cheaply as possible. It has its place for basic use cases.

Optimized Internet Core can describe any offering beyond basic Internet service, including CDN, compression, and optimization.

Finally, Private Core is where things get very interesting. It is where you want to be if achieving MPLS performance at much lower costs is your goal.

To further delve into Private Core, I would like to direct your attention to the far right Mode column. You'll see all of the expected performance attributes fully bubbled in: end-to-end encryption, high availability and performance, granular SLA, support for any SD-WAN, etc., with the exception of price. The price bubble is depicted at 75%, and that is fair. There's a nominal cost on top of your basic network service.

And now, a few questions and answers:

  1. A lot of SD-WANs use the Internet, or solutions that use POP optimizations and an Internet Core. How do you feel about these as a CIO?

    That is a very good question. I think part of the unasked question here is why is that not a sufficient solution?

    If your workloads do not have any critical real-time protocol needs, you might be fine dealing with the spiky and unpredictable nature of the Internet.

    If you need quality of service functionality and service level guarantees, you need something like Mode SD-CORE. I have not actually run into anything else quite like it.
  2. Lots of enterprises "trust" MPLS Service Providers with unencrypted data and still do. What's changed and why is end-to-end encryption so important?

    To answer this, I think we need to take a trip down memory lane. The 90s gave us frame-relay circuits, and we parlayed that into MPLS in the 2000s. The problem here is that we were still pursuing performance, distribution, availability, and VALUE over security.

    Private or quasi-private just isn't cutting it for our newest wave of regulation requirements. Our table stakes have changed, and you need strong encryption and good key management. Mode calls it a Zero Trust Network. There's a banality to expressions like that, but it is a necessary evil to convey the sentiment that they cannot ever see your network payload. Also keep in mind that there are logistical hurdles here. You need to handle all of your compression and optimization BEFORE encryption. That's why many existing solutions cannot aid your performance goals like Mode can.
  3. Mode uses the term "Perfect" as in Perfect Network Control™, and that seems pretty bold. Can you explain the choice and what it means for their ability to deliver on their claims?

    Ha, that does sound bold!

    Words like perfect scare me, but I think they are referring to the fact that they are working with the mathematical limit and frankly, earth-bound physics. Path selection and reconvergence work as advertised.

    The only thing that will improve is the underlying network performance and maybe some implementation optimizations. I'm thinking about ecosystem integration options here. Otherwise, we really are looking at Perfect Network Control™ of any backbone that joins its global overlay fabric.
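The ordering point in answer 2, compression and optimization before encryption, is easy to verify for yourself. The script below is an added illustration and is not Mode's code or the author's. It uses a SHA-256 counter-mode keystream purely as a stand-in for a real cipher such as AES-GCM (do not reuse it as production crypto), and the sample traffic, key and nonce are constructed. It shows that the same chatty plain-text traffic shrinks to a small fraction of its size when compressed first, while ciphertext handed to an optimizer does not shrink at all, which is why a WAN optimizer sitting outside the encryption boundary cannot help. One caveat the blog does not raise: compressing attacker-influenced data and secrets in the same context leaks through the ciphertext length (the CRIME/BREACH class of attacks), so what gets compressed together deserves the same review as what gets encrypted.

```python
"""Compress-then-encrypt versus encrypt-then-compress on a WAN path.

Added illustration, not Mode's or the author's code. The stream cipher is a
SHA-256 counter-mode keystream standing in for a real AEAD such as AES-GCM;
the key, nonce and sample traffic are constructed for the demo.
"""
import hashlib
import zlib

KEY = bytes(range(32))    # constructed demo key; a real key comes from a KMS
NONCE = b"\x00" * 12      # constructed demo nonce; must never repeat under one key

# Constructed sample of chatty client-server traffic: the kind of plain-text
# request a document-management client sends over and over.
SAMPLE = (
    b"GET /matters/000123/documents HTTP/1.1\r\n"
    b"Host: dms.example.internal\r\n"
    b"Authorization: Bearer 000000\r\n\r\n"
) * 40


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode. Stand-in only; use a vetted cipher in production."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR with the keystream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def compress_then_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """The right order: the optimizer sees structured plain text."""
    return xor_stream(key, nonce, zlib.compress(plaintext, 9))


def decrypt_then_decompress(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    return zlib.decompress(xor_stream(key, nonce, ciphertext))


def encrypt_then_compress(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """The wrong order: the optimizer sees only high-entropy ciphertext."""
    return zlib.compress(xor_stream(key, nonce, plaintext), 9)


def decompress_then_decrypt(key: bytes, nonce: bytes, blob: bytes) -> bytes:
    return xor_stream(key, nonce, zlib.decompress(blob))


def size_report(key: bytes, nonce: bytes, plaintext: bytes) -> dict:
    """Bytes on the wire for each ordering, so the two can be compared."""
    return {
        "plaintext": len(plaintext),
        "compress_then_encrypt": len(compress_then_encrypt(key, nonce, plaintext)),
        "encrypt_then_compress": len(encrypt_then_compress(key, nonce, plaintext)),
    }


if __name__ == "__main__":
    for name, size in size_report(KEY, NONCE, SAMPLE).items():
        print(f"{name:>22}: {size} bytes")
```

Running it prints three sizes: the compressed-then-encrypted stream is a small fraction of the 4000-byte sample, while the encrypted-then-compressed stream is slightly larger than the sample because zlib falls back to stored blocks when it finds nothing to compress. Both orderings round-trip back to the original, so the only difference the network sees is how much has to cross the WAN.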