Dave Greenfield Whether you’re opening a new distribution center or rolling out a new factory, secure and effective communications are essential. At one time, building that network was well understood, connecting factories, distribution centers, and the rest of the supply chain with a private network built from MPLS or some other private data service.
Traditional Networks Pose Problems for Manufacturers
But as the pace of business has evolved so too have the problems with MPLS become more apparent. The shift to digital transformation and IoT all but requires an agile network that can be rapidly deployed, easily realigned, and with a cost structure in line with modern business.
MPLS services are far from that description.
Deploying new locations or connecting new factories can take weeks even month with MPLS. Even changing capacity requires opening and submitting tickets that often take days to fulfill.
Bandwidth costs are also out of line with today’s businesses particularly when compared with Internet costs. Justifying spending 80 percent more for an MPLS connection is increasingly difficult when Internet capacity has grown and performance has improved.
And as traffic moves to the cloud, MPLS designs underperform. Classic MPLS architectures consolidated Internet access in one location for reasons of security and control. Backhauling Internet, private cloud, and SaaS traffic often adds latency, undermining the application experience.
The much hyped digital transformation of manufacturing and the rise of sensor-based factories can only be actualized with a comparable change in the network.
Are SD-WANs The Answer?
IT teams in other industries have been able to replace MPLS with Internet communications and software-defined wide area networks (SD-WAN). With SD-WAN, appliances connect locations to one more MPLS or Internet services (xDSL, cable or 4G/LTE). The appliances aggregate the connections together to create a single virtual link that has more capacity and better uptime than any one link. They do this by establishing a mesh of encrypted tunnels across between all locations.
Policy-based algorithms balance traffic across the links to maximize their utilization and direct traffic to alternate links in the event of a failure or slow-down. Performance is improved for all applications by routing them along the optimum path. Routing decisions are made based on real-time traffic conditions, and thresholds defined in application policies.
But typical SD-WANs are a poor fit for manufacturers who need to be concerned that even the slightest outage of a processing plant, the disruption of a supply chain, or that the lack of regulatory compliance will interfere with the business. Connecting sites to SD-WAN pose questions about predictability, security, and compliance that must first be addressed.
Provide Predictable Performance for Remote Users and Locations
The Internet is fundamentally unmanaged, which makes it inherently suspect as the basis of any supply chain network. But the performance problems of the Internet aren’t uniform; they vary depending on the stage of a packet’s journey to its destination. Understanding what changes and why can allow manufacturers to address the performance problems facing SD-WAN.
Unlike office or even campus networks, performance across the WAN is driven more by packet loss and latency than bandwidth. It’s the deadly combination of the two that will significantly degrade the throughput of TCP sessions to remote users and locations when transitioning to SD-WAN. MPLS networks avoided the issue through tight engineering that minimized latency and loss. MPLS SLAs, for example, typically guarantee .1 percent packet loss but in practice average loss is even lower. With the Internet, packet loss can average 1 percent with latencies that will invariably be longer than comparable MPLS routes.
There are two schools of thought when it comes to fixing the latency and packet loss rates of the Internet. One approach is to rely on technology in the SD-WAN edge appliance, the other combines edge technology with a backbone. Both agree that locations should be connected with business-grade Internet services, ideally ones where locations are dual-homed and diversely routed for maximum uptime.
The edge-only approach improves latency in much the way any SD-WAN would tackle latency. The appliance monitors the performance of a tunnel across the end-to-end path to the destination and selects the tunnel with the least latency. The more SD-WAN nodes, the more possible paths that edge appliance can choose from to reach the destination, the more effective the SD-WAN.
As for packet loss, the edge-only approach reduces packet loss through two types of algorithms running in the appliances. Error correction algorithms will insert a recovery packet every “n” number of packets. Should a packet be lost then the remote station uses the recovery packet to derive the lost data without requesting a retransmission, which is what so significantly impacts TCP throughput. Packet duplication algorithms pass packets across two lines. The destination uses the first received packet, discarding the copy.
As you might imagine, the edge-only approaches can work well in Internet regions where the number of routes to a destination are plentiful and density of SD-WAN nodes are sufficient to leverage those routes. But when the number of paths are limited, the edge-only approach becomes more limited. The same is true with high packet loss rates. If packet loss rates are too excessive no correction algorithm will work; the same is true if the correction packet is lost. Packet duplication is helpful in these cases, but that also means wasting bandwidth transporting irrelevant data.
All of which is why you’ve seen network service and cloud providers combine edge technology with a managed backbone. With this approach, locations connect to an SD-WAN across the service provider’s or cloud provider’s backbone. Keeping traffic on their own backbone allows providers to optimize routing and reduce latency. Reducing the length of the connection to just the service provider edge minimizes the likelihood of appliances having to recover lost packets. When excessive packet loss does occur, the shorter distances allows packet recovery to occur much faster.
Combining edge technology with a backbone does come with its challenges. For one, traditional network carriers haven’t always had the best reputation with IT professionals. What’s more such an approach is only effective with a backbone that has sufficiently large geographic scope. Even tier-1 providers can have pockets of coverage, forcing them to move SD-WAN traffic over third party networks.
Security Challenge and Compliance Can Undermine WANs for Manufacturing Networks
Even where performance can be addressed, compliance and security remain an issue. There are expert opinions that believe SD-WANs can be compliant with standards, such as HIPAA, PCI and CFATS. Much has to do with implementation and you’re best advised to work closely with a compliance and networking expert.
Critical for compliance with any regulation will be the level of security implemented in the SD-WAN. Conventional SD-WANs encrypt traffic between locations, a necessity for Internet communications. However, that still doesn’t provide protection against the malware, ransomware and the range of well-known threats in using the Internet. Defending against such threats requires deploying a next generation firewall (NGFW), IPS/IDS, malware protection and the rest of the advanced security stack.
SD-WAN vendors will take one of three approaches in addressing the problem. Some vendors will integrate with external products and services. This approach uses the SD-WAN to direct packets to and from the approved security products from vendors such as Check Point, Palo Alto and ZScaler that may reside in the cloud or at another location. In this way, branch offices can be secured, but deployment is made more complex by having to deploy or integrate with additional products. What’s more costs grow not only from purchasing the additional security products and service but managing them as well.
A second approach, runs security service inside the SD-WAN appliance often using the NFV standard. Manufacturers get the benefit and comfort of running their own security tool in their own edge appliance. However, they also inherit the scalability and operational problems for which appliances are notoriously known.
The third approach moves security into the SD-WAN. With this approach, traffic is inspected when passing through the SD-WAN service. It’s an approach that can be very affordable to deliver and maintain as there’s one only product to manage. However, the provider must be able to build a robust range of security services into the SD-WAN — not a trivial proposition.
Fast and Secure — Even for Remote Factories
SD-WAN promises to allow manufacturers to build a robust, affordable network connecting their factories and offices. But to reap the benefits of SD-WAN companies must pay even closer attention that they implement the necessary performance and security controls to meet business and compliance requirements. SD-WANs can certainly deliver on that promise with the right implementation.
Dave Greenfield is a secure networking evangelist for Cato Networks.
