SD-WAN for home workers? Seriously?

The cultural experiment of long term WFH has been proven and while many organizations have made the commitment to retain home working in a post lockdown world, the technology used to support secure, productive users is invariably still far from ideal. So, what’s the issue, or more likely, the issues facing those looking to progress beyond the VPN and is SD-WAN really a credible option to deploy in the home?

The number one challenge facing your home users is session stability. They don’t care about protocols, packet loss or bandwidth starvation because in many cases they don’t know what’s going on behind the scenes, but when services freeze even the least technical member of staff that is working from home will see the effect of poor network connectivity and often be quite vocal about it.

While some are fortunate enough to have a gigabit FTTP service for a sensible amount of money, there are more home workers who do not. It’s the new version of the north south divide.  Rather than splitting the country in terms of prosperity, the new divide is those who have great consumer internet at home and those who spend a significant proportion of their week hearing the ever present “Can you turn your video off”. Bandwidth starvation is killing productivity and if a new fiber circuit to every member of staff is out of the question, SD-WAN might just be the answer.

Worth a note at this stage that all SD-WAN solutions are far from equal. I’ve genuinely lost count of how many SD-WAN vendors there are, but I know it’s more than 40. As the industry still tries to define what the minimum requirement for an SD-WAN solution actually is, vendors far and wide are sticking an SD-WAN badge on just about anything that vaguely fits the bill. OSPF or HSRP with a fancy GUI? Yeah, why not, someone will buy it, even if it does take around 30 seconds to failover between links. That said, there are a handful of vendors that really focus on UX and they are WFH game changers.

Diverting around the problem

Poor user experience is really down to one of two things at a network level, namely delay in packets reaching their destination due to latency, congestion or jitter (which is caused by congestion) or good old fashioned packet loss where things just go missing. These ‘challenges’ are invariably short lived but significant enough to degrade UX – think latency in a VDI session or video call and you’ll know you don’t need a catastrophic network blackout for service freeze to kick in. SD-WAN gets around this problem by bonding links, MPLS, DSL, FTTC/P in the typical office deployment, with various mechanisms to secure and manage the traffic between those links in an attempt to keep service levels up.

Most home workers don’t have diverse transports to the house, so some vendors offer small form factor SD-WAN devices that supplement home internet with built in 4G and in some cases, dual built in 4G to take SIM cards (or eSIMs) from diverse carriers which in turn makes external connectivity resilience both cost effective and simple. If an SD-WAN solution has 2 or 3 routes to the user from the outside world, it is going to need to be able to steer around real-time, short lived network degradation events in milliseconds or the UX will start to drop. You simply can’t divert around the problem quickly enough if the SD-WAN has tied a user session to a specific transport circuit but that’s how 90 percent+ of the vendors out there do it. A better option is Packet Based Forwarding, where each packet is sent via the best route based on the condition of each transport at the time. Which leads to another question, how does the SD-WAN know the condition of each circuit available to it? The answer is the IT classic, ‘it depends’.

The final piece of the puzzle

Consumer circuits are asymmetric so look for a vendor that measures network condition for each ‘pipe’ in both directions but don’t do it with something like Forward Error Correction otherwise you’ll be filling anything up to 20 percent of your precious bandwidth with synthetic probe traffic rather than production traffic. Ideally you should look for a solution that effectively measures every finite metric of connectivity condition with every packet of production data sent and received, before using this data to establish which path to take on a per packet basis. That way, it can steer around connectivity problems within milliseconds, not seconds, which is essential if you’re delivering VDI, VoIP, video or anything else that’s latency sensitive. This brings us on to another thought, where do services originate from?

While the traditional data center is going to stay around for the time being at least, the adoption of cloud hosting in Azure and AWS or ‘software as a service’ and collaboration platforms has completely changed the delivery model. It’s no longer the data in the center with the users around the outside, the user now typically sits at the edge of a vast interconnected range of services all of which need access control and some form of user accountability for compliance. This new Secure Access Service Edge (SASE) delivery model has become top of the agenda for those responsible for IT security and a key benefit of some SD-WAN offerings. Access to services can be controlled by the device with both real-time and historical user data providing an additional layer of visibility for compliance management. It’s effectively controlling who can do what from where and providing an audit trail after the event. Sound like internet break out at the branch? That’s exactly what it is, with service chaining to web gateways, IP reputation control and DLP thrown in.

The final piece of the puzzle is what happens in the home, more specifically the home wireless network. The never-ending list of home connected devices fighting for Wi-Fi supremacy is one more hurdle for UX and productivity but nothing compared to the risk of unpatched or compromised home devices connected to your corporate network via a trusted laptop on a VPN. If the SD-WAN solution had built in Wi-Fi, you could provision a corporate wireless network for trusted devices in the home just like you would in a branch location. That would solve that problem nicely, especially if it was plug and play for the home worker so you didn’t need to send an engineer round to each house to wire it in.

So, are all SD-WAN vendors going to solve the elephant in the room problems of long-term home working? Not on your Nelly, but do a little bit of homework, choose wisely, and you’ll find a very small number of SD-WAN vendors who can do all of the above. And your users will thank you for it. 

Al Taylor, Co-founder and CTO, cloudDNA

Source link