Simplicity of application access and ease of use are changing the workplace at a pace that’s unprecedented in our industry. This is largely due to cloud-based, multitenant applications being so easy to adopt.
Modern applications often integrate with and use multiple modes of communications. In many cases, IT departments are challenged to provide the infrastructure to support and manage this application evolution. New application use models are introducing new challenges with security, capacity, quality of service (QoS), authentication, monitoring, data governance, and availability. Network architects need to design local- and wide-area networks with an application-first strategy.
Things have changed as functionality at one time delivered in hardware has morphed into software that can run on a smartphone, laptop, or Internet of Things device. The reality is that voice, video, and data are everywhere -- both inside and outside of the workplace network.
The new reality is that your infrastructure needs to be application-aware, able to handle security and QoS for applications that can reside on multiple devices simultaneously (laptop, physical phone, smartphone), connect on different media (wired and wireless), and be in use on the workplace network, at a coffee shop, or from a remote (home) office. Collaboration tools, for example, use multiple modes of communications all in one application.
The network needs to be able to identify and handle multicast traffic on the same connections as voice and data.
Beyond simple application awareness, the network needs to be smart enough to route different application traffic -- multicast, voice, and data, for example -- with sufficient QoS and capacity to make sure sensitive application packets aren’t dropped and don’t suffer from high latency. It needs to select the most appropriate paths available at that moment, whether on the local network, over the Internet, via MPLS or other WAN links, or across software-defined WAN (SD-WAN) application-optimized connections. Business-critical applications like voice need to be prioritized over less-sensitive applications.
Network and security architects need to keep a finger on the pulse of the applications the business is using, and have the tools and systems to adapt the network to accommodate these ever-changing needs.
For example, security appliances need to be able to identify the difference between Facebook and LinkedIn, between voice (SIP) and WebRTC, and among the myriad other protocols in use. This application awareness is even more critical for telling malicious command and control protocols apart from trusted ones, because they all enter the network via the same HTTP and SSL ports.
One challenge with detecting these applications is that most of the traffic is now encrypted using SSL. There needs to be a trust relationship between the network security appliances (firewalls) and workstations/devices to enable SSL decryption and re-encryption of traffic leaving the network for inspection, logging, and analysis.
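As an added illustration (not from the article), the following Python sketch shows one signal an application-aware firewall can read from port-443 traffic before any decryption takes place: the Server Name Indication (SNI) in the TLS ClientHello. The ClientHello builder, the domain-to-application map and the labels are constructed for this example; where the SNI is absent or encrypted, classification falls back to the decryption-based inspection the paragraph above describes.

```python
import struct

APP_BY_DOMAIN = {"facebook.com": "Facebook", "linkedin.com": "LinkedIn"}  # constructed map

def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS ClientHello record carrying an SNI extension (sample input)."""
    host = server_name.encode("ascii")
    sni_list = struct.pack("!BH", 0, len(host)) + host            # name_type 0 = host_name
    sni_ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32)                                 # version, random (zeros)
            + b"\x00"                                               # empty session_id
            + b"\x00\x02\x13\x01"                                   # one cipher suite
            + b"\x01\x00"                                           # null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)            # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the SNI host_name from a ClientHello record, or None if absent or malformed."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    try:
        pos = 2 + 32                                                # skip version and random
        pos += 1 + body[pos]                                        # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]        # cipher_suites
        pos += 1 + body[pos]                                        # compression_methods
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # end of extensions
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == 0:                                          # server_name extension
                names = body[pos + 2:pos + elen]                    # skip list length
                if len(names) >= 3 and names[0] == 0:
                    nlen = struct.unpack("!H", names[1:3])[0]
                    return names[3:3 + nlen].decode("ascii")
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None

def classify(record: bytes) -> str:
    sni = extract_sni(record)
    if sni is None:
        return "unknown: no SNI (needs decryption or other signals)"
    for suffix, app in APP_BY_DOMAIN.items():
        if sni == suffix or sni.endswith("." + suffix):
            return app
    return "unknown: " + sni
```

Real appliances combine this with certificate details, flow behaviour and, where the trust relationship exists, decrypted payload inspection; SNI alone is a coarse first-pass signal.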
Applications residing in a hybrid of locations (workplace, data center, cloud) bring new network security challenges, as well. Network architects need to consider new, more secure methods for authentication, including single sign-on (SSO), multifactor authentication (MFA / 2FA), certificates, public/private keys, tokens, and FIDO2 keys.
Historically, network security has been focused on network protection. Although still very important, network architects need to put a new high-priority focus on detection and treatment/response for malicious traffic and applications. They must also be vigilant in securing non-user devices such as printers, switches, wireless access points, and other IoT instruments.
The new application-centric workplace is putting a strain on historically well-designed networks. Networks need to be designed for greater agility, capacity, reliability, and application awareness.
Some key tools in a network architect’s toolkit to accomplish these objectives are:
- Network fabric and software-defined networking (SDN): Most switch manufacturers have made significant investments in network fabric and SDN technology that, if deployed correctly, can significantly improve agility, capacity, reliability, and application-awareness of the workplace network. There are both vendor-specific fabric/SDN technologies and industry-standard (IEEE) fabric/SDN technologies, such as Shortest Path Bridging (SPB).
- SD-WAN: A variety of manufacturers and service providers offer SD-WAN solutions that can significantly improve network agility, capacity, reliability, and application-awareness, often at a lower cost than historical solutions.
- Next-generation firewalls (NGFW): Key NGFW vendors have made considerable advances in application-aware firewalls. They’ve shifted to subscription-based solutions that keep the firewall’s application and vulnerability awareness current at all times, enabling network management at a new level of granularity. These NGFWs also allow for the decryption of SSL traffic to provide even greater visibility.
This application evolution has also impacted network assessment services. Traditional approaches to test the technical elements of the network are no longer sufficient. Network assessments need to consider applications on local, wide, and cloud networks in conjunction with security, capacity, reliability, and performance considerations.
"SCTC Perspectives" is written by members of the Society of Communications Technology Consultants, an international organization of independent information and communications technology professionals serving clients in all business sectors and government worldwide.