Looking to a Future of Application-Centric Networking
In the enterprise, best-effort networking isn't good enough. An enterprise has to add services on top of its common underlying IP network to support the specific performance and security requirements of critical applications.
For performance, these requirements include:
- Quality -- Especially for external voice along with video and Web conferencing
- Reliability -- 99.999% uptime in this digital 24/7 business world
- Measurements -- Being able to monitor and track performance
For security, these requirements include:
- Regulations -- Being in compliance with HIPAA, PCI, GDPR, and other mandates
- Protecting Data -- Consumer, financial, private, confidential, regulated
- Control -- HR and business rules on what employees and applications can do
Today's IP networks will segment local traffic into VLANs; over the WAN assign specific QoS classes and virtual routing and forwarding, and optimize TCP/UDP flows; and in the data center use VXLAN for segmentation and rely on overbuilding for QoS. A few examples of today's segmented networks are:
- Voice -- Real-time communication with its own network
- Telepresence -- Immersive room-based video systems
- Payments -- Credit-card authorizations
- Guest WiFi -- Non-employee network access
The problem with today's hodge-podge of technologies is that it doesn't allow an end-to-end view, which is becoming especially critical since mobile users and cloud-based applications are on different networks. To solve this problem, networks must become more intelligent. Moving up the stack to Layer 5, the session layer, where intelligent services reside (see diagram below for an overview of the OSI model and the services provided in the session layer).
The session layer, the most critical layer for an intelligent Application Centric Network (ACN), provides the glue between applications and lower-level network functions. It provides the mechanism for opening, closing, and managing a session between end users and applications. Sessions are stateful and end-to-end, which provides more granular network and security controls for application services. Firewalls, proxies, session border controllers, WAN optimization devices, load balancers, and caching/content delivery networks all manage network state and provide higher-level networking and security functions. Instead of requiring the need to bolt on all these "middleboxes," network routers must provide these functions natively in next-generation networks.
A sample of services at the session layer fall into the same buckets of:
- Signaling -- Ability to request and secure network resources at the start of a session, which is a requirement for zero-trust networking
- Identity Management -- Integrating with directories to be able to verify users and devices
- Segmentation -- The rules on who is allowed to access what, and keeping the attack surface to a minimum
- Encryption -- End-to-end TLS and key management
- Anomaly Detection -- Understanding network use with alerts on misuse or hacking
- Optimization -- Managing TCP/UDP flows such as window sizing and rate limiting
- Prioritization -- Dynamic network prioritization and controls, not only at the start of the session but throughout the entire session as other sessions come and go
- Intelligent Routing -- Using multiple paths with mid-session stateful failover
- Content Distribution -- Multi-cast support to distribute videos and files and supporting content at the edge of networks
- Address Abstraction -- Mapping the naming schema used in applications and directories to network IPv4/6 addresses and TCP/UDP port numbers
- Session Detail Records -- Monitoring and managing how network resources are consumed and accounting for network usage for planning and billing purposes
A lot of the focus of the software-defined WAN (SD-WAN) market is to provide the glue between applications and the network. The challenge is that SD-WANs use tunnels and overlays such as IPsec and VXLAN, which are Layer 2 and Layer 3 based. These overlays don't work well through firewall/NAT boundaries, so lack end-to-end user-to-application performance and security controls. SD-WAN vendors also partner with the session players to provide many of the stateful, intelligent network services, but finding one that provides all services is difficult.
Some folks will argue that intelligent routing is a Layer 3 function such as using BGP. While routing is a Layer 3 function, intelligent routing has state and end-to-end performance and security controls. For instance, if a link has a burst of errors or high jitter, a Layer 3 routing protocol won't reroute the application unless the link goes down. Layer 3 routers prioritize BGP keepalive packets that monitor a link's health at the highest level, and thus aren't impacted by network congestion, just network outages.
Just like next-generation firewalls are moving further up the stack, next-generation networking is doing the same. The ACN provides all the intelligent session layer features each critical application requires to ensure performance and security requirements are met.