
Strategies for a Healthy WAN-Toward a Well-connected Enterprise

PCQ Bureau

As organizations consolidate their data centers and provide remote access to their branch offices, the management of WAN infrastructure takes center stage. We surveyed key CIOs across the country to find out how they were managing their WAN infrastructures, how they were optimizing their bandwidth, what sort of clauses they were putting in their SLAs to manage service providers, and much more. In this story, we explore those responses and answers to some key pain points in WAN management.


Two key trends are fueling the WAN market growth today. One is branch office automation, wherein organizations are trying to empower their branches with IT. The second is IT infrastructure consolidation, wherein organizations are moving away from distributed computing and moving their entire IT infrastructure to one central location. While this ensures better manageability of the IT infrastructure, it puts additional stress on the WAN connectivity. That's because most of the processing takes place centrally, and branch offices require WAN connectivity to access centrally hosted applications.

Under such circumstances, CIOs must have a strategy to ensure not only the availability of their WAN links, but also their bandwidth. Both these factors are equally important. Availability can be managed in many ways: providing backup links, going for third-party support to monitor your links, and enforcing stringent SLAs, to name a few. Ensuring bandwidth availability, on the other hand, is not a one-time process, but an ongoing one.

The third key issue is security, which becomes more important when an organization uses the Internet to interconnect its various branch offices. The way out here is by using VPNs. They can provide secure connectivity between branch offices and the HO, and even between roaming mobile users and the HO. There's a fourth aspect that's extremely important as well: SLAs. They play an important role in ensuring not only high availability of WAN links, but also bandwidth and QoS. There's a lot more to SLAs, and we'll cover that subsequently.


So as one can well imagine, there are lots of issues to be tackled when it comes to managing WAN links and keeping them healthy. To do this story, we interacted with CIOs of key enterprises across the country. We tried to find answers to all the issues we just talked about and how they were handling them. As one could well imagine, it's not an easy job and requires a well-planned strategy. In this story, we'll talk about this in more detail.

Identify and manage pain points



The first step in WAN management is to identify the key pain points with your existing WAN infrastructure setup. Is it availability of your WAN links? Is it bandwidth, security, or something else? Let's look at them one by one.


Link availability



More than 50% of our respondents found it to be somewhat of an issue. Lack of availability in WAN links happens only sometimes. This is possibly because a majority of them already have backup lines, which take care of downtime. However, this is not the only solution. Companies could also outsource their WAN management to a third party, which will ensure that the links are always available. This is a good and cost-effective strategy to adopt for organizations with a large number of branches, like banks. That's because it would be unfeasible for them to hire manpower just to manage their WAN links in their remote branch offices. It's better to hire a third party and let them worry about it. What the organization should do is implement the right management solutions to keep track of its WAN links. This would help in immediately identifying links that are down, so that corrective measures can be taken. The other thing it should do is put in stringent SLAs that define the time period within which downtime would be tackled. We've seen situations where a complete bank branch was non-operational for many hours because its WAN links were down and there was nobody available to fix them.


Give some basic training to branch staff



Another thing to do is to give some basic training to at least one person in the branch on what to do should the WAN link fail. This doesn't have to be a detailed technology walkthrough. A few basic guidelines would suffice. For instance, the person should know where the WAN link terminates in the branch office, and be able to identify the particular cable. In the case we just mentioned, the reason for downtime turned out to be a pulled-out WAN cable, possibly by the cleaning staff while cleaning in the morning. If the local person is given the basic knowledge to check for such things, downtime can be reduced.

One must keep in mind that in branch offices, these kinds of practical situations can occur and therefore should not be neglected.


Understand your bandwidth needs



Another critical pain point as far as WAN management goes is availability of bandwidth. One of the reasons for this can be the ISP, which can be tackled by putting in stringent SLAs. In fact, in our survey, the overall satisfaction level of the respondents with the level of service offered by their service providers was quite high.

The bigger issue is judging your actual bandwidth requirements. How many applications are currently loading your WAN links, and how many more applications are you likely to add in the future? Are your WAN links geared to handle the additional load? As infrastructure consolidation and data center centralization become a trend, you'll be running more applications over your WAN links. Is your service provider geared to provide you more bandwidth as and when you add more applications? This may not be much of an issue in the case of a large service provider offering you connectivity in your head office. The service provider could give you Bandwidth on Demand facilities, allowing you to scale up as much as you need and charging you only for the duration when you really used it. The trouble again comes in branch offices. Is the local service provider for your branch office geared to provide more bandwidth? Again, we've seen cases where the service provider is just not able to offer this facility.

Even if a WAN service provider does promise such a facility, the next thing you must check is how long the service provider would take to upgrade your bandwidth. Would the service provider offer Bandwidth on Demand, or would there be a bureaucratic process of applying for additional bandwidth?


How many service providers?



The interesting thing we found in our survey was that a majority of the respondents were using two service providers. However, a significant 28% of them were using three to four service providers. Your choice of a service provider depends upon a number of things. One, of course, is reach. Is your service provider able to offer you connectivity across all your branch offices? Even if the service provider is, the next question is related to availability. Is it worth risking giving your complete WAN infrastructure to a single service provider? What if the service provider's links were to fail? How many redundant paths does the provider have to ensure that your connectivity doesn't get hampered? In some cases, it might make sense to go with more than one. Some companies we know of have outsourced the complete WAN infrastructure management to a single service provider. The service provider in turn ties up with other service providers to offer redundancy, availability, etc.


B/W Optimization Appliances



WAN optimization has been one of the most talked about technologies for the past year. It is basically a collection of techniques to enhance the performance of applications over your WAN. A WAN optimization appliance uses a combination of various techniques like compression, TCP optimization, WAFS, caching, SSL acceleration, etc. Strangely, despite all the hype, we didn't get a very enthusiastic response on using WAN optimization appliances. In our survey only 15% of respondents said they were planning to deploy a WAN optimization solution in the near future, while 47% said they had no plans of doing so at all. Those who had deployed such solutions did manage to save bandwidth. About 13% of the respondents said that they had managed to save 20-30% of their bandwidth, while another 10% saved 30-40% after deploying a WAN optimizer. Most of the bandwidth shaping is achieved through a policy-driven approach, i.e., you can limit how much bandwidth a user, an application, or an IP can consume in a particular time.

Before deploying a WAN optimization solution, it's very important to know what exactly is going on over your WAN. If you are accessing an ERP or SAP application over the WAN, you might be better off deploying an Application Accelerator than a WAN optimizer.

WAN optimization has also made a mark in DR, as an enterprise needs to back up huge volumes of data every day to a remote location over a WAN. To handle this, many enterprises deploy large WAN links between the remote DR site and the data center. In many cases data replication cannot be postponed to non-peak hours, and backup has to be performed every hour or so.

WAN optimization appliances improve the time taken to transfer data by using techniques like data reduction, where the appliance constantly monitors the data flowing across the link and, if it encounters repetitive data, provides it locally. By reducing the amount of repetitive data sent, WAN traffic is significantly reduced.

In compression, the appliance uses a common compression algorithm to remove extra information from the traffic before it is transmitted. The information is reconstituted at the destination using that same algorithm, and there is no synchronization between the two ends. This technique reduces the data transmitted over the WAN link, but it has limitations on how much bandwidth reduction it can achieve by itself, and it has minimal impact on latency. Another commonly used technique is caching, in which the data transmitted is inspected at both ends and the appliances store all duplicate data locally in their own caches. This way, every time the device at the other end asks for this data, only the code for it is sent and the data is delivered locally. Two commonly used techniques in this are byte caching and object caching.
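The data reduction and byte caching passages above describe the same mechanism: both appliances keep a store of chunks they have already seen, and repeated data crosses the link only as a short code. The following is an added sketch, not any vendor's implementation; the `Appliance` class, the fixed 256-byte chunk size and the use of a SHA-256 digest as the "code" are assumptions made for illustration.

```python
from __future__ import annotations
import hashlib

CHUNK = 256  # assumed fixed chunk size, chosen to keep the example short


class Appliance:
    def __init__(self) -> None:
        self.store: dict[bytes, bytes] = {}  # SHA-256 digest -> chunk bytes

    def encode(self, data: bytes) -> list[tuple[str, bytes]]:
        """Sending side: a known chunk goes out as a 32-byte reference only."""
        tokens = []
        for i in range(0, len(data), CHUNK):
            chunk = data[i:i + CHUNK]
            digest = hashlib.sha256(chunk).digest()
            if digest in self.store:
                tokens.append(("ref", digest))
            else:
                self.store[digest] = chunk
                tokens.append(("raw", chunk))
        return tokens

    def decode(self, tokens: list[tuple[str, bytes]]) -> bytes:
        """Receiving side: learn raw chunks, serve references from the local store."""
        parts = []
        for kind, value in tokens:
            if kind == "raw":
                self.store[hashlib.sha256(value).digest()] = value
                parts.append(value)
            elif value in self.store:
                parts.append(self.store[value])
            else:  # stores out of sync, e.g. the far end lost its cache
                raise KeyError("reference to a chunk this end never stored")
        return b"".join(parts)


def wire_bytes(tokens: list[tuple[str, bytes]]) -> int:
    """Payload bytes that actually cross the WAN link."""
    return sum(len(value) for _, value in tokens)


def sample_report(rows: int = 10) -> bytes:
    """Constructed data: ten distinct 256-byte records, like an hourly replication."""
    return b"".join(f"row {i:04d} ".encode().ljust(CHUNK, b".") for i in range(rows))
```

Sending `sample_report()` twice through one `Appliance` costs 2560 bytes the first time and 320 bytes the second; a receiver whose store has been emptied cannot resolve the references, which is the failure case the `KeyError` branch covers.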

In protocol optimization, protocols that are inefficient over the WAN, such as HTTP, CIFS, and MAPI, are made more efficient, typically by converting a time-consuming serial communication process into parallel processes where various communication tasks are handled simultaneously. While protocol optimization does not reduce the amount of bandwidth used by an application, it can accelerate delivery of applications and reduce latency in the process.

Besides heavy traffic, retransmission due to errors is another reason that makes WAN links slow. Bandwidth is actually being wasted if the appliance has to retransmit data every time there's an error. For loss mitigation, most appliances use the adaptive FEC technique. FEC (forward error correction) looks for bit errors in the WAN traffic and corrects them before they are passed to other protocols. WAN appliances use FEC at the packet level to reduce packet loss. An FEC packet, or error recovery packet, is added after every few packets. This packet contains all the information required to reconstruct any packet sent in between two FEC packets. With this, there is no need to send the lost packet again, as it can easily be reconstructed at the receiver's end by using the FEC packet. This also helps in improving the response time of applications.
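Packet-level FEC as described above can be shown with the simplest recovery code, a single XOR parity packet per group. This is an added example, not code from any appliance; the group of four packets, the 2-byte length prefix and the function names are assumptions, and the sample packets are constructed.

```python
from __future__ import annotations
from functools import reduce


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def frame(pkt: bytes, width: int) -> bytes:
    # 2-byte length prefix plus zero padding, so packets of unequal size XOR cleanly
    return len(pkt).to_bytes(2, "big") + pkt.ljust(width, b"\x00")


def make_parity(group: list[bytes]) -> bytes:
    """Sender: one FEC packet = XOR of every framed data packet in the group."""
    width = max(len(p) for p in group)
    return reduce(xor_bytes, (frame(p, width) for p in group))


def recover(received: list[bytes | None], parity: bytes) -> list[bytes]:
    """Receiver: rebuild the one missing packet (None) without a retransmission."""
    missing = [i for i, p in enumerate(received) if p is None]
    if not missing:
        return list(received)
    if len(missing) > 1:
        raise ValueError("one parity packet repairs only one loss per group")
    width = len(parity) - 2
    survivors = (frame(p, width) for p in received if p is not None)
    rebuilt = reduce(xor_bytes, survivors, parity)
    size = int.from_bytes(rebuilt[:2], "big")
    out = list(received)
    out[missing[0]] = rebuilt[2:2 + size]
    return out


# Constructed sample: four data packets, the second one lost in transit.
GROUP = [b"GET /erp/orders", b"HTTP/1.1 200 OK", b"row-3", b"ack"]

if __name__ == "__main__":
    fec = make_parity(GROUP)
    arrived = [GROUP[0], None, GROUP[2], GROUP[3]]
    print(recover(arrived, fec) == GROUP)
```

With this scheme a second loss in the same group still needs a retransmission, so the group size trades parity overhead against the loss rate of the link.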

Other Optimization Techniques



WAN optimization appliances have only just arrived, but companies have been following other techniques to optimize their bandwidth. At the top of the list in our survey were continuous monitoring of WAN traffic and the use of policies for bandwidth prioritization, access control, and policy routing. Some respondents even said that creating user awareness worked well for them.

SLA Management



SLAs play an important role in achieving acceptable levels of quality, uptime, latency, and packet loss. In our survey, a large number of respondents found it difficult to define SLAs with their service providers. Guaranteed uptime and penalty for downtime were the top two items that must be addressed in an SLA. Many respondents said SLAs should have realistic parameters; for example, if a branch office is in a remote geographic location with limited connectivity, most WAN service providers will shy away from an uptime clause. Other must-have clauses include last mile support, response time, an escalation matrix, and a clear definition of the problem resolution timeframe, followed by penalties if it is not met.



About 37% of the respondents in our survey said that they have faced a breach of SLA with their WAN service provider, while 59% were happy customers. When asked how they dealt with a breach in SLA, most respondents said discussions with service providers were good enough to resolve the issue, while some said they asked service providers for compensation. When asked what the nature of the breach was, a part of the respondents refused to disclose it, while some said that the service provider was 'not able to meet committed uptime.' Other responses included poor performance, packet loss, and slow response time.

VPN Connectivity



Security becomes extremely important when organizations use the Internet for WAN connectivity. In such cases, VPN is one option to consider. In our survey, 44% of the respondents said that they were using only site-to-site VPNs, while another 22% said they were using both site-to-site and access VPN for mobile users. Another 15% were not using VPN at all. About 48% of the respondents were using VPNs to access their core business applications, while email and web were the other two applications being accessed via VPN.

The biggest issue that CIOs seem to be facing in VPNs is bandwidth fluctuations, which lead to performance issues. This is an even bigger issue than security, which came as the second most important issue, but far behind the first one.

A few WAN Optimization Appliances



Blue Coat



Blue Coat's ProxySG WAN optimization appliance provides Internet security functions such as web filtering, logging, web anti-virus, spyware blocking, and peer-to-peer blocking. As a result, organizations can consolidate WAN optimization and web security into one appliance.

Silver Peak



Silver Peak NX is a WAN acceleration solution. It uses techniques like data reduction, compression, QoS, hardware-level IPSec encryption, and loss mitigation to provide high WAN speeds. It operates at the network layer of the ISO/OSI stack. It uses disk-based data reduction for increasing performance and superior memory retention.

F5 WANJet



WANJet operates at layer 4 and uses Session Matrix technology to deliver LAN-like performance over the WAN. It can accelerate applications such as file transfer, client-server core business applications, data replication, email, etc. It also supports site-to-site SSL encryption, TCP optimization, QoS traffic shaping, and application proxy support for CIFS.

Types of VPN



IPSec VPN: Initially developed for site-to-site connectivity, it is now largely used by enterprises in need of extra security and those who have geographically dispersed employees. IPSec VPNs are mostly used in addition to MPLS VPNs and work complementary to them. IPSec allows establishment of a VPN via the Internet and can provide secure gateway-to-gateway and host-to-gateway connections. IPSec encrypts packets before transmission and also validates data by authenticating the source sending the packets.

A recent development in IPSec is DMVPN (Dynamic Multipoint VPN). Here, dynamic IPSec tunnels can be created as and when required, spoke-to-spoke or hub-to-spoke. A direct spoke-to-spoke connection means two branch offices can communicate with each other without any traffic going to the HO. It only modifies the configuration files of the IPSec tunnel, not the whole tunnel.

SSL VPN



SSL VPNs are deployed in clientless environments and are mostly used for connecting road warriors to the office. They work well when you don't have much control over the end devices. In our survey ' these many ' respondents said they are using VPNs for connecting road warriors to the corporate network. With SSL, enterprises can limit access to specific resources, web applications, etc. SSL at times is also used with IPSec.

Overall, WAN management is becoming increasingly critical for organizations, and requires constant attention.

Anil Chopra and Swapnil Arora
