Teleworking has grown steadily over the last decade. The current pandemic has dramatically accelerated that growth, which has put an unexpected strain on enterprise networks. Concerns about security, productivity and cost efficiency all come up when enterprises are asked about their strategy to enable teleworking.
The traditional approach of providing secure connectivity for remote workers using VPN client software on the teleworker’s device has provided a stop-gap solution. It has served us well in the past when the percentage of teleworkers was a fraction of the overall enterprise workforce. But in a new normal where each employee's home office needs to be supported by IT administrators as a “mini” enterprise branch location, it presents a significant overhead.
Managed SD-WAN services are ideally positioned to address these new requirements by extending the service to the home office, leveraging the same centralized policy control and management infrastructure to make the solution seamless, secure and efficient.
Managed service approach with Nuage Networks SD-WAN 2.0
Nuage Networks from Nokia offers its SD-WAN managed service provider (MSP) partners a home office solution that addresses the requirements enterprise customers face when enabling teleworking for their employees. This solution will allow enterprises to maintain full business continuity by extending the same policy control and network governance to their employees' homes in an easy-to-deploy, scalable and cost-effective way without compromising security or productivity. See Figure 1 below.
Figure 1. Extending SD-WAN 2.0 into the home to enable the teleworker
SD-WAN 2.0 provides the ability to create an intelligent end-to-end network fabric that connects users and workloads across all parts of the network (e.g. central and regional HQs, branch locations, private clouds, public clouds, SaaS clouds and Telco clouds) from a single platform and governance model. As depicted in Figure 1, this home teleworking service inherits this capability as it extends its reach to include the home office as part of its scope of visibility and control.
I will touch on several aspects of a managed home teleworking solution empowered by SD-WAN 2.0 that, when taken collectively, exemplify the power of this approach to meet enterprise home teleworking needs now and well into the future.
Easy to deploy
To enable this service, a Network Services Gateway (NSG) will need to be deployed in the home. The MSP partner can draw from a large range of NSGs to fit each unique home enterprise environment. One option may be the NSG-C600 series devices, as they represent compact and inexpensive form factors with optional embedded LTE and Wi-Fi AP capabilities. However, this choice will depend on which devices are currently operationalized in the network as well as the specific connectivity requirements of the teleworker. The teleworker can deploy the NSG herself in the home using multi-factor authentication and zero touch provisioning (ZTP), which enables a home networking profile defining her unique network configuration to be securely downloaded in minutes.
By extending SD-WAN 2.0 to the home office, network administrators will have access to granular application-specific analytics for devices connecting into the enterprise networks. This is useful not only for compliance and audit reasons but also for capacity planning purposes. By leveraging an intuitive visualization dashboard available through the SD-WAN 2.0 WAN portal, these analytics can be visualized and archived as reports to further understand and improve the quality of service that each teleworker receives at their home.
Flexible software-defined security
One of the essential elements of extending SD-WAN 2.0 to the home office is the extension of existing software-defined application security policies. The first line of protection is IPsec encryption across all SD-WAN overlay tunnels. The security capabilities embedded directly on the NSG include ACL-based stateful micro-segmentation, URL / Web filtering, Intrusion Detection & Prevention, and L7 and SaaS application control. In addition, access to third-party NGFW or security functions can be programmed through a network service chain, enabling various “security as a service” capabilities that can be accessed from the home office. Local breakout SaaS traffic flows are protected through IPsec tunnels to cloud-hosted third-party security functions.
Advanced routing pedigree
One of the hallmarks of SD-WAN 2.0 is its routing sophistication and scalability. The NSG software is built from the industry-leading Service Router Operating System (SR OS). This foundation allows it to scale services like SD-WAN tunnels and provide sophisticated and hardened implementations of edge router capabilities such as NAT/PAT, QoS, etc.
In addition, the Nuage Networks empowered SD-WAN service is equipped with special routing functions called Network Gateways (NGWs), typically deployed at enterprise network boundaries, that are built from the ground up to connect heterogeneous network segments. In Figure 1, this function is depicted as “NGW”. Its primary function is to connect the internet broadband WAN to the MPLS WAN, allowing the SD-WAN L3 domain to seamlessly span across both underlays. Additionally, the NGW nodes act as the secure gateways between the SD-WAN overlay network and the traditional networking domains (e.g. public, private or telco clouds).
The shift toward home teleworking represents an exponential increase in the number of networking nodes or branches that need secure overlay tunnel management. The Nuage SD-WAN 2.0 solution was designed to handle such massive scale and supports both hub-and-spoke and full-mesh architectures. As scalability requirements and network complexity increase, SD-WAN 2.0 offers a deployment model that allows NSGs and NGWs to be configured into mesh groups and hub groups respectively. This allows all NSGs within the mesh group (e.g. branch and home office locations in a specific region or country) to directly communicate with each other. All other communication outside of the mesh group is aggregated and proxied by one or more NGWs in a hub group. This approach creates a network hierarchy that allows a single enterprise network to grow from 100s to 1000s of branch locations.
Optional LTE uplink
The NSG-C601 and other variants are equipped with a built-in LTE module allowing for an optional second network uplink for the home office. This optional capability can be used in a variety of ways, including adding resiliency to the home service. Network administrators have full flexibility on when and how to enable the LTE connectivity for a home office and, depending on the commercial considerations, the uplink can be configured as a stand-by or fully active connection. With dual active uplinks, more advanced routing capabilities can be configured, such as load balancing applications across both links to augment the capacity and resiliency at the home. Application aware routing (AAR) can also be configured to optimize the best path for each application.
There are various solutions and approaches in the market today, but many of them do not offer the full suite of capabilities offered by an SD-WAN 2.0 powered managed service. By extending SD-WAN 2.0 to the home teleworker, the same capabilities and control normally available in the enterprise branch are extended to the home office in a flexible, easy-to-deploy and cost-effective manner, ensuring business continuity. The benefits of advanced software-defined security and scalable routing capabilities are all inherited.
The ongoing pandemic has no doubt changed the way organizations operate in the near term. While it is difficult to predict the future, it is clear that the teleworking trend is here to stay. For network administrators, the Nuage SD-WAN 2.0 solution presents an effective and economical path forward without making any compromises to IT security or worker productivity. For more information about our home teleworking solution please download our brochure.