8/13/2019 Aerohive Branch Router Buyers Guide
1/13
Copyright 2013, Aerohive Networks, Inc. 1
2012-2013 Branch Router Buyer's Guide
The definitive guide for evaluating branch networks
Introduction
Today's enterprise IT department faces a number of conflicting trends. On the one hand, they
must be flexible and agile enough to change as the business that they support changes. This
flexibility goes beyond simply facilitating user access from the corporate LAN; needs are
changing every day, as more and more businesses become decentralized and as users demand
the ability to work from any place, at any time. These trends are transforming work from a place
that users go to a thing that users do.
Another trend that requires flexibility and elasticity from the corporate network infrastructure is
that of Bring Your Own Device, or BYOD, in which the dispersed user population utilizes their
own mobile devices to access corporate networks. Both the drive to smaller, local branch
offices/teleworking and the BYOD model can introduce significant savings to the enterprise, in
the form of reduced real estate costs and capex expenditures. These trends can also improve
productivity and response time, as well as increase employee and customer satisfaction.
As the enterprise becomes decentralized, however, it faces an opposing challenge. As users
become increasingly remote and mobile, they still require the same access experience that they
would have on the corporate LAN. Because cloud and mobility technology trends now enable
mission critical work to be accomplished anywhere, the overall security profile of remote
connections must be identical to what these users would experience at corporate headquarters,
regardless of their physical location. And to make matters more complicated, this level of
security must be constant whether the device being used to access resources has been issued
and managed by corporate IT (company issued) or it is user-owned (BYOD). In order for the
enterprise to realize the significant benefits posed by decentralized branches running mission
critical applications on consumer devices, a new model designed from the ground up with
simplicity, elasticity, and user-centricity is required. The goal of this model is to ensure that
regardless of where the user is or what they are doing (user context), their security and
experience with their work product is the same as if they were working on the corporate LAN.
And this model must be enabled without overwhelming IT with complexity that is introduced
when retrofitting legacy branch architectures with these new requirements.
Table of Contents
Issues with legacy branch network models
  More local users; more and smaller branches
  More devices must be supported, including BYOD
Things To Consider
  Cost considerations
    Consumer level gear is cost effective but not enterprise class
    Enterprise-class equipment is too costly
Key Requirements
  Architectural Considerations
10 things a branch solution must do
  Deployment, installation and maintenance
  Cost
  Security
  Corporate features
Conclusion
Issues with legacy branch network models
More local users; more and smaller branches
Today's enterprise must cope with the issues of provisioning branches and teleworkers in an
efficient way. In many respects, the reason is similar to that which drove high performance,
highly reliable WLANs; these networks are no longer convenience networks. Users at these
branch offices expect the same level of access that they would get at corporate HQ.
The issue facing the modern branch is that while requiring access to corporate resources at a
level never before seen, they are actually effectively shrinking in size. This breaks the return on
investment (ROI) model used in legacy branch office network planning, which typically estimates
the size of the office and then provides a level of service to the office that is proportional to the
number of users in that office. Before the productivity enhancements delivered by cloud
computing and mobility, it was fairly easy to say that if an office had more users it must be
producing more, and therefore would require more support from IT. Such incremental
adjustments were easily justified. This legacy idea falls apart in the modern branch, as some of
the most critical interaction (taking payment from a customer, remote executives making critical
decisions, remote care in a hospital setting) is happening in the smallest office. Just because
there are fewer than 5 people in an office no longer translates directly to that office being too small
to justify a high-functioning, secure network. Every office today must have robust, secure
access, regardless of size. High performance is required everywhere, including the branch
office.
More devices must be supported, including BYOD
Today's trend toward employee-owned devices cannot be ignored. In a remote branch or
teleworker environment, such devices also cannot be physically monitored. What is most
significant about this model from a support and architectural standpoint is not only the volume of
data these devices will consume (although this is something that needs to be planned for), but
rather the fact that nearly half of all companies (48.4%) are allowing or requiring a bring your
own device (BYOD) model for at least some groups of users. They may have employees paying
for devices, or have a combination of employee- and company-paid models [1].
[1] Nemertes Research, The Ultralight Branch
As users become increasingly remote from the corporate office, some requirements remain
consistent. The network must still perform like the corporate LAN, even if the office houses only
a few users. While this requirement is not necessarily a user mandate, many of today's
heavyweight applications, such as VOIP, depend upon this level of performance in order to
function. According to industry analysts, Nemertes, 94% of organizations are deploying VoIP
now or planning to by 2012, and nearly three-quarters have deployed or will roll out Unified
Communications. About two-thirds of these organizations are also deploying or planning to
deploy softphones. More than half plan to deploy desktop video conferencing. 52.3% of
enterprises are deploying virtual desktops, or are projected to be doing so by 2012. A significant
portion of these users are telecommuters [2]. In a legacy deployment that features multiple
devices, the required network elements may also compete to apply quality of service (QoS),
security, and network policy. This results in a less-efficient network and more complexity, which
creates more points for administrative error. And, of course, there is always the fact that the
larger the number of devices deployed in the network, the greater the chance that configurations
themselves may hamper performance. Voice and video configurations, for example, could easily
be crippled by security considerations.
Things To Consider
Cost considerations
Consumer level gear is cost effective but not enterprise class
When faced with the task and the cost of provisioning small remote offices or teleworkers, many
enterprises will naturally consider that, based on the size of deployment, consumer networking
gear may suffice. The price point can be compelling, and the devices themselves are typically
built to be deployed by a non-IT end user. Unfortunately, such products are usually unsuited for
branch use, even if there is only a single teleworker in each location. Even if the end user count
is small, the corporate information being accessed is the same material that would be accessed
in the head office. The same applications found on the corporate LAN must work in the branch,
particularly if the user is housed remotely to boost efficiency. The same security policies must
be enforced at all remote locations. This is a particularly thorny issue given the rise of the BYOD
model, since these devices, over which IT has little or no control, are being invited onto the
company WLAN. The network deployed at the remote location must have the flexibility and
capability to deal with BYOD at the same level as that housed in the corporate headquarters,
making a consumer device far too limiting. Management of the branch device, one of the main
differentiations between enterprise class and consumer, is also a key issue to consider.
[2] Nemertes Research, The Ultralight Branch
While the capital expense is low, the need to configure every consumer device individually in the
face of an ever-increasing number of locations can lead to tremendous management and
support costs.
Enterprise-class equipment is too costly
Even entry-level network devices geared toward the enterprise are probably going to be too
costly to roll out in significant numbers, particularly to users like teleworkers. And the costs are
not only in the capex column; in fact, in most small office deployments, hardware purchase is
only about 20% of the overall cost of the solution. The remaining 80% comes from the ongoing
operating expenses, including:
Provisioning
Deployment
Management Upgrades
These steps require a significant amount of time and expertise to go through. In most cases,
provisioning remote office connectivity and VPN includes:
1. Headquarters IT receives equipment. Devices typically begin deployment with central IT,
due to the complexity of setup.
2. Headquarters IT spends a significant amount of time preparing an IP address plan for
many small offices that are going to be connected to the IP network. IT then employs a
system specifically designed to manage those addresses in the face of ever-expanding
remote office locations.
3. Headquarters IT sets up basic configuration. This includes a console connection to the
device, and setup of parameters that include:
a. WAN IP Addressing
b. LAN IP Addressing
c. DHCP Setup
d. DNS Addressing
4. Installation onsite. Once the equipment is configured, it typically requires a technician to
travel to the branch to perform initial setup.
5. Connect devices and complete configuration. This step includes the setup of:
a. IPSec tunnels
b. Firewalls
c. SSIDs, if wireless access is to be provisioned
After the equipment is delivered and deployed at the branch or teleworker location, it must be
tested. Each step in this process is prone to human errors, which are notoriously difficult to
catch. Because most branch deployments, particularly microbranches and teleworker
deployments, do not have onsite IT staff, any changes in the network lead directly to helpdesk
calls. This can make simple branch connectivity one of the most expensive propositions that an
enterprise will face.
Key Requirements
The fact is that the trend toward more and more highly dispersed workforces is not going to go
away. Successful enterprises will embrace this new model, and find new ways to accommodate
the issues it poses. In the next section, you'll discover questions to pose to prospective vendors
to ensure that your next round of remote/teleworker deployments is as cost effective as possible.
Architectural Considerations
Legacy branch networks are often thought of and deployed in a hub-and-spoke model. This
model sends all traffic back to the corporate office via encrypted tunnel, then off to the resources
required. Significant latency can result, but if your goal was to ensure security, there may not
have been another way to handle the issue other than to take your chances on a portion of your
corporate traffic. In the modern branch office, even micro-branches and teleworkers, having
applications operate faster and with more efficiency and reliability will directly lead to greater
productivity from the remote employee. Eliminating this latency while maintaining the security
profile and policy enforcement is a key consideration when working through how your branch office
network will be architected.
Decentralizing the functions of the branch while leveraging cloud technology can vastly increase
the performance and reliability of branch connectivity without compromising integrity of the data
or reducing the productivity of the end user. Cloud services should be considered for on-
demand services. Using the cloud allows security and policy enforcement to occur closer to the
end user and can vastly increase the performance and reliability of the network services. If your
users are sending encrypted traffic to a trusted host, such as Salesforce.com, you should be
able to whitelist this traffic. If you are concerned about web traffic, you can ensure security here
by routing it through a cloud-based security service, such as Websense or Barracuda Online.
Decentralizing the branch office architecture and leveraging cloud services provides many
advantages to the modern branch architecture.
Additionally, by leveraging the cloud to off-load compute intensive security functions, such as
Layer 7 application security and scanning, you can dramatically reduce the cost and complexity
of a highly secure branch office. Legacy branch office architectures require expensive, multi-
function devices to manage the remote users but leveraging the cloud can allow the same
services to be executed in a dramatically smaller branch.
Another vestigial remnant of legacy branch architectures and their hub-and-spoke mentality
is the requirement that the VPN termination requires a big iron device to handle sessions. One
way around this issue is virtualization. First, consider where your VPN sessions are terminating
today. Likely it is in a large device in your datacenter, but that doesn't need to be the case.
Instead of putting this service into a device that has to be maintained and added to over time,
your needs may be handled well with a virtual VPN Gateway. This approach enables you to
determine what type of hardware the service runs on, as well as how you would like to upgrade it
as you add more users.
One thing in a branch network must be centralized, however, and that is management. Ideally,
you should look for a simple, centralized management system that enables you to see and
modify configurations in any branch network in real time, through a single pane of glass. Such
a system should also allow you to make changes or respond to user issues via a centralized
monitor.
10 things a branch solution must do
Selection of a branch connectivity solution will typically fall into 4 categories:
Deployment, installation and maintenance, which includes the initial setup and
deployment, as well as the day-to-day issues of management
Cost, which includes the price of the hardware and operating expenses
Security, which must consider the security of both the end user and the enterprise
Integration into corporate infrastructure, which pertains to how easily the branch
deployment is incorporated into the overall enterprise architecture
Deployment, installation and maintenance
Your branch/teleworker router must be easy for a non-technical user to deploy
Business case: The number of employees that telework continues to grow. According to
WorldatWork [3], the total number of people who worked from home or remotely for an
entire day at least once a month in 2010 was 26.2 million. The study notes that this figure
represents nearly 20% of the U.S. working adult population. Clearly, a truck roll for every
individual is unworkable. The situation is similar in small, localized branches, where there
is unlikely to be a resident IT staffer.
[3] Telework 2011 - A WorldatWork Special Report
Requirements: The enterprise branch/telework access solution must be one that is easy
for an average user to install on their own, without having to call IT. The solution should
not assume that the end user knows anything about networks, or that they will
understand any kind of technical jargon. Ideally, the solution should be as close as
possible to plug-and-play.
Your branch/teleworker router must be easy for IT to manage, maintain and upgrade
Business case: If the enterprise is committed to branches and teleworking, then these
remote nodes must be capable of being centrally managed. This model is the only way to
ensure that corporate policy, security, and privacy are maintained. This is a strong
argument for a standardized solution, and another area in which seemingly affordable
consumer offerings fall short. As the enterprise maintains and upgrades software and
policies, it is essential that branch/teleworker access devices can stay in step.
Requirements: Once IT has established a base configuration, the branch/teleworker
access device should be capable of adhering to that config without any user intervention.
Management of all branch/teleworker access devices must be centralized; ideally, they
should be viewable on a single screen. Upgrades must be simple to enact, and involve
only very minimal, non-technical end user participation.
Your branch/teleworker router must facilitate easy troubleshooting
Business case: When something in the access solution isn't working, the enterprise is
immediately losing productivity from the remote worker or branch. When the user has to
place a call to IT to rectify the problem, productivity suffers still more. This situation is
compounded when the end user is not technical, since IT may have to explain not only
what the user should do, but what each troubleshooting step actually means.
Requirements: If the enterprise is going to support teleworkers and branch offices, they
must be prepared to step in when things go wrong. The ideal solution will give IT staff in
headquarters an overall view of the remote network with the ability to monitor based on
a Service Level Agreement (SLA); after all, if a problem is fixed before the user notices
that it exists, productivity stays high and everyone is happier. Central visibility is a key
element to achieving this requirement.
Cost
Your branch/teleworker router must feature reasonable capex
Business case: The move toward teleworking and regional branches has evolved to
better support customers and reduce real estate costs while enhancing employee
productivity and satisfaction. If the equipment required to enable these gains is very
expensive, however, the proposition looks less appealing. Another consideration is that
smaller branches and teleworkers may need to set up and take down a connection very
quickly. The base cost of the equipment should not be a barrier to entry. Finally, consider
where VPN tunnels back to corporate are terminated. Do you need to invest in expensive
hardware?
Requirements: In order to retain the balance sheet appeal of the branch/teleworker
model, the capital expenditures to set such users up must be appealing. Keep in mind
that as remote users come and go, the enterprise may well be stuck with obsolete
access gear that has quickly outlived its useful life. Lower capex must be achieved while
satisfying other requirements as well.
Your branch/teleworker router must minimize operating expense
Business case: While minimizing capital expenditures is generally a compelling argument
for consumer-grade devices, the fact is that the operating expenses incurred in
supporting these devices will quickly outweigh any benefit. Individual consumer devices
cannot be centrally monitored, configured, maintained or upgraded.
Requirements: The ideal branch/teleworker access solution must be centrally managed,
to ensure compliance with corporate policy. Consideration must be given to the cost of
the central management platform, as well. Ideally access to the platform can be provided
through an advanced web application interface from a public or private cloud. This allows
problem remediation from anywhere, anytime. Remember, while the management is
centralized, all of the policy enforcement needs to be distributed to optimize network
performance and end user productivity.
Security
Your branch/teleworker router must feature enterprise class security
Business case: Given the trends toward mobility and ubiquitous connectivity, the fact is
that it doesn't really matter anymore where the end user is located. Wherever they are,
these users need seamless access; and you need security. Opening a VPN tunnel can
also be an excellent way to open your network to threats. This is another reason that
consumer-grade access gear is ultimately not suited for use by teleworkers or branch
offices. In addition to supporting corporate policy, look for a solution that gives you
options to offload traffic from corporate. Another consideration, and a strong argument
against the use of consumer grade equipment, is that for security policy to be effective,
it must be consistent. That means that users in every remote circumstance should be
subject to the same comprehensive security controls.
Requirements: The ideal solution must be able to handle corporate policies of all kinds.
In order to minimize traffic flow to headquarters, consider devices that enable you to
white list some sites that you know and trust, and to scrub others through cloud-based
solutions.
Your branch/teleworker router must ensure security for all device types, including BYOD
Business case: Today's user expects to be able to use their own mobile devices to get
access to corporate assets and resources. It is important to realize that if mobile devices
are connecting via a VPN tunnel, they are effectively inside the network, and so must be
secured appropriately regardless of where they may be physically. Because BYOD is a
somewhat recent trend, many enterprises are only now starting to equip their campus to
handle it well. Because a VPN tunnel essentially puts a device on your network
regardless of its physical location, extending BYOD capabilities to the
teleworker/branch office must be considered.
Requirements: The final device selected must be able to enforce corporate use and
quality of service policies on end user devices in exactly the same fashion as they would
if that user were walking around inside corporate headquarters. If corporate policy is to
secure web traffic through application security and web scanning then these features are
also required in the branch. The same holds true for any BYO device policies mandated
by the corporation. Keeping corporate policy enforcement consistent regardless of the
location of the end user is paramount to data loss prevention (DLP).
Corporate features
Your branch/teleworker router must provide high performance throughput
Business case: Teleworkers and branch office staff are arguably more dependent on
high bandwidth applications like voice or video than their corporate counterparts. Lower
throughput or high latency solutions are simply not up to the task of handling these
heavy applications. In addition, it is important for the administrator to be able to
visualize problems with throughput as quickly as possible after they are reported, and to
handle such problems centrally.
Requirements: Branch office and teleworkers require access to the same applications
that are in use in the corporate office. To support them, the access solution must be able
to handle VOIP, video or other heavy traffic. In addition, the ability for the central IT staff
to visualize throughput and other possible issues in real time in as much granularity as
possible is essential for a good solution.
Your branch/teleworker router must be seamlessly integrated with WLANs
Business case: Since the advent of 802.11n, the concept of wireless as the primary
access method has become increasingly prevalent. It is a key enabler of the BYOD
phenomenon; in fact, many mobile devices don't even have an Ethernet port! Wireless
access must be high performance and seamless to succeed in branch or teleworker
environments.
Requirements: 802.11n wireless connectivity is essential for a good teleworker/branch
solution. The product should seamlessly accommodate a/b/g clients, and feature wired
access as well. Make sure that wireless access has the same robust features that would
be found in any strong corporate office, including security features, seamless failover to
mesh, and more. This can be an argument against controller-based solutions, which are
built around a single point of failure.
Your branch/teleworker router must have a backup mechanism
Business case: The unfortunate truth of any type of connection is that sometimes it fails.
That is as true when looking at a WAN connection as in any other situation. The
difference is that a small branch office often doesn't have an enterprise class SLA with a
service provider in place, and the average teleworker certainly doesn't. In the case of
WAN outage, the access solution must have a backup means to connect.
Requirements: Ensure that any solution considered features a 3G/4G backup
mechanism.
Conclusion
As enterprises continue to become more and more distributed and remote offices performing
critical functions continue to shrink, reliable access to the central office and cloud applications,
as well as secure Internet access for online applications and resources and support for BYO
devices, is paramount. Changing the requirements from the beginning of a project to account for
mobility and cloud technology trends is the key to successful branch office and remote
teleworker deployments.
A modern branch solution simplifies provisioning, management, monitoring, and troubleshooting
for branch office deployments, even without technical resources onsite. Enterprises can achieve
significant capital and operational savings while maintaining visibility into remote networks,
meeting security objectives and compliance standards, and increasing productivity.
For More Information
Aerohive Branch on Demand solutions now make it easier and more cost-effective to implement
wired and wireless access to corporate resources everywhere, from the home office to branch
offices and teleworkers. For more information about the Branch on Demand solution, visit
www.aerohive.com/solutions/applications/enterprise.html.
About Aerohive
Aerohive Networks reduces the cost and complexity of today's networks with cloud-
enabled, distributed Wi-Fi and routing solutions for enterprises and medium sized
companies including branch offices and teleworkers. Aerohive's award-winning
cooperative control Wi-Fi architecture, public or private cloud-enabled network
management, routing and VPN solutions eliminate costly controllers and single points of
failure. This gives its customers mission critical reliability with granular security and policy
enforcement and the ability to start small and expand without limitations. Aerohive was
founded in 2006 and is headquartered in Sunnyvale, Calif. The company's investors
include Kleiner Perkins Caufield & Byers, Lightspeed Venture Partners, Northern Light
Venture Capital and New Enterprise Associates, Inc. (NEA).
Corporate Headquarters
Aerohive Networks, Inc.
330 Gibraltar Drive
Sunnyvale, California 94089 USA
Phone: 408.510.6100
Toll Free: 1.866.918.9918
Fax: 408.510.6199
info@aerohive.com
www.aerohive.com
EMEA Headquarters
Aerohive Networks Europe LTD
Sequel House
The Hart
Surrey, UK GU9 7HW
+44 (0)1252 736590
Fax: +44 (0) 1252711901
BG-BR-1206002