Aerohive Branch Router Buyers Guide


  • 8/13/2019 Aerohive Branch Router Buyers Guide


    Copyright 2013, Aerohive Networks, Inc.

    2012-2013 Branch Router Buyer's Guide

    The definitive guide for evaluating branch networks


    Introduction

    Today's enterprise IT department faces a number of conflicting trends. On the one hand, they

    must be flexible and agile enough to change as the business that they support changes. This

    flexibility goes beyond simply facilitating user access from the corporate LAN; needs are

    changing every day, as more and more businesses become decentralized and as users demand

    the ability to work from any place, at any time. These trends are transforming work from "a place

    that users go" to "a thing that users do."

    Another trend that requires flexibility and elasticity from the corporate network infrastructure is

    that of Bring Your Own Device, or BYOD, in which the dispersed user population utilizes their

    own mobile devices to access corporate networks. Both the drive to smaller, local branch

    offices/teleworking and the BYOD model can introduce significant savings to the enterprise, in

    the form of reduced real estate costs and capex expenditures. These trends can also improve

    productivity and response time, as well as increase employee and customer satisfaction.

    As the enterprise becomes decentralized, however, it faces an opposing challenge. As users

    become increasingly remote and mobile, they still require the same access experience that they

    would have on the corporate LAN. Because cloud and mobility technology trends now enable

    mission critical work to be accomplished anywhere, the overall security profile of remote

    connections must be identical to what these users would experience at corporate headquarters,

    regardless of their physical location. And to make matters more complicated, this level of

    security must be constant whether the device being used to access resources has been issued

    and managed by corporate IT (company issued) or it is user-owned (BYOD). In order for the

    enterprise to realize the significant benefits posed by decentralized branches running mission

    critical applications on consumer devices, a new model designed from the ground up with

    simplicity, elasticity, and user-centricity is required. The goal of this model is to ensure that

    regardless of where the user is or what they are doing (user context), their security and

    experience with their work product is the same as if they were working on the corporate LAN.

    And this model must be enabled without overwhelming IT with complexity that is introduced

    when retrofitting legacy branch architectures with these new requirements.


    Table of Contents

    Issues with legacy branch network models
      More local users; more and smaller branches
      More devices must be supported, including BYOD
    Things To Consider
      Cost considerations
        Consumer level gear is cost effective but not enterprise class
        Enterprise-class equipment is too costly
    Key Requirements
      Architectural Considerations
    10 things a branch solution must do
      Deployment, installation and maintenance
      Cost
      Security
      Corporate features
    Conclusion


    Issues with legacy branch network models

    More local users; more and smaller branches

    Today's enterprise must cope with the issues of provisioning branches and teleworkers in an

    efficient way. In many respects, the reason is similar to that which drove high performance,

    highly reliable WLANs; these networks are no longer convenience networks. Users at these

    branch offices expect the same level of access that they would get at corporate HQ.

    The issue facing the modern branch is that while requiring access to corporate resources at a

    level never before seen, they are actually effectively shrinking in size. This breaks the return on

    investment (ROI) model used in legacy branch office network planning, which typically estimates

    the size of the office and then provides a level of service to the office that is proportional to the

    number of users in that office. Before the productivity enhancements delivered by cloud

    computing and mobility, it was fairly easy to say that if an office had more users, it must be

    producing more, and therefore would require more support from IT. Such incremental

    adjustments were easily justified. This legacy idea falls apart in the modern branch, as some of

    the most critical interaction (taking payment from a customer, remote executives making critical

    decisions, remote care in a hospital setting) is happening in the smallest office. Just because

    there are fewer than 5 people in an office no longer translates directly to that office being too small

    to justify a high-functioning, secure network. Every office today must have robust, secure

    access, regardless of size. High performance is required everywhere, including the branch

    office.

    More devices must be supported, including BYOD

    Today's trend toward employee-owned devices cannot be ignored. In a remote branch or

    teleworker environment, such devices also cannot be physically monitored. What is most

    significant about this model from a support and architectural standpoint is not only the volume of

    data these devices will consume (although this is something that needs to be planned for), but

    rather the fact that nearly half of all companies (48.4%) are allowing or requiring a bring your

    own device (BYOD) model for at least some groups of users. They may have employees paying

    for devices, or have a combination of employee- and company-paid models [1].

    [1] Nemertes Research, The Ultralight Branch


    As users become increasingly remote from the corporate office, some requirements remain

    consistent. The network must still perform like the corporate LAN, even if the office houses only

    a few users. While this requirement is not necessarily a user mandate, many of today's heavyweight applications, such as VOIP, depend upon this level of performance in order to

    function. According to industry analysts, Nemertes, 94% of organizations are deploying VoIP

    now or planning to by 2012, and nearly three-quarters have deployed or will roll out Unified

    Communications. About two-thirds of these organizations are also deploying or planning to

    deploy softphones. More than half plan to deploy desktop video conferencing. 52.3% of

    enterprises are deploying virtual desktops, or are projected to be doing so by 2012. A significant

    portion of these users are telecommuters [2]. In a legacy deployment that features multiple

    devices, the required network elements may also compete to apply quality of service (QoS),

    security, and network policy. This results in a less-efficient network and more complexity, which

    creates more points for administrative error. And, of course, there is always the fact that the

    larger the number of devices deployed in the network, the greater the chance that configurations

    themselves may hamper performance. Voice and video configurations, for example, could easily

    be crippled by security considerations.

    Things To Consider

    Cost considerations

    Consumer level gear is cost effective but not enterprise class

    When faced with the task and the cost of provisioning small remote offices or teleworkers, many

    enterprises will naturally consider that, based on the size of deployment, consumer networking

    gear may suffice. The price point can be compelling, and the devices themselves are typically

    built to be deployed by a non-IT end user. Unfortunately, such products are usually unsuited for

    branch use, even if there is only a single teleworker in each location. Even if the end user count

    is small, the corporate information being accessed is the same material that would be accessed

    in the head office. The same applications found on the corporate LAN must work in the branch,

    particularly if the user is housed remotely to boost efficiency. The same security policies must

    be enforced at all remote locations. This is a particularly thorny issue given the rise of the BYOD

    model, since these devices, over which IT has little or no control, are being invited onto the

    company WLAN. The network deployed at the remote location must have the flexibility and

    capability to deal with BYOD at the same level as that housed in the corporate headquarters,

    making a consumer device far too limiting. Management of the branch device, one of the main

    differentiations between enterprise class and consumer, is also a key issue to consider.

    [2] Nemertes Research, The Ultralight Branch


    While the capital expense is low, the need to configure every consumer device individually in the

    face of an ever-increasing number of locations can lead to tremendous management and

    support costs.

    Enterprise-class equipment is too costly

    Even entry-level network devices geared toward the enterprise are probably going to be too

    costly to roll out in significant numbers, particularly to users like teleworkers. And the costs are

    not only in the capex column; in fact, in most small office deployments, hardware purchase is

    only about 20% of the overall cost of the solution. The remaining 80% comes from the ongoing

    operating expenses, including:

    Provisioning

    Deployment

    Management Upgrades

    These steps require a significant amount of time and expertise to go through. In most cases,

    provisioning remote office connectivity and VPN includes:

    1. Headquarters IT receives equipment. Devices typically begin deployment with central IT,

    due to the complexity of setup.

    2. Headquarters IT spends a significant amount of time preparing an IP address plan for

    many small offices that are going to be connected to the IP network. IT then employs a

    system specifically designed to manage those addresses in the face of ever-expanding

    remote office locations.

    3. Headquarters IT sets up basic configuration. This includes a console connection to the

    device, and setup of parameters that include:

    a. WAN IP Addressing

    b. LAN IP Addressing

    c. DHCP Setup

    d. DNS Addressing

    4. Installation onsite. Once the equipment is configured, it typically requires a technician to

    travel to the branch to perform initial setup.

    5. Connect devices and complete configuration. This step includes the setup of:

    a. IPSec tunnels

    b. Firewalls

    c. SSIDs, if wireless access is to be provisioned

    After the equipment is delivered and deployed at the branch or teleworker location, it must be

    tested. Each step in this process is prone to human errors, which are notoriously difficult to

    catch. Because most branch deployments, particularly microbranches and teleworker


    deployments, do not have onsite IT staff, any changes in the network lead directly to helpdesk

    calls. This can make simple branch connectivity one of the most expensive propositions that an

    enterprise will face.

    Key Requirements

    The fact is that the trend toward more and more highly dispersed workforces is not going to go

    away. Successful enterprises will embrace this new model, and find new ways to accommodate

    the issues it poses. In the next section, you'll discover questions to pose to prospective vendors

    to ensure that your next round of remote/teleworker deployments is as cost effective as possible.

    Architectural Considerations

    Legacy branch networks are often thought of and deployed in a hub-and-spoke model. This

    model sends all traffic back to the corporate office via encrypted tunnel, then off to the resources

    required. Significant latency can result, but if your goal was to ensure security, there may not

    have been another way to handle the issue other than to take your chances on a portion of your

    corporate traffic. In the modern branch office, even micro-branches and teleworkers, having

    applications operate faster and with more efficiency and reliability will directly lead to greater

    productivity from the remote employee. Eliminating this latency while maintaining the security

    profile and policy enforcement is a key consideration when working through how your branch office

    network will be architected.

    Decentralizing the functions of the branch while leveraging cloud technology can vastly increase

    the performance and reliability of branch connectivity without compromising integrity of the data

    or reducing the productivity of the end user. Cloud services should be considered for on-

    demand services. Using the cloud allows security and policy enforcement to occur closer to the

    end user and can vastly increase the performance and reliability of the network services. If your

    users are sending encrypted traffic to a trusted host, such as Salesforce.com, you should be

    able to whitelist this traffic. If you are concerned about web traffic, you can ensure security here

    by routing it through a cloud-based security service, such as Websense or Barracuda Online.

    Decentralizing the branch office architecture and leveraging cloud services provides many

    advantages to the modern branch architecture.

    Additionally, by leveraging the cloud to off-load compute intensive security functions, such as

    Layer 7 application security and scanning, you can dramatically reduce the cost and complexity

    of a highly secure branch office. Legacy branch office architectures require expensive, multi-

    function devices to manage the remote users but leveraging the cloud can allow the same

    services to be executed in a dramatically smaller branch.


    Another vestigial remnant of legacy branch architectures and their hub-and-spoke mentality

    is the requirement that VPN termination needs a "big iron" device to handle sessions. One

    way around this issue is virtualization. First, consider where your VPN sessions are terminating

    today. Likely it is in a large device in your datacenter, but that doesn't need to be the case.

    Instead of putting this service into a device that has to be maintained and added to over time,

    your needs may be handled well with a virtual VPN Gateway. This approach enables you to

    determine what type of hardware the service runs on, as well as how you would like to upgrade it

    as you add more users.

    One thing in a branch network must be centralized, however, and that is management. Ideally,

    you should look for a simple, centralized management system that enables you to see and

    modify configurations in any branch network in real time, through a single pane of glass. Such

    a system should also allow you to make changes or respond to user issues via a centralized

    monitor.

    10 things a branch solution must do

    Selection of a branch connectivity solution will typically fall into 4 categories:

    Deployment, installation and maintenance, which includes the initial setup and deployment, as well as the day-to-day issues of management

    Cost, which includes the price of the hardware and operating expenses

    Security, which must consider the security of both the end user and the enterprise

    Integration into corporate infrastructure, which pertains to how easily the branch deployment is incorporated into the overall enterprise architecture

    Deployment, installation and maintenance

    Your branch/teleworker router must be easy for a non-technical user to deploy

    Business case: The number of employees that telework continues to grow. According to

    WorldAtWork [3], the total number of people who worked from home or remotely for an

    entire day at least once a month in 2010 was 26.2 million. The study notes that this figure

    represents nearly 20% of the U.S. working adult population. Clearly, a truck roll for every

    [3] Telework 2011 - A WorldatWork Special Report


    individual is unworkable. The situation is similar in small, localized branches, where there is unlikely to be a resident IT staffer.

    Requirements: The enterprise branch/telework access solution must be one that is easy

    for an average user to install on their own, without having to call IT. The solution should

    not assume that the end user knows anything about networks, or that they will

    understand any kind of technical jargon. Ideally, the solution should be as close as

    possible to plug-and-play.

    Your branch/teleworker router must be easy for IT to manage, maintain and upgrade

    Business case: If the enterprise is committed to branches and teleworking, then these

    remote nodes must be capable of being centrally managed. This model is the only way to

    ensure that corporate policy, security, and privacy are maintained. This is a strong

    argument for a standardized solution, and another area in which seemingly affordable consumer offerings fall short. As the enterprise maintains and upgrades software and

    policies, it is essential that branch/teleworker access devices can stay in step.

    Requirements: Once IT has established a base configuration, the branch/teleworker

    access device should be capable of adhering to that config without any user intervention.

    Management of all branch/teleworker access devices must be centralized; ideally, they

    should be viewable on a single screen. Upgrades must be simple to enact, and involve

    only very minimal, non-technical end user participation.

    Your branch/teleworker router must facilitate easy troubleshooting

    Business case: When something in the access solution isn't working, the enterprise is immediately losing productivity from the remote worker or branch. When the user has to

    place a call to IT to rectify the problem, productivity suffers still more. This situation is

    compounded when the end user is not technical, since IT may have to explain not only

    what the user should do, but what each troubleshooting step actually means.

    Requirements: If the enterprise is going to support teleworkers and branch offices, they

    must be prepared to step in when things go wrong. The ideal solution will give IT staff in

    headquarters an overall view of the remote network with the ability to monitor based on

    a Service Level Agreement (SLA); after all, if a problem is fixed before the user notices

    that it exists, productivity stays high and everyone is happier. Central visibility is a key

    element to achieving this requirement.

    Cost

    Your branch/teleworker router must feature reasonable capex

    Business case: The move toward teleworking and regional branches has evolved to

    better support customers and reduce real estate costs while enhancing employee


    productivity and satisfaction. If the equipment required to enable these gains is very

    expensive, however, the proposition looks less appealing. Another consideration is that

    smaller branches and teleworkers may need to set up and take down a connection very quickly. The base cost of the equipment should not be a barrier to entry. Finally, consider

    where VPN tunnels back to corporate are terminated. Do you need to invest in expensive

    hardware?

    Requirements: In order to retain the balance sheet appeal of the branch/teleworker

    model, the capital expenditures to set such users up must be appealing. Keep in mind

    that as remote users come and go, the enterprise may well be stuck with obsolete

    access gear that has quickly outlived its useful life. Lower capex must be achieved while

    satisfying other requirements as well.

    Your branch/teleworker router must minimize operating expense

    Business case: While minimizing capital expenditures is generally a compelling argument

    for consumer-grade devices, the fact is that the operating expenses incurred in

    supporting these devices will quickly outweigh any benefit. Individual consumer devices

    cannot be centrally monitored, configured, maintained or upgraded.

    Requirements: The ideal branch/teleworker access solution must be centrally managed,

    to ensure compliance with corporate policy. Consideration must be given to the cost of

    the central management platform, as well. Ideally access to the platform can be provided

    through an advanced web application interface from a public or private cloud. This allows

    problem remediation from anywhere, anytime. Remember, while the management is

    centralized, all of the policy enforcement needs to be distributed to optimize network

    performance and end user productivity.

    Security

    Your branch/teleworker router must feature enterprise class security

    Business case: Given the trends toward mobility and ubiquitous connectivity, the fact is

    that it doesn't really matter anymore where the end user is located. Wherever they are,

    these users need seamless access; and you need security. Opening a VPN tunnel can

    also be an excellent way to open your network to threats. This is another reason that

    consumer-grade access gear is ultimately not suited for use by teleworkers or branch

    offices. In addition to supporting corporate policy, look for a solution that gives you

    options to offload traffic from corporate. Another consideration, and a strong argument

    against the use of consumer grade equipment, is that for security policy to be effective,

    it must be consistent. That means that users in every remote circumstance should be

    subject to the same comprehensive security controls.


    Requirements: The ideal solution must be able to handle corporate policies of all kinds.

    In order to minimize traffic flow to headquarters, consider devices that enable you to

    whitelist some sites that you know and trust, and to scrub others through cloud-based solutions.

    Your branch/teleworker router must ensure security for all device types, including BYOD

    Business case: Today's user expects to be able to use their own mobile devices to get

    access to corporate assets and resources. It is important to realize that if mobile devices

    are connecting via a VPN tunnel, they are effectively inside the network, and so must be

    secured appropriately regardless of where they may be physically. Because BYOD is a

    somewhat recent trend, many enterprises are only now starting to equip their campus to

    handle it well. Because a VPN tunnel essentially puts a device on your network

    regardless of its physical location, extending BYOD capabilities to the

    teleworker/branch office must be considered.

    Requirements: The final device selected must be able to enforce corporate use and

    quality of service policies on end user devices in exactly the same fashion as they would

    if that user were walking around inside corporate headquarters. If corporate policy is to

    secure web traffic through application security and web scanning then these features are

    also required in the branch. The same holds true for any BYO device policies mandated

    by the corporation. Keeping corporate policy enforcement consistent regardless of the

    location of the end user is paramount to data loss prevention (DLP).

    Corporate features

    Your branch/teleworker router must provide high performance throughput

    Business case: Teleworkers and branch office staff are arguably more dependent on

    high bandwidth applications like voice or video than their corporate counterparts. Lower

    throughput or high latency solutions are simply not up to the task of handling these

    heavy applications. In addition, it is important for the administrator to be able to

    visualize problems with throughput as quickly as possible after they are reported, and to

    handle such problems centrally.

    Requirements: Branch office and teleworkers require access to the same applications

    that are in use in the corporate office. To support them, the access solution must be able

    to handle VOIP, video or other heavy traffic. In addition, the ability for the central IT staff

    to visualize throughput and other possible issues in real time in as much granularity as

    possible is essential for a good solution.

    Your branch/teleworker router must be seamlessly integrated with WLANs


    Business case: Since the advent of 802.11n, the concept of wireless as the primary

    access method has become increasingly prevalent. It is a key enabler of the BYOD

    phenomenon; in fact, many mobile devices don't even have an Ethernet port! Wireless access must be high performance and seamless to succeed in branch or teleworker

    environments.

    Requirements: 802.11n wireless connectivity is essential for a good teleworker/branch

    solution. The product should seamlessly accommodate a/b/g clients, and feature wired

    access as well. Make sure that wireless access has the same robust features that would

    be found in any strong corporate office, including security features, seamless failover to

    mesh, and more. This can be an argument against controller-based solutions, which are

    built around a single point of failure.

    Your branch/teleworker router must have a backup mechanism

    Business case: The unfortunate truth of any type of connection is that sometimes it fails.

    That is as true when looking at a WAN connection as in any other situation. The

    difference is that a small branch office often doesn't have an enterprise class SLA with a

    service provider in place, and the average teleworker certainly doesn't. In the case of

    WAN outage, the access solution must have a backup means to connect.

    Requirements: Ensure that any solution considered features a 3G/4G backup

    mechanism.

    Conclusion

    As enterprises continue to become more and more distributed and remote offices performing

    critical functions continue to shrink, reliable access to the central office and cloud applications,

    as well as secure Internet access for online applications and resources and support for BYO

    devices, is paramount. Changing the requirements from the beginning of a project to account for

    mobility and cloud technology trends is the key to successful branch office and remote

    teleworker deployments.

    A modern branch solution simplifies provisioning, management, monitoring, and troubleshooting

    for branch office deployments, even without technical resources onsite. Enterprises can achieve significant capital and operational savings while maintaining visibility into remote networks,

    meeting security objectives and compliance standards, and increasing productivity.


    For More Information

    Aerohive Branch on Demand solutions now make it easier and more cost-effective to implement

    wired and wireless access to corporate resources everywhere, from the home office to branch

    offices and teleworkers. For more information about the Branch on Demand solution, visit

    www.aerohive.com/solutions/applications/enterprise.html.

    About Aerohive

    Aerohive Networks reduces the cost and complexity of today's networks with cloud-enabled,

    distributed Wi-Fi and routing solutions for enterprises and medium sized

    companies including branch offices and teleworkers. Aerohive's award-winning

    cooperative control Wi-Fi architecture, public or private cloud-enabled network

    management, routing and VPN solutions eliminate costly controllers and single points of

    failure. This gives its customers mission critical reliability with granular security and policy

    enforcement and the ability to start small and expand without limitations. Aerohive was

    founded in 2006 and is headquartered in Sunnyvale, Calif. The company's investors

    include Kleiner Perkins Caufield & Byers, Lightspeed Venture Partners, Northern Light

    Venture Capital and New Enterprise Associates, Inc. (NEA).

    Corporate Headquarters

    Aerohive Networks, Inc.

    330 Gibraltar Drive

    Sunnyvale, California 94089 USA

    Phone: 408.510.6100

    Toll Free: 1.866.918.9918

    Fax: 408.510.6199


    www.aerohive.com

    EMEA Headquarters

    Aerohive Networks Europe LTD

    Sequel House

    The Hart

    Surrey, UK GU9 7HW

    +44 (0)1252 736590

    Fax: +44 (0) 1252711901

    BG-BR-1206002