2012-2013 Branch Router Buyer’s Guide
The definitive guide for evaluating branch networks

Copyright ©2013, Aerohive Networks, Inc.


Introduction

Today’s enterprise IT department faces a number of conflicting trends. On the one hand, they must be flexible and agile enough to change as the business that they support changes. This flexibility goes beyond simply facilitating user access from the corporate LAN; needs are changing every day, as more and more businesses become decentralized and as users demand the ability to work from any place, at any time. These trends are transforming work from a place that users go to a thing that users do.

Another trend that requires flexibility and elasticity from the corporate network infrastructure is that of Bring Your Own Device, or BYOD, in which the dispersed user population uses their own mobile devices to access corporate networks. Both the drive to smaller, local branch offices/teleworking and the BYOD model can introduce significant savings to the enterprise, in the form of reduced real estate costs and capital expenditures. These trends can also improve productivity and response time, as well as increase employee and customer satisfaction.

As the enterprise becomes decentralized, however, it faces an opposing challenge. As users become increasingly remote and mobile, they still require the same access experience that they would have on the corporate LAN. Because cloud and mobility technology trends now enable mission critical work to be accomplished anywhere, the overall security profile of remote connections must be identical to what these users would experience at corporate headquarters, regardless of their physical location. And to make matters more complicated, this level of security must be constant whether the device being used to access resources has been issued and managed by corporate IT (company issued) or is user-owned (BYOD). In order for the enterprise to realize the significant benefits posed by decentralized branches running mission critical applications on consumer devices, a new model designed from the ground up with simplicity, elasticity, and user-centricity is required. The goal of this model is to ensure that regardless of where the user is or what they are doing (user context), their security and experience with their work product is the same as if they were working on the corporate LAN. And this model must be enabled without overwhelming IT with the complexity that is introduced when retrofitting legacy branch architectures with these new requirements.


Table of Contents

Issues with legacy branch network models
    More local users; more and smaller branches
    More devices must be supported, including BYOD
Things To Consider
    Cost considerations
        Consumer level gear is cost effective but not enterprise class
        Enterprise-class equipment is too costly
Key Requirements
    Architectural Considerations
10 things a branch solution must do
    Deployment, installation and maintenance
    Cost
    Security
    Corporate features
Conclusion


Issues with legacy branch network models

More local users; more and smaller branches

Today’s enterprise must cope with the issues of provisioning branches and teleworkers in an efficient way. In many respects, the reason is similar to that which drove high performance, highly reliable WLANs; these networks are no longer convenience networks. Users at these branch offices expect the same level of access that they would get at corporate HQ.

The issue facing the modern “branch” is that while requiring access to corporate resources at a level never before seen, branches are actually shrinking in size. This breaks the return on investment (ROI) model used in legacy branch office network planning, which typically estimates the size of the office and then provides a level of service to the office that is proportional to the number of users in that office. Before the productivity enhancements delivered by cloud computing and mobility, it was fairly easy to say that if an office had more users then it must be producing more, and therefore would require more support from IT. Such incremental adjustments were easily justified. This legacy idea falls apart in the modern branch, as some of the most critical interaction – taking payment from a customer, remote executives making critical decisions, remote care in a hospital setting – is happening in the smallest office. Just because there are fewer than 5 people in an office no longer means that office is too small to justify a high-functioning, secure network. Every office today must have robust, secure access, regardless of size. High performance is required everywhere, including the branch office.

More devices must be supported, including BYOD

Today’s trend toward employee owned devices cannot be ignored. In a remote branch or teleworker environment, such devices also cannot be physically monitored. What is most significant about this model from a support and architectural standpoint is not only the volume of data these devices will consume (although this is something that needs to be planned for), but rather the fact that nearly half of all companies (48.4%) are allowing or requiring a “bring your own device” (BYOD) model for at least some groups of users. They may have employees paying for devices, or have a combination of employee- and company-paid models [1].

[1] Nemertes Research, The Ultralight Branch


As users become increasingly remote from the corporate office, some requirements remain consistent. The network must still perform like the corporate LAN, even if the office houses only a few users. While this requirement is not necessarily a user mandate, many of today’s heavyweight applications, such as VoIP, depend upon this level of performance in order to function. According to industry analyst Nemertes, 94% of organizations are deploying VoIP now or planning to by 2012, and nearly three-quarters have deployed or will roll out Unified Communications. About two-thirds of these organizations are also deploying or planning to deploy softphones. More than half plan to deploy desktop video conferencing. 52.3% of enterprises are deploying virtual desktops, or are projected to be doing so by 2012. A significant portion of these users are telecommuters [2]. In a legacy deployment that features multiple devices, the required network elements may also compete to apply quality of service (QoS), security, and network policy. This results in a less-efficient network and more complexity, which creates more points for administrative error. And, of course, there is always the fact that the larger the number of devices deployed in the network, the greater the chance that the configurations themselves may hamper performance. Voice and video configurations, for example, could easily be crippled by security considerations.

Things To Consider

Cost considerations

Consumer level gear is cost effective but not enterprise class

When faced with the task and the cost of provisioning small remote offices or teleworkers, many enterprises will naturally consider that, based on the size of deployment, consumer networking gear may suffice. The price point can be compelling, and the devices themselves are typically built to be deployed by a non-IT end user. Unfortunately, such products are usually unsuited for branch use, even if there is only a single teleworker in each location. Even if the end user count is small, the corporate information being accessed is the same material that would be accessed in the head office. The same applications found on the corporate LAN must work in the branch, particularly if the user is housed remotely to boost efficiency. The same security policies must be enforced at all remote locations. This is a particularly thorny issue given the rise of the BYOD model, since these devices over which IT has little or no control are being invited onto the company WLAN. The network deployed at the remote location must have the flexibility and capability to deal with BYOD at the same level as that housed in the corporate headquarters, making a consumer device far too limiting. Management of the branch device, one of the main differentiations between “enterprise class” and “consumer”, is also a key issue to consider.

[2] Nemertes Research, The Ultralight Branch


While the capital expense is low, the need to configure every consumer device individually in the face of an ever-increasing number of locations can lead to tremendous management and support costs.

Enterprise-class equipment is too costly

Even entry-level network devices geared toward the enterprise are probably going to be too costly to roll out in significant numbers, particularly to users like teleworkers. And the costs are not only in the capex column; in fact, in most small office deployments, hardware purchase is only about 20% of the overall cost of the solution. The remaining 80% comes from the ongoing operating expenses, including:

• Provisioning
• Deployment
• Management
• Upgrades

These steps require a significant amount of time and expertise to go through. In most cases, provisioning remote office connectivity and VPN includes:

1. Headquarters IT receives equipment. Devices typically begin deployment with central IT, due to the complexity of setup.

2. Headquarters IT spends a significant amount of time preparing an IP address plan for many small offices that are going to be connected to the IP network. IT then employs a system specifically designed to manage those addresses in the face of ever-expanding remote office locations.

3. Headquarters IT sets up basic configuration. This includes a console connection to the device, and setup of parameters that include:

   a. WAN IP Addressing
   b. LAN IP Addressing
   c. DHCP Setup
   d. DNS Addressing

4. Installation onsite. Once the equipment is configured, it typically requires a technician to travel to the branch to perform initial setup.

5. Connect devices and complete configuration. This step includes the setup of:
   a. IPSec tunnels
   b. Firewalls
   c. SSIDs, if wireless access is to be provisioned

After the equipment is delivered and deployed at the branch or teleworker location, it must be tested. Each step in this process is prone to human errors, which are notoriously difficult to catch. Because most branch deployments, particularly microbranches and teleworker deployments, do not have onsite IT staff, any changes in the network lead directly to helpdesk calls. This can make simple branch connectivity one of the most expensive propositions that an enterprise will face.

Key Requirements

The fact is that the trend toward more and more highly dispersed workforces is not going to go away. Successful enterprises will embrace this new model, and find new ways to accommodate the issues it poses. In the next section, you’ll discover questions to pose to prospective vendors to ensure that your next round of remote/teleworker deployments is as cost effective as possible.

Architectural Considerations

Legacy branch networks are often thought of and deployed in a hub-and-spoke model. This model sends all traffic back to the corporate office via an encrypted tunnel, then off to the resources required. Significant latency can result, but if your goal was to ensure security, there may not have been another way to handle the issue short of taking your chances with a portion of your corporate traffic. In the modern branch office, even for micro-branches and teleworkers, having applications operate faster and with more efficiency and reliability will directly lead to greater productivity from the remote employee. Eliminating this latency while maintaining the security profile and policy enforcement is a key consideration when working through how your branch office network will be architected.

Decentralizing the functions of the branch while leveraging cloud technology can vastly increase the performance and reliability of branch connectivity without compromising integrity of the data or reducing the productivity of the end user. Cloud services should be considered for “on-demand” services. Using the cloud allows security and policy enforcement to occur closer to the end user and can vastly increase the performance and reliability of the network services. If your users are sending encrypted traffic to a trusted host, such as Salesforce.com, you should be able to whitelist this traffic. If you are concerned about web traffic, you can ensure security here by routing it through a cloud-based security service, such as Websense or Barracuda Online. Decentralizing the branch office architecture and leveraging cloud services provides many advantages to the modern branch architecture.

Additionally, by leveraging the cloud to off-load compute intensive security functions, such as Layer 7 application security and scanning, you can dramatically reduce the cost and complexity of a highly secure branch office. Legacy branch office architectures require expensive, multi-function devices to manage the remote users but leveraging the cloud can allow the same services to be executed in a dramatically smaller branch.
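As an added example (not Aerohive’s code and not from this guide), the following Python models the forwarding decision the two preceding paragraphs describe: traffic to a trusted SaaS host bypasses the tunnel, other web traffic is steered to a cloud security service, and everything else stays in the IPsec tunnel to headquarters. The address ranges, ports, device classes and the rule set are constructed placeholders; the security-relevant parts are the rule ordering and the fail-closed default.

```python
"""Split-tunnel flow policy for a decentralized branch router.

Added example, not Aerohive code. The rules below are a constructed policy;
the prefixes are documentation ranges, not real Salesforce.com or corporate
addresses. In production the whitelist must come from a maintained source and,
where possible, match on more than a bare destination IP.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Actions a branch router can apply to a flow.
DIRECT = "direct"            # bypass the tunnel, straight to the Internet
CLOUD_SCRUB = "cloud_scrub"  # steer through the cloud web-security service
TUNNEL = "tunnel"            # IPsec back to headquarters
DROP = "drop"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str         # "tcp" or "udp"
    device_class: str  # "corporate" (IT-managed) or "byod"


@dataclass(frozen=True)
class Rule:
    action: str
    dst_nets: Optional[List[str]] = None    # CIDRs; None matches any destination
    dst_ports: Optional[List[int]] = None   # None matches any port
    protos: Optional[List[str]] = None      # None matches any protocol
    device_classes: Optional[List[str]] = None

    def matches(self, flow: Flow) -> bool:
        if self.dst_nets is not None:
            dst = ipaddress.ip_address(flow.dst_ip)
            if not any(dst in ipaddress.ip_network(n) for n in self.dst_nets):
                return False
        if self.dst_ports is not None and flow.dst_port not in self.dst_ports:
            return False
        if self.protos is not None and flow.proto not in self.protos:
            return False
        if self.device_classes is not None and flow.device_class not in self.device_classes:
            return False
        return True


def classify(flow: Flow, rules: List[Rule], default: str = TUNNEL) -> str:
    """First-match evaluation. The default is TUNNEL, not DIRECT: a flow no
    rule recognises is inspected at headquarters rather than leaking out."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


CORP_NETS = ["10.0.0.0/8"]               # placeholder corporate address space
TRUSTED_SAAS_NETS = ["203.0.113.0/24"]   # TEST-NET-3, stands in for the SaaS provider

BRANCH_POLICY = [
    # Corporate prefixes always ride the tunnel, before any whitelist applies,
    # so a whitelist entry can never accidentally shadow internal addresses.
    Rule(TUNNEL, dst_nets=CORP_NETS),
    # Trusted SaaS over TLS only, and only from company-managed devices.
    Rule(DIRECT, dst_nets=TRUSTED_SAAS_NETS, dst_ports=[443], protos=["tcp"],
         device_classes=["corporate"]),
    # Remaining web traffic from any device goes through the cloud scrubber.
    Rule(CLOUD_SCRUB, dst_ports=[80, 443], protos=["tcp"]),
    # BYOD devices get nothing else: no arbitrary ports out of the branch.
    Rule(DROP, device_classes=["byod"]),
]


if __name__ == "__main__":
    # Constructed sample flows from a branch LAN.
    samples = [
        Flow("192.168.1.10", "10.1.2.3", 445, "tcp", "corporate"),
        Flow("192.168.1.10", "203.0.113.10", 443, "tcp", "corporate"),
        Flow("192.168.1.11", "203.0.113.10", 443, "tcp", "byod"),
        Flow("192.168.1.11", "198.51.100.5", 22, "tcp", "byod"),
    ]
    for f in samples:
        print(f.device_class, f.dst_ip, f.dst_port, "->", classify(f, BRANCH_POLICY))
```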


Another vestigial remnant of legacy branch architectures and their “hub-and-spoke” mentality is the assumption that VPN termination requires a “big iron” device to handle sessions. One way around this issue is virtualization. First, consider where your VPN sessions are terminating today. Likely it is in a large device in your datacenter, but that doesn’t need to be the case. Instead of putting this service into a device that has to be maintained and added to over time, your needs may be handled well with a virtual VPN Gateway. This approach enables you to determine what type of hardware the service runs on, as well as how you would like to upgrade it as you add more users.

One thing in a branch network must be centralized, however, and that is management. Ideally, you should look for a simple, centralized management system that enables you to see and modify configurations in any branch network in real time, through a “single pane of glass.” Such a system should also allow you to make changes or respond to user issues via a centralized monitor.

10 things a branch solution must do

Selection of a branch connectivity solution will typically fall into 4 categories:

• Deployment, installation and maintenance, which includes the initial setup and deployment, as well as the day-to-day issues of management
• Cost, which includes the price of the hardware and operating expenses
• Security, which must consider the security of both the end user and the enterprise
• Integration into corporate infrastructure, which pertains to how easily the branch deployment is incorporated into the overall enterprise architecture

Deployment, installation and maintenance

Your branch/teleworker router must be easy for a non-technical user to deploy

• Business case: The number of employees that telework continues to grow. According to WorldAtWork [3], the total number of people who worked from home or remotely for an entire day at least once a month in 2010 was 26.2 million. The study notes that this figure represents nearly 20% of the U.S. working adult population. Clearly, a truck roll for every individual is unworkable. The situation is similar in small, localized branches, where there is unlikely to be a resident IT staffer.

[3] Telework 2011 - A WorldatWork Special Report

• Requirements: The enterprise branch/telework access solution must be one that is easy for an average user to install on their own, without having to call IT. The solution should not assume that the end user knows anything about networks, or that they will understand any kind of technical jargon. Ideally, the solution should be as close as possible to “plug-and-play.”

Your branch/teleworker router must be easy for IT to manage, maintain and upgrade

• Business case: If the enterprise is committed to branches and teleworking, then these remote nodes must be capable of being centrally managed. This model is the only way to ensure that corporate policy, security, and privacy are maintained. This is a strong argument for a standardized solution, and another area in which seemingly affordable consumer offerings fall short. As the enterprise maintains and upgrades software and policies, it is essential that branch/teleworker access devices can stay in step.

• Requirements: Once IT has established a base configuration, the branch/teleworker access device should be capable of adhering to that config without any user intervention. Management of all branch/teleworker access devices must be centralized; ideally, they should be viewable on a single screen. Upgrades must be simple to enact, and involve only very minimal, non-technical end user participation.

Your branch/teleworker router must facilitate easy troubleshooting

• Business case: When something in the access solution isn’t working, the enterprise is immediately losing productivity from the remote worker or branch. When the user has to place a call to IT to rectify the problem, productivity suffers still more. This situation is compounded when the end user is not technical, since IT may have to explain not only what the user should do, but what each troubleshooting step actually means.

• Requirements: If the enterprise is going to support teleworkers and branch offices, they must be prepared to step in when things go wrong. The ideal solution will give IT staff in headquarters an overall view of the remote network with the ability to monitor based on a Service Level Agreement (SLA); after all, if a problem is fixed before the user notices that it exists, productivity stays high and everyone is happier. Central visibility is a key element to achieving this requirement.

Cost

Your branch/teleworker router must feature reasonable capex

• Business case: The move toward teleworking and regional branches has evolved to better support customers and reduce real estate costs while enhancing employee productivity and satisfaction. If the equipment required to enable these gains is very expensive, however, the proposition looks less appealing. Another consideration is that smaller branches and teleworkers may need to set up and take down a connection very quickly. The base cost of the equipment should not be a barrier to entry. Finally, consider where VPN tunnels back to corporate are terminated. Do you need to invest in expensive hardware?

• Requirements: In order to retain the “balance sheet appeal” of the branch/teleworker model, the capital expenditures to set such users up must be appealing. Keep in mind that as remote users come and go, the enterprise may well be stuck with obsolete access gear that has quickly outlived its useful life. Lower capex must be achieved while satisfying other requirements as well.

Your branch/teleworker router must minimize operating expense

• Business case: While minimizing capital expenditures is generally a compelling argument for consumer-grade devices, the fact is that the operating expenses incurred in supporting these devices will quickly outweigh any benefit. Individual consumer devices cannot be centrally monitored, configured, maintained or upgraded.

• Requirements: The ideal branch/teleworker access solution must be centrally managed, to ensure compliance with corporate policy. Consideration must be given to the cost of the central management platform, as well. Ideally access to the platform can be provided through an advanced web application interface from a public or private cloud. This allows problem remediation from anywhere, anytime. Remember, while the management is centralized, all of the policy enforcement needs to be distributed to optimize network performance and end user productivity.

Security

Your branch/teleworker router must feature enterprise class security

• Business case: Given the trends toward mobility and ubiquitous connectivity, the fact is that it doesn’t really matter anymore where the end user is located. Wherever they are, these users need seamless access; and you need security. Opening a VPN tunnel can also be an excellent way to open your network to threats. This is another reason that consumer-grade access gear is ultimately not suited for use by teleworkers or branch offices. In addition to supporting corporate policy, look for a solution that gives you options to offload traffic from corporate. Another consideration – and a strong argument against the use of consumer grade equipment – is that for security policy to be effective, it must be consistent. That means that users in every remote circumstance should be subject to the same comprehensive security controls.


• Requirements: The ideal solution must be able to handle corporate policies of all kinds. In order to minimize traffic flow to headquarters, consider devices that enable you to whitelist some sites that you know and trust, and to “scrub” others through cloud-based solutions.

Your branch/teleworker router must ensure security for all device types, including BYOD

• Business case: Today’s user expects to be able to use their own mobile devices to get access to corporate assets and resources. It is important to realize that if mobile devices are connecting via a VPN tunnel, they are effectively inside the network, and so must be secured appropriately regardless of where they may be physically. Because BYOD is a somewhat recent trend, many enterprises are only now starting to equip their campus to handle it well. Because a VPN tunnel essentially puts a device on your network regardless of its physical location, extending BYOD capabilities to teleworker/branch offices must be considered.

• Requirements: The final device selected must be able to enforce corporate use and quality of service policies on end user devices in exactly the same fashion as they would if that user were walking around inside corporate headquarters. If corporate policy is to secure web traffic through application security and web scanning, then these features are also required in the branch. The same holds true for any BYO device policies mandated by the corporation. Keeping corporate policy enforcement consistent regardless of the location of the end user is paramount to data loss prevention (DLP).

Corporate features

Your branch/teleworker router must provide high performance throughput

• Business case: Teleworkers and branch office staff are arguably more dependent on high bandwidth applications like voice or video than their corporate counterparts. Lower throughput or high latency solutions are simply not up to the task of handling these “heavy” applications. In addition, it is important for the administrator to be able to visualize problems with throughput as quickly as possible after they are reported, and to handle such problems centrally.

• Requirements: Branch office and teleworkers require access to the same applications that are in use in the corporate office. To support them, the access solution must be able to handle VoIP, video or other heavy traffic. In addition, the ability for the central IT staff to visualize throughput and other possible issues in real time – in as much granularity as possible – is essential for a good solution.

Your branch/teleworker router must be seamlessly integrated with WLANs


• Business case: Since the advent of 802.11n, the concept of wireless as the primary access method has become increasingly prevalent. It is a key enabler of the BYOD phenomenon; in fact, many mobile devices don’t even have an Ethernet port! Wireless access must be high performance and seamless to succeed in branch or teleworker environments.

• Requirements: 802.11n wireless connectivity is essential for a good teleworker/branch solution. The product should seamlessly accommodate a/b/g clients, and feature wired access as well. Make sure that wireless access has the same robust features that would be found in any strong corporate office, including security features, seamless failover to mesh, and more. This can be an argument against controller-based solutions, which are built around a single point of failure.

Your branch/teleworker router must have a backup mechanism

• Business case: The unfortunate truth of any type of connection is that sometimes it fails. That is as true when looking at a WAN connection as in any other situation. The difference is that a small branch office often doesn’t have an enterprise class SLA with a service provider in place, and the average teleworker certainly doesn’t. In the case of a WAN outage, the access solution must have a backup means to connect.

• Requirements: Ensure that any solution considered features a 3G/4G backup mechanism.

Conclusion

As enterprises continue to become more and more distributed, and remote offices performing critical functions continue to shrink, reliable access to the central office and cloud applications, as well as secure Internet access for online applications and resources and support for BYO devices, is paramount. Changing the requirements from the beginning of a project to account for mobility and cloud technology trends is the key to successful branch office and remote teleworker deployments.

A modern branch solution simplifies provisioning, management, monitoring, and troubleshooting for branch office deployments, even without technical resources onsite. Enterprises can achieve significant capital and operational savings while maintaining visibility into remote networks, meeting security objectives and compliance standards, and increasing productivity.


For More Information

Aerohive Branch on Demand solutions now make it easier and more cost-effective to implement wired and wireless access to corporate resources everywhere—from the home office to branch offices and teleworkers. For more information about the Branch on Demand solution, visit www.aerohive.com/solutions/applications/enterprise.html.

About Aerohive

Aerohive Networks reduces the cost and complexity of today’s networks with cloud-enabled, distributed Wi-Fi and routing solutions for enterprises and medium sized companies including branch offices and teleworkers. Aerohive’s award-winning cooperative control Wi-Fi architecture, public or private cloud-enabled network management, routing and VPN solutions eliminate costly controllers and single points of failure. This gives its customers mission critical reliability with granular security and policy enforcement and the ability to start small and expand without limitations. Aerohive was founded in 2006 and is headquartered in Sunnyvale, Calif. The company’s investors include Kleiner Perkins Caufield & Byers, Lightspeed Venture Partners, Northern Light Venture Capital and New Enterprise Associates, Inc. (NEA).

Corporate Headquarters
Aerohive Networks, Inc.
330 Gibraltar Drive
Sunnyvale, California 94089 USA
Phone: 408.510.6100
Toll Free: 1.866.918.9918
Fax: 408.510.6199
[email protected]
www.aerohive.com

EMEA Headquarters
Aerohive Networks Europe LTD
Sequel House
The Hart
Surrey, UK GU9 7HW
+44 (0)1252 736590
Fax: +44 (0) 1252711901

BG-BR-1206002