sd-wan: is this a secure line? -...

$: SD-WAN: IS THIS A SECURE LINE? - Bitpipedocs.media.bitpipe.com/io_13x/io_130172/item_1300174/Network...BUILDING THE INFRASTRUCTURE TO ENABLE THE CHANGING FACE OF IT MARCH 2016 \ VOL$
BUILDING THE INFRASTRUCTURE TO ENABLE THE CHANGING FACE OF IT

M A R C H 2 0 1 6 \ V O L . 7 \ N 0 . 2

T H E S U B N ET

Plug and Pray: Network Supports Growing Church

D R O P P E D P A C K ET S

WAN Optimization Sounds Great, Until It Doesn’t Work

I N F O G R A P H I C S

Pulse Check

C L O U D U C

Cloud Becomes Cisco and Microsoft’s UC Battleground

B E A C O N S

Bringing Home the Beacon

N ET W O R K I N N O VAT I O N AWA R D

Tempered Networks: HIPswitch

I N F O G R A P H I C S

Data Mine

E D I T O R’ S D E S K

MPLS: Security Blanket or Blanket Security?

kk

kk

kk

kkSD-WAN: IS THIS A SECURE LINE?

Who doesn’t love the Internet? It’s cheap, fast and full of cat videos. But enterprises have

long found it too risky for the branch office. Now SD-

WAN offers a solution.

2 N E T W O R K E V O L U T I O N, M A R C H 2 0 1 6

subnet and packets: slug is blue and bold

edit name is sidebar color

delete the “XX” part on ed letter

SD -WAN DATA MINE CLOUD UC PULSE CHECK BEACONSTEMPERED NETWORKS

DROPPED PACKETS THE SUBNET

When the

Internet seems

like a scary

place, some-

times you just

want to snuggle

up with some

multiprotocol

label switching.

EDITOR’S DESK | JESSICA SCARPATI

MPLS: Security Blanket or Blanket Security?

We all have security blankets: items that bring us comfort. By the time we reach adulthood, how-ever, they usually aren’t actual blankets or stuffed animals anymore—well, barring the 35% of British adults who reportedly still sleep with a teddy bear.

Grown-up security blankets often take the form of beloved ratty T-shirts or chipped coffee mugs. You don’t need them, but you’ve developed an emotional attachment to them, and the thought of having to get rid of them is frightening.

In enterprises around the world, however, the threads are beginning to unravel in one of IT’s most expensive security blankets: dependency on MPLS in the wide area network (WAN). Networking pros have grown frustrated with the high costs, inflex-ibility and long provisioning times for an MPLS connection. It becomes a harder pill to swallow as speeds and reliability continue to go up—while costs go down—on commercial Internet services.

Although the Internet doesn’t come with a ser-vice-level agreement promising five 9s uptime, the emergence of software-defined WAN (SD-WAN) is changing the equation. But what about security? How could anyone possibly be OK with sending sensitive corporate data directly over the Internet? These are some of the questions we asked in our cover story in this issue (“SD-WAN Underpins Hy-brid WAN Security”). The answers—and who they come from—may surprise you.

Also in this issue, find out what the ongoing battle between Cisco and Microsoft in the collaboration market means for your enterprise (“Cloud Becomes Cisco and Microsoft’s UC Battleground”), as well as what you need to know about Bluetooth beacons (“Bringing Home the Beacon”). n

JESSICA SCARPATIFeatures and E-zine Editor, Networking Media Group

http://www.upi.com/Odd_News/2012/02/21/35-percent-of-British-adults-sleep-with-bear/49791329806031/

http://searchnetworking.techtarget.com/feature/The-WAN-connection-waiting-game-Engineers-long-for-faster-provisioning

http://searchcio.techtarget.com/definition/99999

http://searchsdn.techtarget.com/feature/SD-What-Understanding-SD-WAN


feature 1 yellowfeature 2 magentafeature 3 cyan

on turn pages of features the color of the rules match the opener color

hard return after each line of deck.

two body text returns above first paragraph



Ω For all the gripes network engineers have about MPLS, one point of contention remains: Connecting a branch directly to the Internet just doesn’t feel safe. But in the age of SD-WAN, is that even true?

Scott Smith got one of those rare opportuni-ties that most network engineers can only dream about—the chance to completely redesign his com-pany’s legacy branch architecture.

All 3,000 branches belonging to the financial ser-vices company he works for had routed its wide area network traffic over MPLS. An Internet connection was available as a backup, but only as a break-glass-in-case-of-emergency alternative if the MPLS link went down. While it met the company’s strict secu-rity requirements, it was expensive to maintain.

BY JESSICA SCARPATI

CREDIT: ID -WORK/ISTOCK

SD-WAN

SD-WAN Underpins Hybrid WAN Security

BY JESSICA SCARPATI


As Smith and his team worked on how they could make their wide area network (WAN) more effi-cient without increasing their reliance on MPLS, software-defined WAN (SD-WAN) caught their at-tention. This new technology enables enterprises to create hybrid networks that aggregate multiple access technologies, including commercial Internet services, and dynamically route traffic across the best one depending on real-time availability and performance, or other custom policies.

After running lab tests and a small pilot in their production network with startup Viptela’s SD-WAN platform, Smith and his team were sold. They are now in the process of rolling it out to all of their

branches, deploying it with a mix of MPLS, broadband and wireless LTE connectivity at every location.

But for a company with six million customers, that’s a lot of sensitive data flying around the Internet. How can an IT team in banking, of all indus-tries, be on board with that? Many other network engineers

eyeing hybrid WAN architectures are asking them-selves the same question: It can’t be as safe as run-ning everything on MPLS, right?

Although not as robust as a dedicated security appliance, SD-WAN platforms come with enough security features to finally make hybrid networks secure enough for widespread use, according to ex-perts and early adopters.

All of Smith’s WAN traffic goes through end-to-end encrypted tunnels—a feature he says was nonnegotiable when redesigning his branch archi-tecture—and a third party validated the platform’s security in a penetration test.

“Broadband is kind of the Wild West, but we’re doing what we can to ensure the integrity of our data over that transport,” says Smith, an infrastructure engineer who spoke on the condition his company wasn’t identified.

“It’s a different way to think about it. MPLS was always deemed safer,” he adds. “No one was us-ing encryption originally over that, and then they started putting encryption on it. Once you start do-ing that over broadband and everything else, you start thinking, ‘Well, I guess it doesn’t really mat-ter what transport medium I’m actually using if

18%of IT pros worldwide believe virtualized networking poses the biggest security

risk in their data centers.SOURCE: “JANUARY 2016 CYBERSECURITY SNAPSHOT:

GLOBAL RESULTS,” ISACA, N=2,792




I’m encrypted and tunneling end to end. It’s just bandwidth.’”

Most of the hype around SD-WAN has been about its ability to boost WAN performance, availability and cost savings by simplifying the way hybrid net-works are deployed and managed. Without these platforms, engineering a hybrid WAN from scratch was just too difficult for most enterprises, according to Andrew Lerner, a research director at Gartner. Security wasn’t much of a consideration until SD-WAN made hybrid WANs practical.

“SD-WAN is an enabling technology that can ac-tually expose the security problems associated with moving to a hybrid WAN,” Lerner says. “It enables you to do something that was very difficult to do be-fore, which opens up the opportunity to address a security issue that was masked because it just wasn’t possible.”

SD-WAN vendors deliver their security features through an on-premises appliance or a cloud-based security service, often providing the latter via third parties like Websense or Zscaler. But unless you’re sending top-secret government files or high-value monetary transfers, that approach is probably good enough, Lerner says.

“While the conventional wisdom says [the Inter-net] may be less secure, the reality is that it’s secure enough for nearly all enterprises to use, provided they put appropriate levels of encryption on their traffic,” he says.

ON THE SAFE SIDEA voice and data manager at a regional bank in New England, who requested only his initials, D.V., be used due to security concerns, was looking for a way to affordably improve the performance of his WAN last year. Nearly all of the bank’s 100 branches used MPLS as the primary means of connectivity, with commercial Internet as a backup. But the amount of data traversing the WAN continued to grow, and the performance gains from his Riverbed Steelhead WAN optimization appliances were maxed out. Beefing up those private circuits with more band-width, however, was cost-prohibitive.

SD-WAN looked like the solution, but was he wor-ried about security? Did it seem too risky?

“Oh, God, yes,” D.V. says. “Security is networking. I object to the whole idea that security is separate. If you can’t do networking, then you have no business






in security, frankly—and to some extent, the reverse is true. We have a very conservative security pos-ture. We always have an auditor somewhere in my network trying to poke around and get at things, so we were certainly concerned about the security of the solution.”

After evaluating SD-WAN platforms from Cisco,

FatPipe Networks, Ipanema Technologies and Ta-lari Networks, he was most impressed with Talari’s packet-based approach to securing hybrid networks, as opposed to flow-based models from vendors like Ipanema.

D.V. tested Talari in his lab and performed some packet captures to see if the product lived up to its promises. As far as he could tell, it did. An auditor validated those findings with a penetration test. As of last December, the platform is deployed at all of the bank’s locations.

“I was probably convinced as soon as I’d done my initial analysis. I have a strong security background, but I don’t think I knew it was going to fly until I saw the report from our third-party vendor who did the pen test,” D.V. says. “It’s not just me or my col-leagues. It’s someone else saying, ‘Yes, this is OK.’ At that point, you can go up to the information security group and say, ‘Here you go.’”

Although the public Internet always carries some risk, the reality is that MPLS is also a shared me-dium. The protections SD-WAN platforms provide put the two on level ground, D.V. says.

“The irony of an MPLS circuit is that the secu-rity is VLANs—that’s all it is. You have your traffic

Security ranks high on SD-WAN needsWhat characteristics of SD-WAN are most important to you?

SOURCE: “MANAGING TOMORROW’S NETWORKS: THE IMPACTS OF SDN AND NETWORK VIRTUALIZATION ON NETWORK MANAGEMENT,” ENTERPRISE MANAGEMENT ASSOCIATES, DECEMBER 2015, N=150. RESPONDENTS COULD SELECT MUL-TIPLE ANSWERS.

Cloud-based network and

security services

Centrally programmable

network

Hybrid WAN transport

Virtual customer premises

equipment

Application-centric traffic engineering

50%

40%

30%

20%

10%

0%

45%

37%33% 31%

27%




marked and put into a special VLAN, so it’s running over the same pipe as everyone else’s MPLS circuit,” he says. “It’s not a physical layer of security. There’s no special inspection that a firewall might throw in, or an IDS or IPS. None of that is present in an SD-WAN solution, but none of that’s really present in an MPLS solution unless you choose to put it in.”

The idea that anything but an MPLS-only archi-tecture is laden with risk is a tough misconception to overcome among enterprises with more conser-vative cultures, says Tim Coats, director of applied innovation at Trace3, a large systems integrator and reseller based in Irvine, Calif., that designs SD-WAN

implementations using prod-ucts from Cisco, CloudGenix and VeloCloud.

“We often hear, ‘I want the cost breaks of the Internet, but that opens up a whole new set of security worries for me and I get scared,’” Coats says. “We have huge companies [as cli-ents] that are very risk-averse and favor traditional MPLS. We try to work with them to help

them understand that using the Internet is fine, as long as it’s used correctly—and a hybrid approach is usually the best approach.”

BALANCING REQUIREMENTSIt’s all about striking a balance, says D.V. His Talari units can support the strongest encryption stan-dard, AES-256, and the bank’s auditors would prefer he enable it. But he noticed the standard made his network performance suffer, so he’s using AES-128 until the next generation of hardware resolves the issue.

“Neither one is crackable at this point. It’s more about what a security auditor wants. The security auditor is always going to say, ‘Put a belt and sus-penders on. I want everything you can possibly give me,’ but that’s their job,” D.V. says. “It’s not always reasonable, though.”

Smith, the infrastructure engineer using Viptela, runs most internal traffic—not just guest Wi-Fi—over his hybrid networks without much worry. Still, some highly sensitive data only traverses MPLS, and the SD-WAN platform enables him to separate that out at a granular level. He can define traffic

“Using the Internet is fine, as long as it’s used correctly—

and a hybrid approach is usually the best approach.”

—Tim Coats, director of applied

innovation, Trace3




engineering policies not only according to certain applications, but also to individual features within a given application.

“We are still utilizing MPLS, and within the finan-cial sector, I don’t see that going away. There are just too many requirements,” Smith says. “But I think with the use of IPsec tunneling and other security features offered through our SD-WAN solution, and how easy it is to manage, we are able to say, ‘We identify the risks, but now we have better, more pro-active ways of mitigating those threats and vulner-abilities as they arise.’”

While SD-WAN helps close the security gap for most enterprises, Gartner’s Lerner cautions that it may not be the right strategy for ev-eryone, depending on branch requirements.

“If you want to deploy a Swiss Army Knife gateway in your branches—meaning, ‘I want a box that does wireless, that is a server, that does WAN opti-mization, firewalling and call management’—that’s not what

SD-WAN is,” Lerner says. “What I will say, though, is that the majority of enterprises I speak with can get away without applying that fully rich, deep feature set at a given set of branch locations.”

SECURITY MADE EASYIn fact, early adopters of SD-WAN like Smith and D.V. say their WANs are more secure now than ever.

“With a legacy solution, you’d have to worry about the overhead with maintaining numerous secu-rity components, such as certificate servers, PKI, DMVPN, VRF segmentation, GDOI key servers for GETVPN, and key and certificate rotation and expi-ration, along with many other components in your security stack,” Smith says. “It’s not hard when you have a small environment, but once you start scal-ing to a large enterprise and above, that’s when you need people just to manage your security environ-ment for networking.”

The Viptela console simplifies that for adminis-trators by automating those changes, he explains.

“I don’t want to sound cheesy, but they make se-curity easy,” Smith says. “From a learning curve per-spective, they’re not introducing anything that’s a

“We are able to say, ‘We identify the risks, but now

we have better, more pro active ways of mitigating those

threats and vulner abilities as they arise.’”

—Scott Smith, infrastructure engineer




completely new, revolutionary technology. They’re taking stuff that already exists but doing it a lot more efficiently. It wasn’t like I had to sit down with a textbook for a month to figure out what they heck they’re doing.”

At Trace3, the California-based systems inte-grator, SD-WAN is wrapped into a package it calls Connected Business Experience, which helps enter-prises re-architect branch offices to support initia-tives like mobility, cloud and the Internet of Things. The company was drawn to CloudGenix’s tech-nology because of the ease and utility of security controls based on the user’s identity, location and the application he or she is using, rather than just

routes, Coats says. Coats would like to see SD-WAN vendors go one

step further in simplifying how hybrid networks are secured by removing a lot of the manual labor and guesswork out of service chaining.

“Everyone is trying to solve this one little piece, and no one’s looking at the whole picture. And the whole picture is I have users who are everywhere, and my services are distributed on different plat-forms. I need one place I can pull it all together,” he says.

“The part I still get frustrated with in this busi-ness is everyone still tries to do it ‘my way,’ as op-posed to what is the right way.” n

Data Mine




k Down and out: Downtime in the enterprise k Through the wire: Cabling trendsWhat kind of Ethernet cable do you plan to buy for your data center?

SOURCE: “THE COST OF SERVER, APPLICATION, AND NETWORK DOWNTIME: NORTH AMERICAN ENTERPRISE SURVEY AND CALCULATOR,” IHS, JANUARY 2016, N=400

Only one in four smartphone users in developed countries are expected to use their devices to make voice calls in a given week.SOURCE: “TECHNOLOGY, MEDIA AND TELECOMMUNICATIONS PREDICTIONS 2016,” DELOITTE GLOBAL

On average, downtime incidents cost $1 million

annually for midsized companies and

$60 million for large enterprises.

CATEGORY 5 (UTP)

CATEGORY 5E (UTP)

CATEGORY 6 (UTP OR STP)

CATEGORY 6A

CATEGORY 7 (SSTP)

Networks are the biggest cause

of downtime.

SOURCE: ETHERNET BUYERS SURVEY, TECHTARGET, JANUARY 2016, N=142. RESPONDENTS COULD SELECT MULTIPLE ANSWERS.

12%

32%

69%

44%

19%

0 10 20 30 40 50 60 70 80

The average enterprise experiences 5 downtime

events each month, amounting to an average

27 hours per month.








Ω As these two giants wrestle for dominance in unified communications, their fight moves to the cloud. But as their offerings increasingly overlap, how do you decide which best fits your business?

When Cisco and Microsoft came out with plans to strengthen their respective collaboration abilities in the cloud last December, you could empathize with enterprises struggling to figure out the differ-ences between them.

After all, Microsoft’s newly released Office 365 Enterprise E5 and Cisco’s Spark both claim to focus on the core functions of meet, message and call for small to midsized businesses. Both tap the benefits of the cloud to avoid the hassles and upfront costs of on-premises equipment. And while Office 365

BY SANDRA GITTLEN

Cloud UC

Cloud Becomes Cisco and Microsoft’s UC Battleground

CREDIT: ISTOCK

http://searchunifiedcommunications.techtarget.com/news/4500259938/Microsoft-heats-up-SMB-market-with-new-Office-365-features

http://searchunifiedcommunications.techtarget.com/news/4500260350/Cisco-reinforces-Spark-as-cloud-based-PBX-UC-service


Enterprise E5 includes collaborative conferencing tools like Skype for Business Online, Spark has al-ways-on messaging and file sharing and offers video meetings with screen sharing. What’s a buyer to do?

The renewed focus on cloud marks the latest twist in the vendors’ ongoing battle for control of the uni-fied communications (UC) and collaboration mar-ket. Experts say it’s a natural outgrowth of where businesses are headed with their UC strategies.

“Both companies’ moves are a testament to the fact that [businesses] are thinking of moving uni-fied communications to the cloud,” says Marcus

Schmidt, senior director of products at West Unified Communications, a service provider based in Omaha, Neb., that implements both Cisco’s and Mi-crosoft’s UC products.

The greatest clue to deciphering the benefits of each vendor’s approach lies in their origins, he says.

“Cisco comes at cloud-based uni-fied communications from its tra-ditional strong suit of voice, video and larger group meetings,” Schmidt says. “Microsoft comes at it from the

productivity and collaboration angles.”Cisco’s plans for Spark seem to be twofold, ac-

cording to Irwin Lazar, a research leader at Nemertes Research. The goals: to attract a new cus-tomer base and get existing customers more com-fortable with the cloud.

“Cisco and Microsoft both have the long-term goal of delivering an entire breadth of services as hosted cloud solutions,” Lazar says.

But Cisco, whose UC products have historically been closely tied to its hardware, has to tread care-fully. It doesn’t want to cannibalize its existing base of on-premises installations, nor can it risk jeopardizing its channel partners’ hosted services business.

“Cloud is where they are going, though, so they can push out rapid updates, deliver APIs and evolve much quicker than they can with on-premises,” La-zar says.

WHERE THEY FIT INVerticals that might be interested in Spark would in-clude software development, real estate and finan-cial services, according to Lazar. The reason is that

21Percentage of IT pros investing

in unified communications over the next 12 months who

will use a cloud-based platform.SOURCE: UNIFIED COMMUNICATIONS AND

COLLABORATION BUYERS SURVEY, TECHTARGET, JANUARY 2016, N=1,153






Cisco’s new technology is most appealing to compa-nies with distributed teams that need to collaborate in real time internally and externally, he says.

Skype for Business Online might be more tempt-ing for those with more limited collaboration needs. “They might not need real-time persistent chat, but rather require single-click from a calendar entry to join a bridge or Web conference,” Lazar says.

The bigger challenge Cisco faces in gathering market share is that 45% of companies are moving to Office 365 for email and calendar, according to

a Nemertes study. This move makes it easier for those Mi-crosoft customers to then say “yes” to voice services for a few dollars more a month.

“Where Cisco will win, though, is with companies that have strong Cisco relationships already and that have non- Microsoft applications they want to support,” Lazar says.

Bill Leo, president and se-nior consultant at Summit Technology Group, a New

York-based consultancy, is also trying to help busi-nesses decide which approach is best suited for them.

One of his clients, a small tax firm with multiple locations, is considering Spark because it already has a Cisco phone system installed. Spark’s ability to integrate with Cisco’s Unified Communications Manager would allow the firm to continue using its existing IP phones, thus protecting a previous in-vestment. Leo adds that the company also likes the idea of staying with Cisco because of its comfort level with the vendor.

“If you’ve got subject-matter experts in place and you’ve already made the investment, then you stick with what you know,” Leo says.

MIND THE GAPSAnother of Leo’s clients, a small advertising agency with three locations, wants to roll out Microsoft’s full portfolio of applications, including Skype for Business Online, because its staff is most comfort-able with Microsoft’s software.

But Leo warns that the word portfolio is not syn-onymous with the word interconnected, and Skype

SOURCE:“Q4 2015 UC ITDM SURVEY–UC DEPLOYMENTS,” WAINHOUSE RESEARCH, DECEMBER 2015, N=100 NORTH AMERICAN MIDSIZED AND LARGE ENTERPRISES

Cisco vs. Microsoft: Nearly deadlocked

Whose UC platform is deployed

in your production environment?

48%CISCO

46%MICROSOFT

6%OTHER




for Business does not integrate as seamlessly with Microsoft’s other applications. Lazar agrees, saying that while Microsoft may have 20 applications, it fails to present a “unified vision.” Instead, he con-tends, Microsoft encourages customers to use the pieces they want.

Leo has found that disconnect to be a problem in areas like file sharing during a Skype session, which can produce a duplicate version of the document that affects version control, compliance require-ments and storage demands. Also, if video and audio conferences need to be stored and backed up, that could require additional storage space.

“You might even need dedupli-cation capabilities to ensure that storage is optimized,” he says.

With each strategic plan he generates for businesses con-sidering Cisco or Microsoft, Leo also digs into infrastructure requirements.

“I want to see if the network can support additional stresses from video, voice and collabora-tion,” he says. For instance, he

looks at the carrier capacity to ensure it can handle the demands of high-resolution video conferencing and the greater volume of traffic.

At West Unified Communications, Schmidt has uncovered some support hurdles as well. While Cisco has rolled out a feature with Spark that lets users register their phones into the system with a QR code, it only works for certain models.

“Some customers have made a big investment and aren’t willing or able to do a wholesale switch-out of their endpoints,” Schmidt says. As a result, they won’t be able to use all the new features.

Still, he applauds Cisco for keeping its platform open so that developers can create APIs, and he hopes Microsoft follows suit.

“Microsoft should open the Skype for Business Online platform as much as they can so developers can keep doing integration,” he says.

As small and midsized businesses adopt these cloud-based services, Schmidt encourages enter-prises to take notice because both platforms will un-doubtedly move upmarket.

“Both companies are clearly investing in the cloud,” he says, “and clearly believe this is where the industry is going.” n

“Microsoft should open the Skype for Business Online platform as much as they

can so developers can keep doing integration.”

—Marcus Schmidt,

West Unified Communications

Pulse Check




k ABCs of BYOD networking needsWhat tools do you plan to buy in the next 12 months to support BYOD on your wireless LAN?

k School of hard NOCsWhat did your networking team have to learn more about in order to support SDN and network virtualization?

71% Mobile device management

62% Network access control for mobile devices

49% User and device-based monitoring

48% Wireless intrusion prevention system

42% Location-based monitoring

25% of IT pros say their companies would be willing to pay a ransom to hackers to prevent a cyberattack, and 14% would pay more than $1 million.

SOURCE: “THE CLOUD BALANCING ACT FOR IT: BETWEEN PROMISE AND PERIL,” CLOUD SECURITY ALLIANCE, JANUARY 2016, N=209

SOURCE: “MANAGING TOMORROW’S NETWORKS: THE IMPACTS OF SDN AND NETWORK VIRTUALIZATION ON NETWORK MANAGEMENT,” ENTERPRISE MANAGEMENT ASSOCIATES, DECEMBER 2015, N=226. RESPONDENTS COULD SELECT MULTIPLE ANSWERS.

SOURCE: WIRELESS LAN BUYERS SURVEY, TECHTARGET, JANUARY 2016, N=316. RESPONDENTS COULD SELECT MULTIPLE ANSWERS.

Vendor certifications

How to integrate SDN

skills with broader

networking expertiseProgramming

Cloud management

systems

New network

protocolsSoftware

development

47%39% 37% 36% 35%

28%








Ω Beacon technology may have turned a corner. What youneed to know, straight from thepeople using it.

If you’re ever killing time inside Orlando Inter-national Airport and need directions to the closest Cinnabon, there’s an app for that.

In fact, the app, called Orlando MCO Airport, can direct you to nearly 1,600 different destinations in-side the airport—everywhere from gates and ticket counters to shops and restaurants to the closest elevators, restrooms and courtesy phones. And it’s all made possible by 1,000 Bluetooth Low-Energy (BLE) beacons.

In some sense, this isn’t news at all. The app, built on the Aruba Networks’ Meridian AppMaker plat-form, has been around for more than a year. It was the first in the air transportation industry to feature a “blue dot” experience, similar to GPS navigation, to show users a path to their destination. More than

BY CHRISTOPHER HEUN

Beacons

Bringing Home the Beacon

CREDIT: ISTOCK




30,000 travelers have downloaded it.The beacon technology has been “rock solid,” and

new features for the app are coming soon, accord-ing to John Newsome, IT director at the Greater Orlando Aviation Authority, which manages the air-port. Those new features will include a mechanism to help visitors navigate parking lots and wait-time estimators for airport security lines.

Is this a sign that beacons have finally matured and gone mainstream? Or is it just that an airport, like a hospital or college campus, is exactly the right location to get the most out of the technology?

“We are an extension of our community,” New-some says of the airport. “We deal with millions of

people, all of whom are here [in Orlando] to have a pleasant experience. We don’t want to screw it up.”

Unfortunately, that’s exactly what has happened with many implementations of beacon technologies, according to Tim Zimmerman, research vice president at Gartner covering the Internet of Things.

“We have found that many projects have failed because the architect was enamored with the mo-bile application capabilities and back-end applica-tion functionality without understanding whether the beacon components could broadcast the right information to the right constituency,” Zimmerman wrote in a recent research note, “Best Practices for Implementing Beacons in IoT Solutions.”

He says that one of the best uses of beacon tech-nology is for applications that provide directions or routes to the end users, such as turn-by-turn direc-tions at sprawling venues like hospitals and shop-ping malls, or for self-guided tours of university campuses.

Houston Methodist Hospital is using beacons to give indoor directions to general amenities like caf-eterias and restrooms. Working with Phunware, a mobile marketing platform vendor, the hospital has deployed beacons about every 100 feet for a proof of concept.

The tricky part is giving consumers the “blue dot” navigation experience with a level of accuracy that they’ve come to expect from GPS. That’s a whole lot more complicated indoors, where directing people down narrow corridors requires greater precision

400mThe number of BLE beacons expected

to ship by 2020.SOURCE: “BLE TAGS: THE LOCATION OF THINGS (LoT),”

ABI RESEARCH, JANUARY 2016




than routing them over highways and city streets.“GPS has set a false expectation” about the level

of detail indoor positioning technology can provide consumers, says George Stefanick, a wireless net-work architect at the hospital. “The common user doesn’t know the difference, but that’s the expecta-tion,” he explains.

A BEACON OF HOPE?Some of the biggest challenges with beacon tech-nologies, however, haven’t been technical, accord-ing to Stefanick. Establishing a champion for the technology on site—someone to manage the project so it meets the expectations of senior leadership—is often a struggle for many enterprises.

“This is not a cheap solution by any stretch. It’s still a new technology,” Stefanick says. “It’s not just that you’re going to install some beacons and walk away. It’s not that simple.”

That is especially true for retailers, who want to know the precise location of their customers—and the products on the shelf that are within an arm’s reach—so that they can tailor their marketing.

“We haven’t gotten to the point where the price

of the overall solution will allow retailers to deploy that. That’s why we’re seeing that [indoor position-ing] is more successful,” Zimmerman says. “With retail, we’re at a standstill, for the most part.”

But that hasn’t stopped some of the country’s biggest retailers from experimenting. Target an-nounced last August that it was testing beacon tech-nology in 50 locations nationwide with an app for the iPhone. Consumers were told to expect to re-ceive product recommendations or coupons based on their location in a store.

Macy’s showed its confidence in beacons by using them during the busiest shopping time of the year. The “Macy’s Black Friday Walk In and Win” game offered shoppers at 700 stores a chance to win $1 million in prizes through its app, connected to bea-cons powered by Zebra Technologies.

To create a better store experience for its shop-pers, Indianapolis-based Marsh Supermarkets tapped inMarket, a mobile marketing company that cites ComScore data to support its claim that in-Market’s technology reaches more than 40 million shoppers every month through beacons—the largest such audience in the country.

Rather than send messages to shoppers as they




move up and down the aisles, Marsh, which operates 78 stores in Indiana and Ohio, sends just a single message via an app on their smartphone, usually as a shopper enters a store or approaches a register.

In other words, it’s enough for Marsh to know the shopper has crossed the threshold of a supermarket; exactly where he or she may go once inside is less

important. “When I enter a store and my phone engages with

the beacon, the Marsh app wakes up, welcomes me, and reminds me of the digital coupons and draws my attention to another great digital offer that I can also clip and use on that trip,” wrote Amit Bhardwaj, senior director of customer loyalty for Marsh, in an email. “It really is as simple as installing a beacon in the store—so long as you have the app scale in place to listen for them.”

NOT ALL BEACONS ‘A SLAM DUNK’But not all beacon deployments live happily ever af-ter, warns one analyst.

“Beacons are great, but they have a lot of issues. The hype doesn’t live up to the reality,” says Maribel Lopez, founder of research firm Lopez Research in San Francisco.

The first barrier is that consumers need to down-load an app for the beacons to talk to. Nationwide retailers are big enough to attract proactive users, but for smaller retailers, the technology just isn’t practical, Lopez says.

There are technical challenges, too: checking for

What is Bluetooth Low Energy?

BLUETOOTH LOW ENERGY (BLE) is a power-conserving variant of Bluetooth’s

personal area network technology, designed for use by Internet-connected

machines and appliances.

Also marketed as Bluetooth Smart, BLE was introduced in the Bluetooth

4.0 specification as an alternative to Bluetooth Classic. Like its predecessor,

BLE uses frequency-hopping wireless technology in the 2.4 GHz unlicensed

radio band to interconnect nearby devices. Unlike its predecessor, BLE maxes

out at just 1 Mbps while consuming 0.01 to 0.5 watts. That’s up to one third of

the speed of Bluetooth Classic, at half the power. Battery life depends upon

hardware, transmit distance and duty cycle, ranging from one to 40 months.

SOURCE: WHATIS.COM

http://whatis.techtarget.com/definition/duty-cycle




interference in the environment, making sure bea-cons haven’t fallen out of place, using the technol-ogy to deliver compelling content, and linking to content management and customer relationship management systems. It’s a tall order.

“The actual management of beacons is not a slam dunk,” Lopez says.

Case in point: At the Brooklyn Museum, Shelley Bernstein, the vice director of digital engagement and technology at the museum, blogged last year about her frustrations installing beacons from Es-timote throughout 500,000 square feet of gallery space.

The beacons didn’t stick well to walls. There was no central manage-ment tool to track them or monitor battery life. There weren’t even serial numbers on each device so that she could replace one easily if it did fall.

“Beacon signal, for instance, is dis-rupted by everything save air … walls, vitrines, objects, people, you name it,” she wrote. “This problem is so bad, in fact, that I can be standing di-rectly beside a beacon on the wall and

will find a stronger signal coming from one across the room.”

Now, multiply all that by 100. If a company has multiple locations, but doesn’t have IT staff in every building, who decides where to put each beacon? Who sticks it on the wall? Who checks to make sure it’s still there six months later? The traditional retail floor employee needs a video or some sort of guide to install beacons properly, Lopez says.

“Back in the day, when you set up a wireless LAN, somebody came out and figured out where to put ac-cess points,” Lopez says. “There was a whole art and science to it.”

“You don’t just pack up beacons in a box, ship them, and say ‘Plug them in,’” she continues. “It’s not a tablet. It’s not a laptop. It took 15 years to get to the point of sending out wireless access points and saying, ‘Plug it in.’”

That may be why some large retailers have chosen a less ambitious approach: attaching beacons to in-dividual shopping carts rather than store walls.

Moxie Retail, which provides technology services to big-box retailers in Canada, uses shopping cart-mounted beacons along with Wi-Fi infrastructure from Ruckus Wireless to track user behavior and

“You don’t just pack up beacons in a box,

ship them, and say ‘Plug them in’. It’s not a

tablet. It’s not a laptop.”

—Maribel Lopez, founder, Lopez Research

https://www.brooklynmuseum.org/community/blogosphere/2015/02/04/the-realities-of-installing-ibeacon-to-scale/




optimize store layouts. Using beacons this way also avoided any privacy concerns consumers may have, says Peter Townsend, senior vice president of strat-egy and insights at Moxie Retail.

At Houston Methodist Hospital, Stefanick sees a similar use for beacons in the near future: as a

location-based service. Instead of sticking beacons on walls, the hospital could attach them to assets like wheelchairs or infusion pumps. Tracking them using Bluetooth Low Energy could be much less expensive than doing so over Wi-Fi, the current practice. n

Network Innovation Award




Tempered Networks: HIPswitch

k S P E E D S A N D F E E D S

Physical HIPswitches include the 100 Series (8 Mbps), 200 Series (15 Mbps), 300 Series (100 Mbps; pictured here) and 400 Series (1.3 Gbps). Throughput on virtual switches (100v and 300v Series) depends on the host.

k W H Y W E L I K E I T

HIPswitch does more than put a Band-Aid on existing approaches to network security. Unlike IP addresses, these identities can’t be spoofed. It makes a compelling model for securing Internet of Things devices on the network.

k W H AT I T I S

A portfolio of switches and orchestration software based on Host Identity Protocol (HIP), which replaces IP addresses with cryptographic identities managed through a centralized, automated platform.

k W H AT I T D O E S

Creates an identity-based overlay network with AES-256 encryption for whitelisted devices. Provides secure connectivity over any network, including cellular.

To learn more about why Tempered Networks’ HIPswitch products are our latest Network Innovation Award winner, read the whole story on SearchNetworking.

http://searchnetworking.techtarget.com/feature/Tempered-Networks-HIPswitch-tackles-IoT-management







Um, I thought

this was sup-

posed to make

my network

go faster—not

make it implode.

DROPPED PACKETS | OPINION | LEE BADMAN

WAN Optimization Sounds Great, Until It Doesn’t Work

There I was, all sparkly eyed at the thought of WAN optimization being provided by a new ver-sion of code on my favorite site-to-site VPN end-point devices. I’d worked to find a dedicated WAN optimizer in the past and saw how very expensive magic boxes could make a T1 link “feel” like a T3 through compression and other tricks. When it works, it’s simply glorious.

So when my security appliances were gifted with a WAN optimization feature set, I had wild visions of my branch connectivity getting a leg up for things like Active Directory (AD) profile load-ing, as the domain controllers are hosted at the main network (this was before branch caching was viable). The vendor promised huge perceived gains in server message block and HTTP traffic, and the 1 Tb SATA drives built into the appliances “for future use” would be woken up and turned loose as part of

the WAN optimization feature set. Oh, sweet cheese, I couldn’t wait for my remote users to call up and say, “What did you do to the network? It’s smoking fast!”

And call they did; except it wasn’t to heap praise on me and the network. Instead, I got an earful of, “It looks like the network’s broken. Do you know what’s going on? None of our AD machines are working!”

PULLING THE PLUGI made a call to tech support. The VPN tunnel was still up, and non-optimized traffic was fine. Pretty soon, I opted to end a lengthy data-gathering ses-sion with the vendor’s support engineer and dis-able the new WAN optimization feature. As if a switch was flipped, all was well again with the traffic

CREDIT; YUOAK/ISTOCK




flows—except nothing was being optimized at that point. My high-latency WAN connection would stay high latency for a few weeks, until the vendor was ready to try again with new code. That failed too. As did the next attempt. And the next. Over a year later, after multiple attempts at WAN optimiza-tion on this hardware, the vendor threw in the towel and pulled the feature for good.

So, why am I sharing this fairly gloomy chapter in my WAN history? First of all, it happened rather recently with a vendor that tends to consistently knock it out of the park with the code that runs its networking gear. Second, there is a tremendous

amount going on with WAN evolu-tion right now. A lot of it rides the rising software-defined networking (SDN) tide, which means it’s time for a reality check.

At a recent Networking Field Day event, there was a fair amount of dis-cussion about SD-WAN and simi-lar shadings. In my own world, I’m getting acclimated to Cisco’s new-ish Intelligent WAN offerings with self-optimizing path selection and

other snazzy-sounding features. With commodity Internet prices coming down and the power of 4G edge routing, these are exciting times for affordably connecting remote locations in ways we couldn’t dream of just a few years ago. I applaud anyone and everyone in the WAN game who is trying to bring new mojo (whether it’s SDN-fueled or not) to cach-ing, compression and automated quality-of-ser-vice management. And I love that, one day, thanks to WAN optimization, all WAN links might intelli-gently reroute when packets are dropped.

FOCUS ON THE BASICSIn the meantime, I have a message to vendors from the WAN trenches: Whatever you’re proposing or selling under the heading of “Exciting Develop-ments in WAN” has to actually work. The WAN itself has to work—consistently and reliably, as it always has. It’s that simple.

Beyond that, all the exciting stuff with WAN op-timization, is just gravy. Far-flung users at the end of WAN links are people, too. They are real workers doing real work, and there just isn’t room for half-baked solutions and crowd-sourced beta testing by

I have a message to vendors from the WAN

trenches: Whatever you’re proposing or selling under

the heading of “Exciting Developments in WAN” has

to actually work.




customers who didn’t know they were being drafted into the quality assurance testing role.

I’ve been on the losing end of a new WAN opti-mization feature set that didn’t live up to its hype despite the promises of a trusted vendor, and I suf-fered for it. Though I’m good at damage control and seeing stuff for what it is when it comes knocking,

I still took bruises to my professional reputation and my organization looked foolish for a bit. Worse, my clients were impacted, and that just can’t be tolerated.

Evolve away, but do so responsibly. And please, don’t bring your WAN Big Idea to market until it’s ready. n







n Tim Broad

n IT Director

n Traders Point Christian Church

n Whitestown, Ind.

THE SUBNET | Q&A | JESSICA SCARPATI

Plug and Pray: Network Supports Growing Church

Football stadiums, convention centers and airports are the typical venues that come to mind when it comes to building a wireless network that can support densely populated and often transient user populations. But in the suburbs of Indianapo-lis, the IT team at Traders Point Christian Church—a self-described gospel-based church—faces the same challenges but with far fewer resources.

In terms of production value, its sermons look more like TED Talks than the stern or somber atmo-sphere found at many churches around the world. Divided into two campuses in Carmel and Whites-town, Ind., the church sees an average weekend at-tendance of 6,500 to 7,000 people. They may not only attend services, but also linger at the church’s indoor playground or coffee shop, or return later for a live concert. The church also has its own mo-bile app, which allows users to replay video or audio from previous sermons, or access relevant scripture

passages during a live sermon.Tim Broad, the IT director at TPCC, shares how

all this activity influences his network design, based on infrastructure from HP Enterprise and Aruba Networks, as the church expands its footprint.

What networking projects are you working on now?We are going through some expansion of addi-tional campuses across the Indianapolis area. We are what’s called a multi-site church, and what that means is we are one church that meets in multiple locations. From a networking perspective, as a large church, it means we have a heavy emphasis on the production side of worship services. There are a lot of lights, video and sound, and all of those things are networked. It’s always preferential to have all of those things operate on the same network, even across multiple physical locations around the city,

http://www.tpcc.org/sermon/a-watery-grave/




the country or even around the world. The challenges that come along with that can be

daunting at times. From a project management per-spective, it really requires getting the right people in the right places at the right time. A lot of pieces don’t necessarily all have to fall in the right place at once, but actually at different points on a timeline so the next thing can go.

This expansion is really critical for our vision. So what we look at from an IT standpoint is how can we, as the operations side of the organization, put in networks, systems and servers that support that vision? Be it MPLS or a point-to-point VPN con-nection between controllers, [the technology we choose] will look a little different in each situation because the campuses might have different ISPs ser-vicing each area, the rack space might look different in the building or the bandwidth availability might be different in those places.

A lot of people don’t associate churches with cut-ting-edge technology. Can you talk more about how it plays a role at Traders Point Christian Church?We hear that question a lot from an IT standpoint. I asked the same question, coming from corporate

America. When I was being offered this position, I said, “I go to this church, but is there really that much [technology] that you need to bring in some-one with this skill set?” Well, it’s absolutely the case, because using technology is such a mission-critical part of achieving our vision. Whether you’re a non-profit or for-profit, you’ve got a mission statement. To some degree, technology should be a part of achieving that mission statement.

We have a mobile app that we engage people very heavily with. There’s a giving component where people can donate [to the church]. They can use it to follow along with the current sermon series that’s going on or find ways to engage with others. Because it’s such a large church, people can engage with one another on social media. For us, the app is even a key part of how we do ministry. To run and support that app on the weekend in our campuses, you’ve got to have a strong network—not only a strong physically wired network, but also a very strong and robust wireless network with low latency, great coverage and great bandwidth.

What does your network look like?We have three ISPs that service our building, and




we’ve bonded those together to make sure we have uptime at all times. Our primary [WAN] connection is through Bright House Networks’ fiber, and while it’s capable of receiving up to 10 gigs, we are only contracted with them for 200-by-200 megabits. The reason for that is just cost; we’re stewarding resources, one of them being a budget, so we want to be very conscious of that.

We have 802.11ac access points, in some cases ca-pable of delivering in excess of a gig over Wi-Fi, and our wired network is equally robust, if not more so, depending on what you’re dealing with. We’re giving that full bandwidth to our staff, but we do limit our guest network to 5 or 10 megs. That’s just so they’re not downloading a whole bunch of app updates and eating up the bandwidth for everyone else.

What’s your biggest technical challenge these days?When it comes to networking multiple campuses, it can be very expensive and time-consuming to set things up and then have systems in place to monitor those networks. One of our bigger challenges right now—and it’s a challenge we welcome with open arms—is thinking of new, innovative ways we can

work around your traditional site-to-site network-ing solutions like MPLS.

We’re looking at solutions like a firewall-to-fire-wall VPN connection when we can do that. It’s still sort of a trunk that’s open between locations. Our challenge there is to try these things in a live envi-ronment, sometimes during weekend operations, just because we can’t really test them properly with-out completely barraging the network infrastruc-ture with our weekend workload.

For someone in corporate America that deals with these things all the time, it’s not going to seem like a big thing for them, but the complexity comes in in a church or a nonprofit setting, where we can’t just take a solution and plug it into the next campus that we roll out. There’s a degree of autonomy that exists with these different campuses. There are differences between them; they kind of have their own DNA. From a networking perspective, we have to answer that situation with a customized network approach.

How does the density influence your Wi-Fi design?You have this constant ebb and flow of different people coming in. It’s like a mall or airport, in a




way. When people are coming in and joining Wi-Fi, you have to make sure—even down to the details of a DHCP scope on a server—that you’re releasing DHCP addresses in a very particular time range, and you’re bringing those DHCP resources for new peo-ple who haven’t come in yet. There are some things that are a bit different from a corporate network, where you have generally the same people coming in day to day. We just have a constant refresh.

For wireless infrastructure, it was between Aruba and Ruckus Networks. The go-to is always Cisco, but it’s not necessarily great in an arena setting. We were looking at arenas, baseball stadiums or football

stadiums—the affinity there is you have that constant refresh of people—where you not only need coverage, but also access points that are going to be able to process that traffic and han-dle that density of people in a confined area.

And Aruba did that the best?I had found Ruckus made some claims their access points are

not quite capable of living up to. I did my own inde-pendent “case studies,” aside from what I was hear-ing from Aruba reps or other people in the industry. I went to some locations that I knew were using Aruba infrastructure, and I was even able to meet with their network admins. I got some really good, unbiased, lay-it-all-out-on-the-table feedback.

One of the greatest things about the Aruba infra-structure is their controller will see a radio client—a cellphone or an iPad—that’s traveling throughout different areas of the campus. The controller will see that movement just based on the dB strength that the device is receiving and sending at. It will move that client to the next AP as they’re moving through-out the building. Some other wireless providers claim to be able to do this, and some of them can do it fairly well, but not with the density and coverage requirements that we have.

Let’s talk careers. How did you get into IT?I started to take an interest around the age of 8, when my dad purchased a couple of nonworking Apple IIes from a silent auction at our local public school. He said to me, ‘OK, I’ve got two nonwork-ing computers. Can you take parts from these two

“You need not only coverage, but also access points that are

going to be able to process that traffic and handle that density of people in a confined area.”

—Tim Broad, IT director, Traders Point Christian Church




and get one of them working?’ It wasn’t because he needed a computer or wanted a computer, but he wanted me to reach out to people for help or do re-search. Of course, Google wasn’t around back then, so he wanted me to figure this out.

That was the start for me and is what I’ve always done—just gone in and figured things out. Now it’s really important to me to be networked with others in the industry who can inform me on things or I can bounce ideas off of. If I’ve got a project coming up, I have resources I can reach out to.

My first official position in the industry was managing expansions of business operations at family entertainment venues. I was managing every technical aspect of those projects and even some of

the construction components. After doing that for several years, I was called upon by my local church, and it has been something that’s great to be involved in and is challenging in a very different way.

Here’s our rotating pop culture question: Star Wars or Star Trek, and why?You know, I am not much into sci-fi, but if I had to choose between one of the two, I would choose Star Wars. I am an action movie fanatic, and I feel like there’s more action in Star Wars.

My grandpa used to watch Star Trek, and I just remember falling asleep to it. I know I was pretty young, but I think that’s the source of my baggage surrounding Star Trek. n




SANDRA GITTLEN is a freelance journalist in the greater Boston area. A former editor at Network World, Gittlen now writes about technology, business and lifestyle for an array of industry publications, including StateTech magazine, Computerworld and Wharton Magazine.

CHRISTOPHER HEUN is a freelance writer and former editor at InformationWeek. His work has appeared in the Baltimore Sun and Evening Sun, BtoB Magazine, Folio, SciFi.com, the Budapest Business Journal and the Hungarian edition of Reader’s Digest. In 2010, he won a Baltimore Addy in the direct marketing category.

JESSICA SCARPATI is features and e-zine editor of Network Evolution in TechTarget’s Networking Media Group. Scarpati was previously the site editor for Search-CloudProvider and the senior news writer for the Net-working Media Group. Prior to joining TechTarget, she worked as a reporter for several newspapers in the Boston Metro area.

Network Evolution is a SearchNetworking.com e-publication.

Kate Gerwig, Editorial Director

Jessica Scarpati, Features and E-zine Editor

Kara Gattine, Executive Managing Editor

Chuck Moozakis, Executive Editor

Antone Gonsalves, Director of News

Linda Koury, Director of Online Design

Anita Koury, Graphic Designer

Marty Moore, Senior Production Editor

FOR SALES INQUIRIES, PLEASE CONTACT:

Doug Olender, Senior Vice President/Group Publisher [email protected]

STAY CONNECTEDFollow

@NetworkingTT today.

TechTarget, 275 Grove Street, Newton, MA 02466

©2016 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. TechTarget reprints are available through The YGS Group..

About TechTarget: TechTarget publishes media for information technology profession-als. More than 100 focused websites enable quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.

EMAIL Contact us

@WEBSITE Visit us

http://searchnetworking.techtarget.com/

https://twitter.com/NetworkingTT

http://reprints.ygsgroup.com/m/techtarget

mailto:editor%40searchnetworking.com?subject=

http://searchnetworking.techtarget.com/

sd-wan: is this a secure line? -...

Documents