Step 1: The Basics
If your company has more than one building and you want the networks within those buildings to be able to talk to one another reliably, rapidly, and securely, you have 5 choices on what you can do.
1) You can lay cables between the buildings. This is called an “air-gapped” connection.
2) You can lease space on a quasi-dedicated cable from the telecom providers that sit between your buildings. For reasons explained shortly, this method is called MPLS.
3) Provided they are close enough, you can beam data between your buildings using electromagnetic waves. There are a number of different commercial implementations of this, each vying for a dominant vocabulary word. For the purposes of this paper, we’ll refer to all of them as Wireless Bridges.
4) You can lease space on a low earth orbit, “LEO”, satellite constellation.
5) You can use the Public Internet and create an encrypted network flowing through shared cables and routers. This is known as making a Software Defined-Wide Area Network, or “SD-WAN”.
Not all of the above are equally priced, secure, fast, scaleable, or easy to manage. Since price will always be fickle, we will focus, for the most part, on the other aspects.
If you have the budget and wherewithal to go into work tomorrow and say, “screw the Internet’s hackers and reliability problems, just run some fiber between our buildings,” you should probably go ahead and do that. Airgapped connections are dedicated cables strung between facilities. Why the name? They do not intersect with other cables. Done right, this is the fastest, largest connection you can get between your buildings. Keeping them safe, and stable, is a matter of guards, guns, excellent hardware, and good maintenance crews. If you are not sure (tip: you are not) you can keep the cables from being tapped, you are going to want to send the data in an encrypted state.
If you don’t want to build and maintain cables between your buildings, you can always pay your telecom provider to do it for you. Typically, telecom providers render this service by leasing you space on a quasi-dedicated network of physical cables linking your buildings, as well as those of the other parties leasing space on the line. If you need to add another building to the network, the telecom provider will, for a fee, dig a trench and run a cable out to it. Since there are usually only a few dozen connection points on such a physical network, these systems can use a simplified packet transmission technique relative to that employed for sending data across the Internet. The term MPLS stands for “Multiprotocol Label Switching”, which is in reference to the simplified transmission technique such networks use. MPLS systems often offer higher packet delivery reliability rates than straight transmissions over the Internet, and they are assuredly cheaper than airgapped lines hauled over long distances. But do not be lulled by the telecom vendors into thinking they are safe. The only firms using MPLS have considerable treasure running across those lines. However, unlike an airgapped network guarded by a team under your employ, MPLS cables are rarely guarded by anyone. Take the hit on transmission speed and encrypt your data before you send it across the line.
Wireless Bridges can be quite effective if your buildings are close enough together, you don’t have a large bird population, and you don’t mind zapping your employees (never mind whether it is actually harmful, it will unnerve anyone who gets wind of it).
Low Earth Orbit Satellite Constellations promise pretty good speeds and a way to pull data out of tricky parts of the world. If you want to send your transmissions over one, expect to be leasing bandwidth alongside a relatively small number of other firms. Think of this as a space-based version of MPLS, but with compromises in speed and security in exchange for access to far off parts of the globe. There are no commercially available LEO systems presently available. That should change by 2020. Unfortunately, unless you have extremely well-tuned hardware on the ground, LEO is not a secure means of sending data. Civilian antennas tend to broadcast in a general direction, on the basis that at least one of the satellites in the communications array will receive the signal. This means any satellites passing through a several thousand square mile area receive the signal, not just the intended satellite. In contrast, proper military uplinks use narrow beams, tracking motors, and timers to ensure that the signal reaches one, and only one, satellite. Rule of thumb: if you are wealthy enough to buy satellites, you have enemies wealthy enough to buy the feeds off of the other satellites flying around in the area and then run pattern analyses on the encrypted packets to figure out what you are up to. In short, pay for the requisite ground-based systems.
Software Defined-Wide Area Networks use the Public Internet as the means of connecting geographically distinct networks. That’s it. Everything else you see is smoke blown by marketing departments.
The reason why “Software-Defined” is part of the moniker is that, once you start traversing the Internet, you need to start defining what is part of your network using more than “whatever is connecting to the router” as your descriptor. Done properly, SD-WAN can balance tremendous loads and can be more secure, reliable, and versatile than the other options presented above. The “done properly” part is hard. What follows is an explanation of how to do it.
Step 2: What makes an excellent SD-WAN?
Most of you are reading this as a primer to learn what to buy. Let’s start, then, with a few basic questions that you should ask.
Does it have redundancy?
An SD-WAN should actually be at least 2 networks, not one. The Internet can be fickle, and uptime matters. Every facility should be connected through at least one load balancer with forward error correction connected to at least two independent networks that link together the other facilities within your organization. If one network fails, a load balancer will see that all of the data from the facility flows through the backup without a hitch. Forward error correction (FEC) improves the likelihood that the packets which compose your transmission actually make it to their intended destination (in layman’s terms: FEC sends two identical packets via different routes).
Does it self-heal?
If an SD-WAN breaks, is there an automated system in place that repairs it?
Is it encrypted?
You would think everyone would know how to do this these days. They do not. If crypto isn’t your thing, make sure the SD-WAN uses two layers of high-end crypto (AES-256 with independent 4096-bit keys is fine). An equally acceptable alternative is if they are using two different forms of crypto at least in the ballpark of AES-256.
Can it be traced?
The greatest weakness of most SD-WANs is that they are easy to detect. The thing to watch out for are vendors selling boxes that connect into SD-WANs through IP addresses that rarely, if ever, change. If an opponent can inexpensively develop a map of your network, they are likely to start poking around for weaknesses. The basic question to ask is, “are the entry points into the SD-WAN you are trying to sell me static?"
Does it segment both cryptographically and topologically?
Big words, simple problem. Let’s say you have a bunch of air conditioning units in your buildings that need to communicate with one another but you, reasonably, suspect they can easily be hacked. If a vendor tells you “oh, don’t worry, the communications amongst the A/C units are cryptographically segmented from the rest of the network”, what that vendor is saying is that the data being sent amongst the air conditioning units is encrypted using a different key than the rest of the data being sent between the buildings. That means than any baddie who breaks into your A/C unit will be able to see the rest of the network, but won’t immediately be able to read the data passing through it. Depending upon what the baddie’s objectives are, you may have just thwarted them. It would be far safer, however, if the A/C units sent their data through an entirely different network. By this, we mean different wires and different servers. To be sure, this isn’t always practically possible within your buildings, but it certainly is when transiting the Internet. The implication of segmenting a network both at the cryptographic and topological levels is that your SD-WAN shouldn’t really be one network, it should be several.
Can it be easily managed?
This is where most vendors make their money, so pay attention. If a company charges a fee for network management, they are inherently disincentivized to make the system easy for the end-user to run on their own. The demo gimmick we have seen a lot of recently is a slick user interface with two to four local area networks connected together and a salesperson connecting another one via drag-and-drop. Part of the demonstration should be giving you ten minutes with the mouse and keyboard and letting you create and connect several dozen local area networks, each with their own unique set of devices/users. Think that’s crazy? Look at how big your company is now. Imagine how many changes will be taking place on a daily basis in practice.
Can it be set up in under an hour?
This question falls into the same bucket as management. If the SD-WAN is well built, hardware installations aside, the setup of the actual networks should take under an hour. If this requirement causes a salesperson to start stammering, just walk away.
Step 3: How to do it.
You need 5 things to build a proper SD-WAN.
1: You will want load balancers: at least one per building. Your call on how much redundancy you need.
2: You will need hardware or software that provides forward error correction.
3: You are going to need some computers. Processors running Linux that can spin up virtual machines which can broker connections to multiple different networks. These processors will need to be sitting on boards with ports capable of handling the throughput you desire.
4: You will need software which can launch, monitor, maintain, and amend the cryptographically and topologically distinct networks to which the boxes will be brokering connections.
5: You will need a user interface which can manage the connections being made into said networks.
Step 4: Putting this into practice.
This is engineering—if you dedicate time and money to it, you can get one up and running. If you are sitting in a lab reading this, we’d place high odds on you being able to jerry rig a decent SD-WAN in a matter of weeks. Alternatively, you can buy an SD-WAN.
What tends to surprise people who purchase SD-WANs is the human element: Manually maintained, high-quality SD-WANs require three to four people per SD-WAN to keep them afloat and, because they will have access to the pipes that channel your most valuable data, you cannot offshore these jobs safely. Note also that even an SD-WAN that automatically maintains itself will need a person to manage what things are allowed to access the SD-WAN.
Step 5: Guessing how much this will cost.
Start off by eliminating the jackasses from the field. No self-respecting person will charge you a fee for providing technical support. Moreover, that technical support had better be based in the United States.
You should expect to be charged based upon the number of buildings you have connected to the SD-WAN, both because of the need for multiple pieces of physical hardware at each facility, and because there are some networking charges that cannot be avoided once you get into physical space.
Minus the hardware and, if it isn’t automated, the people, a secure, cloaked, redundant SD-WAN should not cost you more than $12k/year, plus about $3k/year per facility you bring into the network. Remember when coming up with your estimates, however, that your security department will probably require the things you care about most to travel on different networks from the things you care about least, so multiplication may come into play.
Step 6: Go for it.
Disclaimer: Why we bothered to write this article
SD-WANs are a large part of our business and, given we hold the patents on making cryptographically and topologically segmented SD-WANs that operate automatically, we think we offer the best product on the market today. You can check out our SD-WAN page at https://dispel.io/use-cases/sd-wan, or can contact us directly at email@example.com.