Blog: Simplify IP Networking by Combining Routing & Security

By Sorell Slaymaker |

128 Technology has created a stateful, session-aware router that collapses firewall, load-balancing, and WAN-optimization functions natively into a single platform. By combining networking and security functions, the 128T Networking Platform can route and optimize applications based on network performance AND security trust requirements. This lets network operators simplify their networks, especially for applications such as video whose traffic profiles look alike to the network but whose security and performance needs differ.

Along with a stateful, session-aware router, the 128 Technology data model uses tenants and services to define devices, users, and applications. This name-based approach gives the router a simple way to understand how to route and secure applications according to their required security and performance parameters.

Consider the challenge of managing different types of video traffic across multiple network links in an enterprise wide area network (WAN). This is about to be a very real problem for many companies, as 82% of all IP traffic will be video by 2020. What's more, this video traffic will be comprised of many types of video-based applications, which have different network security and performance requirements.

Imagine a typical enterprise with five network links: one going directly to the Internet, one private, two to cloud providers, and an LTE connection for out-of-band management and backup if all wireline access is cut. Which traffic goes across each link is based on both routing and security policies.

Figure: Large Enterprise Site with Five Network Connections

While a traditional WAN would treat all video traffic the same (assuming it is all marked AF41 DSCP, for instance), a better approach involves a more granular routing scheme in which different types of video traffic are treated differently.

To illustrate, consider the 3×3 matrix of network performance and security requirements below, expressed using names rather than addresses.

The three network performance categories would be:

  1. Real-Time Interactive – Collaboration across teams or with customers using voice, video, and web
  2. Near-Real-Time – Live streaming of an event or for augmented reality
  3. Non-Real-Time – Viewing stored content for training or illustration of how a new product works

The three security categories would be:

  1. Trusted – A device and/or user that has been authenticated
  2. Semi-Trusted – 3rd-party federation or an assumed trust level
  3. Not-Trusted – No trust, and a full stack of security controls is required

Combining the network and security policies together in a 3×3 matrix allows the 128T router to select the appropriate path(s), rate shaping, QoS priority, and firewall controls to ensure video application performance and security. Also, when network congestion occurs, instead of dropping video traffic randomly, a more intelligent and dynamic QoS scheme can be used: lower-value classes are demoted first, so real-time interactive sessions keep their priority.
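As an added illustration (not 128 Technology's code or configuration), the following Python sketch models the combined decision for the five-link site above: each session is classified by a performance category and a trust level, and a single policy function returns the path, DSCP marking, and firewall profile. Link names, DSCP values, firewall profile names, and the rule that LTE carries only trusted sessions when all wireline links are cut are assumptions for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional


class Perf(Enum):
    REAL_TIME = "real-time-interactive"
    NEAR_REAL_TIME = "near-real-time"
    NON_REAL_TIME = "non-real-time"


class Trust(Enum):
    TRUSTED = "trusted"
    SEMI_TRUSTED = "semi-trusted"
    NOT_TRUSTED = "not-trusted"


# Constructed link inventory for the five-link site; LTE is out-of-band backup only.
WIRELINE = ("private", "cloud-a", "cloud-b", "internet")

# Assumed DSCP per performance class, and the marking each is demoted to under congestion
# (real-time interactive is never demoted; non-real-time falls to best effort first).
DSCP = {Perf.REAL_TIME: "EF", Perf.NEAR_REAL_TIME: "AF41", Perf.NON_REAL_TIME: "AF21"}
CONGESTED_DSCP = {Perf.REAL_TIME: "EF", Perf.NEAR_REAL_TIME: "AF31", Perf.NON_REAL_TIME: "BE"}

# Assumed firewall profile per trust level: more controls as trust decreases.
FIREWALL = {Trust.TRUSTED: "stateful", Trust.SEMI_TRUSTED: "stateful+app-id",
            Trust.NOT_TRUSTED: "full-inspection+rate-limit"}


@dataclass(frozen=True)
class Decision:
    path: Optional[str]   # None means the session is refused (no acceptable link)
    dscp: str
    firewall: str


def candidate_paths(trust: Trust) -> list:
    """Ordered path preference by trust: only trusted sessions may use the private link,
    and not-trusted sessions are confined to the direct Internet link."""
    if trust is Trust.TRUSTED:
        return ["private", "cloud-a", "cloud-b", "internet"]
    if trust is Trust.SEMI_TRUSTED:
        return ["cloud-a", "cloud-b", "internet"]
    return ["internet"]


def route_session(perf: Perf, trust: Trust, up_links: Iterable[str], congested: bool = False) -> Decision:
    """One lookup yields routing and security treatment for a (performance, trust) cell."""
    up = set(up_links)
    if up & set(WIRELINE):
        path = next((p for p in candidate_paths(trust) if p in up), None)
    else:
        # All wireline access cut: LTE backup is reserved for trusted sessions (assumption).
        path = "lte" if "lte" in up and trust is Trust.TRUSTED else None
    return Decision(path, (CONGESTED_DSCP if congested else DSCP)[perf], FIREWALL[trust])
```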

Figure: Nine Different Classes for Video Traffic

Traditionally, segmenting and optimizing video applications across routers, firewalls, load balancers, and WAN optimizers leads to "ACL Hell", along with a host of other operational headaches. This is because network routing and security have been treated as two separate functions. Combining them into one function and moving to a name-based addressing model (while still supporting legacy IPv4/IPv6 addressing) will simplify IP networks.