Was a 100% Remote Workforce in your Network Diagram?

By Special Guest Mark Casey, CEO, Apcela
April 09, 2020

Just like that, the CEO said, “All employees will work remote until further notice,” and the network that was ‘transitioning’ to a next-generation architecture was product-tested overnight.  Many failed, and the result was a workforce unable to connect…

That scenario has turned real for companies like brokerage firm Charles Schwab Corp., which faces the challenge of moving upwards of 20,000 workers to a remote work model.

“Like many companies, we simply did not build into our plan the need to have the majority of employees work from home at the same time,” said Nigel Murtagh, executive vice president of corporate risk, in a memo that was reported by Bloomberg News.  “We are in the process of building out that capability now, as quickly as possible.”

Not everyone will be in the same place as Schwab, but many enterprises are going to have the same struggle to meet the surge in demand for remote access.  What are some steps to take?

Tackling capacity concerns in the near term

Capacity for existing remote access solutions will be taxed.  Take steps to moderate the traffic impact by having clear guidelines on what’s allowed and what’s not allowed while using the VPN.  Explicitly stating a ban on video streaming sites, like Netflix and YouTube, is OK; blanket policies blocking social media sites like Facebook might be harder to justify if employees are trying to feel connected to impacted family members.

Apart from sharing guidelines, also consider how to implement those policies on a per user basis, if possible.  Consider using different/more restrictive policies for remote users to avoid resource contention.  What is the employee’s role?  What level of access to applications should they be given?  If the employee is a social media manager, they might actually need access to Vimeo, YouTube, Instagram and other communication channels to stay in touch with employees and customers.

Have a consistent policy managed by a centralized orchestrator, with resilient backup. 
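The per-user guidance above can be expressed as one policy table evaluated the same way for every request. The following is an added example, not code from the article or from Apcela; the category map, the role name, the "office" baseline and the handling of uncategorized hosts are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed category map (assumption); a real deployment would use a URL-filtering feed.
CATEGORIES = {
    "netflix.com": "streaming",
    "youtube.com": "streaming",
    "vimeo.com": "streaming",
    "facebook.com": "social",
    "instagram.com": "social",
}

# Baseline per connection type: remote (VPN) users get the more restrictive profile.
BASELINE = {
    "remote": {"streaming": "deny", "social": "allow"},
    "office": {"streaming": "allow", "social": "allow"},
}

# Role exceptions are scoped to named domains, not to a whole category.
ROLE_EXCEPTIONS = {
    "social_media_manager": {"youtube.com", "vimeo.com", "instagram.com"},
}

@dataclass(frozen=True)
class User:
    name: str
    role: str
    location: str  # "remote" or "office"

def registered_match(host):
    """Return the catalogued domain that host equals or is a subdomain of."""
    host = host.lower().rstrip(".")
    for domain in CATEGORIES:
        # Require a label boundary so "notyoutube.com" does not match "youtube.com".
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def decide(user, host):
    """Return (action, reason) for one user and one destination host."""
    domain = registered_match(host)
    if domain is None:
        return "allow", "uncategorized"  # assumption: left to other controls
    if domain in ROLE_EXCEPTIONS.get(user.role, set()):
        return "allow", "role exception"
    category = CATEGORIES[domain]
    # A category missing from the baseline is denied rather than silently allowed.
    return BASELINE[user.location].get(category, "deny"), category
```

Because the exception names domains rather than the whole streaming category, the social media manager reaches YouTube and Vimeo over the VPN while Netflix stays blocked for them like everyone else.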

Design for a distributed VPN footprint

Conventional network design for VPN services involves backhauling authorized user traffic to a central location where the VPN gear is located.  The first issue is that too many legitimate users accessing the equipment looks no different than a malicious DDoS attack: too many requests and too little capacity can make the corporate VPN go belly up.  Racking and stacking new gear in the enterprise datacenter is impractical, because there is significant cost in trying to chase down the increased demand and no guarantee that addressing the access part of the equation necessarily solves the quality of experience for end users.

That leads into a related problem:  Since many business-critical applications no longer solely reside in the enterprise datacenter, traffic that manages to get to the VPN is then sent back out over the internet to access cloud services and applications hosted in third-party datacenters.  The latency that VPN usage introduces can make some of these applications nearly unusable.

The performance issues with “tromboning” traffic are bad enough even in ideal conditions that employees often find workarounds that make the VPN irrelevant.  To prevent intentional (malicious) or inadvertent (COVID-19) denial-of-service effects on the VPN infrastructure, enterprises need to consider a distributed network architecture.

What this means is that traffic from regional branches of the enterprise, or from partners and suppliers, should be aggregated into regional hubs located in carrier-neutral multi-tenant datacenters.  The hubs are connected together with SD-WAN networks, which has an added benefit:  The entire application and security stack can be deployed closer to end users to enhance performance while maintaining centralized management and monitoring capabilities.

Leverage an analytics platform to shape traffic and security policies

The traffic patterns created by new remote work practices will also require a different approach to monitoring.  Separate network traffic, security and application monitoring make it difficult to properly assess performance issues.  Enterprises need to look to use analytics platforms that can make metric-driven correlations between networks, applications and third-party elements such as firewalls.

Integrating these usually discrete systems will provide very valuable insights that can be used to shape future telecommute and security policies.
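A metric-driven correlation of the kind described above, as an added example that is not from the article or any vendor's platform: it lines up per-minute readings from a VPN concentrator, an application monitor and a firewall to see which one moves with user-facing latency. The sample readings are constructed, and the capacity figure and thresholds are assumptions.

```python
from math import sqrt

# Constructed per-minute samples from three normally separate tools (not real data):
# (minute, VPN sessions in use, application response ms, firewall denies)
SAMPLES = [
    (0, 400, 120, 3), (1, 520, 130, 2), (2, 700, 180, 4), (3, 880, 310, 3),
    (4, 960, 520, 5), (5, 990, 790, 4), (6, 985, 810, 2), (7, 760, 240, 3),
]
VPN_CAPACITY = 1000  # assumed concurrent-session limit of the concentrator

def pearson(xs, ys):
    """Pearson correlation coefficient; 0.0 when either series is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = sqrt(sum((x - mx) ** 2 for x in xs))
    sy = sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy) if sx and sy else 0.0

def correlate(samples):
    """Correlate application latency against each of the other two sources."""
    _, vpn, latency, denies = zip(*samples)
    return {
        "vpn_vs_latency": pearson(vpn, latency),
        "denies_vs_latency": pearson(denies, latency),
    }

def likely_cause(samples, threshold=0.7, saturation=0.9):
    """Name the source whose metric tracks latency; a lead to check, not proof."""
    r = correlate(samples)
    peak_utilisation = max(s[1] for s in samples) / VPN_CAPACITY
    if r["vpn_vs_latency"] >= threshold and peak_utilisation >= saturation:
        return "vpn_capacity"
    if r["denies_vs_latency"] >= threshold:
        return "firewall_policy"
    return "undetermined"
```

On the constructed samples, latency rises with VPN session count while firewall denies stay flat, so the result points at concentrator capacity rather than at security policy.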

For further detailed suggestions around employee education and training for work from home programs, go to the SANS organization for suggestions on best practices.

About the author:  Mark Casey, Apcela’s Founder and CEO, is a progressive leader intensely focused on leveraging emerging technologies and his deep knowledge of the global telecom and IT markets to deliver top results for clients, associates and stakeholders.  Mark’s experience and reputation are built on a successful track record of over 25 years in the communications industry delivering results for industry heavyweights including AT&T and Verizon.  Mark joined railroad operator CSX in 2001 to lead CSX Fiber Networks supporting large carriers with complex network optimization.  In 2005, Mark led the acquisition of FiberSource,® the core intellectual property among other assets of CSXFN, to form the nucleus of CFN Services. Now leading Apcela, widely recognized as one of the fastest growing technology firms in North America, Mark and his team specialize in developing high-performance solutions for globally distributed, real-time, mission-critical applications.  Under his leadership, Apcela pioneered the development of the Alpha Platform, an award-winning high-performance private cloud for global, low-latency electronic securities trading.  Mark holds a BBA from the University of Massachusetts at Amherst and an MBA from American University.

Edited by Erik Linask