Steve Garson

Author Archives: Steve Garson

IDG Contributor Network: China to block SD-WAN and VPN traffic by Jan. 11

A new Chinese policy going into effect next week will have a profound impact on businesses relying on Internet VPN or SD-WAN access within China.

According to a notice from China Telecom obtained by SD-WAN Experts, the Chinese Government will require commercial Chinese ISPs to block TCP ports 80, 8080, and 443 by January 11, 2018. Port 80 is of course the TCP port commonly used for carrying HTTP traffic; 8080 and 443 are used for carrying HTTPS traffic. Commercial ISP customers interested in maintaining access to those ports must register or apply to re-open the port through their local ISP.

The news, first reported by Bloomberg in July, was expected to be implemented by February 2018. This is the first time a specific date has been provided for the action.

IDG Contributor Network: Warning: security vulnerabilities found in SD-WAN appliances

In a rush to capitalize on the SD-WAN market opportunity, some SD-WAN vendors seem to be playing fast and loose with their appliances.

At a recent customer site of ours, Nirvik Nandy, CISO of SD-WAN Experts and CEO of Red Lantern, a security and compliance consultancy, and I collaborated on a security analysis of SD-WAN architectures. We conducted penetration testing of several SD-WAN solutions, looking at the appliances and cloud architectures. Details of how we tested and vendor results are necessarily confidential. However, I can share with you some of our overall findings about appliances – we’ll get to the cloud at a later date.

SD-WAN security: what it really means

First, some context: SD-WAN vendors speak about their architectures as being secure, and that’s true to an extent. All SD-WAN solutions secure traffic in transit. But there’s more to network security than protecting data against eavesdropping and wiretapping, which is why companies deploy next-generation firewalls (NGFW), intrusion prevention systems (IPS), and more. SD-WAN and security vendors have been addressing this need, integrating the functionality of one another into solutions that provide networking and security.

IDG Contributor Network: Why your company can be sued for using SD-WAN

When you buy your SD-WAN, or for that matter any WAN technology, you sort of assume that the vendor has the legal right to sell it to you.

But what happens if they don’t? What happens if you’ve built your WAN on an illegally acquired technology?

The question is not just theoretical. Last week, FatPipe sent me a press release pointing out how United States PTO Patent Court upheld a signature claim to its U.S. patent (number 6,775,235) for load balancing across disparate networks. Load balancing is a critical component of all SD-WAN products. As such, FatPipe could, in theory, claim licensing fees from SD-WAN players and their users.

IDG Contributor Network: VMware’s VeloCloud acquisition: an argument for SD-WAN services?

The recent news around VMware’s acquisition of SD-WAN provider VeloCloud is puzzling from a lot of angles but particularly in what it says about SD-WAN services.

Let’s make a deal

VeloCloud is a leader, and some would say the leader, in the SD-WAN market. The company has been in the space since its founding in 2012 and has raised $84 million in private funding, according to CrunchBase. It claims around 1,000 enterprise customers.

The VeloCloud acquisition will help VMware compete with Cisco, who acquired SD-WAN provider Viptela for $610 million in May. VeloCloud isn’t VMware’s first virtual networking acquisition. Back in 2012, the company acquired Nicira, which became the basis for its NSX network virtualization offering. Integrating the two technologies creates an interesting end-to-end solution. VeloCloud’s approach of coupling appliances with aspects of a cloud service will play well with VMware’s premise-oriented strategy.

IDG Contributor Network: The 4 SD-WAN architectures for network security

SD-WAN might have begun as a networking technology, but the SD-WAN’s future lies in security. Integrating branch security features into SD-WAN allows leaner, simpler remote office deployments. To those ends, security vendors have introduced SD-WAN capabilities — and SD-WAN vendors add security capabilities.

1. SD-WAN appliances with basic firewalling

Many SD-WAN vendors deliver basic firewalling capabilities in their SD-WAN appliances. These firewalls are roughly equivalent to the stateful firewalls you might see in a branch office router. Capabilities will include policy-based filtering and blocking applications based on port or IP addresses. Examples include Cisco (Viptela), Silver Peak and Velocloud.

IDG Contributor Network: How will you connect AWS, Azure, and Google Cloud to your SD-WAN?

I’ve been spending a lot of time the past few weeks reviewing SD-WAN vendor cloud offerings. Maybe it’s because of some of the announcements in the area. It triggered a bunch of questions from my customers. Maybe it’s because a lot of folks seem to be waking up to the importance of connecting their SD-WAN into the cloud.

Regardless, what’s become increasingly apparent to me are the vast differences between vendor implementations. At first glance, the cloud would seem to be just like any other site. Add an SD-WAN node as you would with any other location, let it connect into the SD-WAN, and voila! Job done. Oh, how I wish it was that simple.

SD-WAN cloud configurations are like that sweet, devilish 5-year-old who can terrorize your home while looking delightfully cherubic. Different tools are needed to manage cloud implementations than the cloud. Routing into the IaaS cloud is rarely simple. Properly configuring the cloud—setting up the VPCs, installing the SD-WAN nodes, provisioning the IPsec connectivity—all take time. It’s why SD-WAN vendors have made a point of introducing cloud-specific implementations.

IDG Contributor Network: Office 365: What’s your network deployment architecture?

I recently gave a webinar on how to best architect your network for Office 365. It comes on the heels of a number of complaints from customers around their struggles deploying responsive Office 365 implementations. SharePoint doesn’t quite work; Skype calls are unclear. And forget about OneDrive for Business. It’s incredibly slow.

Latency and Office 365

Ensuring a smooth transition to Office 365, or for that matter any cloud deployment, involves a solid understanding of which Office 365 applications are being deployed. Here latency matters. Microsoft recommends that round trip latency for Office 365 does not exceed 275 ms, but those metrics change significantly depending on the Office 365 application. Latency should not exceed 50ms with Exchange Online and 25ms with SharePoint. (Check out my “ultimate” list of Office 365 networking tools for help with your O365 deployment.)

IDG Contributor Network: When evaluating SD-WAN, look beyond the features table

Like many IT products, SD-WAN products can sound insanely alike. Sit through presentations and read through the literature and then ask yourself what’s the practical difference between each vendor’s implementation? It can be a difficult question to answer even for people in the business of answering those questions.

A common approach for an initial cut in an evaluation process is to reduce the product list by focusing on features. By creating a table of specific product specifications and assigning a weighted scoring, many of my customers have come up with a score and by extension a tool for eliminating some products from their selection process.

Such an approach, while valuable in some respects, is insufficient even for an initial cut. There are too many elements to a purchase that are not measured by a features table. Or, there might be important unfamiliar features that you forget to include in the table.

IDG Contributor Network: Can SD-WANs meet standards requirements?

Any innovative technology faces a battle of doubt. When Amazon first rolled out AWS, few could imagine servers running in the cloud. Before Salesforce, many thought CRM to be too critical to run as SaaS. I find SD-WANs to be facing a similar battle. It’s inconceivable to many that an SD-WAN could replace MPLS. This is particularly true for security teams.

At one recent client, a chemical company, the team was looking to transition from MPLS to SD-WAN. The security group, though, could not accept the fact that SD-WANs met the requirements stipulated by CFATS (Chemical Facility Anti-Terrorism Standards) guiding the chemical industry.

It was a classic example of professionals getting hooked into the implementation and failing to consider alternative approaches to addressing the same need. CFATS professionals assume MPLS and firewalls to be mandated by the standard. MPLS being the de facto transport. As for firewalls, “Organizations understand and feel safe with firewalls,” says Nirvik Nandy, my partner and the president and CEO of Red Lantern, a security and compliance consultancy.

IDG Contributor Network: When SD-WAN is more than SD-WAN

As the SD-WAN market has matured, one thing has become very clear: SD-WAN will not exist on its own. The technology is merging with other networking technologies, ultimately becoming a feature of a much larger bundle. While it may be too early to say what this “new thing” will be, the rough contours are emerging.

Predominantly, we’re seeing security and SD-WANs merge. Just consider some of the activity: Velocloud recently announced its SD-WAN Security Technology Partner Program to integrate with other security vendors’ products. Viptela (soon to be Cisco), Silver Peak, Velocloud and others have long (well, long in the SD-WAN sense) touted integration with security vendors using service chaining. Cato Networks built its own integrated security and networking stack in the cloud. Masergy bundles SD-WAN (Silver Peak and its own technology) with third-party security services in the cloud.

But what’s missing in many of these integrated offerings is the completeness of the edge solution. Companies need more than just an SD-WAN in branch offices. They need firewall, IPS, anti-malware, URL filtering and anti-virus for security. Internally, networking calls for Active Directory, DHCP, DNS, and print services. Externally, the edge may need WAN optimization, bandwidth management, QOS, traffic balancing,

IDG Contributor Network: SD-WANs lost my voice

If there’s one application that brings chills to the hearts of SD-WAN implementers, it’s providing a predictable real-time voice service. So let’s talk about how SD-WANs might help.

The problem with voice

We need to separate the theory of voice from the reality of voice. The theory goes something like this. The Internet is fine for email and web browsing. It’s even pretty good for personal voice. But if I want to deliver a voice service, day in, day out without a hiccup, then I run into a problem. Voice is a real-time protocol with strict tolerances around latency, loss and jitter. Exceed those tolerances and symptoms common to a poor voice service set in. Increased delays from traffic routing or lost packets disrupt voice calls. Outages and brownouts can cause calls to drop.