The new edge of the network: Preparing your network for the consumerization of IT

Geoff Mattie, Global Solutions Architect, Dell Inc.

Executive summary

How will the consumerization of IT affect my mobile network infrastructure?

How can I scale my infrastructure to meet the new demands of the new mobile enterprise?

What opportunities and issues does this open up for my wireless infrastructure?

As organizations plan to accommodate the increase in mobile devices driven by employee demand for access to critical data, there is a strong focus on mobile device management, mobile applications development, and device-level security. While these three areas are extremely important, another fundamental pillar of mobility should not be neglected: the wireless network.

Introduction

Traditional network management positions the wireless network as a simple extension of the hard-wired network. People who were allowed to log in and access resources through the LAN were simply given credentials for a specific SSID that extended that LAN functionality through wireless access points. But in many cases these wireless networks do not have the capability to identify which users are logged in, what they are doing, or which device they are doing it with. To date, in most cases, this has not been an issue, because corporate-approved devices were the only ones accessing secure networks.

But now, with the “consumerization of IT” underway, organizations are seeing increased employee demand as staff bring in numerous wireless devices in a variety of form factors. These mobile devices are no longer merely communication devices. They have become fully fledged computing devices for which organizations are finding new and innovative uses. Additionally, the devices are not all corporate-issued and managed, nor are they all capable of accessing a “hard-wired” network. This means IT must find new and better ways of categorizing these devices and allowing them to access resources securely.

With these new devices and security needs come new capabilities and expectations from the workforce: uninterrupted roaming, wireless video on demand, and VoIP, all of which add up to higher bandwidth needs.

How can organizations address this new environment?

Role-based management vs. traditional administration of the enterprise

In traditional network management, resources and users are commonly segmented using VLANs, which allow administrators to provide or block access to specific areas of the environment by simply opening or closing ports and assigning the appropriate IP and/or MAC addresses to users’ devices. For instance, let’s say you have an executive team, a corporate team, and a factory team, and you want to assign resources to these groups separately. In a traditional network, you would assign each group – and the resources you want them to access – a separate VLAN (“Exec VLAN”, “Corp VLAN”, and “Fact VLAN” for the purposes of this example).


Now you can address each group with specific functionality, capabilities, and resources. In our case, as outlined in Figure 1 below, you assign video and VoIP to the executive team, let the executive team and corporate team access the internet, and block internet access from the factory while still ensuring the factory can reach the inventory system.

Figure 1

Next, let’s assume that, like many organizations, you have added wireless and remote connectivity to give your users more flexibility in accessing resources from various locations throughout your campus (or remotely). Using the traditional management approach, you would assign each user the appropriate SSID for an access point. When a user connects to the SSID, he or she is cleared using the same credentials assigned on the hard-wired LAN, which places the user in the appropriate VLAN.

But what happens if that user tries to access the LAN with a non-traditional network device such as a personal smartphone or a tablet? These devices do not connect to traditional hard-wired networks like a laptop or PC, so they must come through your wireless access points. Or what about accessing the network from a different location, say one of your campuses in a different city, or from an internet connection at home or in a coffee shop?

The “edge” of your network is expanding, and your work force expects the same access to the resources no matter how they connect. No longer is the “corporate issued device or nothing” approach considered legitimate.

The question is how can you accommodate this in a way that is scalable and manageable, while still providing the security your business requires?

The answer is “role based access control” with a network that is application, device, and user aware, in addition to being traffic aware. Rather than making these elements available based on the VLAN a user is attached to, you assign them to the user or device itself, allowing that entity to have the same experience from wherever they log in by directing them through a network controller.


Figure 2

As you can see from Figure 2, role-based management opens up the ability to become very “micro” in how you assign network access and resources. Using a central controller with role-based management, you can sync with your LDAP directory, allowing you to manage all resources from one interface. This ensures the user receives the same access and rights no matter what location they are connecting from.

As you begin to identify traffic and applications on your network, you will soon be able to dynamically control quality of service (QoS) levels as appropriate for each, whether it is tied to the application, the device, the user, or all of the above.

This method of network management also adds an additional layer of security to your environment. By assigning resources, service levels, and access to specific devices and users, you add one more filter that a connection must pass before gaining access. In other words, someone who is trying to spoof your network into thinking they have already been validated, using a false IP address or MAC address, will still be denied access to resources unless they also have the proper user credentials.
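As an added illustration (not code from the paper or from Dell), the following Python sketch contrasts the two models described above: in the VLAN model of Figure 1 a device's address alone decides access, whereas in the role-based model of Figure 2 a client without valid credentials gets nothing even with a borrowed address, and a device-aware rule can further restrict resources. All groups, addresses, users and secrets are constructed for the example.

```python
from typing import Optional

# Added example, not from the paper: contrasts Figure 1's VLAN-based access
# with Figure 2's role-based access. Every table and secret below is constructed.
# Resources per group as the paper assigns them in Figure 1.
RESOURCES = {
    "Exec": {"video", "voip", "internet"},
    "Corp": {"internet"},
    "Fact": {"inventory"},          # factory: no internet, inventory only
}
# Traditional model: access follows the VLAN the device address lands on.
VLAN_OF_MAC = {"aa:bb:cc:00:00:01": "Exec", "aa:bb:cc:00:00:02": "Fact"}
# Role-based model: a role is resolved from the directory (stand-in for the
# paper's LDAP sync) only for an authenticated user.
ROLE_OF_USER = {"alice": "Exec", "bob": "Fact"}
CREDENTIALS = {("alice", "tok-alice"), ("bob", "tok-bob")}   # constructed secrets

def vlan_allows(mac: str, resource: str) -> bool:
    """Traditional check: whoever presents a known MAC inherits its VLAN."""
    vlan = VLAN_OF_MAC.get(mac)
    return vlan is not None and resource in RESOURCES[vlan]

def authenticate(user: str, secret: str) -> Optional[str]:
    """Return the verified identity or None; the source address plays no part."""
    return user if (user, secret) in CREDENTIALS else None

def role_allows(user: Optional[str], device_managed: bool, resource: str) -> bool:
    """Role-based check: identity first, then a device-aware rule on top."""
    if user is None:                  # no valid credentials: a borrowed MAC/IP gets nothing
        return False
    role = ROLE_OF_USER.get(user)
    if role is None or resource not in RESOURCES[role]:
        return False
    if resource in ("video", "voip") and not device_managed:
        return False                  # real-time media is limited to managed devices here
    return True

def compare_models() -> dict:
    """What each model grants to a client presenting the Exec MAC without valid credentials, plus legitimate requests."""
    exec_mac = "aa:bb:cc:00:00:01"
    return {
        "vlan_voip_no_creds": vlan_allows(exec_mac, "voip"),                            # True
        "role_voip_no_creds": role_allows(authenticate("alice", "bad"), True, "voip"),  # False
        "alice_managed_voip": role_allows(authenticate("alice", "tok-alice"), True, "voip"),   # True
        "alice_byod_voip": role_allows(authenticate("alice", "tok-alice"), False, "voip"),     # False
        "bob_internet": role_allows(authenticate("bob", "tok-bob"), True, "internet"),         # False
    }
```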

Stateful Roaming and Redundancy

As well as a more flexible and wider range of security options, what can the new edge of the network offer us?

In addition to ever increasing speeds, which are allowing the transfer of higher-bandwidth data such as video and voice over the air, Wi-Fi® networks have introduced functionality to provide a more solid and consistent connection.

Historically, users on Wi-Fi networks have experienced inconsistent performance as they move from one end of a campus to another, from one floor to the next, or between two access points (APs) that may be located on separate VLANs. This is because as you move from one AP to another, your device needs to rejoin the network by negotiating with the next closest AP, briefly losing your connection in the process.

This means that any applications used on the edge of the network requiring a constant connection, such as voice or video conferencing, would terminate and have to be restarted.

The ability now exists to provide “stateful roaming”. APs are either “fat” (also referred to as “smart” or “intelligent”), in which case they maintain user state information and share it with each other, or “thin”, in which case all data is merely passed through. In either case, a central controller in the data center maintains user state information and prevents a gap in connectivity. It is still debatable which of these approaches is best.


In addition to Stateful Roaming, “Spectrum Load Balancing” ensures that your devices are connected to the strongest signal available by defining zones within your wireless network in which only specific proximal APs will connect.

This allows critical applications to operate on your wireless network without fear of interruption, and introduces a huge cost-saving opportunity by employing a feature called “Fixed Mobile Convergence” in your organization.

Fixed Mobile Convergence

Imagine a workforce that spends portions of each day between the company’s campus and being out on the road, visiting clients, or attending off-site meetings (perhaps insurance agents who frequently need to leave the office to visit accident sites). For these types of employees, the invention of smart phones and the ability to have data and voice wherever they go is becoming a critical part of their job. The organizations that employ these workforces understand this and have invested in the often high costs of providing that access. But what if there were a way to reduce these costs, especially while employees are sitting at their desks on campus or even in their home office?

Now that virtually all smartphones (and even some that aren’t so smart) are able to connect via mobile carrier or wireless network signals, IT departments have begun to look into the possibility of saving data and voice costs by routing these activities through their wireless networks whenever possible. The trend is called Fixed Mobile Convergence, and it is a reality today.

In most cases, what is required is a combination of a voice router in the data center, with a client on the smartphone itself. With this combination, for some clients, dynamic handoffs between carriers and Wi-Fi networks are available to users as they come into range of either, without interrupting their call activities, and potentially saving significant costs in carrier fees through “least cost routing”. In other cases, the handoff will involve minimal user interaction to park the call then pick back up again.

This has the added benefit of ensuring a consistent, strong signal for employees in campus areas where mobile cellular signals may be weak, for instance a doctor who must consult a colleague while walking into an interior hospital room.

The reverse scenario is also possible: by defining parts of your campus that traditionally have poor wireless connectivity (such as a warehouse), you can instruct the router to hand your users back to the mobile cellular network. The possibilities here are endless, and we are only at the beginning of the journey.

Conclusion

The consumerization of IT and the variety and complexity of mobile devices is a well-known phenomenon by now. IT departments and executives are quickly becoming aware of the opportunities that the new trends offer in workforce efficiency and potential cost savings.

However, many organizations overlook the challenges to their wireless networks. No longer is the wireless network simply an extension of the hard wired network. This is the new “edge” of the network, and it is critical that it is included as a fundamental part of your Mobility strategy and roadmap planning.

Bio

Geoff Mattie is a Global Solutions Architect at Dell, working with customers at the strategy, planning, and enterprise architecture levels related to mobility. Geoff has over 25 years’ experience providing innovative technology solutions, operations support, and consulting for clients ranging from small and medium businesses to Fortune 100 companies. In addition to consulting, he has served as a Global Operations Manager for Y&R Brands and Director of Digital Production for T3.


Dell and its affiliates cannot be responsible for errors or omissions in typography or photography. Microsoft, Windows, and the Windows logo are trademarks, or registered trademarks of Microsoft Corporation in the United States and/or other countries. Dell and the Dell logo are trademarks of Dell Inc. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Dell disclaims proprietary interest in the marks and names of others. © 2011 Dell Inc. All rights reserved.

August 2011 | TheNewEdgeofNetwork_WP.indd | Rev. 1.0 20110819BROB