LinkProof Branch
Guaranteed Connectivity
for Remote and Branch Offices
1. Introduction
In recent years, the Internet has become widely adopted by businesses of all sizes and in all industries as a crucial communication tool. The wide variety of network-based applications that organizations depend upon to execute day-to-day business activities now includes applications ranging from supply chain management through sales portals, data management, software development tools, and resource management. The growing number of network-based applications requires intra-enterprise communications to be highly efficient and highly available.
Continuous and high-quality Internet connectivity is especially important for remote branch offices of large enterprises. As numerous mission-critical network applications are located at company headquarters, for these offices to maintain basic business operations, they require a continuously available network link to their central office.
While the availability of network connectivity between the remote and central offices is critical, large enterprises must also deal with the growing need for additional bandwidth between offices. Infonetics Research claims that the WAN and Internet Access market is poised to grow by 24% between 2003 and 2007, with the migration to new technologies and faster connections fueling this growth. [1] Infonetics notes the following three trends in this market:
1. Two key factors prompting respondents to increase their WAN bandwidth are increased WAN use by existing users and sites, and the addition of bandwidth-hungry applications like multimedia applications and ERP.
2. The WAN world has changed from one dominated by frame relay and TDM leased lines to a world that uses a mix of frame relay, TDM, optical/Ethernet, and broadband technologies (DSL, cable, and fixed wireless)
3. Spending for leased line and frame relay accounts for 94%, on average, of all Internet service expenditures, with DSL coming in second at 5% and broadband cable third at 1%
Infonetics also lists the following five reasons businesses are increasing WAN bandwidth, according to the size of the organization [2]:
Figure 1: Reasons Organizations are Increasing WAN Bandwidth
1 “User Plans for WAN and Internet Access, North America 2003,” Infonetics Research, April 2003 http://www.infonetics.com/resources/purple.shtml?nr.wanus03up.042303.shtml
2 Infonetics Research, April 2003. Based on 240 respondents.
Above all, in today’s economic environment, businesses must find ways to reduce their operational costs. For enterprises with numerous branch offices, connectivity costs represent a significant portion of their overall operational costs. Even a small reduction in connectivity costs at each branch is multiplied at the enterprise level.
The result is that enterprises are required to meet seemingly opposite demands: on the one hand, the need to reduce their connectivity costs, and on the other, the need for high availability and growing bandwidth in intra-enterprise connectivity.
Broadband services, such as DSL, can benefit these businesses as they have become increasingly available with decreasing costs, making them a cost-effective connectivity option. Yet, while broadband is cheaper than Dedicated Internet Services, such as T1, T3 or E1, it is not as reliable and service levels are not guaranteed. To avoid downtime and meet their connectivity needs, these businesses would like to subscribe to more than one line, be it two T1 or E1 connections, a fractional T3, xDSL or any combination of the above.
Until now, only company headquarters and larger regional offices have had a solution to address the challenge of high availability with cost-efficient connectivity. By using LinkProof to manage the operation of all Internet links across their multi-homed network, larger offices are guaranteed uninterrupted online services and optimized content delivery. While this solved the problem at corporate headquarters, branch offices do not need, nor does the cost justify, such a robust and large-scale solution, and, up until now, have not had an answer to the challenges presented above.
Radware’s new LinkProof Branch is targeted at Remote Offices and Branch Offices (ROBO) of large enterprises, which require uninterrupted network connectivity to their headquarters. LinkProof Branch is a desktop box, with an integrated switch, that enables businesses to simultaneously manage multiple independent links, both Internet and private. By connecting LinkProof Branch on the edge of their local network and connecting multiple links, branch offices achieve 24/7 Internet connectivity with automatic failover between the links.
Figure 2: LinkProof Branch
LinkProof Branch allows branch offices, for the first time, to:
• Maintain a continuous network link to their central office, providing constant access to mission critical applications
• Utilize the fastest link to the central office, providing the best possible performance for each session
• Control and reduce their connectivity costs by using all connections to satisfy their bandwidth and backup requirements, purchasing more bandwidth at a lower cost
• Cut connectivity costs using low-cost high-bandwidth broadband connectivity in conjunction with or instead of current services
• Monitor and control traffic on each connection
• Manage bandwidth allocation for all available capacity, guaranteeing service levels to all mission critical applications
• Load balance VPN sessions over multiple Internet links for increased redundancy of VPN operations
• Prevent the violation of mission critical applications and databases by monitoring and scanning all enterprise traffic, while identifying and intercepting suspect traffic
• Reduce the number of network elements by utilizing an integrated 8 FE port, wire-speed switch
2. The Challenge: an end-to-end connectivity solution
2.1. Cutting Connectivity Costs
While enterprises are continuously deploying new network-based applications to efficiently run their business, it is these same applications that require an increasing amount of intra-enterprise bandwidth. The enterprise as a whole is challenged to find cost-efficient solutions to upgrade connectivity bandwidth between the various branches and company headquarters.
Additionally, in today’s economic climate, enterprises are increasingly worried about cutting operational costs. This drives businesses to efficiently utilize existing bandwidth while planning WAN bandwidth increases in a cost-effective manner.
As mentioned above, the decreasing price of broadband connectivity such as DSL is also driving more businesses to adopt these services as they are usually less costly than Dedicated Internet services such as T1, T3, and E1 connections. Businesses are also constrained by the minimal throughput demands that a Dedicated Internet service requires. To cut costs, businesses want to pay for the bandwidth they require, not by levels determined by their ISP.
2.2. The Cost of Downtime
Many ROBOs rely on a single connection as their main access to the Internet and to their headquarters, which presents a single point of failure for their network. During each period of their ISP’s downtime, their network is down as well, as they have no other connectivity options. Additionally, an ISP’s periods of downtime can be lengthy. For example, even with 99.0% uptime, service providers are still “allowed” almost 90 hours of downtime annually! Additionally, if an ISP goes out of business, it is their single-link customers who are left without any network connectivity and need to scramble to find an alternative.
Network downtime and service degradation can mean financial losses, even for small branch offices. The Gartner Group calculates the cost of downtime as simply the sum of the labor cost of employees idled by the downtime plus the cost to the business due to the business-critical application not being available. [5] Gartner’s analysts estimate that network downtime can cost anywhere from $1,000 to $100,000 per hour. [6]
The major cost incurred by a branch office during downtime is that of lost productivity. Each hour of downtime reduces the productivity of employees who require the Internet or the network connection to headquarters. Infonetics Research has found that on average, 28% of all employees are adversely affected by downtime and suffer an 80% productivity loss. [7] This loss is especially crucial for branch offices where close to 100% of employees rely on a constant connection to headquarters for all their tasks.
5 http://www.suttondesigns.com/glossary/downtime.shtml
6 http://www.inciscent.com/news/01072002.html
7 “WAN Downtime and SLAs,” Infonetics Research, Dec 1998
The example below demonstrates the potential total downtime cost for an enterprise with 15 small branch offices:
Figure 3: Cost of downtime due to lost productivity
2.3. The Need for a Backup
The majority of networked businesses are aware of the downtime risk associated with a single link. As a solution, a few of these offices have adopted the “hot standby” model to avoid lengthy downtime: when their main link fails, they manually switch to the backup.
This approach has four major disadvantages: First, the standby is standing idle for at least 99.0% of the time, causing offices to pay dearly for a service they barely use. Second, as the backup is idle for such long periods, and offices usually do not check its operability on a regular basis, when the time comes for it to be used, it is occasionally found to be inoperative.
Third, due to the high costs of maintaining an idle backup, most offices decide on a bandwidth volume that is significantly smaller than their main connection, so that when they do activate it, their traffic volume is severely limited. In that case, they usually do not have a tool for prioritizing bandwidth usage, denying access to mission-critical applications.
Finally, the manual switch from a failed link to the standby is time consuming as well, which causes additional periods of costly network downtime. The manual switchover also requires an on-site administrator, which may be problematic during nights, weekends, and holidays.
For example, an office that uses a T1, at 1.5 Mbps, pays $1,250 [8] monthly for the service. To back up the T1, the office would spend $15,000 annually for a service that is idle 99% of the time. This is why many offices choose a link with a significantly lower capacity than their main link as their backup.
8 AT&T monthly cost of a T1 for Small Businesses, including local access as quoted March 12, 2003.
2.4. Current Multi-homing Solutions
Multi-homing, connectivity to the Internet through multiple ISP links, is rarely an option for ROBOs. Current multi-homing solutions are overkill for small offices: the high cost, the complex management requirements, and required ISP cooperation serve to deter most offices from deploying a multi-homing solution.
Company headquarters, and larger regional offices, already have several multi-homing solutions, depending on the capacity and the performance that they need. By using Radware’s full-featured LinkProof, on the various Application Switch platforms, to manage the operation of all Internet links across their multi-homed network, larger offices are guaranteed uninterrupted online services and optimized content delivery.
However, their small and medium sized branch offices cannot afford, and do not need, such a robust and large-scale solution. Yet, they do require the continuous connectivity that multi-homing can provide to maintain their link to the central office and the ability to guarantee bandwidth to their mission-critical applications.
2.5. An Enterprise-wide Solution
An additional challenge is deploying and managing multi-homing solutions on an enterprise-wide level. As stated above, solutions for smaller branch offices were not previously available, and solutions for the larger offices were managed independently at each site.
Enterprises who deploy multi-homing solutions at each branch office are challenged with the task of managing these devices. With numerous smaller branches, each with limited individual IT resources, the large enterprise is usually required to coordinate all connectivity-related issues from the central office.
3. The Solution: LinkProof Branch
LinkProof Branch manages the operation of multiple links for ROBOs, guaranteeing uninterrupted connectivity to company headquarters and to Internet services and optimized content delivery for reliable, high performance and cost effective connectivity. LinkProof Branch is part of Radware’s extensive LinkProof family, a field-proven solution, with over two years of experience and over 2,700 LinkProofs installed world-wide.
3.1. Controlling and Reducing Connectivity Costs
LinkProof allows large, multi-branched enterprises to fully control and reduce their connectivity costs at both headquarter and branch level. By enabling flexible and simultaneous connectivity options, offices can combine many types of links from different service providers, as well as a private link.
• Using multiple broadband connections: Branch offices can use two more economical broadband connections as opposed to one Dedicated Internet connection such as a T1. For example, instead of paying $1,250 [9] monthly for a 1.5 Mbps T1 connection, companies can opt for two 768 kbps DSL connections. With each connection priced at only $270 [10] per month, the monthly payment drops to $540, a savings of $710, or over $8,500 annually per branch. In addition, each branch office benefits from link redundancy to avoid network downtime.
• Solving the backup challenge: Each branch office can avoid the costs and unused bandwidth of the “hot standby model” by concurrently using all available bandwidth. As mentioned above, this can be a savings of $15,000 annually per branch office. By using LinkProof Branch to manage all links, branch offices can also utilize their private link to headquarters in parallel to their public Internet links, achieving increased bandwidth availability at existing costs.
• Incremental bandwidth scalability: By allowing two independent links, branch offices currently using a single link can opt to upgrade their overall capacity at the increments that they choose.
Instead of doubling capacity with an expensive Dedicated Internet Service upgrade, which is their only current option, offices can add a lower-throughput DSL line as a second connection, at much lower rates. For example, a full T1 at 1.5 Mbps costs $1,250 monthly. To increase capacity beyond 1.5 Mbps, the connection must be upgraded to 3 Mbps, at a monthly cost ranging from $2,480 [13] (for NxT1 services) to $3,000 [14] (for a fractional T3). With LinkProof Branch, branch offices can increase the capacity via an additional DSL connection at a fraction of the cost: a 384 Kbps connection costs only $200 [15] monthly. In this scenario, the office still pays $1,250 for the T1 and $200 for the additional capacity for a total of $1,450. When compared to the Dedicated Internet service (fractional T3), the monthly savings are $1,550, or over $18,000 annually. This is a significant savings achieved simply by allowing the office to purchase only the capacity it needs.
Businesses can also choose to upgrade their bandwidth capacity with another T1 or fractional T1 service, as opposed to upgrading to a single 3Mbps connection. For example, a fractional T1 service, providing 256Kbps, costs $870 per month. This is still a savings over the price of a 3Mbps connection.
By using LinkProof Branch to upgrade their connectivity, enterprises not only benefit from downtime avoidance because they are using multiple Internet links, they are also cutting connectivity costs by purchasing only the capacity they need.
• Managing Bandwidth: As mentioned above, LinkProof Branch allows a ROBO to manage a multi-homed network. Multi-homing does not have to mean mindlessly adding bandwidth in order to guarantee access; rather, it means using existing bandwidth optimally, while adding bandwidth as necessary in a cost-effective manner.
9 AT&T monthly cost of a T1 for Small Businesses, including local access as quoted March 12, 2003.
10 AT&T monthly cost of a DSL Service for Small Businesses, as quoted March 12, 2003.
13 AT&T monthly cost of a NxT1 for Small Businesses, including local access as quoted March 12, 2003.
14 Fractional T3 service is not offered by AT&T. Price quoted is from http://www.broadbandbuyer.com/chartbusiness.htm
15 AT&T monthly cost of a DSL Service for Small Businesses, as quoted March 12, 2003.
Bandwidth Management can limit bandwidth allocation to non-critical applications. By limiting allocation to applications such as MP3 downloads and Real Audio/Video, enterprises can free around 30% of their existing bandwidth. Bandwidth Management, coupled with a maximal capacity for each link, can be used to avoid bursting by allowing non-critical applications to consume bandwidth only when such bandwidth is available, further reducing connectivity costs.
Coupling a transparent and seamless integration with existing networks, with an enterprise-wide management tool, LinkProof Branch delivers a previously unavailable multi-homing solution for enterprises at the branch level, with resilient and price controlled Internet links, keeping the entire business fully connected 24/7.
3.2. Avoiding Downtime & Service Degradation
LinkProof Branch protects businesses from the cost of downtime and service degradation by preventing them. By automatically routing network communication over available links only, LinkProof Branch provides fault tolerant connectivity and continuous availability of online services, providing high-availability of network connectivity to all branch offices.
• Preventing Downtime: When ROBOs deploy an additional private link for intra-enterprise communications, LinkProof Branch can load balance traffic between all links. Traffic management decisions can be based on source and destination addresses, or by protocols and applications. For example, LinkProof Branch can route all traffic destined towards headquarters over the private link when it is active, or route it over the public links when it is not.
• Avoiding Service Degradation: By intelligently routing traffic across Internet and private links, LinkProof Branch provides effective link utilization and accelerated service responsiveness, thus providing optimized performance between the branch offices and company headquarters. Offices benefit by increased employee productivity through continuous high-performing WAN connectivity.
• Intrusion Prevention: It is probably no surprise “that malicious code attacks (i.e. viruses, worms, etc.) have proven year in and year out to be the most common incidents reported in the Computer Crime and Security survey.” [16] In the past few years, each year has had a significant attack, one that has attacked a large number of organizations worldwide: Melissa and Explorer in 1999, “I Love You” in 2000, and Code Red and Nimda in 2001. In fact, between July and December 2001, Nimda and Code Red accounted for 63% of all attacks.
According to the survey, as a result of attacks in 2000, companies reported an average loss of $245,845 per organization. As a result of attacks in 2001, the average loss reported increased to $283,000 per organization. It is estimated that these costs will continue to increase.
LinkProof Branch running Application Security protects each branch office against common attacks. As such, it can become a crucial component of an enterprise-wide security solution.
3.3. The ROBO Solution
As in the example shown below, adding LinkProof Branch on the edge of the local network enables the connection of independent ISP links as well as a private link. The installation is transparent and does not require the cooperation of either service provider. LinkProof Branch manages and optimizes all the links.
Figure 4: Multi-homing with LinkProof Branch
From the large enterprise perspective, LinkProof Branch provides a compelling multi-homing solution for smaller branch offices, which require continuous connectivity, but at lower capacity links.
16 CSI/FBI Computer Crime and Security Survey, April 2002, http://www.gocsi.com/press/20020407.html
The enterprise can provide multi-homing capabilities to each office, according to connectivity and performance needs. For example, in the example below, the central headquarters uses an Application Switch II based LinkProof for high performance. Their large regional office uses an Application Switch I, while all the smaller branch offices use a LinkProof Branch.
Figure 5: Multi-homing solution for branched enterprises
LinkProof Branch provides a compelling value proposition at a very attractive price. LinkProof Branch’s feature set, detailed in section 4, will allow ROBOs to control and optimize their Internet connectivity for the first time.
4. LinkProof Branch Feature Set
4.1. Automatic Failure Protection
In order to provide continuous online service availability, LinkProof Branch constantly monitors all routers, from the branch office through the service provider’s locale to company headquarters, to detect any failures. If a failure is detected, LinkProof Branch automatically routes traffic through all other available links, providing uninterrupted connectivity.
By using LinkProof Branch, businesses avoid downtime and all the costs associated with it due to lost revenue and productivity.
Additionally, LinkProof Branch constantly monitors the quality of each link. If a service provider suffers from a degradation of service, causing significant slow down of traffic, LinkProof Branch will route traffic through the other links, ensuring the best possible performance for each session. By avoiding sub-performing links, LinkProof Branch guarantees the best possible performance in every situation.
4.2. Cost-efficient Bandwidth Scaling and Usage
Offices that rely on a single link must upgrade their link to a more expensive, higher throughput link each time their capacity demands increase. As most service providers charge more for a single, high-throughput connection than the equivalent bandwidth from two lower-capacity lines, the cost savings can be significant. See section 3.2 for additional detail and the exact cost calculation.
With LinkProof Branch, small offices can increase their capacity at the bandwidth multiples that they need, either with multiple, inexpensive broadband services such as DSL, or with Dedicated Internet Services such as fractional T1 lines. ROBOs benefit by gaining additional bandwidth at no additional, or even reduced, cost.
4.3. Accelerated Performance for the Best User Experience
To optimize bi-directional performance for each session, LinkProof Branch utilizes Radware’s unique proximity and content routing algorithms to select the fastest performing link for a specific destination. Based on user-defined balance between the number of hops to the destination and the measured latency to it, LinkProof Branch ensures the fastest Internet service response time for each session.
Businesses benefit by improving performance and optimizing bandwidth usage on their existing lines, without paying more for additional capacity. Additionally, employee productivity is increased as their access to centralized network resources is optimized.
4.4. Optimized Link Utilization
LinkProof Branch considers a wide variety of link-related parameters when making a load balancing decision between all available ISP connections, for both incoming and outgoing traffic. Users can also select the weights to allocate to each factor in the decision.
• Traffic Load: The load on each link can be considered so that the traffic volume is balanced through all ISP connections.
• Service Cost: Multiple cost levels and combinations can be set for each link, including support for all of the following models:
‐ Fixed capacity for a fixed price. In this model the service provider provides a given capacity without allowing any bursting or overflows.
‐ Pay-per-use. In this model the enterprise pays for the actual usage of bandwidth, rather than any predetermined capacity.
‐ A combined model. In this model, the enterprise pays a fixed price for the given capacity, but also pays on a pay-per-use basis for all usage above this capacity.
‐ A multi-level model. In this model, the service provider sets prices for several capacity levels.
• Proximity Checks: The response time of a specific destination, in terms of latency and hops. Each method can be weighted separately, allowing the user to configure the proximity algorithm to best fit his requirements.
• Dispatch Method: In addition to the three parameters above, LinkProof Branch uses a dispatch method to ensure that traffic is not always routed through the same link. LinkProof Branch can dispatch traffic according to a cyclic routine, or by the least number of users or bytes.
The wide variety of traffic management parameters enables businesses to control their traffic flow for optimal connectivity performance at a lower cost.
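The weighted decision described in this section, together with the failure protection of section 4.1, can be sketched as follows. This is an added example, not Radware's algorithm or code: the `Link` fields, the min-max normalization, the weight names and the sample figures are all assumptions made for illustration, and the multi-level cost model is not covered.

```python
from dataclasses import dataclass


@dataclass
class Link:
    name: str
    capacity_kbps: int       # hard ceiling; a session that would exceed it is refused
    load_kbps: int           # currently measured traffic on the link
    latency_ms: float        # measured latency to the destination
    hops: int                # hop count to the destination
    fixed_kbps: int          # bandwidth covered by the fixed monthly fee
    overage_per_kbps: float  # pay-per-use price above fixed_kbps (0.0 = none)
    healthy: bool = True     # outcome of the most recent health check


def marginal_cost(link, demand_kbps):
    """Extra charge for carrying demand_kbps more traffic on this link.

    fixed_kbps == capacity_kbps -> fixed capacity for a fixed price
    fixed_kbps == 0             -> pay-per-use
    anything in between         -> combined model
    """
    billable = max(0, link.load_kbps + demand_kbps - link.fixed_kbps)
    return billable * link.overage_per_kbps


def normalize(values):
    """Scale to 0..1 (0 = best) so factors with different units can be mixed."""
    lo, hi = min(values), max(values)
    return [0.0 if hi == lo else (v - lo) / (hi - lo) for v in values]


def select_link(links, demand_kbps, weights, dispatch_counter=0):
    """Return the link for a new session, or None if no link can carry it."""
    # Failure protection: failed or full links never enter the comparison.
    usable = [l for l in links
              if l.healthy and l.load_kbps + demand_kbps <= l.capacity_kbps]
    if not usable:
        return None
    factors = {
        "load": normalize([(l.load_kbps + demand_kbps) / l.capacity_kbps
                           for l in usable]),
        "cost": normalize([marginal_cost(l, demand_kbps) for l in usable]),
        "latency": normalize([l.latency_ms for l in usable]),
        "hops": normalize([l.hops for l in usable]),
    }
    scores = [sum(weights[k] * factors[k][i] for k in factors)
              for i in range(len(usable))]
    best = min(scores)
    # Dispatch method: cycle through equally good links instead of
    # always returning the first one.
    tied = [l for l, s in zip(usable, scores) if abs(s - best) < 1e-9]
    return tied[dispatch_counter % len(tied)]


def sample_links():
    """Constructed sample data: a T1, a DSL line and a private link to HQ."""
    return [
        Link("t1", 1536, 900, 20.0, 6, fixed_kbps=1536, overage_per_kbps=0.0),
        Link("dsl", 768, 100, 35.0, 9, fixed_kbps=384, overage_per_kbps=0.05),
        Link("private", 512, 50, 12.0, 2, fixed_kbps=512, overage_per_kbps=0.0),
    ]


# Hypothetical weight profiles; each set sums to 1.
EQUAL = {"load": 0.25, "cost": 0.25, "latency": 0.25, "hops": 0.25}
LOAD_FIRST = {"load": 0.7, "cost": 0.1, "latency": 0.1, "hops": 0.1}

if __name__ == "__main__":
    links = sample_links()
    print(select_link(links, 100, EQUAL).name)       # all links up
    links[2].healthy = False                         # private link fails
    print(select_link(links, 100, EQUAL).name)       # failover, same weights
    print(select_link(links, 100, LOAD_FIRST).name)  # failover, load-weighted
```

Because each factor is normalized only across the links that are currently usable, a failed link changes the relative scores of the survivors as well as removing itself from the choice.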
4.5. Compatible with Existing Network Structure
LinkProof Branch provides transparent multi-homing management by complete address scheme handling, using Network Address Translation (NAT) and automatic traffic routing. This allows for seamless management of services across two service providers via any access technology. The transparency and seamless management enable LinkProof Branch users to control their connectivity options without ISP cooperation.
4.6. Multi-site Multi-link Load Balancing for VPN Sessions
In typical VPN installations, a number of remote clients access the VPN Gateways at a central VPN site at corporate headquarters. Branch offices install a VPN Gateway to securely access network resources at the central site.
When the central site or branch offices have implemented multi-homing, the VPN sessions must be load-balanced between the links at all sites. In Radware’s multi-homing enterprise solution (as shown in section 3.3 above) when company headquarters deploy a high-performing LinkProof and the branch offices use a LinkProof Branch, all sites can load-balance all incoming and outgoing VPN traffic.
Enterprises benefit from accelerated VPN performance, as the best performing and least loaded link is selected per VPN session, and from VPN resilience, as failover between links occurs automatically when a connection fails.
4.7. Built-in Layer 2 Switch
The LinkProof Branch box incorporates an integrated eight-port Fast Ethernet wire speed Layer 2 switch for fast and efficient connectivity for the small or remote office.
4.8. Device Redundancy
For businesses concerned about LinkProof Branch being a single point of failure in their network, LinkProof Branch provides redundancy capabilities. These enable an additional LinkProof Branch to function as its backup, seamlessly taking over all connectivity actions if the main device fails.
4.9. Controlled Access
LinkProof Branch allows users to define access permissions and authorized control ports to ensure that only legitimate users can access the functional level in the device that they are authorized to interact with.
4.10. Enterprise-wide Management Tool
Using Configware Insite to manage all the LinkProof devices at each site, enterprises can achieve both performance control and visibility.
Configware Insite is the industry's first site wide software management tool that enables unified administration, visibility and control of IP application performance across the enterprise. Based on an easy to use site map interface, Configware Insite enables enterprises to draw their entire network, including the various LinkProof devices with their respective routers.
Configware Insite’s statistics module provides real-time and historical views of actual application performance levels for monitoring site wide operations and simple pinpointing of vulnerabilities and failures, affording complete visibility and control over the performance of all Internet Links.
Figure 6: Enterprise-wide management with Configware Insite
Bandwidth Management
The ability to differentiate levels of service and to control an organization’s bandwidth usage is key to providing consistent, high quality service. SynApps Bandwidth Management allows companies to define and enforce their own bandwidth management policies based on any combination of users, servers, applications and content. For example, SynApps enables a company to guarantee that mission-critical applications receive higher priority than non-critical traffic.
Bandwidth Management also enables the definition of different service levels and provision of content to different types of users. This assures that each class of user or application gets the best level of service according to company policy.
LinkProof Branch with Bandwidth Management provides ROBOs additional control over their bandwidth usage. Connectivity costs can be reduced with the limiting of traffic to critical applications only, thus avoiding costly upgrades or bandwidth bursting.
Intrusion Prevention
Application security provides a line of defense for critical network resources that complements and expands those typically deployed in network designs. SynApps automatically detects and protects networks and applications from common attack signatures such as Buffer Overflow (BOF), exploits and vulnerabilities, mis-configuration, default installation, back door/Trojans and port scanning.
The application security module monitors both network and application traffic in order to detect and prevent attacks in real-time by terminating the suspicious sessions as they enter the network.
Placed on the network’s edge, closest to external links, LinkProof Branch is in a unique position to provide intrusion prevention at the entrance to the network. With LinkProofs deployed at all branches and offices, Application Security provides an enterprise-wide security solution.
Qualifying Questions
Leading your customers to LinkProof Branch:
• Are your branch offices currently working with only one ISP? Are you worried about the ISP’s potential downtime causing your branch personnel to sit idle?
• Are you aware that most ISPs usually commit to 99.0% uptime a year? This means that your office could be subject to over 43 hours of downtime annually.
• Do you have a backup connection? Is it at the same volume as your main line? Does it stand idle when the main line is active?
• Do you have a private link between your branch offices and your headquarters? Does it stand idle most of the time? Is it utilized concurrently with your public Internet links?
• What is the bandwidth of your existing link(s)? What is your bandwidth growth plan?
• Are you evaluating options to increase your bandwidth now? Did you evaluate broadband technologies in parallel to your existing link? If you chose to work with broadband, how will you use it with your existing link? If you didn’t, by enabling both connections at once, LinkProof Branch offers guaranteed availability, better performance, at a lower cost for connectivity.
• Would you like to ensure all your remote branch offices are continuously connected?
• Would you like us to show you how to cut connectivity costs? (Use examples above, with localized costs)
• Would you like us to show you how to cut connectivity costs while ensuring high connectivity availability?
• Would you like us to show you how to cut connectivity costs while improving response time and guaranteeing access to mission-critical applications?