The shocks of early 2020 catalysed years worth of social, business and consumer change into just a few months and nowhere has the acceleration been greater than in IT as organisations suddenly shifted to remote work, online processes and cloud services.
As work-from-home (WFH) stretched from temporary accommodation into a semi-permanent condition, IT was faced with the reality that the inconsistent, and in many cases, pathetic state of home broadband connectivity was sapping employee productivity through balky video calls, additional remote support tickets and slow access to data and applications.
While IT has long outfitted many employees with laptops and other equipment to facilitate work at home and on the road, it has typically left the choice and provisioning of home Internet service to each employee; except for senior executives, for whom expense is no object, the home connection has been the employee's own responsibility. With WFH becoming just "work," such a tenuous remote-access networking arrangement became a severe liability.
Given the limited choice of broadband providers at any particular location, the decision has almost entirely hinged on the service available from the one or two providers (typically in the U.S. a cable TV-broadband and wireline telco) with infrastructure near one's home. The advent of affordable LTE service and Wi-Fi routers supporting plug-in LTE modems provided another option for some, but bandwidth caps made wireless service undesirable for most people trying to combine work and consumer (e.g. video streaming) activity on the same service.
With most people using only a single ISP, one's lifeline to the Internet, whether used for streaming Netflix or Zooming with a project team, is subject to the vagaries of consumer-class broadband, which lacks any SLAs for service quality or availability. Although broadband speeds, reliability and latency have greatly improved over the years, consumer circuits are usually oversubscribed, which leads to congestion that often manifests itself as video buffering or slow website refreshes.
Consumer circuits don't provide application-based packet prioritisation, and although some consumer routers offer QoS options, these are primarily designed for gamers, giving preference to UDP gaming protocols rather than office applications. SD WAN has become the standard method for improving network reliability, QoS and security at remote sites, but before the WFH boom it was applied exclusively to branch offices, manufacturing, logistics and retail sites and other business locations, not an employee's home. However, with many residential areas now served by more than one wired or wireless ISP, and with low-cost uCPE (universal customer premises equipment) appliances capable of running various virtual network services, home-based SD WAN has become a viable option.
SD WAN provides several advantages over traditional VPNs, including:
- Higher reliability when using multiple remote connections.
- Greater control over routing configurations including the ability to backhaul some traffic to a central data center for security scanning, some directly to trusted SaaS locations (for example, an email or VoIP service) and non-business traffic directly to the Internet.
- Increased visibility over network usage, performance and reliability, including use by individual applications or data types.
- User- and group-based QoS and security configurations that can follow users as they connect from different locations. For example, an executive can take a portable SD WAN appliance on business trips and gain the same access and security protections they have when at home or in the office.
By virtualising the WAN and centralising administration, SD WAN decouples network configuration and security policy from location and enables hybrid, distributed work environments that cover any employee's location.
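The routing split and path selection described above, as an added Python illustration written for this article (not any vendor's code): a policy table classifies each destination as backhaul, direct-to-SaaS or direct Internet, and a selector picks the WAN link that meets that policy's loss and latency thresholds, staying on the primary link while it qualifies and falling back to any link that is up when none does. The link names, thresholds, destination catalogue and probe readings are constructed assumptions.

```python
"""Policy-based path steering for a two-link SD WAN edge (added illustration).

Not vendor code. The link names, SLA thresholds, destination catalogue and
probe readings below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class LinkHealth:
    """Latest probe result for one WAN link (values are constructed)."""
    name: str
    up: bool
    loss_pct: float    # packet loss seen by periodic probes to the hub/POP
    latency_ms: float  # round-trip time of those probes


# Where each traffic class exits and the SLA it needs (assumed thresholds).
POLICIES = {
    "backhaul":    {"exit": "tunnel to data-center hub", "loss_pct": 2.0, "latency_ms": 150},
    "saas-direct": {"exit": "direct to trusted SaaS",     "loss_pct": 1.0, "latency_ms": 100},
    "internet":    {"exit": "local breakout (NAT)",       "loss_pct": 5.0, "latency_ms": 300},
}

# Constructed destination catalogue: internal prefixes and trusted SaaS hosts.
CORP_PREFIXES = ("10.", "172.16.")
SAAS_HOSTS = {"voip.example.com", "mail.example.com"}


def classify(dst: str) -> str:
    """Map a destination host or IP to a policy name."""
    if dst.startswith(CORP_PREFIXES):
        return "backhaul"
    if dst in SAAS_HOSTS:
        return "saas-direct"
    return "internet"


def meets_sla(link: LinkHealth, policy: str) -> bool:
    """True when the link is up and inside the policy's loss/latency limits."""
    p = POLICIES[policy]
    return link.up and link.loss_pct <= p["loss_pct"] and link.latency_ms <= p["latency_ms"]


def select_path(dst: str, links: list, primary: Optional[str] = None):
    """Return (policy, exit, link_name, degraded).

    Stays on the primary link while it meets the policy's SLA (avoids
    flapping), otherwise moves to the best in-SLA link. If no link meets the
    SLA the flow still leaves via the least-lossy link that is up, flagged
    degraded; if nothing is up, link_name is None.
    """
    policy = classify(dst)
    exit_via = POLICIES[policy]["exit"]
    primary = primary or links[0].name
    usable = [l for l in links if meets_sla(l, policy)]
    degraded = not usable
    if degraded:
        usable = [l for l in links if l.up]
    if not usable:
        return policy, exit_via, None, True
    if not degraded:
        for l in usable:
            if l.name == primary:
                return policy, exit_via, l.name, False
    best = min(usable, key=lambda l: (l.loss_pct, l.latency_ms))
    return policy, exit_via, best.name, degraded


if __name__ == "__main__":
    # Constructed probe snapshot: cable is primary but lossy, DSL is clean.
    links = [LinkHealth("cable", True, 3.0, 40.0), LinkHealth("dsl", True, 0.2, 35.0)]
    for dst in ("10.1.2.3", "voip.example.com", "news.example.org"):
        print(dst, select_path(dst, links))
```

In the sample run, VoIP and backhaul traffic move to DSL because 3 percent loss breaches their SLAs, while ordinary web traffic, with a looser threshold, stays on the lossy primary; that per-class decision is what a consumer dual-WAN router cannot make.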
WFH (working from home) SD WAN options
SD WAN vendors don't design and optimise equipment for home offices, thus most options are overkill for a single user. However, over the next four years, one analyst predicts an explosion in sales of uCPE devices used to terminate SD WAN circuits. Omdia expects uCPE sales to skyrocket from just $27 million in 2020 to almost $1.8 billion in 2024, a 184 percent CAGR. These products will fall into three t-shirt sizes, small (4 CPU cores), medium (8C), and large (12-16C or more). Virtually all of the 4C and 8C products will use low-power Arm or Intel Atom processors, making them suitable for the cost-sensitive home market.
The choice of hardware will be dictated by whatever one's chosen SD WAN vendor supports, i.e. the choice of software and services should dictate the hardware. Although uCPE devices are increasingly popular, they're not the only option since many network security and UTM (unified threat management) appliances also support DIY SD WAN connections between their products. For example, Watchguard offers SD WAN as part of its Firebox appliances with features such as dynamic path selection, site-to-site VPNs, zero-touch deployments and support for broadband Internet, MPLS and LTE circuits.
Building reliable WFH connectivity
WFH is only one characteristic of the post-pandemic work environment, the others being increased use of cloud infrastructure and applications instead of internal hardware and software, greater geographic diversity among workgroups (in part, a consequence of WFH) and greater asynchrony of work communications as team conversations move online to collaboration platforms like Slack or Teams and video meetings are automatically recorded to be viewed after the event (also an outcome of WFH). Combined, these factors mean that the traditional approach to remote networking, namely tunneling all of an employee's traffic through a VPN that terminates in a central data center, is inadequate. WFH turns an employee's home into a branch office that requires comparable, albeit down-scaled, network services.
Much like other elements of IT infrastructure, designing reliable SD WAN starts by identifying single points of failure, aka SPOF. As AWS CTO Werner Vogels famously says, "Everything fails, all the time." Unless you're NASA designing manned systems for space travel, it's both impossible and impractical to eliminate every SPOF. Indeed, every redundant component approximately doubles the cost of that subsystem. Thus, the more layers of redundancy, the more expensive and complex the system. Even a hyperscale cloud operator like AWS realises that whether due to the low risk of failure or cost-sensitivity of the buyer, some SPOFs are not worth eliminating.
The core principles of infrastructure reliability — redundant hardware, continual health and security monitoring and consistent, centrally-managed administrative processes and system configurations — apply to SD WAN whether it is deployed at a data center, large manufacturing facility or home office. Thus, reliable WFH installations require:
- Redundant backend systems for the SD WAN control plane and network management systems
- Multi-path connectivity to remote offices or employee homes
- (Ideally) redundant hardware at the remote site
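To make the SPOF reasoning concrete, here is an added Python model, written for this article and not taken from any vendor or from AWS, that composes per-component availability in series and parallel for the home-office topologies discussed here and lists which stage remains a single point of failure. The per-component availability figures are constructed assumptions, not measured values or ISP SLAs; substitute your own.

```python
"""Availability and SPOF model for home-office SD WAN topologies (added illustration).

The component availabilities are constructed assumptions, not vendor or ISP figures.
The parallel formula assumes independent failures; two ISPs that share a pole,
a conduit or the same power feed are not independent, and the model overstates
their combined availability.
"""
HOURS_PER_YEAR = 8766.0

# Assumed annual availability per component (constructed values).
AVAILABILITY = {
    "isp": 0.995,      # consumer broadband with no SLA: ~44 h/yr down
    "lte": 0.990,      # LTE standby with a data cap, treated as less reliable
    "cpe": 0.999,      # uCPE / SD WAN edge appliance
    "switch": 0.9995,  # managed LAN switch
}

# A topology is a list of stages in series; each stage lists components that
# back each other up (parallel). A one-member stage is a single point of failure.
TOPOLOGIES = {
    "single ISP, single CPE": [["isp"], ["cpe"]],
    "dual ISP, single CPE": [["isp", "isp"], ["cpe"]],
    "broadband + LTE standby, single CPE": [["isp", "lte"], ["cpe"]],
    "dual ISP, HA CPE pair, dual switches": [["isp", "isp"], ["cpe", "cpe"], ["switch", "switch"]],
}


def series(*avail):
    """All components must be up: multiply availabilities."""
    p = 1.0
    for a in avail:
        p *= a
    return p


def parallel(*avail):
    """Any one component suffices: 1 minus the chance all are down together."""
    q = 1.0
    for a in avail:
        q *= 1.0 - a
    return 1.0 - q


def stage_availability(stage):
    return parallel(*(AVAILABILITY[c] for c in stage))


def availability(topology):
    return series(*(stage_availability(s) for s in topology))


def downtime_hours(avail):
    """Expected hours per year the site is cut off at that availability."""
    return (1.0 - avail) * HOURS_PER_YEAR


def spofs(topology):
    """Components with no backup in their stage."""
    return [s[0] for s in topology if len(s) == 1]


def weakest_stage(topology):
    """The stage contributing the most downtime: the next candidate for redundancy."""
    return min(topology, key=stage_availability)


def report():
    """Name -> (availability, downtime h/yr, SPOF list) for every topology."""
    return {
        name: (availability(t), downtime_hours(availability(t)), spofs(t))
        for name, t in TOPOLOGIES.items()
    }


if __name__ == "__main__":
    for name, (a, h, s) in report().items():
        print(f"{name:40s} {a:.6f}  {h:6.1f} h/yr  SPOF: {s or 'none'}")
```

With these assumed figures, the second ISP removes most of the downtime, after which the lone CPE becomes the dominant stage; the HA pair and dual switches then buy only a few more hours a year, which is the cost/benefit trade-off the text describes.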
The effort required to create a reliable SD WAN depends upon the deployment model:
- DIY, using privately-operated hardware and internal software, has the highest design effort and cost for backend systems.
- Outsourced to a service provider, whether a NaaS, carrier or network MSP, eliminates the need to build core infrastructure.
Layers of SD WAN remote access redundancy
For high availability at remote sites, both models have roughly equivalent hardware requirements, although the products supported by different SD WAN services are idiosyncratic. Indeed, hardware often must be procured from the vendor or partner to get the required client-side software pre-installed. Furthermore, regardless of the service, all need redundant last-mile circuits to protect against failures at a single carrier. Since our topic is WFH scenarios, we will focus on the connectivity and equipment options for remote office high availability.
VeloCloud provides several HA examples in its Reference Architecture guide that use Dell Virtual Edge Platform (VEP) appliances as the client endpoints, connected to interior LAN switches. The VEP is like most uCPE devices in its ability to run various virtual network services such as SD WAN edge software, firewalls and content filters. In this scenario, two devices run VeloCloud Edge (VCE) as an HA pair and each terminates service from two ISPs. A VeloCloud HA pair provides sub-second failover when one device goes offline, automatically negotiates active and standby roles and synchronises port status. For maximum reliability, the pair is cross-connected to two LAN switches and uses BGP or static routes to forward WAN traffic.
Most SD WAN products support similar HA topologies. For example, Silver Peak devices can be connected in a HA pair to balance traffic across two WAN circuits.
SD WAN remote access for the home office
SD WAN services can be used from any location with Internet access, but delivering the full benefits of path optimisation and traffic steering requires at least two active physical links and a hardware appliance. Even so, WFH SD WAN isn't an all-or-nothing proposition and there are several layers of functionality, complexity and cost that cover a range of needs. These include:
- VPN client to SD WAN service: Many NaaS providers have a mobile client to simplify configuring and establishing VPN connections to their SD WAN backends. These operate like consumer VPN services by eliminating the need to manually configure VPN parameters, install certificates or system profiles. The client tunnels all traffic through an encrypted connection that terminates at the nearest POP, where it is scanned and routed according to an organisation's SD WAN policies.
Source: Apple iOS App Store.
- SOHO router with dual-WAN capability: Protecting against ISP failures requires two broadband connections and either a home router capable of load balancing across multiple links or a uCPE appliance running SD WAN endpoint software. The simplest solution, and one the author has used for more than a decade, connects two broadband links (often cable Internet and DSL) to a small router capable of load balancing or automatic failover between WAN connections. Dual-WAN hardware options include consumer Wi-Fi routers, enterprise UTM appliances and small-form-factor (SFF) systems running open source routing software such as pfSense.
The previous two methods, WAN link redundancy and VPN clients, can be combined to deliver a limited form of HA SD WAN by allowing employees to access corporate networks even when their primary broadband connection is offline.
Source: Author; Watchguard XTM Multi-WAN configuration screen.
- Complete SD WAN endpoint via a uCPE appliance: Building a proper home office SD WAN requires installing a uCPE device compatible with the organisation's SD WAN service. Here, the WFH site becomes another endpoint in the corporate network and downloads traffic management and security policies from a central controller. Like the router example, uCPE appliances can route traffic over two or more WAN links and many support USB LTE modems as a standby failover link.
- Redundant CPE appliances and switches: The most reliable, complicated and costly solution entails emulating the HA branch office topology described above using smaller, home-friendly equipment. These would use an SD WAN vendor's smallest supported CPE endpoint and inexpensive managed switches. Indeed, adding switch-layer redundancy is a minor addition to the total cost since 8- or 16-port managed gigabit Ethernet switches are widely available for $100-200.
What SD WAN remote access products are available?
The speed of the WFH migration and uncertainty about the future of the home as a permanent work location means that SD WAN vendors haven't aggressively marketed to WFH employees, with most offerings only announced within the last year. However, many products built for small branch offices are appropriate for home use and are positioned by SD WAN vendors as WFH options. Similarly, as detailed above, redundant topologies designed for ROBO installations can be adapted for home users requiring maximum availability.
We don't have space for a complete product guide, but the following are examples of SD WAN systems appropriate for WFH.
- Aruba Silver Peak Unity EdgeConnect US (ultra-small) and XS (extra-small): Now part of HPE-Aruba, Silver Peak offers a family of SD WAN appliances. The Ultra Small model, which the company describes as about the size of a deck of playing cards, has three GbE interfaces and the XS four; these are the bare minimum for a home office, where two interfaces are dedicated to WAN/broadband services, leaving one or two for an internal LAN switch. Both run the EdgeConnect SD WAN software, centrally managed via Unity Orchestrator, which can be installed on either a private server or a cloud compute instance.
- Cisco ISR-1100 series: With six models, a small form factor and efficient 30W hardware, the ISR-1100 is appropriate for home offices in either solo or redundant installations. It comes with four GbE interfaces and options for either two SFP or two internal LTE interfaces and runs the Viptela SD WAN OS which includes an L7 firewall, IPS, URL filtering and malware scanning.
- Dell-VeloCloud: The VEP4600 we used to illustrate a typical redundant design is overkill for home offices, but the companion VEP1405 series is not and runs the same VeloCloud software. It has a small form factor (about the size of a Mac Mini), six 1 GbE ports, two 10 GbE ports and a low-power Intel Atom processor that draws about 20 percent of the power required by the larger 4600 model.
Source: Dell; VEP1405 product page.
- Versa CSG 300 Series with Versa Secure Access Client: Versa has branded its CSG 300 series appliances, combined with its Versa Secure Access cloud service, as a WFH solution. It pairs SD WAN and zero-trust cloud services with small, centrally managed appliances. The CSG 350 has 4x1 GbE interfaces and two internal slots for LTE modems and provides SD WAN and NGFW features. The CSG 355 has 6x1 GbE, three internal wireless slots and adds UTM security features such as antivirus protection and IPS.
Managing remote access environments
All enterprise SD WAN products provide a central management console for setting consistent policies across locations, monitoring usage and availability and detecting security events. However, even the most reliable hardware and broadband service can fail, leaving units unreachable. The time-honoured rebooting method, which in the case of network appliances usually means unplugging and replugging the power cable, can fix most system lockups; however, having an out-of-band (OOB) path to a device's management interface is the best way for remote personnel to diagnose and fix hardware problems.
As the name implies, out-of-band management (OOBM) operates independently of the production WAN links via IP gateway devices that usually have a separate LTE interface. OOBM devices automatically switch over to the backup cellular network to maintain connectivity to a network appliance's management interface. They also send alerts about network outages and unusual activity via email, SMS or SNMP traps and automatically download their configuration from a central management console when first deployed. Several companies sell out-of-band management hardware, including Advantec, Digi, EtherWAN, Lantronix, Netbiter, OpenGear (owned by Digi), ProSoft and ZPE Nodegrid.
IT executives and managers responding to a recent survey said that even after health restrictions have ended, 78 percent of the employees at their organisation will be spending at least 25 percent of their time working remotely. In this hybrid work environment, having a reliable WFH network is a necessity. Extending SD WAN to home offices is the best approach and there are several options for increasing reliability via redundant WAN links and hardware.
Fully redundant systems aren't warranted in every situation, however, deploying SD WAN hardware that supports LTE services as an emergency backup should be a baseline for regular home workers. Organisations should also strongly consider OOBM hardware with wireless connectivity and maintaining an inventory of spare uCPE devices that can be express shipped in cases of hardware failure.