Will the real Ethernet Fabric please stand up…or, are some Vendors playing fast and loose with terminology (again)?

Many will remember the early days of fixed-format Ethernet Switches, when the development of resilient configurations was initiated as an alternative to existing Modular Chassis systems. While we can debate who invented what, and when – SynOptics, 3Com, and even Digital all fielded competing designs – the really significant thing about these solutions is that they were genuinely resilient. All were based on a backbone capability that virtualized what the traditional chassis relied on in hardware. Thus, “stacking” – in a true, resilient, integrated way – was born.

Then, along came the pretenders. These were the vendors that wanted to share the spotlight even though they didn’t have anything innovative to bring to the party: some only daisy-chained switches, some used Spanning Tree, most consumed relatively low-speed front-panel uplink ports, and most didn’t support QoS. If they could manage two or more interconnected Switches with a single IP Address they wanted to stake a claim. Eventually, everyone claimed to do stacking, which ultimately commoditized and devalued the term. This sad state of affairs is the reason Avaya insists on using the term “stackable chassis” for our genuine, full-featured technology.

The Software-Defined WAN (SD-WAN) label appears to be taking a similar journey, which again is causing confusion in the industry. Respected industry analyst Zeus Kerravala echoes my sentiments in a blog discussing his frustration when the aspirations of marketing trump the realities of engineering.

This is not simply an esoteric debate about the proper names to apply to respective technologies. When the same name is used to market vastly different capabilities, it lays the burden of decoding what’s what on the customers. So, rather than focusing on helping businesses solve specific real-world problems, this exercise in obfuscation just makes matters worse.

We’re seeing the same thing with use of the term Fabrics – driven, it appears, by the need to ground Software-Defined Network (SDN) offers on some form of Fabric. The logic seems to be that in order to have a credible SDN story you also need to offer a Fabric. While there may be some basis in fact for the logic, it doesn’t automatically follow that any networking solution has the right to call itself a Fabric.

This is part formal standards definition and part real-world capability. A few years ago, and at roughly the same time, the two main industry standards bodies – the IEEE and the IETF – both established working committees to address the question of Fabric-based networking. The IEEE eventually went with something called Shortest Path Bridging (SPB, formalized as IEEE 802.1aq) and the IETF placed their bet on the rather funkily named Transparent Interconnection of Lots of Links (TRILL, formalized as RFC 6325, et al).

Unsurprisingly, the two standards take very different approaches to solving what was meant to be roughly the same problem: creating agile, reliable, and scalable networks that seamlessly complement server/application virtualization in the Data Center, and next-generation networking initiatives at the network edge. In short, a Fabric.

Remembering that this is an opinion piece and not a white paper, I’m going to be unapologetically subjective: SPB is by far the superior of the two. At the risk of over-simplifying things, but in the interests of space and time, I’ll stake the claim that SPB represents a re-imagining of Ethernet for the 21st Century, while TRILL is simply Spanning Tree overdosing on steroids. But, I’ll at least give TRILL the credit of being a standard – indeed, at last count it’s about ten standards – and that’s more than most of these Johnny-come-lately “Fabrics” can claim.

TRILL’s biggest problem is that it’s not a particularly good Fabric technology and nobody seems very interested in implementing it — certainly not in a standards-compliant form. Cisco uses a bit of TRILL in their FabricPath offering, while Brocade uses a different part in their Virtual Cluster Switching offering. Neither is pure TRILL and neither is interoperable, but at least they have the right to call their solutions a Fabric…more or less. Juniper took a shot at the Fabric challenge with QFabric, but this went largely unnoticed by the rest of the industry, and certainly by potential customers.

The only Fabric standard that has garnered wide-spread support is SPB. Avaya implements this as our Fabric Connect technology and we’ve been instrumental throughout the evolution of the standard – or, perhaps I should say “standards”, as SPB is now standardized by both the IEEE (802.1aq) and the IETF (RFC 6329). The Avaya Fabric Connect implementation leverages the native extensibility of SPB to add significant Enterprise-centric capabilities in the areas of integrated L3 Virtualization, L3 Routing, and IP Multicast. All the while, however, we remain interoperable with other standards-compliant SPB implementers such as Alcatel-Lucent, Huawei, and even HP.

And that brings us to the pseudo-Fabrics being touted in the context of SDN. Perhaps answering these questions brings us to a conclusion:

  • Is a networking overlay that adds yet another layer of protocol and complexity – while making some wildly optimistic assumptions about topology, reachability, and failover – really a Fabric?
  • Is something that is limited to the confines of the Data Center, can only be run as a service on a computing platform, or is bottlenecked by a controller really a Fabric?
  • If so, where’s the end-to-end nature, the step-function in agility, scalability, and availability?

While the IEEE does not necessarily hold the mortgage on what is or is not a Fabric, and any pioneer is free to innovate to their heart’s content, a pretty authoritative line has been drawn in the sand. There are, quite rightly, well-defined expectations of what constitutes a Fabric. Customers have a right to expect that a “Fabric-based” solution does – in fact – deliver Fabric-centric capabilities. And, crucially, it’s a solution that matches their business needs and expectations.

More and more, we’re seeing people appreciate that a Fabric – a genuine Fabric – is the delivery vehicle for the technological and commercial benefits that businesses desperately crave. After all, it’s not about the protocol, it’s about what it delivers.

To this point, Zeus Kerravala recently posted the “Network of 2020.” Interesting stuff, and it particularly resonates with me because of the clear and consistent alignment with the message that I preach day-in, day-out. I’d recommend that you pay particular attention to those attributes that businesses really need to focus on; those that will enable them to advance faster, avoid forklift upgrades, and aren’t burdened with high capital investments and hidden operational complexity and cost.

If this has sparked some interest, then it would appear that I’ve done a good day’s work. Many of you already know that I’m pretty passionate about this subject and about what Avaya can offer. However, even if you’re considering alternatives from another vendor, I would simply encourage you to delve into exactly what’s been proposed with a good, hard look at what’s actually behind the top-level marketing message.

For those of you that are more than interested, the good news is that there’s a solution out there taking full advantage of the standardized Ethernet Fabric technology: Avaya SDN Fx™ Architecture is a standardized end-to-end Fabric-centric architecture that solves the challenges left over by decades of legacy multi-protocol client-server networking. It maintains backwards compatibility, while delivering next-generation capabilities; providing a seamless evolution to SDN. And it’s available today.

Do your research. Challenge your vendor to a proof of concept. Don’t buy simply on theoretical benefits and a hope that the future will deliver on the promises of today. Most importantly, make sure that you’re implementing technology solutions that are focused on driving positive business outcomes.

Related Articles:

Less Maintenance, More Innovation: How to (Finally) Fill the IT Skills Gap

If you take a good look at how the business ecosystem is evolving, you’ll find that it’s being redefined by five key market trends:

You’d be hard pressed to find research that doesn’t indicate the takeover of these five megatrends.

Forrester, for instance, predicts that machine learning and automation will replace 7% of all U.S. jobs by 2025. According to the Economist Intelligence Unit, almost 80% of companies identified digital transformation as their top strategic priority last year. Gartner believes that 70% of all newly deployed apps will run on open source databases by 2018; meanwhile, research continues to show that some 20 to 30 billion objects could be connected to the IoT by 2020.

As these technologies shape our smart digital world, so too do they raise the stakes in terms of customer expectations. Next-generation consumers demand nothing short of a sophisticated digital experience marked by greater quality, agility, speed and contextualization.

The Need to Transform NOW

Driven by these trends, organizations have no choice but to consider how they can adapt to grow and thrive. Competitors are moving at rapid new paces and blazing unforeseen trails. We’re seeing this disruption industry-wide, from companies like Uber and Lyft that have revolutionized the taxi industry (taxi trips have fallen by as much as 30% in cities like L.A.) to Airbnb, which turned the hospitality industry on its head by introducing the concept of an end-to-end digital homestay experience.

Look around and you’ll see just how much your own industry is changing. Do you realize how much new ground is ready to be broken? How much unexplored territory there is to seize? The organizations that thrive will be the first to not only see the possibilities, but successfully execute them. To do so, however, companies must undergo some level of transformation—and IT must be a central part of that transformation.

Elevating IT to Accelerate Business

To enable business to move at a pace that maintains a competitive edge, leaders must ask themselves how they’re empowering their IT staff. As it currently stands, something needs to be done about today’s IT skills gap. What we’re seeing is too many departments tied down to costly, archaic systems that hinder performance and productivity. There are too many people doing the same things and expecting different results. In a world where IT maintenance and innovation must be expertly balanced, teams are working to keep the lights on and not spending enough time learning new technologies and strategies or becoming part of the solution. This has been an ongoing problem that needs to be talked about less and acted on more.

The bottom line is that organizations will only truly accelerate in the digital era if IT spends enough time on strategic initiatives. Consider that 60% of top-performing companies engage IT to gather ideas for innovation, and 49% collect ideas through business unit workshops facilitated by IT. Without question, IT should be factored as a critical part of business innovation.

So, how can businesses free their IT teams to begin innovating? The right technology here is key—specifically, it has to be a combination of business process automation over an automated, end-to-end, meshed networking architecture. Let’s first focus on networking—this open, agile and integrated platform liberates IT by substantially reducing the level of complexity associated with traditional network maintenance, allowing teams to spend more time on high-level strategic initiatives. I’d like to take a look at how such a platform helps fill the IT skills gap from a traditional networking standpoint and outline some of the security benefits this architecture can bring.

Networking

Traditional legacy architecture, often referred to as “client-server”, is becoming near obsolete thanks to the proliferation of automation and M2M. But before we jump too quickly, you may remember the resistance to peer-to-peer communication, where IT in fact won the battle and for the most part didn’t allow it—simply put, the legacy architecture couldn’t sustain it. As manual processes continue to be replaced by smarter, automated processes, it’s imperative that organizations start thinking differently in terms of networking.

This may mean, for example, seamlessly integrating AI and machine learning into their communications strategy to engage customers with flexible new touch points. This will also likely require the integration of services from several vendors with different capabilities, versus one single provider, hence the importance of having an open ecosystem with standards as much as possible.

Regardless of how organizations go about it, the fact is that they must begin moving their networks in a new direction if they wish to progress at the pace their business needs to. Fully-meshed, end-to-end architecture offers an open ecosystem in which businesses can begin freely automating, integrating and reinventing traditional processes without a high level of complexity. This time freedom enables IT to begin reimagining business outcomes. The use of open, integrated, future-proof technology opens new doors of opportunity to do so.

Security

With billions of IoT devices directly communicating and sharing data, organizations are now operating in an essentially borderless network—or as I like to call it, the everywhere perimeter. While this everywhere perimeter enables organizations to operate with unmatched agility and ease, it can also destroy companies if left unprotected. As one can imagine, the strategy and technology needed to protect a virtually borderless network look drastically different from those for a network protected by a traditional firewall or legacy network architecture (static VLANs, ACLs). This is exactly why IT needs to flex its strategic muscles and identify a stronger security approach, one that safeguards the organization with a near impenetrable network that significantly minimizes security risks and reduces exposure.

An end-to-end meshed networking architecture lets organizations quickly and securely enable services across the network anywhere they are consumed (i.e., personal mobile device, Wi-Fi hotspot, corporate campus). This is done through end-to-end network segmentation, which is widely considered to be the holy grail of network security today. Composed of three core components—hyper-segmentation, native stealth and automated elasticity—this solution ensures organizations have the necessary framework for next-generation cybersecurity defense. By minimizing security risks in this way, organizations can ensure they are maximizing the value of IT. Lay the foundation right first, then focus on business process workflow automation. Doing the opposite, or simply ignoring the foundation, will cause pain and slow down your business transformation while making it extremely difficult to maximize the benefits of, for example, IoT.

In the end, every important business initiative requires time. Organizations won’t be able to reinvent themselves if their IT department has none to spare.

2017 Avaya Customer Innovation Awards Honor Five Companies Leading the Way in Digital Transformation

Every year, Avaya and IAUG recognize a handful of customers who are innovators. These customers are recognized with Customer Innovation Awards. Last year’s award winners included a number of technology firms. This year’s five award winners, recognized on stage at Avaya Engage in Las Vegas, include three customers in the financial services sector, a leading global retailer, and a leader in the film production industry.

Each of these customers is benefiting from the latest Avaya solutions to meet business goals—whether the goals are growth, customer experience, cost management, or risk mitigation.

BECU

BECU, which began life 80 years ago as the Boeing Employee Credit Union, today is the fourth largest credit union in the US, with over $12 billion in assets and over a million credit union members. In 2016, BECU embarked on a digital transformation journey focused on the customer experience. BECU relies on Avaya Elite Multichannel running on an Avaya Pod Fx™ infrastructure.

BECU engineer Rick Webb says, “BECU is rapidly expanding and needed a technology partner that could support that expansion and keep our members happy. The Avaya Elite Multichannel infrastructure does just that, while providing increased flexibility and allowing BECU to better meet the expectations of our more than 1 million members.”

Green Shield Canada (GSC)

Green Shield Canada (GSC) is one of the leading health and dental benefit carriers in Canada, with over 850 employees across seven locations. GSC has been deploying the Avaya Equinox™ Experience since last year and is seeing strong results. Competing with larger players in its industry, GSC sees strong collaboration among its workforce as a key ingredient for success.

Jim Mastronardi, GSC Director for Enterprise Infrastructure says, “Green Shield Canada has over 850 employees across seven offices in Canada—from Montreal to Vancouver. We saw an opportunity to explore technology upgrades that would enhance company-wide communications and bring our teams across Canada closer together. With just a single training session, employees have hit the ground running with the Avaya Equinox tools. The video conferencing option has provided a solution to overbooked meeting rooms, and the instant messaging feature is already cutting down on the number of emails being sent.”

Scotiabank

Scotiabank prides itself on “being a technology company providing financial services.” As a long-time Avaya customer—and a beta customer for Avaya Oceana™ and Avaya Oceanalytics™—Scotiabank is on a digital transformation journey to better serve bank customers worldwide. Scotiabank contact centers located in Canada and the Caribbean & Latin America region have benefited from a next-gen centralized architecture leveraging the latest Avaya solutions to better serve customers.

Scotiabank has already developed and deployed Avaya Oceana and Avaya Breeze™ apps, and continues to innovate in an ongoing drive to improve customer service and meet customer needs in a competitive market. The success of Scotiabank’s transformation program has enabled the bank to move with greater agility, improved reliability, and speed to market. This has changed the framework for deployment from months/years to days/weeks while improving the overall ROI/TCO.

The Crossing Studios

The Crossing Studios is one of Vancouver’s largest and fastest growing full-service studios and production facilities for film. The firm caters to companies like Fox, Nickelodeon, Showtime, and Netflix. The Crossing Studios were unhappy with the stability and quality of the disparate systems previously in place across their seven studio locations. In 2016, The Crossing Studios deployed a Powered by Avaya IP Office solution offered by local provider Unity Connected Solutions.

Powered by Avaya IP Office has improved stability, reduced TCO and provided the advanced features that the business needs to serve a very demanding film industry client base, including high scale audio conferencing, extensive web collaboration, and rich multi-vendor HD video conferencing. CTO Mark Herrman says, “We needed something that would support our rapid growth, support our clients, and support our bottom line. Thanks to IP Office and the hosted cloud model, we’re able to keep pace with dynamic, fast-moving film productions, staying as flexible as our clients need us to be.” Estimated savings are in the six figures for the first year alone.

Walgreens

Walgreens is using custom Avaya Snap-ins to bring centralized contact center reporting capabilities to local branch sites, for compliance purposes and to help improve the overall customer experience. Avaya Professional Services were instrumental with the deployment, which relies on an Avaya Pod Fx infrastructure.

These companies are each leaders in their respective industries. As part of their digital transformation journeys, they recognize that when it comes to selecting a trusted technology advisor, “experience is everything.” #ExperienceAvaya.

APTs Part 4: How Do You Detect an Advanced Persistent Threat in Your Network?

Here in part four of my APT series, we’re looking at how to detect Advanced Persistent Threats in your network. The key is to know what to look for and how to spot it.

Look for patterns of behavior that are unusual from a historical standpoint. Some things to look for are unusual patterns of session activity. Port scanning and the use of discovery methods should be monitored as well. Look for unusual TCP connections, particularly lateral or outbound encrypted connections.

Remember that there is a theory to all types of intrusion. An attacker needs to compromise the perimeter. Unless the attacker is very lucky, they will not be where they need or want to be. This means that a series of lateral and northbound moves will be required to establish a foothold. In order for any information to leave your organization there has to be an outbound exfiltration channel. This is another area where APTs have to diverge from the normal behavior of a user.

Here’s what to look for:

  • Logon Activity:

    Logons to new or unusual systems can be a flag. New or unusual session types are also a flag to watch for, particularly outbound encrypted sessions or unusual time of day or location. Watch for jumps in activity or velocity.

  • Program execution:

    Look for new or unusual program executions at unusual times of the day or from unusual locations. Execution of the program from a privileged account status rather than a normal user account should also be alarming.

  • File access:

    Look for unusually high volume access to file servers or unusual file access patterns. Also be sure to monitor cloud-based sharing uploads as these are a very good way to hide in the flurry of other activity.

  • Network activity:

    New IP addresses or secondary addresses can be a flag. Unusual DNS queries should be looked into, particularly those with a bad or no reputation. Look for the correlation between the above points and new or unusual network connection activity. Many C2 channels are established in this fashion.

  • Database access:

    Most users do not have access to the database directly. But also look for manipulated application calls doing sensitive table access, modifications or deletions. Be sure to lock down the database environment by disabling many of the added options that most modern databases provide. An application proxy service should be implemented to prevent direct access in a general fashion.

The goal is to arrive at a risk score based on the aggregate of the above. This involves the session serialization of hosts as they access resources. The problem with us as humans is this: if we’re barraged with tons of data and forced to do the picking out of significant data, we are woefully inefficient. First of all, we have a propensity for missing certain data sets. How often have you heard the saying, “Another set of eyes”? Never manually analyze data alone, always have another set of eyes go over it.
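As an added example (not code from this post or from Avaya), here is a small Python scorer that applies the indicator classes listed above (new logon hosts, off-hours activity, privileged execution, file-access volume, new destinations, DNS names with bad or no reputation, direct database access) to a user's session events and sums the hits into the aggregate risk score the paragraph describes. The per-user baseline, weights, threshold and the event records are all constructed assumptions, not a real log format.

```python
"""Aggregate risk scoring over per-user session events (illustrative)."""
from datetime import datetime

# Constructed per-user baseline of "normal": usual hosts, working hours,
# previously seen outbound destinations and DNS parent domains.
BASELINE = {
    "alice": {"hosts": {"ws-alice", "fs-01"}, "hours": (7, 19),
              "dests": {"10.0.5.20"}, "domains": {"corp.example"}},
}
DB_PROXY_HOSTS = {"app-proxy"}   # only the application proxy may reach the DB
FILE_VOLUME_THRESHOLD = 200      # files touched per session before it is unusual

# Weight per distinct indicator class; each class counts once per session.
WEIGHTS = {"new_logon_host": 2, "off_hours": 1, "privileged_exec": 3,
           "file_volume": 2, "new_dest": 2, "unusual_dns": 2, "direct_db": 4}


def _parent_domain(name):
    """'x7q.badexample.net' -> 'badexample.net'."""
    parts = name.rstrip(".").split(".")
    return ".".join(parts[-2:])


def score_session(user, events):
    """Return (score, hits) for one user's session.
    hits maps indicator -> set of the details that triggered it.
    A user with no baseline gets an empty one, so everything looks new."""
    base = BASELINE.get(user, {"hosts": set(), "hours": (0, 24),
                               "dests": set(), "domains": set()})
    hits = {}

    def hit(kind, detail):
        hits.setdefault(kind, set()).add(detail)

    files = 0
    for ev in events:
        hour = datetime.fromisoformat(ev["ts"]).hour
        if not base["hours"][0] <= hour < base["hours"][1]:
            hit("off_hours", ev["ts"])
        t = ev["type"]
        if t == "logon" and ev["host"] not in base["hosts"]:
            hit("new_logon_host", ev["host"])
        elif t == "exec" and ev.get("privileged"):
            hit("privileged_exec", ev["program"])
        elif t == "file":
            files += ev["count"]
        elif t == "net" and ev["dst"] not in base["dests"]:
            hit("new_dest", ev["dst"])
        elif t == "dns" and (ev["reputation"] in ("bad", "none")
                             or _parent_domain(ev["name"]) not in base["domains"]):
            hit("unusual_dns", ev["name"])
        elif t == "db" and ev["host"] not in DB_PROXY_HOSTS:
            hit("direct_db", ev["host"])
    if files > FILE_VOLUME_THRESHOLD:
        hit("file_volume", files)
    return sum(WEIGHTS[k] for k in hits), hits


def rank_sessions(sessions):
    """sessions: {(user, session_id): events}. Highest risk first, so an
    analyst (and the second set of eyes) reviews the worst session first."""
    scored = [(u, sid, score_session(u, ev)[0]) for (u, sid), ev in sessions.items()]
    return sorted(scored, key=lambda r: r[2], reverse=True)


# Constructed events: a routine daytime session and one matching several indicators.
NORMAL = [
    {"type": "logon", "ts": "2017-03-06T09:02:00", "host": "ws-alice"},
    {"type": "file", "ts": "2017-03-06T09:30:00", "count": 14},
    {"type": "net", "ts": "2017-03-06T10:00:00", "dst": "10.0.5.20"},
]
SUSPECT = [
    {"type": "logon", "ts": "2017-03-07T02:31:00", "host": "db-02"},
    {"type": "exec", "ts": "2017-03-07T02:33:00", "program": "tmp_updater.exe", "privileged": True},
    {"type": "file", "ts": "2017-03-07T02:40:00", "count": 540},
    {"type": "dns", "ts": "2017-03-07T02:45:00", "name": "x7q.badexample.net", "reputation": "none"},
    {"type": "net", "ts": "2017-03-07T02:46:00", "dst": "203.0.113.9"},
    {"type": "db", "ts": "2017-03-07T02:50:00", "host": "db-02"},
]

if __name__ == "__main__":
    for user, sid, score in rank_sessions({("alice", "s1"): NORMAL, ("alice", "s2"): SUSPECT}):
        print(f"{user}/{sid}: risk={score}")
```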

At Avaya we’ve developed a shortest path bridging networking fabric we refer to as SDN Fx™ Architecture that is based on three basic, self-complementary security principles:

  • Hyper-segmentation: This is a new term that we’ve coined to indicate the primary deltas of this new approach from traditional network micro-segmentation. First, hyper-segments are extremely dynamic and lend themselves well to automation and dynamic service chaining, as is often required with software-defined networks. Second, they are not based on IP routing and therefore do not require traditional route policies or access control lists to constrict access to the micro-segment. These two traits create a service that is well suited for security automation.
  • Stealth: Due to the fact that SDN Fx is not based on IP, it is dark from an IP discovery perspective. Many of the topological aspects of the network, which are of key importance to APTs, simply cannot be discovered by traditional port scanning and discovery techniques. So the hyper-segment holds the user or intruder in a narrow and dark community that has little or no communications capability with the outside world, except through well-defined security analytic inspection points.
  • Elasticity: Because we are not dependent on IP routing to establish service paths, we can extend or retract certain secure hyper-segments based on authentication and proper authorization. Just as easily, however, SDN Fx can retract a hyper-segment, perhaps based on an alert from security analytics that something is amiss with the suspect system. There may even be the desire to redirect them into honeypot environments, where a whole network can be replicated in SDN Fx for little or no cost from a networking perspective.

In the End

Hardly a day goes by without hearing about a data breach somewhere in the world. To combat these breaches, it’s imperative to understand how APTs work and how you can detect them. Remember—prevention is ideal, but detection is a must!

With this blog series, I hope I’ve helped you see how to limit the impact of APTs on your enterprise. If you missed a blog post, here’s the whole series:

APTs Part 1: Protection Against Advanced Persistent Threats to Your Data

APTs Part 2: How the Advanced Persistent Threat Works

APTs Part 3: Prevention is Ideal, But Detection is a Must

APTs Part 4: How Do You Detect an Advanced Persistent Threat in Your Network?