Avaya Software-Defined Networking 1.0 — Doing it differently

Let’s start with a few figures that show the scale and diversity of the devices being connected to the Internet of Things:

  • Number of connected devices worldwide in 2016: 5 billion
  • Projected number of connected devices in 2020: 50-75 billion
  • Expected economic impact of IoT by 2025: $10-12 trillion

What’s not so apparent within these statistics is the monumental challenge to security. This is the challenge for every industry vertical, from healthcare to building construction, from FDA-approved medical devices connecting to the network to smarter-connected kitchens: How can they reliably and securely send control and network traffic into the cloud or within an enterprise without being compromised?

Securing the growing number of connected devices used in business, particularly in healthcare, is the focus of the Avaya SDN Fx Healthcare solution. First presented this year at HIMSS, a global healthcare technology conference, the solution is built on open source technologies to protect sensitive medical devices from would-be attackers who could use them as entry points to the rest of the hospital network, and to contain potentially malicious traffic originating from physically compromised devices.

At Avaya, we get it! Every good solution begins with key questions that capture the challenge. Simply put, we started with these three:

  • How can we help businesses address IoT without worrying about network deployment complexities, downtimes, upgrades and patching?
  • How can we provide the same or better level of security, availability and reliability of our customers’ systems as they grow with IoT?
  • How can we enable customers to do all this simply, without massive forklift upgrades or disruption to their day-to-day operations?

Our strategy for these challenges was multi-pronged: an open, extensible architecture with an eye toward the end users.

First, we implemented a controller-based architecture that creates secure service paths based on the profile of the IoT device that is connecting. A service profile is a container that encapsulates a network profile, determined by who is accessing the network, and a security profile, determined by what is being accessed; together these form an access-context. Access-context-based service enablement provisions on demand, putting critical security and compute resources where they are needed most. The dial-home feature of our smart IoT gateway device, the Avaya Open Network Adapter, ensures that it always connects to the controller to declare itself, and certificate-based TLS authentication between the Open Network Adapter and the controller secures the exchange of control traffic. For that to hold, the authentication has to run in both directions: the controller must demand an adapter certificate before accepting a dial-home session, and the adapter must verify the controller's certificate before trusting any policy it receives.
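The following is an added example, not Avaya's code, of what the certificate-plus-TLS control channel described above amounts to in practice, written with Python's standard `ssl` module. It puts the weak configuration (a listener that encrypts but accepts any caller) beside the mutually authenticated one, and adds the dial-home side. The file names, the private CA and the use of the certificate's common name as the adapter identity are assumptions.

```python
"""Controller <-> Open Network Adapter control channel: TLS context set-up.

Added example, not Avaya's code. Contrasts a one-way TLS listener that
accepts any client (weak) with mutually authenticated TLS on both ends.
"""
import ssl

# Assumed PKI layout (not from the post): one private CA issues a
# certificate to the controller and one to every Open Network Adapter.
CA_BUNDLE = "ona-ca.pem"
CONTROLLER_CERT, CONTROLLER_KEY = "controller.pem", "controller.key"
ADAPTER_CERT, ADAPTER_KEY = "adapter.pem", "adapter.key"


def weak_controller_context() -> ssl.SSLContext:
    """Server side that encrypts but never identifies the adapter.

    Anything that can reach the southbound port can 'dial home' as an adapter.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_NONE  # also the default for a server context
    return ctx


def harden_server_context(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Require a client certificate chained to the adapter CA; TLS 1.2 or newer."""
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # handshake fails without an adapter cert
    return ctx


def controller_context() -> ssl.SSLContext:
    ctx = harden_server_context(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER))
    ctx.load_verify_locations(cafile=CA_BUNDLE)       # which adapter CA to trust
    ctx.load_cert_chain(CONTROLLER_CERT, CONTROLLER_KEY)
    return ctx


def weak_adapter_context() -> ssl.SSLContext:
    """Dial-home side that trusts whatever answers: a rogue controller can push policy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def harden_client_context(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Dial-home side: verify the controller's certificate and hostname; TLS 1.2+."""
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def adapter_context() -> ssl.SSLContext:
    ctx = harden_client_context(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT))
    ctx.load_verify_locations(cafile=CA_BUNDLE)     # pin the controller's CA
    ctx.load_cert_chain(ADAPTER_CERT, ADAPTER_KEY)  # proves the adapter's identity
    return ctx


def peer_identity(sock: ssl.SSLSocket) -> str:
    """After the handshake the controller binds the session to the cert's CN (assumed naming)."""
    cert = sock.getpeercert()
    if not cert:
        raise PermissionError("no client certificate presented")
    subject = dict(rdn[0] for rdn in cert["subject"])
    return subject.get("commonName", "")
```

The check a practitioner wants is on the server side: with `CERT_NONE`, the `getpeercert()` call in `peer_identity` returns an empty dict and there is nothing to tie a dial-home session to a particular adapter, however strong the TLS cipher is.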

The next task was to address the likelihood of human error and system failure. Our underlying strategy therefore focused on insulating critical customer IoT devices and applications from these failure scenarios and delivering millisecond recovery with minimal downtime. The Avaya Open Network Adapter, our IoT gateway device, keeps providing secure connectivity for medical devices even when its connection to the SDN controller is lost or the controller has failed over. This keeps network resources continuously and securely available for mission-critical business workflows.

To further support availability and reliability, the controller plane architecture uses a hybrid of Active-Active and Active-Standby systems. The Active-Active model provides the data and resource replication that southbound control operations depend on; here "data" means user, application and context information along with network details. Replication is done at a higher layer, the Clustering Engine layer, using a distributed main-memory database and an Advanced Message Queuing Protocol (AMQP) bus. AMQP, implemented with RabbitMQ, lets the controller perform a large number of transactions, close to 1 million per second. The main-memory database, Mnesia, provides a distributed, fault-tolerant DBMS: tables can be replicated on different compute nodes with location transparency, so an application accessing the data needs no knowledge of where the tables reside. This yields sub-second response times and very fast replication at low CPU cost, which is critical for control operations and high-volume data analytics. The linearly scaling cluster replicates critical data rather than sharing it between nodes, which improves the overall availability of the data. The Active-Standby model preserves singleton data (data that must not be replicated across the system), such as licensing details.

The architecture involves master nodes (one or more) that actively replicate data to guarantee availability, a leader node elected from among the masters to provide a single northbound IP interface and host the singleton data, and slave nodes (zero or more) that perform lower-level control operations.

The embedded load balancer distributes control traffic evenly across the cluster of N nodes (N <= 255) and supports more than 30,000 transactions per second, so the controller can absorb surges in control traffic and handle network storms. It also presents a single virtual IP address on the southbound interface to the IoT devices connecting to the controller, giving the outside world a single-system view.

To ensure that systems can recover from a failed state, and that data integrity is maintained after recovery, we implemented a fault-tolerant model based on supervisor trees (the supervision-tree pattern of Erlang/OTP, the platform that provides Mnesia). A supervisor tree is a hierarchical model and notation that defines what needs to be monitored and remedied within an active system. Its leaf nodes are independent supervisors, each watching its own assigned set of resources and reporting to its parent node. The loosely coupled design lets each supervisor make independent decisions based on its operating conditions, reports from its child nodes and its configuration parameters. Remediation typically involves retries and migration of resources.
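The following is an added illustration of the model just described, not Avaya's controller code: each supervisor retries its own children, keeps a restart budget (at most N restarts inside a time window, as OTP does), and when that budget is exhausted gives up and escalates to its parent, which restarts the whole branch against its own budget. It is written in Python so the logic is visible; the worker names, the limits and the fake clock used to make runs deterministic are assumptions.

```python
"""Supervision tree with restart intensity and escalation.

Added illustration, not Avaya's code. A leaf supervisor restarts a crashed
worker; if restarts exceed its budget it raises, and the parent supervisor
treats that as a failure of the whole branch.
"""
import time
from collections import deque
from typing import Callable, Deque, Dict, List


class RestartIntensityExceeded(Exception):
    """A supervisor restarted children more than max_restarts times inside
    window_seconds; it gives up and hands the problem to its parent."""


class Supervisor:
    def __init__(self, name: str, max_restarts: int, window_seconds: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.name = name
        self.max_restarts = max_restarts
        self.window = window_seconds
        self.clock = clock
        self.children: Dict[str, Callable[[], None]] = {}
        self._restarts: Deque[float] = deque()  # timestamps of recent restarts
        self.log: List[str] = []

    def add_child(self, name: str, start: Callable[[], None]) -> None:
        """A child is anything restartable: a worker or a sub-supervisor's run()."""
        self.children[name] = start

    def _count_restart(self) -> None:
        now = self.clock()
        self._restarts.append(now)
        while self._restarts and now - self._restarts[0] > self.window:
            self._restarts.popleft()  # restarts older than the window are forgiven
        if len(self._restarts) > self.max_restarts:
            raise RestartIntensityExceeded(self.name)

    def _run_child(self, name: str) -> None:
        """one_for_one strategy: only the failing child is retried; siblings are untouched."""
        while True:
            try:
                self.children[name]()
                return
            except Exception as exc:  # a worker crash, or a sub-supervisor giving up
                self.log.append(f"{self.name}: {name} failed ({exc!r}); restarting")
                self._count_restart()  # raises if this supervisor is over budget

    def run(self) -> None:
        self._restarts.clear()  # a supervisor restarted by its parent starts with a clean budget
        for name in list(self.children):
            self._run_child(name)


def run_tree(root: Supervisor) -> bool:
    """True if every branch eventually came up; False if the root itself gave up."""
    try:
        root.run()
        return True
    except RestartIntensityExceeded:
        root.log.append(f"{root.name}: restart intensity exceeded; tree is down")
        return False


def make_worker(failures_before_success: int, counter: Dict[str, int]) -> Callable[[], None]:
    """Constructed worker: raises N times, then succeeds. Negative N means it never recovers."""
    def start() -> None:
        counter["calls"] = counter.get("calls", 0) + 1
        if failures_before_success < 0 or counter["calls"] <= failures_before_success:
            raise ConnectionError("adapter control socket reset")
    return start


def build_tree(worker: Callable[[], None], clock: Callable[[], float]) -> Supervisor:
    # Leaf supervisor for southbound sessions: tolerates 3 restarts per 5 s (assumed limits).
    south = Supervisor("southbound", max_restarts=3, window_seconds=5.0, clock=clock)
    south.add_child("adapter-session", worker)
    south.add_child("heartbeat", lambda: None)
    # Root tolerates 2 restarts of the whole southbound branch per minute.
    root = Supervisor("root", max_restarts=2, window_seconds=60.0, clock=clock)
    root.add_child("southbound", south.run)
    return root
```

With a frozen clock a worker that never recovers is tried 4 times per leaf run (3 restarts plus the attempt that breaks the budget), the leaf is restarted twice by the root, and the third escalation takes the root down: 12 attempts in total, and `run_tree` returns False. Spread the same failures more than five seconds apart and the leaf never exceeds its budget, which is the window semantics a tuned restart policy relies on.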

Last but not least, to keep infrastructure complexity from leaking into the application layer, we implemented a three-tier SDN architecture that is simple to deploy and use and, most importantly, lets customers focus on their day-to-day operations rather than on infrastructure. Installation is greatly simplified by zero-touch deployment, which is unique in the industry: with just three commands per node, a user can deploy a full two-node cluster.

Northbound APIs allow customers, partners and developers to create secure network and connectivity services for their applications without advanced knowledge of the underlying infrastructure or of the SDN controller's internals. Application registration and authorization use the OAuth framework, extending security into the user and application space.
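As an added example of what OAuth-based application registration and authorization buys a northbound API (this is not Avaya's code and the page does not describe their implementation), here is a minimal client-credentials flow: an application is registered with a set of permitted scopes, obtains a bearer token for a subset of them, and a northbound handler refuses calls whose token lacks the required scope. The scope names, the HMAC-signed token format and the `segments:write` requirement on the handler are assumptions.

```python
"""OAuth 2.0 client-credentials flow gating a northbound API call.

Added example, not Avaya's code. Token format (signed JSON) and scope
names are assumptions chosen for the illustration.
"""
import base64
import hashlib
import hmac
import json
import os
import secrets
import time
from typing import Dict, Optional, Set

PBKDF2_ROUNDS = 100_000


class AuthServer:
    def __init__(self, signing_key: bytes, clock=time.time) -> None:
        self.key = signing_key
        self.clock = clock
        self.clients: Dict[str, dict] = {}

    def register(self, client_id: str, allowed_scopes: Set[str]) -> str:
        """Registration: keep a salted hash of the client secret, never the secret."""
        secret = secrets.token_urlsafe(32)
        salt = os.urandom(16)
        self.clients[client_id] = {
            "salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS),
            "scopes": set(allowed_scopes),
        }
        return secret  # shown once to the application owner

    def _sign(self, body: bytes) -> bytes:
        mac = hmac.new(self.key, body, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(mac).rstrip(b"=")

    def token(self, client_id: str, client_secret: str, scope: str, ttl: int = 600) -> Optional[str]:
        """Token endpoint, grant_type=client_credentials. None means 'invalid_client' / 'invalid_scope'."""
        rec = self.clients.get(client_id)
        if rec is None:
            return None
        digest = hashlib.pbkdf2_hmac("sha256", client_secret.encode(), rec["salt"], PBKDF2_ROUNDS)
        if not hmac.compare_digest(digest, rec["hash"]):
            return None
        requested = set(scope.split())
        if not requested <= rec["scopes"]:
            return None  # an application cannot escalate beyond what it was registered for
        claims = {"sub": client_id, "scope": sorted(requested), "exp": int(self.clock()) + ttl}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=")
        return (body + b"." + self._sign(body)).decode()

    def introspect(self, token: str) -> Optional[dict]:
        """Resource side: check signature and expiry before trusting any claim."""
        try:
            body, sig = token.encode().split(b".")
        except ValueError:
            return None
        if not hmac.compare_digest(sig, self._sign(body)):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body + b"=" * (-len(body) % 4)))
        if claims["exp"] <= self.clock():
            return None
        return claims


def create_segment(auth: AuthServer, token: str, segment_name: str) -> str:
    """A northbound handler that requires the (assumed) 'segments:write' scope."""
    claims = auth.introspect(token)
    if claims is None:
        raise PermissionError("invalid or expired token")
    if "segments:write" not in claims["scope"]:
        raise PermissionError("insufficient scope")
    return f"segment {segment_name} provisioned for {claims['sub']}"
```

The two checks that matter for an SDN controller are the scope subset test at issuance (a read-only analytics application must not be able to mint a token that provisions segments) and the scope test again at the handler, since a token is only as narrow as the code that consumes it.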

With an average of 12 connected devices per hospital bed and upwards of 100,000 connected devices in a given hospital system, it’s easy to see the need for an architectural model like this to push the accepted limits of the tools openly available. It’s also easy to see the importance of vendors like Avaya being champions for the standardization of these solutions rather than just opportunistically offering up professional services to overwhelmed IT organizations or leaving them to deal with the aftermath of breaches. Securing the diverse array of Things connected to the network and doing so at unprecedented scale is about more than just innovation. It’s a matter of solving the real-world problems faced by our customers in these rapidly changing times.

Related Articles:

An Exploration of End-to-End Network Segmentation—Part II: Native Stealth

As I’ve said before, no one provider can completely eliminate network security risks. There is, however, a proven way to reduce risk and network exposure: end-to-end segmentation, which comprises hyper-segmentation, native stealth and automated elasticity. In part I of this series, I explored the concept of hyper-segmentation. In a nutshell, hyper-segmentation uses SPB (Shortest Path Bridging, IEEE 802.1aq) to quickly and easily create virtual network segments that are completely isolated from one another. This lets network security tools work more efficiently and gives businesses full visibility into network activity.

Now imagine if you could create these virtual segments on the fabric infrastructure itself, meaning the topology used to carry the traffic would be completely invisible to any IP discovery or hacking. That’s exactly what we’re going to discuss here in part II: delivering a stealth network that keeps hackers in the dark. Let’s jump right in.

The Risk of IP Hopping

If you still rely on IP hopping (hop-by-hop IP routing from node to node), it is likely only a matter of time before someone enters your network and discovers your full network topology, potentially without you knowing (if someone hasn’t already). I understand it can be difficult to grasp how a method that has been in practice for nearly 30 years can be so insecure, but remember: just because a methodology has been around for a long time doesn’t mean it fits today’s business requirements.

The problem with IP hopping is simple: once someone successfully enters a network using any kind of automated or reasonably sophisticated tool, they can begin discovering IP hop routes. These tools, when in the wrong hands, can allow attackers to gain full visibility into an organization’s IP architecture.

This means that if an attacker gets past your firewall, they can map your network topology and devices within minutes (and you thought Halloween was scary!). With that level of visibility, attackers can easily find where the video surveillance sits, for example, or where patient records are stored, and then go after those devices, databases, nodes or systems.

This is one of the reasons so many companies hesitate to offer guest Wi-Fi. It is one of the easiest and lowest-risk ways for an attacker to get behind a company’s firewall and start gaining network visibility. Remember, RF leaks through walls and out of buildings; sit in the parking lot near a building and voilà!

Stealth Networks: Invisible to Hackers, Invincible for Companies

If you recall from part I, we discussed the importance of provisioning the network only at the points where a service is offered and where it is consumed by the end user or device (IoT, for example). Provisioning only at those service points, using an IP shortcut, turns the rest of the network into pure transport: traffic rides Ethernet Switch Paths (ESPs) rather than hopping from IP node to IP node. Attackers no longer have IP routes to enumerate; they see only the entry and exit points, and everything else is stealth, or invisible.
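What "transport" means at the packet level, as an added example that is not part of the original post or Avaya's code: SPBM (802.1aq) carries the customer frame inside an IEEE 802.1ah Mac-in-Mac backbone header. The code below builds that header as a backbone edge bridge does at the service entry point, shows the only two fields a transit node reads (backbone destination MAC and B-VID), and strips the header again at the exit. The MAC addresses, the I-SID value and the payload are constructed for the example.

```python
"""Mac-in-Mac (IEEE 802.1ah) encapsulation as used by SPBM (802.1aq).

Added example, not Avaya's code. Frame layout (no preamble/FCS):
  B-DA(6) B-SA(6) | 0x88A8 B-TCI(2) | 0x88E7 I-TCI(4) | C-DA(6) C-SA(6) ...
B-TCI: PCP(3) DEI(1) B-VID(12).  I-TCI: I-PCP(3) I-DEI(1) UCA(1) Res(3) I-SID(24).
"""
import struct

ETH_P_BTAG = 0x88A8  # B-TAG TPID
ETH_P_ITAG = 0x88E7  # I-TAG TPID
BACKBONE_HDR_LEN = 6 + 6 + 4 + 6


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def build_customer_frame(c_da: bytes, c_sa: bytes, ethertype: int, payload: bytes) -> bytes:
    return c_da + c_sa + struct.pack("!H", ethertype) + payload


def encapsulate(b_da: bytes, b_sa: bytes, b_vid: int, i_sid: int,
                customer_frame: bytes, pcp: int = 0) -> bytes:
    """BEB ingress: wrap the customer frame in a backbone header.

    i_sid is the 24-bit service instance, i.e. the virtual segment the
    frame belongs to; b_vid selects the equal-cost tree set.
    """
    if not 0 <= b_vid < 4096:
        raise ValueError("B-VID must be 12 bits")
    if not 0 <= i_sid < (1 << 24):
        raise ValueError("I-SID must be 24 bits")
    if len(customer_frame) < 14:
        raise ValueError("customer frame must start with C-DA and C-SA")
    b_tci = (pcp & 0x7) << 13 | b_vid   # DEI = 0
    i_tci = (pcp & 0x7) << 29 | i_sid   # I-DEI, UCA, Res = 0
    return (b_da + b_sa
            + struct.pack("!HH", ETH_P_BTAG, b_tci)
            + struct.pack("!HI", ETH_P_ITAG, i_tci)
            + customer_frame)


def transit_lookup(frame: bytes) -> tuple:
    """What a backbone core bridge reads to forward: (B-DA, B-VID) only.

    It never parses past the B-TAG, so the I-SID and everything inside the
    customer frame (MACs, IP addresses, ports) are not visible to it.
    """
    b_da = frame[0:6]
    tpid, b_tci = struct.unpack("!HH", frame[12:16])
    if tpid != ETH_P_BTAG:
        raise ValueError("not a B-tagged frame")
    return b_da, b_tci & 0x0FFF


def decapsulate(frame: bytes) -> tuple:
    """BEB egress: strip the backbone header; return (I-SID, customer frame)."""
    tpid, i_tci = struct.unpack("!HI", frame[16:22])
    if tpid != ETH_P_ITAG:
        raise ValueError("missing I-TAG")
    return i_tci & 0x00FFFFFF, frame[BACKBONE_HDR_LEN:]
```

The caveat worth keeping in mind: the customer IP header is opaque to transit nodes because they do not parse it, not because it is encrypted. A device sitting on the segment's entry or exit point, or anyone who can join that I-SID, sees the segment's traffic as usual, which is why hyper-segmentation is isolation rather than confidentiality.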

Remember the above example about penetrating the firewall through a Wi-Fi network? Let’s say this happens to a company that’s implemented an end-to-end segmentation solution. The hacker may successfully connect to the company’s physical infrastructure but, because of native stealth, they will only be able to see as far as that one segment. The attackers can’t hack what they can’t see. Meanwhile, organizations gain more controlled insight into where attackers are trying to do damage.

At the end of the day, you can’t stop every attacker from penetrating your network or firewall, or from gaining access to your building. If they do, end-to-end segmentation lets you control what they see, so that your customer databases, credit card numbers and the like stay securely isolated and undiscoverable. So don’t expose your customers’ cardholder data (PCI), patient records or similar: isolate that critical data in its own secure virtual segment and run it over that ONE converged infrastructure. There is no longer any need for a separate physical network to meet your business security needs when you implement the right solution. One caveat follows from the design itself: the entry and exit points of each segment remain visible, so the devices and services that terminate a segment are exactly where hardening, monitoring and access control still have to be applied.

We’re almost done exploring the core of end-to-end segmentation. Elasticity is the final capability that completes this network security trifecta, and I dig into it in part III next week.

How to Make the Most of IoT While Minimizing Security Risks

I was in London yesterday for IP Expo 2016. I had the pleasure of speaking with many customers and presenting a keynote about the security concerns raised by the Internet of Things (IoT). Below is a summary of what we discussed for those who weren’t able to join me or who did but need a refresh.

Adding millions of new devices, hardware endpoints, and billions of lines of code, along with more infrastructure to cope with this load is, unsurprisingly, creating a vast set of security challenges across all areas of the IoT—a set of challenges the scale of which we haven’t seen before.

Fortunately, the technology industry is working hard to address these issues, and from the network side there are many lessons we can apply from the Internet and BYOD-ready networks.

Let’s face it: the days of a fixed network edge, defined by the office and a few home workers using corporate laptops, are long gone. For the last several years we have been living with the borderless network, or as I like to call it, the Everywhere Perimeter. At Avaya, we’ve built on our fabric networking technology to create a solution that addresses this challenge, providing a layer that seamlessly manages segmentation, stealth and elasticity across the organization. (I recently introduced a series that talks at length about these three core pillars.) This approach makes securing the everywhere perimeter much more practical.

If all this sounds like gobbledygook, I can assure you it isn’t. Here’s an example of how it works: if an IP phone is plugged in, the voice network is automatically and securely extended. If a video surveillance camera is plugged in, the surveillance network is extended. When devices and objects are unplugged, the network retracts, eliminating potential back door entry points to the network. What this means is that organizations can hide much of their networks while protecting those elements that remain visible. The end result: you can’t hack what you can’t see, so businesses can avoid many of the conventional hooks and tools that hackers seek to exploit, while at the same time engaging with their customers and employees in an agile and timely manner via the IoT.

I invite you to learn more about the elements of IoT security that are beginning to affect businesses of all sizes. Take a look at this white paper, which offers a roadmap for implementing smart, multilevel security capabilities.


New Age, New Requirements, More Innovation: Three Ways to Keep Up (Part 3)

The 2016 Rio Olympics may be over, but the excitement is still palpable. As I watched the performances from some of today’s most gifted athletes, I couldn’t help but think about this blog series on business innovation and the need to push further.

Think about it: U.S. swimmer Katie Ledecky is a three-time Olympic gold medalist, yet she succeeded in smashing even her own world record in the 400m freestyle competition. Meanwhile, Simone Biles—the most decorated female gymnast in World Championships history—has a floor move named after her called “the Biles.”

My point here is that the very best in the world don’t become so without continually innovating and pushing themselves. In this same vein, businesses today must excel in an environment where not only keeping current but driving innovation is mandatory. In fact, nearly 60% of CIOs surveyed by IDG this year said that innovation is a top business mandate. If you take away only one key point from this series, I hope it’s related to this need to continually innovate within your business.

Part 1 and Part 2 of this series outlined how companies can evolve their contact centers and networking strategies to keep up with today’s rapid pace of innovation. But these are only two parts of a massive puzzle that companies must piece together.

As I mentioned earlier, it feels near impossible to cover everything that has changed within the last 25 years in technology and business. What I can tell you is this: the innumerable changes that have happened have led to what we here at Avaya call “digital transformation.”

Digital Transformation: A Mindset Fueled by Technology
Digital transformation is a belief that the greatest innovation is driven through digitization and simplification. By automating information, simplifying processes and connecting more objects through the Internet of Things (IoT), businesses can transform from the inside out.

It’s critical that business leaders understand the importance of reengineering their organizations in this way. Why? Because 75% of CIOs surveyed by Deloitte last year said that digital technologies will significantly impact their business. Because IDG’s survey found that more businesses are scrambling to prioritize budgets as a result of this deep focus on digital transformation. Because research shows that the IoT will consist of more than 34 billion connected devices by 2020.

This digital transformation isn’t just happening at the enterprise level, though. Take a look and you’ll see the changes that are happening all around you. For example, you may notice a smart meter on the side of your neighbor’s house that allows them to view real-time energy usage on their smart device. You may see cars parallel parking themselves on the side of the road. We’re seeing everyday objects, cities, campuses and hospitals becoming Internet-enabled in ways that were incomprehensible decades ago. I even tweeted recently about Wilson Sporting Goods getting in on the action with the “Smart Football,” which will quite possibly change the game of American football.

The Greatest Challenge of Digitization (and How to Overcome It)
Digital transformation opens the door to a smart new world where outcomes and possibilities are constantly being reimagined. At the same time, however, it’s creating more unique, industry-specific needs than ever before. These needs drastically vary and can be challenging to meet.

For example, healthcare organizations need to efficiently connect doctors with care teams via cutting-edge medical devices and communication capabilities. All of this needs to be done while remaining compliant with industry regulations.

On the other hand, financial organizations need to securely deliver anywhere/anytime/any-device account access to customers while ensuring fraud prevention. Meanwhile, educational directors need to deliver a next-generation learning experience as well as a safe campus environment for students. You see where I’m going with this? The list of vertical-specific needs goes on and on.

The problem we’re seeing is that many companies don’t understand that there is no cookie-cutter framework for digitization. Just like every Olympian’s tools and training are different, every company’s digital transformation will look different depending on its vertical-specific needs.

So, in a world where business needs are getting more granular by the minute, how can organizations keep up? How can they stay on top as true innovators and change seekers?

I can’t tell you in good conscience that there’s an end-all solution here, because there isn’t. At Avaya, we believe the key to mastering digital transformation begins with the right support. In other words, you need to find the right strategic partner/integrator who will work with you to determine your vertical-specific needs and how you can meet and exceed them. Better yet, find a partner/integrator who can also deliver the solutions you require to quickly adapt to your customers’ needs and capitalize on new opportunities. This way, you can avoid most of the leg work while keeping a leg up on the competition.

Your partner/integrator of choice should have a deep focus on such things as analytics, automation, networking, security and IoT. Above all, seek a partner/integrator that has a solid understanding of and passion for smart vertical solutions.

As I mentioned in a previous blog, the possibilities today for businesses are limited only by the imagination. Find a partner/integrator who’s ready to step into your world and come along for the ride.