Why Avaya + VMware = SDN Success

Why it doesn’t have to be an either-or decision between the underlay and the overlay

Software-Defined Networking (SDN), Network Function Virtualization, virtualization, data center automation, the list goes on. These are the hot topics fundamentally changing the way we design, build and operate our IT infrastructures. What do they all have in common? They’re being discussed in detail this week at VMworld, one of the largest annual gatherings of customers, experts and vendors in the industry.

As mentioned in our last post on VMworld, Avaya is showcasing its cloud-based Unified Communications and Contact Center service offerings, and the new, smaller sibling of the Avaya Collaboration Pod family, the Collaboration Pod 2400.

The Collaboration Pod 2400 combines virtual compute, storage, networking and all Avaya UC/CC applications in a ready-to-deploy platform with a “single pane of glass” management system and integrated support provided by Avaya.

This allows customers to have a very complex set of applications up and running in mere hours. Stay tuned for a future blog post on Collaboration Pods, where we talk to cloud service providers who confirm this time-to-service advantage.

Underpinning the infrastructure agility of the Collaboration Pod platform is Avaya SDN Fx™ networking architecture and VMware’s virtualization technology. Avaya SDN Fx offers unprecedented flexibility and ease of deployment. Independent research found the technology resulted in 100 percent fewer outages based on human error, 11 times faster implementation and 7 times faster configuration and troubleshooting time. Avaya SDN Fx is a true game changer.

In order to provide compute virtualization and overlay networking, the Collaboration Pod uses VMware’s proven ESXi technology in conjunction with Avaya Virtual Provisioning Service.

The Collaboration Pod we are exhibiting at VMworld is a proof of concept that runs on VMware’s NSX-V platform. We’re leveraging NSX-V’s compute, storage and networking virtualization, as well as its micro-segmentation, to provide enhanced capabilities for controlling micro-flows.

VMware’s NSX-V and Avaya SDN Fx are highly complementary and an ideal foundation for SDN and cloud-based offerings in and beyond the data center.

Avaya Collaboration Pods Overlay and Underlay

Avaya SDN Fx and VMware’s NSX form a best-in-class combination and are proof of the ongoing innovation provided by Avaya and VMware. Avaya SDN Fx allows for the extension of the VMware fabric–including its micro-segmentation capabilities–to the campus and branch, thus providing an integrated, end-to-end solution.

As partners, we continue to deliver best-in-class solutions to our customers. Avaya plans to work with VMware to ensure closer integration with NSX-V and a co-certification once the VMware program for NSX-V becomes available.

Related Articles:

Secure IoT Deployments with Avaya SDN Fx™ Architecture Solutions

Let’s look at how to deploy the IoT in a safe and sane manner—a top-of-mind business challenge. Before diving into the technology, let’s remember why secure IoT deployments are so important. The Yahoo breach is a lesson learned: Yahoo CEO Marissa Mayer lost $12M in bonuses over the Yahoo data breach and Yahoo paid $16M to investigate the breach and cover legal expenses as of March 2, 2017. It’s clear that the cost of not building a safe infrastructure is much more than the cost to build one.

Software Defined Networking (SDN) is sometimes over-hyped. At a base level, separating the control plane from the data plane makes sense (if one understands the definitions of a data plane and control plane). In a practical sense, it means the network infrastructure doesn’t need to be managed on a node-by-node basis (i.e., logging into network devices on each end of the cable to make complementary changes to configure a network link). This is where SDN can be over-hyped. The SDN solution automates the process of making the changes to each end of the cable, making the network easier to manage. But, it doesn’t reduce the complexity, increase the resiliency (other than reduce outages due to typing errors), or make it easier to troubleshoot or expand.

Avaya SDN Fx™ Architecture is based on fabric, not network technology. The architecture was designed to be managed as an entity of subcomponents and not a bunch of nodes that are interconnected to create a larger entity. In other words, it’s like designing something to manage a forest, as opposed to managing the trees. Would you really want to manage a forest one tree at a time?

How SDN Fx Architecture Benefits the IoT

Although the SDN Fx network architecture wasn’t specifically designed for the IoT, it works well for providing a solid foundation to deploy IoT solutions. These are the key components of the SDN Fx Architecture that benefit the IoT:

Avaya Fabric Connect is Avaya’s implementation of Shortest Path Bridging (SPB/IEEE 802.1aq). SPB replaces the traditional network stack, greatly simplifying network configuration, management and security. Three key benefits of Fabric Connect apply directly to the IoT deployment use case:

  • Hyper-Segmentation: SPB supports 16 million+ network segments. In theory, every IoT device on a network could have its own segment. More realistically, every device type can have its own segment. For instance, HVAC could be one network, security cameras could be on another, employees on a third, guests on a fourth, etc. It’s worth noting that the NSA sees segmenting IoT networks as a key to limiting exposure of IoT deployments. (In my next blog, I’ll examine how Avaya solutions provide security between devices on the same segment.)
  • Automatic Elasticity: Services in SPB are provisioned at the edge without touching the core of the network. This makes it very straightforward to provision network services for the hundreds or thousands of IoT devices that the business wants up and running yesterday. Plus, edge provisioning makes moving devices simple. When a device is disconnected from the network, the network service to that port is disabled and eliminates open holes in the network security. When the device is connected to the same or different port, the device is authenticated and services are automatically configured for the port.
  • Native Stealth: SPB operates at the Ethernet, not the IP layer. For example, if a would-be hacker gains access to one segment of a traditional network, they can go IP-snooping to discover the network architecture. A traditional network is only as secure as the least secure segment/component. With Fabric Connect, if a security loophole is overlooked in a less important network project, there isn’t a back door to access the rest of the network and the corporate data.

Avaya Fabric Extend provides the ability to extend an SPB fabric across a non-fabric network, such as IP core, between campuses over Multiprotocol Label Switching (MPLS), or out to the cloud over WAN. IoT deployments enable the phased adoption of SDN Fx so that IoT projects can gain the values above, without ripping and replacing significant network infrastructure or affecting non-IoT workloads.

Avaya Fabric Attach automates the elasticity of the SPB fabric for IoT devices and other devices supporting Automatic Attachment (IEEE 802.1Qcj). Fabric Attach allows the device to signal to the network that it needs to connect to a service. If the device is authorized, the service is automatically provisioned. When the device is disconnected, the service is terminated. If the device is moved to a different network port, the service will be provisioned automatically to the new port. This makes deploying and moving Fabric Attach-enabled devices very simple. For a real-world example, see how Axis Communications is starting to deploy Fabric Attach in their IoT devices.

Avaya Open Networking Adapters—an Open Network Adapter is a small device that sits in-line with an IoT device to provide programmable security for IoT devices that lack adequate network security. One component of the solution is Fabric Attach, which provides automated service provisioning and mobility to devices that don’t have the auto-attach capability. (I’ll explore more about the power of Open Networking Adapters in an upcoming blog.)

The Avaya Identity Engines Portfolio provides powerful tools for managing user and device access to a network, commonly referred to as Authentication, Authorization, and Accounting. In the IoT use case, Identity Engines authenticate a device by MAC address or MAC address group and use predefined policies for the device type to dynamically configure services. For instance, a camera could be assigned to Video VLAN 30 and provisioned for multicast, while a phone would be authenticated, assigned to VLAN 20, and configured for SIP communications. This provides security against unauthorized devices joining the network and provides automatic segmentation based on device type and service requirements.

I’m not sure if there ever was a time when network design and implementation was static, but there was a time when the devices connected to the network could be predicted: servers, printers, storage, PCs, etc. With IoT, IT is being asked to design networks for devices that haven’t been thought of yet. The old network technologies were designed for mobility by work order, and IT was able to list the number of device types that wouldn’t work on the network. SDN Fx provides a true software-defined network and not software-defined automation on old network constructs. A fabric network has the intrinsic flexibility and security required for tomorrow’s IoT projects, today.

In my recent blogs about the IoT, I’ve looked at how the IoT enables Digital Transformation and examined a business-first approach to IoT technology adoption. Next in this blog series, I’ll explore the newest component of the SDN Fx solution for the IoT, the Avaya Surge™ Solution.

Aiming Towards an Unfettered and Secure IoT

Last week, we heard bold claims by a networking vendor that they could make the Internet of Things (IoT) safe because they “own” the network. One of the ways they plan to do this is to certify products to take advantage of network security capabilities.

As a player in the networking space that is addressing IoT security, Avaya agrees “that there aren’t enough people on Earth to run the network the way it’s being run today, when you look at the scale of IoT.”

But, we strongly disagree on a number of other claims and respectfully offer these counterpoints:

  • One Pipe, One Gatekeeper:

    Their point of view shouldn’t be surprising—they are a vendor that has long relied on proprietary approaches designed to keep out the competition. The plan to certify devices to run on their network is yet another cog in the wheel whereby they soundly eliminate competitors and increase their revenue instead of allowing the market to decide who has the better approach to securing IoT. This brings us to our next point.

  • Innovation: Supporting or Suffocating?

    Does a single vendor governing who and what has access to the network encourage innovation or does it stifle it? While the concept of whitelisting is generally good, it requires a significant level of execution to be effective without hindering innovation. The sheer scale of the IoT means that it’s likely billions of devices will ultimately be connected. Each type needs to be certified, demonstrating compliance to a standard that gives them permission to onboard. Not impossible, but this is not the domain of a single vendor. In addition, as the market continues to trend towards more flexible networks and elasticity enabling greater innovation, the one-vendor-owns-the-network approach is rigid and exclusionary. The ecosystem for devices becomes extremely limited.

  • Say Bye-Bye to Your Legacy Equipment:

    While newer devices may be able to incorporate new standards and technology, there are still many, many legacy devices in operation that don’t have that level of intelligence. Many of these devices are regulated and would require significant backporting to support the operating systems they run. Requiring a forklift to remove non-compliant legacy devices is a huge moneymaker for some vendors—something we’ve seen them do in the past. But, for the company that needs to change their entire legacy operation, it may mean closing the doors due to a prohibitively expensive demand to update. Alternatively, they will be forced to manually manage the whitelists for legacy devices—an extremely cumbersome process.

An Alternative Approach

Avaya has already taken ground-breaking steps in securing IoT—steps that are much less costly and cumbersome, and support the innovation that IoT stands for by its very nature. Let me elaborate:

  • Automatic Onboarding, Configuration and Management:

    The competition suggests that its approach will include not only “IoT onboarding and management capabilities, it will go beyond security to include automation of other tasks like network configuration that administrators would otherwise have to do.” Hello there. Let me introduce myself. This is fundamental to Avaya SDN Fx™. More than 800 Avaya customers are already enjoying the unique simplicity delivered through automation to the edge found in Avaya Networking. However, it’s still networking. Fundamentally, IoT needs to be separate from the network. While interaction between the solutions may offer benefits, any IoT solution needs to be capable of providing unique value regardless of the network underneath.

  • Keep What You Have, Use What You Want:

    IoT is gazillions of unique endpoints like medical imaging equipment, video devices, specialty printers, and more. Thus, you must protect 100% of your devices for a secure network. To manage this, and to secure legacy devices and a broad ecosystem of devices, Avaya built the Open Network Adapter—a small adapter about the size of a deck of cards enabled with an Open vSwitch. The Open Network Adapter allows these special devices to automatically connect to the network with a granular security profile based on their individual communication characteristics. Once fitted with the adapter, a session can be automatically set up, torn down and re-established—even if moved to a new location. This ensures that devices always have the proper security and can be tracked for both logistics and analytics purposes.

  • Securing the Future and Making Whitelisting Practical:

    Avaya’s SDN Fx IoT solution takes a different approach by providing proxy capabilities for devices to protect existing investments. This lets budgets be focused on innovations that are important to the business strategy. The SDN Fx IoT solution is based on the concept of intelligent profiling to dynamically understand the expected conversation patterns of whitelisted devices. This is important, as devices can be spoofed or hacked. Many IoT devices are in public domains where people may have physical access. They are often implemented by non-IT personnel and may not be secured to the level an enterprise expects. Gaining permission for whitelisting the device is a low threshold most will be willing to accept. From there, IT is free to characterize the traffic patterns of the devices and dynamically narrow the security profiles to a very refined set of flows within the whitelist.

  • Hyper-Segmentation for Hyper-Secure Networks:

    For those looking to evolve their defenses beyond an overlay solution and fully integrate their end-to-end security, Avaya’s SDN Fx provides a perfect complement to the IoT solution with automated connection into hyper-segments directly from the Open Network Adapter. Recently, we announced the hyper-segmentation capabilities of Avaya Networking. This end-to-end segmentation creates isolated traffic lanes within the network that limit where a hacker can go. They can’t get to the core and wreak havoc with sensitive data and operations. With hyper-segmentation, you get on the on-ramp to a dedicated toll road, where you are the only car on the road. Your isolated road leads directly to your destination, with no off-ramps. No one can see you, and you can’t see anyone else. But more importantly you can’t get off at any other destination than your own.
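
An added illustration of the intelligent-profiling idea from the whitelisting bullet above (not Avaya's code or the SDN Fx implementation): a broad per-device-type whitelist is narrowed to the flows actually observed, and later traffic is checked against both. The device type, addresses, ports and the `min_hits` threshold are constructed assumptions.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed broad whitelist granted at onboarding, per device type:
# (protocol, destination network, lowest port, highest port)
BROAD_WHITELIST = {
    "camera": [("tcp", ip_network("10.30.0.0/16"), 1, 65535),
               ("udp", ip_network("10.30.0.0/16"), 1024, 65535)],
}

# Constructed flow records from a learning window: (protocol, dst IP, dst port)
LEARNING_FLOWS = [
    ("tcp", "10.30.0.10", 554), ("udp", "10.30.0.10", 5004),
    ("tcp", "10.30.0.10", 554), ("udp", "10.30.0.10", 5004),
    ("tcp", "10.30.0.77", 80),    # seen once: too rare to be trusted
    ("tcp", "10.99.0.5", 22),     # never allowed: outside the whitelist
]

def in_whitelist(device_type, flow):
    """True if the flow matches any broad rule for this device type."""
    proto, dst, port = flow
    return any(proto == p and ip_address(dst) in net and lo <= port <= hi
               for p, net, lo, hi in BROAD_WHITELIST.get(device_type, []))

def learn_profile(device_type, flows, min_hits=2):
    """Narrow the whitelist to flows observed at least min_hits times.

    Flows outside the whitelist are never learned, so a device that is
    already misbehaving during the window cannot widen its own profile.
    """
    counts = Counter(f for f in flows if in_whitelist(device_type, f))
    return {flow for flow, hits in counts.items() if hits >= min_hits}

def classify(device_type, profile, flow):
    """Return the verdict for one runtime flow."""
    if not in_whitelist(device_type, flow):
        return "deny: outside whitelist"
    if flow not in profile:
        return "alert: whitelisted but outside learned profile"
    return "allow"

if __name__ == "__main__":
    profile = learn_profile("camera", LEARNING_FLOWS)
    for flow in [("tcp", "10.30.0.10", 554), ("tcp", "10.30.0.77", 23),
                 ("tcp", "10.99.0.5", 22)]:
        print(flow, "->", classify("camera", profile, flow))
```

The middle verdict is the case the bullet cares about: a device that still passes the whitelist but talks in a way it never did while being profiled, as a spoofed or compromised endpoint would.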

Avaya has already done much of the work needed for securing IoT that the other networking vendor is proposing, although we’ve left out those aspects that are not in the best interests of customers and innovation. While they are trying to make this about the network, the network has yet to stop many of the recently publicized breaches.

Any IoT device has the potential to be compromised whether remotely or physically, so end-to-end security is absolutely necessary, but absolutely should not be an old school, proprietary approach. Instead, it starts with micro-segmenting between applications and extends that level of separation and obfuscation out to the device and cloud edges. Anything less is like a football player taking the field with full pads but no helmet. Most hits will be absorbed, but the ones that aren’t can be the most damaging.

World’s Largest Surveillance Camera Provider Awards Avaya Technology Partner of the Year

You need more than just sophisticated surveillance video cameras to catch it all. Although cameras are an important part of the equation, the quality of your surveillance video is only as good as the quality of the network infrastructure that it runs over.

Blurry video, lapses in video footage and delays in pulling up video footage: all of these major complications can result from a poor underlying network … and cause serious security lapses. According to a 2014 report from ZK Research, 70 percent of surveillance issues can be attributed to less than rock-solid network quality.

Axis Communications, the global leader in network video, recognizes the importance the network plays in delivering high-quality and secure surveillance. At its 10th annual Axis Connect & Converge Conference, Axis − the world’s No. 1 provider of surveillance cameras − named Avaya its 2015 Technology Partner of the Year.

Avaya offers a network optimized for video surveillance. Leveraging Fabric Connect, an Avaya network uses Shortest Path Bridging (SPB), which eliminates the need for multiple protocols and enables simple endpoint provisioning. This gives the network greater scalability, performance and simplicity than traditional IP network offerings, leading to more flexible and reliable support for Axis video surveillance cameras.

When a spotty network means spotty surveillance, customers look for reliability. An always-on network means safer hospitals, cities and even schools, such as in the case of joint Avaya and Axis customer Holland Hall. Due to increasing calls for safety for students and faculty, Holland Hall implemented a new video surveillance system with 50 Axis cameras and an Axis video management system (VMS), with the capacity to add more cameras as needed.

“We just dropped in our IP video surveillance system and it works without impacting our student network,” said Henry Finch, the school’s director of IT. “We can spin up whatever we need on the security side knowing we don’t need to wait until after school.”
