Trombones are wonderful instruments. These brass beauties are mainstays of any marching band, dutifully producing a bouncing bass tone. Some trombones, however, generate a completely different sound: cries of frustration from networking teams and end users across the globe.
Such cries are common among those suffering from the “trombone effect” on their corporate network. This occurs in a network architecture that forces a distributed organization to use a single, secure exit point to the Internet, and vice versa. For example, network traffic from remote locations and mobile users is backhauled to the corporate data center before exiting to the Internet through the network security appliance stack. Responses then flow back through the same stack and travel from the data center to the remote user. The resulting twisted path resembles the bent pipes of a trombone, producing a negative impact on latency and, therefore, on the user experience.
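To put a number on the latency cost described above, here is a small model (added here; not part of the original post) that compares the round-trip time of a direct branch-to-application path with a tromboned path that detours through the data center. It assumes great-circle fibre routes, roughly 200 km per millisecond in fibre, and a fixed per-pass delay for the security stack; all coordinates and delays are constructed sample values.

```python
import math

EARTH_RADIUS_KM = 6371.0
FIBER_KM_PER_MS = 200.0  # assumed: light in fibre covers about 200 km per ms (~2/3 c)


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def path_rtt_ms(hops, stack_delay_ms):
    """Round-trip time for a path through the given waypoints.

    Propagation is counted in both directions, and the security stack delay is
    paid once on the way out and once on the way back, as in the trombone path.
    """
    one_way_km = sum(haversine_km(hops[i], hops[i + 1]) for i in range(len(hops) - 1))
    return 2 * (one_way_km / FIBER_KM_PER_MS + stack_delay_ms)


def compare_paths(branch, datacenter, app, stack_delay_ms=1.0):
    """Return RTTs (ms) for the direct path and the path backhauled via the data
    center, plus the extra latency the trombone adds. Both paths pass a security
    stack once, so the penalty reflects the detour distance only."""
    direct = path_rtt_ms([branch, app], stack_delay_ms)
    backhauled = path_rtt_ms([branch, datacenter, app], stack_delay_ms)
    return {
        "direct_rtt_ms": round(direct, 2),
        "backhauled_rtt_ms": round(backhauled, 2),
        "trombone_penalty_ms": round(backhauled - direct, 2),
    }


if __name__ == "__main__":
    # Constructed sample: a European branch, a US data center, a SaaS app hosted in Ireland.
    branch = (50.11, 8.68)       # Frankfurt (sample coordinates)
    datacenter = (41.88, -87.63)  # Chicago (sample coordinates)
    app = (53.35, -6.26)          # Dublin (sample coordinates)
    for key, value in compare_paths(branch, datacenter, app).items():
        print(f"{key}: {value}")
```

Real paths add queuing, routing and serialization delays on top of propagation, so treat the output as a lower bound on the trombone penalty.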
Bending the pipes
Connecting remote offices to the data center is a must. Users need to access internal applications like customer relationship management (CRM), enterprise resource planning (ERP) and remote desktops. This tightly managed connection, typically delivered over multi-protocol label switching (MPLS), is expensive, but it has a guaranteed service level that is essential when accessing on-premises enterprise apps. However, using MPLS for Internet traffic is wasteful, as users can access public cloud services over an unmanaged Internet connection instead of overloading the MPLS link.
Yet many organizations do use MPLS links for Internet traffic. There are two reasons for that:
1. In the past, Internet traffic for enterprise use was limited so the MPLS impact was small. The increased adoption of cloud-based applications such as Salesforce, Dropbox and Google Docs has substantially increased the volume of enterprise Internet traffic. In addition, Internet of Things (IoT) sensors generate large amounts of data that need to be centrally stored and analyzed, often using cloud-based services.
2. Many organizations – and especially midsize enterprises – can’t afford to own and manage a stack of security appliances, such as firewalls and web filters, in each office of a distributed environment. Therefore, rather than having a straight shot to the Internet, the Internet-bound traffic from each office must exit through a secure point at headquarters. This naturally slows network performance, which lowers worker productivity and requires heavier investment in MPLS links.
Obviously, what used to work in the past, even at a cost, may not work for us anymore.
The broken appliance-based security approach
Given the complexity of today’s network architectures, an appliance-based security approach is an unrealistic option for businesses looking to cure the trombone effect. Not only is the appliance lifecycle cost-prohibitive when you factor in buying, installing, configuring and repairing devices in every remote office, but many products on the market today are difficult to customize for various environments. Some appliances only cover specific locations or paths to the data, and their ability to evolve and adapt with updated capabilities to address new threats is typically slow and cumbersome.
There is also the growing problem of the security skills gap, as deploying appliances in each office would require a security professional on hand to deal with any sudden issues. Even unified threat management (UTM) appliances still require on-site personnel in case the appliance fails or requires maintenance.
Given these challenges and the new central role that Internet and cloud-based traffic play in today’s businesses, we should rethink some of our core assumptions on how enterprise networking and network security are being architected and delivered.
Getting on the straight and narrow
Some companies have turned to the use of regional hubs as an answer to the trombone effect. These “mini data centers” host the security stack and shorten the distance between the remote location and a secure exit point to the Internet. While this approach has reduced latency and increased network performance, it’s only a half-step as the fundamental issue of maintaining multiple instances of the security stack still remains.
A solution for the trombone effect must include a globally available secure exit point to the Internet through which enterprises can send their traffic directly. Recent innovations in cloud-based networking and security may pave the way not only to address the trombone effect, but also to reshape how enterprise networking evolves for the new cloud- and mobile-centric enterprise. Left alone, the trombone effect on network architecture will only get more twisted and contorted over time. To foster productivity in the age of cloud-based applications, companies need to carve a direct path to the Internet that not only delivers strong security, but also minimizes latency. And that’s a tune we can all sing along to.