Insightful analysis by consultants Steve Taylor and Jim Metzler, plus links to the latest WAN news headlines
Over the past two newsletters we've established that there is a wide range of applications running over the typical enterprise WAN. We've also hinted at the fact that sometimes these applications are sanctioned (e.g., Microsoft's SharePoint) but sometimes it is not clear if other applications (e.g., YouTube) are sanctioned. This newsletter is motivated by that growing array of applications transiting the WAN as well as by a panel that Jim chaired at the recent Interop conference in NYC. That panel was entitled Policy and Control. In hindsight, Jim wishes that he had called it Visibility, Policy and Control.
The genesis of the panel was the April 2008 Interop conference in Las Vegas at which Jim moderated 11 panels. One of those was on WAN optimization and one of the speakers was Mark Urban of Packeteer. Mark made a compelling argument that IT organizations needed to understand the applications that are running over their WAN and implement policy to control those applications. In the case of malware or spyware applications, the control that Mark was referring to was to eliminate these applications. In the case of VoIP, the control referred to by Mark was ensuring that the quality of the VoIP calls was not adversely affected by other bandwidth-hungry applications.
Another panel discussed the need for a next-generation LAN. One of the speakers, Jeff Prince of ConSentry Networks, talked about the need for a new generation of LAN switch that understands the context of each network flow and can apply policy based on that information. According to Jeff, IT organizations can leverage their understanding of user identity and role, tied to applications, both to provide differentiated services to applications and to users, and to improve security through controlled user access to the network and its resources.
Steve Mullaney of Palo Alto Networks spoke at a third panel and he made a case that enterprise IT organizations need to deploy a next-generation WAN firewall that can eliminate the blind spots that are associated with most of the current WAN firewalls. An example of this is the inability of most current products to examine the traffic that transits port 80. Steve suggested that a next-generation firewall should be able to decrypt SSL-encrypted payloads to look for application identifiers/signatures. The idea is that once this inspection is performed and policies are applied, allowed traffic would be re-encrypted before being forwarded to its destination.
As Jim moderated the three panels, he realized that while the discussions were ostensibly on very different topics, all three speakers had a very similar message relative to the need for visibility, policy and control. We agree with the speakers on the need for this functionality, and we also acknowledge that it is possible to implement visibility, policy and control as part of a WAN optimization project, a LAN redesign or as part of implementing more intelligent WAN firewalls. However, as opposed to looking at this functionality just in isolated silos, we suggest that IT organizations look at implementing better visibility, policy and control across their entire network.
Steve Taylor is president of Distributed Networking Associates and publisher/editor-in-chief of Webtorials. Jim Metzler is vice president of Ashton, Metzler & Associates.