The Role of Overlay Networks in Modern IT Infrastructure
“Traditional networking is crumbling under the weight of today’s hyperconnected world, failing to meet the demands of modern enterprises. The future lies in networking as software—specifically, overlay networking—where agility, security, and scalability are embedded in code, reshaping how we connect in the digital age.” – Mike Gorman, NetFoundry CISO and Head of Operations
Overlay networking is a class of solutions that lets information systems stay agile and efficient in the fast-changing environments we all operate in today. There are many ways to achieve these goals, but most leave out the most important aspect: the capabilities required to actually operate the network effectively and efficiently over the lifecycle of the solution or product. NetFoundry has reimagined the overlay network from the ground up and received a patent for the concept in the US and elsewhere. We believe that the NetFoundry Ziti Platform (also available as the open source OpenZiti project) and NetFoundry Cloud provide truly production-class overlay networking: secure, efficient, and operable networks across the heterogeneous estate of today, spanning enterprise, cloud, edge, and mobile assets.
NetFoundry: Overlay Networking Reimagined
- Abstracts Resources: Simplifies and secures connectivity across cloud, enterprise, and edge environments for IT, OT, and IIoT solutions.
- Embeddable Networking-As-Code: NetFoundry Ziti Platform – Purpose-built for designing Zero Trust connectivity into products and solutions.
- Networking As A Service: Available as a service via NetFoundry Cloud; lets you spin up an overlay in minutes – the AWS of secure networking.
- Enterprise-Grade & Production-Ready: Aligns with the FCAPS model, ensuring comprehensive network management.
- Security & Flexibility: Emphasizes zero trust architecture, including trusted identities and microsegmentation for secure, adaptable, and easily integrated solutions.
What is Overlay Networking?
Overlay networking is an abstraction of the underlying network resources that simplifies the implementation of various requirements. In some cases those requirements are physical: large data centers spread resources across virtualization infrastructure, and systems need to appear directly connected even though they sit in different racks or elsewhere. VXLAN (Virtual Extensible LAN) was created for this purpose, and in large data centers it is an enabling technology, allowing much more efficient and faster provisioning of resources in a physically pooled environment.
Virtual Private Networks (VPNs) are a form of overlay network, allowing a logical link to traverse any number of network nodes and routes to connect resources. Various technologies implement VPNs and build specific topologies, including Generic Routing Encapsulation (GRE) tunnels and IP Security (IPsec) connections. All of them share common characteristics: they decouple logical connectivity from the physical network, remove the need to maintain access controls at every node and link along the path, and allow public networks to be used to extend an organization's network.
Why do we use overlay networking?
As infrastructure migrated to the cloud, overlay networking became increasingly important: within a single cloud, between services offered in different clouds, and for interconnecting users and on-premises resources with the cloud. Organizational networks have grown more complex and harder to operate. Time-to-value requirements often make physical interconnection services impractical: commissioning connectivity takes a long time, and longer-term contracts add the business risk of lock-in.
The growing interest in IoT, IIoT, and edge computing now pushes these needs deeper into every network. Networks built for one use case are pressed into service for others, because building and maintaining multiple networks is costly. Third-party devices add to the problem, requiring access to and from them for maintenance and operations while they are scattered throughout the enterprise's physical topology. Running these different use cases in the same physical space places a significant burden on securing each solution and protecting the business and its stakeholders. Overlay networks can help by treating the underlay as a utility, much like power: some important general controls remain, but fine-grained controls no longer have to be implemented device by device, with the operational burden of monitoring them and keeping them synchronized.
Overlay networking also helps meet today's Zero Trust Network Access (ZTNA) requirements. Limiting reachability to individual applications, data stores, or devices, rather than to whole network segments, is microsegmentation. When the overlay has strong authentication and authorization, can add further checks such as security posture assessment, multifactor authentication (MFA), and continuous verification, and produces detailed usage data for anomaly monitoring, a properly implemented overlay network can satisfy ZTNA requirements and support the broader Zero Trust architecture of an organization of any size.
Overlay Network Drawbacks
Recently, fueled by the rise of Zero Trust Network Access (ZTNA) as a concept, a number of solutions have been developed and marketed to provide microsegmentation: reducing the potential connectivity between any two devices on a network to only what the expected outcome requires. Many overlay topologies begin to fail when this is attempted at scale. With the "classic" point-to-point models of traditional networking, the operator is left maintaining a large number of individual components. VPN connections, GRE tunnels, IPsec links, and similar solutions have few good management options. They often fall back on manual configuration of access control lists (ACLs), subnet routing, and other tasks that make the network hard to maintain, reducing reliability and resilience.
Production-level requirements, such as overall traffic monitoring, visibility into connectivity issues, availability of forensic data for security and troubleshooting, and even basic provisioning and audit, become time-consuming and prone to human error. The fundamental requirements may be met, but at very high cost and risk, often tying up senior technical staff in operating the network and integrating it into business operations. Even with those resources expended, overall network availability often suffers.
What Makes a Production Overlay Network?
ISO defined a fundamental framework for network management as part of OSI systems management; the ITU-T later adopted it for its telecommunications management recommendations. The highest level of this framework is summarized as the FCAPS model: a list of the services a production-class network must provide, and, more importantly, must provide reliably and with as little additional effort as possible.
FCAPS
- Fault: The ability to be notified of issues affecting the operations of the system, as well as information relevant to resolving the problem.
- Configuration: Configuring the network is, of course, critical: it provides the required interconnection while preserving the other capabilities.
- Accounting: Providing detailed information on the utilization of resources for cost purposes, as well as input to capacity engineering and other maintenance processes.
- Performance: Detailed information about the system's operation is critical, and being able to monitor and measure the impact of changes made to the network is a key component of the overall success of the system and its users.
- Security: Particularly today, information security is critical to every organization and to the public at large.
These are not the functional requirements of the overall solution; a network exists to allow communication and the flow of information. They are the underlying requirements for the network component of an information system to operate efficiently and effectively, and they are far too often not considered, leading to higher costs and lower reliability overall.
NetFoundry Production Class Overlay Networking
NetFoundry offers a Network as a Service (NaaS) solution, NetFoundry Cloud, based on the NetFoundry Ziti Platform. Note: the platform is also available as the open source project OpenZiti, sponsored and maintained by NetFoundry. The original Ziti platform and architecture were envisioned as a complete networking solution and provide the information and features required of a full production-quality network. NetFoundry Cloud adds enhancements that improve the usability of those features, along with the support and operations required to maintain production-level reliability and resilience.
Let’s review the FCAPS items and the features and functionality of NetFoundry Cloud.
Fault: The NetFoundry network has a control layer that collects and emits information from across the network. There are many components: nodes and processes such as the Network Controller itself and the Routers, as well as links, sessions, and the various processes that work together to provide the overall functionality. The Network Controller emits faults, along with other events, for all of these subcomponents. In addition, each connection (fabric circuit) is recorded as a success or failure, with details of the failure type. This data allows the network to be monitored in operation and provides real-time information when faults are detected.
Configuration: Configuration of a NetFoundry network instance combines the underlying Ziti concepts with the value NetFoundry adds. Effective configuration involves several components: policies, service definitions, and attributes that group and manage identities and services. The NetFoundry Console makes this simple, presenting all the information in a clear format through a web interface. NetFoundry has also built integrations that import from IAM systems, such as Active Directory, to provision identities automatically. The Console allows every aspect of a network to be configured without resorting to CLIs or textual configuration, and for customized integrations all of the Console's functionality is available via RESTful APIs.
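To make the policy model concrete, here is an added example written for this article; it is not OpenZiti's code and not the NetFoundry Console or API. It is a small Go model of attribute-based service policies that borrows Ziti's role-selector notation (`#attr` for an attribute, `@name` for one named entity, `#all` for everything) but uses a simplified any-match evaluation rather than the real controller's semantics. The identities, services, attribute names and policy names are all invented for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Added illustration for this article (not OpenZiti's code): a minimal model of
// attribute-based service policies. Role selectors follow Ziti's notation
// ("#attr" = attribute, "@name" = one entity, "#all" = everything); evaluation
// is a simplified "any selector matches" rule. All names below are invented.

type Identity struct {
	Name       string
	Attributes []string // role attributes, e.g. "finance"
}

type Service struct {
	Name       string
	Attributes []string
}

// ServicePolicy grants the identities selected by IdentityRoles the right to
// Dial (consume) or Bind (host) the services selected by ServiceRoles.
type ServicePolicy struct {
	Name          string
	Type          string // "Dial" or "Bind"
	IdentityRoles []string
	ServiceRoles  []string
}

// roleMatches reports whether any selector matches an entity by name ("@")
// or by one of its attributes ("#").
func roleMatches(selectors []string, name string, attrs []string) bool {
	for _, sel := range selectors {
		switch {
		case sel == "#all":
			return true
		case strings.HasPrefix(sel, "@"):
			if sel[1:] == name {
				return true
			}
		case strings.HasPrefix(sel, "#"):
			for _, a := range attrs {
				if a == sel[1:] {
					return true
				}
			}
		}
	}
	return false
}

// VisibleServices returns the names of the services an identity is authorized
// to reach for the given policy type. Anything not returned is simply not
// reachable for that identity, however well it authenticated.
func VisibleServices(id Identity, svcs []Service, pols []ServicePolicy, typ string) []string {
	seen := map[string]bool{}
	for _, p := range pols {
		if p.Type != typ || !roleMatches(p.IdentityRoles, id.Name, id.Attributes) {
			continue
		}
		for _, s := range svcs {
			if roleMatches(p.ServiceRoles, s.Name, s.Attributes) {
				seen[s.Name] = true
			}
		}
	}
	out := make([]string, 0, len(seen))
	for n := range seen {
		out = append(out, n)
	}
	sort.Strings(out)
	return out
}

// DemoVisibility evaluates a constructed inventory (invented for this example)
// and returns identity name -> the services that identity may dial.
func DemoVisibility() map[string][]string {
	identities := []Identity{
		{"alice", []string{"employees", "finance"}},
		{"bob", []string{"employees"}},
		{"pos-terminal-7", []string{"retail-devices"}},
	}
	services := []Service{
		{"erp-db", []string{"finance-apps"}},
		{"wiki", []string{"intranet"}},
		{"payments-api", []string{"retail-backend"}},
	}
	policies := []ServicePolicy{
		{"finance-dial", "Dial", []string{"#finance"}, []string{"#finance-apps"}},
		{"staff-dial", "Dial", []string{"#employees"}, []string{"#intranet"}},
		{"devices-dial", "Dial", []string{"#retail-devices"}, []string{"#retail-backend"}},
		// A Bind policy lets a host offer a service; it grants no right to dial anything.
		{"payments-bind", "Bind", []string{"@payments-host"}, []string{"@payments-api"}},
	}
	result := map[string][]string{}
	for _, id := range identities {
		result[id.Name] = VisibleServices(id, services, policies, "Dial")
	}
	return result
}

func main() {
	for name, svcs := range DemoVisibility() {
		fmt.Printf("%-15s can dial: %v\n", name, svcs)
	}
}
```

Note that `bob` authenticates exactly like `alice`, yet `erp-db` does not appear in his result at all: with no Dial policy linking one of his roles to the service, it is not merely forbidden but absent, which is the microsegmentation the text describes. Grouping by attribute rather than by name is what keeps this manageable at scale; adding a new finance user is one attribute on one identity, not a new ACL entry on every node in the path.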
Accounting: Utilization data within the NetFoundry system is highly granular. Fundamentally, the system recognizes that the purpose of the network is to allow identities to access services, so which identity connected to which service is recorded in utilization data at one-minute granularity. Because identities are cryptographically protected and services are explicitly configured, this allows not only accounting for service usage but also strong attribution (nonrepudiation) of that access, which enhances the security function.
Performance: The same granular data that accounting relies on is critical to the performance of the network. Each attempted connection is logged as a success or failure, and the defined failure causes give immediate understanding for troubleshooting and correction. The data is tagged with many relevant attributes, allowing the network to be "sliced" by service, node, link, and so on; aggregating these through simple views provides deep insight into overall operations and performance. The same information can be used to understand usage patterns and feed back into the configuration function for continual improvement and optimization.
Security: Ziti was envisioned from the very beginning to provide highly secure connectivity to information. The identities that access or serve information are cryptographically secured with X.509 certificates, and several additional protections are available, including multifactor authentication (MFA), security posture checks, and PKCS#11 as an interface to hardware tokens and other more secure key-storage systems. Each circuit is encrypted end to end between endpoints with ephemeral keys, and is doubly encrypted while traversing the fabric, since circuits are carried inside links that are themselves encrypted. All links, and all connections from identities to the network, are verified with mutual TLS (mTLS): each side verifies the other's identity, rather than only the client validating the server, as in ordinary HTTPS. The policies configured in the network allow only authenticated and authorized identities to "see" a service and access it. For identities that are not authorized, even if authenticated, the service is simply not reachable. There are many more aspects to the security of NetFoundry NaaS instances, along with capabilities to perform all security operations functions.
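The mutual-TLS check described above, as an added Go example that is not NetFoundry's or OpenZiti's code: a throwaway CA issues a server certificate and a client certificate, and a loopback connection is made in which the server requires and verifies the client's certificate while the client verifies the server's. The CA name (`example-overlay-ca`) and the identity names (`edge-router-1`, `device-42`) are invented for the example; Go's standard library covers everything needed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Added illustration for this article, not OpenZiti's or NetFoundry's code: a
// throwaway CA issues a server and a client certificate, then one loopback TLS
// connection is made in which EACH side verifies the other (mutual TLS).
// The CA name and identity names are invented.

// issue generates a P-256 key and a one-hour certificate for cn: a self-signed
// CA when parent is nil, otherwise a leaf signed by parent with the given EKU.
func issue(cn string, serial int64, eku x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return tls.Certificate{}, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku},
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)}, // the loopback address we dial
	}
	if parent == nil { // self-signed CA: may sign certificates, has no EKU of its own
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		tmpl.ExtKeyUsage, parent, parentKey = nil, tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { return tls.Certificate{}, nil, err }
	cert, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert, err
}

// MutualTLSExchange returns the identity (certificate CN) the server read from
// the client's verified certificate. With presentClientCert false the client
// still verifies the server but offers no identity, and the handshake fails.
func MutualTLSExchange(presentClientCert bool) (string, error) {
	caTLS, ca, err := issue("example-overlay-ca", 1, 0, nil, nil)
	if err != nil { return "", err }
	caKey := caTLS.PrivateKey.(*ecdsa.PrivateKey)
	pool := x509.NewCertPool() // the overlay's private trust root, used by both sides
	pool.AddCert(ca)
	serverTLS, _, err := issue("edge-router-1", 2, x509.ExtKeyUsageServerAuth, ca, caKey)
	if err != nil { return "", err }
	var clientCerts []tls.Certificate
	if presentClientCert {
		clientTLS, _, err := issue("device-42", 3, x509.ExtKeyUsageClientAuth, ca, caKey)
		if err != nil { return "", err }
		clientCerts = []tls.Certificate{clientTLS}
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{serverTLS},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the server authenticates the client
		ClientCAs:    pool,
	})
	if err != nil { return "", err }
	defer ln.Close()
	errc := make(chan error, 1) // the server side's outcome
	go func() {
		c, err := ln.Accept()
		if err != nil { errc <- err; return }
		defer c.Close()
		tc := c.(*tls.Conn)
		if err := tc.Handshake(); err != nil { errc <- err; return } // no valid client cert ends here
		// The identity comes from the verified certificate, not from anything the client claims.
		fmt.Fprint(tc, tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
		errc <- nil
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		Certificates: clientCerts, // the client's identity, if it has one
		RootCAs:      pool,        // the client authenticates the server
	})
	if err != nil { return "", err }
	defer conn.Close()
	buf := make([]byte, 64)
	n, readErr := conn.Read(buf)
	if err := <-errc; err != nil { return "", err }
	if readErr != nil { return "", readErr }
	return string(buf[:n]), nil
}

func main() {
	id, err := MutualTLSExchange(true)
	fmt.Println("client with certificate:", id, err)
	_, err = MutualTLSExchange(false)
	fmt.Println("client without certificate:", err)
}
```

With a client certificate the server learns the identity `device-42` from the verified certificate chain, not from any field the client asserts at the application layer; without one the client has still verified the server, but the server's handshake fails before any application data flows, which is the difference between ordinary HTTPS and the mTLS the text describes. A real deployment would add what this example omits: revocation or short certificate lifetimes, and private keys kept in hardware via the PKCS#11 path mentioned above.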
NetFoundry Cloud: Zero Trust Overlay Networking As A Service
As companies and organizations of all types continue to evolve the security and resilience of their information systems, the networking component is critical. Not only interconnecting systems, but doing so efficiently, resiliently, and securely, requires considering a broad range of factors and functionality. NetFoundry has reimagined the network, using underlay networks as a utility for gross connectivity and applying fine-grained access in real time, simply and easily, with all the functionality of a true production network solution.
NetFoundry NaaS can be an accelerator. As ZTNA guidance often says, start with the most important assets. NetFoundry can coexist with any underlay and grow to whatever the future requirements may be, so a specific use case often begins the NetFoundry journey. Once implemented, the solution gives new flexibility to enterprise or product communication planning without sacrificing any of the operational necessities. Further integrations and a growing understanding of the solution benefit not only new projects but existing ones, continuing to improve the performance and resilience of the information system.
We built the NetFoundry platform and Ziti architecture from the ground up, based on a patent awarded to our founder, to deliver a programmable, secure, and performant network. Surveying the available solutions, we find ourselves unique. Beyond the full suite of functions noted above, we provide SDKs in multiple programming languages that allow these functions to be embedded directly into software. These SDKs and the resulting functionality are truly open source, so they can be built into applications without licensing and deployed on any Ziti network. They can be built into applications and devices as interface options, as the Caddy project has done. Our vision of the networking future is secure by default, going beyond secure by design, with the ability to implement network communications of all kinds over all networks. We have given this to the community in the hope of moving the world toward a more secure networking future, empowering new businesses and allowing existing ones to become more secure while increasing efficiency, rather than hindering innovation and growth.