Digital transformation is forcing organizations to move away from traditional approaches and into application specific networking. With constant change in applications and infrastructure, network agility is paramount, but networks such as MPLS and the equipment that drives them have remained largely unchanged. While SD-WANs and similar technologies have introduced some abstraction into site-to-site connectivity, they are often location, hardware, and service-provider specific. The modularity that makes thriving in a world of digital transformation possible requires a paradigm shift, where network edges are no longer defined by physical locations, but by applications. In application specific networking, application endpoints define the edges and application contexts programmatically define the networks.
We make it possible to spin up highly secure, performant, application-specific networks at scale using web-based orchestration tools and APIs. These “AppWANs” abstract the network in the same way that containers and virtual machines abstract applications from underlying compute infrastructure. Moreover, because digital transformation is a gradual process, NetFoundry’s technology and orchestration tools give businesses the ability to meet the needs of the digitally transformed application environment, while inter-working with existing networks and systems to continue to serve current needs. As business services are modularized in a transformation cycle, AppWANs can be spun up, segmented, and adjusted in minutes to secure and connect them to the appropriate context within the company ecosystem or over the Internet.
Application Specific Networking: Secure By Design
Each application specific network is fortified by a military-grade, layered security architecture which isolates and protects data flows, resulting in a private, dark network, microsegmented by application. In an ecosystem defined by application specific networking, security and compliance needs are defined by application, rather than the combination of application, network, and security infrastructure. This eliminates potential vulnerabilities introduced by separate policies.
Security Layer 1: Authenticate-Before-Connect
By design, application specific networking in NetFoundry’s model authenticates endpoints before the endpoints are given network access. This authenticate-before-connect security paradigm is becoming a best practice, with advocates including the Cloud Security Alliance (“Software Defined Perimeter”), US Defense Information Systems Agency (“black cloud”), and Google (“BeyondCorp”).
Security Layer 2: Least Privilege Access (LPA)
Each authenticated endpoint is given only the access it needs, as defined by the security policies of the business. LPA enables centralized, application-level micro-segmentation (one IAM policy across applications and the network). For example, an IoT device may be diverted to a honeypot network depending on its identity or location.
Security Layer 3: Dark Network
Protected endpoints open an outbound connection to the NetFoundry overlay fabric. Our application specific networking architecture denies any packets which have not been authorized, making the network dark. Even if a device inside the network is vulnerable, application specific networks mask the deficiency by rejecting externally originated connection attempts before they can reach the vulnerable device.
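The three layers above (authenticate before connect, least-privilege policy with honeypot diversion, and a dark fabric that drops anything without an authorized session) can be modelled in a few dozen lines. This is an added illustration, not NetFoundry code; the page describes no identity format, policy language or wire protocol, so the HMAC challenge, the identities, the policy records and the service names are all invented for the example.

```python
"""Toy authenticate-before-connect, least-privilege, dark overlay (Security Layers 1-3).
Added illustration only; identities, keys, policy and protocol here are all invented."""
import hashlib
import hmac
import secrets

# Constructed registry of enrolled endpoints: identity -> shared secret.
ENROLLED = {"cam-17": b"k-cam-17", "laptop-ann": b"k-laptop-ann"}
# Constructed IAM policy: per identity, the network it lands on, the services it
# may reach, and the location it is expected to connect from.
POLICY = {
    "cam-17": {"network": "iot-video", "services": {"nvr:554"}, "home": "plant-a"},
    "laptop-ann": {"network": "corp-apps", "services": {"crm:443", "erp:8443"}, "home": "hq"},
}
HONEYPOT = "honeypot"

def client_proof(endpoint: str, nonce: bytes) -> bytes:
    """What an enrolled endpoint computes for a challenge; an outsider lacks the key."""
    return hmac.new(ENROLLED[endpoint], nonce, hashlib.sha256).digest()

class Fabric:
    """Overlay fabric: it only sees sessions that endpoints initiated outbound."""
    def __init__(self):
        self.sessions = {}  # session token -> (identity, network)

    def authenticate(self, endpoint: str, location: str, nonce: bytes, proof: bytes):
        """Layer 1: no session, hence no network access, until the proof checks out."""
        key = ENROLLED.get(endpoint)
        expected = hmac.new(key, nonce, hashlib.sha256).digest() if key else b""
        if not key or not hmac.compare_digest(proof, expected):
            return None
        # Layer 2: an unexpected location steers the endpoint to the honeypot network.
        home = POLICY[endpoint]["home"]
        network = POLICY[endpoint]["network"] if location == home else HONEYPOT
        token = secrets.token_hex(8)
        self.sessions[token] = (endpoint, network)
        return token

    def forward(self, token, service: str) -> str:
        """Layer 3: anything without an authorized session is dropped (dark network)."""
        if token not in self.sessions:
            return "drop"
        endpoint, network = self.sessions[token]
        if network == HONEYPOT:
            return "honeypot"
        if service not in POLICY[endpoint]["services"]:
            return "deny"  # authenticated, but outside least-privilege policy
        return f"{network}:{service}"
```

An unauthenticated packet never gets further than `forward` returning `"drop"`, which is what "dark" means here; a valid endpoint seen from the wrong location lands in the honeypot network even though its credentials are good.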
Security Layer 4: Data-In-Motion Protection
Application specific networking uses strong encryption, on demand. NetFoundry partnered with Dispersive Technologies to incorporate Dispersive session splitting technology, which is currently used for the transmission of US power grid data, and fragments each individual data session into multiple, individually encrypted data flows. Our web-based orchestration console and APIs enable administrators to centrally manage encryption and session splitting on an application-by-application basis.
Security Layer 5: Move the Attack Surface Away From the Business
NetFoundry manages infrastructure at data centers around the world, including data transit nodes, proxies, session controllers, and security infrastructure. These data centers move the attack surface to the highly resilient and protected NetFoundry overlay fabric, and away from business networks, assets, and data.
Application Specific Networking: Performant By Design
Traditional networking solutions such as MPLS and SD-WAN lose control of data once it is routed to a destination that is not front-ended by WAN CPE, relying on best-effort Internet over those routes. Conversely, application specific networking using NetFoundry’s platform optimizes data across the Internet, assuring quality of experience (QoE) with a quad-layered architecture.
QoE Layer 1: Supplementing BGP-Based Routing
BGP, the dominant inter-AS routing protocol, is tolerant of latency and packet loss until they result in “outage” conditions, and ISP routing is often built to optimize costs over performance. Application specific network endpoints work on top of BGP to adaptively route across the best performing paths on NetFoundry’s global overlay fabric (multiple tier one Internet backbones).
QoE Layer 2: Proxying TCP
TCP, the protocol underlying most Internet data, suffers from well-documented problems which constrain performance, particularly when there is material latency or packet loss. NetFoundry overcomes this issue in application specific networking by proxying TCP, substituting a performant method over UDP with reliable delivery mechanisms, dramatically outperforming traditional single-path VPNs in terms of throughput and latency.
QoE Layer 3: Hybrid WAN Local Access
NetFoundry’s optimizations for BGP and TCP significantly improve “middle mile” performance. However, application specific networks optimize the local access segment as well. Each endpoint can aggregate multiple networks such as wired and wireless into a single overlay according to application policies, improving performance, throughput, and cost. In addition to providing better access network resiliency, this multiplies route diversity, enabling the application specific network to utilize more paths to meet the QoE requirements of the application.
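QoE Layers 1 and 3 together describe an endpoint that holds several candidate paths (each local access link towards each fabric entry point) and steers each application onto the one that currently meets its policy. The following added example models that selection; it is not NetFoundry's algorithm, and the probe metrics, policy thresholds, scoring and hysteresis margin are all invented for illustration.

```python
"""Toy adaptive overlay path selection per application (QoE Layers 1 and 3).
Added illustration only; the metrics, thresholds and path names are invented."""
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class PathStats:
    access: str         # local access link the endpoint aggregates (wired, LTE, ...)
    fabric_node: str    # overlay fabric entry point reached over that link
    latency_ms: float   # measured by the endpoint's own probes (constructed values)
    loss_pct: float

# Constructed per-application QoE policy: ceilings a path must meet, and how
# heavily loss counts against it relative to latency.
APP_POLICY = {
    "voice": {"max_latency_ms": 80.0, "max_loss_pct": 1.0, "loss_weight": 30.0},
    "backup": {"max_latency_ms": 400.0, "max_loss_pct": 5.0, "loss_weight": 5.0},
}
# Only move a flow when the new best path is at least this much better than
# the one it is on, so noisy measurements do not make it flap.
HYSTERESIS = 0.15

def score(p: PathStats, policy: dict) -> float:
    """Lower is better: latency plus a policy-weighted loss penalty."""
    return p.latency_ms + policy["loss_weight"] * p.loss_pct

def eligible(p: PathStats, policy: dict) -> bool:
    return p.latency_ms <= policy["max_latency_ms"] and p.loss_pct <= policy["max_loss_pct"]

def select_path(app: str, probes: List[PathStats],
                current: Optional[PathStats] = None) -> Optional[PathStats]:
    """Choose one application's path across every access-link x fabric-node combination.
    BGP already decided how each probe reached its fabric node; this layer only picks
    among the measured results. Returns None when no path satisfies the policy."""
    policy = APP_POLICY[app]
    ok = [p for p in probes if eligible(p, policy)]
    if not ok:
        return None
    best = min(ok, key=lambda p: score(p, policy))
    if current in ok and score(best, policy) > (1 - HYSTERESIS) * score(current, policy):
        return current  # improvement too small to justify moving the flow
    return best

# Constructed probe results from one endpoint with a wired and an LTE uplink.
PROBES = [
    PathStats("wired", "fabric-east", 35.0, 0.2),
    PathStats("wired", "fabric-west", 60.0, 0.1),
    PathStats("lte", "fabric-east", 70.0, 2.5),
    PathStats("lte", "fabric-west", 95.0, 0.5),
]
```

Because eligibility is checked per application, the same degraded wired link can leave voice with no acceptable path while a backup transfer carries on unaffected, which is the per-application steering the text describes.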
QoE Layer 4: Direct Routing
Since application specific networks are carrier agnostic, provide embedded security, and do not require custom CPE, businesses can directly connect any endpoint or site to its destination. The latency added by the “trombone” routing above is one of the major causes of QoE problems for SaaS and IaaS services. Although SD-WAN could theoretically route directly via Nashville, for example, the policy will most often steer data to the MPLS network, because the SD-WAN cannot control security or performance once it hands the data off to the Nashville ISP. NetFoundry’s embedded, Internet-native security and performance optimization enables the business to route isolated application specific network traffic directly from Nashville.