Heavy Networking

Fortinet sponsors today’s Heavy Networking podcast. You probably know Fortinet as a firewall company, but today’s conversation focuses on Fortinet’s Secure SD-WAN capabilities. Fortinet’s offering combines SD-WAN and security features such as Next-Gen firewall in the same appliance, including key features such as application identification, dynamic path selection, and SLA monitoring. Joining us today to talk about Secure SD-WAN are Nirav Shah, senior director of products and solutions; and Alex Samonte, director of technical architecture. We discuss: * The evolution of business drivers for SD-WAN from cost savings to application optimization * How Fortinet leverages its application ID capabilities from its NGFW for SD-WAN * Fortient’s ability to decrypt and inspect SSL/TLS traffic for SD-WAN and security policies * Centralized management for SD-WAN and security from one console * Hardware acceleration with purpose-built ASICs * How Fortinet supports public cloud use cases * More Show Links: Fortinet Fortinet SD-WAN Solutions Fortinet on Twitter

Understanding how the Internet carries your traffic is no longer optional. The Internet is much of your WAN, and the Internet can have problems just like any wide area network. Beyond the Internet, the public cloud providers have their own networks. Guess what? You need to understand how those are behaving as well. Sponsor ThousandEyes is here to explain how you can understand Internet performance more deeply. Before we get into that part of the discussion, we’ll review the data turned up by their research arm in the second annual Cloud Performance Benchmark report. The report covers AWS, Azure, GCP, AliCloud, and IBM. That is, how do the  public clouds perform from a networking perspective? And what does that mean for you as you work with application architects placing workloads in the cloud? Our guests are Archana Kesavan, Director, Product Marketing; and Angelique Medina, Director, Product Marketing at ThousandEyes. We discuss: * Why ThousandEyes decided to develop this annual report * How it measures cloud provider performance * What’s new in the second report, such as the inclusion of performance details on AliCloud and IBM * Result highlights and comparisons of cloud performance across geographical regions * The introduction of Internet Insights, a real-time view of global Internet health * More Show Links: Cloud Performance Benchmark – ThousandEyes Internet and Cloud Intelligence Research – ThousandEyes

Internet Exchanges (IXs) perform a core function of allowing provider networks to exchange traffic and data. IXs are key to the functioning of the Internet. However, there are relatively few physical locations in the United States where those exchanges exist. That means traffic may have to trombone or take non-optimal routes to get from one network to another. Thus, the emergence of edge exchanges. An edge exchange is a micro-data center positioned at the network operator side of a last-mile networks. That network can be wired or mobile. The goal of an edge exchange is to provide direct interconnection and traffic exchange between provider networks closer to end users and mobile towers. Our guest to walk us through the ins and outs of edge exchanges is Alex Marcham, Technical Marketing Manager at Vapor IO. We discuss: * The role of IXs in moving Internet traffic * How edge exchanges differ from Internet exchanges (IXs) * Why edge exchanges have emerged and the problems they are meant to address * The Linux Foundation’s LF Edge project * More Sponsor: Ixia Today’s show is sponsored in part by Ixia. Join Ixia for The Network Makeover, a unique event featuring >50 giveaways and tips & tricks designed to help you turn network data into dynamic network intelligence. Register now and then tune in December 2-13 for daily chances to win. Go to  www.ixiacom.com/packetpushers to sign up. Sponsor: Pilot Fiber Pilot Fiber is hiring network engineers for support and infrastructure roles! With hundreds of happy customers in NYC, we’re out to prove that a happy team means happier customers.  Pilot is looking for technical pros who share a passion for driving an unprecedented end-to-end experience. Find out more at pilotfiber.com/packetpushers. Sponsor: Tufin Tufin has pioneered a policy-based approach to network security management using automation and analytics. As a result, you can make network changes in minutes instead of days, reliably and securely. Tufin. The Security Policy Company. Get details at www.tufin.com. Show Links: Alex Marcham on Twitter Network Architecture 2020 – Alex’s Blog LF Edge – Linux Foundation Datanauts 135: An Introduction To Edge Computing – Packet Pushers PQ Show 105: Will 5G Improve Rural Broadband? – Packet Pushers

Today on Heavy Networking our subject is: Stop treating your wide area network like a network. What does that mean? Is it a Zen koan? If we meditate on the inherent contradictions in that sentence, will we achieve enlightenment? Maybe not. But maybe we will learn to let go of old notions about how to design and run a WAN as more and more of our applications and infrastructure vanish into the cloud. Open Systems is our sponsor for today’s episode and our Zen master for this discussion is Silvan Tschopp, head of solutions architecture at Open Systems. We discuss: * What Open Systems means by not treating the network like a network * How SaaS and public cloud affect WAN design * Using SD-WAN to get around traditional WAN limitations * Benefits of integrating SD-WAN and security controls * Potential tradeoffs that come with weighing down SD-WAN with features * More Show Links: Open Systems Silvan Tschopp on LinkedIn Heavy Networking 474: Find Breaches With Continuous Monitoring From Open Systems (Sponsored) – Packet Pushers Heavy Networking 466: Securing The Network That’s Everywhere With Open Systems (Sponsored) – Packet Pushers Heavy Networking 446: How Open Systems Integrates Security And SD-WAN As A Service (Sponsored) – Packet Pushers

Managed Service Providers (MSPs) are trying to sell SD-WAN services by convincing you that you don’t have the staff, training, or competence to operate an SD-WAN. On today’s Heavy Networking, Greg Ferro and Ethan Banks pick this argument apart to see if there’s anything to it. Short answer? There really isn’t. Greg and Ethan discuss: * Why SD-WAN is well-suited to being operated in house * Why MSPs are not well-suited to managing a dynamic technology such as SD-WAN * The mistaken notion that MPLS circuits are a must-have in your WAN * Why it’s bad for your business to outsource a developing technology to a provider * More This discuss is based around the whitepaper “SDWAN: Get A Managed Service Or Do It Yourself? (Your Incompetence Is My Opportunity” by Greg Ferro. The whitepaper is available for Ignition subscribers. Membership is $99 per year. Sponsor: Tufin Tufin has pioneered a policy-based approach to network security management using automation and analytics. As a result, you can make network changes in minutes instead of days, reliably and securely. Tufin. The Security Policy Company. Get details at www.tufin.com. Sponsor: Ixia Join Ixia for The Network Makeover, a unique event featuring more than 50 giveaways, plus tips and tricks designed to help you turn network data into dynamic network intelligence. Register now and then tune in December 2-13 for daily chances to win. Go to  www.ixiacom.com/packetpushers to sign up. Show Links: Packet Pushers Ignition SDWAN: Get A Managed Service Or Do It Yourself? (Whitepaper – Subscription required)

TRex is an open source traffic generator backed by Cisco. Joining us on Heavy Networking today is Hanoch Haim, Principal Engineer with Cisco, and the lead developer on the TRex project. This is not a sponsored show. I heard about TRex from an audience member. I thought it was a really interesting open source alternative to commercial traffic generators that cost six figures. I reached out to Hanoch, and he was kind enough to join me for this episode to talk about TRex. We discuss: * How TRex works * Use cases for traffic generation in testing * How to deploy TRex * Performance limits * Why Cisco put this project into open source instead of selling it * More Show Links: TRex  – Cisco Systems TRex Docs TRex on GitHub TRex Forum – Google Groups PQ Show 85: FD.IO & VPP Open Virtual Switch – Packet Pushers TRex: An Open Source Traffic Generator – YouTube TRex as a stateful traffic generator – Cisco Presentation TRex traffic generator from Userspace 2015 in Berlin – Slideshare Adding stateless support to TRex – Slideshare Adding stateless support to TRex (video from DPDK Project) – YouTube

Today on Heavy Networking we talk security, both on premises and in the public cloud. The network you build and run on premises and in the cloud are expressly designed to connect users and customers to applications and data, but they’re also a vehicle for malware, exploits, and intruders. The network is being asked to do more filtering, more scanning, more blocking, more decision-making to try keep out the bad stuff, but we’ve also seen the limits of anti-virus, anti-malware, intrusion prevention, and Next-Gen Firewalls; even if these products are 99.999 percent effective, one mistake is all an attacker needs to get a toehold. On today’s sponsored show we’re going to talk with ExtraHop about network detection and response (NDR), with a focus on public cloud. Our guest is ExtraHop founder and CTO Jesse Rothstein. He’s here to talk about how NDR differs from prevention, how to use it in the cloud, ExtraHop’s ability to take advantage of native cloud traffic mirroring, and more. We discuss: * The shift in security from prevention to detection * How to leverage the network as a source of ground truth for security investigations * Getting useful visibility in hybrid environments * The benefits of cloud-native traffic mirroring * Dealing with information overload * Behavioral modeling and analysis * Traffic decryption challenges and solutions * More Show Links: ExtraHop ExtraHop Reveal(x) Cloud – ExtraHop Cloud-Native Network Detection & Response – ExtraHop Tech Bytes: How ExtraHop Leverages Cloud-Native Traffic Mirroring For Security (Sponsored) – Packet Pushers

Welcome to Heavy Networking from the Packet Pushers Podcast network. Today’s show is all about Digital Transformation. CIOs, executives, analysts, and product managers talk about digital transformation the way exercise junkies talk about CrossFit: as the way and the truth and the blueprint for…what, exactly? Businesses already use technology. Things are pretty well digitized. Employees have laptops and mobile devices, and IT teams build and run elaborate systems to move and process data. Does digital transformation just mean adopting the latest gadget and moving data faster, or is there something more? That’s the question we’ll explore on today’s episode. We’ve brought on several guests to help puncture the hot air balloon of digital technology and see if there’s anything useful inside: Paul Beyer, Infrastructure Architect; Tobias Metz, Consultant Network Engineering & Training Coordinator; and Emma Cardinal-Richards, Senior Network Architect. In our conversation we: * Try to assemble a working definition of digital transformation * Explore how the idea of digital transformation differs from previous eras of technology adoption * See if we can tie the notion of transformation to particular technologies * Discuss the impacts of digital transformation on engineers Sponsor: ExtraHop ExtraHop is the enterprise cyber analytics company delivering performance and security from the inside out. ExtraHop offers complete visibility with machine learning to help you make quick, confident decisions about your IT environment. Explore the ExtraHop Performance Platform at extrahop.com/packetpushers. Sponsor: ITProTV Get over in-depth technical training from ITProTV. ITProTV offers online instruction in CompTIA, Cisco, VMWare, Microsoft and more. You can stream courses live and on demand on your favorite device. Sign up at itpro.tv/packet and save 25%. Use the code PACKET25 when you check out. Show Links: Paul Beyer on LinkedIn Paul Beyer’s blog Tobias Metz on LinkedIn Emma Cardinal-Richards on LinkedIn Emma Cardinal-Richards on Twitter

DDoS is a significant problem. The volume of DDoS traffic is increasing by leaps and bounds, enabled in part by botnets of compromised hosts such as IoT devices. On today’s sponsored Heavy Networking, we talk with Juniper Networks and Corero about how they’ve partnered on a unique solution to thwart DDoS attacks at the network edge. The solution encompasses Juniper’s MX routers and Corero’s SmartWall Threat Defense Director (TDD). Juniper and Corero’s solution can be used by service providers, enterprises, and in the cloud. Our guests are Ashley Stephenson, CEO of Corero; and Mark Denny, Product Manager, Senior Staff at Juniper Networks. We discuss: * The growing frequency and sophistication of DDoS attacks * The integration between MX routers and Corero’s SmartWall TDD * How Junos and Corero coordinate on attack detection and response * Leveraging the MX router’s ASIC * How the solution filters malicious traffic from legitimate packets * The benefits of DDoS mitigation at the network edge * More Show Links: Juniper Networks Corero Juniper Networks And Corero: A Modern Approach To DDoS Protection At Scale – Juniper Networks (PDF) Juniper MX and Corero SmartWall Demo – YouTube

Today’s Heavy Networking dives into LTE on the WAN with sponsor Cradlepoint. Cradlepoint provides wireless WAN networking using LTE for enterprise and public safety customers with a variety of use cases, including branch and remote office connections, fleet tracking, IoT, and more. The company also offers a cloud management platform to monitor and manage wireless connectivity. Our guest is Marc Bresniker, Vice President of Product Management at Cradlepoint. Marc joins us to provide some background on using LTE for WAN connections and the benefits of using Cradlepoint’s LTE solutions as part of your SD-WAN strategy. We discuss: * LTE as a WAN technology * Speeds and capabilities of LTE * Managing LTE costs * How LTE enables IoT and mobility * Using Cradlepoint for primary and secondary SD-WAN connections * Customer case studies * More Learn more about Cradlepoint’s cloud-managed LTE solutions at cradlepoint.com/packetpushers. Show Links: Cradlepoint Cradlepoint Blog Cradlepoint on Twitter Cradlepoint on Facebook Cradlepoint on YouTube

Today on Heavy Networking we go deep on segment routing. Segment routing is way to encode into a packet the path it should take through the network. And why would you want to do that? Lots of reasons, including traffic engineering and service chaining. Sound scary? Step all over everything you think you know about dynamic routing and path selection? To make sure you leave this podcast with a head full of segment routing knowledge is our guest, Ron Bonica, Distinguished Engineer at Juniper Networks, our sponsor for today’s detailed look into SR, SRv6, SRv6+, path computation, recovering from failure states, and more We discuss: * An overview of segment routing and its use cases * Ingress, transit, and egress nodes in an SR domain * Key differences among segment routing options, including SR-MPLS, SRv6, and SRv6+ * How segment routing works with nodes that aren’t in an SR domain * Hardware and software requirements to use segment routing * More This is deep, detailed show, so grab a stack of virtual donuts and a pot of coffee, and let’s go down the rabbit hole. And if you want even more information, check out the list of resources below. Show Links: Juniper Networks Segment Routing Segment Routing (SR) and Traffic Engineering (TE): Part One – Juniper Forums Segment Routing (SR) And Traffic Engineering (TE): Part Two – Juniper Forums SRv6+ Segment Routing Headers – Why We Want Them – Juniper Forums A Segment Routing Renaissance – Juniper Forums Segment Routing: Policies, Paths, and Segments – Juniper Forums Segment Routing (SR) With Multiprotocol Label Switching (MPLS) – Juniper Forums The IPv6 Compressed Routing Header (CRH) – IETF

Today on Heavy Networking, a network transformation. OK, that sounds like marketing, but it isn’t. This is a discussion about a migration to Cisco ACI and VMware NSX technologies, paired with some automation, by a network engineer who was new to both products. It wasn’t all beers and cheers on the way to success. There were rocks and pitfalls. Joining us for detailed conversation about running ACI and NSX in the same data center is Derek Wilson, a Principal Network Consultant at a big company you’ve heard of but we won’t mention. We discuss: * The impetus for a hardware refresh that led to ACI * Why he chose a spine-leaf design * How ACI simplified the physical infrastructure * Why the organization chose NSX for the overlay * How ACI and NSX interact (and don’t) * The learning curves on each product * How the team decided between Terraform and Ansible for automation tooling * More Sponsor: Cumulus Networks Cumulus Networks is announcing a brand-new networking certification: the Cumulus Certified Open Networking Professional. Learn Linux networking fundamentals, including essential concepts and commands behind Linux-based open networking, and master the Cumulus Core–everything you need to know to become proficient in Cumulus Linux. Get details at cumulusnetworks.com/cert. Sponsor: InterOptic InterOptic is your reliable data interconnect company. Stop paying OEM prices for optics, and get brand-equivalent transceivers at a fraction of the cost.  Find out more at Interoptic.com/packet-pushers. Show Links: Setting the Record Straight: Confusion about ACI on VMware Technologies – Cisco Systems Heavy Networking 438: VMware NSX Evolution For Cloud Networking And Security (Sponsored) – Packet Pushers PQ 137: WhiteSpider & Real-World Cisco ACI Deployments (Sponsored) – Packet Pushers

Greg and Ethan are here today. Hi. Just us. We wanted to speculate on what the impact of 5G and private LTE might be over the next several months & years on enterprise wireless. That is, Wi-Fi. As in, will you need a private Wi-Fi network with APs you lovingly hang from the ceiling after a careful site survey and artisanally painted heat maps, along side of clever SSIDs with their accompanying policies? Or will you be at the point where you can just dump much of that responsibility on your telco, and let them do all of that for you? This is a thought exercise. We don’t have all of the answers here, but there’s a lot to think about, both from the telco and enterprise side. Greg and I will take both sides of the argument and roll these ideas around in our head. 5G is coming. Private LTE is real. Companies are coming out of stealth with offerings in this space, so it seemed like a good time to chinwag about this. We discuss: * Risks and benefits for telcos of 5G * Risks and benefits for enterprises of 5G * If 5G does take over for Wi-Fi, what does that transition look like? * Where might you want to retain Wi-Fi? * More Sponsor: Cradlepoint The future of the WAN is wireless, but a wireless connection is only as good as the edge. Cradlepoint unlocks the power of advanced cellular through wireless edge solutions that are delivered the way you consume everything IT: as a service. Reliable. Elastic. Simple to manage from anywhere. Learn more about Cradlepoint’s cloud-managed LTE solutions at cradlepoint.com/packetpushers. Sponsor: ExtraHop ExtraHop is the enterprise cyber analytics company delivering performance and security from the inside out. ExtraHop offers complete visibility with machine learning to help you make quick, confident decisions about your IT environment. Explore the ExtraHop Performance Platform at extrahop.com/packetpushers. Show Links: 5G And Enterprise IT Whitepaper – Packet Pushers Ignition (Membership required)

I have worked with several intrusion detection and prevention systems going back a couple of decades or so. The problem with them? Alarm floods. Never-ending updates. False positives. Mysteriously dropping legitimate traffic. Poor integration with firewalls. A lack of correlation with host logs. Old-school IDS/IPS just sucks. “Old-school” is the keyword there. We’re going to discuss a different, modern approach with our sponsor, Open Systems. The big idea is continuous monitoring, and in the Open Systems architecture, continuous monitoring expands on IDS/IPS to deliver a holistic, distributed security perspective. Joining us is Dave Martin, Senior Director for Product Management of Threat Response within Open Systems. Open Systems provides SD-WAN platform, but it also integrates a variety of security capabilities including firewalls, secure Web gateways, email protection, and intrusion detection. They also offer complementary services such as vulnerability management and assessment. On today’s episode we focus on Open Systems’ continuous monitoring capabilities. Show Links: Open-Systems.com Heavy Networking 446: How Open Systems Integrates Security And SD-WAN As A Service – Packet Pushers Open Systems Product Brief – Open Systems (PDF)

Welcome to Heavy Networking, a uniquely nerdy podcast that puts the network at the center of the universe where it belongs. Today is a sponsored show with ThousandEyes and we’re going to feast on a smorgasbord of topics: first, a new synthetic transaction monitoring tool from ThousandEyes. Second, we’ll discuss why performance monitoring is critical to your SD-WAN readiness and ongoing operations. Third, we’ll explore postmortems on a couple of 2019’s Internet outages, including a major route leak that affected CloudFlare, and what that means when you’re relying on the Internet for critical business applications. Our guests from ThousandEyes are Alex Henthorn-Iwane, VP of Product Marketing; and Angelique Medina, Director of Product Marketing. Show Links: ThousandEyes Browser Synthetic Monitoring – ThousandEyes Introducing Internet-Aware Synthetic Transaction Monitoring – ThousandEyes Blog ThousandEyes Addresses Critical Enterprise Application Performance Visibility Gap With Internet-Aware Synthetics – ThousandEyes ThousandEyes for Application Delivery – ThousandEyes (PDF) Visibility for Your Hybrid WAN and SD-WAN Traffic – ThousandEyes Cloudflare Users Burned by Internet Routing Pile-Up – ThousandEyes WhatsApp Disruption: Just One Symptom of Broader Route Leak – ThousandEyes Internet Outage Reveals Reach of China’s Connectivity – ThousandEyes