The U.S. military just took a major step forward in the development and deployment of secure, resilient network architectures across its vast communications infrastructure.
The Department of Defense has certified Juniper’s Session Smart™ Router (SSR) for the Approved Products List (APL) under the Joint Interoperability Test Command (JITC). This marks a major milestone for networking’s role in military preparedness and readiness, because it allows units in all branches to deploy streamlined, resilient and, most importantly, secure SD-WANs quickly and at far less cost and complexity than traditional connectivity solutions.
The Session Smart Router is Juniper’s answer to the myriad difficulties associated with traditional SD-WAN architectures. Most WAN platforms solve issues like connectivity, flexibility and security by creating virtual networks and overlays on top of the transport layer. This requires tunnels to create isolation between networks and to ease some of the deployment challenges inherent in these kinds of architectures.
Tunneling Hazards
Tunneling, however, introduces its own set of problems. For one thing, tunnels add a lot of overhead to transport networks, which makes them difficult to optimize, reduces available bandwidth and adds latency to critical data streams. In some cases, tunnel overhead doubles the bandwidth a packet consumes on the WAN, leading to data loss and an overall poor user experience.
What’s more, tunneling limits the scalability of SD-WAN, which is supposed to be one of the key advantages of adopting a software-defined architecture in the first place. A typical customer premises equipment (CPE) router can accommodate up to several hundred terminals. When networks span upwards of 1,000 sites, however, the number of bi-directional tunnels in a full mesh can reach half a million or more. This puts a lot of pressure on the CPE processor, which is why most SD-WAN vendors recommend caps on the number of tunnels deployed. And while hub-and-spoke architectures can help alleviate this burden, they still cannot meet the scale requirements of a modern military.
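As an added illustration of the two costs described above (this is not code from the post or from Juniper), the script below models the per-packet cost of IPsec ESP tunnel-mode encapsulation and the tunnel counts for full-mesh versus hub-and-spoke designs; the ESP field sizes are assumed values for an AES-GCM profile with NAT traversal, not figures from the page.

```python
# Added example, not from the Juniper post. The ESP field sizes below are
# assumptions for a common AES-GCM tunnel-mode profile with NAT-T; other
# cipher suites change the IV/ICV sizes but not the shape of the result.

OUTER_IPV4 = 20      # outer IP header added by tunnel mode
NAT_T_UDP = 8        # UDP encapsulation when NAT traversal is in use
ESP_HEADER = 8       # SPI + sequence number
ESP_IV = 8           # AES-GCM IV
ESP_TRAILER = 2      # pad length + next header
ESP_ICV = 16         # integrity check value
PAD_ALIGN = 4        # encrypted payload + trailer must be 4-byte aligned


def esp_tunnel_size(inner_bytes: int) -> int:
    """Bytes on the wire for one inner IP packet after ESP tunnel-mode encapsulation."""
    body = inner_bytes + ESP_TRAILER
    padding = (-body) % PAD_ALIGN
    return OUTER_IPV4 + NAT_T_UDP + ESP_HEADER + ESP_IV + body + padding + ESP_ICV


def overhead_ratio(inner_bytes: int) -> float:
    """Wire bytes per original byte; approaches 2.0 for small (e.g. voice) packets."""
    return esp_tunnel_size(inner_bytes) / inner_bytes


def full_mesh_tunnels(sites: int) -> int:
    """Bidirectional tunnels needed for any-to-any connectivity between sites."""
    return sites * (sites - 1) // 2


def hub_and_spoke_tunnels(sites: int, hubs: int = 1) -> int:
    """Tunnels when every spoke peers only with each hub and the hubs are meshed."""
    spokes = sites - hubs
    return spokes * hubs + full_mesh_tunnels(hubs)


if __name__ == "__main__":
    for size in (60, 200, 1400):
        print(f"{size:5d} B inner -> {esp_tunnel_size(size):5d} B on wire "
              f"({overhead_ratio(size):.2f}x)")
    for n in (100, 1000):
        print(f"{n:5d} sites: full mesh {full_mesh_tunnels(n):>8,} tunnels, "
              f"2-hub design {hub_and_spoke_tunnels(n, 2):>6,} tunnels")
```

With these assumptions a 60-byte packet more than doubles on the wire while a 1,400-byte packet grows by under 5%, and 1,000 fully meshed sites need 499,500 tunnels.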
Another issue with tunneling is security. Encapsulation often pushes packets past the path MTU, and when packet streams are highly fragmented, attackers can exhaust receiver memory by bombarding the network with endless fragments. And because encapsulated traffic cannot be filtered on its inner headers by intermediate devices in native IP environments, tunneling enables an end-run around firewalls, intrusion detection systems (IDS) and intrusion prevention systems (IPS). Even advanced deep-packet inspection (DPI) tools have difficulty seeing into most tunnel architectures.
The Session Smart Router addresses all of these problems in a very simple way: it does away with tunnels altogether. Using a session-based technology called secure vector routing (SVR), Juniper’s platform implements SD-WANs without encapsulating traffic; instead, it rewrites source and destination IP addresses per session using network address translation (NAT) style mapping on native IP.
Fully Isolated
Because every tenant is assigned its own session on its own NAT address, SVR enables complete isolation while delivering full SD-WAN functionality by forwarding sessions, not packets. This ensures highly granular, end-to-end control and visibility of all networks without the tunnel overhead that drives up costs and lowers performance. With intelligent routing control moved from the packet level to the session level, SVR transforms stateless L2 and L3 networks into session-aware networks, ensuring that bi-directional sessions are maintained on the same path, securely and intelligently.
SVR also overcomes the scalability issue associated with tunneling. With no tunnel overhead, there is no added burden on the physical router, even when thousands of sessions are active. In essence, the SD-WAN becomes as scalable as IP itself, while the hyper-segmentation capabilities of the system enable highly refined utilization of multiprotocol label switching (MPLS) links to help lower costs and maintain high performance for all users.
This approach also enhances network and data protection because it enables Zero Trust security by default. Because it does not depend on IPsec tunnels for encryption, encryption can be applied more easily using AES-128 or AES-256. SVR also has an adaptive feature that eliminates the need for double encryption by detecting whether a given payload is already encrypted and skipping a second encryption pass.
It is no exaggeration to say that this is a paradigm shift in the way SD-WANs are developed and deployed. The strategic advantages of this kind of flexibility would be impressive enough even without the dramatic cost savings and overall performance advantages that tunnel-free architectures provide.
As the military engages with an increasingly complex geopolitical environment, highly dynamic and highly reliable communications offer a crucial edge against the ongoing technological advancements of potential rivals. And now that this technology is certified on the JITC APL, it can be provisioned and deployed wherever it is needed, across all branches of the military, in short order.