
Solution architecture

  • Hub and spoke architecture that mitigates last-mile problems on each ISP link (known as a leg). Mesh-style edge networking systems cannot, by design, mitigate these problems because they have no visibility of both ends of the link;
  • Multi-tenant installation supporting multiple clients across multiple ISPs from a single instance;
  • Latest stable Debian-based Linux kernel, chosen for its networking performance;
  • Hardened operating system certified for government and federal use;
  • 3 to 7 ISP legs;
  • Private Wide Area Networking as well as branch networking, including centralized branch breakout in the data centre or headquarters;
  • (Custom) Cloud Connector and Accelerator;
  • (Custom) Up to 1024 WAN/LAN links;
  • (Custom) Dedicated management servers;

Hardware

  • x86-based hardware using hardware-accelerated encryption and network offloading;
  • Intel processor and networking controller optimization;
  • Desktop and rack-mount CPEs available;
  • Integration with Ethernet-based hand-offs as well as fibre solutions;
  • Integration with mobile and fixed wireless networking kit;
  • (Custom) Integration with off-the-shelf inverters and micro-UPS units;

Support

  • 24/7 international support – without limits;
  • Online product documentation of all functions and features;

Management

  • Cloud-based administration portal hosted in IBM Cloud;
  • Secure administration of the edge using key-based management protocols;
  • Separate client portal giving the client access to dashboard, configuration and performance data;
  • IBM Cloud-based management server with SLA guarantees for management, security and performance;
  • Analytics to support downtime mitigation;
  • Hierarchical administration and assignment of rights, including the ability for a managed service provider to allocate a reseller area;
  • Red/Amber/Green (RAG) status dashboard with core statistics, scalable to thousands of sites;
  • Automated CPE and zero-touch provisioning;
  • Full logging and troubleshooting, including debug output;
  • Asset management fields and annotation of CPE and leg details;
  • Leg and interface widgets for status and error conditions;
  • Automated monitoring and instant fail-over of legs;
  • Leg upload and download speed provisioning;
  • Automated speed and tuning algorithms;
  • IP space management;
  • (Custom) vnstat on the central aggregator for long-term trending statistics;
  • (Custom) btop on the edge or aggregator;
  • (Custom) ncdu for tracking disk usage;

Networking

  • IPv6 and IPv4 support;
  • Seamless integration behind CGNAT or other upstream routers that only provide Internet access through NAT (RFC 1918 addressing);
  • Fast fail-over of connectivity, within a maximum of 150-300 ms;
  • Secondary and fail-over data centre hubs for resilience;
  • Meshed hubs within data centres using VXLAN, WireGuard and Babel;
  • Quality of Service (QoS) to protect voice quality;
  • Default real-time, interactive, routine and bulk categories, with full customization of QoS available;
  • Reservation percentages and bandwidth limits for QoS;
  • Configurable backhaul encapsulation overhead;
  • Low latency/jitter algorithm;
  • High bandwidth algorithm;
  • Packet filters on IP headers;
  • Bandwidth adaptation that dynamically adjusts to congestion, such as interference and backhaul congestion;
  • Split tunnelling, including bandwidth reservation;
  • Compression on spoke-to-hub links;
  • Packet distribution using weighted round robin, flowlet and IDMPQ;
  • TCP (MSS) clamping and source address verification;
  • Bandwidth aggregation using bonding;
  • Packet loss detection, including configurable limits, warnings and notifications;
  • Leg flap detection;
  • Automated MTU detection and monitoring;
  • TCP acceleration;
  • Port and concurrency selection;
  • Congestion control algorithm selection, including algorithms suited to satellite, fibre, wireless and international links;
  • DHCP, static and PPPoE settings for legs;
  • Secondary and multiple leg settings per interface, including unlimited use of VLANs;
  • Floating IP and CPE-based NAT;
  • Public and private IP address integration for connected IPs;
  • (Custom) gretap interfaces for layer 2 connectivity;
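The leg monitoring, packet loss limits, flap detection and fail-over items above describe a control loop without showing it. The following added example (illustrative Python, not Fusion's monitoring code) runs that loop over constructed probe samples: it scores each leg on loss, mean RTT and jitter, maps the score to up/degraded/down, treats a leg whose state keeps toggling as down, and only moves the active leg when the current one is actually unusable, so small differences between legs do not cause ping-pong fail-overs. The thresholds, leg names and sample values are assumptions for the example.

```python
"""Added example (not Fusion's code): per-leg health scoring, flap detection and
fail-over selection with hysteresis, run over constructed probe samples.
Thresholds are assumptions chosen for the example."""
from statistics import mean

LOSS_WARN = 5.0      # % loss at which a leg is flagged as degraded
LOSS_FAIL = 20.0     # % loss at which a leg is taken out of service
RTT_FAIL_MS = 400.0  # mean RTT above which a leg is unusable for real-time traffic
FLAP_LIMIT = 3       # state changes in the history window that count as flapping

# Constructed probe results per leg: RTT in ms, None = probe lost.
LEGS = {
    "fibre": [12, 13, None, 12, 14, 13, 12, 13, 12, 13],
    "lte": [45, 50, 48, 52, 47, 49, 46, 51, 48, 50],
    "satellite": [620, 640, 610, 655, 630, 625, 615, 645, 635, 620],
}


def leg_stats(samples):
    """Loss %, mean RTT and jitter (mean absolute delta between consecutive RTTs)."""
    got = [s for s in samples if s is not None]
    loss = 100.0 * (len(samples) - len(got)) / len(samples)
    if not got:
        return {"loss": loss, "rtt": None, "jitter": None}
    deltas = [abs(a - b) for a, b in zip(got, got[1:])]
    return {"loss": loss, "rtt": mean(got), "jitter": mean(deltas) if deltas else 0.0}


def leg_state(stats):
    """Map stats to up / degraded / down."""
    if stats["rtt"] is None or stats["loss"] >= LOSS_FAIL or stats["rtt"] >= RTT_FAIL_MS:
        return "down"
    if stats["loss"] >= LOSS_WARN:
        return "degraded"
    return "up"


def is_flapping(state_history):
    """A leg whose state keeps toggling is worse than one that is steadily degraded."""
    changes = sum(1 for a, b in zip(state_history, state_history[1:]) if a != b)
    return changes >= FLAP_LIMIT


def choose_active(legs, current, histories=None):
    """Keep the current leg unless it is down or flapping (hysteresis); otherwise
    pick the lowest-loss, then lowest-RTT leg that is up, falling back to a
    degraded leg rather than losing connectivity altogether."""
    histories = histories or {}
    stats = {name: leg_stats(samples) for name, samples in legs.items()}
    states = {name: leg_state(s) for name, s in stats.items()}
    for name, hist in histories.items():
        if name in states and is_flapping(hist):
            states[name] = "down"
    if states.get(current) not in (None, "down"):
        return current
    for wanted in ("up", "degraded"):
        candidates = [n for n, st in states.items() if st == wanted]
        if candidates:
            return min(candidates, key=lambda n: (stats[n]["loss"], stats[n]["rtt"]))
    return None


if __name__ == "__main__":
    for name, samples in LEGS.items():
        s = leg_stats(samples)
        print(name, leg_state(s), s)
    print("active:", choose_active(LEGS, "fibre"))
    print("active after fibre flaps:", choose_active(LEGS, "fibre", {"fibre": ["up", "down", "up", "down"]}))
```

With the constructed data the fibre leg stays active while merely degraded (10% loss), is abandoned once its state history shows it flapping, and the satellite leg is never chosen because its RTT alone makes it unfit for real-time traffic.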

Security

  • Uplink security: HMAC authentication with AES-128, AES-256 or Salsa20 encryption;
  • Encryption key handshaking;
  • Prevention of interception of the encrypted uplink;
  • (Custom) Threat intelligence using 3rd-party block lists such as FireHOL, protecting against malware, ransomware and crypto mining, with optional additional email and security protection;
  • (Custom) Canary tokens placed in containers to trigger breach alerts;
  • (Custom) A netcat-based canary listener;
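The uplink items above pair HMAC with the ciphers but do not say what the HMAC has to cover. The following added example, which is not Fusion's code or wire format, shows the integrity side of such a tunnel using only the Python standard library: the tag covers the sequence number as well as the payload, it is verified in constant time before any other field is parsed, and a sliding anti-replay window rejects captured frames that an on-path attacker re-injects. Payload encryption is deliberately left out (the standard library has no AES or Salsa20), so the ciphertext is treated as opaque bytes; the frame layout, the 16-byte truncated tag and the 64-entry window are assumptions.

```python
"""Added example (not Fusion's code): encrypt-then-MAC framing for a spoke-to-hub
uplink with HMAC-SHA256 authentication and an anti-replay window.
Frame layout (assumed): 8-byte big-endian sequence || ciphertext || 16-byte tag."""
import hashlib
import hmac
import struct

TAG_LEN = 16   # truncated HMAC-SHA256 tag, in bytes
WINDOW = 64    # anti-replay window, in sequence numbers


def seal(key: bytes, seq: int, ciphertext: bytes) -> bytes:
    """Sender side. The tag covers the sequence number so a captured frame
    cannot be re-labelled with a fresh counter and replayed."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return header + ciphertext + tag


class Receiver:
    """Receiver side: verify the tag, then enforce the replay window."""

    def __init__(self, key: bytes):
        self.key = key
        self.highest = -1   # highest sequence number accepted so far
        self.seen = 0       # bitmap; bit i set = seq (highest - i) already accepted

    def open(self, frame: bytes):
        """Return the ciphertext if the frame is authentic and not a replay,
        otherwise None. Nothing is parsed until the tag has been verified."""
        if len(frame) < 8 + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return None
        seq = struct.unpack(">Q", body[:8])[0]
        if seq > self.highest:
            # Newer than anything seen: slide the window forward.
            shift = seq - self.highest
            self.seen = ((self.seen << shift) & ((1 << WINDOW) - 1)) | 1
            self.highest = seq
        else:
            # Older frame: accept once if inside the window, reject replays.
            offset = self.highest - seq
            if offset >= WINDOW or (self.seen >> offset) & 1:
                return None
            self.seen |= 1 << offset
        return body[8:]


if __name__ == "__main__":
    key = b"\x11" * 32                      # constructed demo key
    rx = Receiver(key)
    frame = seal(key, 1, b"opaque-ciphertext")
    print("first delivery:", rx.open(frame))
    print("replayed frame:", rx.open(frame))
    tampered = frame[:8] + b"X" + frame[9:]
    print("tampered frame:", rx.open(tampered))
```

Reordered frames inside the window are still accepted (the leg bonding above can reorder packets), but a frame is accepted at most once, and anything outside the window or with a bad tag is dropped before its contents are looked at.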

Network management

  • Traffic flow visualization using NetFlow/IPFIX, with integration into 3rd-party collectors such as ElastiFlow or NFDUMP-based tools such as NeDi;
  • Monitoring of CPE and leg statistics;
  • Integrated performance graphing at scales from 15 minutes to 1 year;
  • Utilization, latency, packet loss, leg change, quality of service and CPU graphs;
  • Built-in bandwidth testing tool with history log;
  • (Custom) SNMP (Net-SNMP) agent on the edge for full SNMP management and integration with 3rd-party SNMP tools and pollers;
  • (Custom) LLDP visibility via the lldpd agent;

Infrastructure management

  • (Custom) Device management micro-plane for administering 3rd-party networking services and kit using rport;
  • (Custom) Remote Linux or Windows agents able to check network performance with speedtests or iperf, as well as latency checks and path diagnostics;
  • (Custom) Centralized port forwarding with grouped access lists;

Service chaining

  • Integration with Clavister, pfSense, OPNsense, Palo Alto, Check Point, Cisco, Sophos, Fortinet, WatchGuard and MikroTik;
  • Firewall-as-a-service integration with any 3rd-party ISO;
  • (Custom) Consolidation of all firewall instances into a single central pair in the data centre;

Edge services

  • Fast asynchronous local DNS caching of thousands of domains for up to 15 minutes;
  • Queryable statistics from the local DNS caching server;
  • Multiple routers and firewalls supported per edge;
  • Multiple outgoing IPsec or VPN connections through a single NAT;
  • Support for all netfilter patches and helpers;
  • (Custom) Resilient DNS using multiple upstream DNS servers simultaneously and selecting the fastest response;
  • (Custom) DNS integration with Quad9, Cloudflare and OpenDNS;
  • (Custom) Content-based filtering at the edge through DNS filtering, with the following categories: abuse, crypto, drugs, fraud, mining, piracy, ransomware, scam, tiktok, ultimate, whatsapp, ads, doh, facebook, gambling, malware, phishing, porn, redirects, smarttv, tracking and vaping;
  • (Custom) Disable DNS over HTTPS (DoH) and DNS over TLS (DoT) so clients cannot bypass the DNS filter;
  • (Custom) Force Google SafeSearch;
  • (Custom) Force Bing family-safe search;
  • (Custom) Force DuckDuckGo safe search;
  • (Custom) Enable YouTube restricted mode;
  • (Custom) Prevent forwarding of private IP (reverse) lookups or incomplete domain names to upstream resolvers;
  • (Custom) Stop Web Proxy Auto-Discovery (WPAD) from configuring browsers;
  • (Custom) Log all DNS queries for troubleshooting;
  • (Custom) CVE-based vulnerability assessment of locations, plus infrastructure and networking device inventory, using nmap with its vulnerability scripts;
  • (Custom) Container providing web-based speedtest or iperf testing;
  • (Custom) Containers protected by sshguard;
  • (Custom) Lightweight intrusion detection using psad;
  • (Custom) Remote packet captures with Wireshark via sshdump;
  • (Custom) Save the Wireshark capture file and view it in Brim for threat hunting;
  • (Custom) Install wireless controller software such as the UniFi controller on a Fusion edge;
  • (Custom) Run netdiscover or p0f on the edge for a basic inventory;
  • (Custom) Use arping to check whether a host is up;
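The DNS items above (category filtering, DoH/DoT suppression, forced safe search, no upstream leakage of private or single-label names, WPAD suppression) are all policy decisions an edge resolver makes per query. The following added example is an illustrative Python policy function, not the edge's own resolver code, that makes those decisions in one place and returns what the resolver should answer. The blocklist entries and the `lan` local suffix are constructed for the example; the safe-search target hosts and the `use-application-dns.net` canary are the public names the vendors document (Firefox disables its built-in DoH when the canary returns NXDOMAIN).

```python
"""Added example (not the edge's resolver code): per-query DNS policy decisions for
an edge resolver that filters, forces safe search and refuses to leak local names."""
import ipaddress

LOCAL_DOMAIN = "lan"                      # assumed local suffix served by the edge
DOH_CANARY = "use-application-dns.net"    # Firefox DoH canary: NXDOMAIN disables DoH

# Constructed category blocklist; in production this is loaded from the filter feeds.
BLOCKLIST = {
    "ads": {"ads.example.net"},
    "malware": {"bad.example.org"},
}

# Vendor-documented safe-search hosts; a CNAME to these forces the safe mode.
SAFE_SEARCH = {
    "www.google.com": "forcesafesearch.google.com",
    "www.bing.com": "strict.bing.com",
    "duckduckgo.com": "safe.duckduckgo.com",
    "www.youtube.com": "restrict.youtube.com",
}


def _ptr_to_ip(name):
    """Turn '10.1.168.192.in-addr.arpa' into IPv4Address('192.168.1.10'), else None."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return ipaddress.ip_address(".".join(reversed(octets)))
    except ValueError:
        return None


def _blocked_category(name):
    """Match the name and every parent domain against the category lists."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        for category, names in BLOCKLIST.items():
            if candidate in names:
                return category
    return None


def decide(qname, qtype="A"):
    """Return (action, detail) for a query. Actions: NXDOMAIN, LOCAL (answer from
    local data, never forward), BLOCK, CNAME (rewrite to detail), FORWARD."""
    name = qname.lower().rstrip(".")
    labels = name.split(".")
    if name == DOH_CANARY:
        return ("NXDOMAIN", "doh-canary")
    if labels[0] == "wpad":                       # never let WPAD hijack proxy settings
        return ("NXDOMAIN", "wpad")
    if qtype.upper() == "PTR":
        ip = _ptr_to_ip(name)
        if ip is not None and ip.is_private:      # private reverse lookups stay local
            return ("LOCAL", "private-ptr")
    if len(labels) == 1:                          # incomplete name: never leak upstream
        return ("LOCAL", "single-label")
    if labels[-1] == LOCAL_DOMAIN:
        return ("LOCAL", "local-domain")
    category = _blocked_category(name)            # blocked stays blocked, even for search hosts
    if category:
        return ("BLOCK", category)
    if name in SAFE_SEARCH:
        return ("CNAME", SAFE_SEARCH[name])
    return ("FORWARD", "")


if __name__ == "__main__":
    for q, t in [("use-application-dns.net", "A"), ("wpad.lan", "A"),
                 ("10.1.168.192.in-addr.arpa", "PTR"), ("printer", "A"),
                 ("tracker.ads.example.net", "A"), ("www.google.com", "A"),
                 ("example.com", "A")]:
        print(q, t, "->", decide(q, t))
```

The ordering matters: the canary and WPAD checks run first so they cannot be shadowed by a local-domain match, and the blocklist runs before the safe-search rewrite so a blocked host is never turned into a CNAME. Blocking DoT itself is a firewall rule on TCP/853 rather than a DNS decision, which is why it is not in this function.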

Traffic analytics

  • Lightweight traffic analytics that does not stress the CPU, as an alternative to NetFlow;
  • Lightweight agent using a radix tree for low memory consumption;
  • Scales easily to gigabit speeds;
  • Builds an inventory of devices discovered on the network, with classification, association and labelling;
  • Highlights traffic that bypasses firewall rules or DNS policies/filters;
  • Identifies cyber threats and risky behaviour;
  • Advanced DPI engine that identifies applications and protocols;
  • Geolocation mapping of traffic;
  • Extracts hostnames from protocols including DNS, mDNS, HTTPS, HTTP, QUIC, DHCP and NTP;
  • Bandwidth reports by user, group, application, device type, operating system, protocol, geographic location and network parameters;
  • Ability to focus in on and spotlight analytics for specific devices and applications;
  • Review capability to support compliance checks;
  • Standard offering of 24 hours of traffic analytics retention;
  • (Custom) One year retention of traffic analytics.
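Two items above, the radix tree and the highlighting of traffic that bypasses DNS policy, can be shown together. The following added example (illustrative Python, not the analytics agent's code) keeps a bitwise prefix trie for longest-prefix destination labelling, then correlates constructed flow records with constructed edge-resolver answers: an HTTPS flow to an address the edge never resolved, a connection on TCP/853 (DoT), or DNS sent to any resolver other than the edge all indicate a client stepping around the filter. The resolver address, prefix table, DNS log lines and flow records are all constructed for the example.

```python
"""Added example (not the analytics agent's code): flag flows that bypass the edge
DNS filter by correlating them with local DNS answers, with a prefix trie for
labelling destinations. All data below is constructed for the example."""
import ipaddress

EDGE_RESOLVER = "192.168.1.1"   # assumed address of the edge DNS cache


class PrefixTrie:
    """Bitwise trie keyed on IPv4 prefixes; lookup returns the label of the
    longest matching prefix, or None when nothing matches."""

    def __init__(self):
        self.root = {}

    def insert(self, cidr, label):
        net = ipaddress.ip_network(cidr, strict=False)
        bits = format(int(net.network_address), "032b")[: net.prefixlen]
        node = self.root
        for b in bits:
            node = node.setdefault(b, {})
        node["label"] = label

    def lookup(self, ip):
        bits = format(int(ipaddress.ip_address(ip)), "032b")
        node, best = self.root, self.root.get("label")
        for b in bits:
            node = node.get(b)
            if node is None:
                break
            best = node.get("label", best)   # remember the longest match so far
        return best


# Constructed answer log from the edge resolver: "qname TYPE ip".
DNS_LOG = [
    "www.example.com A 93.184.216.34",
    "cdn.example.net A 203.0.113.10",
]

# Constructed flow records: (src, dst, dport, proto).
FLOWS = [
    ("192.168.1.20", "93.184.216.34", 443, "tcp"),  # resolved through the edge
    ("192.168.1.21", "198.51.100.7", 443, "tcp"),   # never resolved locally
    ("192.168.1.22", "1.1.1.1", 853, "tcp"),        # DNS over TLS
    ("192.168.1.23", "8.8.8.8", 53, "udp"),         # DNS to a foreign resolver
    ("192.168.1.24", "192.168.1.1", 53, "udp"),     # normal DNS to the edge
    ("192.168.1.25", "192.168.1.50", 445, "tcp"),   # LAN-internal
]


def resolved_ips(dns_log):
    """Set of addresses the edge resolver actually handed out."""
    return {line.split()[2] for line in dns_log if line.split()[1] == "A"}


def classify(flow, known, trie):
    src, dst, dport, proto = flow
    if dport == 853:
        return "dot-bypass"
    if dport == 53:
        return "ok" if dst == EDGE_RESOLVER else "dns-bypass"
    if trie.lookup(dst) == "lan":
        return "lan-internal"
    if dport == 443 and dst not in known:
        return "unresolved-destination"   # hard-coded IP or DoH-resolved name
    return "ok"


def report(flows=FLOWS, dns_log=DNS_LOG):
    """Map each destination to its classification."""
    trie = PrefixTrie()
    for cidr in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"):
        trie.insert(cidr, "lan")
    trie.insert("0.0.0.0/0", "internet")
    known = resolved_ips(dns_log)
    return {f[1]: classify(f, known, trie) for f in flows}


if __name__ == "__main__":
    for dst, verdict in report().items():
        print(f"{dst:16} {verdict}")
```

The correlation is only as good as the log window: a client that resolved a name before the window started will show up as an unresolved destination, so in practice the DNS-answer set is kept over the cache lifetime (15 minutes in the edge DNS item above) plus a margin before a flow is flagged.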

WAN optimization

  • Acceleration using TCP multiplexing (for example, cloud storage sync speeds improved tenfold);
  • (Custom) WAN optimization using Replify;
  • (Custom) Split tunnel defined by domains instead of IPs;

WFH

  • (Custom) Road-warrior VPN integration such as OpenConnect, WireGuard, strongSwan or SoftEther;
  • (Custom) ocserv (OpenConnect server) in a DMZ container provisioned on the SD-WAN edge;

Notifications

  • (Custom) Integration with Uptime Kuma (UK);
  • (Custom) Integration of leg status from Fusion management servers into Uptime Kuma;
  • (Custom) Reporting on networking edge and aggregator uptime, as well as any 3rd-party networking kit, using Uptime Kuma;
  • (Custom) Integration into various messaging, push and notification platforms;
  • (Custom) Host-based scripts that report temperature or speedtest results to Uptime Kuma;


Ronald Bartels – Technical director of Fusion. Please email him if you have any questions or require a demonstration of the Fusion SD-WAN solution. ronald@fusionbroadand.co.za or info@fusionbroadband.co.za
