Established firms rarely get to reboot their entire network security infrastructure from scratch, but that is what online financial trading firm London Capital Group (LCG) has just done in a project that saw its entire server architecture virtualised using VMware's NSX.
Adopting Software-defined Networking (SDN) sounds good on paper, but implementing it in anger across a network that has to continue supporting tens of thousands of financial customers must have been onerous.
The company found itself building a new greenfield network from the ground up while running an older one in parallel over a migration timescale of 18 months through 2015 and into this year.
What LCG went through offers a small but interesting window into the demands of taking on such a project, as well as some of the rewards that come at the end. Many firms are doubtless quietly doing similar things on a smaller scale using VMware as well as its rivals Cisco, Juniper, IBM and HP.
“We had an end-of-life environment, a mixture of virtualisation software being used,” opens London Capital Group’s CIO, Blair Wright, on the aging infrastructure he inherited when joining the firm in 2014.
This included old backup equipment, aging network switches running different firmware revisions, a creaking phone system and a managed MPLS, now run in-house.
“It was long in the tooth in terms of hardware and software and had grown organically. There were a ton of dead ends in the network with workarounds,” says Wright, describing the sort of network many CIOs must live with while dreaming of better things.
So why not simply upgrade a few pieces in an evolutionary way?
Officially, the problem was that LCG was about to release a brand new online trading platform and feared the aging network would not support it.
“We were experiencing stability issues and service outages, and requests from across the business were taking the IT team days or even weeks to manage, purely due to the complexity of our existing network.”
Building something new would overcome that issue, but two further ambitions – using fewer expensive resources and overhauling security – were quickly added to the list of priorities, which is where the deployment seems to have taken an interesting turn.
“Because we have a small IT team we wanted as standardised an infrastructure as possible, so we made our lives simple,” explains Wright. “NSX gave us the ability to keep traffic inside the servers. That was important to us in terms of performance.”
The performance and the ability to scale without complication explain the VMware part; virtualisation is utterly standard for this kind of infrastructure, even if the resource gains were still surprising.
LCG runs two datacentres with an enterprise cloud built atop Nutanix’s cloud platform, running NSX across not only the online platforms but its own internal development environment. According to Wright, this ended up cutting the number of cabinets the firm occupies by 40 percent with a total of 325 servers supported in the reduced footprint.
A good result, probably standard for this kind of deployment, but next came the security. This is where things got slightly trickier and required deeper organisational change, not something everyone thinks through when implementing virtualisation on this scale.
When networks wear out: east to west
The servers were now isolated, a good thing. What engineers call ‘east-west’ traffic between servers within the data centre was minimised, with each system sitting in its own DMZ. Users reach only the applications, servers and ports they need. The micro-segmentation restrictions mean that adjacent servers are firewalled from one another, removing the possibility of external or internal hackers moving around the network with ease.
But that ramp in security came at the cost of a re-education of developers who had become used to the idea that servers can talk to one another, calling on resources.
“The thing that sold NSX was the east-west firewalling. Having that kernel on every box and server gave us the security we wouldn’t normally have without a lot of work. We can spin up a new server without having to change a firewall rule.”
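The two properties described above, default-deny east-west traffic between adjacent servers and new servers inheriting policy without a rule edit, can be modelled as a tag-based distributed firewall. The following is an added illustration written for this article, not LCG's or VMware's configuration; the tier names, ports and servers are constructed examples.

```python
from dataclasses import dataclass

# Constructed model of a tag-based (security-group) distributed firewall.
# Rules bind tags, not addresses, so policy follows the workload.


@dataclass(frozen=True)
class Server:
    name: str
    tags: frozenset


@dataclass(frozen=True)
class Rule:
    src_tag: str
    dst_tag: str
    dst_port: int


class MicroSegmentedFabric:
    """Default-deny east-west: a flow passes only if a tag-to-tag rule allows it."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.servers = {}

    def add_server(self, name, *tags):
        # A new workload inherits policy from its tags; no rule is edited.
        self.servers[name] = Server(name, frozenset(tags))

    def is_allowed(self, src, dst, port):
        s, d = self.servers[src], self.servers[dst]
        return any(r.src_tag in s.tags and r.dst_tag in d.tags and r.dst_port == port
                   for r in self.rules)

    def lateral_reach(self, src):
        """(dst, port) pairs a compromised src could still reach: the blast radius."""
        return {(d, r.dst_port) for d in self.servers if d != src
                for r in self.rules if self.is_allowed(src, d, r.dst_port)}


# Constructed three-tier policy: only the intended hops are allowed, nothing else.
RULES = [Rule("lb", "web", 443), Rule("web", "app", 8443), Rule("app", "db", 5432)]


def build_demo():
    fab = MicroSegmentedFabric(RULES)
    for name, tag in [("lb1", "lb"), ("web1", "web"), ("app1", "app"), ("db1", "db")]:
        fab.add_server(name, tag)
    return fab
```

Adding a second web server with the same tag makes it reachable from the load balancer immediately, while the two web servers remain unable to talk to each other.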
This also neatly solved the security issue of how to support partners accessing servers, precisely the vulnerability that in 2014 famously caught out US retailer Target in a slightly different context.
Wright mentions the big learning curve created by the overhaul but believes change was inevitable. LCG’s network is smaller but manages to run more in a more secure way.
It’s a triumph of Software Defined Networking for a firm that, in retrospect, had few options other than to bite the bullet and invest in a virtualised infrastructure. So equipped, Wright predicts that the network will soon host new applications, including mobile, to extend its trading platform to new customers.
But the warning is clear for firms that spy similarities between their situation and that faced by LCG in 2014. Invest in something before it's too late.