By 2018, IT leaders at an independent federal agency had had enough. The agency had thousands of users spread across its East Coast headquarters, national branch offices and numerous home offices. And those all relied heavily on the agency’s network, which had major performance issues.
Part of the problem was the centralized security architecture. Regardless of where traffic started and where it was supposed to go, everything had to pass through the agency’s Trusted Internet Connection (TIC) at HQ.
Established in 2007, TIC began as a federal initiative designed to reduce the number of internet connections across government – and to ensure that all traffic was inspected.
At this agency, data crisscrossed the country over virtual private networks, sometimes several times before reaching its final destination. This kind of circuitous path is known as the “trombone effect” because it resembles the twisting, looping pipes of a trombone.
The situation was hardly ideal. The amount of traffic combined with the trombone effect made things frustratingly slow at times. Tromboning also reduced network visibility, making it hard for IT to support users and respond to problems. And if something needed to be fixed, it often required manual effort, instead of an automatic patch.
The agency tried to mitigate these problems by deploying large security appliances at branch locations, but those devices took too long to check traffic, causing new bottlenecks. And with so many branch offices, costs escalated. The devices weren’t practical or affordable long-term solutions.
Such challenges aren’t unique to our example agency. Supporting IT for a distributed workforce is tough at all agencies.
The latest version of the TIC policy, known as TIC 3.0, has provided relief.
A major plus with TIC 3.0 is that it offers several use cases, one of which addresses how to avoid “the TIC Tax” of backhauling all traffic to headquarters.
By following TIC 3.0 guidance, our sample agency had a choice. It could establish multiple cloud policy enforcement points, or PEPs, and have headquarters, branch offices and remote workers connect to the closest PEP. Or it could enable PEP protections at the branch offices and on remote worker connections and enable direct Internet traffic from there.
The agency decided to try a TIC use case, establishing regional zones of security inspection in a public cloud and directly connecting the branches to those sites over secure VPN connections.
Soon, it reaped the benefits of TIC 3.0:
- The simple regional zones model eliminated the trombone effect, which gave users quicker connection times and better performance.
- Free logging and reporting tools provided by the public cloud provider gave network admins better visibility into network issues.
- The agency also came out ahead on all three fronts that matter: lower costs, improved performance and more robust security.
Based on its proof-of-concept results, the agency adopted a TIC 3.0 solution with one additional improvement. The agency established a software-defined wide area networking, or SD-WAN, solution in the branches that used broadband connections.
That combo added flexibility, made it easier for users to connect to the cloud, and provided greater network performance and resiliency.
The agency also realized a 50% cost savings from moving infrastructure off premises to the cloud.
Any agency can improve its wide area networking performance and security by following three best practices:
- Build a foundation for TIC 3.0,
- Enlist a secure SD-WAN solution, and
- Examine network traffic in real time.
This article is an excerpt from GovLoop Academy’s recent course, “Using TIC 3.0 to Improve Network Performance and Security,” created in partnership with Fortinet.