• $100

Company D – Big Insurance Group

Company D is a medium-large insurance company approved by the China Banking and Insurance Regulatory Commission, with a registered capital of billions in CNY. Its business focuses on life insurance, capital management, property insurance and trusts. Compared with traditional finance, the economic background of new finance is the intelligentization of “Industry 4.0”, and the corresponding production factors are information and data. The new financial formats of online e-commerce, social networking, services and media require Company D to build an IT architecture that supports more diversified edge scenarios and meets the demand for security, control and high availability.

 

With thousands of insurance brokers and many outlets distributed across a large number of locations outside the office, Company D needs to guarantee business security and a smooth sales experience. For such business systems, it is difficult to establish a network through an expensive dedicated line system, and an open Internet architecture cannot secure financial business processes, not to mention the multiple problems in connecting internal and external systems, complex operations, maintenance and management, and high labor costs.

 

GOSDWAN’s Innovation in New Finance

 

Edge Security

Edge nodes of new finance are usually accessed through the Internet and the mobile Internet, which brings potential security risks and unstable network quality. Enterprises generally need secure edge nodes with encrypted front-end devices to ensure the “last mile” of users is safe and smooth. That means any access to edge nodes is authenticated and judged according to security policies configured on the control plane (basically ready for the deployment of a Zero Trust Architecture).

 

Fast Delivery

New finance also features various channels and types of sales terminals. Branches differ widely in infrastructure, including different gateway types, link types and service requirements. SD-WAN based zero-touch provisioning enables automatic service distribution, self-service management of links and services, and rich fault diagnosis and preventative maintenance tools, which significantly simplifies the deployment of a massive number of branches.

 

Link Load Distribution

The private lines of a traditional financial business's production network carry fewer services and lighter loads with smooth traffic. They have large bandwidth to cope with traffic surges, but bandwidth utilization is low. By contrast, there are various business types and complex applications at the Internet egress, which leads to frequent traffic overload and congestion. Aggregate management of link capacity and redistribution of load is yet another important feature of SD-WAN, allowing enterprises to reduce bandwidth for private lines and increase it for Internet egress. The SD-WAN uCPE detects QoS parameters of the lines, such as network latency, jitter and packet loss, to ensure traffic scheduling: when one of the private lines has traffic congestion or a network failure, the application is switched to another private line within seconds.

 

WAN Optimization and Acceleration

Due to the high cost, slow deployment and complicated maintenance of traditional dedicated lines, it is not recommended to deploy dedicated lines for the massive number of non-core outlets of new finance. Instead, the Internet is used as the carrier, and the WAN acceleration function is deployed to compress, de-duplicate and optimize protocols for a QoS transmission performance close to that of a dedicated line. A traditional WAN optimization device is a standalone device, whereas WAN optimization in SD-WAN is a default software function, so customers can achieve traffic optimization and acceleration without additional cost.

 

Highlights of Technical Design in New Finance

Support for Application-based Service Identification

The system identifies the target application of network traffic, redefines the traffic according to service attributes (by developing labeling rules), and performs traffic scheduling according to service policies. Security policies such as URL filtering, IPS detection, and firewalls are configured to safeguard critical services with priority, and intelligent routing and traffic policies are configured for non-critical services to guarantee service quality and experience.

 

Zero-touch-provisioning

Before service delivery, site survey data are aggregated into online customer network management to generate the overall configuration scheme. Once the white box device at a site is connected to the network, the service scheduler distributes the site configuration to it, so sites are on-boarded without professional support on-site.

 

Secure Access Service Edge (SASE)

With the VPN Server function configured at a branch-level site, a secure and reliable transmission tunnel can be established, through centralized remote configuration, between user terminals outside the office and the IPSec tunnel on the Internet. When the business volume of the sites increases, the solution can be further optimized and upgraded by deploying NFV products such as Secure Web Gateway (SWG), Cloud Access Security Broker (CASB) and cloud-based firewall at the corresponding branch sites to support the access needs of complex services.

 

uCPE Service Chain

Next-generation firewall, VPN Server, IPS/IDS (Integrated Threat Intelligence Subscription) and WAN optimization capabilities are provided as NFV products at the uCPE location on a software subscription model, without increasing hardware investment at branch sites.