How SD-WANs Can Become Next Generation WAN ArchitecturesMarch 1, 2017
While SD-WANs are a valuable first step towards evolving the wide area network, they only address a small part of the dissolved enterprise perimeter challenge. With the rise of mobility, cloud datacenters, and Software as a Service (SaaS) the classical demarcation between public and private networks becomes less relevant, driving changes in four IT disciplines – security, cloud, mobility, as well as networking. By addressing the full implications of the dissolved perimeter, CIOs and IT managers can reduce the operational costs and improve the effectiveness across IT.
Impact of the Dissolved Perimeter
The traffic patterns driving SD-WAN adoption change how companies protect their users and data. As mobile users connect directly to the internet through unsecured Wi-Fi hotspots and offices access cloud resources via direct internet access, the attack surface grows. This, at a time when security teams already struggle to keep ahead of threat actors and new attack vectors.
Incremental approaches to addressing the dissolved perimeter perpetuate the limitations inherent in existing IT structures. Capabilities remain duplicated between products, increasing capital costs. Networking, security, and mobility technologies are deployed and operated independently. As such, critical information becomes “siloed” behind disparate tools. It’s not that IT lacks the right information to solve its problems; it’s that the right information isn’t readily available to the right team at the right time. With information locked behind application silos, operational improvements, such as automation, becomes increasingly complex.
Changing the WAN is an opportunity to fix the bigger problem of the dissolved perimeter. By creating an integrated cross-domain approach to security, networking, cloud and mobility, IT can become leaner, more effective, unburdening teams from much of their mundane chores and accelerate the delivery of new business capabilities.
Rather than multiple policies governing each technology, organizations can create a single policy integrating the four IT disciplines. Instead of locking information within proprietary networking and security tools and complicating attack detection and response, an integrated approach allow teams quickly deploy countermeasures against current and emerging threats.
Integrated Security-Network Evaluation
CIOs and IT leaders should pull together an interdisciplinary team to take a strategic approach to the new WAN and the dissolved perimeter. The team should include line-of-business members, application team leads, as well as networking, security and mobility representatives. The goal: to understand the full impact a proposed networking architecture will have on all IT disciplines. Areas to be evaluated include quality of experience, availability, security, cost, agility, manageability, and extensibility.
Quality of Experience
Legacy WAN architectures tried to solve a security challenge through networking design. Rather than connecting every location to the Internet and then having to secure those locations, legacy WANs backhauled Internet traffic across the MPLS network to a centralized, secured Internet portal.
When the portals sit near or within the path to the Internet destinations, the performance impact of such an architecture is usually nominal. However, when a portal is out-of-path or far away from the destination, latency increases in what’s called the “trombone effect”, often degrading the quality of experience. The quality of experience for a user in Tokyo, for example, can suffer significantly if the user must first send Internet traffic to the Internet portal in San Francisco to reach a destination back in Tokyo.
But even without the trombone effect, Internet routing performance is unpredictable and unoptimized. For one, the Internet is a collection of networks, each managed per the business requirements of the provider. As such, ISPs will dump traffic on peers even if a faster route is available across their own networks. What’s more, without a provider managing end-to-end performance, latency and packet loss rates fluctuate significantly particularly when sessions cross between provider backbones.
In addition, Internet routing does not consider the nuances of individual applications. The path-selection process for loss-sensitive applications, such as VoIP and video, for example, is no different from those that are bandwidth intensive. Without being able to differentiate between applications, internet routing leads to suboptimal application experience.
By knowing the location of applications (datacenter or cloud) and of prospective mobile and fixed users, CIOs and their teams can anticipate these performance hurdles and challenges. Those challenges can be addressed by leveraging a range of technologies including SLA-backed networks, WAN optimization tactics and more.
SD-WANs give organizations several choices in this area – using existing MPLS services, adding broadband or 4G Internet connections, or using a mix. Each service comes with its own cost structure and capabilities. To align availability requirements and needed investments, CIOs, CISOs, and their teams need to understand the importance of the applications and business locations to the company, and align networking and security availability options accordingly. Security teams will want to identify if redundancy is needed in branch security design and explain what happens when a failure occurs at a branch security appliance. Will security still be implemented? From a mobility perspective, teams need to assess the importance of assuring regional or global VPN access to WAN resources.
SD-WANs achieve significant gains in agility and cost reduction in large part due to their ability to leverage direct Internet access (DIA) at branch offices. But DIA also significantly expands the attack surface far beyond that which can be protected by the basic firewall provided in SD-WAN appliances. In addition to the encryption used to secure SD-WAN tunnels, branches also require URL filtering, anti-malware, IDS/IPS, sandboxing and more.
While cost reduction drives SD-WAN interest, it may be far less significant than realized when evaluating the fuller picture of the WAN architecture. Research shows that DIA bandwidth costs can be as much as 90 percent less than MPLS bandwidth costs. But to improve uptime DIA will also require dual-homed links. Fiber runs are preferable for DIA just as they were with MPLS, further reducing savings. Dual-homing means multiple suppliers at each branch, increasing supplier management costs. Increasing the attack surface through DIA will also require additional security measures to be implemented at the branch. Security teams will need to be consulted to better understand the associated capital and operational costs required to secure those new Internet access points. Converging multiple IT disciplines can lead to further reduction in operational and capital expenses.
One of the rallying cries for SD-WANs is the promise that organizations will be able to adapt to business requirements far faster than with a private data service, such as MPLS, see “A Guide to WAN Architecture & Design”. By separating the underlay (the data services) from the application, SD-WANs allow networking teams to respond quickly to changing business requirements. New offices can be brought up instantly with 4G connections and switched over to business Internet services as necessary. Zero Touch Provisioning (ZTP) makes deploying new equipment trivial. Giving applications more bandwidth or adding more users at site becomes much easier.
But agility is more than just a networking issue. It’s also a security requirement. Organizations will want to be sure security teams can meet those same agility objectives. Can they secure DIA in equally short time? New users and applications require changes to traffic and security policies. How quickly and easily can those be instantiated and delivered to the branch? What about ongoing management of security appliances and services, will those impede the business in anyway? These and other questions need to be considered carefully before opening the branch office to the Internet.
WAN architectures impact management and operations differently. With MPLS services, organizations had one “throat to choke”, should there be an outage, and one bill for all of WAN services. With SD-WANs requiring multiple suppliers, supplier management becomes a bigger operational challenge. The same is true with consolidated billing and the other “extra” benefits of using a single supplier.
Operations will also want to look at the challenge of running the SD-WANs from a networking and security perspective. Are additional skills going to be required to handle the policy-based routing, tunnel management and rest of actions needed to build out and maintain an overlay? How complex is it to introduce a new application company-wide, for a department, or a site? Attention should also be given to the integration of network and security. Ideally, a single policy should encompass both domains.
Conventional WANs connect offices, but with more users working out of the office and most traffic destined for the Internet, organizations need to evaluate the extensibility of any WAN architecture. Can mobile users connect to the overlay and easily access enterprise applications? How is optimum path selection made when there’s no integration of cloud datacenters? Policy configuration and distribution, performance, and security — all need to extend to the mobile user and the cloud as well as to the office.
A New Kind of WAN
By taking a more holistic view of the challenges stemming from the dissolved perimeter, organizations are in a better position to evaluate SD-WAN architectures. Which architectures are best positioned to address the new challenges facing IT? We’ll answer that question in our next blog.