Answering the Top Questions About SASE Asked by IT Professionals
For global companies still operating with a legacy WAN architecture, WAN modernization is mandatory today for a variety of reasons. For example, digital transformation is based on business speed, and the lack of network agility can hold an organization back. A company that has to wait months to install networking equipment in order to open a new location might miss a fleeting business opportunity.
Many businesses have spent millions of dollars increasing their application and compute agility through the use of cloud resources, and now it's time to update the network with a software-defined WAN. When it comes to modern cloud-based applications, a poor network will result in a poor experience.
"SD-WAN" is a very broad category. Architectures can vary greatly from one vendor to another, and from one service provider to another. CPE (customer premises equipment), broadband transport, security, and other factors can differ substantially as well. If a company chooses the wrong SD-WAN, it can be detrimental to the business.
Global companies have unique networking needs. Workers across far-flung locations around the world often need to communicate and collaborate. For example, product developers in the U.S. need to confer in real-time with managers in manufacturing plants in Asia. Architects in Europe need to send blueprints to builders in South America. These routine work activities place special demands on the network pertaining to bandwidth, response times and data security.
We asked Zeus Kerravala, Principal Analyst with ZK Research, to outline his set of SD-WAN considerations for global companies. According to Kerravala, the choice of network is critically important for companies with locations across the globe. He explains the importance of considering Internet transport for global connections, managing CPE, and securing branch offices.
WAN transport considerations
Many SD-WAN solutions are big proponents of augmenting or replacing MPLS circuits with broadband connectivity, says Kerravala. “Broadband Internet transport is fine for short distances but it can add significant latency in global connections.” He pointed to a chart drawn from his research that demonstrates sample response times of these longer distances using the Internet versus a private network.
Sample Average Response Times

| Route | Internet (seconds) | Private Network (seconds) |
|---|---|---|
| Dubai to Dallas | 1.185 | 0.375 |
| Dubai to London | 4.24 | 0.19 |
| Frankfurt to Shanghai | 1.99 | 0.2 |
| San Jose to Shanghai | 3.97 | 0.306 |
| San Jose to Chicago | 0.194 | 0.158 |
“A lot of these response times have to do with how Internet traffic works. ‘The Internet’ is really a collection of interconnected networks, and it’s difficult to know how your traffic moves around on this system of networks,” says Kerravala. “Various factors can affect Internet response time, such as the time of day, but it’s easy to see that the differences are staggering compared to using a private network. You might look at some of these figures and think that the difference isn’t very much, but if you are moving large packets of data, say for data center replication, it might actually make a difference in how long it takes to perform an activity.” Latency can affect important applications like voice and video.
Kerravala points out that there are a lot of SD-WAN vendors, and many of them target different kinds of customers. “The service providers that have their own private backbone are a better fit for global companies because they leverage the benefit of broadband as an on-ramp but it doesn’t become the transport network.”
Many SD-WANs require significant CPE and managing them globally is an issue. “It’s expensive and time-consuming for an engineer to visit branch locations around the globe to install firewalls and routers. The process can hold up opening new offices,” says Kerravala. “The traditional model of having the networking equipment on premises is actually getting in the way of businesses. Digital transformation is about agility. If a company is trying to take advantage of some sort of market transition and open up a new office but now they have to wait a couple of months in order to get a box shipped to a certain location and have an engineer hop on a plane, that’s a problem. How you manage the CPE is as important as how you manage the transport.”
There’s been a lot of chatter in the industry about NFV (network functions virtualization) or virtual CPE and the ability to take a network function and run it as a virtual workload on some kind of shared appliance. Conceptually, putting a WAN optimizer or a router on some sort of white box server sounds great. “I can take multiple appliances, consolidate them down to one and all of a sudden I have a better model,” says Kerravala. “On the upside, it does lower the cost of hardware. The problem is, it doesn’t really address many of the operational issues. I have replaced physical with virtual and maybe I can deploy it faster because I can remotely install it but operationally, I’m still managing these things independently.”
A company that has 100 global offices might have 100 virtual firewalls instead of 100 physical ones, but they still need to be managed independently. Administrators still need to worry about firewall rule sets, configuration updates, and software updates. Moreover, the company doesn't get the same kind of elastic scale that it would get from the cloud. So, the company has addressed half the problem, in that its hardware costs are lower, but it has introduced new operational challenges. Kerravala calls this lack of elastic scaling "the dark side of vCPE" that doesn't get talked about much.
He recommends that global companies shift their networking equipment to the cloud to get better scalability and to eliminate the need to maintain equipment locally. “There’s no reason today to not leverage the cloud for as much as possible. We do it in the computing world and the application world and we should do it for the network environment as well,” says Kerravala.
“If I’m going to move to this virtualized overlay type of network or some sort of SD-WAN, then a better model is to take my vCPE and push it into the cloud. And so, the functions now exist in your cloud provider and they inherit all the benefits of the cloud—the concept of pay per use and elastic scaling, the ability to spin services up and spin services down as needed. If I want to open a new office, I know I need routing capabilities and a firewall and maybe a VPN. I can just pick those from a menu and then have them turned up almost immediately. So, there’s no infrastructure management needed, there are no firmware updates, there are no software updates. The cloud provider handles all of that. I have a lot more assurance that when I request a change, it is going to propagate across my network at once. I don’t have to manage these things node by node. It can significantly change the operational model.”
Along with CPE and transport, global companies have to think about the security implications. For example, securing branch offices independently is complicated and error-prone.
Traditional CPE-based security is rigid, and in an era when companies want to move quickly, managing security products from multiple vendors is a burden. Keeping rules and policies current across vendors is complicated because each vendor uses its own configuration syntax and rule semantics. Even with only two vendors, reconciling policies is so laborious that it is hardly worth the effort.
Say a company has 100 offices and not all of them are running the same firewall software version. The company wants to roll out a new security patch, but it may not be able to until every firewall has been brought up to a version that accepts it. Anyone who has run a network knows that configurations drift out of alignment very quickly. vCPE offers some benefits, but it doesn't change that model.
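The two preceding paragraphs describe the operational failure mode in concrete terms: rule sets written in different vendor syntaxes drift apart across offices, and a software version that lags at a single site blocks a fleet-wide patch. The script below is an added example written for this page, not code from the article or from any vendor. It normalizes rules from two invented rule syntaxes (labelled "A" and "B"; neither corresponds to a real product) into one model, diffs every office against a golden policy, and lists the sites whose firewall version is too old for a rollout. The inventory, the golden policy, the minimum version and all addresses are constructed for the example.

```python
"""Detect rule drift and version skew across branch firewalls.

Added example: the two rule formats and the site inventory are invented
for illustration and do not correspond to any real vendor or network.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Rule:
    """Vendor-neutral rule model; all parsers normalize into this."""
    action: str   # "permit" or "deny"
    proto: str
    src: str
    dst: str
    port: str


# Invented format "A": one rule per line, e.g.
#   permit tcp 10.1.0.0/16 -> 10.9.0.10 port 443
A_RE = re.compile(r"^(permit|deny)\s+(\w+)\s+(\S+)\s*->\s*(\S+)\s+port\s+(\S+)$")


def parse_a(text):
    rules = set()
    for line in text.strip().splitlines():
        m = A_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable A rule: {line!r}")
        action, proto, src, dst, port = m.groups()
        rules.add(Rule(action, proto, src, dst, port))
    return rules


# Invented format "B": key=value fields with different action keywords, e.g.
#   action=allow proto=tcp from=10.1.0.0/16 to=10.9.0.10 dport=443
B_ACTIONS = {"allow": "permit", "drop": "deny"}


def parse_b(text):
    rules = set()
    for line in text.strip().splitlines():
        kv = dict(field.split("=", 1) for field in line.split())
        rules.add(Rule(B_ACTIONS[kv["action"]], kv["proto"],
                       kv["from"], kv["to"], kv["dport"]))
    return rules


PARSERS = {"A": parse_a, "B": parse_b}


def parse_version(v):
    """'9.1.2' -> (9, 1, 2) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))


def audit(inventory, golden, min_version):
    """Per site: rules missing from / extra to the golden policy, and
    whether the running version meets the minimum the patch requires."""
    report = {}
    for site, info in inventory.items():
        rules = PARSERS[info["format"]](info["rules"])
        report[site] = {
            "missing": golden - rules,
            "extra": rules - golden,
            "patchable": parse_version(info["version"]) >= parse_version(min_version),
        }
    return report


def rollout_blockers(report):
    """Sites that must be upgraded before a fleet-wide patch can proceed."""
    return sorted(site for site, r in report.items() if not r["patchable"])


# Constructed golden policy (format A) and a three-site inventory.
GOLDEN = parse_a("""
permit tcp 10.1.0.0/16 -> 10.9.0.10 port 443
deny any 0.0.0.0/0 -> 10.9.0.0/16 port any
""")
MIN_VERSION = "9.0.0"  # assumed minimum the hypothetical patch requires
INVENTORY = {
    "london": {"format": "A", "version": "9.1.2", "rules": """
permit tcp 10.1.0.0/16 -> 10.9.0.10 port 443
deny any 0.0.0.0/0 -> 10.9.0.0/16 port any
"""},
    # Same intent, different syntax, and the deny rule was never added.
    "dubai": {"format": "B", "version": "8.4.0", "rules": """
action=allow proto=tcp from=10.1.0.0/16 to=10.9.0.10 dport=443
"""},
    # Someone left a permit-any behind after troubleshooting.
    "sao_paulo": {"format": "A", "version": "9.0.1", "rules": """
permit tcp 10.1.0.0/16 -> 10.9.0.10 port 443
deny any 0.0.0.0/0 -> 10.9.0.0/16 port any
permit any 0.0.0.0/0 -> 0.0.0.0/0 port any
"""},
}

if __name__ == "__main__":
    rep = audit(INVENTORY, GOLDEN, MIN_VERSION)
    for site, r in rep.items():
        print(site, "missing:", len(r["missing"]), "extra:", len(r["extra"]),
              "patchable:", r["patchable"])
    print("rollout blocked by:", rollout_blockers(rep))
```

The point of the normalization step is that drift can only be measured once both syntaxes map onto the same `Rule` model; a textual diff of the raw configs would flag every site as different. The version gate is what the article describes: one site at 8.4.0 is enough to hold the patch back for all three.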
Kerravala explains that the middle mile is not all that secure. “You can protect the edges but that middle mile is where a lot of the threats come from, and so you get inconsistent protection across the organization. This is where thinking about changing the security paradigm by moving a lot of these functions into the cloud makes a lot more sense because now security is almost intrinsic across the entire network. You can protect the edges but you can also protect that middle mile where a lot of the breaches happen today,” he says.
Because of the unique needs that global organizations have, they must thoroughly evaluate the architectures of various SD-WANs. Kerravala recommends implementing much of the SD-WAN infrastructure in the cloud to simplify management and operations and to improve security.
For more information on this topic, watch the recorded webinar The Practical Blueprint for MPLS to SD-WAN Migration.