Talking WAN Transformation and Managed Services with Virgin’s Network and Security Architect Frankie Stroud

October 23, 2019

Every few weeks, yet another survey confirms enterprise interest in SD-WAN. To help inform enterprises on how best to make the transition to SD-WAN, I’ve been speaking with independent engineers and network architects around the industry for their insights and suggestions. The following is the first of these interviews, with Frankie Stroud, network and security architect for the Virgin Australia Group. Think you could add to the conversation, or have someone you think I should speak with? Give me a shout and let me know.

Dave Greenfield (DG): Frankie, let’s start with you. Who is Frankie?

Frankie Stroud (FS): I’m a contractor in the Brisbane [Australia] area, currently at Virgin Australia [VA], where I’ve been for about eighteen months. Before VA I was with Optus and a few other domestic telecommunications companies. I’ve also worked with network integrators.

I mainly act as a system guide for organizations. I look at the viability of technologies, at proofs of concept, and pilot setups for the customer in order for them to assess technology.

DG: So what exactly are your responsibilities at Virgin?

FS: VA is going toward a digital cloud transformation. They have a managed service environment, sort of constrained by the approach that the service provider takes. There’s no real automation in place, no scripts, nothing to really drive efficiencies out of the network. That was one of the key reasons we started to look at technologies which would simplify those things. For instance, we changed VA’s WiFi environment to [Cisco] Meraki, a solution based on the principles of cloud-based controllers and simplified, template-based configuration. As SD-WAN is starting to mature and gain some traction in the market, we’re starting to look at that more seriously.

DG: Do carriers perceive SD-WAN differently than their customers?

FS: Yeah. We see a lot of the providers here in Australia trying to push NBN [national broadband network]-type services as their business grade A-type service, and what we see is there’s next to no difference between those services running on SD-WAN versus ones supposedly providing quality of service or a best-effort-type service. That, I suppose, is not a good sign for some of the telcos trying to add value within their particular environments, but it’s certainly of benefit to the enterprise customers who are just looking to pick up some bandwidth here and there.

DG: Should a customer care about which SD-WAN platform a provider is delivering?

FS: I certainly think so, especially nowadays when organizations want to make changes rapidly and not just through the virtual server or virtual storage environment. Devices can be spun up reasonably fast. The network has started to become the bottleneck, and we want to remove that, not have it keep us from meeting our business objective because of a longer SLA process.

DG: What about QoS? Walk me through what happens when a customer calls and says they want to change the QoS setting. Does that happen frequently?

FS: It would probably happen more frequently if it was a simpler process. I think people put up with a lot of pain around QoS. We’ve had a few times [at VA] when we’ve tried to avoid making changes to QoS because we have to get the network and the CPE sides of the telco involved. Those are typically two separate functions within the telco environment. Marrying up those two parts of the organization in order to make a change is a process in itself.

DG: You mentioned the CPE nodes. There’s been a lot of conversation about white box hardware. What are your thoughts?

FS: I actually quite like the idea. I don’t think it extends the life of the environment, because it’s still hardware, regardless of whether it is a white box or an appliance provided by the vendor. But it certainly gives you choices to extend virtualization and to virtualize different elements.

DG: Having been on both enterprise and telco sides of the industry, if a corporate customer said, “Frankie, I am interested in purchasing a managed service,” what advice would you give them?

FS: Well, I would ask what they want to achieve. There’s a lot of communication now around a co-managed environment, where the provider takes a level of responsibility for the platform and the customer takes on all policy or templates or just monitoring. But you’ve got to question whether you have the resources to take this in house. What are you going to gain?

DG: What are the skills an organization needs to run SD-WAN in house?

FS: Those skills are certainly a lot lower than in the past. You would certainly need someone who understands the concepts, the protocols, but not necessarily how the platform goes about driving changes throughout the environment. You need people who can maybe understand more on the visual side — the analytics, the monitoring — by looking at the information that’s presented. They will just interpret and understand that rather than memorizing lots of different commands.

DG: What’s the biggest risk enterprises face when migrating from MPLS to SD-WAN?

FS: One of the biggest problems is when you don’t want to make the full transition and insist on having both networks coexist. So they have an SD-WAN environment plus one which is driven by BGP protocol routes. Depending on the platform, you may end up not utilizing the most efficient path to a destination, so in order to join the two environments, you have to go through another, different set of hub points. If you are geographically spread, that may be problematic. I think the migration between the two environments requires an overlay technology or, in the case of Cato, moving to a cloud platform, a location.

DG: Is WAN transformation only about replacing MPLS for you?

FS: Well, I think architecturally there’s a big difference [between MPLS and SD-WAN]. Organizations on that journey to AWS, Azure, Google, you name it, or ones looking at more SaaS-type applications, can benefit from not backhauling through a datacenter environment before reaching out to those provider environments. There are architectural efficiencies that come out of placing a bit more control in the hands of the user, allowing them to select and steer applications based on business policy.

DG: What are the security implications of moving away from MPLS? For example, with local Internet breakout?

FS: Definitely, if an organization has opened up their environment to an Internet feed of some sort, then security does play a part, whether you’re encrypting over a tunnel to a centralized platform to protect the local site from a DDoS point of view, or if you’re just dropping traffic straight out to the Internet. You’ve got to consider the direction that traffic is taking. How do you protect against DLP and ensure data is not leaking from your environment? How do you ensure that stuff coming back into the environment via that location hasn’t got some sort of malware in it at some point? So having that control has to be taken into consideration.

DG: Okay, here’s probably the most important question I have today: What’s your favorite movie you’ve seen in the past six months?

FS: I suppose Avengers: Endgame. That was good.

Dave Greenfield

Dave Greenfield is a veteran of the IT industry. He’s spent more than 20 years as an award-winning journalist and independent technology consultant. Today, he serves as a secure networking evangelist for Cato Networks.