The way in which organizations work is changing. Work is done in more places and the Internet has become central to how business is conducted. This means that corporate networks must change as well. The answer — Software-Defined Wide Area Networks (SD-WANs).
SD-WAN brings unparalleled agility and cost savings to networking. With SD-WAN, organizations can deliver more responsive, more predictable applications at lower cost in less time than the managed MPLS services traditionally used by the enterprise. IT becomes far more agile, deploying sites in minutes; leveraging any available data service such as MPLS, dedicated Internet access (DIA), broadband or wireless; and being able to reconfigure sites instantly.
SD-WAN does this by separating applications from the underlying network services with a policy-based, virtual overlay. This overlay monitors the real-time performance characteristics of the underlying networks and selects the optimum network for each application based on configuration policies.
What’s the Difference between SD-WAN and SDN?
SD-WANs implement software-defined networking (SDN) principles to connect locations. SDNs were first introduced in the data center with the goal of increasing network agility by separating the data plane from the control plane. The policies and routing intelligence run in one or more servers (“controllers”), which instruct the networking elements that forward the packets (switches and routers).
SDN created an overlay across the local network, opening up a world of possibilities in efficiency and agility. SD-WAN creates an overlay across the wide area network also bringing incredible efficiency and agility gains.
How Does SD-WAN Work?
An SD-WAN is built on the very powerful idea of separating the network services (such as cable, xDSL, 4G/LTE) from the applications that the organization wants to use. This independence enables the network to be configured to more efficiently optimize those applications.
In an SD-WAN, a specialized appliance at the site’s edge connects to the network services, typically MPLS and at least two Internet services. Across those services, the SD-WAN appliance joins a network of encrypted tunnels — the overlay — with other SD-WAN appliances. Policies configured at a central console are pushed out and enforced by the appliances using policy-based routing. As traffic arrives at the appliance, the SD-WAN software continuously measures the performance (latency, jitter, loss) and availability of each underlying service, and the pre-configured application policies select the tunnel that best meets that application’s requirements for a given session, switching paths as network conditions change.
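The selection step described above, as an added example that is not code from the original article, from Cato, or from any SD-WAN vendor: a toy Python edge that applies per-application policies to link measurements. The link names, probe values, thresholds and scoring weights are all constructed assumptions; real products add hysteresis so paths do not flap, and pin existing flows to a path to avoid reordering.

```python
"""Added example: policy-based path selection at an SD-WAN edge.
Toy model, not any vendor's implementation. Link measurements, thresholds
and scoring weights below are constructed assumptions."""
import copy
from dataclasses import dataclass


@dataclass
class LinkStats:
    """Latest probe results for one underlay service (constructed values)."""
    name: str
    kind: str            # "mpls", "dia", "broadband" or "lte"
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    cost_per_gb: float   # relative price, used only as a tie-breaker
    up: bool = True


@dataclass
class AppPolicy:
    """SLA thresholds and ordered transport preference for one app class."""
    app: str
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float
    preferred_kinds: tuple = ()


def meets_sla(link: LinkStats, policy: AppPolicy) -> bool:
    """A link is eligible only if it is up and inside every threshold."""
    return (link.up
            and link.latency_ms <= policy.max_latency_ms
            and link.jitter_ms <= policy.max_jitter_ms
            and link.loss_pct <= policy.max_loss_pct)


def rank(link: LinkStats, policy: AppPolicy) -> tuple:
    """Sort key: preference order first, then a quality penalty, then cost.
    Lower is better. The weights (2x jitter, 50x loss) are assumptions."""
    if link.kind in policy.preferred_kinds:
        pref = policy.preferred_kinds.index(link.kind)
    else:
        pref = len(policy.preferred_kinds)
    penalty = link.latency_ms + 2 * link.jitter_ms + 50 * link.loss_pct
    return (pref, penalty, link.cost_per_gb)


def select_link(links, policy):
    """Return (link name, degraded) for a new session of this app class.
    degraded=True means no link met the SLA and the least-bad one was used
    (a brownout), which a real edge would also raise an alarm on."""
    up = [l for l in links if l.up]
    if not up:
        return None, True
    ok = [l for l in up if meets_sla(l, policy)]
    if ok:
        return min(ok, key=lambda l: rank(l, policy)).name, False
    return min(up, key=lambda l: rank(l, policy)).name, True


# Constructed probe results: MPLS, two Internet services and an LTE backup.
LINKS = [
    LinkStats("mpls-1", "mpls", latency_ms=40, jitter_ms=2, loss_pct=0.0, cost_per_gb=8.0),
    LinkStats("dia-1", "dia", latency_ms=25, jitter_ms=5, loss_pct=0.1, cost_per_gb=2.0),
    LinkStats("bb-1", "broadband", latency_ms=30, jitter_ms=25, loss_pct=2.0, cost_per_gb=0.5),
    LinkStats("lte-1", "lte", latency_ms=60, jitter_ms=15, loss_pct=0.5, cost_per_gb=20.0, up=False),
]

# Constructed policies: voice is strict and prefers MPLS, SaaS breaks out
# directly over the Internet links, bulk backup takes the cheapest path.
POLICIES = {
    "voip": AppPolicy("voip", 150, 20, 1.0, ("mpls", "dia")),
    "saas": AppPolicy("saas", 300, 100, 5.0, ("dia", "broadband")),
    "backup": AppPolicy("backup", 500, 200, 5.0, ("broadband",)),
}


def plan(links=LINKS):
    """Path decision for every app class against the given measurements."""
    return {app: select_link(links, pol) for app, pol in POLICIES.items()}


def brownout_links():
    """Constructed failure: DIA down and MPLS lossy, so voice has no clean path."""
    links = copy.deepcopy(LINKS)
    links[0].loss_pct = 3.0
    links[1].up = False
    return links


if __name__ == "__main__":
    for app, (name, degraded) in plan().items():
        print(f"{app:7s} -> {name} {'(DEGRADED)' if degraded else ''}")
    for app, (name, degraded) in plan(brownout_links()).items():
        print(f"brownout {app:7s} -> {name} {'(DEGRADED)' if degraded else ''}")
```

With the constructed numbers, voice lands on MPLS, SaaS goes straight out the DIA link and backup takes broadband. In the brownout case no link satisfies the voice thresholds, so the edge falls back to the least-bad path and flags the session as degraded rather than dropping it; that flag is what an operator would want surfaced in monitoring.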
The world of SD-WANs is evolving. Variations on the basic concept focusing on where the lion’s share of the networking and security processing is done are creating a rich set of vendor and service provider choices for organizations ready to move from legacy WAN services.
Why Do Enterprises Need SD-WAN?
The cloud and high levels of mobility characterize how people use networks today. WANs, however, were designed in an era in which the focus was on linking physical locations. Using the old approach to support the new needs results in expensive global connectivity, complex topologies and widely dispersed “point products” that are difficult to maintain and secure.
The unending and cumbersome cycle of patching, updating, and upgrading requires skilled techs, an increasingly scarce commodity. That’s especially distressing because all this complexity is an inviting target for hackers, who can exploit misconfigurations, software vulnerabilities, and other attack surfaces.
There are several reasons that legacy WANs are no longer up to the job. MPLS, the focal point of the old approach, is expensive and requires long lead times for deployment to new locations. Legacy WANs only touch the Internet at secure Web gateways, usually at the data center. This leads to the “trombone” effect of sending Web traffic back and forth across the WAN. The result is added latency and exhaustion of the MPLS capacity as Internet traffic increases. Direct Internet access, which would link branch offices to the Internet, is expensive to secure at each site and could overwhelm rudimentary branch hardware. Finally, the WAN was designed when the emphasis was on linking physical assets such as offices and data centers. This approach isn’t ideal for this new and varied world.
What are the Benefits of SD-WANs?
SD-WANs reduce bandwidth costs by leveraging inexpensive services, such as Internet broadband, whenever possible. They can still use dedicated Internet access (DIA) for higher uptime and performance. (DIA is often more expensive than broadband but less than MPLS and comes with some service guarantees.)
Cloud and Internet performance also improve because the trombone effect is eliminated. Cloud and Internet traffic are not sent through distant datacenters but directly onto the Internet.
The shift to software enables changes of all sorts to be made quickly and from a centralized point. SD-WANs are far more agile, quicker to deploy and less expensive to support in branch offices. Changes are implemented far more quickly, which can save money, increase revenues or provide other benefits for the organization.
What are the Limitations of SD-WANs?
Though SD-WAN brings many benefits, there are also key limitations. Extending the SD-WAN to the cloud requires installing an SD-WAN in or near the cloud provider’s data center, a complicated if not impossible task. Mobile users are entirely ignored by SD-WAN.
And while traffic between SD-WAN appliances is encrypted inside the overlay, that encryption does nothing for traffic that breaks out directly to the Internet from the branch; exposing branches to the Internet raises the threat of malware, phishing emails, and other attacks. Deploying security appliances at the branch means that the costs of purchasing, sizing, and maintaining security appliances continue. Enterprises are still forced into upgrading appliances, and IT needs to apply the full range of security functions, as traffic volumes grow. Finally, troubleshooting is also made more difficult as personnel have to jump between networking and security consoles to reach root cause. This is inefficient and can lead to errors and overlooked information about the problem at hand.
What are SD-WAN Services?
An SD-WAN managed service is a carrier- or service provider-based SD-WAN offering. It guarantees the organization a certain level of performance across its network. The carrier provides the transport and connects the enterprise to physical and virtual infrastructure at the carrier data center and perhaps in third-party clouds.
SD-WAN managed services don’t answer the question of how to secure branch-based Internet access. They are simply a different business and management approach to the same technological infrastructure.
How Do Cloud-based SD-WAN Services Address Those Challenges?
The emerging option is to converge security and networking functions together into cloud-scale software. All Internet and WAN traffic is sent to and received from the provider’s point of presence (PoP) running the software. PoPs, in turn, communicate over their own backbone, avoiding the performance problems associated with the Internet core. This approach is known as SD-WAN as a service or SD-WAN 3.0.
The important point is that the challenges of running both networking and security stacks at the branch office are alleviated. The SD-WAN devices in this case form a “thin edge” with minimal processing. The main task these devices perform is to classify packets and decide whether they should be sent to the Internet, to the MPLS links or elsewhere. With the core security and networking processing done in the cloud, SD-WAN as a service can continue to inspect traffic at line rate regardless of the traffic volumes or enabled features.
What Does Cato Offer?
Cato Networks firmly believes in the SD-WAN 3.0, cloud-based approach. The Cato Cloud offers a global backbone and provides secure connectivity to branch offices, mobile users, cloud data centers and other locations. To learn more about Cato Cloud, visit https://www.catonetworks.com/sd-wan/
Dave Greenfield
Dave Greenfield is a veteran of the IT industry. He’s spent more than 20 years as an award-winning journalist and independent technology consultant. Today, he serves as a secure networking evangelist for Cato Networks.