The recent trends have greatly accelerated this process. When looking into ways to help mitigate this complexity, one of the leading conclusions is that enterprises should find ways to consolidate their separate, stand-alone, products into a unified solution which can be more easily managed and maintained, and which can provide them with a consistent and a holistic view of all traffic in their network.

Gartner has gone a step further and designed a framework that facilitates this, which they named the Secure Access Service Edge (SASE). SASE is, in essence, an architecture that converges networking and security capabilities into a single solution and goes a long way in reducing network complexity.

Before we talk about the networking and security services that SASE converges, let's first look at the entities and traffic flows they need to serve.

The journey starts at any of the enterprise's endpoints which need to access any of the enterprise's assets or external resources. The origin endpoints are typically users who can connect from any of the enterprise's physical locations or remotely. Physical locations are typically enterprise headquarters or branch offices, which connect between themselves or to other enterprise locations such as physical or cloud-based datacenters. Enterprises typically use an MPLS and/or SD-WAN product to connect their physical locations:

Traditional MPLS VPN Network

Mobile & Remote users will use a remote access solution to connect to their networks. Cloud-based services such as AWS, Azure will require virtual connectors, or other secure tunnel solutions to connect to the enterprise network and remote offices use a private managed MPLS service to connect to the headquaters.

As we can see, a modern digital enterprise needs to connect various types of endpoints that are spread across multiple locations.

So how is it possible to converge network and security services for such a dispersed network topology?

The only real option, as Gartner stated, is to use a cloud service to which all network endpoints can connect and which is capable of delivering all required services. This is precisely what Cato's SASE Cloud platform offers:

SASE Architecture Example

Secure Access Service Edge

We’ll be covering the above and more in this article:

• Defining Cloud-Native Services
• Cloud-Native – Single Pass Architecture
• Scalable Cloud-Native Services
• Cloud-Native Service Resiliency
• Cloud-Native Service Managed Service
• Summary

Related Articles:

• Complete Guide to SD-WAN. Technology Benefits, SD-WAN Security, Management, Mobility, VPNs, Architecture and more
• How To Secure Your SD-WAN. Comparing DIY, Managed SD-WAN and SD-WAN Cloud Services
• SASE and VPNs: Reconsidering your Mobile Remote Access and Site-to-Site VPN strategy
• Converged SASE Backbone – How Leading SASE Provider, Cato Networks, Reduced Jitter/Latency and Packet Loss by a Factor of 13!

Defining Cloud-Native Services

While we all use cloud services daily for both work and personal benefit, we typically don't give much thought to what actually goes on in the elusive place we fondly call "the cloud". For most people, "the cloud" means they are just using someone else’s computer. For most cloud services, this definition is a good enough, as we don't need to know, nor care, about what they do behind the scenes.

For cloud services delivering enterprise networking and security services, however, this matters a lot. The difference between a true cloud-native architecture and software simply deployed in a cloud environment, can have detrimental impact on the availability, stability, performance, and security of your enterprise. 

Let's take a look at what cloud-native means, and the importance it plays in our network.

Key Topics:

• SASE is the Answer
• A Converged Private Backbone is Essential
• The Proof is in the Packets – Testing a Converged SASE Solution
• Summary

SASE is the Answer

With uncanny timing, Gartner introduce the Secure Access Service Edge or SASE near the end of 2019, just before the Covid-19 virus started to gain global traction. SASE represents the shift away from castle & moat security with resources siloed into just a few corporate datacenters. After all, if organizations are consuming collaboration and productivity tools from the cloud, why not security and connectivity too?

While there is much buzz around SASE with security and networking vendors, and some debate over what products and services fit the SASE moniker, the intention is simple: leveraging economies of scale, organizations should purchase SASE as a cloud delivered service with global presence that brings security closer to the user. The user can be remote, mobile or in a corporate owned facility, regardless of physical location, the user’s access and security posture should remain consistent.

Figure 1: Cato PoP Map (click to enlarge)

At Cato Networks we built the first SASE solution, starting way back in 2015. We’ve grown to 70+ Point-of-Presence (PoPs) globally that fully converge networking and security into a single platform. With our experience we believe that a global private backbone is an essential component of a true SASE solution. If we consider that the goal is consistent access and security with reduced cost and complexity, we must recognize that the ability of a user to access resources applies not just to access controls and services, but also to the usability and reliability of that user’s access. Essentially –users must have predictable performance to be productive.

A Converged Private Backbone is Essential

Reliability and predictability of connectivity isn’t a new concept or focus area for technical teams. Organizations have been using MPLS and other methods to achieve this for years. But MPLS is expensive, resulting in reliable, low bandwidth links to just a few places. Don’t forget that this approach completely neglected remote users who traditionally have had to VPN across the public Internet to reach datacenter security and resources.

Fast forwarding to today, most SASE vendors position their services as a way to reduce or eliminateMPLS, but completely ignore the unpredictability of the public Internet. Cato’s service was architected with this in mind, and we connected our PoPs with a global private backbone of multiple tier 1 providers. Our customer’s packets aren’t taking the cheapest possible route across tier 3 providers, instead taking the most efficient route to the destination. Combined with our WAN optimization capabilities, Cato ensures reliable, predictable performance for all users and locations.

Figure 2: Cato Network Rules (click to enlarge)

The easiest way to see if a SASE vendor has a converged private backbone is to look at their management console. Your vendor should enable you to make granular Internet & WAN rules to manage the handling and routing of your traffic. In addition to priority level, you should be able to control egress PoP location, even egressing your traffic from dedicated private IP addresses, and enabling things like TCP optimization and packet loss mitigation.  

Figure 3: Network Rule Criteria (click to enlarge)

Figure 4: Network Rule Actions (click to enlarge)

Having the ability to configure these policies directly in the management interface demonstrates that the backbone is a converged component of the solution. You should not have to open tickets and wait for routing policies to be created on your behalf, instead you should have direct control with the ability to deploy or modify policies in real-time.

Controlling egress location allows you to maximize your utilization of Cato’s global private backbone, egressing your traffic as close to the destination as possible. The ability to use dedicated private IP addresses mean that you can use source-IP anchoring policies for SaaS application security, without having to backhaul your traffic anywhere.

The ability to create and manage your WAN and Internet traffic with policies is key, but also essential is understanding how these policies are impacting your traffic and real-time visibility into performance. Cato allows you real-time views into performance, priority level and application usage. These insights are invaluable in ensuring your policies are meeting your organization’s needs or evaluating potential changes that may be required.

Figure 5: Traffic Priority Analyzer (click to enlarge)

The Proof is in the Packets – Testing a Converged SASE Solution

To demonstrate the real-world implications of a converged SASE solution with a global private backbone, we ran PingPlotter to a server in China over a 48-hour period using both the public Internet and Cato’s backbone. Connectivity into China is usually complex due to regulation and the great firewall, but Cato’ PoP network can easily enable organizations access into and out of China (Cato has 3 PoPs in China and a government approved link to Hong Kong).

As you can see below, the results speak for themselves. When utilizing Cato’s backbone, we had only 20ms of Jitter, down from 260ms on the public Internet. We also had much less packet loss with our connection being far more reliable and consistent. You can just imagine the difference in user experience when using file sharing, VOIP or collaboration tools:

Figure 6: PingPlotter Tests (click to enlarge)

Summary

The promise of SASE is to bring security and connectivity to all edges with less cost and complexity. To do this effectively, a SASE vendor must have a global private backbone. At Cato, we built our SASE cloud from the ground up, fully converging networking and security into a single platform delivered from 70+ global PoPs that are connected by a private backbone composed of multiple Tier 1 providers. Cato allows you to quickly connect and secure users and locations at global scale with ease.

More information on SD-WAN and SASE can be found in our dedicated SASE and SD-WAN section.

Before we dive any further, let’s take a look at what’s covered:

• SASE: The Architecture for a Secure Cloud and Mobile World
• Defining SASE
• The Four Pillars of SASE Architecture
• SASE Showcase: Connecting & Managing All Locations Together
• The SASE Unified Network
• Summary

Related Articles

• Complete Guide to SD-WAN. Technology Benefits, SD-WAN Security, Management, Mobility, VPNs, Architecture & Comparison with Traditional WANs. SD-WAN Providers Feature Checklist
• SD-WAN is the Emerging, Evolving Solution for the Branch Office
• Understanding Secure Access Service Edge (SASE) and how it integrates with SD-WAN
• SASE and VPNs: Reconsidering your Mobile Remote Access and Site-to-Site VPN strategy

SASE: The Architecture for a Secure Cloud and Mobile World

IT and security managers are constantly concerned by the different entities which connect to their networks. Keeping track of who is connecting, using which edge device type, what they’re connecting to, and which permissions they should have can be a messy and dangerous business.  

An enterprise’s network is composed of several types of edges. An edge can be any location or endpoint which needs to connect to any other resource or service available inside or outside the network. This includes the enterprise’s on-premises headquarters, branch offices, data centers, mobile users connecting remotely (e.g. their home), public cloud data centers (e.g. AWS and Azure), 3^rd party SaaS applications (e.g. Office365 and Salesforce), and virtually any website across the WWW.

To enable connectivity and secure access for all edges, enterprises are forced to adopt different solutions to manage different edge types. For example VPN for remote users, on-prem Next Generation Firewalls (NGFWs) for the physical locations, cloud-based NGFW for cloud-based applications, Cloud Access Security Brokers (CASB) for SaaS and Secure Web Gateways (SWG) for web access.  This large number of different products introduced unwanted complexity, inefficiency, and potential security loopholes to enterprises. But perhaps there is a better way to enable secure access to any service from any edge? In fact, there is, and it’s called, surprisingly enough, Secure Access Service Edge (SASE).

Cloud-based SASE Traffic Analysis Dashboard

Defining SASE

SASE is a new architecture that converges networking and security into a holistic, unified cloud service. It is a concept defined by Gartner in late 2019 to simplify enterprise networking and security. At the heart of the SASE premise lays the understanding that network and security cannot be addressed separately, using different products and services. The inter-dependency between the two is fundamental, and their convergence is critical for addressing the needs of the modern digital enterprise.

Click here to learn more about SASE and how it differs from SD-WAN.

The Four Pillars of SASE Architecture:

 Four main principles lay at the heart of the SASE architecture:

1. All edges. A true SASE solution should be able to service all enterprise edge types.
2. Converged. SASE’s networking and security services should be delivered from one software stack, not discrete appliances integrated together, and all must be managed via a single pane of glass.
3. Cloud-native. A SASE solution should be built using cloud-native technologies and should support elasticity, auto-scaling and high-availability.
4. Global. An effective SASE solution should have an extensive global footprint of Points of Presence (PoPs) covering all major locations worldwide.

SASE Showcase: Connecting & Managing All Locations Together

One of SASE’s main goals is to simplify connectivity, access, and management of the enterprise. This is achieved by unifying all the required functionality into a single solution.

For example, in Cato Network’s SASE Cloud platform, all edges connect to the closest Cato PoP and are managed from Cato’s management console. All traffic to and from these edges undergo the same networking optimizations and security inspections to detect and mitigate threats in real-time.

The Cato Network SASE platform provides complete connectivity & management of all endpoints

Connecting physical locations such as the headquarters, branch offices, and data centers, is the simplest scenario. They are controlled by the enterprise and enable an easy deployment of an SD-WAN appliance such as the X1500 (left) and X1700 (right) Cato Socket models shown below: 

The Cato Socket can manage multiple connections, preferably from multiple ISPs, in active/active mode and continuously monitors them to determine the best performing link to send traffic over:

On-Premises Edge

Furthermore, the Cato Socket can make user- and application-aware decisions for implementing the defined QoS policies.

In addition to connecting the enterprise’s on-premises data centers, we also need to connect cloud-based applications at public clouds (AWS and Azure). For these environments, we will use Cato’s virtual socket (vSocket) as shown below:

Defining network connectivity to any of these locations is done quickly and easily via Cato’s Management console. By clicking the Configuration drop-down menu and selecting Sites you are taken to the site configuration screen:

Site Configuration

Then by opening the Add site dialog screen, we can configure a new site. We start by naming the new site e.g Best Site Ever:

New Site Configuration

We then open the site Type drop-down menu and select the site type. Available options include Branch, Headquarters, Cloud Data Center or Data Center (on-premises):

Next, we open the “Connection Type” drop-down menu (see figure below) and select the type of Cato Socket connector we wish to use for our site:

Socket Type Selection

Physical locations typically use the X1500 or X1700 Cato Sockets, while cloud data center locations typically use one of the Cato virtual sockets (vSocket), depending on the cloud being accessed. As can be seen from the list of connections types, there is also an option to connect both physical and cloud sites using an IPsec tunnel.

The additional configurations are pretty straightforward. In addition to country and time zone, we need to define the uplink/downlink bandwidth limitations for the site and the local subnet used to allocate IP addresses to local hosts. And that’s it. Our site is ready go.

Adding remote users is also a breeze. In the configuration section below, select VPN Users:

We then click on the “+” icon and the new user dialog is shown:

New User Configuration

We fill in the user’s full name and email address, and the new user is defined. We then add the user’s phone number and a link for downloading and configuring the Cato client.

Once the Cato Client is installed and launched on the user’s device, it will automatically search for the nearest PoP and establish a secure connection with it:

The Cato SDP VPN Client

All traffic sent to and from the device is encrypted. The Cato SDP client provides a wide range of statistics, including traffic usage, PoP information, and more.

The SASE Unified Network

Once we’re done configuring all our different edges, we can easily view our entire network topology by selecting My Network > Topology: 

Network Topology

We can see all the edges we have defined: On-premises data centers, cloud data centers, HQ/branch offices, and remote users. We can see its status for each defined edge and take a deeper dive to view extensive analytics covering networking, security, and access metrics.

A true SASE solution should enable access and optimize and secure traffic for all network edges. It should make adding new sites and users easy and fast, and it should provide a unified view of your entire network topology.

Summary

In this article, we briefly covered the purpose of SASE and showed how a SASE solution could be used to connect all edge points within an organization, regardless of their location or size. Catonetwork’s SASE platform was used as an example to show how easily a SASE solution can be deployed to provide fast and secure access to users and offices around the world. We examined the four pillars of SASE architecture and saw what a SASE unified network looks like.

More information on SD-WAN and SASE can be found in our dedicated SASE and SD-WAN section.

Yet, for all that praise, VPNs are far from perfect. They require IT to purchase and deploy separate VPN appliances, increasing capital costs and complicating maintenance. Most VPN solutions require frequent patching, user policy settings, reconfiguration, and oversite. All of which adds to the burden of attempting to maintain security. What’s more, VPNs can introduce latency into mobile connections, as well as require additional login steps, often confusing end users and adding to the burden of the help desk.

All of which issues beg the question: Is it time to drop your VPN and find a better solution for site-to-site and mobile access?

Before we answer the question, let’s take a look at the key topics covered here:

• SASE or VPN: What’s the Difference?
• SASE Brings VPN Benefits without VPN’s Networking Weaknesses
• SASE Makes Security Much Easier
• SASE Answers the VPN Questions

Until recently, the answer to our question above would have been “no.” There wasn’t a better answer out there. However, as networking technology has evolved, an answer to the VPN conundrum may be found in Secure Access Service Edge (SASE), the successor to SD-WAN and, quite possibly, VPNs. Here’s why. 

SASE or VPN: What’s the Difference?

SASE originates from a proposal by research giant Gartner, which defined SASE as a cloud architecture model combining the functions of different network and security solutions into a unified, cloud security platform.

SASE, as envisioned by Gartner, operates as a cloud-naive service connecting all of an organization’s “edges” – including sites, mobile users, IoT devices, and cloud resources -- into a single, global secure network.  It’s cloud-native meaning that the software has all of the scalability, elasticity, and repaid deployment benefits of the cloud.

And the network is secure. We don’t just mean secure as an encrypted network, like SD-WAN. We mean one that also has a complete, embedded security stack protecting against Internet-borne threats.  More specifically Next-Generation Firewall (NGFW), CASB, SWG, ZTNA, RBI, and DNS are all part of the SASE platform.

Devices of different sorts establish encrypted tunnels to the SASE point of presence (PoP). The software in the SASE PoP authenticates connecting user and grants access to defined resources based on user identity and real-time conditions, such as the user’s location or device.

Incoming traffic is inspected in a single-pass with SASE applying the complete range of security functions, optimized, and forwarded along the optimum path to its destination. As such, edges gain the best possible network experience anywhere in the world, at least that’s the theory. 

SASE Brings VPN Benefits without VPN’s Networking Weaknesses

Like a VPN, SASE can operate securely over the Internet making it affordable and available everywhere. But SASE goes a few steps further than any contemporary VPN solution, bringing the kinds of performance and ease of use that previously were only afforded to sites. In short, SASE makes sites, mobile users, IoT devices and cloud resources “equal citizens” of the new WAN.

SASE simplifies deployment and maintenance by eliminating additional, specialized VPN hardware and concentrators. Instead, sites and mobile users connect directly to the SASE PoP. Sites via SASE’s global SD-WAN service; mobile users connect via client or clientless access.

And by establishing tunnels to the nearest PoP and not to one another, SASE avoids the deployment and recovery problems of full mesh, site-to-site VPNs. In those networks, where sites maintain direct tunnels with every other location in the network, significant time is spent first by IT personnel configuring the tunnels and then by the VPN device re-establishing tunnels after a network failure. With SASE, sites only establish one or two tunnels to the local PoP. This is done automatically, making initial deployment very easy, and with so few tunnels, recovering from a network failure can be in a fraction of the time even for what was a very large, meshed network.

SASE also addresses the performance problem faced by VPNs. The WAN optimization and route optimization built into SASE improves traffic performance for all edges. With VPNs, those technologies either weren’t possible (in the case of mobile users) or would have required additional investment (in the case of site-to-site VPNs).

What’s more by SASE eliminates the backhaul that undermines mobile VPN performance. Instead of bring Internet and cloud traffic back to a central inspection point, as is the case with VPNs, SASE brings security inspection to the local PoP. Traffic hits the nearest PoP, gets inspected, and is forwarded directly onto its destination.

SASE Makes Security Much Easier

Not only does SASE address VPN’s networking limitations but having a single security engine for traffic from any edge significantly simplifies security policy management and enforcement.

Access control is much tighter. Rather than giving remote users access to the entire networks, SASE uses cloud-based Software Defined Perimeter (SDP) or zero trust network access (ZTNA), which restricts network access to authorized resources. Users only see the network resources, be they applications or hosts, permitted by their policy. There’s no opportunity for them to “PING” or use other IP tools to investigate the network and uncover unprotected resources. SDP uses strong authentication on access and continuous traffic inspection, helping to further secure endpoints.

Security management is also much easier particularly when combining VPNs with SD-WANs. Rather than maintaining separate security policies for the mobile users connected by VPN and office users sitting behind the SD-WAN device, SASE creates a single set of security policies for all users and resources.

SASE Answers the VPN Questions

SASE with cloud-based SDP proves to be faster, more secure, and easier to manage than legacy VPN systems. It’s the obvious choice for those looking for a modern VPN or to benefit from the combination of VPNs and SD-WAN.

And yet, while SD-WAN technology seems like a solution to many of the problems that businesses are having connecting to the cloud, there are still some concerns around security and that is where Secure Access Service Edge (SASE) comes into the picture.

Before we dive any deeper, let's take a quick look at what we've got covered:

• What is SD-WAN?
• How is SASE Different from SD-WAN?
• SASE in the Real World
• The Benefits of SASE
• Who are the SASE Players

What is SD-WAN?

Software Defined Wide Area Networking (SD-WAN) is a seismic shift from traditional WAN technology, where proprietary hardware and software are replaced with virtualization technology that can abstract networking from hardware. The “Software Defined” part of an SD-WAN uses virtualization to create a WAN architecture that allows enterprises to leverage any combination of transport services, including MPLS, LTE and broadband internet services, and create a fabric of connectivity that connects users to applications. SD-WANs use a centralized control plane to intelligently direct traffic across the WAN, increasing application performance, resulting in enhanced user experience, increased business productivity and reduced costs for IT.

Access popular articles covering SD-WAN topics by visiting our SD-WAN Network section

How is SASE Different from SD-WAN?

The Secure Access Service Edge, better known as SASE, is a technology proposed by Research Giant Gartner. The research house defines SASE as a cloud architecture that converges various network and security functions into a single, cloud security and networking platform. SASE goes beyond what an SD-WAN can offer by incorporating security protocols and increases the reach of the network with support for mobile devices, IoT devices, and other devices that may not have a persistent connection to the network. What’s more, SASE can securely bridge cloud services into the SD-WAN, allowing branch offices and remote users to access services from most any locations. SASE is delivered as a service, minimizing or eliminating the need for specialized hardware or security appliances.

The SASE model allows IT teams to easily connect and secure all of their organization’s networks and users in an agile, cost-effective and scalable way.

What’s more,

SASE in the Real World:

You can’t have SASE without SD-WAN, the two technologies have a symbiotic relationship that actually flattens the networking and security stack into a single connectivity stack. SASE, as envisioned by Gartner, operates as a platform, which provides organizations with the ability to connect to a single secure network, which then grants secure access to physical and cloud resources, regardless of location. Or, more simply put, SASE brings security to SD-WANs by introducing four primary characteristics:

• Identity Driven: Organizations will be able to control interactions with resources using a least-privileged strategy combined with strictly enforced access control. Attributes used by that control element include application access policy, user and group identity and the sensitivity of the data being accessed.
• Cloud Native Architecture: The SASE model architecture requires the implementation of several different cloud capabilities into a platform. That platform will offer agility, be adaptive, self updating, and will give organizations a holistic and very flexible approach to connect, regardless of location.
• Support for All Edges: SASE creates a single network for allof an organization's resources. Data centers, branch offices, cloud resources, and endpoints. A common interpretation of that deployment may include SD-WAN appliances for the physical edges and software clients for endpoints or browser based clientless connectors.
• Globally Distributed: SASE platforms must be globally distributed to organizations, meaning that SASE service providers must be able to deliver low latency services to enterprise edges and offer low latency connections into cloud service providers.

A proper SASE solution delivers a connectivity platform as a service which brings forth unified cloud management, with zero trust capabilities, incorporated into a single networking stack.

The Benefits of SASE:

SASE brings agility and a holistic approach to both networking and security. Ultimately, SASE proves both innovative and disruptive, and will potentially transform the way network security is consumed over traditional products and cloud services. The most notable benefits of SASE include:

• Lowered Costs: SASE can reduce the number of components and vendors required to provide edge connectivity into the cloud, while also lowering operational overhead.
• Improved Network Performance: SASE is built upon a global SD-WAN service, which may leverage a private backbone and incorporates automatic traffic optimization and continuity.
• Vastly Improved Security: All traffic flow is inspected at the source and the endpoint, creating the opportunity for fully encompassing policies, which can be based upon identity, resources, or other defined elements.
• Reduced Overhead: With SASE providers operating and maintaining the security stack, IT staffers will not have to worry about updating, patching, or scaling edge connectivity products.

The other benefits from SASE come from the adoption of an SD-WAN platform, where connections can be consolidated, and then managed from a single pane of glass. Additional benefits can be found in an SD-WAN’s core capabilities of reducing proprietary hardware needs and bringing much needed simplicity to cloud connectivity.

Who are the SASE Players:

Numerous vendors are investing in the SASE model and are bringing services online. Gartner has identified more than a dozen vendors that are developing SASE offerings, with notable players, such as Cato Networks, Cisco, FortiNet, Zscaler, all building SASE offerings for the market.

WAN optimizers were a boon to telecom budgets when network bandwidth was particularly pricey. Businesses also have used the devices to prioritize applications that are sensitive to delay and packet loss--particularly when traffic is shuttled among corporate-controlled sites.

However, changes in network traffic patterns and application protocols, the tendency to encrypt data in transit, the emergence of software-defined WAN (SD-WAN) and other factors are all challenging the need for WAN optimization in the edge appliance form factor that IT shops have traditionally deployed.

Shifting Network Landscape

While historically most application requests were directed inward, toward corporate data centers, most are now outbound, toward cloud and Internet locations. As the software as a service (SaaS) computing model continues to gain steam, these trends will only get stronger.

With much of corporate traffic headed toward the cloud, enterprises have little or no control over the far-end site. As a result, it becomes difficult to support a network topology requiring optimization appliances at both ends of the WAN link. Ever try asking Salesforce.com if you could install your own, specially configured WAN optimization appliance in their network? Good luck.

In addition, today’s security schemes can throw a wrench into traditional WAN optimization setups. Nearly all cloud-bound traffic is SSL/TLS-encrypted from the workstation to the cloud using keys that aren’t readily accessible. WAN optimizers can’t see that traffic to shape or treat it, unless the device is brought into the certification path for decryption and re-encryption before delivery. Adding that step introduces a processing burden to the optimization appliance that can impede scalability.

Another change factor is that Internet bandwidth is more plentiful than it was when WAN optimizers came to market, and it’s far more affordable than MPLS capacity. So the requirement to compress data and deduplicate packets to conserve expensive bandwidth, which traditional WAN optimizers are good at, has become less stringent.

Duplication Of Effort

There are also other ways to get some of the traditional WAN optimizer’s benefits baked right into services. Some cloud service providers, such as Amazon with its AWS Global Accelerator service, for example, help improve connections to their services, encroaching a bit on the traditional WAN optimization appliance’s turf.

Today, those WAN links are carrying predominantly HTTP and TCP traffic. That means that the need to accelerate various other application-specific protocols is disappearing. The acceleration capabilities for IP-based traffic offered by cloud providers such as Amazon are now more in demand than the multiprotocol acceleration function of traditional WAN optimizers.

The deduplication and compression capabilities of WAN optimization appliances remain beneficial. However, there is less of a need for them because of greater availability of network capacity. And cloud computing is bringing data closer to users to decrease distance-based latency.

Emergence Of SD-WANs

Amid all these WAN changes, SD-WANs have taken the industry by storm, affording the opportunity to offload traffic from pricey MPLS circuits onto lower-cost links. By incorporating dynamic path selection--the ability to route traffic across the best-performing WAN link available at the moment of transmission--the SD-WAN is subsuming a portion of the WAN optimization role. SD-WANs are still in hockey-stick growth mode, with IDC predicting a 40% compound annual growth rate through 2022.

The SD-WAN cloud is clearly the future of WAN Networking

SD-WANs, depending on the vendor, incorporate other optimization capabilities, too, such as packet-loss correction technology, TCP proxies to compensate for network latency, traffic shaping, and quality of service (QoS) priority marking.

Managed SD-WAN services, or cloud-based SD-WAN, are particularly appealing for the performance improvements they yield. In this setup, your SD-WAN service provider generally runs a private IP network, which it controls end to end. That puts the provider back in the seat of controlling both ends of your connection by linking your sites to its own backbone points of presence all over the world. That means your traffic is no longer subjected to the “best effort” nature of the public Internet, where it traverses circuits managed by multiple providers.

Different Approaches

Enterprises will always want their WAN traffic treated as efficiently as possible with the best possible application performance and response times. But where WAN optimization appliances (or WAN optimization built into edge routers) were once the sole source of application acceleration, the changing WAN landscape means that optimization is being handled in different ways. These include acceleration techniques offered by cloud vendors and, most notably, by popular SD-WAN offerings.

Where WAN optimization takes place will depend on whether you deploy SD-WAN and, if you do, which SD-WAN deployment model you choose: on-premises or as a managed, cloud-based service. One way or another, enterprises should address WAN performance so that their long-haul, particularly global, transmissions don’t sputter and choke response times of their critical applications.

This article tackles the above and many more questions around enterprise WAN network connectivity options and the different type of SD-WAN network implementations along with their advantages and disadvantages.

Key Topics:

• SD-WAN Deployment Options
• Do-It-Yourself (DIY) – Deploying Security at Each Site
• Telco Managed SD-WAN Services
• SD-WAN as a Service
• Summary

Directly connecting branch offices to the cloud increases your exposure to malware and Internet-borne attacks, expanding your attack surface across many sites. If not adequately addressed, these risks could outweigh the cost and performance benefits of SD-WAN. Let’s take a look at the SD-WAN options for securing your sites.

Related Articles

• Complete Guide to SD-WAN. Technology Benefits, SD-WAN Security, Management, Mobility, VPNs, Architecture & Comparison with Traditional WANs. SD-WAN Providers Feature Checklist
• SD-WAN is the Emerging, Evolving Solution for the Branch Office
• MPLS vs. SD-WAN vs. Internet vs. Cloud Network. Connectivity, Optimization and Security Options for the ‘Next Generation WAN’
• The Most Common Worst Networking Practices and How To Fix Them

SD-WAN Deployment Options

There are a few SD-WAN options available. Each requires a different approach to branch security:

• Do it yourself (DIY): It’s possible to build and manage your own SD-WAN by deploying firewalling and unified threat management (UTM) capabilities yourself at each branch site. You can install separate physical appliances for each type of security you need or run the security tasks as virtual network functions (VNFs) in software. VNFs usually run in a special CPE appliance, but it may also be possible to run the VNFs in your branch router, depending on which router vendor you use.

• Telco managed SD-WAN services: This option mirrors the DIY approach above; however, a telco resells the needed SD-WAN appliances and software to you and manages the installation on your behalf. The SD-WAN setup is the same but lightens the load on your IT staff and reduces the need for specialized SD-WAN skill sets in-house.

• SD-WAN as a cloud service (“SD-WANaaS”) from a software-defined carrier (SDC): With this option, most SD-WAN functions run as a distributed, multi-tenant software stack in a global, private cloud maintained by your SDC. The provider integrates multiple levels of security into the network in the cloud, and your traffic traverses the SDC provider’s own IP backbone, avoiding the risk and best-effort performance challenges of the public Internet.

Let’s take a closer look at each approach.

DIY: Deploying Security at Each Site

SD-WAN solutions encrypt branch traffic in transit, but they don’t protect against Internet-borne threats, such as malware.  To tackle those risks, you’ll require an array of security functions, these include next-generation firewalling, intrusion detection and prevention (IDS/IPS), quarantining or otherwise deflecting detected malware, and web filtering.

Those security functions can be deployed as standalone appliances, VNFs running on a vCPE, or a secure web gateway (SWG) service. Regardless, your deployment becomes more complex and your capital costs far more than simply your SD-WAN appliance costs. Also, keep in mind that as traffic volumes grow, appliances and VNFs will require more processing power to keep pace with increased traffic loads, requiring appliance hardware upgrades. And while SWG will inspect Internet traffic, they don’t inspect site-to-site traffic, opening the way for malware to move laterally once entering the enterprise.

Telco Managed SD-WAN Services

By turning to a telco to install and manage your SD-WAN equipment, you alleviate the need for special SD-WAN skillsets in-house. The telco maintains the security edge devices and services; there’s no software patching, updating, and upgrading to worry about.

But at the same time, you’re left dependent on the telco. The telco is responsible for making network upgrades and changes and will often take far longer than if you had made those changes yourself. You’ll also be paying more each month for all of that support and integration work offloaded onto the telco.

And you’re still left with the same technical limitations of an appliance-based approach. This means that with the telco must reflect all of the costs of the design and maintenance of the security and networking infrastructure in their price to you. And as with a DIY approach, you’ll still be left with periodically scaling your appliance as traffic loads grow, further disrupting your IT processes and increasing costs.

SD-WAN as a Service

Integrating SD-WAN with UTM by using a Software-Defined Carrier (SDC) is the simplest solution to deploy and manage and quite possibly the most secure.

Here’s why: When you use an SD-WAN-as-a-service, security is converged into the network and delivered from the cloud. You don’t have to concern yourself with scaling network security as your implementation grows. Your cloud provider has infinite, elastic resources at its disposal, far more than what a small appliance on your premises can handle.

Services offered by a complete fully-managed SD-WAN network provider

SDC services usually involve integrating the software for SD-WAN, IPsec, firewalling, and UTM into a single, software stack. By collapsing multiple security solutions into a cloud service, the provider can enforce your unified policy across all your corporate locations, users, and data.

In addition, you will be running your traffic over a higher-grade IP network than the best-effort Internet. SDCs run their own Tier-1 IP backbones with service-level agreements (SLAs) attached to them. There are both security and performance benefits inherent in using the SDC’s network infrastructure compared to the Internet.

Summary

If you’re short on SD-WAN or in your organization security expertise, DIY might introduce cracks into your WAN and leave you vulnerable. Complexity usually increases the potential for human error, which contributes to risk. If you subscribe to that philosophy, you’re better suited to the managed service or as-a-service cloud approach.

If you’re anticipating growth, both in the number of sites and per-site volume, the cloud service is a better fit to your needs. It brings the scalability benefits to the table and provides extra security by transporting your traffic on a private IP backbone, which also provides a performance benefit compared to public Internet links.

The benefits of a secure SD-WAN, however you choose to achieve it, are many. You’ll reduce infrastructure and circuit costs while improving performance with direct-connected links to cloud and Internet resources. You just need to be sure the t’s are crossed and the i’s are dotted on security so you can enjoy SD-WAN’s many advantages with a clean conscience.

Management refusing to consider new vendors because, well, they’re new. Engineers wanting to do everything manually when automation would save them a ton of time. Overspending on capacity when there are more affordable alternatives. You get the picture.

Some practices are well known, others are less obvious. A great starting point for identifying the worst of the worst in your organization was a recent list compiled by Gartner. The list culls insight from several thousand client interactions.  While the Gartner report requires payment,  a free eBook from Cato Networks explains each networking practice and how they can be addressed with a cloud-based SD-WAN.

The practices fall into three categories — cultural, design and operational, and financial:

• Cultural practices describe how IT teams relate to collaboration, and more broadly, innovation. Excessive risk avoidance is one example of a “worst” cultural practice. Adherence to manually configuring networking device and the silo-ism that often crops up among IT teams are other examples.
• Design and operational practices are those practices that restrict the agility, increase the costs, and complicate the troubleshooting of the enterprise network. These practices often stem from having amassed legacy technologies, forcing less than ideal practices. Other practices include the lack of a business-centric network strategy, spending too much for WAN bandwidth, and restricted visibility into the network.
• Financial “bad” practices stem from the dependencies IT organizations have on their legacy vendor relationships. All too often, busy IT professionals cut corners by leaning on their vendors for technology advice. This particularly the case in newer technologies where an IT professional may lack sufficient background to conduct an assessment. Vendors and their partners have a commercial interest in furthering their own aims, of course. As such, companies end up being locked into vendors or following questionable advice.

Often, worst practices grow out of the best intentions, evolving incrementally over time. Risk avoidance isn’t inherently bad, for example. It stems from the healthy desire to limit network outages. But excessive risk avoidance stems from organizational cultures where teams are locked into dysfunctional postmortems, blaming one another. 

Adopting technologies that encourage transparency can help address the problem. With a common portal used by all offsite networking teams — security, WAN, and mobile — problem resolution is faster, collaboration easier, and finger pointing is eliminated. How do you do that? To learn more, check out the eBook here.

This new functionality is a good thing, of course. But, at the same time, it raises a big challenge: Multiprotocol Label Switching (MPLS), the way in which most branch offices network today, is a poor match for this new environment. It is an expensive and rigid one-size-fits-all approach to an environment that prizes fluidity and flexibility.

The answer is Software Defined-Wide Area Networking (SD-WAN). It matches the network to branch offices’ needs and provides a superior user experience. It also the potential to reduce costs.

Our Complete Guide to SD-WAN Technology article provides an in-depth coverage on SD-WAN Security, Management, Mobility, VPNs, Architecture and more.

SD-WAN is still a work in progress, no doubt, but the technology is positioned to be the next wave in branch office connectivity -- here's why.

• Welcome to the New Branch
• MPLS Problems Hurt the New Branch
• No Support for Mobile Users
• SD-WAN is the Answer
• The Different Worlds of MPLS and SD-WAN
• Is SD-WAN Totally Mature? No…
• SD-WAN 3.0: How SD-WAN Services Help
• At the Branch, Think SDWaaS. Not MPLS

Welcome to the New Branch

Enterprises generally configure WANs in a classic hub-and-spoke manner. Branches are the ends of the spokes and resources are in the hub, typically the headquarters or datacenters. Internet traffic is backhauled across the MPLS-based WAN to the hub for delivery through a secured, Internet access connection.  

That’s a solid, bulletproof approach. However, branch operations have changed radically since MPLS was introduced in the early 1990s. Back then, branch offices were comfortable with a T1 or two. Today's offices need 5x that amount. Back then, most applications and services terminated at MPLS-attached datacenters, not the Internet. Today, most traffic goes out to the Internet. Back then most work was done in offices. Today, work is done, well, everywhere.

MPLS Problems Hurt the New Branch

MPLS-based architectures are a poor fit for the new branch. Bandwidth is far more costly than Internet access (exact amounts will vary between regions and packages). Installation can take months, especially if the provider doesn’t have any available circuits; bandwidth upgrades weeks. This, needless to say, is too slow for today’s environment. International deployments only add to the problems.

The cost and inflexibility of MPLS leads many organizations to skimp on branch office bandwidth and, often, skip on redundancy. Instead, the sites instead are linked by non-redundant cable, DSL or wireless services and therefore are vulnerable to circuit failures and downtime. The use of separate networks makes creating a fully meshed architecture, where every office has a direct connection to every other office, far more difficult, impacting Active Directory and VoIP design. Those connected to MPLS face delays when more bandwidth is needed, such as for branch expansions and seasonal traffic spikes.  

The same antiquated approach extends to contracts. Branch offices often are temporary. One may start in somebody’s home. That worker may quickly be grouped with other workers at a larger branch across town. The three-year contracts offered by MPLS providers is simply inappropriate for such small- or transient-branch offices.

And none of this says anything about two shifts in enterprise networking -- the cloud and mobility. Backhauling Internet traffic adds too much latency, disrupting with the user experience. Often traffic is backhauled only to be sent back across the Internet to a site near the edge. This back and forth -- aptly called the “trombone effect” -- causes significant latency problems and consumes expensive MPLS bandwidth, particularly when the central portal and branch office are far from each other.

No Support for Mobile Users

WANs are all about physical locations. Mobile users, who were not that big a deal “back in the day,” are not supported by MPLS-based WANs.

Typically, mobile employees connect through VPNs to on-premises firewalls or concentrators. Data is sent either to a local access point or a centralized and secure access point on the WAN. In such scenarios, applications and other resources generally are located in different places. This leads to split tunnels and management complexity, which is the enemy of efficient, low latency and inexpensive operations.

One option is site-to-site connectivity via firewall-based VPNs. It’s a bad option, however, it necessitates convoluted Internet routing. The resulting jitter, latency and packet loss impacts voice, video and other sensitive applications. It is a workaround that causes as many problems as it solves.

SD-WAN is the Answer

SD-WANs answer these challenges -- and more. As the name implies, SD-WANs are a subset of the software-defined networking concept, which separates the data being transported from the routing and provisioning information directing the journey, increasing flexibility by orders of magnitude.

The initial versions of SD-WAN focused on bandwidth provisioning and last mile link bonding. That was a great advance. The arrival of SD-WAN 2.0 was even more exciting envisioning the entire network -- the branches, the headquarters, the datacenter and so forth -- as a single unified entity. It adds four elements that enable the selection of the path with the desired attributes through this network to be found:

• Controllers create traffic policies and send them to virtual and/or physical appliances at each location.
• Virtualized data services normalize Internet services, such as xDSL, cable, and 4G/LTE, as well as MPLS into a single network.
• Virtual overlays are secure tunnels that enable underlying data services to be temporarily and fluidly cobbled together -- virtualized -- to create an optimal path and its service characteristics.
• Application-aware routing is the process of choosing the path with the desired end-to-end performance characteristics. The variables include application requirements, business policies, and real-time network conditions.

Branches become part of this holistic network through an SD-WAN node, which usually is an appliance connected to the LAN on the branch side and MPLS and an Internet service such as cable or DSL on the network side.

When they are installed, the SD-WAN nodes, using zero-touch provisioning, point to a predetermined IP address that links it to the controller. Policies are uploaded to the device. These generally include port configuration, business policies (such as priority and thresholds for failover) and application requirements. This information is combined with real time data to determine the best network path. Latency-intolerant VoIP sessions, for instance, may be provisioned with MPLS and bandwidth-intensive FTP transfers via broadband.

The Different Worlds of MPLS and SD-WAN

Once SD-WANs are accepted as a possible alternative to MPLS-based WANs for branch offices, the focus turns to cost comparisons. The answer is complex. Bandwidth costs go down in an SD-WAN environment because cheaper broadband is a viable alternative for much traffic. On the other hand, security costs rise because branches with direct Internet access (DIA) require next-generation firewalls (NGFWs), IDS/IPS, sandboxing and other security elements. These systems also must be patched and upgraded as necessary, which adds to opex.

Another change is in vendor relationships. MPLS implementations generally are by a single vendor (the famous “one throat to choke”). SD-WAN deployments usually rely on multiple suppliers. This adds complexity to elements such as inventory and payment management. This complexity impacts costs. On a deeper level, the SD-WAN enables changes to be implemented much faster than MPLS. The cost ramifications of adding bandwidth to meet an unexpected sales spike immediately (in the case of SD-WAN) compared to next month (MPLS) is fluid. There is no doubt, however, that adding the bandwidth quickly is a benefit.

Our article MPLS vs SD-WAN provides addition considerations between the two for organizations around the world.

Is SD-WAN Totally Mature? No...

SD-WAN is a young technology that still is evolving in fundamental ways. Organizations considering the technology should be aware of the shortcomings of SD-WAN 2.0.

A key obstacle is related to the need for hardware. In SD-WAN 2.0, DIA is hardware-based. Placing an appliance at each branch office is expensive, as noted above, and requires capacity planning, configuration and maintenance including updates, patches and, perhaps, upgrades that can require hardware changeouts. Security is handled as it is at more substantial corporate locations.

A second shortcoming is that an SD-WAN doesn’t eliminate MPLS (or an equivalent SLA-backed service). Broadband still is an iffy proposition for latency- and loss-sensitive applications. Thus, an SLA-based service remains part of the picture. That makes sense, but it’s odd to go to great trouble to wean the organization off a particular technology -- and retain it.

A third challenge is that today’s SD-WANs don’t do a good job of supporting mobile users and the cloud. Mobile support requires additional hardware and software. SD-WANs only support clouds in a one-off proprietary manner. These approaches add complexity and aren’t a long term solution.

SD-WAN 3.0: How SD-WAN Services Help

The next version of SD-WAN confronts these challenges. SD-WAN 3.0 -- which also is known as SD-WAN as a Service (SDWaaS) -- is fully inclusive. It provides branch office and mobile users with secure end-to-end connectivity to the cloud and data centers.

This brings the cloud “as-a-service” vision to the SD-WAN sector. Servers, storage, network infrastructure, software and security no longer are the enterprises’ problem. Software is distributed across geographically dispersed points-of-presence, each of which is fully-redundant and connected by multiple paths to every other PoP. The organization instantiates, configures and manages their SD-WANs as if they are running on their own dedicated equipment -- but they aren’t.

SDWaaS uses a “thin-edge” architecture to do this. This is a zero-touch appliance at the branch that simply moves packets across secure tunnels into the SD-WAN cloud, MPLS or other transport. The thin-edge performs only the tasks that must be done locally. These include optimal PoP selection, bandwidth management, packet loss elimination and dual transport management. This means that the edge can run in many different devices and services, such as a software client for mobile devices or an IPsec tunnel from third-party firewalls or cloud services.

But beyond the SD-WAN, most edge functions needed to support the branch perimeter are built into SDWaaS. A complete, converged security stack includes NGFW, IPS, and SGW. SD-WAN and network optimization also run in the cloud including routing, optimal path selection and execute throughput maximization algorithms. And by moving these functions into the cloud, they're available to secure and improve the experience of users in all SD-WAN nodes -- headquarters, remote branch offices, homeworkers, and, yes, mobile users.

At the Branch, Think SDWaaS, Not MPLS

Simplifying infrastructure is a key to thriving in our data-intensive, cloud-based and highly mobile world. A single network with a single framework for all users and applications makes IT leaner, more agile. It will include all branch offices, large and small, a big change from their traditional second-class status.

Converging networking and security is essential to the story of WAN transformation. And while SD-WAN is a valuable evolution of today’s WAN, SDWaaS goes further and brings a new vision for networking and security to today’s branch offices.

As one of the founders of Check Point Software and more recently Cato Networks, I’m often asked for my opinion on the future of IT in general, and security and networking in particular. Invariably the conversation will shift towards a new networking technology or the response to the latest security threat. In truth, I think the future of firewall lays in solving an issue we started to address in the past.

FireWall-1, the name of Check Point’s flagship firewall, is a curious name for a product. The product that’s become synonymous with firewalls wasn’t the first firewall. The category already existed when I invented the name and saved that first project file (A Yacc grammar file for the stateful inspection compiler, if you must know.) In fact, one of the first things Gil did when we started our market research for Check Point in 1992 was to subscribe to a newly formed firewall-mailing-list for, well, firewall administrators.

But FireWall-1 was the first firewall to make network security simple. It’s the stroke of simplicity that made FireWall-1. From software to appliances, firewall evolution has largely been catalyzed by simplicity. It’s this same dynamic that three years ago propelled Gur Shatz and me to start Cato Network and capitalize on the next firewall age, the shift to the cloud.

To better understand why simplicity is so instrumental, join me on a personal 25-year journey of the firewall. You’ll learn some little-known security trivia and develop a better picture of where the firewall, and your security infrastructure, is headed.

The Software Age & Simplicity Revolution

When we started developing FireWall-1, the existing firewalls were complicated beasts. Solutions, such as Raptor Firewall or Trusted Information Systems Firewall Toolkit (FWTK) relied on heavy professional services. Both came out of corporate America (If I remember correctly Raptor from DuPont and FWTK from Digital).

The products required on going attention. Using new internet applications could mean installing a new proxy server on the firewall. Upgrading an existing application could require simultaneously upgrading the existing proxy servers, or risk breaking the application. No surprise, the solutions were sold to large organizations willing to pay for the extensive customization and professional services required to implement and maintain them.

They say “necessity is the mother of invention” and that was certainly the case for Gil, Marius, and I. We were anything but corporate America. Extensive on-site support, custom implementations, professional services — the normative models wouldn’t work for us sitting in my grandmother’s apartment 10,000 miles away from the market, suffering the sweltering Israeli summer with no air conditioning and only $300,000 in the company bank account.

We needed a different strategy. What we needed was a solution that would be:

• Simple to use without customer support,
• Simple to deploy without professional services,
• Simple to buy from a far, and, above all,
• Simple enough for three capable developers to build before running out of budget (about 12 months).

To make the firewall simple to use, two elements were key:

• A stateful and universal inspection machine that could handle any application given the right, light-weight configuration file. No longer was there a need to deploy and update custom proxy servers for each application. In the coming years, when Internet traffic patterns changed to include an ever growing number of applications, stateful inspection became critical.
• An intuitive graphical user interface that any sys admin could understand and use almost immediately.

Actually, we didn’t get the UI right the first time around. After a few months of development, we ran a "focus group” with friends that luckily were PC developers. During those days, PC developers were much more advanced UI folk than us Sun Workstation guys. Our focus group hated the UI, which led us to start all over, and develop a PC-like interface that looked like this:

Caption: A screenshot of FireWall-1’s early interface.

 I still think it’s pretty great. By the way, you might notice a host called “Monk” in the rule base. It was one of the two Sun workstations we owned (actually borrowed as a favor from the Israeli distributor of Sun), and named Monk after Thelonious Monk, the American jazz pianist and composer. The other machine was named Dylan. And all of those cool Icons? They were drawn by Marius who doubled as our graphic artist. He worked on a PC.

To make the product simple to deploy, we made a special effort to compress the entire distribution into a single diskette with the install manual printed on the diskette’s label:

Caption: An early FireWall-1 disk. Note the installation instructions on the label.

The last critical point was making the product simple to buy. In a world where the competition sold direct and made a considerable part of their revenues off of professional services, we decided to become a pure channel company and sell exclusively through partners.

We were very lucky to sign up early on with SunSoft, the software arm of the then leading computer manufacturer, Sun Microsystems, and become part of their popular Solstice suite. Sun's distribution know-how and capabilities were critical in the early days. In the pull market that followed, the fact that buying FW-1 through our partners was simple became critical.

Caption: An early FireWall-1 disk packaged as part of Sun’s Solstice suite

The Appliance Age: Simplicity At Scale

As firewalls became increasingly popular, the workstation form factor became increasingly difficult to maintain. The basic premises of our business — simple to buy, simple to deploy simple to use — were eroding because of how customers were using the product. It's one thing when you have a single Internet control point running on a repurposed workstation, but now organizations had distributed hundreds of these firewalls running on all sorts of machines and operating systems. You can imagine the mess.

Moving from shrink-wrapped software to prepackaged appliances seemed like, well, a simple, logical next step. The transition was anything but simple.

There was an existing, perimeter appliance already in the market — the router. It made perfect sense to embed the firewall in that appliance, at least that's what I thought when I signed an OEM agreement with Wellfleet Communications, the then number two router company (after Cisco, of course). We even had a customer with an amazing 300-node purchase (a large Fl in NY). One of our leading engineers, Nir Zuk, relocated to Boston to work at the Wellfleet office and support that project.

Caption: Embedding the firewall in a Welfleet router was good in concept but the remained crippled by limitations of the underlying router.

I remember the day I visited Nir. He wasn't happy at all, spitting and cursing as only Nir can. The hardware and operating system underlying the Wellfleet router were not strong enough nor dynamic enough to address the needs of a sophisticated firewall. It was a far cry from developing for the Solaris-based workstation. Work progressed slowly and, in the end, Nir was talented enough to get something basic working, enabling us to implement the 300 router- firewall nodes purchased by the customer. But the product remained crippled by the underlying platform. Overall, the product wasn't a success.

It became clear that there was a need for a dedicated appliance, and so we started looking around for a platform flexible enough to run a firewall. One of the early platforms we targeted was an appliance from a company called Armon, who ran a network monitoring solution based on the RMON standard.

Since the appliance was built to run sophisticated software we believed it will be a good match for FW-1. The Armon CEO, Yigal Yaakobi, was a big enthusiast of the OEM model, and licensed the box to us to build a dedicated firewall appliance. But Armon was just bought by SynOptics Communications, the then leading wiring hub manufacturer, who merged with Wellfleet to form Bay Networks. We needed Bay Networks management buy-in, which meant meeting with Jim Goetz, later the famed investor with Sequoia.

Yigal and I dressed up in our best, and in my case the only, suit and met Jim at a café shop in Vegas across from the Interop show. The meeting was not a success. Apparently, Jim did not appreciate my style in clothing and spent most of the meeting scolding it. And so the future of the firewall suffered a minor setback due to my lack of fashion sense. But the idea apparently stuck, because we will soon meet Jim in a more fortunate circumstance.

Caption: Embedding the firewall in Nokia appliances (pictured is a Nokia IP1220) proved successful.

Anyway, I did not give up. I hired Asheem Chandna (later the famed investor with Greylock) as the vice president of business development and product management, and relocated Nir Zuk to the Bay Area. The two started, among other things, the OEM program for Check Point that yielded the very successful Nokia relationship, which for many years was the basis of Check Point’s line of appliances.

As an epilog, Nir, Jim and Asheem started a company few years later called Palo Alto Networks that redefined the network security market, introducing the first modern unified threat protection appliance. And, yes, it was simple to buy, deploy and use, and wonderfully addressed the challenges of the changing traffic patterns it needed to protect.

Caption: Palo Alto redefined the network security market with unified threat protection appliances (shown here is a PA-7000 series appliance)

The Cloud Service: Simplicity For Today’s Business

Firewalls were always in the business of defining the perimeter, but originally we had ambitions to go after the business of the WAN. At Check Point we developed VPN-1 immediately after releasing FireWall-1 (and then merged them into one product suite), the first IPsec-based VPN between gateways and later a client VPN version as well for remote users. The idea was to replace Frame Relay and ATM, the predecessors of MPLS.

Caption: An early VPN-1 disk for running on a Nokia appliance

Then we developed FloodGate-1 to provide WAN optimization and QOS for the IP VPN network. The goal was to create a platform for a high-quality, Internet-based WAN that did not require dedicated, expensive, Frame Relay, or ATM connections and would extend beyond physical locations to any type of nomadic (if we use the ‘90s term) user.

It failed. MPLS won. People wanted SLA-backed networks to run their mission-critical apps. The Internet was too unpredictable. That was my exit project at Check Point. After I left, the FloodGate-1 effort was sidelined.

I also put this problem aside and started working on bringing firewalls deep into the datacenter of organizations. That took about 12 years and yielded other companies called Imperva and then Incapsula, founded by Gur Shatz, who soon emerged as a true cloud innovator.

In Incapsula, for the first time, the appliance form factor came under attack. The datacenter was by now mostly hosted on a cloud service or even just a good, old, plain hoster. Physical appliances made little sense when you could use a third-party cloud service. Incapsula was a great success (still is) because it took application delivery and security, and matched the cloud challenge with a cloud toolset.

While we were busy with the datacenter firewall it became increasingly clear that the perimeter was dissolving. In a world where most of my apps are third-party Software as a Service (SaaS), most of my data resides on third-party, public clouds, and most of my work is done on mobile devices out of the office, of what use are physical appliances when they’re guarding my now largely empty office?

Organizations had to buy increasing number of products for protecting their SaaS applications, Infrastructure as a Service (IaaS) cloud datacenters, and mobile users on top of their ongoing firewall spend. To make things worse, lots of branch locations and small offices that never had a direct breakout to the Internet but just backhaul over MPLS to company center where the firewall resided could not do that anymore. The Internet became a utility. You needed it anywhere, anytime, lots of it and in a secure way. So, all sort of patches like MPLS augmentation and secure web gateways emerged to increase Internet availability to all elements of the organization. Things were very messy at this stage. A far cry from the simple to buy, deploy, and use idea of the past.

Caption: With cloud, you can create one network with one set of security policies for all locations, resources, and users

When Gur (yep, that guy from Incapsula fame) and I started Cato Networks almost three years ago we realized the problem of WAN and perimeter are interlocked and require a new architecture that will make secure Internet and WAN available everywhere, anytime to any part of the organization – a branch office, a data center, a cloud segment, a mobile user. It was like going back 17 years in time to the days of VPN-1 and Floodgate-1 and taking a round two at that problem, but this time in a completely different world driven by cloud and mobility. The key remained the same: bring simplicity to an increasingly complex world.

Caption: Cato addresses a diverse range of use cases.

Following the Incapsula playbook we built a cloud network able to deliver anytime anywhere networking and security services. Think AWS for networking and network security. I believe this is the architecture that 10 years from now will dominate the enterprise WAN.

But it’s not just my belief. After 18 months in the market, hundreds of customers with thousands of branch locations across all verticals now rely on Cato Cloud to connect and secure their corporate networks. They agree with us: Cato is the future of networking.

This article discusses the different connectivity, optimization and security options for the ‘Next Generation WAN’ (NG-WAN). The NG-WAN calls for a new architecture to extend the WAN to incorporate the dynamics of cloud and mobility, where the traditional network perimeter is all but gone.

The Wide Area Network (WAN) connects all business locations into a single operating network. Traditionally, WAN design had to consider the secure connectivity of remote offices to a headquarters or a data center which hosted the enterprise applications and databases.

Without further delay, let's take a look at the topics cover in this article:

• First-generation: Legacy WAN Connectivity
• 1: MPLS - SLA Backed Service at Premium Price
• 2: Internet - Best-Effort Service at Discounted Price
• Second Generation: Appliance-based SD-WAN
• SD-WAN Augmenting MPLS with Internet Links
• Third Generation: A Cloud-based, Secure SD-WAN
• Summary

Let’s look at evolution of the WAN.

First Generation: Legacy WAN Connectivity

Currently, there are 2 WAN connectivity options which offer a basic tradeoff between cost, availability and latency:

Option 1: MPLS - SLA-Backed Service at Premium Price

With MPLS, a telecommunication provider provisions two or more business locations with a managed connection and routes traffic between these locations over their private backbone. In theory, since the traffic does not traverse the internet, encryption is optional. Because the connection is managed by the telco, end to end, it can commit to availability and latency SLAs. This commitment is expensive and is priced by bandwidth. Enterprises choose MPLS if they need to support applications with stringent up-time requirements and minimal quality of service (such as Voice over IP (VOIP).

Headquarters connecting to remote offices via MPLS Premium service

To maximize the usage of MPLS links, WAN optimization equipment is deployed at each end of the line, to prioritize and reduce different types of application traffic. The effectiveness of such optimizations is protocol and application specific (for example, compressed streams benefit less from WAN optimization).

Positives:

• Latency: Low
• Availability: High

Concerns:

• Price: High

Option 2: Internet - Best Effort Service at a Discounted Price

Internet connection procured from the ISP, typically offers nearly unlimited last mile capacity for a low monthly price. An unmanaged internet connection doesn’t have the high availability and low-latency benefits of MPLS but it is inexpensive and quick to deploy. IT establishes an encrypted VPN tunnel between the branch office firewall and the headquarters/data center firewall. The connection itself is going through the internet, with no guarantee of service levels because it is not possible to control the number of carriers or the number of hops a packet has to cross. This can cause unpredictable application behavior due to increased latency and packet loss.

Internet-based connectivity forces customers to deploy and manage branch office security equipment.

Positives:

• Price: Low

Concerns:

Latency: Unknown

Availability: Low

Second Generation: Appliance-Based SD-WAN

The cost/performance tradeoff between internet and MPLS, gave rise to SD-WAN. SD-WAN is using both MPLS and internet links to handle WAN traffic. Latency sensitive apps are using the MPLS links, while the rest of the traffic is using the internet link. The challenge customers face is to dynamically assign application traffic to the appropriate link.

Readers interested in SD-WANs should read our Complete Guide to SD-WAN article.

Related articles:

• Complete Guide to SD-WAN. Technology Benefits, SD-WAN Security, Management, Mobility, VPNs, Architecture and more
• The Need for a Converged SASE Platform. Converging Network & Security Services with Catonetworks SASE Platform
• How To Secure Your SD-WAN. Comparing DIY, Managed SD-WAN and SD-WAN Cloud Services
• SASE and VPNs: Reconsidering your Mobile Remote Access and Site-to-Site VPN strategy
• Converged SASE Backbone – How Leading SASE Provider, Cato Networks, Reduced Jitter/Latency and Packet Loss by a Factor of 13!
• Key Features of a True Cloud-Native SASE Service. Setting the Right Expectations

SD-WAN: Augmenting MPLS with Internet Links

SD-WAN solutions offer the management capabilities to direct the relevant traffic according to its required class of service, offloading MPLS links and delaying the need to upgrade capacity.

SD-WAN solutions, however, are limited in a few key aspects:

SD-WAN Footprint

Similar to WAN optimization equipment, SD-WAN solutions must have a box deployed at each side of the link.

Connectivity

SD-WAN can’t replace the MPLS link because its internet “leg” is exposed to the unpredictable nature of an unmanaged internet connection (namely, its unpredictable latency, packet drops and availability).

Deployment

SD-WAN, like the other WAN connectivity options, is agnostic to the increased role of internet, Cloud and mobility within the enterprise network. It focuses, for the most part on optimizing the legacy, physical WAN.

Third Generation: A Cloud-based, Secure SD-WAN

With the rapid migration to Cloud applications (e.g., Office 365), Cloud infrastructure (e.g. Amazon AWS) and a mobile workforce, the classic WAN architecture is severely challenged. It is no longer sufficient to think in terms of physical locations being the heart of the business, and a new cloud-based SD-WAN solution was born. Here is why:

Limited end to end link control for the Cloud

With public cloud applications outside the control of IT, organizations can’t rely on optimizations that require a box at both ends of each link. In addition, Cloud infrastructure (servers and storage), introduces a new production environment that has its own connectivity and security requirements. Existing WAN and Security solutions don’t naturally extend to the new Cloud-based environments.

Limited service and control to mobile users

Securely accessing corporate resources requires, mobile users to connect to a branch or HQ firewall VPN which could be very far from their location. This causes user experience issues, and encourages compliance violations (for example, direct access to Cloud services that bypasses corporate security policy). Ultimately, the mobile workforce is not effectively covered by the WAN.

The Cloud-based, Secure SD-WAN is aiming to address these challenges. It is based on the following principles:

The Perimeter Moves to the Cloud

The notorious dissolving perimeter is re-established in the Cloud. The Cloud delivers a managed WAN backbone with reduced latency and optimal routing. This ensures the required quality of service for both internal and Cloud-based applications.

The Cloud-Βased WAN is “Democratic” and All-Inclusive

All network elements plug into the Cloud WAN with secure tunnels including physical locations, Cloud resources and mobile users. This ensures all business elements are integral part of the network instead of being bolted on top of a legacy architecture.

Security is Ιntegrated into the Νetwork

Beyond securing the backbone itself, it is possible to directly secure all traffic (WAN and internet) that crosses the perimeter - without deploying distributed firewalls.

As shown in the example above, the SD-WAN provider acts as a gateway to the internet for the business. Any attempts to gain access to the business network or attacks must pass through the SD-WAN provider's secure network. This not only provides increased levels of security but also off-loads attacks directly to the SD-WAN provider, saving the business considerable bandwidth and resources needed to repel attacks.

Summary

This article compared SD-WAN solutions with Service Provider MPLS, Internet and Cloud Networks. We examined the positive and negative offerings of MPLS services (guaranteed SLAs), Internet-based WAN solutions (best-effort service), augmenting MPLS with Internet links and Cloud networks.  For more information on SD-WAN, refer to our Complete Guide to SD-WAN networks.

SD-WAN

SD-WANs are suitable for any organization regardless of their size and location(s). Forget about managing routers, firewalls or proxies, upgrading internet lines, high-cost WAN links, leased lines (MPLS), filtering incoming traffic, public-facing infrastructure, VPNs and mobile clients. SD-WANs provide all the above and allow managers, administrators and IT staff to manage their WAN infrastructure via an intuitive, easy-to-use GUI interface, lowering equipment and service contract costs but also minimize the need for continuous upgrades and other expensive and time-consuming exercises.

Related articles:

• The Need for a Converged SASE Platform. Converging Network & Security Services with Catonetworks SASE Platform
• How To Secure Your SD-WAN. Comparing DIY, Managed SD-WAN and SD-WAN Cloud Services
• SASE and VPNs: Reconsidering your Mobile Remote Access and Site-to-Site VPN strategy
• Converged SASE Backbone – How Leading SASE Provider, Cato Networks, Reduced Jitter/Latency and Packet Loss by a Factor of 13!
• Key Features of a True Cloud-Native SASE Service. Setting the Right Expectations

The diagram below clearly shows a few of the network and security services leading global SD-WAN providers such as  CATO Networks provide to businesses no matter where they are geographically located around the world.

SD-WAN Networks offer zero-touch deployment with advanced network security services

Let’s kick-off this guide by taking a look at the SD-WAN topics covered:

• What is SD-WAN?
• The Problem with Traditional WANs
• How Does SD-WAN Work?
• SD-WAN Benefits
  • SD-WAN Application Performance
  • SD-WAN Cost Savings and Avoidance
  • SD-WAN Availability
  • Agility: Deploying new Sites, Reconfiguring the WAN
• SD-WAN Architecture
• SD-WAN Architecture - Edge Appliances
• SD-WAN Architecture - Cloud-Based SD-WAN
• SD-WAN Deployment Methods
• SD-WAN Must-Have Features
• Recommended SD-WAN Security & VPN Features
  
  • Next-Generation Firewall (NGFW)
  • Secure Web Gateway (SWG)
  • Advanced Threat Prevention
  • Local Security Appliances
  • Virtual Network Function (VNF)
  • Firewall as a Service (FWaaS)
• Recommended SD-WAN Mobility Features
• Recommended SD-WAN Management Features
• Summary

What is SD-WAN?

Software-Defined Wide Area Network (SD-WAN) is a new architectural approach to building Wide Area Networks (WANs) whereby applications and the network configuration are isolated from the underlying networking services (various types of Internet access or private data services sold by network service providers). As a result, the networking services can be reconfigured, added, or removed without impacting the network. The benefits to such an approach address long-standing concerns with traditional WANs around the cost of bandwidth, time to deploy and reconfigure the WAN and more.

The Problem with Traditional WANs

For years, organizations connected their locations with private data services, namely MultiProtocol Label Switching (MPLS) services. Companies contract with their network service provider to place MPLS routers at each location. Those routers connect with one another or a designated site across the MPLS service. MPLS services are seen as being:

• Private because all customer traffic is separated from one another.
• Predictable as the MPLS network is engineered to have very low packet loss
• Reliable as the carrier stands behind the MPLS with service and support, backing it up contractually with uptime (and reliability) guarantees.

Traditional High-Cost MPLS VPN Networks

As such, MPLS services are expensive (relative to Internet connectivity), in some cases costing 90 percent more than Internet bandwidth. And with bandwidth being so expensive, companies have to be very judicious in their bandwidth usage. Sites are often connected by single MPLS line, creating a potential single point of failure. Delays from line upgrades are a problem, as lines often lack the necessary excess capacity to accommodate traffic changes or new applications. Finally, new deployments take significantly longer than Internet lines — weeks in some cases, months at the extreme — whereas Internet access can be deployed in days if not minutes (with 4G/LTE).

Organizations accepted MPLS limitations for years for numerous reasons. For too long, the Internet was far too erratic to provide the consistent performance needed by enterprise applications. That’s changed significantly within Internet regions over the past few years. A decade ago, most enterprise traffic stayed on the MPLS network, terminating at a headquarters or datacenter housing the company’s applications. Today, Internet and cloud traffic are the norm not the exception, often constituting half of the traffic on and MPLS backbone. The net result is that data transmission costs end up consuming a significant portion of an IT Department’s annual expenditure on its WAN with Internet- and cloud-traffic being a major cause.

How Does SD-WAN Work?

Enter SD-WAN. SD-WAN leverages ubiquitous, inexpensive Internet connections to replace MPLS for much of an organization’s traffic. At a high-level, the SD-WAN separates the applications from the underlying network services. Policies, intelligent routing algorithms, and other technologies in the SD-WAN adapt the network to the application. Depending on implementation, the locations, cloud datacenters, SaaS applications, and mobile users can all be connected into the SD-WAN.

High-Speed Low-Cost SD-WAN with Global SLA Contracts

More specifically, the SD-WAN router sits at the edge of a location’s local network and connects to the network services. Best practices call for at least two connections per location. Hybrid WAN configurations will use an MPLS line and an Internet service, such as fiber, xDSL, cable or 4G/LTE. All-Internet configurations will use two or more Internet service. The SD-WAN routers connect with one another, forming a mesh of encrypted tunnels (the “virtual overlay”) across the underlying network services (the “underlay”), such as cable, xDSL, or 4G/LTE.

Unlike traditional WANs, all lines in an SD-WAN are typically active. The SD-WAN uses Policy-Based Routing (PBR) algorithms and preconfigured application policies to dynamically select the optimum tunnel based on application requirements, business priorities, and real-time network conditions. The SD-WAN is responsible for balancing traffic across the site’s connections. Should there be an outage (a “blackout”) or degradation in the line (a “brownout”), the SD-WAN moves traffic to alternate paths and restores them to initial paths also based on configured policies.

SD-WAN providing alternative connectivity paths during critical line failures

As a result, SD-WAN helps us align our WANs to our business priorities. We can provide every location, user, or resource with just the right available connectivity configured with the just the right amount of resiliency. Business-critical locations, such as a Data Center, can be connected by MPLS and two active, dual-homed connections. Small offices where MPLS may not be available can be connected with one line. Disaster response teams, and other ad-hoc groups, can use 4G/LTE.

Yet despite the configuration, all sites continue to be managed by the same set of security policies and routing rules with the same orchestration engine and from the same management console. In short, we extract maximum value from the underlying WAN resource for optimum Return On Investment (ROI).

SD-WAN Benefits

More specifically, SD-WAN brings benefits to the organization in terms of performance, cost savings, agility, and availability.

SD-WAN Application Performance

Applications have very different networking requirements when it comes to the WAN. Voice is susceptible to jitter and packet loss; bulk data transfers require lots of bandwidth (throughput, actually). Internet routing doesn’t respect those differences. Route selection reflect economic realities between ISPs not application requirements. Internet providers will dump packets on peered networks or keep packets on their own network even though there are “better” routes available.

SD-WAN lets organizations be smarter in how they route traffic. Policies describe the latency, loss and jitter tolerances of various applications. The SD-WAN routers monitor latency, and loss metrics of their connections. They then use that information and the preconfigured policies to select the optimum path for each application.

SD-WAN Cost Savings and Avoidance

Software-Defined Networking (SDN) benefits may still need to be realized in the Data Centers, but they’re very apparent when SDN is applied to the WAN. The ROI of SD-WAN can be dramatic. Internet bandwidth can cost 70 percent less than MPLS bandwidth depending on region and location.

Operational costs are also reduced. Traditional WANs require advanced engineering and mastering of arcane protocols. SD-WANs do not completely eliminate for that experience by any means. But they do help maximize engineering resources by simplifying deployment and management of branch offices. Policy-driven configuration minimizes the amount of “configuration-drift” between branch offices, complicating WAN support. Adding new application services across the WAN without adversely existing services becomes much far easier. Availability requirements can be more readily met.

SD-WAN architectures that include advanced security further improve savings. They eliminate security appliances, saving on the costs related to the upgrading, patching, and maintenance of those appliances.

SD-WAN Availability

The availability of traditional WAN was more often than not determined by the uptime of the last mile. Within the core of the network, service provider have plenty of redundancy. It’s in the connection to the remote site where redundancy is more limited.

Many locations will not have redundant connections. Even if there are redundant connection there’s no guarantee that the physical cabling is fully redundant. The different services may still share some common ducting and cabling, opening the way for a discontinuation of service due to a backhoe severing a line or some other physical plant failure. Running two active connections complicates network engineering. And in the event of a blackout on one connection, failover is rarely fast enough to sustain a session or voice call, for example.

SD-WANs natively improve the availability of locations. Their use of active/active connections builds redundancy into the WAN. By mixing different types of WANs, such as 4G/LTE and fiber, diverse routing becomes easier to guarantee. Should there be a blackout or a brownout, the SD-WAN router automatically switches traffic to the second connection. Depending on implementation, failover can be fast enough to sustain a session; users never realize there’s been a networking issue or link failure.

Agility: Deploying new Sites, Reconfiguring the WAN

SD-WAN allows organizations to respond faster to business conditions. This gets expressed in different ways. Businesses often need to start operations at remote sites quickly or, at least, without extensive delays. Enterprise IT is challenged with deploying networking services and configuring security at remote locations. SD-WAN addresses these problems on several fronts:

Deploying new sites: While provisioning MPLS circuits alone can take up to 90 days, more for high-speed circuits, the Internet circuits used by SD-WAN can be deployed in days, less when considering 4G/LTE connections. While MPLS often required on-site expertise to configure networking equipment, SD-WAN avoids those delays with zero-touch provisioning.

Reconfiguring the WAN: Traditional WAN architectures required the network service provider to change the network, which introduced further delays. If more bandwidth was required at a new location, the service provider had to re-provision the line all of which led to more delay. No wonder Gartner found enterprises to be “...dissatisfied with large incumbent network service providers.” SD-WAN puts the enterprises in control of network provisioning. The use of “fatter” Internet pipes means line provisioning is generally not required.

SD-WAN Architecture

There are two basic SD-WAN architectures, edge appliances and cloud-based SD-WAN. Both edge appliances and cloud-based SD-WAN involve a controller function for pushing out policies and distributing routing information and a management console for dashboard, reporting and policy configuration. Where they differ is in the location of the virtual overlay and how they provide advanced services.

SD-WAN Architecture - Edge Appliances

With edge appliances, the SD-WAN virtual overlay stretches from location to location. Appliances are installed at each site and, once connected to the Internet, retrieve configuration profiles from the SD-WAN controller. The SD-WAN devices configure themselves and joining or construct a virtual overlay with other devices. Each device runs the policy-based routing algorithms needed to steer traffic to the most appropriate link based on application requirements and underlying link quality.

Edge appliance architectures are very familiar to network engineers. It’s been the approach used for years by router vendors, WAN optimization vendors, and more. The approach brings certain known benefits namely:

• Incremental WAN evolution — SD-WAN edge appliances integrate with existing enterprise networking and security infrastructure while making the WAN more agile.
• Transport independence — Edge appliance architectures give customers maximum freedom in choosing network service providers.

At the same time, edge appliance architectures introduce several constraints into the SD-WAN such as:

• Limited ability to improve Internet performance — SD-WAN edge appliances cannot control the end-to-end routing across the Internet. As such, they remain dependent on MPLS to deliver latency- and loss-sensitive applications, particularly across global connections.
• Unable to evolve WAN functionality — The limited capacity of the SD-WAN edge appliance restricts the overlay's capabilities. Advanced security functions, such as decrypting traffic or running extensive rule sets, consume significant resources. Taking full advantage of these features forces an unexpected hardware upgrade. It's the same problem that had long limited the use of unified threat management (UTM) appliances.
• Overly site focused — Appliances are well suited for connecting locations, but they do not naturally extend to support cloud datacenters, SaaS applications, and mobile users. There’s no easy way to place an SD-WAN appliance in the cloud. Mobile users are rarely happy with the poor performance that results when having to connect back to an appliance that could be very far away, particularly when traveling.

SD-WAN Architecture - Cloud-Based SD-WAN

With Cloud-based SD-WAN, the virtual overlay is formed between the points of presence (PoPs) of the Cloud SD-WAN service. The PoPs connect to each other across a privately managed backbone. There are appliances at each location, but in contrast to edge architecture, Cloud-based SD-WAN appliance run “just enough” functionality to send traffic to the nearest PoP. Software in the PoP applies the necessary security and network optimizations before forwarding the traffic along the optimum path to its destination.

Cloud-based SD-WAN is a new approach to networking, but very familiar one to any IT person. It's the same approach used by AWS, Azure and countless other cloud providers. The architectural benefits include:

• Thin edge flexibility — Since the edge appliance needs minimal functionality, the software can be implemented across a wider range of endpoints. Client software, for example, can connect mobile devices into the SD-WAN. The same is true for cloud applications and cloud datacenters.
• Enhanced functionality — By leveraging the resources of the cloud, cloud-based SD-WAN can deliver a broad range of advanced functionality without facing scaling constraints. Network throughput is also be improved by carrying traffic over a private, cloud backbone and not the public internet.

At the same time, cloud-based SD-WAN architectures face several constraints including:

• Education — Converging networking, security, and mobility into the cloud represents a radical transformation in networking. It may require some training for IT professionals to grasp the full implications of the evolution.
• Service Delivery — Cloud-based SD-WAN should be manageable by the customer to avoid the delays and per-task-pricing associated with managed service offerings from carriers and traditional network service providers.
• Geographic Footprint — The effectiveness of Cloud-based SD-WAN services rides on the reach of its network. Without a global network, a Cloud-based SD-WAN service cannot fix the Internet’s consistency, latency and packet loss problems, problems that are particularly prevalent between Internet regions.

Cloud-based SD-WAN is fundamentally different from two other similar sounding solutions (see table):

• Cloud-managed services host the management/orchestration engine in the cloud. The SD-WAN fabric is still constructed from an edge appliance architecture.
• Cloud-hosted services (also called “cloud-delivered”) move some SD-WAN functionality to the cloud. In addition to running the management/orchestration engine in the cloud, some shared infrastructure among customers, such as gateways to cloud services, will run in the cloud. The SD-WAN fabric continues to be constructed edge-to-edge by edge appliances (and gateways).

By contrast, Cloud-based SD-WAN services move the management/orchestration engine, and the SD-WAN fabric into the cloud. Edge appliances (or mobile client software) only implement the critical edge functions to connect to the SD-WAN fabric in the cloud. As such, the shared infrastructure includes not only the gateways on a cloud-hosted service but also full SD-WAN software and the middle-mile transport connecting the POPs.

SD-WAN Deployment Methods

As we’ve seen, organizations can deploy SD-WANs themselves using SD-WAN edge appliances, in what’s sometimes referred to as “Do It Yourself” (DIY) deployments, and cloud-based SD-WANs

In addition to the two primary SD-WAN architectures, service providers offer managed SD-WAN services. As with any managed IT services, managed SD-WAN services repackage vendor’s SD-WAN technology (typically an SD-WAN edge appliance, but not necessarily), with the service providers implementation expertise.

With managed SD-WAN services, organizations rely on the service provider to maintain and run the SD-WAN. As such, there are several service-specific features to consider including:

Service Level Agreements (SLAs) governing all aspects of the service. SLAs should include a detailed description, specify the time needed to make any moves, adds, or changes (MACs) to the SD-WAN. Penalties should be specified as well.

Service and Support - A detailed description of support levels should be provided including escalation procedures and any agreements around time to repair.

Delivery Timeline - A clear project and delivery timeline should be specified with the SD-WAN roll out.

SD-WAN Must-Have Features

There are many features to consider when selecting an SD-WAN edge appliance or cloud-based SD-WAN architecture. The following are the minimum criteria for an SD-WAN:

Endpoints — The SD-WAN solution must connect locations to the SD-WAN with a hardware appliance or software, such as a virtual appliance or a VNF. The SD-WAN solution should also connect other types of resources, namely cloud datacenters (IaaS), cloud applications (SaaS), and mobile users.

Encrypted overlay —-The SD-WAN must establish a secure, virtual overlay across network services. All traffic across that overlay must be encrypted. The overlay must be policy-driven.

Data service independence —- The SD-WAN must connect locations with major types of Internet data services, such as fiber, xDSL, cable, and 4G/LTE, and MPLS, for hybrid deployments.

Application policies — The SD-WAN must provide configurable policies describing application characteristics, such as failover options and the minimum and maximum thresholds for latency, loss, and jitter.

Real-time line monitoring — The SD-WAN appliances must able to gather real-time latency and packet loss statistics of the attached lines.

Policy-based routing — The SD-WAN must implement algorithms that can select the optimum route for a given application based on configured application policies and real-time line statistics.

Recommended SD-WAN Security & VPN Features

While it’s not a definitional requirement, the SD-WAN solution should include advanced security services. All SD-WAN providers claim to deliver a “secure SD-WAN” but that only refers to traffic protection. Organizations still need to protect against data exfiltration, malware infection, and other advanced security threats, which requires advanced security technologies such as Next-Generation Firewall (NGFW), Secure Web Gateway (SWG), and advanced threat protection.

Companies are forced to deal with internet & malware attacks to their infrastructure

Ideally, the SD-WAN will be converged with the advanced security services. With security and networking converged together, deployment becomes much simpler, capital costs drop, and operationally, the SD-WAN and security infrastructure are easier to maintain than with separate security and networking devices. But if converged security is not possible, at the very least the SD-WAN provider should offer service chaining/insertion to integrate with external third-party security services.

SD-WAN providers block all malicious traffic/attacks at the Cloud level

Deployment costs will be higher and operations more complex than with a converged SD-WAN, but that’s necessary. Much of performance and cost benefits of an SD-WAN come from replacing MPLS access with direct Internet access at the branch office. By exiting Internet traffic locally, the SD-WAN avoids the backhaul and performance problems of traditional WAN configurations. Without advanced security at the branch office, users can’t take advantage of local Internet and remain immune to the range of Internet-borne threats.

Specific advanced security features to consider from an SD-WAN provider include:

Next-Generation Firewall (NGFW)

The NGFW should offer:

• High performance and elasticity — Inspect all application traffic, regardless of volume or use of encryption, without forced capacity upgrades.
• Application awareness — Identify access to on-premise or cloud applications regardless of the port or protocol being used, or if the application is SSL encrypted.
• User awareness — Identify users, groups, and locations regardless of IP address
• Unified, granular security policy — Control access to applications, servers and network resources

Secure Web Gateway (SWG)

The SWG should offer:

• Dynamic site classification — The SWG capabilities should Include a URL database with many site category classifications including phishing, malware delivery, botnets and other malicious sites.
• Block, prompt or track user access — The Reduce legal or security exposure from risky web usage
• Web access policy enforcement — Restrict website access in accordance with a corporate policy

Advanced Threat Prevention

The advanced threat protection capabilities should include:

• Anti-malware — Scan HTTP and HTTPS traffic for malicious files and stop endpoint infections.
• IPS / IDS — Applies context-aware protection to traffic based on domain / IP reputation, geolocation, known vulnerabilities, DNS, as well as application- and user-awareness.

SD-WAN offers three options for delivering advanced security functions at the branch - local security appliances, virtual network function, or firewall as a service (FWaaS):

Local Security Appliances

Local Security Appliances such as firewall or UTM appliances, are the typical way companies protect branches. Appliances notorious for introducing operational complexity and increasing costs. There’s significant overhead incurred from configuring, patching and maintaining security appliances at each location. And, as mentioned above, using advanced security functions (or continuing to operate effectively when traffic levels spike), requires the use of significant hardware resources from the appliance. Often security professionals end up choosing between disabling advanced features, compromising organizational security, or being forced into a hardware upgrade.

Virtual Network Function (VNF)

VNF is a virtual network security stack deployed into a physical SD-WAN appliance or third-party applianced called a vCPE. As such, VNFs reduce the physical challenges of running separate physical boxes at the branch office — the HVAC issue, calculating power, and the rest of the wiring closet issues. However, VNFs are still discrete entities, requiring management of their software and upgrades, and facing the same scaling issues as any local security appliance.

Firewall as a Service (FWaaS)

Firewall as a Service (FWaaS) faces none of the scaling and maintenance challenges of local security appliance or VNFs. The infrastructure was built from the ground up as a cloud service, eliminating the management challenges and scaling issues of security appliances. They do require the service provider to offer a fully multitenant, easy-to-use, and powerful security engine that can be run fully by the customer.

Recommended SD-WAN Mobility Features

The SD-WAN was classically seen as a replacement to the WAN and, as such, did not focus on connecting mobility. But with data and applications shifting to the cloud, any SD-WAN should connect mobile and stationary users to those resources.

To do so, the SD-WAN should equip mobile users with client software for securely connecting into the SD-WAN. Once connected to the SD-WAN, the mobile user should be supported with the same optimized routing, security policies and management controls as users located within the office. Specific features should include:

Automatic optimum path selection — The SD-WAN mobile client should should dynamically select the optimum path to the closest SD-WAN node (closest PoP).

Access control — Once connected to the SD-WAN, fine-grained access controls should restrict mobile user access by application, active directory groups or specific user identity. Organizations should be able to determine the precise resources that can be seen and accessed by the mobile user.

Advanced security — Mobile users should be fully protected by any advanced security services provided by the SD-WAN, such as NGFW, IPS, and SWG.

Recommended SD-WAN Management Features

The management and administration console is the view into the SD-WAN. As such, usability and design are obviously critical.

In the example below, the CATO Networks SD-WAN management interface provides an intuitive interface from where we can monitor, configure policies and manage the entire WAN network without worrying about service providers, VPNs or network equipment!

Managing a global 27 multi-location SD-WAN Network via CATO Networks

Other features to investigate for a future SD-WAN include:

SD-WAN configuration — The SD-WAN should allow for rapid site addition/removal; LDAP integration for quick addition of existing users into the SD-WAN; brief, well-documented integration process or automatic tools for cloud resource integration.

Converged configuration and reporting — Networking and security (if offered) should be tightly integrated together. A single, centralized view of all network and security events should be provided. Access-control definitions, security policies, networking policy configuration — all should be converged together. Reporting should be per site, VPN, and application.

Complete real-time visibility — The management console should provide complete visibility in realt-time into the core functioning of the SD-WAN, including the topology, connected devices, network usage statistics, as well as advanced security services.

Detailed usage metrics — Visibility into network usage should be granular, allowing IT professionals drill down into usage by VPN, location, device, user, and application. Monitoring and alerting should be provided on all networking and security events with full audit trail of all changes to system configuration and policies.

Application policy definition — The SD-WAN should allow for the creation of application policies including the specifying of the application’s importance (priority) and any relevant failover parameters.

Analytics engine and integration — An analytics engine should be provided by the product or easily integrated into the product.

Management protocols and APIs — The SD-WAN vendor should specify all northbound APIs for event correlation and user applications, and management protocols (e.g, SNMP, HTTP, XML) available for in-house integration.

Summary

This article explained what SD-WANs are and how enterprises and organizations of every size are moving towards these WAN solutions. We analyzed the problems with traditional WANs, saw the benefits of SD-WANs, SD-WAN architecture design and implementations, talked about SD-WAN deployment methods and touched heavily on SD-WAN Security, VPN, Advanced Threat Prevention, Firewall services, Mobility and Management offered by leading SD-WAN providers.