New Paradigm of Converged SD-WAN, Security and Virtualization

By Michael O’Malley, VP Strategy & Business Development, Radware


As IT departments look for more and better ways to offer reliable services to their enterprise users, two significant trends attempt to remake the WAN interface. Software-Defined WAN (SD-WAN) is rapidly changing how enterprises deploy connectivity across multiple locations, while virtualization is providing new economics for changing baskets of edge security services. But before we get there, let’s just define what these terms mean.


What is SD-WAN?

SD-WAN is a relatively recent technology for deploying reliable connectivity with QoS guarantees. The main requirement for QoS is to satisfy SLAs across multiple locations in the WAN. Previously, enterprises looking for QoS guarantees had to deploy an MPLS edge router across all the locations in a meshed architecture of Label Switched Paths (LSPs) that tunneled the traffic over an L2 or L3 VPN to provide guaranteed treatment of the data flow. This has been widely deployed and is well understood and effective. However, MPLS routers are costly to implement and complex to deploy. Additionally, the VPN services required from a network provider add expense, making this a viable solution for large enterprises, but difficult economically for medium and small businesses. SD-WAN is a QoS overlay technology that can operate over multiple less expensive WAN interfaces, like Ethernet, DSL or even LTE. SD-WAN devices typically come preconfigured, so the setup can be as simple as connecting the WAN and LAN ports and booting up the device.

Enter NFV

NFV, or Network Functions Virtualization, has been an emphasis in the networking community over the last several years in order to transform IT from networking based on custom-purpose hardware to a new paradigm of networking based on custom-purpose software, all running on commodity x86 servers. This transformation has borne fruit recently in the networking space, with virtually all major vendors starting to offer functionally equivalent virtual devices like routers, switches and, most importantly, security devices that run on inexpensive white box servers.

Convergence, Security and the New Economics of CPE

These two innovations combine at the WAN edge to create a new category of devices known as vCPE, or virtual Customer Premises Equipment. This new device has several advantages over previous HW-based CPE devices. Most importantly, vCPE enables a new calculation between cost and security. With the increasing prevalence of enterprise security breaches, security has come to the forefront of any CIO’s agenda. However, virtualization dramatically changes the risk vs. reward tradeoff. In the past, IT managers had to determine how much security on the WAN device they could afford at any one location based on the value of the information at the location, the size of the location (in terms of employees or critical business functions) and the cost of deploying multiple HW devices to provide all the necessary layers of security. With vCPE, IT managers can now place a commodity server and replace all the potential HW devices with multiple SW instances for the various network and security functions required, using a technique called service chaining, which chains or stitches the WAN flows through all the necessary SW functions in a single server. This radically reduces the cost implications of security and enables the IT manager to provide superior security at each location. In addition, a completely virtual infrastructure at the WAN interface enables the agility to add and delete services as well as the ability to grow capacity for each service dynamically based on the business need.

The Necessary Bundle

This brings us to the heart of the matter. IT professionals can now create a WAN network and security bundle cost-effectively that elastically scales and provides superior security among multiple locations. Utilizing SW orchestration, bundles of these services can be preconfigured and instantiated at turn-up without IT personnel on site and provide a superior service bundle with:

• SD-WAN to provide simple preconfigured QoS across the WAN while leveraging low-cost interconnect with DSL, cable or other.

• DDoS protection to guard against both network attacks and real-time, previously unknown application attacks, which can cause outages and tax your IT department with troubleshooting outages or network congestion caused by morphing attacks.

• Firewall to provide a stateful traffic cop to determine legitimate types of traffic and block unauthorized applications, and

• Intrusion prevention systems to drop malicious packets that try to exploit known vulnerabilities in internal systems in order to disable or gain control of those systems.

Leveraging new technologies like SD-WAN and embracing the new paradigm of security with virtualization, IT managers now have powerful tools in place to provide state-of-the-art network and security in the WAN in an agile, dynamic and cost-effective virtual environment.
