The first decision SD WAN solution buyers must make is the deployment model, namely which of the following forms the SD WAN takes. Smaller organisations and those lacking deep networking expertise will prefer options 3 or 4. Large enterprises will lean towards a mix of options 1 and 2, with 1 used at data centers and large campuses and 2 at branch offices or employee homes (see our article on SD WAN for WFH employees for details).
- Licensed software installed as a virtual appliance
- Integrated with a hardware appliance (and whether it is included with the base product or an optional add-on)
- As a managed service using third-party software
- As a cloud NaaS using proprietary software
Evaluating SD WAN products requires diving into the technical details to ascertain and understand the differences. Since many vendors don't make documentation publicly available and fill their websites with marketing generalities, technically sophisticated buyers must pin vendors down on how SD WAN features actually work rather than relying on a feature checklist. Organisations interested in SASE features should likewise pin vendors down on how these are supplied: as an integral part of the product, as an optional but still vendor-developed component, or as a third-party solution loosely integrated via service chaining.
Although IT departments will naturally gravitate towards the SD WAN products offered by vendors they already use, project leaders should resist the temptation to rubber-stamp a choice merely because the vendor says it integrates with what they already have. All properly engineered SD WAN products operate well with any standard IP network and last-mile circuit. Unless there are proprietary automation or analytics features that work across SD WAN functions and existing data center LAN products, keep an open mind to other products that might better fit your needs and budget.
Note: Other SD WAN vendors are available to view via the Netify marketplace.
The disruptions of 2020 underscored the criticality of network infrastructure to business operations. Organisations that could quickly, cost-effectively extend enterprise-grade services to remote locations had a significant competitive advantage over those that struggled to handle work-from-home employees and far-flung contractors. In the world of remote work, SD WAN solutions and related security services emerged as the core technology for delivering reliable, secure enterprise networking to employee homes, third-party service providers, SaaS applications and cloud infrastructure.
Although software-defined WAN is not a new technology, recent data confirms that SD WAN is finally being deployed across industries. One survey found that 79 percent of companies have SD WAN deployments in some parts of their organisation, with 76 percent saying they will have SD WAN links to most, if not all, locations by 2026. Another study didn't find SD WAN penetration to be quite as pervasive, but showed that adoption went up by 140 percent in two years. Some of the increase results from extending enterprise networks to new locations; the rest results from MPLS VPN displacement as organisations have gained confidence in the reliability and security of SD WAN over broadband and other less expensive physical links.
While the data shows significant increases in SD WAN adoption, it also indicates that many organisations are still developing or refining their SD WAN strategy and might not have settled on a deployment architecture or products. Indeed, it’s a decision that requires diligent research into SD WAN solution features, product options, network integration and security capabilities of various products.
What are the top SD WAN features?
SD WAN solutions are a by-product of two older technologies: WAN optimisation software and software-defined networking (SDN). As we first detailed here, SD WAN uses SDN to separate network control (aka the control plane) from the physical circuits carrying packets (aka the data plane). Treating the WAN connection as virtual abstractions distinct from the physical manifestation of cables and radio frequencies allows spreading traffic across multiple physical links — including across both wired and wireless circuits — and precisely managing the packet flow over each to increase throughput and availability. The SD WAN control plane also can optimise and prioritise traffic for particular applications to guarantee service levels (QoS) by reducing latency and resource contention.
Using software to create an abstraction layer between WAN connections and physical circuits allows SD WAN to work with any type of network service, including traditional MPLS, carrier Ethernet, cable broadband, DSL, wireless LTE and 5G, and even geosynchronous (e.g. EchoStar) or low-Earth orbit (e.g. Starlink) satellite service. SD WAN can improve throughput by bonding multiple circuits and load balancing across them using dynamic path selection based on measured congestion and link quality. Virtual connections run through encrypted tunnels, typically IPsec or TLS/DTLS, with firewall-style ACLs controlling access and traffic flow; the tunnels are only as strong as the endpoint authentication and key management behind them, which the security section below covers. The centralised SD WAN control plane can set and enforce traffic routing and security policies for all of an organisation's remote links.
Other SD WAN features, in rough order of popularity and availability, are:
- Packet- and application-layer traffic routing, management and optimisation features derived from the WAN optimisation appliances where many vendors got their start. These include data compression, error correction, application identification and QoS prioritisation.
- A central management interface providing consistent configuration, security and usage policies across sites, users/groups and applications. SD WAN access controls typically rely on SSO provided by an external IDM or IAM service that authenticates identities and manages credentials. The management system also aggregates monitoring logs and alerts used to create summary dashboards and detailed visualisations of system status, performance and availability.
- Management systems provide multiple ways to automate administrative tasks using CLI scripts and API calls. Many of these have been wrapped into language-specific libraries by third parties. For example, the silverpeak_python package simplifies using the Silver Peak API in python scripts.
- An emergent feature in both general-purpose network management software and SD WAN products is the use of higher-level intent-based management semantics. These allow specifying the desired network behaviour in a DSL (domain-specific language) which the system translates into detailed configuration parameters and security policies. The IBN (intent-based networking) system then monitors the SD WAN for deviations from the desired policy, which it either flags via alerts or automatically remediates to restore the network to its design state.
- Zero touch provisioning with automated configuration of remote devices (CPE) to simplify deployment at home and branch locations. Auto-setup is a prerequisite for service providers and has long been used for consumer CPE like cable/DSL modems and routers, however, most enterprise SD WAN products also provide the feature.
- Support for inserting virtual services (VNFs) into logical links. Popular services include next-generation firewalls, VPN gateways/termination, content distribution and management (e.g. caching and filtering) and APM (application performance management).
- Support for both physical (embedded hardware) and virtual (x86 server) endpoint appliances. Hardware appliances are the traditional way of distributing network access and security functionality to small sites and home offices. However, larger branches and retail locations increasingly combine compute, storage and network services onto standard x86 servers which can run SD WAN endpoint software as a virtual appliance on a local hypervisor.
Benefits and product considerations
Interest in SD WAN soared over the past two years as organisations understood one of the technology's primary benefits: delivering enterprise-grade networking over any type of physical connection. Thus, enterprises were free to extend access to internal applications, databases and file shares regardless of location, whether employee homes, branch offices or retail locations, and without the hassle of user-unfriendly VPN clients.
The pandemic indirectly accelerated SD WAN adoption as organisations turned to cloud collaboration, video conferencing and application services to address the needs of a newly remote workforce. SD WAN significantly improves network performance for remote employees accessing SaaS applications by obviating the need to backhaul employee traffic to enterprise data centers just to provide VPN, authentication and security services. Allowing centralised policy enforcement without imposing a hierarchical, hub-and-spoke architecture makes SD WAN ideally suited for the cloud era.
Although secure, ubiquitous remote access was primarily responsible for fueling SD WAN growth during the pandemic, cost cutting was the objective that historically got organisations interested in SD WAN. By delivering MPLS-type network quality and security over consumer-grade circuits, SD WAN allowed organisations to significantly reduce the cost of WAN connectivity. Other benefits include:
- Greater geographic availability of high-speed network service using broadband, wireless and satellite products. Even in locations already served by MPLS, T-carrier or other enterprise network circuits, SD WAN can provide redundancy over consumer-grade circuits.
- Support for low-cost uCPE appliances that combine SD WAN termination, routing, firewall and other network functions in a small, low-power, remotely manageable appliance. New endpoints can also be automatically configured when first installed (zero-touch) and subsequently updated without a local IT administrator.
- Better network performance via traffic shaping, protocol optimisation and route prioritisation based on real-time traffic metrics.
- Application-specific traffic prioritisation and QoS levels for real-time and mission critical transaction processing systems.
- Centralised management and monitoring of network configuration, security policies and endpoint devices across all locations increases operational efficiency and consistency.
- An extensible virtual control plane that can connect SD WAN locations, enterprise data centers and cloud private links (like AWS Direct Connect or Azure ExpressRoute) into a distributed cloud and edge fabric with one set of routing, security and application QoS policies for all environments.
- APIs to enable programmatic automation of routine tasks using popular scripting languages and IaC (infrastructure-as-code) software.
When evaluating SD WAN products, the top priorities of IT leaders are security, performance and reliability. When the same group was asked about the factors behind their decision to adopt SD WAN, the following were the most frequently mentioned reasons:
- Lower cost, and more efficient to deploy and manage (tied as the most-cited reasons).
- Quicker to deploy and reconfigure.
- Network consolidation with centralised management without a centralised topology.
- Adapts to any type of circuit, congestion conditions and bandwidth variations.
- Better performance for cloud services (lower latency, less congestion via direct connections).
- Better overall network performance via access to higher-speed fiber/HFC broadband services.
SD WAN buyers should consider how well each vendor enables these potential benefits, for example, the management console’s ease of use and programmability, or the effectiveness of its zero-touch endpoint provisioning and configuration.
Although security is of paramount importance to all SD WAN implementations, buyers must delve into details to understand each product's security features and how well it integrates with existing security infrastructure such as enterprise directories (AD, LDAP, RADIUS), federated identity and strong authentication systems (SAML, OAuth, OpenID Connect, FIDO tokens) and firewalls. Buyers should also pin vendors down about their SASE strategy and whether they offer optional SASE features or rely on third-party vendors and external service chains.
Global organisations should understand a provider's support processes in different regions and, for SD WAN services, their global POP footprint for on-boarding clients in any area with employees, contractors or partners requiring SD WAN connectivity.
SD WAN Architecture and prerequisites
Before evaluating and implementing SD WAN products, IT leaders must consider the two available deployment models, each with several variants.
- Installed, privately operated software.
- Managed services offered by NaaS providers, carriers or ISPs.
As we mentioned in our earlier article, when considering installable software, buyers must understand:
- The system architecture, including the number and functionality of subsystems (management server, network control server, edge nodes, etc.).
- How it is deployed, whether on dedicated hardware appliances, as virtual appliances on standard servers or a mix.
- The options and client capacity for edge hardware, including uCPE appliances and standard servers with virtual and/or container images.
Having the flexibility to deploy both appliances and virtual servers is critical for organisations that must support a mix of work-from-home (WFH) employees, small branch offices or retail sites and larger remote manufacturing or distribution hubs. Zero-touch appliances, which essentially operate like a fully managed cable modem-router combination, are best for WFH users and retail sites. Larger appliances or virtual appliances, which are often run on an HCI system providing local file shares and applications, are better for locations with hundreds or thousands of employees.
Regardless of the implementation, SD WAN endpoints require one or more network connections — often a wired broadband link as the primary connection and wireless service as a backup — and network equipment — a router and access points — to create one or more remote LANs and WLANs. Converged devices for WFH and SOHO installation will often include routing and Wi-Fi, but larger buildings and campuses will use existing routers, switches and APs.
When designing an SD WAN architecture, the primary consideration is the type of deployment:
- User-premises hardware, self-managed
- User-premises hardware, service-provider managed
- Hybrid, user-premises plus cloud services, service-provider managed
- All-cloud, fully managed
The necessary level of architectural detail is dependent on the type of SD WAN product. Managed NaaS needs little design work beyond that most organisations already have done to provide Internet connectivity to each location. In contrast, self-managed software requires careful planning of network routing, addressing, service port numbering, cloud connectivity, server sizing and system placement. Most vendors have architectural guidelines and recommendations that cover typical installations. For example, Cisco’s SD WAN Design Guide runs to more than 100 printed pages.
For options 1, 2 and 3, network designers must also determine the mix of MPLS and Internet circuits between locations. For example, when substituting SD WAN for traditional MPLS connections between enterprise locations, it’s often preferable to create virtual SD WAN links that combine the existing circuits with Internet connections to create redundancy and improve performance.
NaaS, cloud-native and cloud integrated?
SD WAN buyers might be confused by the many ways vendors use the word “cloud” in describing their products, but it comes down to two circumstances:
- The cloud as a delivery platform
- The cloud as a connectivity destination
Since every cloud service is available over the Internet, all SD WAN products can 'integrate' with the cloud. Furthermore, all SD WAN software products can be deployed on cloud instances, for example, using EC2 to run the network controller and management servers. Some vendors also offer pre-packaged virtual appliances on cloud marketplaces. Many SD WAN products also have solution guides detailing the necessary steps to connect them to a particular cloud service. For example, here's a document describing how to integrate Azure Virtual WAN with VeloCloud and here's the Azure documentation detailing how to connect Azure Virtual Hubs with NVA (network virtual appliance) partners.
In contrast, NaaS products like Aryaka, Cato Networks and others use the cloud as an execution environment and delivery platform just like Office365, Salesforce and other SaaS applications. Indeed, some run their infrastructure on one of the major cloud platforms, while others use colocation centers. Regardless, all NaaS products operate a fleet of POPs in cities worldwide that act as on-ramps to a private backbone network that routes traffic to the nearest operational site. NaaS POPs and application infrastructure are usually in colocation facilities with endpoints for the major cloud private networks like Direct Connect, ExpressRoute, FastConnect, etc., which means they all deliver high-throughput, low-latency cloud connections for SD WAN clients.
Comparing DIY vs Co-Managed vs Fully Managed SD WAN solutions
Like other IT categories, SD WAN has followed an evolutionary path from on-premises systems using installable software to partially or fully-managed cloud services. Initial deployments used self-managed software often derived from WAN optimisation products. Seeing the success of IaaS and SaaS platforms like AWS or Salesforce, many SD WAN vendors now focus on SD WAN and related security (SASE) services delivered from cloud infrastructure. Instead of selling proprietary software, these run their proprietary code on IaaS or multiple colocation sites to create cloud-based SD WAN control and management planes. As with installable software, NaaS provides the flexibility to offer different service bundles with some vendors combining SD WAN and security services into a comprehensive product and others offering an a la carte menu of services spanning basic SD WAN, public cloud connectivity, application optimisation and security.
Carriers and MSPs typically follow a middle ground by offering managed services without the cloud-native technology. These partner with SD WAN system-software vendors and create managed services based on products from network vendors like Cisco, Juniper, Silver Peak, Versa and others.
The following table summarises the benefits and drawbacks of self-managed software (DIY) versus outsourced services (NaaS).
What are the PROS of self-managed (DIY) SD WAN?
- Complete flexibility in network design, selection of physical circuit types and ISPs.
- Maximal freedom to choose an SD WAN product and network topology.
- Predictable costs
- Potentially better integration with existing network management software, particularly if buying from one’s existing equipment vendor.
- Greater choice of CPE, including the option of using existing branch office routers via a software add-on.
- Direct access to SD WAN vendor technical expertise for problem resolution.
What are the CONs of self-managed (DIY) SD WAN?
- Requires deep expertise for network design and operations that is mostly unnecessary with NaaS.
- Requires networking expertise, resources and time to evaluate and test products. Must be able to filter vendor slideware claims from product reality, since SD WAN vendors often obfuscate the difference between shipping and planned features.
- Significant CapEx for servers and software.
- Requires making complicated design decisions, particularly related to traffic management and security policies.
- Complicated vendor management due to the potential use of multiple network providers for physical circuits. Also requires choosing the service for each remote location from the list of available ISPs, whereas NaaS providers typically offer a limited number of CPE that are preconfigured to join their network.
SD WAN Network configuration and policies
MPLS has been the most commonly used enterprise WAN technology because of its versatility, reliability and traffic separation (MPLS VPNs isolate each customer's traffic within the carrier's network, but do not encrypt it). It runs over a variety of L2 transports, including Frame Relay, SONET and Ethernet, with less overhead than ATM, a promising technology in the 1990s that proved too difficult to integrate into IP networks. MPLS is typically delivered via one or more carriers, but is costly and not universally available.
Likewise, SD WAN works with a variety of L2 protocols and provides a similar set of security, traffic management and QoS features, but is generally not tied to a particular carrier. Indeed, Cisco considers SD WAN an “evolution of MPLS technology” that uses a software abstraction layer to provide carrier-agnostic connectivity to more locations and scenarios. Furthermore, by decoupling the network control and data planes, SD WAN allows organisations to centralise control over network policies, security and metrics without requiring a hierarchical, hub-and-spoke network design.
Such topological flexibility gives SD WAN a significant advantage over traditional WAN designs now that organisations are replacing internally operated communications, productivity and information storage systems with cloud services. Even though MPLS supports mesh designs, enterprises have traditionally used a hub-and-spoke WAN topology between one or more central data centers and branch offices. Similarly, before SD WAN, remote employees connected to enterprise networks via a VPN to a central location. In contrast, SD WAN allows branch offices and WFH users to reach cloud resources directly without hairpinning traffic into a data center and back out to the Internet.
Being carrier and technology agnostic means that SD WAN works equally well over traditional enterprise circuits like Frame Relay or Metro Ethernet and consumer services like cable broadband or wireless LTE/5G. Indeed, another benefit of SD WAN is the ability for previously bandwidth-starved locations to access gigabit-class (1Gbps or greater) broadband services.
Two technologies that virtually all SD WAN products employ to improve network application performance are dynamic routing and QoS.
- Dynamic routing, aka adaptive path selection, is the ability to direct packets over the best link when a virtual connection spans more than one physical circuit. Dynamic routing has long been available on IP routers, which use protocols like RIP, OSPF and IGRP/EIGRP to pick the outgoing interface when forwarding packets. SD WANs work similarly, but most implementations are more responsive to rapidly changing conditions: they use real-time probe telemetry to redirect packets within a flow, not just at connection setup. For example, most SD WAN products allow prioritising latency, jitter or packet loss when making path-selection decisions, and setting a maximum for each beyond which a link is deactivated for that class of traffic.
- QoS provides traffic prioritisation within an SD WAN link to guarantee minimum performance levels for bandwidth- or latency-sensitive applications like video conferencing. QoS implementations vary (the sophistication of a vendor's QoS technology is a differentiating factor when evaluating products) but operate on the same principles. Each SD WAN edge device classifies incoming traffic using L3/L4 headers and, ideally, L7 inspection to identify individual applications. The edge then applies the application- or category-specific priorities distributed by the controller when scheduling traffic for forwarding. For example, a policy might guarantee streaming audio and video applications at least 10 Mbps while capping social media sites at 5 Mbps.
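As an added example that is not from this article or any vendor's product, the following Python models the path-selection logic described above (and the dynamic path selection mentioned in the features section): per-link probe telemetry is checked against an application class's SLA ceilings, non-compliant links are deactivated for that class, the survivors are ranked by quality or by cost, and a hysteresis margin stops a flow from flapping between two similar circuits. The link statistics, SLA classes, weights and cost figures are constructed sample data.

```python
"""SLA-aware path selection for an SD WAN edge with several circuits.
Added example: not any vendor's code. Telemetry, SLA classes and costs below
are constructed sample data (a real edge gets telemetry from probe packets and
the application class from L3/L7 classification)."""
from dataclasses import dataclass


@dataclass
class LinkStats:
    """Most recent probe measurements for one physical circuit."""
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    cost_per_gb: float  # constructed figure used to prefer cheaper circuits


@dataclass
class SlaClass:
    """Policy for one application class: ceilings a link must stay under,
    weights for ranking, and whether cost beats quality once the SLA is met."""
    name: str
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float
    weights: tuple = (1.0, 1.0, 1.0)  # (latency, jitter, loss)
    prefer_cheapest: bool = False


def meets_sla(link, sla):
    """A link is eligible for a class only while every metric is within its ceiling."""
    return (link.latency_ms <= sla.max_latency_ms
            and link.jitter_ms <= sla.max_jitter_ms
            and link.loss_pct <= sla.max_loss_pct)


def sla_score(link, sla):
    """Lower is better. Metrics are normalised by their SLA ceiling so the
    class weights express relative importance rather than raw units."""
    w_lat, w_jit, w_loss = sla.weights
    return (w_lat * link.latency_ms / sla.max_latency_ms
            + w_jit * link.jitter_ms / sla.max_jitter_ms
            + w_loss * link.loss_pct / sla.max_loss_pct)


def select_path(links, sla, current=None, hysteresis=0.15):
    """Return (link_name, sla_met).

    Links outside the SLA are deactivated for this class. Among the rest the
    cheapest (bulk classes) or best-scoring (real-time classes) link wins, but
    a flow already on an eligible link stays there unless the alternative is
    better by more than `hysteresis`, which stops flapping between two
    similar circuits. If nothing meets the SLA the least-bad link is returned
    with sla_met=False so the controller can alert instead of black-holing.
    """
    eligible = [l for l in links if meets_sla(l, sla)]
    if not eligible:
        fallback = min(links, key=lambda l: (sla_score(l, sla), l.cost_per_gb))
        return fallback.name, False
    if sla.prefer_cheapest:
        best = min(eligible, key=lambda l: (l.cost_per_gb, sla_score(l, sla)))
    else:
        best = min(eligible, key=lambda l: (sla_score(l, sla), l.cost_per_gb))
        cur = next((l for l in eligible if l.name == current), None)
        if cur is not None and sla_score(cur, sla) <= sla_score(best, sla) * (1 + hysteresis):
            return cur.name, True
    return best.name, True


def degrade(links, name, **changes):
    """Copy of a telemetry snapshot with one link's metrics altered."""
    return [LinkStats(**{**vars(l), **changes}) if l.name == name else l for l in links]


# Constructed snapshot for a branch with three circuits.
LINKS = [
    LinkStats("mpls", latency_ms=30, jitter_ms=2, loss_pct=0.0, cost_per_gb=50),
    LinkStats("broadband", latency_ms=25, jitter_ms=8, loss_pct=0.5, cost_per_gb=5),
    LinkStats("lte", latency_ms=60, jitter_ms=20, loss_pct=2.0, cost_per_gb=20),
]
# Constructed classes: voice tolerates little jitter or loss; bulk transfers
# only need a usable link and should ride the cheapest one.
VOICE = SlaClass("voice", max_latency_ms=150, max_jitter_ms=30, max_loss_pct=1.0,
                 weights=(1.0, 2.0, 3.0))
BULK = SlaClass("bulk", max_latency_ms=400, max_jitter_ms=100, max_loss_pct=5.0,
                prefer_cheapest=True)

if __name__ == "__main__":
    print("voice ->", select_path(LINKS, VOICE))            # ('mpls', True)
    print("bulk  ->", select_path(LINKS, BULK))             # ('broadband', True)
    lossy = degrade(LINKS, "broadband", loss_pct=6.0)       # broadband starts dropping 6%
    print("bulk after loss ->", select_path(lossy, BULK))   # ('lte', True)
    dead = degrade(degrade(lossy, "mpls", latency_ms=900), "lte", loss_pct=2.0)
    print("voice, nothing compliant ->", select_path(dead, VOICE))  # ('mpls', False)
```

The `sla_met=False` return is the case worth noticing when comparing products: when no circuit satisfies a class, an edge should still forward on the least-bad link and raise an alert, because silently dropping voice traffic is worse than degraded voice.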
SD WAN security
Most SD WAN implementations rely on four elements to secure links:
- Authentication: Before establishing an SD WAN connection, endpoints must authenticate themselves (usually to a central controller or the provider's cloud service) and to each other, typically using IKEv2 for IPsec tunnels. IKEv2 supports pre-shared keys or X.509 certificates; certificates issued by the vendor's controller CA or the enterprise PKI are the norm in enterprise deployments, while RADIUS or LDAP directories typically authenticate the administrators and users behind those endpoints.
- Encryption: Tunnel traffic is encrypted with IPsec or DTLS; some products use DTLS or TLS for the control channel between edges and the controller and IPsec for the data plane. DTLS is TLS adapted for datagrams (hence the "D"), so it tolerates dropped, duplicated or out-of-order packets that would stall a TCP-based TLS session.
- Periodic key rotation: The longer a symmetric key such as an AES key stays in service, the more traffic is exposed if that key is ever compromised, and for AES-GCM the per-key nonce space must never repeat. SD WAN controllers therefore rotate keys on a time or byte budget, deriving each new key from a fresh Elliptic Curve Diffie-Hellman exchange so that a compromised key does not expose earlier sessions (forward secrecy). A passive observer cannot recover a Diffie-Hellman key from the exchange itself; rotation limits the blast radius of a leaked key rather than hiding the exchange.
- Integrity: To detect tampering with SD WAN datagrams, most systems use an authenticated-encryption mode, AES-GCM (Galois/Counter Mode), which produces an authentication tag for each packet alongside the ciphertext. The receiver recomputes the tag over the received packet and accepts it only if the two match; combined with a sequence number and anti-replay window, as in IPsec ESP, this also rejects captured packets that are replayed later.
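The following Python, added here and not taken from any SD WAN product, shows the receive-side checks those four elements imply: each packet carries an epoch (key generation), a sequence number and a tag; the receiver refuses retired epochs, rejects replays with an IPsec-style sliding window, verifies the tag in constant time before touching any state, and accepts a new epoch only once a packet authenticated under the new key arrives. Two things are assumptions made to keep it dependency-free: HMAC-SHA256 stands in for the AES-GCM tag (so the payload is not encrypted here), and a keyed derivation from a shared secret stands in for the ECDH rekey. The packet layout and the tiny rekey budget are constructed for the demonstration.

```python
"""Per-packet checks at an SD WAN tunnel receiver: tag verification,
anti-replay window and key-epoch enforcement. Added example, not vendor code.
Assumptions: HMAC-SHA256 stands in for the AES-GCM tag, _epoch_key() stands in
for an ECDH rekey, and the packet layout is constructed:
4-byte epoch | 8-byte sequence | payload | 16-byte tag."""
import hashlib
import hmac
import os
import struct

HEADER = struct.Struct("!IQ")   # epoch, sequence number
TAG_LEN = 16
REKEY_AFTER = 4                 # packets per key epoch; tiny so the demo rotates (constructed)
WINDOW = 64                     # anti-replay window in packets (constructed)


class TunnelEndpoint:
    """One end of a tunnel: transmit state (epoch, next sequence) and
    receive state (peer's current epoch plus a sliding replay window)."""

    def __init__(self, shared_secret: bytes):
        self._secret = shared_secret
        self.tx_epoch, self.tx_seq, self.tx_count = 0, 0, 0
        self.rx_epoch, self._rx_high, self._rx_bitmap = 0, -1, 0

    def _epoch_key(self, epoch: int) -> bytes:
        # Stand-in for the per-epoch key an ECDH exchange would produce (assumption).
        return hmac.new(self._secret, b"sdwan-epoch-%d" % epoch, hashlib.sha256).digest()

    def _tag(self, epoch: int, seq: int, payload: bytes) -> bytes:
        # The header is authenticated too, so epoch and sequence cannot be altered in flight.
        msg = HEADER.pack(epoch, seq) + payload
        return hmac.new(self._epoch_key(epoch), msg, hashlib.sha256).digest()[:TAG_LEN]

    # --- transmit side -------------------------------------------------
    def rekey(self):
        """Move to a fresh key. Resetting the sequence number is only safe
        because the key changed: with AES-GCM the sequence feeds the nonce,
        and a repeated nonce under one key breaks both secrecy and integrity."""
        self.tx_epoch += 1
        self.tx_seq = 0
        self.tx_count = 0

    def seal(self, payload: bytes) -> bytes:
        if self.tx_count >= REKEY_AFTER:
            self.rekey()
        pkt = (HEADER.pack(self.tx_epoch, self.tx_seq) + payload
               + self._tag(self.tx_epoch, self.tx_seq, payload))
        self.tx_seq += 1
        self.tx_count += 1
        return pkt

    # --- receive side --------------------------------------------------
    def _replay_ok(self, seq: int) -> bool:
        if seq > self._rx_high:
            return True                           # advances the window
        diff = self._rx_high - seq
        if diff >= WINDOW:
            return False                          # too old to check; drop
        return not (self._rx_bitmap >> diff) & 1  # already accepted?

    def _replay_mark(self, seq: int):
        if seq > self._rx_high:
            shift = seq - self._rx_high
            self._rx_bitmap = ((self._rx_bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self._rx_high = seq
        else:
            self._rx_bitmap |= 1 << (self._rx_high - seq)

    def open(self, pkt: bytes):
        """Return (status, payload); payload is None unless status is 'ok'."""
        if len(pkt) < HEADER.size + TAG_LEN:
            return "malformed", None
        epoch, seq = HEADER.unpack_from(pkt)
        payload, tag = pkt[HEADER.size:-TAG_LEN], pkt[-TAG_LEN:]
        if epoch < self.rx_epoch:
            return "stale_epoch", None            # retired key: never accept, even with a valid tag
        if epoch == self.rx_epoch and not self._replay_ok(seq):
            return "replay", None
        # Constant-time comparison so timing does not leak how many tag bytes matched.
        if not hmac.compare_digest(tag, self._tag(epoch, seq, payload)):
            return "bad_tag", None                # window NOT updated: forgeries must not burn sequence numbers
        if epoch > self.rx_epoch:                 # peer rekeyed: fresh window for the new key
            self.rx_epoch, self._rx_high, self._rx_bitmap = epoch, -1, 0
        self._replay_mark(seq)
        return "ok", payload


if __name__ == "__main__":
    secret = os.urandom(32)            # constructed: both ends share it out of band
    a, b = TunnelEndpoint(secret), TunnelEndpoint(secret)
    p1 = a.seal(b"hello")
    print("first delivery:", b.open(p1))           # ('ok', b'hello')
    print("same packet again:", b.open(p1))        # ('replay', None)
    p2 = a.seal(b"second")
    forged = p2[:HEADER.size] + b"SECOND" + p2[-TAG_LEN:]
    print("tampered payload:", b.open(forged))     # ('bad_tag', None)
    print("genuine after forgery:", b.open(p2))    # ('ok', b'second')
    p3, p4 = a.seal(b"three"), a.seal(b"four")
    print("out of order:", b.open(p4), b.open(p3)) # both ok, inside the window
    p5 = a.seal(b"five")                           # fifth packet triggers the rekey
    print("after rekey:", b.open(p5))              # ('ok', b'five')
    print("old-key packet:", b.open(p4))           # ('stale_epoch', None)
```

The ordering inside `open()` is the part to compare against a product's behaviour: the epoch check and replay check are cheap and run first, but the replay window is only advanced after the tag verifies, so an attacker who can inject packets cannot push the window forward and cause genuine packets to be dropped as "replays".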
Aside from the inherent security built into SD WAN protocols, some products add a set of features collectively known as SASE (secure access service edge) to bolster network and data security. As we detailed in an earlier article, these are:
- Next-generation firewall (NGFW) services that can be inserted anywhere in an SD WAN fabric.
- Secure Web gateway
- Cloud access security broker (CASB) content filtering, monitoring and sandboxing services.
- Zero-trust network access (ZTNA), which supplements or replaces network-level VPN access with per-application, per-session authorisation tied to the verified user identity and device, typically carried in short-lived tokens rather than a network-wide session.
SASE appeals to organisations using SD WAN to enable remote work since it provides control over application- and user-specific security policies, DLP and other content management restrictions and a more granular authentication regime. Since SASE is a relatively new concept, most vendors only support a subset of features, making SASE a critical area of differentiation for organisations requiring a full stack remote network security solution.
Although SD WAN and SASE features address the network-path security concerns, one broader challenge is integrating telemetry and security events with an organisation's central SIEM or similar system and analysing the data to identify anomalies, breaches or other security incidents. Many products include security analysis features, but the sophistication, usability and interoperability of SD WAN data collection and analysis (how events are exported, in what format and with what fields) is a crucial factor when evaluating vendors.
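As an added example (not code from any vendor's SIEM integration), this Python normalises a constructed, vendor-neutral SD WAN syslog feed into flat records and runs two sliding-window rules over it: an authentication-failure burst from one peer against one edge, and a tunnel that flaps between up and down. The log format, hostnames, thresholds and window size are assumptions; the parsing pattern is the part that changes per product, the rule logic does not.

```python
"""Normalise SD WAN edge events for a SIEM and flag two anomalies.
Added example, not any vendor's or SIEM's code. The syslog format, sample
lines, thresholds and window are constructed assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed format: ISO timestamp, edge hostname, process tag, EVENT_NAME,
# then key=value fields. A real product's events need their own pattern here.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sdwan\[\d+\]: (?P<event>[A-Z_]+)(?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: a peer with a certificate from an unknown CA hammering
# one edge, an LTE tunnel flapping, one unrelated failure and one junk line.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z edge-br-12 sdwan[311]: TUNNEL_UP peer=hub-dc1 link=broadband
2024-03-01T10:00:05Z edge-br-12 sdwan[311]: AUTH_FAIL peer=203.0.113.9 reason="cert_unknown_ca"
2024-03-01T10:00:07Z edge-br-12 sdwan[311]: AUTH_FAIL peer=203.0.113.9 reason="cert_unknown_ca"
2024-03-01T10:00:09Z edge-br-12 sdwan[311]: AUTH_FAIL peer=203.0.113.9 reason="cert_unknown_ca"
2024-03-01T10:01:00Z edge-br-07 sdwan[298]: TUNNEL_DOWN peer=hub-dc1 link=lte reason="bfd_timeout"
2024-03-01T10:01:30Z edge-br-07 sdwan[298]: TUNNEL_UP peer=hub-dc1 link=lte
2024-03-01T10:02:10Z edge-br-07 sdwan[298]: TUNNEL_DOWN peer=hub-dc1 link=lte reason="bfd_timeout"
2024-03-01T10:02:40Z edge-br-07 sdwan[298]: TUNNEL_UP peer=hub-dc1 link=lte
2024-03-01T10:03:00Z edge-br-12 sdwan[311]: AUTH_FAIL peer=hub-dc1 reason="clock_skew"
this line is not an sdwan event and must be skipped, not crash the parser
2024-03-01T10:45:00Z edge-br-12 sdwan[311]: AUTH_FAIL peer=203.0.113.9 reason="cert_unknown_ca"
"""


def parse_line(line):
    """Turn one syslog line into a flat record a SIEM can index, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    record = {
        "@timestamp": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "host": m.group("host"),
        "event": m.group("event"),
    }
    record.update((k, v.strip('"')) for k, v in KV_RE.findall(m.group("kv")))
    return record


def detect(events, window=timedelta(minutes=5), auth_threshold=3, flap_threshold=4):
    """Sliding-window counters keyed on the entity each rule cares about.
    Window and thresholds are assumptions; tune them to the fabric's event
    volume. Events are expected in time order, as a SIEM pipeline delivers them."""
    seen = defaultdict(deque)   # (rule, entity) -> timestamps inside the window
    alerts = []
    for ev in events:
        if ev["event"] == "AUTH_FAIL":
            rule, threshold = "auth_failure_burst", auth_threshold
            entity = (ev["host"], ev.get("peer"))
        elif ev["event"] in ("TUNNEL_DOWN", "TUNNEL_UP"):
            rule, threshold = "tunnel_flap", flap_threshold
            entity = (ev["host"], ev.get("peer"), ev.get("link"))
        else:
            continue
        ts = ev["@timestamp"]
        dq = seen[(rule, entity)]
        dq.append(ts)
        while ts - dq[0] > window:   # discard observations that aged out of the window
            dq.popleft()
        if len(dq) == threshold:     # fire once as the threshold is crossed, not on every later event
            alerts.append({"rule": rule, "key": entity, "count": len(dq), "at": ts,
                           "detail": ev.get("reason", "")})
    return alerts


def analyse(text):
    """Parse a raw log text and return the alerts it raises."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    return detect(events)


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert["at"].isoformat(), alert["rule"], alert["key"],
              "count =", alert["count"], alert["detail"])
```

Note what the last sample line demonstrates: a fourth certificate failure 45 minutes later does not re-fire the rule, because the earlier three have aged out of the window. Whether that is the right behaviour depends on the fabric; a low-and-slow probe would need a longer window or a cumulative counter in addition to this burst rule.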