In this long-form article, we discuss the key areas all IT teams should consider when comparing SD WAN vendors and service providers. Each heading covers one area of interest, from the common terms used across SD WAN through to SASE security and cloud access.
SD WAN comparison requires consideration of how each vendor delivers digital transformation. While this may sound obvious, vendors often deliver basic SD WAN solutions to hit a price point rather than business-driven SD WAN designed to deliver Quality of Experience (QoEX).
Fortunately, Netify provides the research data and tools to help your business shortlist the right SD WAN solution for your business needs.
SD WAN Orchestration and Automation
Software orchestration and automation means IT teams can set up devices, create a plan for them, and execute it without having to monitor everything manually. The orchestration software provisions bandwidth in real time according to user demand, ensuring application traffic operates with no downtime. If something goes wrong with one of your networks or connections, other circuits take over seamlessly so that users never notice anything out of place as they browse their favourite websites or work at their day jobs. Cloud security offers huge advantages, as new policies based on threats can be delivered to devices and instances with zero-touch deployment. New users can be set up quickly with zero touch and with policies that reflect their role within the organisation.
Self learning SD WAN with AI (Artificial Intelligence)
While AI is not quite there yet, the technology will become available over the next few years. Even with SD WAN today, continuous self-learning is another driver and enables business-driven SD WAN. As the network experiences traffic performance issues or the destination cloud service experiences problems, the network can adapt by using alternative links. The self-learning aspect of an SD WAN vendor's solution is intrinsically linked with how your applications and users will experience the network during any subsequent contract.
SD WAN Quality of Experience (QoEX)
QoEX is the next frontier for QoS (Quality of Service) as SD WAN features converge to meet the demands of users accessing their cloud applications across the Internet. An SD WAN solution is capable of evaluating the traffic type (based on priority), sub-second failover needs, security and bandwidth requirements. SD WAN QoE takes the technology one step further by using FEC (Forward Error Correction) features to help when the underlay circuit experiences impaired performance.
Basic SD WAN solutions provide the equivalent low cost VPN service whereas business-driven SD WAN is capable of micro-segmentation for WAN, Data Centre, LAN and extranet clients. The policies associated with network segmentation are centrally deployed via the vendor management interface meaning changes can be made in seconds.
Internet Access and Breakout for Cloud Apps
Application types are introduced daily, which means many end up unclassified or the app is flagged as a false positive by intrusion prevention. Business-driven SD WAN is aware of new applications and their associated performance and security characteristics.
Packet based vs session based SD WAN
With per-packet SD WAN, data is typically split across multiple circuits packet by packet and re-encapsulated at the destination. In contrast, session-based SD WAN steers traffic using the individual session information, so every packet of a session follows the same path. The typical negative for per-packet SD WAN is out-of-sequence delivery of data, which can create detrimental network performance issues: if one circuit experiences significant network delay, packets arrive out of sequence at the destination. Per-packet SD WAN is much more aligned to next-generation networks because additional features such as QoS and application path selection can be implemented to enhance performance further.
Session-based SD WAN is simpler in concept and deployment, but users will experience an outage if the link carrying their session fails.
Pros of per packet based SD WAN
- More efficient use of bandwidth
- Better bandwidth results
- Simpler to implement
Pros of per session based SD WAN
- Simple in concept
- Fast and simple setup
- Higher throughput is achievable
- Works well across similar application types
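To make the reordering and link-failure trade-offs above concrete, here is a small constructed simulation (added here; it is not code from the original article or from any vendor). It models two underlay links with different latency, sprays one flow per packet and pins another per session, uses a toy session hash as a stand-in for a real 5-tuple hash, and applies a fixed failure-detection delay before the edge steers around a dead link.

```python
"""Per-packet vs per-session path selection over two WAN links (constructed model)."""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Link:
    name: str
    latency_ms: float
    fail_at_ms: Optional[float] = None  # time the link goes dark; None = healthy

    def is_up(self, now_ms: float) -> bool:
        return self.fail_at_ms is None or now_ms < self.fail_at_ms


def toy_session_hash(flow: str) -> int:
    # Stand-in for the 5-tuple hash an SD WAN edge would use; kept trivial so
    # the pinning decision is easy to follow by hand.
    return sum(ord(c) for c in flow)


def per_packet(flow: str, seq: int, links: List[Link]) -> Link:
    """Spray: packet i of any flow is sent over link i mod n."""
    return links[seq % len(links)]


def per_session(flow: str, seq: int, links: List[Link]) -> Link:
    """Pin: every packet of a session uses the link its flow id hashes to."""
    return links[toy_session_hash(flow) % len(links)]


def simulate(flows: List[str], links: List[Link], choose: Callable[[str, int, List[Link]], Link],
             n_pkts: int = 20, interval_ms: float = 1.0, detect_ms: float = 300.0) -> dict:
    """Send n_pkts per flow, one every interval_ms, and report delivery, loss and reordering."""
    results = {}
    for flow in flows:
        arrivals, lost = [], 0
        for seq in range(n_pkts):
            sent = seq * interval_ms
            # The edge only steers around a failure once detect_ms has elapsed since it began.
            usable = [l for l in links if l.fail_at_ms is None or sent < l.fail_at_ms + detect_ms]
            if not usable:
                lost += 1
                continue
            link = choose(flow, seq, usable)
            if not link.is_up(sent):
                lost += 1  # sent into a black hole before the failure was detected
                continue
            arrivals.append((sent + link.latency_ms, seq))
        # A packet is "reordered" if a higher sequence number already arrived before it.
        arrivals.sort()
        reordered, high = 0, -1
        for _, seq in arrivals:
            if seq < high:
                reordered += 1
            high = max(high, seq)
        results[flow] = {"delivered": len(arrivals), "lost": lost, "reordered": reordered}
    return results


FLOWS = ["voice", "video"]  # constructed flow ids: "voice" hashes to link 0, "video" to link 1


def healthy_links() -> List[Link]:
    return [Link("A-fibre", 10.0), Link("B-broadband", 40.0)]


def failing_links() -> List[Link]:
    return [Link("A-fibre", 10.0, fail_at_ms=5.0), Link("B-broadband", 40.0)]


if __name__ == "__main__":
    for label, links, detect in [("healthy", healthy_links(), 300.0), ("link A fails", failing_links(), 3.0)]:
        for name, chooser in [("per-packet", per_packet), ("per-session", per_session)]:
            print(label, name, simulate(FLOWS, links, chooser, detect_ms=detect))
```

With healthy links the per-packet flow sees 9 of 20 packets reordered while the pinned flows see none; when link A dies, the session pinned to it loses every packet sent until detection, whereas the sprayed flow loses only the packets that happened to land on A.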
Should you choose SD WAN as a Firewall replacement?
The SD WAN market is maturing to include full SASE-based security, which also incorporates Next-Generation Firewall. Overall, granular SD WAN reporting and traffic control benefits align well with using the same management interface for control and orchestration of security policies. Many Enterprise businesses have an existing relationship with one of the major security vendors. These relationships are valued for the vendor's breadth of expertise and understanding of network activity. Where this is the case, changing to built-in SASE solutions via SD WAN is not the best outcome.
Why is SASE security now an important feature-set?
Wide Area Network decisions are now split equally between SD WAN alone and SD WAN combined with SASE security. Gartner defined the term SASE to classify the elements of security required to deliver user and device access across public IP networks. IT teams are tasked with reviewing how each SASE feature corresponds to their needs today and in the future, based on business strategy and associated risks.
The components of the SASE security framework are as follows:
Cloud Security - Security teams have a tough time keeping up with the speed and complexity that hackers deploy to keep one step ahead. These days threats arrive from sophisticated techniques like ransomware or phishing emails, which can be difficult for traditional firewalls to detect without heavy reliance on signatures and updates from industry sources. Hackers may also exploit vulnerabilities in operating systems, applications and other software packages in order to steal your data or take control of your system remotely. Adopting cloud-based Security means the vendor is always adding new threats to their database, which is immediately available to their customers. Cloud security spans multiple architectures and deployment options but consideration should be given to management (i.e. reporting and change portals) and how the vendor delivers the latest intelligence surrounding threats.
Zero Trust Network Access - When you're looking for more security, visibility or efficiency in network access control (NAC) deployments, you might be considering Zero Trust Network Access (ZTNA). A ZTNA deployment enables enterprises to identify who's on their network based on what they have been authorised to do - not just where they are coming from. In other words: identity first, location second. ZTNA means that all devices and users are treated as potentially malicious, requiring well-designed policies for each device or user interaction with an endpoint at every level of trust (this includes segregation). This implies that you have to create different layers of defence against attack by enforcing strict rules in your environment. ZTNA does not rely solely on perimeter defences but instead protects from within any layer where possible threats exist through privileged access controls and data enforcement technologies like Data Loss Prevention solutions.
Next Generation Firewall as-a-service - Next Generation Firewall as a Service (FWaaS), also described as SD WAN with the addition of security services such as DDoS protection or IDPS, is an emerging trend in enterprise network architecture. This approach eliminates many layers of labour-intensive monitoring that have traditionally been required to ensure compliance with regulatory standards such as PCI DSS, by using real-time analytics driven by machine learning algorithms on top of intelligent sensors deployed through the software-defined infrastructure fabric.
CASB (Cloud Access Security Broker) - In the past, if an enterprise needed to access their critical files while outside the office, they would have had to use VPNs or email attachments. With today's modern business world being so mobile, it has become more difficult for companies to keep all of their employees connected securely at all times without costly third-party services. That's where CASBs come in - these help organisations maintain security standards across endpoints while roaming on any network connection, whether public Wi-Fi or cellular networks.
Should you choose Private Gateway, Public Gateway or Edge SD WAN?
One of the key benefits of MPLS VPN concerned the transport of traffic for global businesses. With WAN infrastructure using MPLS, applications transit the service provider's private backbone, resulting in predictable application performance with an SLA defining latency and jitter. SD WAN vendors with their own private backbone offer MPLS core networks with local VPN access into the WAN infrastructure. The VPN (Internet) is only required to reach the local PoP, resulting in a hybrid VPN and MPLS architecture. An alternative, middle-ground option exists in the form of public gateways. In the same way as the private backbone SD WAN offering, public gateways are designed to improve middle-mile traffic performance.
Private network connectivity and public gateways are a good option for global Enterprise business but consideration must be given to coverage vs. PoP locations. If private and public gateways are not suited, the default option is end-to-end VPN which is often the choice for national deployments.
Which SD WAN vendors support DIA, 4G/5G or Ethernet?
The majority of SD WAN vendors and providers support cellular connectivity but not all support features such as built-in SIM card. Please refer to our table to learn more about cellular LTE/4G/5G support and which solutions offer native built-in capability.
How to compare centralised security vs edge SD WAN security
With most companies adopting cloud-first architectures, it makes sense that almost all aspects of IT will adopt the same posture. Security exists everywhere regardless of how the user or device is connecting to their required resources. As users connect to corporate resources directly from VPN software on their device, the case for edge devices becomes ever less compelling.
How to compare SD WAN service providers vs standalone vendors?
The legacy of large service providers' customer lock-in is evident as we witness IT teams cancel their existing MPLS VPN contracts. Depending on contractual status, circuits do not typically co-terminate, leaving a percentage of the network in contract or facing expensive early termination fees. SD WAN solutions present an opportunity to select the SD WAN overlay in isolation from the connectivity underlay. When adopting this design strategy, the vendor is selected as a standalone component of the solution, enabling IT teams to select their own underlay. As the contract progresses, you are free to remove the elements which are not working.
What to know when implementing SD WAN solutions
Implementing SD WAN requires understanding your own individual use case for resilience, application performance, cloud access and network security.
- Evaluate a transport-independent WAN underlay (reducing costs and increasing circuit resilience) against service providers offering fully managed single IP backbone solutions.
- Compare Service-Level Agreements (SLAs) for business-critical and real-time applications.
- Provide end-to-end segmentation of the network and resources.
- Decide upon your cloud strategy for Azure, AWS or Google (single or multi-cloud).
- Which other features are required to optimise and improve Software-as-a-Service (SaaS) application performance?
What SD WAN questions should you ask to identify the right solutions?
Asking the right questions to compare vendors requires creating your own SoR (Statement of Requirements). While IT teams often ask generic questions via an RFI/RFP process, the key areas important to your specific organisation need to be identified first. These are the core areas of any SD WAN solution and the features that fit the pains and problems within your organisation or business.
The top questions are as follows:
- How does the vendor's management interface provide easy access to orchestration, change requests and general policy management?
- What SASE security capability is available out of the box and how does the vendor deal with false positives?
- How easy is the vendor's management interface to use on a day-to-day basis?
- Does the vendor support DIY, Co-Managed and fully managed services?
- What reporting is available, how granular is the detail?
- What features does the SD WAN vendor support to improve application performance?
- Does the SD WAN vendor support WAN acceleration and optimisation?
- How does the SD WAN vendor support and provide access to cloud services such as Azure, AWS and Google?
- What is the cost of SD WAN to help set budgets?
- Does the SD WAN vendor support global requirements?
What are some SD WAN prerequisites?
Prerequisites of SD WAN will vary depending on each business use case. In general terms, all SD WAN vendors should offer a base set of capabilities as a prerequisite before comparison and evaluation.
- Support for multiple connectivity options, including 4G/5G cellular services.
- Secure tunnelling with encryption.
- Intuitive management interface.
- Path selection, load balancing and resilience across multiple paths.
- WAN optimisation.
- Application performance enhancements.
- Reporting and statistics at application and host level.
- Orchestration for fast deployment of SD WAN.
- ZTP (Zero Touch Provisioning).
- Comprehensive service level agreement.
- Tiers of managed services.
- Capability to monitor and support SD WAN underlay.
Why should your business choose SD WAN vs alternatives?
Depending on the business use case, SD WAN will typically form one component of Enterprise WAN architecture. Other WAN services include:
- IPSec VPN.
- Layer 3 MPLS (Multi-Protocol Label Switching).
- Layer 2 VPLS (Virtual Private LAN Service).
- VLL (Virtual Leased Line).
- SHDS (Short Haul Data Service).
- Optical Wavelength.
It is clear that the adoption of SD WAN is driven by a number of benefits which typically include public Cloud access, simplicity, cost reduction and application performance enhancements. Other WAN services can be combined with SD WAN to meet the needs of a specific application or SLA. For example, two campus networks that are within 25km radial distance might benefit from short-haul dedicated fibre. Or longer distance connectivity between data centres might require layer 2 VLL or VPLS. In this sense, most networks (SD WAN or otherwise) end up as a hybrid architecture and design.
What are some of the use cases for SD WAN?
All SD WAN vendors align their solutions to specific use cases based on their go-to-market strategy. As an example, there are vendors which work across specific business sectors such as retail or manufacturing. On the technology side, vendors will opt to lead with SASE security or with application improvement features to support low-cost Broadband connections. And then there are the vendors who have invested heavily in private backbone or public gateways to improve traffic performance. The use cases for SD WAN are constantly evolving; we are witnessing native integration with cloud vendors, which essentially provides the option of deploying SD WAN as a cloud marketplace application.
The top 10 use cases for SD WAN include:
- Cloud or multi-cloud access into Microsoft Azure, AWS or Google Cloud.
- Microsoft Azure, AWS or Google Cloud marketplace access to SD WAN vendors.
- SASE security to meet the demands of public-cloud application access.
- Business vertical experience such as Retail, Finance or Manufacturing.
- Application improvement features over low-cost Broadband.
- Support for legacy MPLS networks.
- Support for remote users.
- Cost reduction vs existing WAN services.
- Adoption of DIY or Co-Managed SD WAN.
- Comprehensive network reporting and statistics.
Why do users benefit from SD WAN remote access?
The adoption of SD WAN for remote access is significant within almost all businesses regardless of size or market vertical. Certain events have further accelerated the need to support remote workers but the fact remains that almost all users now access public cloud applications from any device, at any time and from any location.
SD-WAN with SASE security supports remote access in several ways which include:
- Zero Touch SD WAN deployment
- Out of the box security policies
- Support for Active Directory
- Single sign-on with multi factor authentication
- Application acceleration
- Management of cloud resources
- DR (Disaster Recovery)
How does SD WAN QoS work?
We typically think of QoS (Quality of Service) as an MPLS VPN benefit, enabling end-to-end traffic prioritisation between branch locations. While MPLS QoS has the edge over SD WAN in end-to-end capability, its overall effectiveness is weaker.
As businesses are no longer static and rely on mobility across public cloud, traffic performance becomes less about QoS and more about QoE (Quality of Experience). QoE is more about the overall experience of using the network, which is delivered via path selection, FEC (Forward Error Correction) and edge traffic shaping.
SD WAN QoS at the edge is much more granular due to improved classification of applications and out-of-the-box recognition of service types. SD WAN QoS's feature-rich nature means all components come together to support resilience, application acceleration and resource allocation, resulting in a better user experience vs simply identifying and prioritising traffic types.
What are the benefits of SD WAN?
The adoption of SD WAN is typically associated with 5 main benefits that solve problems for most medium to large Enterprise businesses. In overall terms, the main benefit revolves around digital transformation from static based MPLS networks to public-cloud-first Software WAN architectures.
The top 5 SD WAN benefits are listed below:
- Public Cloud access - SD WAN is associated with public Internet underlay which means users are able to access their data and applications from wherever they are located.
- Improved Security - the adoption of public WAN requires more focus on Security to ensure users do not compromise their own data and the corporate network. The Gartner SASE framework is designed to encompass the elements required across the majority of WAN requirements.
- Reduction of complexity - SD WAN offers the ability to select DIY, Co-Managed or fully managed services via sophisticated management interfaces. Deployment via SD WAN orchestrator technology becomes much simpler with default policies to get users up and running within minutes.
- SD WAN features - dynamic path selection, WAN optimisation, QoS and FEC (Forward Error Correction) are all examples of features that enable better user experience.
- Cost reduction - removal of costly MPLS circuits offers lower pricing as companies leverage local ISP connections to deliver network access. The ROI (return on investment) for SD WAN requires more analysis as the reduction in complexity, uptime and better application performance all contribute to lower operating costs.
How to create your SD WAN architecture
SD WAN is associated with two abstract network architecture elements:
- The SD WAN control plane - centralised management and orchestration of policies from a cloud-based application.
- The SD WAN forwarding plane - where configuration and deployment options are carried out according to defined policies.
Components of a typical SD WAN architecture are as follows:
- WAN edge - either on premise as an edge or virtualised device hosted at the branch or data centre.
- Controller - central management with policy configuration.
- Orchestrator - the network administration function which carries out policies and the configuration of devices.
What is SD WAN as a Service?
The definition of SD WAN as a Service differs across vendors and service providers. In general terms, the model is based on consumption of SD WAN elements which may include management of both overlay and underlay, deployment, change requests, service management and support. As with all 'as a service' products, the commercials are based on mostly recurring subscription revenues which will vary depending on the service elements chosen by the organisation.
Which vendors support SD WAN cloud and multi-cloud access?
SD WAN cloud access into AWS, Azure and Google Cloud is replacing the need for expensive physical or virtual software appliances. Depending on the architecture and vendor of preference, the solution may not be considered cloud-native. As an example, certain vendors add their virtual appliance or WAN edge hardware directly into the cloud provider's infrastructure. On-demand redundancy designed for large enterprises eliminates single points of failure.
More and more companies are adopting a hybrid, multi-cloud strategy to better meet their needs. This is because different cloud providers offer certain services that others do not. For example Amazon offers storage while Microsoft Azure can provide compute power for HPC workloads. A company may have applications in the Amazon AWS Cloud, but they also store some of their data on Google Drive due to price or compatibility reasons. With this increase in adoption comes an increased need for Security. Each provider has its own firewall protection that doesn't integrate with any of the others, so all traffic must be routed through them separately even if there's no intention to use it with that particular service provider.
SD WAN edge appliance vs virtualised instance
The majority of SD WAN vendors and service providers are expected to adopt virtualised SD WAN as we move toward a software-defined perimeter architecture. In today's solutions, SD WAN is typically deployed as an edge device to support multiple interface and circuit terminations. The Netify team is of the opinion that VPN and security will be almost entirely device- and software-based in the near future as businesses adopt zero trust across every internal and external connection.
What are the differences between MPLS vs. SD WAN?
The Internet of today is maturing and developing faster than ever before. If we think back to connectivity just a decade ago, the difference in performance is startling.
With the past in mind, MPLS Layer 3 routed network services grew out of the need to provide predictable performance without the complexity and overhead of security with encryption. The Internet of the 2000s simply was not up to the task of providing a consistent experience. Also, the technology of today (tablets, phones etc) did not exist, so reliance on a 'permanently on' Internet connection was not a requirement. If your phone loses connectivity today, you soon notice the decline in productivity. In 2006, you would be lucky to have connectivity at all. A huge step change.
The Internet is now a viable platform to deliver mission-critical data applications including voice and video. As a home or business user, the Internet is regularly leveraged, and for the most part, the experience is positive. In many cases, access to a private data network is too restrictive since our applications now reside within the public cloud.
An SD WAN Internet deployment represents a lower cost vs. MPLS private traditional WAN networks; availability is everywhere, in the main, and the platform just gets better and better.
Should you deploy SD WAN over Broadband?
Fixed and cellular Broadband connectivity are a major component of SD WAN architecture. While speeds vary, the cost of deploying Broadband will vastly reduce network costs for organisations currently using Ethernet over MPLS. Certain SD WAN vendors focus on Broadband application performance improvement to allow the provision of voice, video, and mission-critical applications.
How do you conduct SD WAN price comparison?
Pricing is important when deciding to implement SD-WAN. Many factors should be considered, including topology type and the number of sites. However, it is possible to obtain an accurate price estimate with all variables included to make sure you have enough budget for what your business needs. Netify offers a free tool here to request overlay and underlay pricing.
What is the market share of SD WAN?
For this year, it is estimated that around $14 billion will be spent on software-defined networking (SDN) devices, which includes a fair chunk from SD WANs.
What are the top SD WAN features you should compare?
SD WAN comparison areas are as follows:
- Core functionality:
  - Licensed software.
  - Application recognition.
  - Path selection.
  - Network (VPN) and Layer 4 firewall.
  - Form factors: virtual and/or physical.
  - Edge and headend.
  - Orchestrator (on-premises or in the cloud).
- Optional functionality:
  - Native advanced security.
  - Cloud gateways.
  - Application performance optimisation.