Network engineering and operations leaders are seeking to replace their traditional wide-area network (WAN) architectures with software-defined wide-area networks (SD-WAN) to cope with the ever-increasing traffic demands, and associated connectivity costs, that accompany digital innovation (DI). These DI-driven initiatives improve staff productivity and create new business opportunities. Yet they also strain network performance and heighten security concerns.
SD-WAN adoption is accelerating, and many organisations have initiated SD-WAN implementations. However, many SD-WAN solutions present significant challenges, ranging from inadequate security to a high total cost of ownership (TCO). Understanding these issues is key to navigating the increasingly complex market for WAN edge technologies.
Distributed organisations are embracing a wide range of digital innovation (DI) technologies. These include Software-as-a-Service (SaaS) applications, cloud on-ramp connectivity, Voice over IP (VoIP) and video communications tools, DevOps practices that shorten deployment time for new web applications, and Internet of Things (IoT) devices for data collection and telemetry.
However, these DI initiatives present new challenges for network engineering and operations leaders, who must sustain both performance and security from the data centre campus to branch offices at the network edge. Traditional wide-area networks (WANs) at remote sites were not designed to support the volume and velocity of traffic now being pushed to branches and distributed offices. Typically, these WANs use a multiprotocol label switching (MPLS) network that backhauls all traffic through the corporate data centre for filtering and security checks. This hub-and-spoke architecture creates bottlenecks at the network edge, resulting in sluggish performance for end users, especially under the growing bandwidth demands that come with DI adoption.
That is not the only problem with traditional WANs. MPLS connections are also expensive, and the costs compound quickly as branch traffic volumes continue to climb.
“The market for SD-WAN will experience a compound annual growth rate (CAGR) of more than 40% through 2022.”
– IDC SD-WAN Infrastructure Research
“The emergence of SD-WAN technology has been one of the fastest industry transformations we have seen in years. Organisations of all sizes are modernising their wide-area networks to provide improved user experience for a range of cloud-enabled applications.”
– Rohit Mehra, VP, Network Infrastructure, IDC
In response, many organisations are embracing SD-WAN solutions on the premise that they deliver better network performance. Yet there are numerous SD-WAN solutions on the market with varying capabilities, and it can quickly become a challenge to determine which one meets core business requirements. Before evaluating the available options, a network engineering and operations leader should understand the ways in which many SD-WAN solutions fall short, as outlined below.
Although throughput suffers when a WAN routes all traffic through the data centre, MPLS-based WANs are generally perceived as adequately secure, largely because every flow passes through the data centre's security stack rather than because MPLS itself encrypts or inspects anything. In contrast, many SD-WAN solutions either do not build in advanced security or include security that is insufficient. Specifically, the security capabilities in most SD-WAN solutions do not cover the full Layer 3 through Layer 7 stack: they lack built-in intrusion prevention system (IPS) technology, web filtering, Secure Sockets Layer (SSL)/Transport Layer Security (TLS) inspection, and other protections.
To address these security requirements in branch and remote office networks, network engineering and operations leaders must pair dedicated security appliances with their SD-WAN. At a bare minimum this means adding a firewall in each location, and sometimes more than that, since not every firewall on the market offers SSL/TLS inspection. This adds complexity and raises the total cost of ownership (TCO), from capital expenditure (CapEx) for the additional appliances to the staff time (operational expenditure, OpEx) spent managing the extra firewall and other devices.
Even among SD-WAN solutions that incorporate more advanced security technologies, gaps remain. For example, not every SD-WAN solution offers security capabilities that have been independently tested by third-party experts such as NSS Labs. Objective comparison of this kind gives network engineering and operations leaders a basis for determining which SD-WAN solutions best meet real-world business requirements.
The direct connectivity and load-balancing capabilities of SD-WAN solutions improve performance compared with traditional WANs. However, just as with security, not all SD-WAN solutions are created equal in this area. In particular, not every SD-WAN solution can identify and classify application traffic and apply routing policies at a granular, per-application level. Without that capability, critical applications cannot be prioritised over others; under this one-size-fits-all traffic model, business-critical applications, VoIP calls, and video can all slow down, impeding end-user productivity.
Furthermore, among the subset of SD-WAN solutions with built-in security, some security settings can degrade network performance. For example, enabling deep inspection of encrypted SSL/TLS connections can significantly reduce throughput. Organisations that choose to leave it turned off, however, put themselves at heightened risk: the paper cites figures of 72% of network traffic being encrypted and 60% of attacks using SSL/TLS encryption to conceal malware. Additionally, if the solution cannot classify encrypted traffic, it cannot apply the correct routing policy to it, which degrades the quality of experience (QoE) for network users.
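The two preceding paragraphs turn on the same capability: an SD-WAN edge has to recognise which application an encrypted flow belongs to before it can steer or prioritise it. The common way to do that without decrypting anything is to read the Server Name Indication (SNI) that TLS clients send in clear text in the ClientHello. The following Python is an added example written for this page, not code from the original paper or from any vendor's product; the policy table, hostnames and DSCP markings in it are illustrative assumptions, and the ClientHello used as input is constructed in the code itself.

```python
"""Steer TLS flows by SNI without decryption (added example, not from the page).

parse_sni() walks a TLS ClientHello record and extracts the server_name
extension; route_flow() maps that name to a WAN path and DSCP marking
using an illustrative policy table. Anything the parser cannot classify is
sent to the inspected backhaul path, i.e. it fails closed.
"""
import struct
from typing import Optional, Tuple

# Illustrative policy (assumption): SNI suffix -> (WAN path, DSCP class)
POLICY = {
    "teams.microsoft.com": ("direct-internet", "EF"),    # real-time voice/video
    "salesforce.com": ("direct-internet", "AF31"),       # SaaS local breakout
}
DEFAULT_DECISION = ("backhaul-inspect", "BE")  # unknown app: send via data-centre inspection


def parse_sni(record: bytes) -> Optional[str]:
    """Return the SNI hostname from a TLS ClientHello record, or None.

    Returns None for non-handshake records, non-ClientHello messages,
    truncated input, or a ClientHello without a server_name extension.
    """
    # TLS record header: content_type(1) version(2) length(2); 0x16 = handshake
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    # Handshake header: msg_type(1) length(3); 0x01 = ClientHello
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    pos = 4
    pos += 2 + 32                                   # client_version + random
    if pos >= len(hs):
        return None
    pos += 1 + hs[pos]                              # session_id (length-prefixed)
    if pos + 2 > len(hs):
        return None
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    if pos >= len(hs):
        return None
    pos += 1 + hs[pos]                              # compression_methods
    if pos + 2 > len(hs):
        return None
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(hs):
        return None
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        body = hs[pos:pos + ext_size]
        pos += ext_size
        if ext_type == 0x0000:                      # server_name extension
            # ServerNameList: list_len(2) name_type(1) name_len(2) host_name
            if len(body) < 5 or body[2] != 0x00:    # 0x00 = host_name type
                return None
            name_len = struct.unpack("!H", body[3:5])[0]
            name = body[5:5 + name_len]
            if len(name) != name_len:
                return None
            try:
                return name.decode("ascii")
            except UnicodeDecodeError:
                return None
    return None


def route_flow(record: bytes) -> Tuple[str, str, Optional[str]]:
    """Return (path, dscp, sni) for the first TLS record of a flow."""
    sni = parse_sni(record)
    if sni is None:
        return DEFAULT_DECISION + (None,)
    for suffix, decision in POLICY.items():
        if sni == suffix or sni.endswith("." + suffix):
            return decision + (sni,)
    return DEFAULT_DECISION + (sni,)


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying an SNI (test input only)."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body = (
        b"\x03\x03" + bytes(32)                     # version 1.2, zeroed random (constructed)
        + b"\x00"                                   # empty session_id
        + struct.pack("!H", 2) + b"\x13\x01"        # one cipher suite
        + b"\x01\x00"                               # one compression method: null
        + struct.pack("!H", len(ext)) + ext
    )
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for host in ("login.salesforce.com", "teams.microsoft.com", "intranet.example"):
        print(host, "->", route_flow(build_client_hello(host))[:2])
```

The parser deliberately returns None on any malformed or truncated structure rather than guessing, and route_flow treats None as "unclassified", so a flow the edge cannot identify lands on the inspected path instead of a fast, uninspected one. Encrypted ClientHello and TLS 1.3 deployments that hide the SNI will likewise fall into that default, which is the trade-off the paragraph above describes.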
The growing volume and velocity of network traffic from VoIP, video, and SaaS-based applications dramatically increases network bandwidth costs for many organisations. Given MPLS cost increases of as much as four to five times, the savings available from SD-WAN, which runs over the public internet, are significant.
Still, network engineering and operations leaders who deploy SD-WAN solutions are often surprised to find a significantly higher total cost of ownership (TCO) than they expected. Adding multiple appliances with different capabilities increases CapEx as well as the staff time needed to manage them (OpEx). Network staff must manually monitor and compile log information from each device for threat management, which is time-consuming and inefficient.
Furthermore, deploying multiple point products at each remote office and branch location, from routers and firewalls to secure web gateways and WAN optimisation, consumes substantial staff time. Each product has its own protocols and user interface. To achieve visibility and centralised control, and to demonstrate compliance with industry and governmental regulations and security standards, network engineering and operations staff must spend time manually aggregating and reconciling data from each technology-specific silo. In the face of a skills shortage, this becomes costly as teams struggle to scale to meet these requirements.
Inefficiencies mount in distributed networks where managing networking and security solutions requires staff to travel to remote locations. When SD-WAN solutions offer neither a virtual appliance alternative nor zero-touch deployment, the time spent on initial deployment and ongoing maintenance adds up quickly.
When evaluating the many available SD-WAN solutions, network engineering and operations leaders should ask the following questions about each of the solutions on their shortlist: