The following piece has been co-authored by Sunil Khandekar, founder and CEO of Nuage Networks, and Keith Langridge, VP of global services at BT
Interest in software-defined wide area network (SD-WAN) technology to transform existing enterprise WAN networks is progressing at a rapid pace across the globe. SD-WAN technology leverages software-defined networking (SDN) principles, allowing enterprises to re-invent their networks and their IT services to thrive in the new era of cloud-based architectures.
Specifically, the business value that is expected includes an increase in service agility and operational efficiency, massive scale, and a dynamic and robust security model. However, in order to achieve these benefits there are considerations that each SD-WAN provider should be cognizant of:
- each enterprise’s legacy WAN transport network can be complex, diverse and may require comprehensive SD-WAN routing capabilities to enable enterprises to flexibly and optimally leverage these assets,
- the emergence of cloud-based architectures and the ephemeral and dynamic nature of applications giving rise to a new breed of security threats that traditional tools may not be equipped to address,
- assuring a new SD-WAN service is not trivial as existing assurance tools may not be suitable to provide the visibility and insight needed to understand the entire network and the applications that run across it.
Flexibly leveraging the underlay WAN transport network
The WAN “underlay” transport networks
Unlike the drawings we see in many marketing presentations, not all legacy IP/MPLS WAN transport networks provide homogeneous and ubiquitous connectivity. Some WAN networks are disjointed and disconnected, preventing seamless end-to-end SD-WAN connectivity to certain branches. To overcome these realities, the right SD-WAN solution would be equipped with highly automated and advanced routing capabilities, with the ability to stitch these disjointed segments together to enable a seamless overlay service to the desired branches.
Flexibility of SD-WAN gateways and Hybrid WAN support
Depending upon the business goals of the enterprise, each SD-WAN branch gateway would have the flexibility to connect to multiple transport networks whether that is multiple IP/MPLS transport networks, or a combination of IP/MPLS, Internet access, or even LTE. This flexibility allows for a Hybrid WAN infrastructure enabling an active/active multi-link resiliency model that increases the capacity of each site. With a proper Hybrid WAN configuration, a policy-based, per-application automated routing scheme can be implemented to dynamically select the optimal WAN link for each application optimized for performance and cost.
Support for staggered migration schedules
Each enterprise will have their own SD-WAN migration schedule, and flexibility would be needed in the solution to accommodate a state where there is concurrent support for both SD-WAN branches and non-SD-WAN branches without any service disruption. In fact, there may be cases where an enterprise requires ongoing and concurrent support for new “brownfield” branch locations. The bottom line is that flexibility may be needed in the solution to accommodate these deployment realities.
The new paradigm for SD-WAN security
Software-defined security
Traditional security approaches like Firewalls (FWs) or Intrusion Protection Systems (IPSs) are important but may not be enough to dynamically isolate and protect each application within the perimeter of SDN or SD-WAN networks. In addition, due to the ephemeral nature of cloud-based architectures it may not be practically viable to dynamically configure each switching element within the network to accommodate security on a per-application basis. Due to these constraints it is important for service providers to consider SDN principles to automate and scale security for each application, providing enterprises with the following benefits:
- predict the behavior of each application that traverses the network, its traffic footprint, and the network resources it consumes,
- prevent security breaches with micro-segmentation by creating policies that isolate application-specific traffic, and the network resources it consumes, within its own secure logical domain,
- detect emerging security threats by using flow analytics and any other contextual insights throughout each application’s lifecycle,
- respond in real-time to emerging security threats by defining and implementing automated remediation policies that can raise alarms, steer traffic to a FW or IPS, or quarantine the traffic.
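The prevent/detect/respond loop above, as an added example that is not BT or Nuage Networks code: a micro-segmentation policy is evaluated over constructed flow records, and each violation maps to one of the remediation actions the text lists (alarm, steer to FW, quarantine). The segment prefixes, the allow list and the flow records are all constructed sample data.

```python
import ipaddress
from collections import Counter

# Constructed segment map: prefix -> logical domain the application lives in.
SEGMENTS = {
    ipaddress.ip_network("10.1.0.0/24"): "pos-terminals",
    ipaddress.ip_network("10.2.0.0/24"): "payment-app",
    ipaddress.ip_network("10.3.0.0/24"): "hr-app",
    ipaddress.ip_network("10.9.0.0/24"): "guest-wifi",
}
# Allowed inter-segment flows: (source segment, destination segment) -> ports.
# Anything not listed here breaches the destination segment's isolation policy.
ALLOW = {
    ("pos-terminals", "payment-app"): {443},
    ("hr-app", "payment-app"): {443},
}
QUARANTINE_AFTER = 3   # repeated violations from one source escalate to quarantine

def segment_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for net, name in SEGMENTS.items() if addr in net), None)

def evaluate(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port); returns ordered remediation actions."""
    actions, strikes = [], Counter()
    for src, dst, port in flows:
        s, d = segment_of(src), segment_of(dst)
        if s is not None and s == d:
            continue                      # intra-segment traffic: nothing to isolate here
        if s is None or d is None:
            actions.append(("alarm", src, dst, port))   # unknown endpoint: needs a human
            continue
        if port in ALLOW.get((s, d), set()):
            continue                      # explicitly permitted inter-segment flow
        strikes[src] += 1
        if strikes[src] >= QUARANTINE_AFTER:
            actions.append(("quarantine", src, dst, port))
        else:
            actions.append(("steer-to-fw", src, dst, port))
    return actions

# Constructed flow records (src, dst, dst_port), as a flow collector would export them.
FLOWS = [
    ("10.1.0.5", "10.2.0.10", 443),   # POS -> payment app on 443: allowed
    ("10.9.0.7", "10.2.0.10", 443),   # guest wifi -> payment app: not allowed
    ("10.9.0.7", "10.2.0.10", 22),    # second violation from the same source
    ("10.9.0.7", "10.3.0.4", 445),    # third violation: escalate to quarantine
    ("10.1.0.5", "192.0.2.9", 80),    # destination outside any known segment
]
```

Running `evaluate(FLOWS)` yields two steer-to-FW actions, one quarantine and one alarm; in a real deployment the actions would be pushed to the SD-WAN policy layer rather than returned as tuples.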
Support for value added security functions within the SD-WAN platform
To complement software-defined security, modern enterprise branch sites may require a range of value added security services (e.g. FW, ACL, URL filtering, Intrusion detection/prevention, NAT) in addition to the core SD-WAN connectivity. These functions are typically delivered through a standalone appliance that can add operational complexity and vendor lock-in. A better approach is to leverage the existing SD-WAN platform to deliver these services. With this approach enterprises will benefit from centralised policy and control for all functions allowing for the following flexible deployment models:
- value-added security functions that are embedded within the SD-WAN CPE software itself. The management and policy constructs for these functions are built into the SD-WAN management and policy layers. Typical examples include NAT, ACL, Layer 7 ACLs, URL filtering, etc.,
- value-added security functions that are hosted in a data center (or third-party cloud hosted) would be accessed by programming the SD-WAN control and policy layer to route (i.e. service chain) branch traffic flows of interest to these security functions. The key requirement to enable this model is to ensure that the SD-WAN platform works across both WAN and required data center domains,
- value-added security functions that are hosted as a virtual network function (VNF) on the SD-WAN CPE itself. This model is also known as “branch in a box” and provides all functionality needed to operate a branch in a single box with unified/secure policy, control as well as life cycle management of these additional security functions.
Re-inventing service assurance and network management
Ordering and activating the SD-WAN gateway
One of the first SD-WAN service experiences that an enterprise will see is branch service ordering and on-site activation. Ideally, the first part of turning up an SD-WAN service at a branch would start by using a secure, multi-tenant portal where the enterprise can choose the SD-WAN device and select from a menu the desired services for each location. This order would be synchronized with any WAN transport provisioning required for turning up the service.
Once the device arrives on-site, it is important for the activation process to be quick, easy, and secure. A non-technical resource would connect the required cables and ports, then proceed with secure activation to complete the activation process. Ideally, the entire process would take minutes to complete, would be completed without the expertise of on-site technicians, and would be centrally managed and monitored.
Application level visibility
The current era of cloud-based architectures is enabling an insatiable consumption model for employees and their devices, not to mention the emerging applications driven by IoT. Due to this market reality, applications are becoming more and more ephemeral and dynamic, making service assurance a big challenge. To address this, an understanding of each application along with real-time measurements of its network performance is key. The ideal SD-WAN solution would be able to leverage this real-time information and trigger routing policies as required to ensure that each application is routed across the optimal path, so that each application receives the performance that it needs.
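The per-application, policy-based link selection described under Hybrid WAN support and here, as an added example that is not BT or Nuage Networks code: each application carries a performance requirement from its business policy, fresh link measurements are fed in, and the controller picks the cheapest link that meets the requirement, falling back to the best-performing link and flagging it when none does. The link names, measurements and policies are constructed sample values.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    name: str
    latency_ms: float     # real-time measured latency on this WAN link
    loss_pct: float       # real-time measured packet loss
    cost_per_gb: float    # commercial cost, ranks links that all meet the SLA

@dataclass
class AppPolicy:
    app: str
    max_latency_ms: float  # performance requirement from the business policy
    max_loss_pct: float
    preferred: list = field(default_factory=list)  # ordered link preference

def meets_sla(link, policy):
    return (link.latency_ms <= policy.max_latency_ms
            and link.loss_pct <= policy.max_loss_pct)

def select_link(policy, links):
    """Return (link_name, degraded). Links that meet the SLA are ranked by cost,
    then by the policy's stated preference. If no link meets the SLA, the
    best-performing link is used and degraded=True so an alarm can be raised."""
    rank = lambda l: (l.cost_per_gb,
                      policy.preferred.index(l.name) if l.name in policy.preferred
                      else len(policy.preferred))
    compliant = sorted((l for l in links if meets_sla(l, policy)), key=rank)
    if compliant:
        return compliant[0].name, False
    best = min(links, key=lambda l: (l.loss_pct, l.latency_ms))
    return best.name, True

def reevaluate(policies, links):
    """Re-run selection for every application against fresh measurements."""
    return {p.app: select_link(p, links) for p in policies}

# Constructed measurements for a branch with three hybrid-WAN links.
LINKS = [Link("mpls", 20.0, 0.0, 8.0),
         Link("internet", 35.0, 0.5, 1.0),
         Link("lte", 60.0, 1.5, 12.0)]
POLICIES = [AppPolicy("voip", 30.0, 0.1, ["mpls"]),
            AppPolicy("saas-email", 100.0, 1.0, ["internet"]),
            AppPolicy("video", 50.0, 0.2, ["mpls", "internet"])]

if __name__ == "__main__":
    for app, (link, degraded) in reevaluate(POLICIES, LINKS).items():
        print(f"{app:10s} -> {link}{'  (SLA not met)' if degraded else ''}")
```

With these measurements voice and video stay on MPLS while email goes out over the cheaper Internet link; a controller would call `reevaluate` each time a new measurement batch arrives and push only the decisions that changed.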
Correlation of underlay and overlay
One of the key elements of an SD-WAN service is represented by overlay VPNs that connect branch sites, private and public clouds and data centers. These VPNs run on top of the underlay WAN transport networks. To deliver seamless service assurance for SD-WAN, service providers may need not only an understanding of both overlay VPNs and underlay transport networks, but how they are correlated together. Having this level of insight allows for a much more effective understanding of the network and leads to more efficient troubleshooting of network faults.
Single point of secure policy-based business modeling and network management
Bringing it all together, modern enterprises that have transformed to SD-WAN technology expect to have access to a secure, web-based portal used for policy-based business modelling and self-service management of the network. From this single portal, enterprises would have a one-stop shop of capabilities from a single pane of glass. As an example, from this portal, the ability to create business policies that dictate the performance requirements of each application and the security measures that should be applied would be facilitated through an abstracted template-driven view. Each enterprise would also expect a customizable dashboard view that can track networks and branches, user activity, SD-WAN branch device health, events, and statistics. In addition, having access to analytics and custom reports such as security audits, as well as user activity, traffic throughput and application performance, would be readily available.
Constant Innovation in the cloud era
As close business partners for decades, British Telecom (BT) and Nuage Networks from Nokia understand that addressing the aforementioned hurdles is just the beginning of supporting the needs of an enterprise WAN in today’s rapidly evolving cloud era. A solution should be able to quickly scale up and foster rapid innovation to meet both increased demand and new service models. In addition, it is imperative that the solution provider offer a global cloud strategy that accommodates any enterprise’s multi-cloud or hybrid cloud deployment model.
BT and Nuage Networks believe that a purpose-built solution that addresses the hurdles outlined, as well as these additional considerations, will allow enterprises to maximize their network’s gains in service agility, operational efficiency, scale, and security now and well into the future of the cloud era.