SD-WAT?!
The short version: SD-WAN is a way to take cheaper commodity internet and make it viable for business-critical applications (e.g. voice services). What that means is that you can run voice over the internet in a way that is essentially bulletproof. This is the same role that Multiprotocol Label Switching (MPLS, a carrier technique that lets you control and manage how traffic flows across your wide-area network) has filled in the past, just better.
Traditional VPNs are a terrific and inexpensive way to connect offices. If you’re familiar with how your firewall works (a security device that manages, monitors, and controls incoming and outgoing traffic), you’ll know that connecting through a Virtual Private Network (VPN, a secure way to get remote access to your private network) to a firewall is a fairly inexpensive and secure way to get your work done when you’re not in the office. This is also helpful if you want to centrally manage all of the applications, software, and data that your organization owns and stores. This concept is undergoing an evolution. However, there are vulnerabilities in almost every scenario. If you ever work with someone who says “you’re 100% safe,” you should take your business elsewhere. Vulnerabilities exist with VPNs, firewalls, carriers (which we’ll get into later), and even redundant internet connections. The following information is about a methodology that we believe is the next step in hardening security, improving bandwidth, and streamlining the quality of connectivity to your organization’s most important data over your network. It’s known as SD-WAN.
As we discussed, the combination of a VPN with a firewall is a very common scenario for businesses. For example, with a VPN, your primary internet line takes on the brunt (if not all) of the traffic. This leaves your second line serving only as a failover line. So with the primary line being utilized at essentially 100% and the second line only being utilized in the event of an outage, you have what is called an active-passive setup (e.g. Internet1 is the primary internet connection and is utilized at 100%, whereas Internet2 is only needed, and only used, when Internet1 goes down). This is common and has been a best practice for years. There is a better and more secure way to utilize what you’re paying for.
Let’s look at an example with voice in this active-passive environment:
If you have a remote center that’s running voice from your location or getting voice from Vonage (or whatever the case may be) and your internet service provider goes down, a failover occurs. At that point what happens? In our experience, you will drop every one of your calls until the secondary takes over. Again, in this case, it’s either active or it’s passive, unless you’re doing something unique with the traffic. You’re sending the data on one pipe and then, after the outage and the time it takes to switch, sending it on the other pipe. It’s still, in effect, active and passive.
SD-WAN does per-packet steering of the data. What that means is that SD-WAN constantly manages the available bandwidth that you’re paying for and then ensures that the most important applications you depend on to run your business are prioritized. So let’s take that exact same failure (i.e. Vonage, the public interwebs, two circuits). With SD-WAN, it would still drop two packets, but it won’t drop the call and the phone won’t unregister. This means your internet connection stays up and the outage is a non-event.
The other benefit is that you will fully utilize what you’re paying for. Remember that first example where Internet2’s only purpose was to be available when Internet1 goes down? With that, you’re basically paying $200, $300, $400, $1000, or maybe more for a second connection that you rarely use. But when you do have to use it, there’s likely a problem, because it takes time to flip over. Now, with SD-WAN, you can fully leverage it all the time. That’s because SD-WAN sends data across both connections based on which one will be best for that type of data. SD-WAN is using your bandwidth completely and smartly. So instead of Internet2 being used only when Internet1 is down, you’re using both Internet1 and Internet2 at the same time. This is called an active-active configuration. We see this methodology as investment protection. But it goes beyond just protecting your voice or your business data.
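To make the active-passive versus active-active difference concrete, here is an added example (not code from the original post or from any SD-WAN vendor) that simulates a 10-second voice call across Internet1 and Internet2 while Internet1 fails partway through. The 20 ms frame cadence, the 3-second failover timer, the 50 ms health-probe interval and the 2-second call timeout are assumptions chosen to be representative, not figures from the post.

```python
"""Constructed simulation of a voice stream across two WAN circuits:
classic active-passive failover versus SD-WAN style per-packet steering.
Added example; not vendor code. All timer values are assumptions."""
from dataclasses import dataclass
from typing import List, Optional

PACKET_INTERVAL_MS = 20   # assumption: one voice frame every 20 ms (G.711 cadence)
CALL_TIMEOUT_MS = 2000    # assumption: the phone gives up after 2 s without media


@dataclass
class Circuit:
    name: str
    down_from_ms: Optional[int] = None   # None = never fails
    down_until_ms: Optional[int] = None

    def is_up(self, now_ms: int) -> bool:
        if self.down_from_ms is None:
            return True
        return not (self.down_from_ms <= now_ms < self.down_until_ms)


@dataclass
class Result:
    sent: int
    lost: int
    max_gap_ms: int          # longest run with no frame delivered

    @property
    def call_dropped(self) -> bool:
        return self.max_gap_ms >= CALL_TIMEOUT_MS


def _tally(delivered: List[bool]) -> Result:
    """delivered: one boolean per frame in send order."""
    gap = max_gap = 0
    for ok in delivered:
        gap = 0 if ok else gap + PACKET_INTERVAL_MS
        max_gap = max(max_gap, gap)
    return Result(len(delivered), delivered.count(False), max_gap)


def active_passive(primary: Circuit, backup: Circuit, duration_ms: int,
                   failover_delay_ms: int) -> Result:
    """All traffic rides the primary; the firewall/VPN only moves to the backup
    after the primary has looked dead for failover_delay_ms (dead-peer
    detection / hold-down timers). Every frame sent in that window is lost."""
    delivered = []
    outage_seen_at = None
    on_backup = False
    for now in range(0, duration_ms, PACKET_INTERVAL_MS):
        if not on_backup:
            if primary.is_up(now):
                outage_seen_at = None
                delivered.append(True)
                continue
            if outage_seen_at is None:
                outage_seen_at = now
            if now - outage_seen_at < failover_delay_ms:
                delivered.append(False)      # still waiting for the timer
                continue
            on_backup = True
        delivered.append(backup.is_up(now))
    return _tally(delivered)


def per_packet_steering(circuits: List[Circuit], duration_ms: int,
                        probe_interval_ms: int) -> Result:
    """Each frame goes to the first circuit whose most recent health probe was
    good. Loss is bounded by one probe interval, not by a failover timer."""
    delivered = []
    for now in range(0, duration_ms, PACKET_INTERVAL_MS):
        last_probe = (now // probe_interval_ms) * probe_interval_ms
        healthy = [c for c in circuits if c.is_up(last_probe)]
        chosen = healthy[0] if healthy else circuits[0]
        delivered.append(chosen.is_up(now))
    return _tally(delivered)


def compare() -> dict:
    """Constructed scenario: Internet1 fails 1.01 s into a 10 s call and
    recovers at 5 s; Internet2 stays up throughout."""
    internet1 = Circuit("Internet1", down_from_ms=1010, down_until_ms=5000)
    internet2 = Circuit("Internet2")
    return {
        "active_passive": active_passive(internet1, internet2, 10_000,
                                         failover_delay_ms=3000),
        "per_packet_steering": per_packet_steering([internet1, internet2],
                                                   10_000, probe_interval_ms=50),
    }


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:20s} sent={r.sent} lost={r.lost} "
              f"max_gap={r.max_gap_ms}ms call_dropped={r.call_dropped}")
```

Run it and the active-passive policy loses 150 frames in a row (3 seconds of silence, long enough for the phone to give up), while per-packet steering loses only the two frames sent before the next probe noticed the failure, and the call survives.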
We wanted to dive deeper into the SD-WAN methodology, because it’s not just about protecting your voice or business data. Here are four findings that we uncovered that really make the case for SD-WAN.
A common security perception is: if I have a private line, the carriers are compliant, so I’m safe. That’s not entirely true. Yes, the data is passing safely for the most part. But there is a place where your data is unencrypted on these carriers’ networks, regardless of how they’ve been segmented. With SD-WAN, all the tunnels are end-to-end encrypted. This is true when running over your own MPLS, over the internet, or some combination thereof. Further, you’re getting end-to-end encryption using IKEv2 which, to clarify, is the newer revision of the IPsec key-exchange protocol: it negotiates the keys and sets up the encrypted tunnel on the circuit itself (which is not something you’d get from the carriers).
Heads up… this subsection is pretty technical. You might fall asleep. If you’d rather, jump over to #2.
MPLS has been popular because of the “perceived” privacy you get from it. To a large extent it is private. However, when it hits the carrier’s equipment (e.g. the leveraged boxes in the basement of your building and whatnot), building maintenance does have access to that router. What that means is that the comfort of security diminishes quickly should those folks be malicious enough to find a way to tap that line. The difference is that SD-WAN does provide end-to-end encryption from device to device. That’s a higher level of security than MPLS alone can offer.
An oversight that many folks step into is the assumed trust in carriers. We trust the carriers when logos or promotional materials are stamped with PCI compliance and the lot. SD-WAN places the keys in your hands and gives you complete control over the traffic from device to device within your facility, regardless of carrier. This is why it’s so important to trust but verify. Imagine you are working with the Department of Homeland Security and, as part of your gig, you needed to get onto their MPLS. They’ll get you onto their MPLS but will then make you run an IPsec tunnel over the top of that encrypted data, even though it’s on their MPLS running on Verizon. When you’re talking about a device that you control on both sides of the connection that terminates the tunnel, at least at that point the security is within your control. Without that extra layer, you’re sending the data off premise and the first thing it hits is the carrier’s router in transit, which you don’t and can’t control. Sure, the carriers may be adding layers of security or encryption after the fact. There’s a whole bunch of things they could be doing. Simply put, you don’t know, and it’s beyond your ability to demand that they encrypt it end to end.
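The “trust but verify” point above can be turned into a check. The following is an added example, not code from the post or from any vendor: it inspects hand-built IPv4 packets as they would appear on the WAN side of your edge device and flags anything that is not inside the IPsec tunnel (ESP, or IKE/NAT-T on UDP 500 and 4500). The addresses and payloads are constructed; real use would feed it packets read from a capture of the WAN interface, and IPv6 is deliberately left out.

```python
"""Constructed 'trust but verify' check: everything leaving the premise on the
WAN side should be IPsec (ESP, or IKE / NAT-T on UDP 500 and 4500), not traffic
the carrier's router can read. Added example; not vendor code. Packets are
hand-built IPv4 frames without checksums; IPv6 is reported as 'other'."""
import struct
from typing import Dict, List, Tuple

PROTO_TCP, PROTO_UDP, PROTO_ESP = 6, 17, 50
IPSEC_UDP_PORTS = {500, 4500}   # IKE, and NAT-T (IKE plus UDP-encapsulated ESP)


def _ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header in front of payload (constructed test data)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0, _ip_bytes(src), _ip_bytes(dst))
    return header + payload


def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def tcp_stub(sport: int, dport: int) -> bytes:
    """Just enough of a TCP header to carry the port fields (constructed)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 0, 0, 0)


def classify(pkt: bytes) -> str:
    """'esp', 'ipsec_udp', 'outside_tunnel', or 'other' (not IPv4)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "other"
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if proto == PROTO_ESP:
        return "esp"
    if proto == PROTO_UDP and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if sport in IPSEC_UDP_PORTS or dport in IPSEC_UDP_PORTS:
            return "ipsec_udp"
    return "outside_tunnel"


def audit(packets: List[bytes]) -> Tuple[Dict[str, int], List[Tuple[str, str, int]]]:
    """Count each class and list (src, dst, proto) for every packet the tunnel
    did not protect, so a leak can be traced back to a device or a policy."""
    counts = {"esp": 0, "ipsec_udp": 0, "outside_tunnel": 0, "other": 0}
    leaks = []
    for pkt in packets:
        kind = classify(pkt)
        counts[kind] += 1
        if kind == "outside_tunnel":
            src = ".".join(str(b) for b in pkt[12:16])
            dst = ".".join(str(b) for b in pkt[16:20])
            leaks.append((src, dst, pkt[9]))
    return counts, leaks


def sample_capture() -> List[bytes]:
    """Constructed WAN-side capture: an ESP packet, an IKE exchange, a NAT-T
    packet, and two packets that bypassed the tunnel (SIP on UDP 5060 and
    SMB on TCP 445). Addresses are from the documentation ranges."""
    hq, branch = "198.51.100.10", "203.0.113.20"
    return [
        ipv4(PROTO_ESP, hq, branch, b"\x00\x00\x10\x01" + b"\xaa" * 32),
        ipv4(PROTO_UDP, hq, branch, udp(500, 500, b"\x00" * 28)),
        ipv4(PROTO_UDP, hq, branch, udp(4500, 4500, b"\x00" * 4 + b"\xbb" * 16)),
        ipv4(PROTO_UDP, hq, "192.0.2.55",
             udp(5060, 5060, b"INVITE sip:alice@example.invalid SIP/2.0")),
        ipv4(PROTO_TCP, "192.0.2.77", branch, tcp_stub(51000, 445)),
    ]


if __name__ == "__main__":
    totals, leaked = audit(sample_capture())
    print(totals)
    for src, dst, proto in leaked:
        print(f"outside tunnel: {src} -> {dst} proto {proto}")
```

The two flagged packets are exactly the ones a carrier, or anyone with access to the router in the basement, could read; the ESP and IKE packets expose only addresses and SPIs. Port 4500 is counted as protected because NAT-T carries both IKE and UDP-encapsulated ESP on it.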
This goes back to what was said earlier about utilizing both bandwidth sources. For example, imagine your business pays for both a 100×100 Mbps (Internet1) and a 150×25 Mbps (Internet2) internet connection. Should you opt to utilize SD-WAN, you would add the capability to use both at the same time. This would give you an effective download capacity of 250 Mbps along with an upload capacity of 125 Mbps. So right off the bat, you have more bandwidth capacity. What makes this even more compelling (or would make your admin giggle with excitement) is that you can utilize jitter buffers and forward error correction to further enhance the performance of your commodity circuits. A less technical explanation of jitter buffers and error correction is that you can tweak and tinker with your bandwidth at a very granular level to improve performance. As a further example, perhaps you have a Comcast line that happens to be of sub-par quality, with a bunch of annoying connectivity issues that cause you a lot of dropped calls, an inability to stay connected, or lagging load times. SD-WAN would actually clean that up to a certain extent by buffering and by steering the traffic immediately down a more viable circuit. Overall, though, the quality of experience is excellent. This is because the device can buffer traffic and police it, and policing is yet another capability (covered in the next finding).
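Jitter buffers and forward error correction are easiest to understand by watching them work on a handful of packets. This added example (not from the post or from any product) implements a single-parity XOR FEC scheme and a fixed-depth jitter buffer in Python; the 4-packet FEC group, the 20 ms cadence, the 60 ms buffer depth and the arrival times are constructed assumptions.

```python
"""Constructed demonstration of two circuit-conditioning tools: XOR forward
error correction (rebuild a lost packet from a parity packet) and a jitter
buffer (play packets out at a fixed cadence). Added example; not vendor code.
Group size, cadence and buffer depth are assumptions."""
from typing import Dict, List, Tuple

FEC_GROUP = 4   # assumption: one parity packet per 4 media packets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def add_fec(media: List[Tuple[int, bytes]]) -> List[Tuple[str, int, bytes]]:
    """media: (seq, payload) pairs with equal-length payloads, count divisible
    by FEC_GROUP. Returns the wire stream: the media packets plus one
    ("fec", group_id, parity) packet per group, parity = XOR of the group."""
    assert len(media) % FEC_GROUP == 0, "pad the stream to a whole group"
    wire = []
    for g in range(0, len(media), FEC_GROUP):
        parity = bytes(len(media[g][1]))
        for seq, payload in media[g:g + FEC_GROUP]:
            wire.append(("media", seq, payload))
            parity = xor_bytes(parity, payload)
        wire.append(("fec", g // FEC_GROUP, parity))
    return wire


def recover(received: List[Tuple[str, int, bytes]]) -> Dict[int, bytes]:
    """Rebuild media from whatever arrived, in any order. A group missing
    exactly one media packet is repaired by XORing the parity with the
    survivors; two losses in one group cannot be repaired by single parity."""
    media = {seq: p for kind, seq, p in received if kind == "media"}
    for kind, gid, parity in received:
        if kind != "fec":
            continue
        seqs = range(gid * FEC_GROUP, (gid + 1) * FEC_GROUP)
        missing = [s for s in seqs if s not in media]
        if len(missing) == 1:
            rebuilt = parity
            for s in seqs:
                if s != missing[0]:
                    rebuilt = xor_bytes(rebuilt, media[s])
            media[missing[0]] = rebuilt
    return media


def jitter_buffer_playout(arrivals: List[Tuple[int, int]], interval_ms: int,
                          depth_ms: int) -> Tuple[List[int], List[int]]:
    """arrivals: (arrival_ms, seq). The buffer delays playout by depth_ms and
    then plays each seq at its fixed slot, absorbing jitter up to depth_ms.
    A packet that shows up after its slot is discarded as late.
    Returns (played_seqs_in_order, late_seqs)."""
    arrival_by_seq = {seq: t for t, seq in arrivals}
    first = min(arrival_by_seq)
    base = arrival_by_seq[first]
    played, late = [], []
    for seq in sorted(arrival_by_seq):
        slot = base + depth_ms + (seq - first) * interval_ms
        (played if arrival_by_seq[seq] <= slot else late).append(seq)
    return played, late


def demo() -> Tuple[bool, List[int], List[int]]:
    """Constructed scenario: 8 voice frames; the circuit drops seq 2 and
    reorders everything; arrivals carry jitter and seq 5 is 5 ms too late."""
    original = [(i, bytes([i]) * 4) for i in range(8)]
    wire = add_fec(original)
    lossy = [p for p in wire if not (p[0] == "media" and p[1] == 2)]
    lossy.reverse()                                  # arbitrary reordering
    fec_ok = recover(lossy) == dict(original)
    # arrival times in ms: nominal cadence 20 ms, buffer depth 60 ms
    arrivals = [(0, 0), (22, 1), (41, 3), (67, 4), (165, 5), (101, 6), (135, 7)]
    played, late = jitter_buffer_playout(arrivals, interval_ms=20, depth_ms=60)
    return fec_ok, played, late


if __name__ == "__main__":
    print(demo())
```

The parity packet lets the receiver rebuild the one frame the circuit dropped; a second loss in the same group would not be recoverable with single parity, which is why real implementations size the group against the measured loss rate (and why FEC costs bandwidth: one extra packet per group here). The jitter buffer trades 60 ms of delay for a steady playout and discards the one frame that arrived after its slot.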
Quality of Service (QoS) is a feature that lets you prioritize internet traffic for your most important applications. So let’s say you have five different data types (e.g. voice, video, and cloud storage) that cross your network, one of which is critical and four of which are not. For example, let’s say the two most important data types for you are voice and VDI. Without SD-WAN, it’s harder to police. SD-WAN gives you the ability to ensure your important business applications are prioritized versus Ned in Accounting hogging your bandwidth because he’s catching up on the latest season of Game of Thrones. In order to protect yourself from the Neds of the world, SD-WAN allows you to guarantee bandwidth by application. Further, imagine that everyone in the office decided to download an iPhone update at the same time. In this case, you’re able to mitigate that, because at worst they aren’t going to take up more than x% of your bandwidth. So, because of the policies put in place, only those folks trying to update their phones would suffer, not your business.
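The “guarantee bandwidth by application” and “at worst x% of your bandwidth” behaviour can be modelled as a small scheduler. This is an added example, not code from the post or from any SD-WAN product: the 100 Mbps link, the class names and the guarantee/cap percentages are assumptions, chosen so that voice and VDI keep a guaranteed share and phone updates are capped at 10% of the link no matter how many people start one at once.

```python
"""Constructed model of per-application bandwidth guarantees and caps.
Added example; not vendor code. Link size and policy numbers are assumptions."""
from typing import Dict, Tuple

LINK_MBPS = 100.0   # assumption: a 100 Mbps WAN circuit

# class -> (guaranteed share of link, maximum share of link); assumptions
POLICY: Dict[str, Tuple[float, float]] = {
    "voice":   (0.20, 1.00),   # always gets up to 20% when it needs it
    "vdi":     (0.30, 1.00),   # always gets up to 30%
    "updates": (0.00, 0.10),   # phone/OS updates: at worst 10% of the link
    "bulk":    (0.00, 1.00),   # everything else: whatever is left
}


def allocate(demand: Dict[str, float], link_mbps: float = LINK_MBPS,
             policy: Dict[str, Tuple[float, float]] = POLICY) -> Dict[str, float]:
    """demand: offered load per class in Mbps. Returns Mbps granted per class.
    Pass 1 satisfies each class's guarantee (bounded by its demand and cap).
    Pass 2 water-fills the leftover across classes that still want more, in
    equal shares, never pushing a class past its cap."""
    alloc = {}
    for cls, want in demand.items():
        guar, cap = policy[cls]
        alloc[cls] = min(want, guar * link_mbps, cap * link_mbps)
    remaining = link_mbps - sum(alloc.values())
    while remaining > 1e-9:
        wanting = {}
        for cls in alloc:
            ceiling = min(demand[cls], policy[cls][1] * link_mbps)
            if ceiling - alloc[cls] > 1e-9:
                wanting[cls] = ceiling - alloc[cls]
        if not wanting:
            break                    # link not saturated; nobody wants more
        share = remaining / len(wanting)
        for cls, gap in wanting.items():
            grant = min(share, gap)
            alloc[cls] += grant
            remaining -= grant
    return alloc


def everyone_updates_their_phone() -> Dict[str, float]:
    """Constructed: updates offer 80 Mbps while voice, VDI and bulk carry on."""
    return allocate({"voice": 10, "vdi": 20, "updates": 80, "bulk": 60})


def bulk_hog() -> Dict[str, float]:
    """Constructed: one bulk flow offers 90 Mbps against voice and VDI load."""
    return allocate({"voice": 15, "vdi": 40, "updates": 5, "bulk": 90})


if __name__ == "__main__":
    for name, result in (("everyone updates", everyone_updates_their_phone()),
                         ("bulk hog", bulk_hog())):
        print(name, {cls: round(mbps, 1) for cls, mbps in result.items()})
```

In the first scenario the updates class offers 80 Mbps but receives 10, and the other 90 Mbps goes to the classes doing real work; in the second, a single bulk flow offering 90 Mbps is held to 40 so that voice and VDI get every bit of what they asked for. A real device enforces this per packet with a policer or shaper on each class rather than recomputing shares, but the resulting split is the same.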
If you depend on a cloud-based application, it must be available 24/7…period. Many organizations we work with have public cloud services, and an outage could be devastating. In the case of redundant internet (even if it is firewall-based), there could be a period of time during an outage when no connection is present until the failover completes. With SD-WAN, you can leverage tools that actually let you prioritize the internet traffic to your SaaS-based applications (e.g. Vonage, Office365, Azure, AWS, all those guys).
We’d love to talk more about this. Fill out this form and we’ll be in touch!