SD-WAN is all the rage these days. Everyone from firewall, router, and WAN optimization vendors (and, of course, actual SD-WAN providers) is touting an “SD-WAN solution”. Why? Because it can really be a game changer for companies like yours.
This guide can help you determine if you’re a good fit for SD-WAN. We’ll help you learn how to evaluate the solutions that are out there to decide which is the best solution for your organization.
First things first: Is SD-WAN right for your organization?
Before we dive into the evaluation criteria, let’s start with determining if you are a fit for all that SD-WAN offers. Consider the following:
- Does your company have multiple sites?
- Do you have a data center from which you deliver services to your users?
- Are you using Office365 or G-Suite for a collaboration platform?
- Does your organization use VoIP/Conferencing solutions like Zoom or Vonage?
- Does your company have an MPLS or site-to-site VPN solution?
- Is network reliability mission critical to your business?
- Are you backhauling network traffic to a central hub for all internet access?
If you answered yes to any of the above, there’s a good chance you’ll benefit from SD-WAN. So, hey – there might be something to this SD-WAN stuff. Let’s figure out how to evaluate it.
There’s a ton of noise out there about what SD-WAN solution is the best, so don’t be wowed by all the gizmos and gadgets. It all boils down to five critical elements that will make or break your solution.
SD-WAN will reduce your costs and/or optimize your spend
In the past, you had to get Multiprotocol Label Switching (MPLS) in order to deliver a highly reliable wide area network for mission critical applications. Since you were leasing a guaranteed piece of the carrier’s network, they were able to provide a high level of performance and reliability. Sounds great, right?
Well, yes. But it was also pretty expensive. In addition, you were forced to lock into a 3- or 5-year contract in an attempt to keep costs as manageable as possible.
And the “cons” didn’t stop there. If you needed to add more bandwidth or another site, you had to wait a long time and pay substantially more. And then you still only had one reliable circuit.
Along the way, firewall vendors saw an opportunity to help IT departments struggling with the enormous costs and offered the allure of building site-to-site VPN tunnels on commodity circuits. This WAN on the cheap was far less reliable and much less expensive. However, the costs popped up in many other areas like unused circuits, lower worker productivity, complex management and additional personnel.
So how does SD-WAN help with costs?
Simply put, SD-WAN delivers a solution that is as reliable as MPLS over commodity internet circuits. Yes, you read that right. Start with two circuits, one of generally good quality (cable or Ethernet based) and another that’s somewhat less reliable (LTE, Satellite, DSL, etc.). Add advanced features like forward error correction or packet duplication that a modern SD-WAN solution provides. The result? A bulletproof infrastructure that enables mission critical applications coupled with a spend that is at or over 50% less than if you tried to do the same with MPLS.
The bottom line is, when it comes to cost, SD-WAN:
- Reduces your costs either by function consolidation or via the use of cheaper circuits.
- Allows you to fully leverage your spend if you are using a “backup” circuit.
- Does not require extra specialized personnel to manage and support.
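To make the “two commodity circuits plus packet duplication” idea concrete, here is a small simulation, added as an illustration and not taken from any SD-WAN vendor’s code. It assumes two circuits that drop packets independently at a fixed rate (constructed values of 2% and 15%) and a receiver that delivers the first copy of each sequence number and discards the late twin; forward error correction is not modelled.

```python
import random
from collections import deque


class Deduplicator:
    """Receiver side of packet duplication: deliver the first copy of each
    sequence number and drop the late twin. A bounded window of recently seen
    sequence numbers keeps memory flat on a long-running circuit pair."""

    def __init__(self, window=1024):
        self.window = window
        self._seen = set()
        self._order = deque()

    def accept(self, seq):
        """Return True if this copy should be delivered, False if it is a duplicate."""
        if seq in self._seen:
            return False
        self._seen.add(seq)
        self._order.append(seq)
        if len(self._order) > self.window:
            # Forget the oldest sequence number so the window stays bounded.
            self._seen.discard(self._order.popleft())
        return True


def simulate(n_packets, loss_a, loss_b, seed=7):
    """Send every packet over both circuits A and B, each dropping packets
    independently with the given probability, and dedup at the receiver.
    Returns the observed loss rate of each circuit alone and of the pair."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    dedup = Deduplicator()
    lost_a = lost_b = delivered = 0
    for seq in range(n_packets):
        arrived_a = rng.random() >= loss_a
        arrived_b = rng.random() >= loss_b
        if not arrived_a:
            lost_a += 1
        if not arrived_b:
            lost_b += 1
        # Any surviving copy goes through dedup; at most one copy per
        # sequence number reaches the application.
        for arrived in (arrived_a, arrived_b):
            if arrived and dedup.accept(seq):
                delivered += 1
    return {
        "loss_a": lost_a / n_packets,
        "loss_b": lost_b / n_packets,
        "loss_combined": 1 - delivered / n_packets,
    }


if __name__ == "__main__":
    # Constructed scenario: a decent cable circuit (2% loss) paired with a
    # flaky LTE circuit (15% loss). A packet is lost only if both copies drop.
    stats = simulate(20000, loss_a=0.02, loss_b=0.15)
    for name, value in stats.items():
        print(f"{name}: {value:.3%}")
```

The combined loss lands near the product of the two individual rates (about 0.3% here), which is why a weak backup circuit still pays for itself when both circuits carry every packet. The price is doubled WAN bandwidth for the duplicated class of traffic, so real deployments usually enable duplication only for small, latency-sensitive flows such as voice.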
If your SD-WAN solution isn’t easy, it probably won’t work.
Have you ever seen the acronym “KISS”, which means “Keep it simple, silly?” (Some people use another word besides “silly”, but I won’t do that here.) This is very important when it comes to your network. If you have the all too common sprawl of network devices and vendors, chances are you don’t have the time, training or staff to maximize the capabilities each provides you. In addition, you probably have multiple vendors that need to stay engaged to help you and your team manage the environment.
There are certainly times where good network design dictates some level of complexity like in your data centers or cloud. But your remote locations can and should be as streamlined as possible to allow for effective design, management and flow.
Complexity really revolves around the ability to design, deploy and manage the solution, so let’s tackle each briefly and see where SD-WAN can help.
Design is very critical when considering adding sites, changing circuits or modifying enterprise routing functionality. If the solution you’re looking at implementing doesn’t handle these changes gracefully, then chances are you’re going to need to spend more time and resources than necessary to keep your solution running.
A modern SD-WAN approach should make most of these changes simple and seamless. No major redesign or all-nighter outage windows.
Adding sites is a good example. If you have ever had to provision MPLS in an out-of-market area, then you know all the intricacies involved – local loops, LOAs, circuit handoffs, etc. And heaven forbid there is a problem with the circuit. Then, as a kicker, it takes 45-90 business days to get up and running.
Oh, and lest we fail to mention, once the circuit is ready to turn up you have to get out there and turn up the solution. Which means spending more time and money to make it happen.
This is just one example. Site-to-site VPNs with failover or WAN aggregation bring their own set of issues, especially as you scale beyond five sites.
SD-WAN should eliminate these issues if you choose the right solution. Features like edge consolidation, zero touch provisioning and orchestration make getting SD-WAN deployed quick and effective.
If you’ve ever had to sit in a sales meeting about a WAN solution, whether MPLS or VPN/WAN Agg or SD-WAN, you’ve seen the beautiful graphs and pie charts that make the management of the solution seem so elegant and easy.
Truth is, while the graphs are pretty, very few solutions have a single pane of glass for management, optimization, troubleshooting and security. However, a secure SD-WAN solution that allows you to see all of the above in a single place is a win. Add in a solution that will host the management plane for you and that makes it an even bigger win!
The bottom line is, when it comes to complexity, look for an SD-WAN solution that:
- Makes all management functionality available in a single place.
- Fits into your network easily and can scale.
- Simplifies your networks and design.
Don’t compromise here. This is the goal of your network, right?
It is always shocking to see how many false promises are sold when it comes to networking. You’ll hear details being glossed over, you’ll sign the contract, and then BAM! The first outage has you questioning what you signed up for.
Let’s assume at this point you want to lower your costs and reduce the complexity of your WAN architecture. How do you test the reliability of your SD-WAN options?
Simple. Ask them to do a Proof of Concept (PoC).
Don’t take chances here. Develop real-world scenarios that regularly happen, or are likely to happen, in your environment and make them part of the testing success criteria. If you take the time for this, a few things will happen:
- Working side by side with the partner on the PoC design will tell you a lot about how the deployment and support after the fact will go.
- You will see which solution can be deployed quickly into your environment. There are many solutions out there that are so complex they can’t do a PoC because of the amount of time it will take to get you going.
- You will be able to witness whether a solution can truly solve the issues you are looking to address with your current design.
- You’ll gain hands-on experience for the entire team. Few things are more valuable than trying it to see if everything you believe about the solution holds up.
Beyond just the specific use cases you come up with for the success criteria, a good WAN solution should hit some general points of performance:
- Traffic engineering – You should be able to tune the Quality of Service (QoS) on a per application basis. That includes layer 7 and not just layers 3 and 4.
- Secure hybrid connectivity – On-premises and cloud systems should be able to be accounted for in the most flexible and secure way possible.
- Brownout conditions – What happens if the circuit doesn’t go all the way down? Many solutions will stumble here. Make sure the WAN solution is capable of fixing or redirecting traffic in a brownout situation.
The bottom line is, when it comes to reliability, all SD-WAN solutions will claim to be reliable. It’s up to you to determine if their version of reliability truly meets your needs.
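The brownout point is the one most worth testing in a PoC, so here is an added example of what “fixing or redirecting traffic in a brownout” looks like in logic form. It is illustrative code written for this guide, not any vendor’s implementation, and every threshold, circuit name and probe value in it is constructed. It contrasts a link-state-only policy (stay on the cable circuit until it is hard down) with quality-aware steering that watches loss, latency and jitter and moves the voice class once a circuit has breached its limits for three consecutive probe intervals.

```python
from dataclasses import dataclass


@dataclass
class Sample:
    """One probe interval on one circuit: loss fraction, latency and jitter in
    ms, and whether the link layer still reports the circuit as up."""
    path: str
    loss: float
    latency_ms: float
    jitter_ms: float
    link_up: bool = True


# Assumed per-class quality limits (constructed, not vendor defaults).
THRESHOLDS = {
    "voice": {"loss": 0.02, "latency_ms": 150, "jitter_ms": 30},
    "bulk": {"loss": 0.10, "latency_ms": 400, "jitter_ms": 100},
}


class PathMonitor:
    """Declares a path degraded only after `strikes` consecutive breaches and
    recovers it only after the same number of clean intervals, so one bad
    probe does not flap traffic. A hard-down link is degraded immediately."""

    def __init__(self, strikes=3):
        self.strikes = strikes
        self._bad, self._good, self.degraded = {}, {}, {}

    def update(self, sample, limits):
        p = sample.path
        if not sample.link_up:  # blackout: no need to wait for strikes
            self._bad[p], self._good[p], self.degraded[p] = self.strikes, 0, True
            return True
        breach = (sample.loss > limits["loss"]
                  or sample.latency_ms > limits["latency_ms"]
                  or sample.jitter_ms > limits["jitter_ms"])
        if breach:
            self._bad[p] = self._bad.get(p, 0) + 1
            self._good[p] = 0
        else:
            self._good[p] = self._good.get(p, 0) + 1
            self._bad[p] = 0
        if self._bad[p] >= self.strikes:
            self.degraded[p] = True
        elif self._good[p] >= self.strikes:
            self.degraded[p] = False
        return self.degraded.get(p, False)


def choose_path(monitor, preferred, samples):
    """Keep the preferred circuit while healthy; otherwise steer to the
    healthiest alternative (lowest loss, then latency). If every path is
    degraded, still pick the least-bad one rather than blackholing traffic."""
    if samples[preferred].link_up and not monitor.degraded.get(preferred, False):
        return preferred
    candidates = [s for s in samples.values()
                  if s.link_up and not monitor.degraded.get(s.path, False)]
    if not candidates:
        candidates = [s for s in samples.values() if s.link_up] or list(samples.values())
    return min(candidates, key=lambda s: (s.loss, s.latency_ms)).path


def run_scenario(strikes=3):
    """Constructed 8-interval trace: the cable circuit stays 'up' but starts
    dropping 8% of packets at interval 4 (a brownout); LTE is slower but
    clean. Returns the per-interval choice for the voice class under a
    link-state-only policy and under quality-aware steering."""
    trace = []
    for i in range(1, 9):
        cable_loss = 0.001 if i < 4 else 0.08
        trace.append({
            "cable": Sample("cable", cable_loss, 20.0, 5.0),
            "lte": Sample("lte", 0.01, 60.0, 15.0),
        })
    monitor = PathMonitor(strikes)
    link_state_only, quality_aware = [], []
    for interval in trace:
        for sample in interval.values():
            monitor.update(sample, THRESHOLDS["voice"])
        link_state_only.append("cable" if interval["cable"].link_up else "lte")
        quality_aware.append(choose_path(monitor, "cable", interval))
    return link_state_only, quality_aware


if __name__ == "__main__":
    naive, steered = run_scenario()
    print("link-state only:", naive)
    print("quality-aware:  ", steered)
```

In the trace, the link-state policy never leaves the cable circuit because the circuit never goes down, so voice users eat 8% loss for the rest of the run; the quality-aware policy moves them to LTE at interval 6, after three consecutive breaches. When you write your PoC success criteria, a test that degrades a circuit without dropping it (a rate limiter or impairment tool between the edge and the modem works) is what separates solutions that handle brownouts from those that only handle outages.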
You can’t optimize what you can’t see.
We have touched a little on this aspect already, but it’s very important so it gets its own section. Most VPN/WAN Aggregation or MPLS solutions provide little in the way of traffic visibility and optimization. This lack of visibility makes it difficult to troubleshoot or optimize the network in a way to meet all of your organization’s needs.
SD-WAN will solve that problem.
The secure SD-WAN solution you choose should account for visibility in three critical areas: applications, monitoring and users. Let’s look at each.
Visibility into your applications is one of the most beneficial things a good SD-WAN solution can provide you. How do we best explain this benefit? Let’s start by taking the case of optimizing Office365 access for your users. We will consider the case of optimizing at Layers 3 and 4 versus Layer 7.
Layer 3 or 4 optimization:
Application policies are controlled by ports, IPs, and hostnames. If one is added or changed you will need to go in and add it. This may work fine for a few on-premises applications but it’s not well adapted for the cloud or for most applications.
Layer 7 optimization:
Being application-aware means that once you have put in an optimization for the application, you won’t need to touch it even if the underlying ports/IPs/hostnames change. It’s basically a set and forget. It also allows for very granular optimizations. As you can see, application level visibility is key.
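To show the difference in policy terms, here is an added example (illustrative code written for this guide, not any product’s policy engine). The Layer 3/4 side keys rules on destination networks and ports that the administrator maintains; the Layer 7 side keys rules on an application name and relies on an application catalogue that the vendor refreshes. Real application identification uses deep packet inspection signatures; the catalogue here matches TLS server-name suffixes as a stand-in, and all networks, hostnames and application names are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Flow:
    dst_ip: str
    dst_port: int
    sni: str  # TLS server name; the application hint used by the toy classifier


# --- Layer 3/4 policy: an admin-maintained list of networks/ports per app ---
# Constructed rules: (destination network, destination port, QoS class)
L34_RULES = [
    (ipaddress.ip_network("203.0.113.0/24"), 443, "collab"),
    (ipaddress.ip_network("198.51.100.0/24"), 443, "collab"),
]


def classify_l34(flow, rules=L34_RULES):
    """Match on IP and port only; anything the rule list does not know falls
    into the default class, even if it is the same SaaS application."""
    ip = ipaddress.ip_address(flow.dst_ip)
    for net, port, qos in rules:
        if ip in net and flow.dst_port == port:
            return qos
    return "default"


# --- Layer 7 policy: keyed on application name ---
# The catalogue maps application fingerprints (SNI suffixes in this toy) to
# names and is refreshed centrally; the site policy never mentions an IP.
APP_CATALOGUE = {
    "collab-suite": (".collab.example", ".mail.example"),
    "video-meet": (".meet.example",),
}
L7_POLICY = {"collab-suite": "collab", "video-meet": "voice"}


def identify_app(flow, catalogue=APP_CATALOGUE):
    """Return the application name for a flow, or None if unrecognised."""
    host = flow.sni.lower().rstrip(".")
    for app, suffixes in catalogue.items():
        if any(host.endswith(suffix) for suffix in suffixes):
            return app
    return None


def classify_l7(flow, policy=L7_POLICY):
    """Look the flow's application up in the policy; the rule survives
    address changes because it names the app, not its current endpoints."""
    return policy.get(identify_app(flow), "default")


def compare(before, after):
    """Classify the same application before and after a provider moves it to
    a new address range, under both policy styles."""
    return {
        "l34_before": classify_l34(before), "l34_after": classify_l34(after),
        "l7_before": classify_l7(before), "l7_after": classify_l7(after),
    }


if __name__ == "__main__":
    before = Flow("203.0.113.10", 443, "outlook.mail.example")
    # Constructed event: the SaaS provider moves the service to a new range
    # that nobody has added to L34_RULES yet.
    after = Flow("192.0.2.77", 443, "outlook.mail.example")
    print(compare(before, after))
    print(classify_l7(Flow("192.0.2.9", 443, "eu.meet.example")))  # per-app class
```

The Layer 3/4 rule silently drops the moved service into the default class until someone notices and edits the list; the Layer 7 rule keeps classifying it as collaboration traffic. The same application-name key is what lets you attach a different QoS class to a video-meeting app than to mail without touching a single address.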
Let’s take this one step further. Since you are able to see the application, it’s simple to apply per application policing that will allow for steering and delivering a quality user experience no matter where the application lives or how you route folks to get there.
Next, let’s consider environment monitoring. Yes, visibility is critical here too. How many times have you arrived at the office in the morning only to find a ticket about a performance issue that happened last evening or night in the call center or manufacturing facility? This is where granular environment monitoring for both current and historical conditions is key. Instead of having to tell your users that you’ll need to see if you can catch it next time it happens, you can delve into the history and determine a root cause.
Your solution should be able to allow you to look at a point in time and analyze the conditions of the network to pinpoint issues and possible resolutions.
User-level visibility is another very important aspect of being able to understand and adapt to what is happening in your environment. Imagine being able to track performance issues down to the user level across your entire network. That is pretty powerful stuff. Now imagine policing on a per user/group basis. Now we’re really cooking! This becomes even more powerful when we consider security (more on that later).
The bottom line is, when it comes to visibility, SD-WAN should:
- Allow you to deliver an optimized experience per application or user.
- Make troubleshooting historic events easy and available in the management interface.
SD-WAN should up your game.
Did you know security is one of the biggest blockers to adopting SD-WAN?
That’s because most SD-WAN vendors don’t really think about security, and security players that have entered the SD-WAN space aren’t really delivering SD-WAN. What you end up with is a bunch of SD-WAN solutions that have security bolted on as an afterthought. This negatively impacts the first four items we’ve discussed: cost, visibility, complexity and reliability.
Can a secure SD-WAN really improve your security posture? Maybe. But without a doubt it should not hurt or circumvent it.
Some might ask, why would I want an integrated firewall at each location when I backhaul all my traffic to my data center? That’s a valid question, but there are a few strong drivers companies are facing: user experience, compliance and cloud adoption. Forcing all the traffic back over the WAN to a central hub can create latency, allow intermingling of traffic and significantly increase bandwidth requirements. Internet breakouts are the best way to handle this, but you must still maintain the security posture across the organization.
So, what should you look for in the way of security when it comes to SD-WAN?
Integrated Next Gen Firewall (NGFW) with UTM
An integrated NGFW with UTM capabilities allows for central policy management while providing the option for internet breakouts to optimize the user experience and offload the traffic from the WAN.
User and Application Level Granularity
Security is easier when you know what your users are doing and what apps they are using. Having this level of granularity, and ultimately control, will enhance your organization’s ability to adapt to the constantly changing threat environment.
Central Policy Management
Managing many sites is a tough task. Start throwing in local internet breakouts to optimize your users’ experience and that task gets even harder. With central policy management, your SD-WAN security will be managed from the same place that you manage the rest of the deployment. Having this will greatly enhance the overall supportability and security of the environment.
Security Event Reporting
All the protection and central management in the world won’t help if you can’t report and catch alerts for events in your environment. This is an important item to look for in your secure SD-WAN solution.
The bottom line is, when it comes to security, SD-WAN should:
- Never compromise your security posture.
- Allow you ultimate control over a constantly changing environment.
Where to go next?
Exploring SD-WAN options is a major rabbit hole. It’ll take time and resources to find the right solution, but the rewards for this investment are well worth it.
So where does all this leave you? Basically, if you feel like SD-WAN is an option you want to explore, you should do the following:
- Determine if your environment is a good fit using the questions above.
- Identify the selection criteria based on your environment, i.e. specific uses or things you want in a solution. (Do this before step #3. Once the presentations/demos start to fly it is much harder to develop these criteria.)
- Schedule time with someone who can help you navigate the SD-WAN landscape to find the solution that will meet or exceed your selection criteria.
At Ripple, our team has been implementing SD-WAN since the early 2000s. We’ve been involved with the evolution of the industry, implementing many solutions including Avaya CNA, Talari Networks, VeloCloud, Fortinet and Versa. If you are looking for a seasoned hand to help in your selection, do not hesitate to reach out. We got you!