
Page 1: In Search of the Right SD-WAN Solution · 2019-04-04 · 2 Welcome As organizations rearchitect their networks to enable SD-WAN, they need consistent security across branches, clouds,

In Search of the Right SD-WAN Solution: Cisco SD-WAN Security

January 2019

In this issue

Welcome 2
In Search of the Right SD-WAN Solution – Cisco SD-WAN Security 3
Today’s SD-WAN Paradox 4
Cisco SD-WAN Security – A Differentiated Solution 6
Research from Gartner: Technology Insight for SD-WAN 8


Welcome

As organizations rearchitect their networks to enable SD-WAN, they need consistent security across branches, clouds, and users. Meet an SD-WAN security solution that only Cisco can offer. As a leader in both SD-WAN and network security, Cisco integrates a full security stack and a highly secure SD-WAN fabric with the most flexibility, from the branch to the cloud edge.

By embedding application-aware enterprise firewall, intrusion prevention, and URL filtering capabilities directly into its SD-WAN platforms, Cisco is providing a comprehensive SD-WAN security and networking solution for the branch. And for direct connectivity to internet and cloud applications, easily deploy Cisco Umbrella, with a few simple clicks, on any SD-WAN-enabled branch router to protect connections to and from the cloud.

Cisco


In Search of the Right SD-WAN Solution – Cisco SD-WAN Security

For most enterprises, backhauling traffic to a datacenter over a private network such as MPLS was a logical choice, as most of their applications resided in a datacenter. Clouds and cloud services have redefined the application delivery model. Accessing a SaaS application such as Office 365, or deploying an in-house enterprise application on an IaaS platform such as AWS or Azure, automatically triggers an Internet-based service delivery model. Thus, branches and remote locations are leveraging the public internet more than ever for their mission-critical applications and business processes as part of this new digital journey. Backhauling all traffic to a datacenter is quickly becoming a thing of the past.

Widespread adoption of cloud services, support for more complex application-driven networking, and an increase in smart IoT devices have significantly upped the demand for easier deployment, simpler management, and faster WAN connections. More organizations have realized that their traditional WAN architecture has become an impediment to achieving successful digital transformations. This problem is even more prominent for distributed enterprises like retail shopping or financial services branches, where balancing the opposing forces of cost, performance, complexity, and agility against each other is the most significant challenge. The SD-WAN value proposition addresses all four.


SD-WAN uses a software-defined approach to dramatically reduce both CAPEX and OPEX costs, optimize application reliability and improve branch agility. Notably, SD-WAN has been touted as a cost-saving alternative to backhauling WAN traffic using MPLS; in addition, streamlining enterprise branch networking and simplifying its manageability while providing secure and robust Direct Internet Access (DIA) are also major driving factors. Through SD-WAN, enterprises now have the versatility of using public broadband to send their branch’s cloud-destined traffic directly to the cloud rather than routing it back through their datacenter.

Today’s SD-WAN Paradox

SD-WAN proves to be an attractive option for the distributed enterprise’s digital transformation strategy of moving to the cloud. However, there are several noteworthy concerns with introducing this new technology.

■ Edge Security

Direct cloud connectivity presents a greater level of exposure to malware and other internet-borne threats than tunneling traffic back through the classic hub-and-spoke network. It’s worth mentioning that, for all its strengths, SD-WAN has not as of yet offered strong WAN and cloud edge security (see Figure 1). Although different SD-WAN technology vendors offer different degrees of added security, the majority only deliver basic stateful firewalling and VPN capabilities in their appliances. There are several major security gaps in current solutions:

■ Intrusion Prevention: A VPN connection simply protects data in an end-to-end encrypted connection but has no control over unauthorized access or malicious attacks. Intrusion prevention solutions (IPS), with their intelligent malware signature and reputation detection capabilities, are able to identify and stop both known and unknown attacks.


■ Enterprise Firewalling: As threats come from the application level, branches require layer 3 through layer 7 security controls, like an enterprise firewall, that can identify unwanted content and applications and provide greater visibility and control.

■ Cloud Security: Direct connectivity to internet and cloud applications presents a greater level of exposure to malware for remote users outside of branches and campuses. Trusted access such as multi-factor authentication and an integrated, intelligent secure internet gateway offer threat protection for cloud applications and workloads.

Figure 1: WAN & Cloud Edge Security Vulnerabilities
Source: Cisco

Unauthorized access, man-in-the-middle attacks, ransomware, data loss, and distributed denial-of-service (DDoS) attacks are just a few of the security risks that require never-ending vigilance. Unless potential security woes are addressed accordingly, SD-WAN cost reduction and improved performance benefits may not outweigh its drawbacks.

■ Complex Integration and Orchestration

Inadequate native security capabilities in most SD-WAN vendor solutions force organizations to use an additional physical security device or a third-party security service for their branch connectivity. Integration of multiple solutions at a branch makes not only the deployment process complex and lengthy, but also the overall manageability difficult and costly.

Cisco SD-WAN Security – A Differentiated Solution

As a leader in both SD-WAN and network security, Cisco is introducing its end-to-end secure SD-WAN platform, which simplifies the deployment, operation and management of the entire enterprise WAN in one unified solution.

Gartner has outlined, in its recently published Technology Insight for SD-WAN document, four key attributes that every SD-WAN solution must possess. Cisco SD-WAN not only meets all of Gartner’s requirements (see Table 1), but also provides additional important and vital capabilities that most other competitor solutions lack.

Gartner definition of SD-WAN: Replacing traditional WAN routers and being agnostic to WAN transport
Cisco SD-WAN Security: Cisco SD-WAN offers integrated WAN edge routers with embedded security. This all-in-one-box solution simplifies manageability, eliminates complexity, and reduces cost. It allows branches, headquarters, remote locations, and public and private clouds to have a common way to connect and to take advantage of the public Internet as a way of transporting traffic safely and securely. It provides secure traffic flow by encrypting and segmenting traffic based on user and device groups, and by authenticating all devices on the network.

Gartner definition of SD-WAN: Allow traffic to be distributed over multiple WAN connections
Cisco SD-WAN Security: Cisco SD-WAN supports mixing and matching multiple protocols and ISPs for each branch to provide agility and continuity for faster performance. With its centralized management and enforcement dashboard, it is able to define, manage, and deploy unified and automated global, location, group, and connection-based security policies from a single pane of glass.

Gartner definition of SD-WAN: Simplify WAN management, configuration and orchestration
Cisco SD-WAN Security: Cisco SD-WAN configures and manages SD-WAN-enabled routers, including granular security solution deployment and maintenance. Cisco SD-WAN can do all this for many of the existing branch routers currently in use. It features zero-touch provisioning of any new appliance with automated cloud onRamp for SaaS and IaaS applications.

Gartner definition of SD-WAN: Support secure VPNs and integrate additional network services
Cisco SD-WAN Security: Secure site-to-site connectivity is a critical part of any SD-WAN solution, and Cisco SD-WAN Security has taken that security to an all-new level. It provides a comprehensive enterprise-grade firewall, IPS, URL filtering and simple deployment of Cisco Umbrella cloud security, all powered by Cisco Talos threat intelligence.

Table 1: Gartner requirements for an SD-WAN solution


It is important to understand how Cisco SD-WAN security is different from other vendors and how that differentiation can help your organization. Here are a number of unique benefits:

■ Full Security Stack

By embedding enterprise firewall, IPS, and URL filtering capabilities directly into its SD-WAN platforms, Cisco is providing a comprehensive SD-WAN security and networking solution for the branch. Additionally, Cisco SD-WAN is powered by Cisco Talos, the world’s largest independent security intelligence organization.

■ Transformative Cloud Security

Easily configure your SD-WAN-enabled branch routers to leverage Cisco Umbrella as your Secure Internet Gateway for direct internet access breakouts. Simply click a checkbox within the Cisco SD-WAN unified management console for easy setup, and Cisco Umbrella will protect data sent to and from the cloud. Cisco Umbrella’s statistical and machine learning models constantly learn and adapt to protect against attacks where they are being staged.

■ Simple and Automated Management

Integrating security and networking into one platform reduces complexity and eases management. Automated security policy can also be set from a global level down to the location and connection level from a single pane of glass.

As a “Leader” in the Gartner Magic Quadrant for WAN Edge Infrastructure, Enterprise Network Firewalls, and IPS, Cisco is uniquely positioned to re-invent the WAN and offer truly best-in-class SD-WAN security.

Learn more about Cisco SD-WAN Security at cisco.com/go/sdwan-security

Source: Cisco


Research from Gartner

Technology Insight for SD-WAN

SD-WAN is a mainstream technology that offers several benefits compared to traditional, router-based WANs. I&O leaders responsible for planning, sourcing and managing WANs can reduce costs and improve agility and uptime by using SD-WAN products.

Key Findings

■ The emergence of public cloud computing and SaaS has rendered traditional enterprise WAN architectures suboptimal, from a price and performance perspective.

■ Software-defined WAN (SD-WAN) is a mainstream product category that provides branch-office connectivity in a simplified and cost-effective manner, compared to traditional routers.

■ SD-WAN adoption is growing rapidly. Further, many network service providers (NSPs) and many non-NSPs now offer managed SD-WAN services.

■ More than 40 vendors are now offering and/or claiming to have SD-WAN solutions and products, causing ongoing confusion in the market.

Recommendations

I&O leaders responsible for planning, managing and sourcing the delivery of network infrastructure and network services should:

■ Refresh their branch WAN equipment by implementing SD-WAN when they’re aggressively migrating apps to the public cloud, building hybrid WANs, when equipment is at end of life, or when Managed Network Service/MPLS contracts are up for renewal.


■ Avoid overpaying for underperforming infrastructure that doesn’t meet their application performance needs by leveraging SD-WAN.

■ Follow a comprehensive SD-WAN selection process by evaluating pivoting vendors, pure-play startups, as well as established incumbents to validate vendor claims before making a final decision.

Analysis

SD-WAN products provide improved capability to handle changing network traffic patterns resulting from cloud computing and new application architectures. SD-WANs resolve some of the most pressing WAN problems when deploying and managing hybrid WANs, including:

■ The high cost of WAN connectivity, which is exacerbated by difficulty in intelligently load-sharing traffic across a mix of WAN connections

■ Complex, static and manual network configurations that are inflexible in supporting new applications, mapping to business-centric requirements and/or scaling to large deployments

■ The manually intensive process required to add new locations, lengthening deployment times

■ The inability to achieve simplified security and/or robust visibility for WAN traffic

Definition

Gartner defines an SD-WAN solution as meeting four requirements:

1. SD-WAN solutions provide a lightweight replacement for traditional WAN routers and are agnostic to WAN transport (that is, they support Multiprotocol Label Switching [MPLS], internet and 4G/LTE).

■ The branch component must have the capability to physically terminate access circuits.

■ The branch component can be either a physical appliance or software that can run on industry-standard hardware (which terminates the physical connection).

2. SD-WAN solutions allow traffic to be distributed across multiple WAN connections in an efficient and dynamic fashion, based on business and/or application policies.

■ The solution must be able to dynamically recognize and characterize applications.

■ Traffic routing decisions can be created using application-centric policies or business logic, rather than network-centric characteristics, such as Internet Protocol (IP) addresses and circuits.

■ For example, a policy can be written to route Office 365 traffic, without the requirement to specify IPs and port numbers.

■ Policies are set centrally, then automatically distributed to all relevant edge devices in the network.


3. SD-WAN solutions dramatically simplify the complexity associated with the management, configuration and orchestration of WANs.

■ Configuration parameters are application-centric and/or business-centric, and can be created/applied/changed by personnel who are not well-versed in networking technologies.

■ The solution must support zero-touch configuration for new branches, which entails on-site branch personnel having to make only physical (such as cabling) changes.

■ The level of expertise required to configure the branch is akin to what is required to set up a basic home wireless network with consumer-grade equipment.

4. SD-WAN solutions must provide secure VPNs and have the ability to integrate additional network services.

■ The solution must support service chaining of other network services and devices, such as WAN optimization controllers, firewalls, traffic redirection to secure web gateways (SWGs) and so on.

■ The branch component must support automated creation of secure VPNs with a minimum of 128-bit encryption (with future support for 256-bit encryption).

Figure 1. SD-WAN Definition
Source: Gartner (September 2018)

Description

SD-WAN solutions enable the centralized management and operation of WAN edge devices placed in branch offices. These products can create secure paths across multiple WAN connections and carriers, such as hybrid internet, 4G and MPLS architectures.

SD-WAN products abstract the underlying network transport/connectivity to present a business-centric or application-centric approach for configuration to the end user/administrator. In an SD-WAN implementation, traditional device-based command line interface (CLI) configurations can (and should) be replaced by centralized, application-centric policies and orchestration. This enables organizations to centrally configure and manage WAN traffic based on business-related policies, while providing increased visibility.

Benefits and Uses

The benefits of an SD-WAN approach are substantial compared to traditional approaches, including simplified management and operation, reduced costs, and increased visibility and security. SD-WAN is specific to enterprise WANs and applies to branches of all sizes, geographies and vertical markets.

Agility via Improved Management

Due to simplified operation, orchestration and zero-touch configuration, Gartner anticipates 50% to 90% improvement in the time it takes enterprises (or relevant third parties) to provision network changes at branches, which can improve branch turn-up times. This is in line with what early adopters have experienced after implementation.[1]

Cost Reduction

Compared to traditional WANs, SD-WANs can lead to substantial savings, via:

■ Reduced capital acquisition costs for hardware, software and support of remote location WAN equipment. Based on proposals Gartner has reviewed across multiple vendors, the five-year hardware/software/support costs of SD-WAN are up to 40% less than traditional routers.[1]

■ Reduced operational expenditures for personnel to provision, manage and troubleshoot their WAN equipment. Based on client interactions from early SD-WAN adopters, as stated above, organizations have cited they spend 50% to 90% less time configuring branch equipment versus traditional routers. This has a direct cost reduction in managing the network.[1]

■ Savings in NSP expenses due to better utilization of WAN connections, as SD-WAN dramatically improves load sharing across multiple ports (versus active/passive backup configurations). This can delay the need to add incremental carrier bandwidth or allow for greater use of lower-cost internet connectivity. A next level of savings can be realized by leveraging SD-WAN to route traffic such that only high-QoS traffic is delivered over the more expensive link (for example, MPLS) and less critical traffic can be delivered over the less expensive link (for example, broadband internet). Note: Savings here will vary dramatically depending on transport type and geography.[2]

Improved Branch Availability

SD-WAN improves overall availability for a given enterprise branch for several reasons, including:

■ Simplified failover — Traditional routers are limited in the granularity of failover policy, due to the complexity of developing and testing the necessary configurations relating to different failure modes. SD-WAN solutions dynamically assign traffic to links based on application-centric policies, versus only IP addresses and circuits. As a result, SD-WAN products can detect more failover scenarios than traditional routers. Thus, they can more easily accommodate additional links, such as multiple broadband links or cellular connections.

■ Faster failover or reallocation of traffic — Many SD-WAN solutions dynamically measure link performance and will allocate performance-sensitive traffic to the best link. This leads to faster failure and congestion detection compared with what traditional IP-based routing protocols support. Further, some vendors have duplication technology that sends mission-critical traffic down multiple paths simultaneously, which can lead to rerouted voice calls being unnoticeable during an unplanned outage.

■ Better visibility — Most SD-WAN solutions provide improved analytics and troubleshooting functionality, which can improve mean time to repair (MTTR) metrics and lead to more proactive network operations.

■ Less-brittle configurations — SD-WAN solutions include a high degree of automation and orchestration, reducing manual configuration compared to traditional routers by 90% or more. Gartner clients report that manual configuration error is a leading cause of network outages.
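As an added illustration (not code from the newsletter, Cisco or Gartner), the following Python model shows the behaviour described in Gartner's definition (requirement 2: per-application path selection by business policy and measured link health rather than by IP addresses and circuits) and in the "faster failover" bullet above; it also applies requirement 4's 128-bit VPN minimum as a hard filter. Link names, thresholds and probe values are constructed sample data.

```python
"""Application-centric WAN path selection with SLA-driven failover.

Added illustration of the Gartner SD-WAN definition above: traffic is
steered per application by business policy and measured link health
(latency, loss, jitter), never by IP address or circuit, and a path is
usable only over a tunnel meeting the 128-bit key floor.
All link measurements, thresholds and names are constructed sample data.
"""
from dataclasses import dataclass, replace
from typing import Optional

MIN_TUNNEL_KEY_BITS = 128  # Gartner's minimum for the branch VPN


@dataclass(frozen=True)
class Link:
    name: str
    transport: str         # "mpls", "broadband" or "lte"
    latency_ms: float      # latest probe results for this path
    loss_pct: float
    jitter_ms: float
    cost_rank: int         # 1 = cheapest transport
    tunnel_key_bits: int   # negotiated IPsec key length; 0 = tunnel down


@dataclass(frozen=True)
class AppPolicy:
    app: str
    max_latency_ms: float
    max_loss_pct: float
    max_jitter_ms: float
    preferred: tuple       # transport preference order, best first


@dataclass(frozen=True)
class Decision:
    link: Optional[Link]
    reason: str            # "sla-met", "degraded-fallback" or "no-secure-path"


def tunnel_ok(link: Link) -> bool:
    """Only an established tunnel at or above the key floor may carry traffic."""
    return link.tunnel_key_bits >= MIN_TUNNEL_KEY_BITS


def meets_sla(link: Link, policy: AppPolicy) -> bool:
    """True when the latest probe results satisfy the application's thresholds."""
    return (link.latency_ms <= policy.max_latency_ms
            and link.loss_pct <= policy.max_loss_pct
            and link.jitter_ms <= policy.max_jitter_ms)


def select_path(policy: AppPolicy, links) -> Decision:
    """Choose the link for one application class.

    1. Drop links whose tunnel is down or negotiated too weak a key.
    2. Among links meeting the SLA, honour the transport preference and
       break ties by cost (cheapest first).
    3. If nothing meets the SLA, fail over to the healthiest secure link
       (lowest loss, then latency) instead of blackholing the traffic.
    """
    secure = [l for l in links if tunnel_ok(l)]
    if not secure:
        return Decision(None, "no-secure-path")

    def pref_rank(link: Link) -> int:
        if link.transport in policy.preferred:
            return policy.preferred.index(link.transport)
        return len(policy.preferred)  # transports not listed come last

    healthy = [l for l in secure if meets_sla(l, policy)]
    if healthy:
        best = min(healthy, key=lambda l: (pref_rank(l), l.cost_rank))
        return Decision(best, "sla-met")
    best = min(secure, key=lambda l: (l.loss_pct, l.latency_ms))
    return Decision(best, "degraded-fallback")


def degraded(link: Link, **changes) -> Link:
    """Copy of a link with new probe results, to simulate an outage or brownout."""
    return replace(link, **changes)


# Constructed sample branch: MPLS, broadband and LTE tunnels, plus a legacy
# tunnel that negotiated a 56-bit key and must never carry traffic.
LINKS = [
    Link("mpls1", "mpls", 30.0, 0.0, 2.0, cost_rank=3, tunnel_key_bits=256),
    Link("bb1", "broadband", 45.0, 0.5, 8.0, cost_rank=1, tunnel_key_bits=256),
    Link("lte1", "lte", 90.0, 2.0, 30.0, cost_rank=2, tunnel_key_bits=128),
    Link("legacy", "broadband", 20.0, 0.0, 1.0, cost_rank=1, tunnel_key_bits=56),
]

# Voice needs a tight SLA and prefers MPLS; Office 365 goes out the direct
# internet access link first. Neither policy mentions an IP or a port.
VOICE = AppPolicy("voice", 150.0, 1.0, 10.0, preferred=("mpls", "broadband", "lte"))
O365 = AppPolicy("office365", 250.0, 3.0, 50.0, preferred=("broadband", "lte", "mpls"))


if __name__ == "__main__":
    for policy in (VOICE, O365):
        d = select_path(policy, LINKS)
        print(f"{policy.app}: {d.link.name if d.link else '-'} ({d.reason})")
    lossy = [degraded(l, loss_pct=5.0) if l.name == "bb1" else l for l in LINKS]
    d = select_path(O365, lossy)
    print(f"office365 with lossy broadband: {d.link.name} ({d.reason})")
```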

SD-WAN Uses

SD-WAN provides the greatest benefit for organizations that exhibit any of the following characteristics:

■ Aggressively moving applications to the public cloud, such as Office 365 and Google G Suite

■ Moving toward a hybrid WAN topology by deploying internet access directly from branch locations

■ Seeking to reduce traditional business-class carrier service budgets

■ Wanting to reduce management complexity of its WAN

■ Having a large number (more than 25) of remote branches

■ Aggressively deploying video or other high-bandwidth, real-time applications to branch office locations

■ Maintaining limited or no IT personnel on-site in remote branches

Additionally, see Figure 2 for a 2017 survey of SD-WAN drivers from an enterprise perspective.

SD-WAN Consumption Models

In North America, most large enterprises manage their own WAN equipment and typically select their WAN edge vendor themselves.[3] However, in the rest of the world, most organizations rely on service providers for management of WAN equipment. Thus, in these geographies, SD-WAN solutions will typically be embedded in their carrier’s managed service offering.[3]

Figure 2. Where SD-WAN Makes Sense
Source: Gartner (September 2018)


Adoption Rate

As of June 2018, we estimate there are over 6,000 paying SD-WAN customers, with more than 80% of those in production, including more than 200,000 total branches. North American-based retail and financial service organizations have been the most aggressive early adopters of the technology. We estimate spending on SD-WAN technology will grow at a 30.2% compound annual growth rate (CAGR) through 2022 (see Figure 3).

Figure 3. Enterprise Network Equipment Forecast
Source: Gartner (September 2018)

Risks

Though SD-WAN is a mainstream technology, there are still risks to consider. While some top vendors have enjoyed meaningful successes (e.g., Cisco’s Viptela, VMware’s VeloCloud, and SilverPeak), we have identified over 40 vendors in this market. Among those 40 vendors, many overhype their capabilities with confusing marketing language and claims. Beyond that, there are differences in features depending on various enterprise use cases. Lastly, there are risks of vendor lock-in with limited intervendor integrations.

Market Confusion

Vendors still make bold claims and are using confusing marketing language to describe their features, such as supporting QoS or implementing zero-touch provisioning. Organizations should carefully determine what value the features deliver, rather than merely assuming from the name what the function does. To address this risk, enterprises should conduct pilot testing in as real a scenario as possible, with defined success criteria, to ensure that the vendor can meet the desired needs. Discuss in depth how the potential vendors will address your needs and test those exact use cases. For example, if testing QoS, measure application performance before and after the vendor solution is utilized. Also, validate how flexible and dynamic the solution is in handling traffic spikes and changes in traffic mix. If zero-touch provisioning is important, measure how long it takes to complete the task and validate the skill level of the person required to operate it.

Market Fragmentation

The numerous competitors in this market result in confusion in determining the right solution for a specific enterprise use case. There are vendors of all sizes, geographical coverage, feature focus (for example, application performance, security and ease of use) and business models (vendor, service provider or a hybrid). Enterprises should start with evaluating existing incumbent vendors. After that, evaluate vendors based on your specific use case (for example, security or WAN optimization). To ensure as complete a process as possible, organizations should ensure that they evaluate pivoting vendors, pure-play startup vendors and established incumbent vendors. Organizations should request references of similar size/complexity/vertical, and confirm appropriate levels of sales and support resources. Also, consider utilizing managed SD-WAN services through a network service provider (NSP) or managed network service (MNS) provider, in which case the provider becomes the vendor of record.

Feature Limitations

Traditional WAN designs often incorporate “heavier” customer premises equipment (CPE) with the capability to run additional network functions, such as:

■ WAN optimization

■ Voice services

■ Security (firewall, intrusion prevention/detection system [IPS/IDS] and SWG)

■ x86 compute, which can be used to further run additional network or application functions

■ WAN interface termination (such as T1/E1, xDSL and 4G/LTE)


Some SD-WAN vendors incorporate additional networking functions, such as WAN optimization or security, but the availability of such additional capabilities varies greatly between vendors. Organizations that have consolidated multiple network functions into their existing physical router footprint may have to offload this functionality when moving toward a lightweight SD-WAN CPE. While this provides the opportunity to migrate voice and collaboration services to the public cloud, this process could undermine the capital and operational savings of moving toward an SD-WAN.

Organizations that have consolidated voice services within the router will have particular difficulty achieving the full benefits of an SD-WAN product. However, this inability to consolidate functions is not inherent to the SD-WAN concept, and we anticipate more vendors will integrate and/or partner to deliver these services over the next two years.

Vendor Lock-In

While SD-WAN products operate using standard protocols like IP and Ethernet, most commercial SD-WAN solutions are controller-based, and there is no vendor-to-vendor controller integration in the market today. Further, many vendors use proprietary overlay tunneling protocols, which only operate with their controller. Thus, organizations will have to duplicate their policies and management functions if multiple vendor products are implemented. This increases the risk of vendor lock-in versus traditional routers, although most enterprises typically prefer a single WAN router vendor, so this is less of a major concern.

Evaluation Factors

SD-WAN is a subset of the WAN edge infrastructure market, which is covered in Gartner’s “Magic Quadrant for WAN Edge Infrastructure.”

At a casual glance, it can be very difficult to differentiate between SD-WAN solutions, as they all provide branch connectivity in a simplified and cost-effective manner. In addition, this is a fast-moving market that will continue to undergo substantial change within the next 12 months. When evaluating and selecting solutions, organizations should ask prospective SD-WAN vendors specific questions to determine which solution best meets their branch connectivity requirements. For more detailed evaluation criteria, refer to Gartner’s “Toolkit: RFP Template for SD-WAN Products and Services.” The following are high-level evaluation criteria.

Scale and Architecture

■ What is the scale (the minimum and maximum number of remote branches) supported by the solution? How many product deployments does the vendor have at relevant scale?

■ Does the solution include network-based infrastructure (points of presence) to monitor internet performance, and/or act as cloud gateways and/or act as routing hubs? If so, where and how are the points of presence hosted and connected?

■ Are full mesh and partial mesh for branch-to-branch connectivity required and/or supported?


■ How is resiliency achieved for the different components in the architecture (particularly the controller)? What happens if the controller fails or is unreachable?

■ How is direct internet access supported? Is there an embedded firewall, or does the solution offer or integrate with on-premises and/or cloud-based security services?

■ Does the branch component contain built-in L4 to L7 network services, including WAN optimization, SWG, firewall, intrusion detection/prevention systems (IDSs/IPSs) and data loss prevention (DLP), and/or offer integration with devices and services that perform these functions?

Management and Orchestration

■ How is the management capability delivered: on-premises and/or as a cloud-managed (SaaS) offering? If SaaS, where and how are the platforms hosted?

■ Can the solution support multiple criteria for path selection, including business priority, latency, packet loss, jitter and so on?

■ Does the solution have a northbound API that allows programmatic control of the network from other systems? How many and which features are exposed via API?

■ What type of application, network and security analytics are offered? Are there application volume, uptime and performance metrics? Are there link quality and uptime metrics?

Form Factors and Deployment

■ Can the branch component be delivered via

physical appliance and/or software (virtual

machine [VM] or container)?

■ Is the vendors’ software available in leading public

cloud provider catalogs, such as Amazon Web

Services (AWS) and Microsoft Azure?

■ Can the branch component support legacy WAN

transmission interfaces, including T1, E1, DS3

and other WAN access types, such as cellular

connections, or is it limited to Ethernet interfaces?

■ What is the maximum capacity of the physical

and/or virtual devices?

■ Does the branch component support embedded

Wi-Fi?

■ Is the platform x86-based, and can it support

third-party network functions?

Application Centricity

■ How many — and which — commonly used

applications and services can be natively identified

with the solution?

■ Can policies be created that are independent of

network/circuit characteristics? (For example,

voice should take the lowest latency path.)

■ How does the solution support cloud-based

applications? Does the enterprise have to create its

own gateways/hubs, or is the solution integrated

Page 18: In Search of the Right SD-WAN Solution · 2019-04-04 · 2 Welcome As organizations rearchitect their networks to enable SD-WAN, they need consistent security across branches, clouds,

18

into cloud services (both infrastructure as a

service [IaaS] and SaaS)?

■ Are custom applications supported? If so, how are

they defined?

■ How are latency-sensitive (that is, real-time)

applications prioritized over non-real-time

applications?

Price

■ What are the three- and five-year total installation/hardware/software/licensing/service/support expenses?

■ Can the solution be delivered via a capital expenditure (capex) and/or a pure operating expenditure (opex) pricing model, or a hybrid of these?

■ How is the software priced when included with vendor-provided hardware versus when sold as a VNF (without hardware)?

Visibility and Security

■ What level of visibility and reporting for application availability and performance is supported?

■ Is there an analytics engine with a global view of the network that the system can report and act upon in real time?

■ What security mechanisms exist to ensure unauthorized devices are not added to the WAN?

■ How are logical network segmentation and multitenancy achieved?

Price/Performance

As described earlier in this report, cost reduction is a substantial benefit to SD-WAN. We’ve observed early adopters dramatically reduce their WAN equipment and operations costs (by more than half) while maintaining or improving application performance.

SD-WAN Alternatives

Traditional WAN Architectures

This approach combines fully featured, on-premises physical or virtual devices, including routers, WAN path controllers, WAN optimizers, and security products and services. This is currently the most mature approach to building and managing WANs, and is employed by most enterprises — but it is also the most expensive. Traditional WAN architectures allow (but don’t require) enterprises to select best-of-breed capabilities in each functional category. Although it is complex to deploy and manage, this complexity can be somewhat mitigated by using reference design templates and/or managed services from MNS providers or system integrators. Though this solution is proven and mature, it is less agile and flexible than an SD-WAN approach.

Network Automation and/or Orchestration Tools

These software-based tools are applied to existing WAN equipment, without the requirement to add or replace CPE. These tools are compelling for organizations that don’t want to replace existing CPE and that are:

■ Primarily struggling with network change complexity

■ Having difficulty orchestrating WAN traffic across multiple links

Enterprise-class WAN automation tools are sold by most router vendors, including Cisco and Juniper, and independent software vendors (ISVs), such as Infoblox and SolarWinds. Examples of vendors that provide advanced WAN network orchestration include Glue Networks and Anuta Networks.

Virtualized CPE Platforms

vCPE is an early technology that offers several benefits compared with traditional, appliance-based solutions. By using vCPE-based solutions, infrastructure and operations leaders responsible for network planning can improve agility and flexibility, and reduce key network expenses by 30%.

Recommendations

SD-WAN should be included in future WAN architecture discussions. Specifically, organizations should look to SD-WAN if they are:

■ Aggressively moving applications to the public cloud, such as Office 365 or Salesforce

■ Seeking to reduce the operational complexity of their existing WAN

■ Unhappy with the existing expense, performance and/or availability of their router-based WAN

■ Negotiating an NSP WAN offering, such as MPLS and/or an MNS offering

■ Refreshing WAN-edge devices, such as routers or WAN optimization controllers

■ Supporting many small to midsize branch sites

■ Embracing automation

■ Moving toward a hybrid WAN topology

■ Aggressively deploying video or other high-bandwidth, real-time applications to branch office locations

■ Maintaining limited or no IT personnel on-site in remote branches

However, SD-WAN will not be a fit for all organizations, and may not be ideal when:

■ The WAN consists of a small number of very large branches, as most SD-WAN products are optimized for locations with fewer than 200 users.

■ The WAN consists of mostly single-homed locations, as the value of dynamic path selection and application-centric routing is diminished.

■ The organization is extremely risk-averse and/or is not adopting applications in the public cloud because of the relative immaturity of the technology and/or the lack of need for dynamic path selection.

■ Many local resources are needed on the branch CPE platform, including x86 and voice, because most SD-WAN platforms are lighter-weight and perform a limited set of functions.

■ There has been a very recent router/WOC refresh, NSP/non-NSP managed service refresh, and/or lack of budget.

Representative Vendors

As stated earlier, as of July 2018, there are more than 40 vendors that provide SD-WAN capability. This includes pure-play SD-WAN startups (such as Versa and CloudGenix), acquired startups (such as VeloCloud and Viptela), pivoting WAN-optimization vendors (such as Citrix, Riverbed and Silver Peak), and established router incumbents (such as Cisco). Refer to “Market Guide for WAN Edge Infrastructure.” As a result, we expect continued market evolution over the next 12 to 18 months, including:

■ Continued merger and acquisition (M&A) in the market (beyond Viptela and VeloCloud)

■ Functional integration onto SD-WAN platforms, including WAN optimization, cloud gateways and security

■ NSPs expanding SD-WAN as a key component of their enterprise managed service offerings

■ More non-NSP companies bringing offerings to the market

■ Move toward more virtualization and vCPE for best-of-breed solutions

Evidence

1 Gartner analysts have conducted more than 2,500 interactions with current and prospective Gartner clients on the topic of WAN between 1 August 2017 and 31 July 2018.

2 The price of internet versus MPLS service varies by country, as do regulations concerning the availability and use of both services. Both relative price and the local regulatory environment factor into the country-specific ROI of SD-WANs.

3 This is based on two surveys. Gartner conducted a research circle survey from 3 October to 25 October 2016, among members of the Gartner Research Circle — a Gartner-managed panel composed of IT and business leaders. In total, 65 members participated that were involved in WAN-related discussions and/or strategic decisions for their organizations, and have more than 10 locations. Survey participants included organizations based in North America, Latin America, EMEA and Asia/Pacific. Also, polling from Gartner Data Center Conference presentations indicated that 68% of attendees manage the WAN edge with their own staff, 18% use a network service provider and 9% use a managed service provider (n = 103).

Source: Gartner Research Note G00369080, Andrew Lerner, Jonathan Forest, Neil Rickard, Ted Corbett, 14 September 2018


In Search of the Right SD-WAN Solution is published by Cisco. Editorial content supplied by Cisco is independent of Gartner analysis. All Gartner research is used with Gartner’s permission, and was originally published as part of Gartner’s syndicated research service available to all entitled Gartner clients. © 2019 Gartner, Inc. and/or its affiliates. All rights reserved. The use of Gartner research in this publication does not indicate Gartner’s endorsement of Cisco’s products and/or strategies. Reproduction or distribution of this publication in any form without Gartner’s prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner’s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see “Guiding Principles on Independence and Objectivity” on its website.

Contact us

For more information contact us at:

cisco.com/go/sdwan-security

cisco.com/go/sdwan