In Search of the Right SD-WAN Solution – Cisco SD-WAN Security
January 2019
In this issue
■ Welcome
■ In Search of the Right SD-WAN Solution – Cisco SD-WAN Security
■ Today’s SD-WAN Paradox
■ Cisco SD-WAN Security – A Differentiated Solution
■ Research from Gartner: Technology Insight for SD-WAN
Welcome
As organizations rearchitect their networks to enable SD-WAN, they need consistent
security across branches, clouds, and users. Meet an SD-WAN security solution that
only Cisco can offer. As a leader in both SD-WAN and network security, Cisco integrates
a full security stack and highly secure SD-WAN fabric with the most flexibility, from the
branch to the cloud edge.
By embedding application-aware enterprise firewall, intrusion prevention, and
URL filtering capabilities directly into its SD-WAN platforms, Cisco is providing a
comprehensive SD-WAN security and networking solution for the branch. And for
direct connectivity to internet and cloud applications, easily deploy Cisco Umbrella,
with a few simple clicks, on any SD-WAN enabled branch router to protect connections
to and from the cloud.
Cisco
In Search of the Right SD-WAN Solution – Cisco SD-WAN Security
For most enterprises, backhauling traffic to a
datacenter over a private network such as MPLS was a
logical choice, as most of their applications resided in
a datacenter. Clouds and cloud services have redefined
the application delivery model. Accessing a SaaS
application such as Office 365 or deploying an in-
house enterprise application on an IaaS platform such
as AWS or Azure, automatically triggers an Internet-
based service delivery model. Thus, branches and
remote locations are leveraging public internet more
than ever for their mission critical applications and
business processes as part of this new digital journey.
Backhauling all traffic to a datacenter is quickly
becoming a thing of the past.
Widespread adoption of cloud services, support for
more complex application driven networking, and
an increase in smart IoT devices has significantly
upped the demand for easier deployment, simpler
management, and faster WAN connections. More
organizations have realized that their traditional WAN
architecture has become an impediment to achieving
successful digital transformations. This problem is
even more prominent for distributed enterprises such as
retail shopping or financial services branches, where
balancing the opposing forces of cost, performance,
complexity, and agility against each other is the most
significant challenge. The SD-WAN value proposition
addresses all four.
SD-WAN uses a software-defined approach to dramatically reduce
both CAPEX and OPEX, optimize application reliability and
improve branch agility. Notably, SD-WAN has been touted as a
cost-saving alternative to backhauling WAN traffic over MPLS;
streamlining enterprise branch networking, simplifying its
manageability, and providing secure and robust Direct Internet
Access (DIA) are also major driving factors. Through SD-WAN,
enterprises now have the versatility of using public broadband
to send their branch’s cloud-destined traffic directly to the
cloud rather than routing it back through their datacenter.
Today’s SD-WAN Paradox
SD-WAN proves to be an attractive option for the distributed
enterprises’ digital transformation strategy of moving to the cloud.
However, there are several noteworthy concerns with introducing
this new technology.
■ Edge Security
Direct cloud connectivity presents a greater level of exposure
to malware and other internet-borne threats than tunneling
traffic back through the classic hub-and-spoke network. It’s worth
mentioning that, for all its strengths, SD-WAN has not as yet
offered strong WAN and cloud edge security (see Figure 1).
Although different SD-WAN technology vendors offer different
degrees of added security, the majority only deliver basic
stateful firewalling and VPN capabilities in their appliances.
There are several major security gaps in current solutions:
■ Intrusion Prevention: A VPN connection only protects
data in transit inside an end-to-end encrypted tunnel; it
exercises no control over unauthorized access or
malicious attacks carried inside that tunnel. Intrusion
prevention systems (IPS), with their intelligent malware
signature and reputation detection capabilities, are able
to identify and stop both known and unknown attacks.
■ Enterprise Firewalling: As threats come
from the application level, branches require
layer 3 through layer 7 security controls like
enterprise firewall that can identify unwanted
content and applications and provide greater
visibility and control.
■ Cloud Security: Direct connectivity to internet
and cloud applications presents a greater
level of exposure to malware for remote users
outside of branches and campuses. Trusted
access such as multi-factor authentication
and an integrated, intelligent secure internet
gateway offer threat protection for cloud
applications and workloads.
Figure 1: WAN & Cloud Edge Security Vulnerabilities
Source: Cisco
Unauthorized access, man-in-the-middle
attacks, ransomware, data loss, and
distributed denial-of-service (DDoS) attacks
are just a few of the security risks that require
never-ending vigilance. Unless potential security
woes are addressed accordingly, SD-WAN cost
reduction and improved performance benefits
may not outweigh its drawbacks.
■ Complex Integration and Orchestration
Inadequate native security capabilities in most SD-
WAN vendor solutions force organizations to use
an additional physical security device or a third-
party security service for their branch connectivity.
Integration of multiple solutions at a branch
makes not only the deployment process complex
and lengthy, but also the overall manageability
difficult and costly.
Cisco SD-WAN Security – A Differentiated Solution
As a leader in both SD-WAN and network security,
Cisco is introducing its end-to-end secure SD-WAN
platform, which simplifies the deployment, operation
and management of the entire enterprise WAN in one
unified solution.
Gartner has outlined, in its recently published
Technology Insight for SD-WAN document, four key
attributes that every SD-WAN solution must possess.
Cisco SD-WAN not only meets all of Gartner’s
requirements (see Table 1), but also provides additional
important and vital capabilities that most other
competitor solutions lack.
Table 1: Gartner requirements for an SD-WAN solution, and how Cisco SD-WAN Security meets them

Gartner definition of SD-WAN (1): Replacing traditional WAN routers
and being agnostic to WAN transport
Cisco SD-WAN Security: Cisco SD-WAN offers integrated WAN edge routers
with embedded security. This all-in-one-box solution simplifies
manageability, eliminates complexity, and reduces cost. It allows
branches, headquarters, remote locations, and public and private clouds
to connect in a common way and to take advantage of the public Internet
as a way of transporting traffic safely and securely. It provides secure
traffic flow by encrypting and segmenting traffic based on user and
device groups, and by authenticating all devices on the network.

Gartner definition of SD-WAN (2): Allow traffic to be distributed over
multiple WAN connections
Cisco SD-WAN Security: Cisco SD-WAN supports mixing and matching
multiple protocols and ISPs for each branch to provide agility and
continuity for faster performance. With its centralized management and
enforcement dashboard, it’s able to define, manage, and deploy unified
and automated global, location, group, and connection-based security
policies from a single pane of glass.

Gartner definition of SD-WAN (3): Simplify WAN management,
configuration and orchestration
Cisco SD-WAN Security: Cisco SD-WAN configures and manages
SD-WAN-enabled routers, including granular deployment and maintenance
of the security solution. Cisco SD-WAN can do all this for many of the
existing branch routers currently in use, and it features zero-touch
provisioning of any new appliance with automated Cloud onRamp for SaaS
and IaaS applications.

Gartner definition of SD-WAN (4): Support secure VPNs and
integrate additional network services
Cisco SD-WAN Security: Secure site-to-site connectivity is a critical
part of any SD-WAN solution, and Cisco SD-WAN Security has taken that
security to an all new level. It provides a comprehensive
enterprise-grade firewall, IPS, URL filtering and simple deployment of
Cisco Umbrella cloud security, all powered by Cisco Talos threat
intelligence.
It is important to understand how Cisco SD-WAN
security is different from other vendors and how that
differentiation can help your organization. Here are a
number of unique benefits:
■ Full Security Stack
By embedding enterprise Firewall, IPS, and URL
filtering capabilities directly into its SD-WAN
platforms, Cisco is providing a comprehensive
SD-WAN security and networking solution for the
branch. Additionally, Cisco SD-WAN is powered
by Cisco Talos, the world’s largest independent
security intelligence organization.
■ Transformative Cloud Security
Easily configure your SD-WAN-enabled branch
routers to leverage Cisco Umbrella as your Secure
Internet Gateway for direct internet access
breakouts. Simply click a checkbox within the
Cisco SD-WAN unified management console
for easy setup and Cisco Umbrella will protect
data sent to and from cloud. Cisco Umbrella’s
statistical and machine learning models constantly
learn, adapt, and protect against where attacks are
being staged.
■ Simple and Automated Management
Security and networking are integrated into one
platform for reduced complexity and easier
management. Automated security policy can be set
from the global level down to the location and
connection level, from a single pane of glass.
Named a Leader in the Gartner Magic Quadrant for WAN Edge
Infrastructure, Enterprise Network Firewalls, and IPS,
Cisco is uniquely positioned to re-invent the WAN and
offer truly best-in-class SD-WAN security.
Learn more about Cisco SD-WAN Security at
cisco.com/go/sdwan-security
Source: Cisco
Research from Gartner
Technology Insight for SD-WAN
SD-WAN is a mainstream technology that offers
several benefits compared to traditional, router-based
WANs. I&O leaders responsible for planning, sourcing
and managing WANs can reduce costs and improve
agility and uptime by using SD-WAN products.
Key Findings
■ The emergence of public cloud computing and
SaaS has rendered traditional enterprise WAN
architectures suboptimal, from a price and
performance perspective.
■ Software-defined WAN (SD-WAN) is a mainstream
product category that provides branch-office
connectivity in a simplified and cost-effective
manner, compared to traditional routers.
■ SD-WAN adoption is growing rapidly. Further, many
network service providers (NSPs) and many non-
NSPs now offer managed SD-WAN services.
■ More than 40 vendors are now offering and/or
claiming to have SD-WAN solutions and products,
causing ongoing confusion in the market.
Recommendations
I&O leaders responsible for planning, managing and
sourcing the delivery of network infrastructure and
network services should:
■ Refresh their branch WAN equipment by
implementing SD-WAN when they’re aggressively
migrating apps to the public cloud, building hybrid
WANs, when equipment is at end of life, or when
Managed Network Service/MPLS contracts are up
for renewal.
■ Avoid overpaying for underperforming
infrastructure that doesn’t meet their application
performance needs by leveraging SD-WAN.
■ Follow a comprehensive SD-WAN selection process
by evaluating pivoting vendors, pure-play startups,
as well as established incumbents to validate
vendor claims before making a final decision.
Analysis
SD-WAN products provide improved capability to
handle changing network traffic patterns resulting
from cloud computing and new application
architectures. SD-WANs resolve some of the most
pressing WAN problems when deploying and managing
hybrid WANs, including:
■ The high cost of WAN connectivity, which is
exacerbated by difficulty in intelligently load-
sharing traffic across a mix of WAN connections
■ Complex, static and manual network
configurations that are inflexible in supporting
new applications, map to business-centric
requirements and/or scale to large deployments
■ The manually intensive process required to add
new locations, lengthening deployment times
■ The inability to achieve simplified security and/or
robust visibility for WAN traffic
Definition
Gartner defines an SD-WAN solution as meeting four
requirements:
1 SD-WAN solutions provide a lightweight
replacement for traditional WAN routers and are
agnostic to WAN transport (that is, they support
Multiprotocol Label Switching [MPLS], internet and
4G/LTE).
■ The branch component must have the capability to
physically terminate access circuits.
■ The branch component can be either a physical
appliance or software that can run on industry-
standard hardware (which terminates the physical
connection).
2 SD-WAN solutions allow traffic to be distributed
across multiple WAN connections in an efficient
and dynamic fashion, based on business and/or
application policies.
■ The solution must be able to dynamically recognize
and characterize applications.
■ Traffic routing decisions can be created using
application-centric policies or business logic,
rather than network-centric characteristics, such
as Internet Protocol (IP) addresses and circuits.
■ For example, a policy can be written to route Office
365 traffic, without the requirement to specify IPs
and port numbers.
■ Policies are set centrally, then automatically
distributed to all relevant edge devices in the
network.
3 SD-WAN solutions dramatically simplify the
complexity associated with the management,
configuration and orchestration of WANs.
■ Configuration parameters are application-centric
and/or business-centric, and can be created/
applied/changed by personnel who are not well-
versed in networking technologies.
■ The solution must support zero-touch
configuration for new branches, which entails on-
site branch personnel having to make only physical
(such as cabling) changes.
■ The level of expertise required to configure the
branch is akin to what is required to set up a
basic home wireless network with consumer-grade
equipment.
4 SD-WAN solutions must provide secure VPNs and
have the ability to integrate additional network
services.
■ The solution must support service chaining of
other network services and devices, such as WAN
optimization controllers, firewalls, traffic redirection
to secure web gateways (SWGs) and so on.
■ The branch component must support automated
creation of secure VPNs with a minimum of 128-
bit encryption (with future support for 256-bit
encryption).
Figure 1. SD-WAN Definition
Source: Gartner (September 2018)
Description
SD-WAN solutions enable the centralized management
and operation of WAN edge devices placed in branch
offices. These products can create secure paths across
multiple WAN connections and carriers, such as hybrid
internet, 4G and MPLS architectures.
SD-WAN products abstract the underlying network
transport/connectivity to present a business-centric
or application-centric approach for configuration
to the end user/administrator. In an SD-WAN
implementation, traditional device-based command
line interface (CLI) configurations can (and should) be
replaced by centralized, application-centric policies
and orchestration. This enables organizations to
centrally configure and manage WAN traffic based on
business-related policies, while providing increased
visibility.
Benefits and Uses
The benefits of an SD-WAN approach are substantial
compared to traditional approaches, including
simplified management and operation, reduced costs,
and increased visibility and security. SD-WAN is
specific to enterprise WANs and applies to branches
of all sizes, geographies and vertical markets.
Agility via Improved Management
Due to simplified operation, orchestration and zero-
touch configuration, Gartner anticipates 50% to
90% improvement in the time it takes enterprises (or
relevant third parties) to provision network changes
at branches, which can improve branch turn-up
times. This is in line with what early adopters have
experienced after implementation.1
Cost Reduction
Compared to traditional WANs, SD-WANs can lead to
substantial savings, via:
■ Reduced capital acquisition costs for hardware,
software and support of remote location WAN
equipment. Based on proposals Gartner has
reviewed across multiple vendors, the five-year
hardware/software/support costs of SD-WAN are
up to 40% less than traditional routers.1
■ Reduced operational expenditures for personnel
to provision, manage and troubleshoot their
WAN equipment. Based on client interactions
from early SD-WAN adopters, as stated above,
organizations have cited they spend 50% to 90%
less time configuring branch equipment versus
traditional routers. This has a direct cost reduction
in managing the network.1
■ Savings in NSP expenses due to better utilization
of WAN connections as SD-WAN dramatically
improves load sharing across multiple ports
(versus active/passive backup configurations).
This can delay the need to add incremental carrier
bandwidth or allow for greater use of lower-cost
internet connectivity. A next level of savings can
be realized by leveraging SD-WAN to route traffic
such that only high QoS traffic is delivered over
the more expensive link (for example, MPLS) and
where less critical traffic can be delivered over
the less expensive link (for example, broadband
internet). Note: Savings here will vary dramatically
depending on transport type and geography.2
Improved Branch Availability
SD-WAN improves overall availability for a given
enterprise branch for several reasons, including:
■ Simplified failover — Traditional routers are
limited in the granularity of failover policy, due
to the complexity of developing and testing the
necessary configurations relating to different
failure modes. SD-WAN solutions dynamically
assign traffic to links based on application-centric
policies, versus only IP addresses and circuits.
As a result, SD-WAN products can detect more
failover scenarios than traditional routers. Thus,
they can more easily accommodate additional
links, such as multiple broadband links or cellular
connections.
■ Faster failover or reallocation of traffic — Many
SD-WAN solutions dynamically measure link
performance and will allocate performance-
sensitive traffic to the best link. This leads to
faster failure and congestion detection compared
with what traditional IP-based routing protocols
support. Further, some vendors have duplication
technology that sends mission-critical traffic down
multiple paths simultaneously, which can lead to
rerouted voice calls being unnoticeable during an
unplanned outage.
■ Better visibility — Most SD-WAN solutions
provide improved analytics and troubleshooting
functionality, which can improve mean time to
repair (MTTR) metrics and lead to more proactive
network operations.
■ Less-brittle configurations — SD-WAN solutions
include a high degree of automation and
orchestration, reducing manual configuration
compared to traditional routers by 90% or more.
Gartner clients report that manual configuration
error is a leading cause of network outages.
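The Gartner definition above (requirement 2: policies written against applications and business intent, such as routing Office 365 traffic without listing IPs and ports) and the "Improved Branch Availability" bullets (links chosen on measured latency, loss and jitter, with failover when a link degrades) describe a control-plane decision that is easy to see in code. The following is an added example, not Cisco's or Gartner's code and not any vendor's policy format: the class names, the link names, the thresholds and the measurements are all constructed for the illustration. It assumes the edge device has already identified the application (for example by DPI), which is the assumption the whole application-centric model rests on.

```python
"""Application-centric path selection with link-quality failover (added example).

Policies are keyed by application name, not by IP address or circuit, and
state the intent ("lowest latency" or "cheapest") plus the quality a link must
meet. Link measurements are refreshed continuously in a real edge; here they
are constructed sample values.
"""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional


@dataclass(frozen=True)
class LinkMeasurement:
    name: str            # constructed link identifier
    transport: str       # "mpls", "broadband" or "lte"
    up: bool             # liveness probe result
    latency_ms: float
    loss_pct: float
    jitter_ms: float
    cost_rank: int       # 1 = cheapest transport for this branch


@dataclass(frozen=True)
class AppPolicy:
    app: str             # application as identified by the edge, not an IP/port tuple
    max_latency_ms: float
    max_loss_pct: float
    max_jitter_ms: float
    prefer: str          # "lowest_latency" or "cheapest"
    allowed_transports: tuple = ("mpls", "broadband", "lte")


# Centrally defined policies, pushed unchanged to every edge (constructed values).
POLICIES: Dict[str, AppPolicy] = {
    "voice":     AppPolicy("voice", 100.0, 1.0, 10.0, "lowest_latency"),
    "office365": AppPolicy("office365", 150.0, 2.0, 30.0, "cheapest", ("mpls", "broadband")),
    "backup":    AppPolicy("backup", 500.0, 5.0, 100.0, "cheapest"),
}


def healthy_links() -> List[LinkMeasurement]:
    """Constructed measurements for a dual-homed branch with LTE backup."""
    return [
        LinkMeasurement("mpls", "mpls", True, 20.0, 0.0, 2.0, cost_rank=3),
        LinkMeasurement("broadband", "broadband", True, 35.0, 0.5, 8.0, cost_rank=1),
        LinkMeasurement("lte", "lte", True, 60.0, 1.0, 15.0, cost_rank=2),
    ]


def with_change(links: List[LinkMeasurement], name: str, **fields) -> List[LinkMeasurement]:
    """Return a copy of the measurement set with one link's fields overridden."""
    return [replace(l, **fields) if l.name == name else l for l in links]


def eligible_links(policy: AppPolicy, links: List[LinkMeasurement]) -> List[LinkMeasurement]:
    """Links that are up, allowed for this app, and currently inside the policy's SLA."""
    return [
        l for l in links
        if l.up
        and l.transport in policy.allowed_transports
        and l.latency_ms <= policy.max_latency_ms
        and l.loss_pct <= policy.max_loss_pct
        and l.jitter_ms <= policy.max_jitter_ms
    ]


def select_path(policy: AppPolicy, links: List[LinkMeasurement]) -> Optional[str]:
    """Pick the link name for an application, or None if no allowed link is up.

    If no link meets the SLA, fall back to the least-lossy up link so traffic
    still flows (a degraded path rather than a black hole); the edge would
    normally raise an alert in that state.
    """
    candidates = eligible_links(policy, links)
    if not candidates:
        up_links = [l for l in links if l.up and l.transport in policy.allowed_transports]
        if not up_links:
            return None
        return min(up_links, key=lambda l: (l.loss_pct, l.latency_ms)).name
    if policy.prefer == "lowest_latency":
        return min(candidates, key=lambda l: (l.latency_ms, l.jitter_ms)).name
    return min(candidates, key=lambda l: (l.cost_rank, l.latency_ms)).name


def build_forwarding_table(policies: Dict[str, AppPolicy],
                           links: List[LinkMeasurement]) -> Dict[str, Optional[str]]:
    """Recompute every application's path from the current measurements."""
    return {app: select_path(pol, links) for app, pol in policies.items()}


if __name__ == "__main__":
    print("healthy:        ", build_forwarding_table(POLICIES, healthy_links()))
    lossy = with_change(healthy_links(), "broadband", loss_pct=5.0)
    print("broadband lossy:", build_forwarding_table(POLICIES, lossy))
    mpls_down = with_change(healthy_links(), "mpls", up=False)
    print("mpls down:      ", build_forwarding_table(POLICIES, mpls_down))
```

Running the three scenarios shows the behaviour the text describes: with healthy links voice takes MPLS for latency while Office 365 and backup take the cheaper broadband circuit; when broadband loss rises past the Office 365 threshold that application moves to MPLS without any change to the policy; and when MPLS fails voice moves to broadband because LTE's jitter is outside the voice SLA. Nothing in the policies names an address or a port, which is the point of requirement 2.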
SD-WAN Uses
SD-WAN provides the greatest benefit for organizations
that exhibit any of the following characteristics:
■ Aggressively moving applications to the public
cloud, such as Office 365 and Google G Suite
■ Moving toward a hybrid WAN topology by
deploying internet access directly from branch
locations
■ Seeking to reduce traditional business-class carrier
service budgets
■ Wanting to reduce management complexity of its
WAN
■ Having a large number (more than 25) of remote
branches
■ Aggressively deploying video or other high-
bandwidth, real-time applications to branch office
locations
■ Maintaining limited or no IT personnel on-site in
remote branches
Additionally, see Figure 2 for a 2017 survey of SD-
WAN drivers from an enterprise perspective.
SD-WAN Consumption Models
In North America, most large enterprises manage their
own WAN equipment and typically select their WAN
edge vendor themselves.3 However, in the rest of the
world, most organizations rely on service providers
for management of WAN equipment. Thus, in these
geographies, SD-WAN solutions will typically be
embedded in their carrier’s managed service offering.3
Figure 2. Where SD-WAN Makes Sense
Source: Gartner (September 2018)
Adoption Rate
As of June 2018, we estimate there are over 6,000
paying SD-WAN customers, with more than 80% of
those in production, including more than 200,000
total branches. North American-based retail and
financial service organizations have been the most
aggressive early adopters of the technology. We
estimate spending on SD-WAN technology will grow
at a 30.2% compound annual growth rate (CAGR)
through 2022 (see Figure 3).
Figure 3. Enterprise Network Equipment Forecast
Source: Gartner (September 2018)
Risks
Though SD-WAN is a mainstream technology, there
are still risks to consider. While some top vendors
have enjoyed meaningful successes (e.g., Cisco’s
Viptela, VMware’s VeloCloud, and SilverPeak), we
have identified over 40 vendors in this market, and
many of those 40 vendors overhype their
capabilities with confusing marketing language
and claims. Beyond that, there are differences in
features depending on various enterprise use cases.
Lastly, there are risks of vendor lock-in with limited
intervendor integrations.
Market Confusion
Vendors still make bold claims and are using
confusing marketing language to describe their
features, such as supporting QoS or implementing
zero-touch provisioning. Organizations should carefully
determine what value the features deliver, rather than
merely assuming from the name what the function
does. To address this risk, enterprises should conduct
pilot testing in as real of a scenario as possible with
defined success criteria to ensure that the vendor can
meet the desired needs. Discuss in depth how the
potential vendors will address your needs and test
those exact use cases. For example, if testing QoS,
measure application performance before and after the
vendor solution is utilized. Also, validate how flexible
and dynamic the solution is to handle traffic spikes
and changes in traffic mix. If zero-touch provisioning
is important, measure how long it takes to complete
the task and validate the skills level of the person
required to operate.
Market Fragmentation
The numerous competitors in this market result
in confusion when determining the right solution for a
specific enterprise use case. There are vendors of
all sizes, geographical coverage, feature focus (for
example, application performance, security and
ease of use) and business models (vendor, service
provider or a hybrid). Enterprises should start with
evaluating existing incumbent vendors. After that,
evaluate vendors based on your specific use case (for
example, security or WAN optimization). To ensure as
complete a process as possible, organizations should
ensure that they evaluate pivoting vendors, pure-play
startup vendors and established incumbent vendors.
Organizations should request references of similar
size/complexity/vertical, and confirm appropriate
levels of sales and support resources. Also, consider
utilizing managed SD-WAN services through a network
service provider (NSP) or managed network service
(MNS) provider, in which case, the provider becomes
the vendor of record.
Feature Limitations
Traditional WAN designs often incorporate “heavier”
customer premises equipment (CPE) with the
capability to run additional network functions, such as:
■ WAN optimization
■ Voice services
■ Security (firewall, intrusion prevention/detection
system [IPS/IDS] and SWG)
■ x86 compute, which can be used to further run
additional network or application functions
■ WAN interface termination (such as, T1/E1, xDSL
and 4G/LTE)
Some SD-WAN vendors incorporate additional
networking functions, such as WAN optimization
or security, but the availability of such additional
capabilities varies greatly between vendors.
Organizations that have consolidated multiple network
functions into their existing physical router footprint
may have to offload this functionality when moving
toward a lightweight SD-WAN CPE. While this provides
the opportunity to migrate voice and collaboration
services to the public cloud, this process could
undermine the capital and operational savings of
moving toward an SD-WAN.
Organizations that have consolidated voice services
within the router will have particular difficulty
achieving the full benefits of an SD-WAN product.
However, this inability to consolidate functions is not
inherent to the SD-WAN concept, and we anticipate
more vendors will integrate and/or partner to deliver
these services over the next two years.
Vendor Lock-In
While SD-WAN products operate using standard
protocols like IP and Ethernet, most commercial SD-
WAN solutions are controller-based, and there is no
vendor-to-vendor controller integration in the market
today. Further, many vendors use proprietary overlay
tunneling protocols, which only operate with their
controller. Thus, organizations will have to duplicate
their policies and management functions if multiple
vendor products are implemented. This increases
the risk of vendor lock-in versus traditional routers,
although most enterprises already prefer a single
WAN router vendor, so in practice this is a lesser
concern.
Evaluation Factors
SD-WAN is a subset of the WAN edge infrastructure
market, which is covered in Gartner’s “Magic Quadrant
for WAN Edge Infrastructure.”
At a casual glance, it can be very difficult to
differentiate between SD-WAN solutions, as they all
provide branch connectivity in a simplified and cost-
effective manner. In addition, this is a fast-moving
market that will continue to undergo substantial
change within the next 12 months. When evaluating
and selecting solutions, organizations should ask
prospective SD-WAN vendors specific questions to
determine which solution best meets their branch
connectivity requirements. For more detailed
evaluation criteria, refer to Gartner’s “Toolkit: RFP
Template for SD-WAN Products and Services.” The
following are high-level evaluation criteria.
Scale and Architecture
■ What is the scale (the minimum and maximum
number of remote branches) supported by the
solution? How many product deployments does the
vendor have at relevant scale?
■ Does the solution include network-based
infrastructure (points of presence) to monitor
internet performance, and/or act as cloud
gateways and/or act as routing hubs? If so, where
and how are the points of presence hosted and
connected?
■ Are full mesh and partial mesh for branch-to-
branch connectivity required and/or supported?
■ How is resiliency achieved for the different
components in the architecture (particularly the
controller)? What happens if the controller fails or
is unreachable?
■ How is direct internet access supported? Is there
an embedded firewall, or does the solution offer
or integrate with on-premises and/or cloud-based
security services?
■ Does the branch component contain built-in L4 to
L7 network services, including WAN optimization,
SWG, firewall, intrusion detection/prevention
systems (IDSs/IPSs) and data loss prevention
(DLP), and/or offer integration with devices and
services that perform these functions?
Management and Orchestration
■ How is the management capability delivered:
on-premises and/or as a cloud-managed (SaaS)
offering? If SaaS, where and how are the platforms
hosted?
■ Can the solution support multiple criteria for path
selection, including business priority, latency,
packet loss, jitter and so on?
■ Does the solution have a northbound API that
allows programmatic control of the network from
other systems? How many and which features are
exposed via API?
■ What type of application, network and security
analytics are offered? Are there application volume,
uptime and performance metrics? Are there link
quality and uptime metrics?
Form Factors and Deployment
■ Can the branch component be delivered via
physical appliance and/or software (virtual
machine [VM] or container)?
■ Is the vendor’s software available in leading public
cloud provider catalogs, such as Amazon Web
Services (AWS) and Microsoft Azure?
■ Can the branch component support legacy WAN
transmission interfaces, including T1, E1, DS3
and other WAN access types, such as cellular
connections, or is it limited to Ethernet interfaces?
■ What is the maximum capacity of the physical
and/or virtual devices?
■ Does the branch component support embedded
Wi-Fi?
■ Is the platform x86-based, and can it support
third-party network functions?
Application Centricity
■ How many — and which — commonly used
applications and services can be natively identified
with the solution?
■ Can policies be created that are independent of
network/circuit characteristics? (For example,
voice should take the lowest latency path.)
■ How does the solution support cloud-based
applications? Does the enterprise have to create its
own gateways/hubs, or is the solution integrated
into cloud services (both infrastructure as a
service [IaaS] and SaaS)?
■ Are custom applications supported? If so, how are
they defined?
■ How are latency-sensitive (that is, real-time)
applications prioritized over non-real-time
applications?
Price
■ What are the three- and five-year total installation/
hardware/software/licensing/service/support
expenses?
■ Can the solution be delivered via a capital
expenditure (capex) and/or a pure operating
expenditure (opex) pricing model, or a hybrid of
these?
■ How is the software priced when included with
vendor-provided hardware versus when sold as a
VNF (without hardware)?
Visibility and Security
■ What level of visibility and reporting for application
availability and performance is supported?
■ Is there an analytics engine with a global view of
the network that the system can report and act
upon in real time?
■ What security mechanisms exist to ensure
unauthorized devices are not added to the WAN?
■ How are logical network segmentation and
multitenancy achieved?
Price/Performance
As described earlier in this report, cost reduction is a
substantial benefit to SD-WAN. We’ve observed early
adopters dramatically reduce their WAN equipment
and operations costs (by more than half) while
maintaining or improving application performance.
SD-WAN Alternatives
Traditional WAN Architectures
This approach combines fully featured, on-premises
physical or virtual devices, including routers, WAN
path controllers, WAN optimizers, and security
products and services. This is currently the most
mature approach to building and managing WANs, and
is employed by most enterprises — but it is also the
most expensive. Traditional WAN architectures allow
(but don’t require) enterprises to select best-of-breed
capabilities in each functional category. Although it is
complex to deploy and manage, this complexity can
be somewhat mitigated by using reference design
templates and/or managed services from MNS
providers or system integrators. Though this solution
is proven and mature, it is less agile and flexible than
an SD-WAN approach.
Network Automation and/or Orchestration Tools
These software-based tools are applied to existing
WAN equipment, without the requirement to add
or replace CPE. These tools are compelling for
organizations that don’t want to replace existing CPE
and that are:
■ Primarily struggling with network change
complexity
■ Having difficulty orchestrating WAN traffic across
multiple links
Enterprise-class WAN automation tools are sold by
most router vendors, including Cisco and Juniper, and
independent software vendors (ISVs), such as Infoblox
and SolarWinds. Examples of vendors that provide
advanced WAN network orchestration include Glue
Networks and Anuta Networks.
Virtualized CPE Platforms
vCPE is an early technology that offers several benefits compared with traditional, appliance-based solutions. By using vCPE-based solutions, infrastructure and operations leaders responsible for network planning can improve agility and flexibility, and reduce key network expenses by 30%.
Recommendations
SD-WAN should be included in future WAN architecture discussions. Specifically, organizations should look to SD-WAN if they are:
■ Aggressively moving applications to the public cloud, such as Office 365 or Salesforce
■ Seeking to reduce the operational complexity of their existing WAN
■ Unhappy with the existing expense, performance and/or availability of their router-based WAN
■ Negotiating an NSP WAN offering, such as MPLS and/or an MNS offering
■ Refreshing WAN-edge devices, such as routers or WAN optimization controllers
■ Supporting many small to midsize branch sites
■ Embracing automation
■ Moving toward a hybrid WAN topology
■ Aggressively deploying video or other high-bandwidth, real-time applications to branch office locations
■ Maintaining limited or no IT personnel on-site in remote branches
However, SD-WAN will not be a fit for all organizations, and may not be ideal when:
■ The WAN consists of a small number of very large branches, as most SD-WAN products are optimized for locations with fewer than 200 users.
■ The WAN consists of mostly single-homed locations, as the value of dynamic path selection and application-centric routing is diminished.
■ The organization is extremely risk-averse and/or is not adopting applications in the public cloud because of the relative immaturity of the technology and/or the lack of need for dynamic path selection.
■ Many local resources are needed on the branch CPE platform, including x86 and voice, because most SD-WAN platforms are lighter-weight and perform a limited set of functions.
■ There has been a very recent router/WOC refresh, NSP/non-NSP managed service refresh, and/or lack of budget.
Representative Vendors
As stated earlier, as of July 2018, there are more than 40 vendors that provide SD-WAN capability. This includes pure-play SD-WAN startups (such as Versa and CloudGenix), acquired startups (such as VeloCloud and Viptela), pivoting WAN-optimization vendors (such as Citrix, Riverbed and Silver Peak), and established router incumbents (such as Cisco). Refer to “Market Guide for WAN Edge Infrastructure.” As a result, we expect continued market evolution over the next 12 to 18 months, including:
■ Continued merger and acquisition (M&A) in the market (beyond Viptela and VeloCloud)
■ Functional integration onto SD-WAN platforms, including WAN optimization, cloud gateways and security
■ NSPs expanding SD-WAN as a key component of their enterprise managed service offerings
■ More non-NSP companies bringing offerings to the market
■ A move toward more virtualization and vCPE for best-of-breed solutions
Evidence
1. Gartner analysts have conducted more than 2,500 interactions with current and prospective Gartner clients on the topic of WAN between 1 August 2017 and 31 July 2018.
2. The price of internet versus MPLS service varies by country, as do regulations concerning the availability and use of both services. Both relative price and the local regulatory environment factor into the country-specific ROI of SD-WANs.
3. This is based on two surveys. Gartner conducted a research circle survey from 3 October to 25 October 2016, among members of the Gartner Research Circle — a Gartner-managed panel composed of IT and business leaders. In total, 65 members participated that were involved in WAN-related discussions and/or strategic decisions for their organizations, and have more than 10 locations. Survey participants included organizations based in North America, Latin America, EMEA and Asia/Pacific. Also, polling from Gartner Data Center Conference presentations indicated that 68% of attendees manage the WAN edge with their own staff, 18% use a network service provider and 9% use a managed service provider (n = 103).
Source: Gartner Research Note G00369080, Andrew Lerner, Jonathan Forest, Neil Rickard, Ted Corbett, 14 September 2018
In Search of the Right SD-WAN Solution is published by Cisco. Editorial content supplied by Cisco is independent of Gartner analysis. All Gartner research is used with Gartner’s permission, and was originally published as part of Gartner’s syndicated research service available to all entitled Gartner clients. © 2019 Gartner, Inc. and/or its affiliates. All rights reserved. The use of Gartner research in this publication does not indicate Gartner’s endorsement of Cisco’s products and/or strategies. Reproduction or distribution of this publication in any form without Gartner’s prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner’s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see “Guiding Principles on Independence and Objectivity” on its website.
Contact us
For more information contact us at:
cisco.com/go/sdwan-security
cisco.com/go/sdwan