SD-WAN purchasing starts with deciding DIY vs. managed service, but includes asking about details like microsegmentation, path control, service chaining, and how it’s going to fit with SASE
Prior to the pandemic, SD-WAN was primarily a niche technology pitched to enterprises as a way to cut costs and improve WAN flexibility by allowing traffic to burst directly from the branch office to the Internet, rather than backhauling it over expensive MPLS links to a central site.
Today, SD-WAN has emerged as a key enabler of the post-COVID enterprise in which mission critical applications live in multiple clouds, employees connect and collaborate from everywhere, and remote access to applications like Office 365, Salesforce and Zoom must be fast, secure, reliable, optimized, and automated for maximum business productivity and end user satisfaction.
SD-WAN technology has evolved from WAN optimization on steroids to encompass a comprehensive set of features that include core routing functionality, advanced WAN optimization and application-aware firewalls, all managed via a centralized software overlay. With SD-WAN, enterprises can replace multiple physical devices with a single appliance or virtual appliance, load SD-WAN software onto a server in a branch office, retail store, restaurant or manufacturing facility, or choose a fully managed, cloud-based service.
For those who want to take advantage of this new functionality, choosing and deploying the right SD-WAN solution has become a more complicated endeavor because SD-WAN cuts across security, networking, application performance and cloud services. This guide will help buyers of SD-WAN technology navigate strategic decision points and will provide key questions to ask potential vendors or service providers.
More features, fewer SD-WAN vendors
Over the past several years, many of the SD-WAN pure plays have been acquired by industry heavyweights and integrated into their broader product portfolios. For example, Cisco bought Viptela, VMware bought VeloCloud, Oracle bought Talari, Palo Alto Networks bought CloudGenix and HPE/Aruba bought Silver Peak, Juniper bought 128 Technology.
If you’re shopping for an SD-WAN vendor today, the landscape looks like this: The top five vendors in revenue share for 2020 were Cisco, VFortinet, Mware, Versa and HPE/Aruba, according to Dell’Oro Group.
The overall market grew 45% in Q3 2021 compared to the prior year, and the projected growth year-over year for all of 2021 is 36% as enterprises recognized the business benefit of SD-WAN technology. Those top five vendors account for almost two-thirds of the total market and Dell’Oro predicts further vendor consolidation going forward.
As a result of acquisitions, the number of pure-play SD-WAN vendors keeps shrinking, but there are still plenty of options. Today that list includes Versa, FatPipe, Cradlepoint and Nuage (owned by Nokia). In addition, Cato Networks and Aryaka provide fully managed, cloud-based SD-WAN on their own networks. And the traditional carriers – AT&T, Verizon, Comcast – are selling fully managed SD-WAN services, using gear from the leading SD-WAN hardware vendors.
For more about the leading SD-WAN providers see “Top SD-WAN vendors and how they got there”.
Asking the right questions
For enterprises looking to acquire SD-WAN functionality, before putting together an RFP or making short list of vendors, there are many questions that need to be answered either internally, or in discussion with vendors or outside consultants.
- What is the business driver for SD-WAN? And how does it mesh with the vendor’s strengths and weaknesses? For example, if security is your pre-eminent concern, then you might prioritize SD-WAN vendors with a security pedigree. If application performance is your top issue, then an SD-WAN vendor with roots in WAN optimization might be your best bet. Or, if your company just made a major acquisition and you have to install SD-WAN at multiple sites in the shortest amount of time, a managed service might make the most sense.
- How can I leverage existing vendor relationships to make the transition to SD-WAN as painless as possible? If you have a strong working relationship with your incumbent networking vendor and you can simply add SD-WAN functionality to existing branch office gear with a software upgrade, that might be an attractive option. Or, if you tell your incumbent MPLS service provider that you’re considering pulling the plug, you’d be surprised at how fast they might come back with a fully managed SD-WAN offering.
- What pricing options work for me? A do-it-yourself SD-WAN implementation requires capital expenditures, licensing and ongoing maintenance. On top of that, you have to procure multiple WAN connections for each branch location, which adds to the cost. If you want to offload all of that, many of the SD-WAN hardware providers offer managed or co-managed options. Of course, the carriers have their own fully managed services on their networks. A managed service enables companies to shift from CAPEX to OPEX. The subscription model creates predictable costs and provides the flexibility to quickly respond to changing business conditions.
- How well does the product or service integrate with my existing infrastructure? The integration question has two aspects. First, if a vendor has acquired SD-WAN functionality through the purchase of another company, how well are the different pieces integrated? Is there a single management console that controls all SD-WAN functionality. And are there pricing implications? In other words, is the SD-WAN an all-in-one purchase, or is the firewall considered an add-on?
The second piece of the puzzle is how well does the SD-WAN system integrate with my existing enterprise infrastructure? The SD-WAN needs to mesh with the rest of my networking infrastructure, my application management and monitoring system, and my security systems. If the company has plans to adopt software-defined networking or intent-based networking, implement Zero Trust network access or make other changes, how easy is it to apply those changes to my SD-WAN? If the SD-WAN offering has a cloud-based management platform, how does it integrate with my existing management systems?
DIY or Managed service?
The knock against SD-WAN has been the complexity and difficultly of implementation. Think about everything that an enterprise has to do in order to deploy SD-WAN. You first have to map your WAN, analyze historic traffic patterns, make a reasonable guesstimate of current and future bandwidth requirements for each site, define policies for each type of traffic, starting with voice, video, data, then drilling down into specific applications. Then you need to go out and buy two WAN circuits for each location, both for optimization and to provide failover. You need to manage all of that, including deploying software updates, handling trouble tickets and generating reports.
One important question to ask a potential SD-WAN vendor is what type of tutorials, training materials, configuration guides, etc., are available? To what extent will the vendor help to determine the appropriate bandwidth levels and system requirements for each site? What is the product roadmap and how often are software updates issued? What are the ongoing licensing costs? What level of support can I expect, and how much does that cost?
If you don’t have the staff time, the expertise or the CAPEX for a DIY approach, there are many alternatives:
- You can hand off the planning, testing, and configuration phases to a third-party integrator. In this scenario, you still make the initial purchasing decision based on the features and functionality that suits your enterprise. You procure the WAN links. The benefit is that the integrator is familiar with the equipment and has the expertise to enable a faster rollout. The question is what happens when you turn on the gear and the integrator goes away? Do you have the skills to handle ongoing maintenance of the system, software updates, and changing business requirements?
- In a co-managed scenario, you might work with the SD-WAN vendor or a channel partner, systems integrator or managed service provider, who can help you scope out the project. The enterprise still makes the purchasing decisions, and retains some level of control, but most deployment, maintenance, and SLA support issues are the responsibility of the managed service provider. The question to ask is: How can the two parties clearly define areas of responsibility so that gray areas don’t crop up?
- In a fully managed scenario, the IT staff outsources the entire SD-WAN to a third-party who has the expertise, the resources and, in many cases, its own network. When it comes to selecting specific features, it might be as easy as going through a drop-down menu. The downsides are that you’re giving up control and it’s difficult to switch vendors once you’ve made a selection.
Some key questions to ask managed service providers are: Whose SD-WAN gear are you using? How do you avoid finger pointing when there’s a dispute over whether an outage or service degradation was due to the network or the SD-WAN gear? How many points of presence do you have and how well does your network map with my remote access locations? What level of visibility do I have into the network? What types of alerts, notifications, and reports do I receive? What types of SLAs are available?
Features to consider when buying SD-WAN
When an enterprise is investigating and comparing SD-WAN feature sets here are some key features to look for.
Full replacement of existing branch office functionality: Modern branch routers provide a wide range of functionality include QoS, IPSec VPNs, dynamic routing, NetFlow, SNMP, logs, access control lists, event management, support for protocols like BGP and OSPF. The SD-WAN needs to be able to do all of that, plus.
Transport Independence: The SD-WAN should be able to leverage high-speed bandwidth across multiple transports, including MPLS, Internet, 3G/4G/LTE and 5G.
Path control: The ability to use multiple active paths for bandwidth efficiency, resiliency and failover is critical. The system needs to be able to dynamically steer traffic based on policies in response to changing network conditions, such as packet loss, latency, and jitter.
Application Optimization: The true benefit of SD-WAN is the ability to optimize application performance. The systems must be able to recognize all of the applications in my portfolio and be able to actively monitor application performance as traffic moves across the WAN, including voice and video traffic, as well as SaaS applications.
Encryption: If you’re reducing reliance on VPN technology, the SD-WAN must be able to encrypt WAN traffic based on policy. In addition, automated key rotation is important so that encryption keys can be swapped out on a regular basis?
Security: Since the SD-WAN topology now connects the branch office directly with the public Internet (rather than funneling traffic back to the central office), security must be distributed to each branch office site. Look for an integrated next-generation, application-aware firewall that offers anti-virus, anti-malware, URL/content filtering, data loss prevention, segmentation, IDS/IPS, and sandboxing.
Zero-touch deployment: With zero-touch deployment, an SD-WAN box can be sent out to a branch office and a non-technical person can simply connect it to power and the WAN links, and the device will phone home and configure itself.
Automation and Orchestration: Management of SD-WAN services should be automated, and the overlay software should be able to orchestrate monitoring, troubleshooting, reporting, and other functions across the entire WAN.
Microsegmentation: Opening up two-way traffic between the Internet and branch offices creates a potential security vulnerability in which an attacker gains access to a branch office device and uses that as a launching pad to attack data center resources. Microsegmentation allows the company to restrict hacker movement by limiting lateral movement.
Service Chaining: Centralized models and de-centralized models each have their pros and cons. SD-WAN replaces the centralized MPLS model, but it does create a level of complexity because now the enterprise is managing so many distributed devices, each handling multiple functions. Service chaining is a middle ground technique that enables enterprises to re-route and aggregate traffic in order to reduce branch office clutter and improve efficiency. For example, a company could use the SD-WAN for routing and optimization, but send traffic to a cloud-based service provider who handles all of the security functionality before allowing traffic to hit the open Internet.
Future-proofing your SD-WAN
For many companies, implementing SD-WAN is part of a larger digital transformation initiative that moves application development functions, mission critical applications, storage, backups, disaster recovery, and data analytics in the cloud. SD-WAN is focused on giving branch office employees a way to access those cloud resources quickly, securely and efficiently. But the industry is moving onto a broader product category called SASE, or secure access service edge, which puts more functionality directly in the cloud and enables secure access from all endpoints, including home offices.
Another way to think of a SASE architecture is that it combines SD-WAN with cloud access security brokers (CASB), firewalls-as-a-service (FWaaS) and Zero Trust network access in a cloud-based service.
According to Gartner, by 2024, over 60% of SD-WAN customers will have implemented a SASE architecture, compared with about 35% in 2020. So, when selecting an SD-WAN vendor, it’s important to ask about their SASE roadmap.
Another question to ask vendors is what they currently offer or plan to offer in the way of AIOps, which uses machine learning to increase the level of automation of IT operations. AIOps reduces human error, which is a major cause of network issues that need to be identified and resolved. With AIOps, companies can create a ‘self-driving’ network. By 2024, 20% of SD-WAN centralized configuration and troubleshooting will be touchless via an AI assistant, compared with none in 2020, according to Gartner.
Finally, IT execs need to analyze present and future business needs. For companies with physical assets in industries like health care, retail, hospitality and manufacturing, IoT is going to have a major impact on the network. How do you plan to handle the vast amounts of sensor data coming from branch locations that needs to be analyzed in the cloud? And for companies in industries like banking, finance, education, and government, secure, dependable remote access to cloud-based productivity and collaboration applications is going to be critical. So, the final question is, how can you make use of SD-WAN technology to help make the business more successful?