It might be flexible but is it secure?
The popularity of SD-WANs for enterprise networks is taking off, but some users are concerned about exposing their traffic to the public internet. Alan Burkitt-Gray looks at the steps MEF, vendors and carriers are taking.
Security has become an essential benefit of software-defined wide-area networks (SD-WANs) for enterprises.
So much so, that Gartner, the market research and analysis company, has determined that network security and SD-WAN “will converge into a single market during the next seven to 10 years”.
This has come at an appropriate time. A few months later Gartner pointed out that by the end of 2023, “60% of enterprises will have implemented SD-WAN, up from less than 20% in 2019, to increase network agility and enhance support for cloud applications”.
Gartner offers up some other statistics that show how urgent this is. “By 2023, 30% of enterprise locations will use internet-only WAN connectivity, up from less than 10% in 2019, to reduce bandwidth’s cost,” it says. And “by 2023, more than 50% of large organisations will connect to cloud providers using direct cloud connectivity from their WANs, up from 10% in 2019.”
There’s more: “more than 75% of enterprises adopting a cloud-first strategy [by 2022] will continue to host business-critical applications in traditional data centre environments”, and, by the end of 2023 “60% of enterprises will have implemented SD-WAN, up from less than 20% in 2019, to increase network agility and enhance support for cloud applications”.
With such a fast rate of adoption, network security is becoming an intrinsic part of SD-WAN applications.
For Andrew Halliwell, product and transformation director at Virgin Media Business, what’s driving SD-WAN is not the rapid move to cloud services but a simultaneous desire by enterprise users to avoid the need for private lines. “We can use new, lower-cost access technologies including fixed broadband and generic 4G wireless, as well as traditional methods such as Ethernet connections,” he says.
“We can deliver higher bandwidth and resilience. It’s particularly popular in branches of retail chains where the previous cost of putting in Ethernet connections was too high.”
But that means, he warns, “we need to provide an enterprise security profile so we can use the public internet”.
Virgin Media Business, part of the Liberty Global group, offers its enterprise services in just the UK, but a number of global carriers have made strategic moves into the enterprise market by offering security as part of their SD-WAN service.
Among them is Epsilon, which in December 2019 announced that security would be part of its cloud-delivered SD-WAN with Data Centre Interconnect and Direct Cloud Connect networking services.
CEO Jerzy Szlosarek, who announced in February that he was stepping down from the role, said in December: “Epsilon has undergone many phases of transformation over the past few years. We have been building our core network and fine-tuning our solutions before embarking on this journey to serve new enterprise customers. “Having supported the telecommunications and service providers market for more than 15 years, we are confident in delivering high-performance carrier-grade connectivity and communications solutions to enterprises of all sizes.”
WAN security and complexity are the biggest challenges of enterprise networking, notes Chin Woon Lee, product director at Epsilon: “By delivering an SD-WAN solution with integrated network security and centralised orchestrator, our enterprise customers can have peace of mind while retaining full control over their WAN.”
It is, she says, “a powerful solution that solves enterprise networking challenges and is flexible enough to meet future connectivity demands”.
Kevin Brown, managing director of BT Security, explains why security is so crucial in SD-WANs. “While moving to SD-WAN brings significant benefits, you are also potentially exposing your business to additional security risks around your network, application availability and performance,” he wrote in a recent blog. “Your SD-WAN routers and management platform are directly connected to the internet. Using the internet for traffic flow means you lose control of the data path; your data is flowing in zones of zero trust. And the physical security of your SD-WAN elements becomes more critical.”
Flexibility and scalability are undoubted benefits of SD-WAN, but they come at a price, notes Charuhas Ghatge, who looks after portfolio and solutions marketing at Nokia’s SD-WAN subsidiary, Nuage Networks.
The question is, he wrote in a recent white paper from the company, “how to secure your data integrity across this end-to-end network? Security needs to be embedded in SD-WAN fabric along with analytics”, to measure and maintain the quality of experience of the application.
“Security has become an important design and selection criterion for SD-WAN vendors and users alike as the branch – where SD-WAN plays an important role – has become a point of concern that can potentially open an entire enterprise to the security threats from outside.”
The demands have widened, notes Halliwell, because the use of cloud services such as Salesforce and Microsoft’s Office 365 mean people expect to be able to use them when working at home or when on the move. “Users want access to 20-30 different services, but meanwhile the CIO wants a secure network.”
A major step forward in the evolution of SD-WAN took place in August 2019 when MEF, the industry organisation that has championed its use, published the industry’s first standard.
This was part of an initiative to define, deliver and certify a suite of services, including security, for SD-WAN.
“Combining standardised SD-WAN services with dynamic high-speed underlay connectivity services – including carrier Ethernet, optical transport, and IP – enables service providers to deliver powerful MEF 3.0 hybrid networking solutions with unprecedented user- and application-directed control over network resources and service capabilities,” said Nan Chen, president of MEF, at the time.
Shawn Hakl, Verizon’s senior vice president for business products, welcomed the move that lets end customers “get a better overall experience relative to their applications, with support for a broader range of use cases, guaranteed service resiliency, and improved service capabilities in an always on, always connected world”.
Vendors backing the standard include Nuage Networks, Versa Networks and Infovista. Each certifies that it conforms to MEF’s SD-WAN Service Attributes and Services (MEF 7.0) global standard.
Sunil Khandekar, head of Nuage Networks, says: “The availability of the MEF 3.0 SD-WAN technology vendor certification is an important step in providing enterprises an industry benchmark for vendor selection.” The move demonstrates that each of the first three “are a standards-based partner for service providers developing SD-WAN services”, says Chen.
Versa Networks was quick to partner with GlobalConnect, which has 18,000 square metres of data centre space and 42,000km of fibre across Europe, to deliver secure SD-WAN services. Sebastian Vad Lorentzen, head of SD-WAN engineering at GlobalConnect, described Versa as “our ideal partner” in the project, which was “needed to support complex cloud integration use cases while being flexible and highly efficient in multiple deployment scenarios, and having a native focus on integration of security features – a combination of competences that are rare in the SD-WAN market space”.
He says the partnership means GlobalConnect can “efficiently and securely manage more features with a higher level of flexibility across more domains and segments than practically possible with legacy technologies”.
Versa’s Chris Kenny looks forward to “what could be an exhilarating journey of SD-WAN expansion across Scandinavian enterprise networks”. He noted: “This was a challenging process and we have an equally ambitious partner to go forward with.”
GTT Communications, the company that two years ago bought pan-European network Interoute, earlier this year confirmed a security deal with Fortinet for its SD-WAN offerings. GTT will offer it as a managed service, to support any last-mile access solution to meet specific client needs for security, application performance and cost efficiency, said the US-based company. “Clients rely on GTT to securely connect their locations across the world and to every application in the cloud,” says Rick Calder, president and CEO. “Clients can run their applications with superior security, performance and reliability to support their business goals.”
John Maddison, SVP of products and CMO at Fortinet, explains what the security specialist will do: “Fortinet Secure SD-WAN allows GTT to build a smart connectivity platform that delivers additional value to customers through security, analytics and cloud-acceleration services. The combination of GTT’s Tier 1 global IP network and Fortinet Secure SD-WAN enables high-performing and differentiated services for GTT clients worldwide.”