VeloCloud launches an SD-WAN security ecosystem

The goal is to work with a range of technology companies to protect branch office, data center and cloud networks

This column is available in a weekly newsletter called IT Best Practices.

It’s a great time to be in the SD-WAN business. IDC estimates that worldwide SD-WAN revenues will exceed $6 billion in 2020, with a compound annual growth rate of more than 90% over the 2015-to-2020 forecast period. According to IHS, as of the end of 2016, 13% of North American enterprises already have the technology in production and 62% are in lab trials. By 2018, 82% are expected to be using SD-WAN.

Those are some pretty remarkable adoption rates for a technology that is still in its early days.

Enterprises cite various reasons for wanting to use a software-defined wide area network. For organizations with a lot of branch locations, SD-WAN can help lower the cost of providing a reliable network connection to those branches; a broadband link can be one-tenth the cost of an MPLS line.

Companies gain the flexibility of choosing what kind of link is best in a given situation: MPLS, broadband, LTE, or any combination of links. Having multiple links provides additional capacity as well as redundancy to avoid blackouts and brownouts—especially if different kinds of connections are installed. Businesses can be more agile if they don’t have to wait weeks or months for MPLS installation. And there is opportunity for better application performance if traffic can go straight to the Internet instead of being backhauled through a data center.

In general, the benefits of SD-WAN are just too good to ignore. I guess that’s why a majority of enterprises expect to be in production mode in the next year or so. But if there’s one thing that could put the brakes on the rapid adoption, it’s a concern over security. Enterprises won’t make a move unless they are certain they will get security that is as good or better than their current network situation.

VeloCloud has recently taken a big step toward a comprehensive “security ecosystem” it calls the SD-WAN Security Technology Partner Program. This is a multi-faceted effort to work with a range of technology companies to protect users’ branch, data center and cloud networks. The result is a best-of-breed, end-to-end security option for SD-WAN that covers both on-premises and cloud networks and can be delivered network-wide.

The first aspect of this program gives channel and technology partners access to VeloCloud’s APIs through a formal software development kit (SDK). This greatly simplifies the process for partners to develop security solutions that integrate into the VeloCloud SD-WAN architecture. The intent is that, with a simpler development process, more partners will develop solutions for this platform, thus giving both carriers and enterprise customers more options for how and where to implement network security.

VeloCloud has also introduced a virtual network function (VNF) framework that is open to the security partner ecosystem initially, and then sometime in the future to other types of technology partners. This enables vendors to develop their own security VNFs within that framework.

A VNF is a software-based or virtualized version of a specific function, such as a next-generation (NG) firewall. VNFs are centrally managed and orchestrated through policy. They can be service-chained so that traffic flows through multiple VNFs for security processing, and they can be provisioned zero-touch, often through self-service.

The security VNFs run on the VeloCloud Edge virtual customer premises equipment (vCPE) and are managed by the VeloCloud Orchestrator. This allows carriers and enterprise customers to integrate their preferred best-of-breed security technology with VeloCloud’s cloud-delivered SD-WAN.

There are three major elements to the security component of the VeloCloud VNF framework: network, cloud and management. On the network security side, the SD-WAN interoperates with the security vendor’s service, appliance or device wherever it sits: on-premises in the branch, at campus headquarters or in the data center. VeloCloud already has support from NG firewall vendors Palo Alto Networks, Check Point Software and Fortinet for network security, and others are in the works.

The second piece is cloud security. Through the VeloCloud gateways distributed around the globe, the SD-WAN is integrated with cloud security services where those services run: in the vendor’s own cloud or within an IaaS instance. Third-party security vendors can thus bring their own services into marketplaces operated by Amazon, Azure and the like. An example partner that fits the cloud security model is Zscaler. Using a Zscaler VNF, customers can secure their access to the Internet, to SaaS applications, and to private apps in the cloud.

The management element of the framework covers functions for visibility, monitoring and analytics. An example VNF would be a SIEM tool. An initial partner here is IBM, with its QRadar security intelligence platform and other security management tools.

VeloCloud has its own security capabilities

In addition to the security elements that channel and technology partners bring to market through the new partner program, VeloCloud has its own security capabilities that are an integral part of the SD-WAN architecture. Among them is the zero-touch deployment model: the home office or service provider ships an unconfigured vCPE device to a branch or remote location, and once it is plugged in and connected to a link, the edge device securely authenticates, connects and encrypts its traffic across the network.

VeloCloud has a distinctive way of doing key management for the vCPEs on a network. It marries PKI services and key exchange with the centralized orchestrator and an integrated certificate authority, and the service can check tunnel integrity. This key management feature supports both scalability and the dynamic multipath VPN.
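The zero-touch enrollment and PKI-based key management described in the two paragraphs above can be modelled in a few pieces. The Go program below is an added illustration written for this page; it is not VeloCloud's code and does not describe its actual protocol. An orchestrator-integrated CA (IntegratedCA) issues a certificate to each edge at enrollment, two edges authenticate each other by those certificates, agree a tunnel key through signed ephemeral ECDH, and check each packet's integrity with an HMAC under that key. The type and function names, the toy SHA-256 key derivation and the HMAC-only tunnel are assumptions made for the example; a real implementation would use a proper KDF, an AEAD cipher, and an activation token or similar gate on enrollment.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// IntegratedCA models the orchestrator's built-in CA (assumed design for this
// example, not VeloCloud's code); Pool is the trust anchor every shipped edge carries.
type IntegratedCA struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
	Pool *x509.CertPool
}

// Edge is a vCPE: an on-box identity key plus the certificate issued at enrollment.
type Edge struct {
	ID   string
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// Hello is a key-exchange message: certificate, ephemeral ECDH public key, and a
// signature over that key made with the certified identity key.
type Hello struct{ CertDER, EphPub, Sig []byte }

func template(cn string, isCA bool, ku x509.KeyUsage) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	return &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: ku}
}

// NewIntegratedCA builds the self-signed root (entropy-failure errors dropped for brevity).
func NewIntegratedCA(name string) *IntegratedCA {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := template(name, true, x509.KeyUsageCertSign)
	der, _ := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &IntegratedCA{key: key, cert: cert, Pool: pool}
}

// NewEdge generates the identity key on the box; the private key never leaves it.
func NewEdge(id string) *Edge {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Edge{ID: id, key: key}
}

// Enroll is the zero-touch step: the orchestrator binds the edge's public key to its
// ID in a leaf certificate (the activation-token check that gates this is elided).
func (ca *IntegratedCA) Enroll(e *Edge) error {
	t := template(e.ID, false, x509.KeyUsageDigitalSignature)
	der, err := x509.CreateCertificate(rand.Reader, t, ca.cert, &e.key.PublicKey, ca.key)
	if err != nil { return err }
	e.cert, err = x509.ParseCertificate(der)
	return err
}

// MakeHello returns the message to send and the ephemeral private key to keep.
func (e *Edge) MakeHello() (*Hello, *ecdh.PrivateKey, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	d := sha256.Sum256(eph.PublicKey().Bytes())
	sig, err := ecdsa.SignASN1(rand.Reader, e.key, d[:])
	return &Hello{e.cert.Raw, eph.PublicKey().Bytes(), sig}, eph, err
}

// DeriveTunnelKey authenticates the peer (certificate chains to the integrated CA and
// its ephemeral key is signed by that identity), then derives the shared tunnel key
// and returns it with the authenticated peer ID taken from the certificate.
func DeriveTunnelKey(pool *x509.CertPool, mine *ecdh.PrivateKey, peer *Hello) ([]byte, string, error) {
	cert, err := x509.ParseCertificate(peer.CertDER)
	if err != nil { return nil, "", err }
	if _, err := cert.Verify(x509.VerifyOptions{Roots: pool}); err != nil {
		return nil, "", fmt.Errorf("peer not issued by our CA: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	d := sha256.Sum256(peer.EphPub)
	if !ok || !ecdsa.VerifyASN1(pub, d[:], peer.Sig) {
		return nil, "", fmt.Errorf("ephemeral key not signed by %q", cert.Subject.CommonName)
	}
	peerEph, err := ecdh.P256().NewPublicKey(peer.EphPub)
	if err != nil { return nil, "", err }
	secret, err := mine.ECDH(peerEph)
	if err != nil { return nil, "", err }
	key := sha256.Sum256(append([]byte("sdwan-tunnel-key:"), secret...)) // toy KDF, assumed
	return key[:], cert.Subject.CommonName, nil
}

// Tag and CheckTag are the tunnel's per-packet integrity check (HMAC under the derived
// key); anything altered in flight is rejected. Encryption (e.g. AES-GCM) is omitted.
func Tag(key, payload []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(payload)
	return m.Sum(nil)
}

func CheckTag(key, payload, tag []byte) bool { return hmac.Equal(tag, Tag(key, payload)) }

func main() {
	ca := NewIntegratedCA("orchestrator-ca")
	branch, hub := NewEdge("branch-042"), NewEdge("dc-hub-1") // constructed sample edges
	fmt.Println(ca.Enroll(branch), ca.Enroll(hub))
	hb, bEph, _ := branch.MakeHello()
	hh, hEph, _ := hub.MakeHello()
	kB, peer, err := DeriveTunnelKey(ca.Pool, bEph, hh)
	kH, _, _ := DeriveTunnelKey(ca.Pool, hEph, hb)
	fmt.Println(peer, err, hmac.Equal(kB, kH))
}
```

Two failure cases this structure catches are worth trying by hand: an edge carrying a certificate from a different CA, even with the same claimed ID, is rejected at cert.Verify; and a Hello whose ephemeral key was swapped in transit fails the signature check, which is what stops an on-path attacker from substituting its own ECDH key. Revocation of a compromised edge certificate, which the orchestrator would have to handle, is not modelled here.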

Another key feature is true multi-tenancy combined with segmentation. Many large enterprises view themselves almost as service providers: they offer IT, network and security services to their business units as if those were completely separate tenants and customers, even though everything sits under the single umbrella of one holding company.

Then, of course, carriers and telcos have always demanded a multi-tenant solution to achieve the economies of scale that come from running thousands of customers on a single software instance. VeloCloud delivers that capability at the data plane, control plane or application plane, and can enable segmentation within each tenant. A carrier, for example, has thousands of customers, and each of those customers has its own segmentation needs. They may have PCI, voice and guest Wi-Fi traffic, each of which needs to be segmented with its own bandwidth, prioritization, business policy and security policy.

With its own capabilities and those of its security partners, VeloCloud ensures that security can be implemented everywhere, and in every way, that enterprise customers, carriers and telcos need within SD-WAN.
