What Larry, Moe and Curly can teach us about network security and SD-WAN agility

A recent survey of 712 IT professionals shows that network complexity remains a problem even after deploying SD-WAN.

In comedy, unexpected actions make for good fun. The pratfalls. The eye pokes. But in networking, the unexpected is hardly funny. And yet it was the antics of the Three Stooges that came to mind as I reviewed the results of Cato Networks’ latest networking survey.

The survey canvassed more than 700 enterprise IT buyers from around the globe about the drivers and challenges facing their networking and security deployments. What we observed serves as both a promise and a warning for anyone considering SD-WAN.

SD-WAN is supposed to be the answer to network complexity. And like any good slapstick setup, we can almost see how SD-WAN meets that objective. As an overlay aggregating traffic from MPLS, broadband and any other underlying data transport, SD-WAN hides the complexity of building a network from multiple data transports. Policies provide the intelligence for SD-WAN to select the optimum network for each application, freeing IT from making those calculations and changes manually, if that was even possible.

But here’s the thing: SD-WAN only simplifies networks if we don’t consider the rest of today’s enterprise. Add in threat protection for securing branch offices and private backbones for ensuring predictable application delivery, and complexity becomes a major challenge for today’s SD-WANs.

Who we surveyed

The survey asked 1601 respondents about the drivers and challenges facing their networking and security deployments. Of those 1606 respondents, we focused on 713 respondents whose organizations ran MPLS backbones. A range of industries was represented, with telecommunications, computers & electronics, and manufacturing being the most popular sectors. More than three-quarters of respondents came from organizations with at least 11 locations, and more than half (57 percent) indicated their organizations had between two and four physical datacenters. Respondents were asked a variety of questions relating to the drivers and challenges they face in IT today, with an emphasis on networking and security.

Complexity: the real problem facing IT

What we found was that the complexity of today’s networks is a common complaint. It wasn’t necessarily called out that way. Respondents often pointed to the symptoms of the underlying cause: complexity.

As we looked at the primary networking challenges for 2018, for example, 39% of respondents ranked “equipment maintenance and updates” as the number two challenge and 35% of respondents made “managing the network” the number four challenge.

The same was true in the security domain. More than a third (39%) pointed to the “cost of buying and maintaining security appliances and software” as their primary security challenge in 2018. The same is true for “enforcing corporate security policy on mobile users,” which was made a primary security challenge by 34 percent of respondents.

Years of tactical decisions have led to the deployment of discrete management and connectivity tools. The result is a “technical debt” that complicates everything from provisioning new users to delivering new services. Additional tools for managing and connecting to the cloud, and others for managing mobile users, have further complicated our networks.

All of which has a level of complexity that we often take for granted. Think about it. Adding a new application to enterprise networks requires numerous configurations just to deliver the service. More bandwidth might be needed from the underlying MPLS network. WAN optimizers, if installed, need to be configured properly and often checked to be sure they won’t interfere with the application. Depending on how you handle security, ports might need to be opened, and with open ports comes the need for threat protection, requiring changes to your NGFW and IPS.

And that’s with just one application on one network. Many enterprises have a mix of MPLS and Internet-based VPNs, security appliances and more. Complexity truly is the enemy of good engineering.

Enterprises are looking at SD-WAN for help with managing that network complexity. Half of the respondents indicated simplifying the network or their security infrastructure will be primary use cases for SD-WAN in 2018.

At the same time, and here’s the slapstick trip, SD-WAN implementations are hardly simple enough. SD-WAN introduces an abstraction layer that needs to be managed along with the underlying data service. Done right, that can make networks simpler and more agile. But it raises concerns for enterprise buyers. A quarter of respondents planning to deploy SD-WAN indicated “additional complexity” as a primary barrier to further investment.

In fact, as we looked at the enterprises that deployed SD-WAN, complexity continues to be a challenge. Respondents also had complexity concerns with SD-WAN vendors and providers. Overall, 30% say SD-WAN appliances are too complex, followed by SD-WAN services (23%).

SD-WAN’s complexity crutch

To some extent, that’s understandable. Deploying an appliance yourself (do-it-yourself, or DIY) is always more complicated than purchasing a managed service. But complexity isn’t a requirement for SD-WAN. The real problem comes when SD-WAN is taken in context with the rest of the network.

So much of SD-WAN’s benefits — cost savings, shorter deployment times, and better cloud performance — stem from leveraging direct Internet access. But to connect branch offices directly to the Internet, they must be protected from Internet-borne threats. And while traditional SD-WAN architectures claimed to be secure, that was only in the sense that they established encrypted tunnels between locations. They lack the next-generation firewall, secure web gateway or IPS/IDS capabilities to protect the perimeter.

Factoring security into SD-WAN complicates network configuration and troubleshooting significantly. Additional security appliances or cloud-based services are needed at branch locations. Operations teams must jump between SD-WAN and security management interfaces to configure users. Troubleshooting is made more difficult. And with data fragmented across multiple domains, spotting the indicators of potential threats is made more difficult.

Security and SD-WAN belong together. And while integrating external security appliances doesn’t address the full problem, the plethora of partnerships between SD-WAN and security vendors attests to the importance the market places on converging the two domains.

Respondents would agree. The vast majority (81 percent) of respondents deploying SD-WAN in the next 12 months identify “protecting locations and the site-to-site connections from malware and other threats” as a “critical” or “very important” priority in their SD-WAN decision making.

Focusing only on the simplicity engendered by SD-WAN tells half the story. Security agility must be considered as well. By tackling both — network and security agility together — organizations will reduce the complexity that constrains today’s networks. And that’s no joke.

This article is published as part of the IDG Contributor Network.
