
What Larry, Moe and Curly can teach us about network security and SD-WAN agility

Apr 05, 2018 | 6 mins
Network Security, Networking, SD-WAN

A recent survey of 712 IT professionals shows that network complexity remains a problem even after deploying SD-WAN.

In comedy, unexpected actions make for good fun. The pratfalls. The eye pokes. But in networking, the unexpected is hardly funny. And yet it was the antics of the Three Stooges that came to mind as I reviewed the results of Cato Networks’ latest networking survey.

The survey canvassed more than 700 enterprise IT buyers from around the globe about the drivers and challenges facing their networking and security deployments. What we observed serves as a promise and warning for anyone considering SD-WAN.

SD-WAN is supposed to be the answer to network complexity. And like any good slapstick setup, we can almost see how SD-WAN meets that objective. As an overlay aggregating traffic from MPLS, broadband and any other underlying data transport, SD-WAN hides the complexity of building a network from multiple data transports. Policies provide the intelligence for SD-WAN to select the optimum network for each application, freeing IT from making those calculations and changes manually, if that was even possible.

But here’s the thing: SD-WAN only simplifies networks if we don’t consider the rest of today’s enterprise. Add in threat protection for securing branch offices and private backbones for ensuring predictable application delivery, and complexity becomes a major challenge for today’s SD-WANs.

Who we surveyed

The survey asked 1601 respondents about the drivers and challenges facing their networking and security deployments. Of those 1606 respondents, we focused on 713 respondents whose organizations ran MPLS backbones. A range of industries was represented, with telecommunications, computers & electronics, and manufacturing being the most common sectors. More than three-quarters of respondents came from organizations with at least 11 locations, and more than half (57 percent) indicated their organizations had between two and four physical datacenters. Respondents were asked a variety of questions relating to the drivers and challenges they face in IT today, with an emphasis on networking and security.

Complexity: the real problem facing IT

What we found was that the complexity of today’s networks is a common complaint. It wasn’t necessarily called out that way. Respondents often pointed to the symptoms whose underlying cause is complexity.

As we looked at the primary networking challenges for 2018, for example, 39% of respondents ranked “equipment maintenance and updates” as the number two challenge and 35% of respondents made “managing the network” the number four challenge.

The same was true in the security domain. More than a third (39%) pointed to the “cost of buying and maintaining security appliances and software” as their primary security challenge in 2018. The same is true for “enforcing corporate security policy on mobile users,” which was made a primary security challenge by 34 percent of respondents.

Years of tactical decisions have led to the deployment of discrete management and connectivity tools. The result is a “technical debt” that complicates everything from provisioning new users to delivering new services. Additional tools for managing and connecting to the cloud, and others for managing mobile users, have further complicated our networks.

All of which has a level of complexity that we often take for granted. Think about it. Adding a new application to an enterprise network requires numerous configurations just to deliver the service. More bandwidth might be needed from the underlying MPLS network. WAN optimizers, if installed, need to be configured properly and often checked to be sure they won’t interfere with the application. Depending on how you handle security, ports might need to be opened, and with open ports comes the need for threat protection, requiring changes to your NGFW and IPS.

And that’s with just one application on one network. Many enterprises have a mix of MPLS and Internet-based VPNs, security appliances and more. Complexity truly is the enemy of good engineering.

Enterprises are looking to SD-WAN for help with managing that network complexity. Half of the respondents indicated simplifying the network or their security infrastructure will be primary use cases for SD-WAN in 2018.

At the same time, and here’s the slapstick trip, SD-WAN implementations are hardly simple enough. SD-WAN introduces an abstraction layer that needs to be managed along with the underlying data service. Done right, that can make networks simpler and more agile. But it raises concerns for enterprise buyers. A quarter of respondents planning to deploy SD-WAN indicated “additional complexity” as a primary barrier to further investment.

In fact, as we looked at the enterprises that had already deployed SD-WAN, complexity continued to be a challenge. Respondents also had complexity concerns with SD-WAN vendors and providers. Overall, 30% say SD-WAN appliances are too complex, followed by SD-WAN services (23%).

SD-WAN’s complexity crutch

To some extent, that’s understandable. Deploying an appliance yourself (do-it-yourself, or DIY) is always more complicated than purchasing a managed service. But complexity isn’t an inherent requirement of SD-WAN. The real problem comes when SD-WAN is taken in context with the rest of the network.

So much of SD-WAN’s benefits — cost savings, shorter deployment times, and better cloud performance — stem from leveraging direct Internet access. But to connect branch offices directly to the Internet, they must be protected from Internet-borne threats. And while traditional SD-WAN architectures claimed to be secure, that was only in the sense that they established encrypted tunnels between locations. They lack the next-generation firewall, secure web gateway or IPS/IDS capabilities needed to protect the perimeter.

Factoring security into SD-WAN complicates network configuration and troubleshooting significantly. Additional security appliances or cloud-based services are needed at branch locations. Operations teams must jump between SD-WAN and security management interfaces to configure users. Troubleshooting becomes harder, and with data fragmented across multiple domains, spotting the indicators of potential threats is harder still.

Security and SD-WAN belong together. And while integrating external security appliances doesn’t address the full problem, the plethora of partnerships between SD-WAN and security vendors attests to the importance the market places on converging the two domains.

Respondents would agree. The vast majority (81 percent) of respondents deploying SD-WAN in the next 12 months identify “protecting locations and the site-to-site connections from malware and other threats” as a “critical” or “very important” priority in their SD-WAN decision making.

Focusing only on the simplicity engendered by SD-WAN tells half the story. Security agility must be considered as well. By tackling both — network and security agility together — organizations will reduce the complexity that constrains today’s networks. And that’s no joke.


Dave Greenfield is the secure networking evangelist in the office of the CTO of Cato Networks. He brings more than 20 years of experience in IT and telecoms having worked as an award-winning journalist, blogger, and a technology analyst advising companies on their IT and WAN strategies.

Dave has a background in philosophy and computer science and is the author of the “Ultimate WAN RFP” and the “Essential Guide to Optical Networks.”

The opinions expressed in this blog are those of Dave Greenfield and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
