WAN Summit recap: challenges facing SD-WAN services

If the recent WAN Summit in New York where I moderated a panel on last-mile access (more on that later) was any indication, the SD-WAN market is shifting towards a service-delivery model where sufficient network security and predictability are baked into the SD-WAN so the service can replace MPLS.

In session and private conversations, topics related to secure SD-WAN services kept popping up. The challenges of today’s managed services. The impact of the cloud. The need for SLAs in SD-WAN services. How encryption complicates visibility and, by extension, enterprise security. These and other issues point to the change and challenges facing SD-WAN services.

SD-WAN and the rise of co-managed services

During his talk, “WAN design in the age of SD-WAN” Jim Fagan, director of global platforms at Telstra spoke about how the definition of what is a managed service changes with SD-WAN. It used to be that carriers provided fully-managed networking services —  the service delivery, design, maintenance and more were controlled by the carrier. To the enterprise, the a fully managed service is a black box. Got a problem? Open a ticket. There’s little visibility and no control over the service.

The cloud has changed how we think about networks, though. We’ve entered the world of co-management where the provider runs the underlying infrastructure, but the enterprise customer (or their MSP) is responsible for their SD-WAN instance across that infrastructure. Think AWS for networking services. In this new model, costs are much lower while control and visibility are much higher.

SD-WAN services also need to become more predictable if they’re to replace the role of MPLS. In a panel discussion, one panelist observed that there are many reasons for keeping MPLS even after deploying SD-WAN. The Internet is still too unpredictable in some regions or between regions to deliver the consistent, end-to-end performance needed by some corporate applications.

One enterprise user on the panel, Mike Howell, the Global Infrastructure Engineering Manager at Rentokil, the biggest pest control company in Europe and the second largest in the US, believes that MPLS performance will move into the ISP space. He noted that some ISPs already give SLAs on their networks, but that’s not done globally. “Perhaps in five years’ time MPLS will trend down fast.”

And if secure SD-WAN is to be delivered as a service, visibility is going to be critical. “If you don’t have visibility into the network, you can’t have the best security,” says Ripin Checker, director of cloud solutions, at Juniper Networks. Application-layer visibility into all traffic is important for enterprises or providers to gather the indicators pointing to potential threats. But the widespread adoption of encryption, organizations lose traffic visibility, which makes traffic intercept important and that’s a problem.

SD-WAN and the problems of the thin branch

There’s a push among service providers, vendors and many enterprises to reduce the hardware footprint in the branch office. There are the facility costs (heating, electricity, and real estate) that need to be considered when running multiple appliance in a wiring closet. Those appliances need to be deployed, sized, and maintained properly. All of which exacts a toll on operational expenses not just in terms of keeping the appliances running, but also in terms of complexity. Troubleshooting becomes more complicated with more components in the network. Agility is constrained.

It’s why Amar Abdelhak, the enterprise architect at AbbVie Inc., a pharmaceutical company with sites in more than 100 countries, believes in hyper-convergence, where multiple functions are offered on one or a few boxes, reducing appliance sprawl. Network Function Virtualization (NFV) is often seen as the way forward for providers to deliver hyper-convergence. WIth NFV, virtual network functions (VNFs) providers can run from different vendors run on an appliance.

But consolidating VNFs alone on branch appliances may not solve the problem. Life cycle management is vital when thinking of VNF across the branches, said Sunit Chauhan, senior director of product management at Nuage Networks, in one session. “Using VNFs with firewalls and WAN optimization is a complicated architecture.”

It’s made even more difficult by the constraints of the underlying appliance. Running so many functions on one appliance is bound to force hardware upgrades. Traffic spikes is one potential problem, but the other is applying all functions to all existing traffic. Enabling compute-intensive features, such as traffic decryption, exacts a heavy toll on the appliance, forcing unexpected hardware upgrades.

The answer? Moving more to the cloud, it seems.  “Shangri-La is moving the hardware into the cloud,” said Michael Kaehly, technical director in the advanced technology group of Riverbed.