TelcoNews Australia - Telecommunications news for ICT decision-makers
Are all SD-WANs created equal? (Quick answer: No)
Thu, 3rd Aug 2023

While the concept of SD-WAN is well-defined, how it's delivered isn't. Services, devices, and therefore outcomes, vary from vendor to vendor, as do use cases.

In its 2022 article on 'Magic Quadrant for SD-WAN', Gartner offers up this definition: "SD-WAN products replace traditional branch routers. They provide dynamic path selection, based on business or application policy, centralised policy and management of appliances, virtual private network (VPN), and zero-touch configuration. SD-WAN products are WAN transport-/carrier-agnostic, and create secure paths across WAN connections. SD-WAN products can be hardware-/software-based, managed directly by enterprises or embedded in a managed service offering."

As you can see, even Gartner acknowledges there are many delivery either/or's in the world of SD-WAN. 

What's changing in the SD-WAN world?

Less than a decade ago, we focused on partnering with end-to-end integrated technology vendors. But now, we're more often opting to work with specialised vendors to provide specific functions – because that's what they're good at.

And as the market grows, the application usage of SD-WAN, and the choices to be made, are also changing – and becoming increasingly specialised.  

For example, as the ability to send data rapidly from point A to B to Z has improved significantly over the years, speed is no longer a deciding factor when choosing between SD-WAN offerings. Instead, businesses realise that performance comes second to first-class security. 

And SD-WAN use cases have changed too. One size doesn't fit all.

Case in point: Gartner's whitepaper, Critical Capabilities for SD-WAN, discusses the application usage of SD-WAN by use case, from WAN for small branches, large global WANs, security-sensitive WAN, and cloud-first WAN to remote workers. As you'd expect, the requirements and expectations for each use case are quite different (although the list of standout vendors tends to be remarkably consistent).

But regardless of the use case, Gartner concludes that "Software-defined, wide-area network vendors are aggressively adding security service edge capabilities to position their offerings as single-vendor secure access service edge offerings." And for that, we are all thankful.

Is choosing an SD-WAN plane sailing?

In a nutshell: No, it's not. SD-WAN control planes and data planes have become defining differences between vendor solutions. 

Here's a quick refresher for those who don't live and breathe SD-WAN: The control plane is the brain – it decides how your data (traffic) is managed, routed, and processed. The data plane, by contrast, is the muscle – it does the heavy lifting and moves the data from A to B to Z. Over and above this is a management plane, which is a centralised console for onboarding, provisioning, monitoring, and, if needed, troubleshooting. And some vendors offer a fourth plane for orchestration.

The thing to note is where these components 'reside' in an SD-WAN offering. For example, one vendor may use a distributed architecture where the planes are separated to enable easier multi-cloud deployment.

Yet another may physically embed the data and control planes in the SD-WAN device to provide a more robust, fully integrated security offering. (I'm not saying either option is good or bad – just different.)

Are we all on the same plane here? And should we be?

I recently talked to a potential client keen to offer their customers a subscription SD-WAN service. They expected that, as a software-defined system, the SD-WAN hardware device would include the data plane but not the control plane. The control plane, they argued, is traditionally in the cloud. 

And they're almost correct. Often, it is – but not always. But would that model of SD-WAN fit their particular use case? 

I argued that if they wanted to offer their customers a secure SD-WAN service, it had to come with on-premises security. That is, the control plane and the data plane need to be natively integrated into the device itself, along with functionality such as access control lists (ACLs), VPN, segmentation, and firewalls (and advanced functionality like an intrusion prevention system (IPS), Layer 7 firewall, anti-malware, URL/content filtering, lite DLP, and more).

Whereas if they opt for cloud-delivered security, where the control plane and data plane are distributed, it would be much harder to guarantee and manage the robust security their subscribers expect. My point is that if you use cloud-based software to manipulate your traffic based on where you want it sent, you must also rely on the cloud to issue instructions, introducing more complexity and points of potential weakness to the subscriber package.

So, in this use case, would their end users really want high-speed processing and security as separate services? Or would a single integrated package with fewer 'moving' parts be a better proposition? 

In my opinion, the answer to that question is obvious. Simplicity always wins.

Changing times = changing needs

The SD-WAN vendor who doesn't move with, and even ahead of, the times is vulnerable. Compared with three to four years ago, there have been significant changes to how we work and, therefore, to what we need to enable and protect us and our networks.

Only five years ago, we expected to commute to the office and work all day within the safety of a firewall-protected network. To mitigate the stress on the gateway, we'd usually use an SD-WAN to manipulate the flow of traffic. 

During- and post-COVID, the en masse move to work-from-home and from remote locations sees us (or our data centre) still reliant on SD-WAN. But now, it also serves the purpose of supporting easy and secure access to applications and cloud resources – from wherever we are. 

Where to next?

Security, security, and more security. We've all seen the incredible growth in the volume and complexity of cyberattacks, and we're rightly cautious. That's why so many vendors have enhanced their SD-WAN offerings to embrace SASE (Secure Access Service Edge), edge network intelligence (ENI), artificial intelligence (AI) and machine learning (ML).

Gartner says (and I agree): "By 2025, 50% of new software-defined WAN (SD-WAN) purchases will be part of a single-vendor secure access service edge (SASE) offering, which is a major increase from 10% in 2022."

I think it's safe to say that while use cases for SD-WAN may vary, the case for prioritising security will remain steadfast.