The Future of SD-WAN. Today.
SD-WAN Services
The Difference Between Carrier-Managed SD-WAN & SD-WAN as a Service
Carrier-managed SD-WAN vs. SD-WAN as a Service
Why SD-WAN Services?
As CIOs seek to reduce the connectivity costs of MPLS or deliver more efficient global networks, many are considering software-defined wide area network (SD-WAN) solutions.
SD-WAN appliances aggregate multiple network services with a virtual overlay, forming a network with more bandwidth and better availability for less cost than MPLS. At the same time, SD-WAN appliances don’t provide predictable connectivity and advanced security (see “So Why Not an Appliance?”). SD-WAN services address these limitations:
• Managed SD-WAN services offered by carriers ("Carrier-managed SD-WAN") package third-party SD-WAN and security appliances with carrier transport.
• SD-WAN as a Service (SDWaaS), offered by specialized cloud providers, converges networking and security into a cloud service.
Each approach has strengths and weaknesses. Which is right for you? Let’s find out.
Carrier-Managed SD-WAN: Old Carrier Style in New Carrier Clothes
With carrier-managed SD-WAN, carriers design, build, and maintain an SD-WAN using customer premises equipment (CPE) — the SD-WAN appliances. The carrier brings enterprises the assurance of the familiar, though frustrating, partner, who provides:
• Service level agreements (SLAs) and predictable network transport not provided by SD-WAN appliance vendors
• Expertise to integrate disparate IT tools and services into an SD-WAN
• Ongoing SD-WAN management, enabling enterprises to focus IT personnel and resources on other, higher-value projects
Technically, carrier-managed SD-WAN operates no differently than the underlying SD-WAN appliances. The appliances form an encrypted overlay, routing traffic between them based on real-time traffic conditions, business priorities, and application requirements. To provide network security and additional services, carriers will integrate third-party appliances or services using service insertion and service chaining, or run third-party security software in the SD-WAN appliance.
[Figure: SD-WAN devices at the HQ/datacenter and the branch, linked through the carrier network by managed connectivity and by unmanaged connectivity, with management control from the carrier NOC.]
With carrier-managed SD-WAN, the network operator deploys and manages SD-WAN appliances at the customer premises, connecting them with its (often regional) network.
SD-WAN as a Service: Powerful Cloud Computing Meets Networking
SD-WAN as a Service (SDWaaS) converges SD-WAN and network security into a global, private cloud. The many third-party appliances comprising service provider networks are replaced by a converged, cloud-scale, network and security software stack. This software stack runs across a global, geographically distributed, SLA-backed network of points-of-presence (PoPs), interconnected by multiple tier-1 carriers.
The SDWaaS provider maintains the underlying shared infrastructure — the networks, servers, storage, and software — forming the cloud. Enterprises instantiate, configure and manage their SD-WANs running across this cloud as if they ran on their own dedicated equipment. This gives enterprises the best of both worlds: the low costs of shared infrastructure and the flexibility and performance of dedicated devices.
More specifically, SDWaaS uses a “thin edge” architecture where most processing happens in the core of the SDWaaS network. The edge device needs just enough intelligence to select the optimum Internet transport to reach the closest PoP (or alternative transport, such as MPLS). By minimizing processing, the edge can be implemented anywhere: as stand-alone, zero-touch appliances for physical locations, mobile client software for mobile devices and laptops, or just as IPsec tunnels for third-party firewalls or cloud services.
The cloud software handles the “heavy lifting,” executing the routing, optimal path selection, throughput maximization, and advanced security services. It analyzes traffic entering the PoP, applies the necessary security and networking optimizations, and routes the traffic across the optimal path to the PoP nearest to the destination.
[Figure: Branch, cloud datacenter, mobile user, and HQ/datacenter connected to SD-WAN as a Service: a global network built across multiple tier-1 backbones, a distributed SD-WAN software stack, and integrated network security.]
SDWaaS converges SD-WAN capabilities and network security onto a global, private cloud.
Agility and Change Management
Complexity typifies traditional network services. They involve many discrete appliances — routers, firewalls, WAN optimizers and more — with cumbersome command line interfaces. The opportunity for misconfigurations and unique site configurations (“snowflake implementations”) only grows. Customers need to open tickets for even minor network changes, often taking hours to fix issues enterprises could resolve in minutes.
Carrier-managed SD-WAN brings that philosophy to SD-WAN, leaving enterprises with the same cumbersome, process-laden approach. Moves, adds or changes require opening support tickets. Simple configurations, like adding a static route, take hours not minutes, and often only after late-night calls or after-hour disruptions.
Some carrier-managed SD-WAN services claim to be “co-managed” where the enterprise and the carrier can change the SD-WAN (though not necessarily the security infrastructure). Even in these cases, carriers recommend enterprises don’t “do it alone,” clearing changes with their customer-service engineer.
But IT pros have enough basic networking knowledge to configure an SD-WAN. Requiring them to pay for the same costly, process-intensive service and support structures as MPLS and then wait for a carrier response makes no sense and is typical of the pre-cloud way of thinking. With a well-designed interface, customers can safely make changes to the network themselves, leaving the provider to keep “the lights on,” just as Amazon AWS enables us to manage our servers and storage and leaves Amazon to maintain the underlying service.
SDWaaS brings the same “cloud” mentality to network services. With full-featured, self-service portals, SDWaaS customers provision new users, configure and change firewall and access policies, add static routes and more without any provider involvement. All of which becomes possible because the network and security infrastructure underlying SDWaaS not only appears to be simpler, but is in fact simpler.
What to Consider
To determine the right service model for your organization, consider the strengths of MPLS that are missing from SD-WAN appliances. More specifically, compare carrier-managed SD-WAN and SDWaaS across the following domains:
• Agility and Change Management
• Monitoring and NOC Services
• Global Connectivity
• Network Security
• Cloud and Mobile Coverage
• Last-mile Aggregation
• Service Onboarding and Customer Experience
• Affordability
Monitoring and NOC Services
In part due to their complexity, carrier-managed services require 24x7x365 network operations center (NOC) monitoring services. NOC services include event monitoring and management, incident alerting, problem resolution, and change management. All of which brings peace of mind — at a price.
With SDWaaS, providers continue to monitor the underlying infrastructure 24x7x365 but, as mentioned, customers can also monitor their SD-WANs. The result: a far nimbler, more affordable service customers can purchase. Full management is optionally available with SDWaaS, giving organizations the flexibility they need to adapt to today's business realities. Specifically, SDWaaS partners offer 24x7x365 management, single-ticket submission, a central point of contact and consolidated billing.
Global Connectivity
Carrier-managed SD-WAN provides the predictable transport missing with SD-WAN appliances. However, the networks underlying carrier-managed SD-WAN are often regional. For global access, carriers must partner with one another to deliver an end-to-end managed service. The result: choice will be limited to carrier partners and often at a premium. The alternative, connecting across the public Internet, exposes enterprises to the unpredictability of this transport.
SDWaaS providers are designed for global connectivity. Leveraging multiple tier-1 carriers provides them greater reach than any one network — and better performance. For one, the SDWaaS overlay will choose a better performing carrier network, if available. What’s more, SDWaaS mitigates the effects of latency and reduces packet loss with advanced network optimization, such as TCP proxies and packet loss compensation techniques.
Cloud and Mobile Coverage
The SD-WAN appliances comprising carrier-managed SD-WAN are not inherently designed for the cloud. Enterprises need to deploy (and pay for) an SD-WAN appliance near (or in) the appropriate IaaS and SaaS provider datacenter.
Some SD-WAN appliance vendors provide regional carriers with limited cloud access, offering shared gateways to select datacenters of cloud datacenter providers. But the lack of middle-mile control hampers the optimization of access between branch locations and cloud datacenters. No SD-WAN appliance supports mobile users.
By contrast, SDWaaS is inherently mobile- and cloud-friendly. Mobile clients connect to the nearest PoP, allowing one set of policies and traffic rules to govern users in and out of the office.
Cloud datacenter and cloud application services support are included in SDWaaS. The PoPs are often collocated in the same physical datacenters as the cloud datacenter and cloud application entrance points. Application-aware routing directs cloud traffic across the SDWaaS network to the PoP closest to the destination, in this case the doorstep of the cloud datacenter or application provider.
[Figure: Cato vs. MPLS: Annual Spend Comparison. Cato + Internet: $115,000 (Cato Cloud $30,000; Last Mile $85,000). MPLS: $324,000 (Other $233,000; Connectivity $84,000; WAN Optimization $7,000).]
Network Security
SD-WAN appliances lack advanced network security, such as a next-generation firewall (NGFW), IPS, and secure web gateway (SWG). Instead, carrier-managed SD-WAN will either use service insertion and service chaining to integrate with external security appliances or dedicated cloud services, or run VNFs (virtual network functions) within the appliance.
Both approaches have problems. Running external security appliances/services can add latency, forcing traffic through an additional service or device. Visibility is obscured and service delivery made complicated by the disparate devices. And carriers remain burdened with additional costs of patching, scaling, and maintaining the appliances, which ultimately impacts the costs or quality of the service to the customer.
VNFs are not the answer, either. Running VNFs on a physical CPE risks cross-VNF processing and memory degradation of the underlying appliance. Some VNFs, such as routers and SD-WAN appliances, consume relatively few resources. Others, such as URL filtering, anti-malware or IPS, are very sensitive to the traffic mix and will require more (or fewer) resources as traffic changes. Sizing CPEs is not a trivial matter and forced upgrades will become routine. Carriers must assume these costs and pass them onto their customers to be competitive. Management is also per point solution, leaving visibility fragmented and complicating management.
Moving VNFs into the carrier core requires a scalable and elastic underlying infrastructure. As the load on VNFs increases, extra resources need to be allocated dynamically. Otherwise, carriers risk impacting the other VNFs sharing the host. But carriers often lack such an infrastructure, leading to the underutilization of hardware and inefficiencies that again ultimately impact the customer.
SDWaaS builds security services into the network. There are no distinct virtual appliances or VNFs. The multitenant cloud software provides security and networking capabilities for all users. The SDWaaS cloud software is elastic, automatically provisioning and deprovisioning resources as necessary. As such, SDWaaS faces none of the scaling challenges confronting carrier-managed SD-WAN.
With a single, converged portal, SDWaaS allows IT teams to identify patterns normally obscured when data is spread across network and security appliances. Service delivery is also simplified by not having to configure disparate devices.
Case Study: Managed SD-WAN Services: Too Difficult to Work With
Like many companies, Fisher & Company, a manufacturer in the automotive industry, relied on a managed MPLS service for its global network. And like many IT pros, Kevin McDaid, systems manager at Fisher & Company, grew tired of the complexity of working with MPLS operators. “Something as simple as enabling access to a website through our firewall meant having to call support. It was very frustrating,” he says.
He decided to switch to SD-WAN and trialed a managed SD-WAN service from a different network service provider. “They wanted us to submit requests for configuration changes; it was like our old MPLS provider all over again,” he says.
Ultimately McDaid turned to Cato Cloud. He reduced his annual spend to a third and improved uptime. With Cato, McDaid could retain control over his network and security infrastructure yet gain the agility and scaling benefits of a cloud service. “I don’t have exact percentages, but uptime has certainly increased,” he says, “I can definitely sleep better at night with Cato.”
Last-mile Aggregation
Carrier-managed SD-WAN bundles SD-WAN appliances with the carrier's own last-mile networks, simplifying deployment. At the same time, enterprises lose the ability to easily switch between last-mile service providers; carriers require sites to have at least one of their network connections.
SDWaaS utilizes the customer’s existing last mile. As such, enterprises have more flexibility in picking their ISP. The additional freedom leaves enterprises responsible for negotiating those relationships. Centralized ordering, monitoring, invoicing, and billing can be provided by last-mile aggregators, who maintain relationships with local ISPs and other last-mile providers around the globe.
Service Onboarding and Ongoing Customer Experience
Carrier-managed SD-WAN services bring the complexity typical of adopting a carrier service. Unlike cloud services, there’s no free service trial. If a Proof of Concept (PoC) needs to be run, setup and execution can take weeks. Carrier-managed services often require three- to five-year commitments.
By contrast, SDWaaS can be trialed easily either by simply connecting an existing firewall or downloading some software. Multiyear commitments are optional.
Affordability
The overhead of carrier networks impacts the affordability of carrier-managed services. There are the markup costs of reselling third-party appliances, the goods and personnel needed to manage the network, and the additional tech personnel required to support customers. All of those costs and more elevate carrier-managed SD-WAN prices, which either impacts service quality or increases pricing to the customer.
By simplifying their networks, SDWaaS providers eliminate that overhead. SDWaaS providers own the software; there are no additional markup fees. With fewer parts, fewer personnel are needed to run the network. By leveraging inexpensive Internet backbones, not traditional carrier services, bandwidth costs are also far lower. As a result, SDWaaS can cost a fraction of carrier-managed SD-WAN.
So Why Not an SD-WAN Appliance?
SD-WAN services arose because SD-WAN appliances alone fail to address the range of interrelated networking and security challenges facing organizations. They require additional equipment and services, making the complete SD-WAN far more complex and costly than just the price tag of SD-WAN appliance hardware. Specific problems include:
Internet Unpredictability
The lack of a global, predictable transport prevents the SD-WAN appliances from displacing MPLS.
Scaling Limitations
The limited processing of an appliance form factor prevents integrating resource-intensive services, such as content inspection, into the SD-WAN, forcing third-party security solutions.
Poor Internet Performance
Without the necessary security, SD-WAN appliances alone cannot provide branch offices with safe, direct access to the public Internet. They require companies to centralize Internet-facing firewalls, adding latency to Internet and cloud connections, or, once again, increase costs with additional security infrastructure.
Cloud and Mobile Problems
SD-WAN appliances ignore mobile users. As for the cloud, appliances must be located in or near the datacenters of cloud providers, making deployment far more difficult.
Ultimately, SD-WAN appliances make WANs simpler but not simple. They still require experienced engineers to design, deliver, and manage the network and security infrastructure, which is why many organizations turn to SD-WAN service providers for help.
Case Study: Humphreys Replaces SD-WAN Appliances, MPLS and Mobile VPN with Cato Cloud
For years, MPLS services were the de facto standard for building a predictable, enterprise network between locations. And like many enterprises, Humphreys & Partners Architects, a Dallas-based architectural services firm, built its U.S. network on an MPLS service. “The problem with MPLS is that it’s expensive, slow, and takes forever to get anything done,” says Paul Burns, IT Director at Humphreys.
When Humphreys needed to open a new office in Uruguay, Burns began investigating augmenting and replacing MPLS with SD-WAN and Internet connectivity. He gradually deployed SD-WAN appliances in Uruguay and four other locations, swapping MPLS inflexibility for SD-WAN complexity. “The configuration pages of the SD-WAN appliance were insane. I’ve never seen anything so complicated,” says Paul. “Even the sales engineer got confused.”
The appliance-based architecture also proved difficult to get fully working. “Sometimes our Dallas office could connect to two sites, but they couldn’t connect to each other. The vendor’s answer: update our firmware and reboot. But that didn’t work,” he says.
Ultimately, Paul abandoned the SD-WAN appliance architecture for Cato Cloud. “Cato gave us freedom,” says Paul. “Now we can use a socket, a VPN tunnel, or the mobile client, depending on location and user requirements.”
With SD-WAN appliances, connecting international locations was going to be a problem. “My biggest concern with our previous SD-WAN was shipping the appliance,” says Paul. “There was the matter of clearing customs and installation. We’d be dealing with a communist country [in the case of Vietnam], and I wasn’t familiar with its culture. Instead, users can now just download and run Cato’s mobile client.”
Carrier-managed SD-WAN vs. SD-WAN as a Service (SDWaaS)

Agility and Change Management
• Carrier-Managed SD-WAN: Limited; bandwidth can be added or removed rapidly. Requires use of carrier's MPLS or Internet services. Changes to network/security infrastructure require opening tickets.
• SDWaaS: Extensive; bandwidth can be added or removed rapidly. SDWaaS can use any data service. Organizations can change network/security infrastructure themselves.

Monitoring and NOC Services
• Carrier-Managed SD-WAN: Included; 24x7 network event monitoring is part of the SD-WAN service. Optional; security monitoring requires additional equipment or services.
• SDWaaS: Included; 24x7 network and security event monitoring are part of SDWaaS.

Global Connectivity
• Carrier-Managed SD-WAN: Optional; typically requires carrier to work with third-party providers at significantly increased costs and often with limited end-to-end management.
• SDWaaS: Included; global footprint is part of SDWaaS.

Network Security
• Carrier-Managed SD-WAN: Optional; third-party security solutions must be integrated by the carrier with the SD-WAN.
• SDWaaS: Included; network security is fully converged into SDWaaS, requiring no additional security appliances or services.

Cloud Support
• Carrier-Managed SD-WAN: Included; carrier extends its network, but not necessarily its SD-WAN, to the IaaS service.
• SDWaaS: Included; IaaS and SaaS are intrinsic to SDWaaS.

Last-mile Aggregation
• Carrier-Managed SD-WAN: Yes, third parties often needed for global deployments.
• SDWaaS: Yes, third-party partners required.

Service Onboarding and Customer Experience
• Carrier-Managed SD-WAN: Not provided; carrier-managed services require opening tickets to make even small network or security changes to onboard new users.
• SDWaaS: Included; self-service or co-managed models are available for rapid onboarding and troubleshooting.

Affordability
• Carrier-Managed SD-WAN: Expensive; the licenses needed to maintain the SD-WAN and security appliances increase costs.
• SDWaaS: Affordable; no third-party licenses to increase service costs.
Cato Cloud is SD-WAN as a Service
Cato Cloud is Cato’s secure global SDWaaS. Cato Cloud is comprised of two complementary layers — the Cato Cloud Network and Cato Security Services. The Cato Cloud Network is a global, geographically distributed, SLA-backed network of PoPs, interconnected by multiple tier-1 carriers. Cato Security Services are a fully managed suite of enterprise-grade and agile security capabilities, built into the network. Current services include a NGFW, SWG, Advanced Threat Prevention, Cloud and Mobile Access Protection and Network Forensics.
By converging networking and security onto an SLA-backed backbone, Cato Cloud lets organizations drop MPLS without compromising network performance, eliminate branch appliances, gain direct, secure Internet access everywhere, and seamlessly extend the enterprise WAN to mobile users, cloud datacenters, and cloud applications.
[Figure: Cato Cloud with its Network and Security layers. Connected edges: HQ/Datacenter, Branch, Mobile Users, Cloud Datacenter, the web, and MPLS. Connection options shown: Cato Socket (SD-WAN), Cato Client, Agentless. Capabilities shown: Routing, Reliability, Encryption, Optimization, Next Generation Firewall, VPN, Secure Web Gateway, Advanced Threat Prevention, Secure Cloud and Mobile Access, Network Forensics.]
Where do you want to start?
• Branch Appliance Elimination
• Secure Cloud-Based SD-WAN
• Affordable MPLS Alternative
• Cloud Datacenter Integration
• Simple Network Automation
• Mobile Access Optimization
Global Backbone. Cloud-Based SD-WAN. Firewall as a Service. All in One
Cato Networks provides organizations with a cloud-based and secure global SD-WAN. Cato delivers an integrated networking and security platform that securely connects all enterprise locations, people, and data. Cato Cloud cuts MPLS costs, improves performance between global locations and to cloud applications, eliminates branch appliances, provides secure Internet access everywhere, and seamlessly integrates mobile users and cloud datacenters into the WAN.
Based in Tel Aviv, Israel, Cato Networks was founded in 2015 by cybersecurity luminary Shlomo Kramer, co-founder of Check Point Software Technologies and Imperva, and Gur Shatz, co-founder of Incapsula.
For more information:
www.CatoNetworks.com
@CatoNetworks