SD-WAN Drives Interoperability
by Steve Woo
This fall ONUG participants are focusing on interoperability. For enterprises and service providers alike, interoperability means avoiding vendor lock-in, but even more importantly it means achieving the ability to piece together the best solutions for their needs. Interoperability may be considered a key promise of applying SDN principles to the WAN. It goes beyond the architectural separation of the control plane from the data plane to explicitly focus on the goal of open and interoperable systems. Let’s look at some examples of innovation in interoperability in the four key areas below:
- Network connectivity
- Security services
- Application / policy services
- Service provider clouds
Network Connectivity
The most fundamental interoperability goal for SD-WAN is transport independence, the abstraction of application flows from the underlying physical transport. This enables interoperability with different provider networks. Prior to SD-WAN, multiple-provider and hybrid WAN configurations were dependent on complex and fragile routing configurations. Network resources were too often under-utilized and application resiliency was not achieved.
SD-WAN logical overlay networks are delivering the business level abstraction and configuration simplicity desired. It is easy to construct WANs that interoperate with networks from different providers, and hybrid WANs that more easily leverage broadband Internet.
However, a loftier interoperability goal is to enable application performance over the most flexible choice of transports. The most network sensitive real-time voice, video and unified communications applications should perform with high quality over broadband Internet networks whether in hybrid or broadband only WANs. Enterprises and their service providers are keenly interested in the ability of SD-WAN to enable over-the-top (OTT) delivery. Unified communications-as-a-service (UCaaS) providers are one category at the forefront of deploying this capability.
Security Services
Security is one of the critical services, whether it is application-level firewalling, web security or advanced threat protection, so interoperability with different solutions and vendors is the common refrain. Most will see the value of a virtual service such as a firewall deployed in the cloud; however, many may see this as more of a network services virtualization (NSV) than SD-WAN added value.
SD-WAN contributes to interoperability in three distinct use cases. First, the SD-WAN solution itself might serve as the virtual services platform, particularly for the customer premises equipment (CPE) in the branch. The business-level abstractions and automation of SD-WAN solutions simplify the instantiation of interoperable security services into the remote branch. Second, the SD-WAN service itself might be deployed as a virtual network function (VNF) on a universal CPE or on the cloud platform, enabling interoperability with any desired security service.
Both of these deployment options ultimately contribute to the third and most powerful value add, which is simplified, policy based forwarding or service chaining of traffic to different security services. These security services might be deployed within the CPE, as traditional appliances deployed in enterprise central datacenters or regional hubs, or as virtual services deployed in the cloud.
Application / Policy Services
Interoperability with different orchestration frameworks is a given objective for SD-WAN and is enabled by the control plane abstractions as well as ability of some solutions to be deployed directly as a VNF.
However, consider the additional potential for policy interoperability within specific chained services such as the security services discussed above. SD-WAN innovation can not only provide the service chaining across the WAN to a cloud-deployed function, but also offload some of the functionality best done before forwarding the traffic. The SD-WAN data plane connects multiple service delivery points, i.e. the branch and the cloud, and should therefore coordinate policy across these nodes as well. In the cloud-deployed security use case, there will often be policies disallowing specified application flows regardless of embedded threats, suspicious behavioral patterns or source reputations. If no further inspection or analytics are required at the cloud, the application-aware SD-WAN edge at the CPE can execute a subset of the policies. Service chaining is achieved while optimizing use of network resources.
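The edge-offload idea above, as an added toy example that is not part of the original article or any vendor's product: the CPE walks the full ordered policy so rule precedence is preserved, enforces locally only the rules whose verdict needs no cloud inspection (plain application deny or direct-forward rules), and service-chains everything else to the cloud security function. The rule names, fields and sample flows are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Flow:
    src_site: str   # branch the flow originates from (constructed name)
    app: str        # application label from the edge's app-aware classifier
    dst: str        # destination service or host (constructed name)

@dataclass(frozen=True)
class Rule:
    name: str
    app: Optional[str]              # None matches any application
    action: str                     # "deny", "direct" (send straight out) or "chain" (to cloud security)
    needs_inspection: bool = False  # True when the verdict depends on cloud threat analytics

# Constructed ordered policy: first matching rule wins, as in a firewall rule base.
POLICY: List[Rule] = [
    Rule("block-p2p",     app="bittorrent", action="deny"),
    Rule("voice-direct",  app="voip",       action="direct"),
    Rule("web-inspect",   app="http",       action="chain", needs_inspection=True),
    Rule("default-chain", app=None,         action="chain", needs_inspection=True),
]

def first_match(flow: Flow, policy: List[Rule]) -> Rule:
    """Return the first rule whose application selector matches the flow."""
    for rule in policy:
        if rule.app is None or rule.app == flow.app:
            return rule
    return Rule("implicit-chain", None, "chain", needs_inspection=True)

def edge_decision(flow: Flow, policy: List[Rule]) -> Tuple[str, str]:
    """CPE verdict: enforce locally if the winning rule needs no cloud inspection,
    otherwise service-chain the flow to the cloud security function."""
    rule = first_match(flow, policy)
    if rule.needs_inspection:
        return rule.name, "chain"
    return rule.name, rule.action

def plan(flows: List[Flow], policy: List[Rule]) -> Dict[str, int]:
    """Count how many flows the edge handles locally versus chains to the cloud."""
    counts = {"deny": 0, "direct": 0, "chain": 0}
    for flow in flows:
        counts[edge_decision(flow, policy)[1]] += 1
    return counts

if __name__ == "__main__":
    sample = [Flow("branch-1", "bittorrent", "tracker.example"),
              Flow("branch-1", "voip", "ucaas.example"),
              Flow("branch-2", "http", "www.example"),
              Flow("branch-2", "smb", "fileserver.example")]
    for f in sample:
        print(f.app, "->", edge_decision(f, POLICY))
    print(plan(sample, POLICY))
```

Only the two `needs_inspection=False` rules ever produce a local verdict; every other flow still reaches the cloud service, so the offload never weakens the cloud policy, it only spares the WAN the traffic the policy would have dropped anyway.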
Service Provider Clouds
SD-WAN solutions can also facilitate interoperability with diverse cloud platforms from service providers (SPs) and cloud service providers (CSPs). In addition to the continuing migration of enterprise applications to the cloud, IoT deployments are further adding to this shift. Migrating applications from enterprise datacenters to a provider’s IaaS sites brings significant complexity to provisioning virtual connections from every enterprise branch site to the new destinations. Enterprise site-to-site VPNs could leverage single-vendor automation for enabling secured remote branch access. Now provisioning site-to-IaaS VPNs entails a branch-by-branch manual configuration process, multiplied by hundreds of branches and increasing numbers of cloud sites.
An SD-WAN “head-end” node hosted in the cloud, independently or by the CSPs themselves, can deliver automatic secure connectivity between SD-WAN-enabled branches and IaaS data centers. The SD-WAN multi-tenant head-ends provide the interoperable connection to different service providers and cloud datacenter locations, and the automated cloud-based VPN network for the enterprise branch sites.
These four areas of interoperability and examples of the innovations and benefits of SD-WAN will drive its increasing adoption by enterprises and service providers alike.
Steve co-founded VeloCloud and leads product and marketing strategy. Prior, he led the cloud strategy at Aerohive Networks after it acquired Pareto Networks, a cloud-based networking innovator, where he was VP of Product Management. Steve also spent time as VP of Product Management at McAfee, where he led the development of a next generation firewall after McAfee acquired Secure Computing / Securify, where he was VP of Products. Steve worked for Cisco Systems twice, after acquisitions of two companies where he was an executive (Riverhead Networks and Class Data Systems) that resulted in a 50x return on investment to investors. Early in his career he worked at SynOptics Communications / Bay Networks, where his product line generated $1.7 billion of cumulative revenue, and he also spent time at McKinsey & Company. Steve has an MBA and MSEE from Stanford, and a BSEE from Cornell.
Steve is a passionate tennis player and spectator. He fearlessly participates in all manner of sports with his sons that he probably shouldn’t, including snowboarding, wakeboarding, surfing, ATVing and others, that have earned him many weekend warrior injuries, but priceless memories.