Choosing an SD-WAN vendor/platform has become increasingly difficult as the WAN edge market rapidly expands. This blog provides a summary of my thought process when down-selecting SD-WAN vendors/platforms.
SD-WAN vendors/platforms typically fall into one of four categories:
- Pure Players – start-ups such as VeloCloud and Viptela, the two main disrupters in the WAN edge market. Both were acquired, by VMware and Cisco respectively, and lead the Gartner Magic Quadrant for WAN edge 2018.
- WAN Optimization – This category includes companies such as Riverbed, Silverpeak and Citrix, essentially businesses which, out of necessity to survive, have diversified from the dying WAN Op market into SD-WAN. In my opinion Riverbed should have bought Silverpeak to boost their market share, as Silverpeak has a decent number of customers and a very solid platform. That’s not to say Riverbed’s acquisition of Ocedo was bad: the Riverbed platform is pretty good from what I have evaluated and will get better over time. However, unless you already have a Riverbed WAN Op deployment, would you consider Riverbed over a pure player whose platform is designed from the ground up to be cloud-driven SD-WAN, rather than WAN Op with an SD-WAN bolt-on?
- Security – This category includes traditional security vendors such as Barracuda, Fortinet and Palo Alto Networks. NGFWs already have VPN capabilities, so SD-WAN is a natural feature to provide. What puzzles me is why Check Point hasn’t ventured into the fray when the other NGFW leaders have. While these vendor offerings will be secure, they lack a mature cloud management platform and, similarly to the WAN Op category, feel like a bolt-on feature intended to retain existing customers.
- Managed Service – As organisations start to move away from MPLS, providers are pivoting to offer managed SD-WAN services. This is an interesting and valid proposition depending on your business requirements and operating model. Orange Business Services offer some good solutions here if you are looking at a managed service (Note: I don’t work for OBS). The managed services I have seen are using Viptela or VeloCloud under the hood, which I think says a lot about the strength of the pure player category.
Your existing network architecture and/or experience with some of the above vendors may influence your decision, or at least help narrow down the field. However, your decision should be based on which vendor/platform meets your business and technical requirements. I’ve pulled together some key technical requirements below to consider when evaluating SD-WAN vendors/platforms. This is not an exhaustive list by any means.
- Virtual Appliance – Whilst all SD-WAN vendors will have a physical appliance available, ensure that their range of appliances meets all your site and bandwidth requirements. However, not all SD-WAN vendors have a cloud-based appliance. Most organisations will have a public cloud presence, so it is important to ensure your SD-WAN vendor has an appliance available in the respective cloud’s marketplace. VeloCloud and Viptela both support AWS and Azure, so it is relatively easy to extend your WAN to the cloud. If your SD-WAN vendor doesn’t have a public cloud appliance, then what are your options? From a Microsoft perspective, they have recently released Azure Virtual WAN, which integrates with a number of SD-WAN vendors such as Citrix, Riverbed and VeloCloud among others, so you don’t need a dedicated virtual appliance. The downside is that you don’t get complete visibility of your SD-WAN environment: you lose out on network and application visibility statistics and on any QoS or application prioritization you may want to configure. I see this integration as suited to smaller enterprise customers, or perhaps Dev/Test and Pre-Production environments, to reduce cost.
- VPN Throughput – Most SD-WAN vendors have a range of physical appliances which will fit most organisations’ bandwidth/throughput requirements; however, their respective virtual appliances can often be quite poor with regard to VPN throughput. If your public cloud deployment is quite large, then this is a key requirement. Some of the solutions vendors have offered me as workarounds are truly terrible: spreading the load across multiple appliances by IP prefix, which would be a routing nightmare in Azure or AWS and merely masks their problem.
- Cloud Management – You would assume this was a given, but even big players like Citrix don’t have a cloud management platform. My main considerations around cloud management are typically: where is it? Working in the UK/EU, you want to ensure that your cloud management is in the same region to ensure data compliance. Most vendors will host you on your nearest Orchestrator; for example, VeloCloud’s EU Orchestrator is hosted in AWS in Frankfurt, and I believe London is on the road map. If you are a multi-national organisation you may want to consider in which region you want your Orchestrator hosted. The next consideration is what data is held and whether this has GDPR implications. Ensure your SD-WAN vendor has GDPR information available and that you engage your legal department to ensure you are compliant.
- Cryptography – Having evaluated a number of leading SD-WAN vendors, I was surprised how lacking some were in terms of IPsec parameters such as IKE version, encryption and hashing algorithms. Typically I hold NCSC’s IPsec Foundation profile as the benchmark. VeloCloud can meet this profile, which is a big tick if you are working with UK defence and public sector customers. Not only does it meet the criteria, but some parameters meet the PRIME profile, which is like the unicorn of crypto security.
NCSC Foundation Profile – IKEv1, AES-128 CBC, SHA-256, DH group 14 and Certificate based authentication.
Most secure VeloCloud Profile – IKEv2, AES-256 GCM, SHA-256, DH group 14 and Certificate based authentication.
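When comparing vendor proposals against a benchmark like the one above, it helps to have a repeatable check rather than eyeballing datasheets. The script below is an added example written for this post; it is not VeloCloud’s or NCSC’s code. The two baseline profiles are transcribed from the two lines above exactly as the post states them; the ordering of algorithms from weaker to stronger (and the treatment of GCM as at least as strong as CBC at the same key size) is this example’s own assumption, and the Proposal type and function names are hypothetical.

```python
"""Check an IKE/IPsec proposal against a baseline profile.

Added example for this post, not vendor code. The baselines are transcribed
from the post; the strength rankings below are an assumption of this example.
"""
from dataclasses import dataclass

# Ordinal rankings: higher means stronger. Assumed for this example only; they
# decide whether a proposal meets or exceeds a baseline on each parameter.
IKE_RANK = {"IKEv1": 1, "IKEv2": 2}
ENC_RANK = {"3DES": 0, "AES-128-CBC": 1, "AES-128-GCM": 2,
            "AES-256-CBC": 2, "AES-256-GCM": 3}
HASH_RANK = {"MD5": 0, "SHA-1": 0, "SHA-256": 2, "SHA-384": 3, "SHA-512": 4}
DH_RANK = {1: 0, 2: 0, 5: 0, 14: 1, 19: 2, 20: 3}
AUTH_RANK = {"PSK": 0, "Certificate": 1}


@dataclass(frozen=True)
class Proposal:
    """One IKE/IPsec proposal as a vendor would present it (hypothetical type)."""
    ike: str
    encryption: str
    integrity: str
    dh_group: int
    auth: str


# Transcribed from the post: "IKEv1, AES-128 CBC, SHA-256, DH group 14 and
# Certificate based authentication".
NCSC_FOUNDATION = Proposal("IKEv1", "AES-128-CBC", "SHA-256", 14, "Certificate")
# Transcribed from the post: "IKEv2, AES-256 GCM, SHA-256, DH group 14 and
# Certificate based authentication".
VELOCLOUD_STRONGEST = Proposal("IKEv2", "AES-256-GCM", "SHA-256", 14, "Certificate")


def _rank(table, key, name):
    """Look up a parameter's rank, rejecting values the table does not know."""
    if key not in table:
        raise ValueError(f"unknown {name}: {key!r}")
    return table[key]


def check_proposal(proposal, baseline=NCSC_FOUNDATION):
    """Return a list of findings where `proposal` is weaker than `baseline`.

    An empty list means the proposal meets or exceeds the baseline on every
    parameter. Unknown algorithm names raise rather than silently passing.
    """
    checks = [
        ("IKE version", IKE_RANK, proposal.ike, baseline.ike),
        ("encryption", ENC_RANK, proposal.encryption, baseline.encryption),
        ("integrity", HASH_RANK, proposal.integrity, baseline.integrity),
        ("DH group", DH_RANK, proposal.dh_group, baseline.dh_group),
        ("authentication", AUTH_RANK, proposal.auth, baseline.auth),
    ]
    findings = []
    for name, table, have, want in checks:
        if _rank(table, have, name) < _rank(table, want, name):
            findings.append(f"{name}: {have} is weaker than baseline {want}")
    return findings


def meets_baseline(proposal, baseline=NCSC_FOUNDATION):
    """True when the proposal has no parameter weaker than the baseline."""
    return not check_proposal(proposal, baseline)


if __name__ == "__main__":
    # Constructed sample of a weak vendor default, for illustration only.
    weak_default = Proposal("IKEv1", "3DES", "SHA-1", 2, "PSK")
    for candidate in (weak_default, VELOCLOUD_STRONGEST):
        print(candidate, "->", check_proposal(candidate) or "meets Foundation")
```

Run it as-is to see the constructed weak proposal fail on four of five parameters while the VeloCloud profile passes; in practice you would replace the sample with each vendor’s documented proposal and extend the rank tables with whatever algorithms they list.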
- PKI – Use of certificates for authentication requires a PKI. Certificate-based authentication is the preferred method of authentication because it is more scalable and secure than pre-shared keys. Most organisations will have a PKI (of sorts); however, it is doubtful this will be exposed to the Internet, assuming your SD-WAN will be configured in Internet or hybrid mode. The VeloCloud Orchestrator has a CA baked in, which makes deploying certificate authentication very easy. Upon activating a VeloCloud Edge device, the Edge is issued a 90-day RSA 2048-bit certificate. This certificate is renewed when 80% of its lifetime has elapsed, to ensure continued connectivity. You can revoke certificates in the Orchestrator, and deleting an Edge also revokes its certificate.
You can use a mix of PSK and certificates in the VeloCloud platform if you wish; sometimes integration with third parties doesn’t allow for certificate authentication, so you can fall back to PSK. VeloCloud gives you the option of Certificate Disabled, Optional or Required. Disabled is fairly obvious. Optional means a VPN device/edge using PSK can communicate with Edges using PSKs or certificates, which allows for flexibility but does reduce security somewhat. Required means that an edge using certificate authentication can only communicate with other edges that use certificates; this is very secure but not as flexible, so it really depends on your requirements.
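To make the three modes and the renewal window concrete, here is an added example that models them; it is written for this post and is not VeloCloud’s implementation. The pairing rules follow the post’s description of Disabled, Optional and Required, and the 90-day lifetime and 80% renewal point are the figures given above. Two things are this example’s own assumptions: that under Required a PSK-only edge is also excluded (the post only states the certificate-side rule), and the edge names and issue dates, which are constructed sample data.

```python
"""Model certificate-authentication modes and the certificate renewal window.

Added example for this post, not vendor code. Mode semantics follow the post's
wording; the Required-mode treatment of PSK peers is an assumption noted below.
"""
from datetime import datetime, timedelta, timezone

CERT_LIFETIME = timedelta(days=90)   # lifetime stated in the post
RENEW_FRACTION = 0.8                 # renewal at 80% of lifetime, per the post
AUTH_METHODS = ("PSK", "Certificate")


def can_peer(mode, auth_a, auth_b):
    """Return True if two edges may form a tunnel under the given certificate mode."""
    if auth_a not in AUTH_METHODS or auth_b not in AUTH_METHODS:
        raise ValueError("auth must be one of %r" % (AUTH_METHODS,))
    if mode == "Disabled":
        # Certificates are not used at all, so only PSK peers can talk.
        return auth_a == "PSK" and auth_b == "PSK"
    if mode == "Optional":
        # Any combination is accepted: a PSK edge may talk to a certificate edge.
        return True
    if mode == "Required":
        # The post states a certificate edge only talks to certificate edges.
        # Treating PSK peers as excluded entirely is this example's assumption.
        return auth_a == "Certificate" and auth_b == "Certificate"
    raise ValueError("unknown mode: %r" % (mode,))


def renewal_due_at(issued):
    """Instant at which the Edge should renew: 80% of a 90-day lifetime = day 72."""
    return issued + CERT_LIFETIME * RENEW_FRACTION


def cert_status(issued, now):
    """'valid' before the renewal point, 'renew' from then until expiry, then 'expired'."""
    if now >= issued + CERT_LIFETIME:
        return "expired"
    if now >= renewal_due_at(issued):
        return "renew"
    return "valid"


# Constructed sample inventory: edge name -> issue time of its current certificate.
SAMPLE_NOW = datetime(2018, 10, 1, tzinfo=timezone.utc)
SAMPLE_EDGES = {
    "branch-1": datetime(2018, 9, 20, tzinfo=timezone.utc),   # 11 days old
    "branch-2": datetime(2018, 7, 10, tzinfo=timezone.utc),   # 83 days old
    "branch-3": datetime(2018, 6, 20, tzinfo=timezone.utc),   # 103 days old
}


def overdue_edges(edges=SAMPLE_EDGES, now=SAMPLE_NOW):
    """Edges whose current certificate is past its renewal point.

    A healthy Edge renews automatically at 80%, so anything still holding a
    certificate past that point is worth investigating before it expires.
    """
    return sorted(name for name, issued in edges.items()
                  if cert_status(issued, now) != "valid")


if __name__ == "__main__":
    for mode in ("Disabled", "Optional", "Required"):
        print(mode, "PSK<->Certificate:", can_peer(mode, "PSK", "Certificate"))
    for name, issued in SAMPLE_EDGES.items():
        print(name, cert_status(issued, SAMPLE_NOW), "renew by", renewal_due_at(issued).date())
    print("overdue:", overdue_edges())
```

The `overdue_edges` check is the part a defender actually wants: an Edge that has not renewed by day 72 still has 18 days of connectivity left, which is the window in which to find out why renewal failed rather than learning about it at expiry.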
- Ease of Deployment – One of the big selling points of SD-WAN is the ease of deployment, and most Pure Players and WAN Op SD-WAN vendors deliver on this. What I have found, though, is that when you do have deployment issues they offer very little local troubleshooting capability, which is very frustrating when you can’t even run a ping to your gateway or do a DNS lookup.
- Service Chaining – Depending on which SD-WAN vendor you’ve chosen and how you are going to break out to the Internet, this may or may not be a consideration for you. However, if you already use a cloud security service like Zscaler, then tunnelling your local branch Internet traffic to the Zscaler cloud is a no-brainer, as it incurs no additional cost (depending on your bundle). Large enterprises like Siemens do this as opposed to running local branch firewalls or VNFs. With over 2200 branch sites, that’s a very scalable solution.
- Dynamic Routing – As I have said before, SD-WAN appliances are not Cisco routers. If you need routing resilience or integration with your Interior Gateway Protocol (IGP), be sure your chosen SD-WAN vendor supports your IGP fully. Viptela and VeloCloud support OSPF and BGP, but a lot of SD-WAN vendors have pretty poor IGP support, so ensure you research this. In particular, when they say OSPF is supported it is typically only in passive mode, yeah thanks for that.
There are lots of other considerations when choosing an SD-WAN vendor/platform; there is no one-size-fits-all, so spend your time building your requirements, engaging with vendors and running one or more proofs of concept. What the vendor says and how the platform performs can differ considerably.