We are pleased to share with you all an interesting article contributed by Michel Boulay, who is an expert in networks, security and architecture, specialised in SD-WAN, and a teacher at several IT engineering schools.
Michel Boulay Expert network engineer and architect at FMlogistic
Recently I combined my experience from ONUG, the SD-WAN Summit and my personal lab tests to point out the security implementations and risks of SD-WAN solutions (I'll use some real examples and some real names, which are better than "manufacturer A" and "manufacturer B"). My goal is not to say whether a product is good or bad; I'm not in the roadmaps or secret strategies, and I want to remain independent and credible ;)
Most SD-WAN players focus on site-to-site links (over MPLS or VPNs) or site-to-cloud (mainly AWS and Azure). This means that these devices will be exposed on the internet. Are they strong enough to protect themselves from botnets, script kiddies or other basic attacks? Most SD-WAN manufacturers don't care about it; they pursue no security certification to prove that they are not a security flaw in our business.
Most pure SD-WAN products are very young (1-3 years) and will need time to pass a security certification. Are we ready to take the risk of replacing our firewalls with this kind of product???
Of course a nice UI, automation, easy setup, zero touch, zero IT, etc. are good marketing arguments and are really amazing. There are wonderful products on the market; they do the job for some use cases.
Take, for example, SteelConnect from Riverbed, which has a very simple, intuitive and nice UI to manage interconnections between your sites and some cloud players. SteelConnect is a great SD-WAN product; it works great and it will answer many use cases today. What are the possible strategies for this type of product? If they develop their own security layer (it's a real job) it can take a long time. If they choose to integrate another product, let's say Checkpoint for this example, what will happen? Can I dream of a single management console to manage Riverbed SD-WAN and Checkpoint security? Difficult, and a crazy challenge to maintain compatibility when an OS upgrade is deployed. So, two different consoles to manage? Create all objects, networks and routing policies twice? Check logs on different products to troubleshoot issues? How do you inspect packets coming from the internet with the Checkpoint and also inspect the packets coming from the LAN with the Checkpoint? Make a sandwich of VMs: Checkpoint-Riverbed-Checkpoint? And what about one or two DMZs for guests or clients on site? What will happen the day a big issue occurs? Riverbed support will say that it's an issue with Checkpoint (auto-update?) and Checkpoint support will argue that they have no issue with their own products and it must be a Riverbed issue... A long ping-pong match that can be very expensive for our business. A real architecture and strategy challenge too. There is no easy solution.
Versa Networks has the best multilink, multi-provider aggregation system that I have seen, with a high-quality algorithm and many metrics for link QoS analysis. It's the only tested product where I lost not a single ping when I cut one of the internet links. Of course it needs extra implementation time, as they use VXLAN through VPNs, so it's not as easy as some other products, but it works fine once installed. Nevertheless, the management system needs more maturity. I use this example to point out another security issue. In real SD-WAN, all devices need to talk to their controller. So the controllers are themselves a critical SPOF. Of course, we can put some controllers in HA and synchronise their configurations and data. But what if? What happens if the controllers fail? DDoS attack, hacking, a major bug in the code, human error, licence expiry, certificate expiry? Then you'll instantly lose your whole WAN and your business will be stopped. This is a major risk of SD-WAN pure players, and some of them have only SaaS controllers, which are more exposed to attacks than your own company's controllers... Another challenge for product architects to address.
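Of the controller failure modes listed above, licence and certificate expiry are the ones you can see coming. Below is an added example (written for this page, not code from the article or from any SD-WAN vendor) that turns the certificate case into a check an operations team can schedule: it reads each controller's certificate expiry, in the `notAfter` format Python's `ssl` module returns, and maps the days remaining to a severity. The controller names, dates and alert thresholds are constructed for the demo; the live `fetch_not_after` function is the only part that needs network access and is not used by the offline run.

```python
import socket
import ssl
from datetime import datetime, timezone
from typing import Dict, Optional

# Alerting thresholds (assumed values; tune them to your change window).
WARN_DAYS = 30
CRIT_DAYS = 7


def days_to_expiry(not_after: str, now: Optional[datetime] = None) -> int:
    """Days left on a certificate, given its notAfter string in the format
    ssl.SSLSocket.getpeercert() returns, e.g. 'Jun 10 12:00:00 2026 GMT'.
    A negative result means the certificate has already expired."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).days


def classify(days_left: int) -> str:
    """Map remaining days to a severity the on-call rotation can page on."""
    if days_left < 0:
        return "EXPIRED"
    if days_left <= CRIT_DAYS:
        return "CRIT"
    if days_left <= WARN_DAYS:
        return "WARN"
    return "OK"


def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live version: open a TLS session to a controller and read its notAfter.
    Requires network access; the offline demo below does not call it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check_controllers(inventory: Dict[str, str], now: Optional[datetime] = None) -> Dict[str, str]:
    """inventory maps controller name -> notAfter string; returns name -> severity.
    Every controller is checked individually: an HA pair enrolled on the same day
    expires on the same day, so HA alone does not cover this failure mode."""
    return {name: classify(days_to_expiry(not_after, now)) for name, not_after in inventory.items()}


def worst(report: Dict[str, str]) -> str:
    """Overall status of the WAN control plane: the most severe entry in the report."""
    order = ["OK", "WARN", "CRIT", "EXPIRED"]
    return max(report.values(), key=order.index, default="OK")


# Constructed sample inventory: hypothetical controller names and dates, not real data.
SAMPLE_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = {
    "controller-a.corp.example": "Sep 17 00:00:00 2024 GMT",   # 200 days left -> OK
    "controller-b.corp.example": "Mar 06 00:00:00 2024 GMT",   # 5 days left   -> CRIT
    "sdwan-saas.vendor.example": "Feb 27 00:00:00 2024 GMT",   # expired 3 days ago
}

if __name__ == "__main__":
    report = check_controllers(SAMPLE_INVENTORY, SAMPLE_NOW)
    for name, status in report.items():
        print(f"{status:8} {name}")
    print("overall:", worst(report))
```

To run it against real controllers, build the inventory with `fetch_not_after(host)` for each management and SaaS endpoint, and treat the SaaS controller exactly like your own: its certificate and licence clock are outside your control but take your WAN down just the same.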
On the other side, we have some pure security players that are beginning to implement SD-WAN. Forcepoint products are very powerful and feature-rich and work very well. It's not real SD-WAN yet, but it allows ISP aggregation, full-mesh links and path analysis (with fixed metrics only; you can't change them yet). And all of this with a top security suite (IPS, APT, DLP, SSL interception, etc.).
And then you have Fortinet, which has the opposite UI strategy to Riverbed: a crazy management console for maniacs, complex and confusing, but one that lets you do nearly anything, with exceptions within exceptions to match all use cases. It's not SD-WAN, but it can be an opportunity for them in the future. NB: Fortinet just announced that they'll invest in SD-WAN R&D ;)
Then, what happens if your company has some autonomous zones? Imagine 600 sites spread across the world: Russia chooses to deploy VeloCloud, France decides to deploy Infovista (Ipanema), the USA deploys SteelConnect and Asia deploys Versa. How can we build an any-to-any network between different products that use their own standards and their own algorithms? Manufacturers will say: "Oh, but you can establish a basic IPsec tunnel between your regional HQs." Of course, but you'll lose the SD-WAN features (link aggregation, redundancy, visibility, QoS on links) and you'll overload your HQs (a new SPOF) with transit to other countries... And it will be a pain to set up and manage. So, in my mind, it would be great if all manufacturers worked a little together to define a standard for minimum compatibility between them, just as spanning tree, Ethernet or WiFi can work across different manufacturers. ONUG, for example, could be a good opportunity to work on this ;)
So we have, in the right corner, security players that are focusing on SD-WAN, and in the left corner, SD-WAN players that should focus on security. Who will be the winner?
Why not SD-WAN and Security? Cato Networks solves exactly this challenge by converging SD-WAN and Network Security into a single cloud service with one management interface.
Following & reading all articles, good one.
Every time new and informative post.
I saw no mention of VeloCloud SD-WAN or of the integration of VeloCloud with Fortinet (though that won't be public for a little while). Why did you only review Versa Networks and Riverbed? (Just curious.) The largest area of question with SD-WAN vs MPLS is when security is of the highest concern. Traffic over the open internet requires a lot of "devil's advocate" and a good security fabric. Good review and read! Thank you for posting this!
Good read and food for thought on SD-WAN
Many options for many needs. Until the likes of Microsoft or Google drop everything they are doing, there will never be an all encompassing SDx solution. The answer is definitely in integration. Give me APIs and good documentation and I'll buy from the market what I need. Also, security is all about being the least tasty, fastest fish in the sea, and not necessarily the one that can simply disappear.
SD-WAN isn't inherently opposed to security like the title suggests. In fact, solid SD-WAN implementations can increase security, visibility, control, and functionality
That's why we focus on SECURE SD-WAN, because the market is neglecting this. SD-WAN is more secure, and with the right features it is much more than just smart path control.