Is SD-WAN the future of connectivity? An interview with our Head of Pre Sales

SD-WAN stands for software-defined wide area networks. At its simplest, SD-WAN is a telecoms network that extends over a large geographical area, often using leased circuits.

Since its inception from the US to European and UK markets, SD-WAN has been met with much confusion as to what it is, what it does, and what the benefits are for different companies. In a recent interview, our Head of Pre-Sales, Paul Krarup attempts to clear this up, before showing how partnering with Virtual1 for SD-WAN can provide businesses with optimum connectivity performance.

Paul, in your own words, what is SD-WAN?

SD-WAN is a way of creating a multi-site Wide Area Network (WAN) using internet connections rather than private connectivity.

An obvious use case is an organisation with ten sites across the UK with one head office that houses their IT equipment, often co-located within a secure Data Centre. The remote sites all need to get to the Hosted IT equipment to access Email Servers, Domain Controllers and other communication systems. Virtual1 has facilitated that in the past by creating a Private Layer 3 VPN over MPLS. This requires putting in dedicated access products like Fibre Ethernet or ADSL and then, using our core network, creating a Virtual Private Network that interconnects those ten sites — the only sites with access to that network.

With SD-WAN you can now use internet circuits to virtualize that Private Layer 3 VPN using security functions, typically IPsec VPN tunnels. This means SD-WAN heavily relies on smart software and security to understand where traffic needs to flow and create those IPsec VPN tunnels to connect each of the sites dynamically.

What are the main benefits of SD-WAN?

In the past the internet has been seen as ‘the wild west of connectivity’. Put simply, everybody with an internet connection can reach anybody else with an internet connection and, roughly speaking, it’s possible to scan corporate firewalls and create security headaches or ‘threats’. But, if the security is adequate, this is negated and corporate traffic is safe.

SD-WAN security devices are smart and application-aware. They can manage private interconnections across this ‘wild west’ of the internet which gives an organisation peace of mind that their connection won’t be as easily infiltrated, as it may have been before the advent of unified threat protection or unified threat management.

SD-WAN doesn’t require you to take all of your internet connections from one vendor. When Virtual1 provide a layer 3 VPN or MPLS, we are responsible for putting in the fibre, ADSL or 4G connections. This is because all of those connections need to reach our core network or we can’t create that private network. With SD-WAN you can just use the internet. Vendors have internet connections across the globe and, because you’re now Carrier-agnostic, you can plug a single SD-WAN appliance into anybody’s internet connection; the security devices are clever enough to reach each other and create that virtualized network. This ‘frees up’ people’s buying options while maintaining network security without needing one single vendor - which tends to be the most expensive element.

Finally, SD-WAN reached Europe from the United States with the perception of being a big money saver. While private layer 3 VPN over MPLS is still very expensive in the US, internet circuits are relatively cheap. So, having SD-WAN appliances on the end of DIA circuits is very beneficial in the US.

In the UK and Europe however, the price disparity between MPLS and DIA services isn’t huge so we’re not actually seeing the same cost savings. However, we still reap a number of benefits. One of the primary functions of SD-WAN is that it is application aware— it knows exactly what you’re using across internet connections, which means you can make smart routing and security decisions, while having unprecedented network visibility. Although SD-WAN is panning out as slightly more expensive than MPLS, or private layer 3 VPN’s, the network visibility, control and access is vastly improved. While SD-WAN could be perceived as a ‘like-for-like’ replacement for MPLS to the end user, you actually get far more sophisticated reporting tools, far more utilisation statistics and overall, it’s a smarter product.

When wouldn’t a company require SD-WAN?

If you have a simple network where you don’t need to see what’s going on every minute of every day, and you don’t need really sophisticated security then go with MPLS. If you want a private network that you build once, leave, and that works for the duration of the contract without much adjustment then it will still do a fantastic job.

SD-WAN is aimed at ‘hands-on’ IT managers and IT support desks who need to see what’s going on – this is often in cases where the end user experience is absolutely paramount. An example of this would be a finance business relying on low-latency and efficient performance to make trades; or a SaaS provider relying on the consistent, strong execution of their product. You need to be able to realise a tangible benefit, not just purchase SD-WAN because you can ‘see’ everything.

The other thing is control. SD-WAN allows end users to make live changes to the way their network behaves, so if they have regular changes to their network design, and want to be in control, then SD-WAN offers far more flexibility.

What does the current SD-WAN market look like?

SD-WAN is about 5 years old and there are about 90 international SD-WAN vendors. The Metro Ethernet Forum [MEF] are currently in the process of defining what SD-WAN means because, being such a new product, there are variations with vendors trying to manipulate their solutions to fit.

SD-WAN should be multi-site, Carrier-agnostic, resilient, secure; and have a centralised control plane—they’re the big 5 things that define SD-WAN for Virtual1.

Why purchase SD-WAN through Virtual1?

It’s thought that SD-WAN sales will grow by about 25% each year for the next five years globally. So, it’s no surprise that 60-70% of enterprises have said they see the future of connectivity being ‘Managed SD-WAN’ — and we know our partners are seeing an increasing demand in this area.

Because of this we’ve spent the last 18 months exploring the different technologies, particularly with Juniper Networks and Fortinet. That experience means that we can help our partners take SD-WAN to market fast and manage the day-to-day network behaviour for them, including looking after reporting tools. We can offer end user log-ins to see the reporting features available, but they won’t be able to make changes unless they’re accredited because, unlike a managed MPLS solution, SD-WAN gives users full control of their network and has the potential to drastically impact their services. Operating an SD-WAN can require significant networking skills and knowledge which many businesses have outsourced over the past 15 years.

With our SD-WAN offering, you also get uplifted features such as application-based routing and application-aware reporting tools, so you can be safe in the knowledge that we will fix things if anything goes wrong or if there are any necessary changes. Virtual1 aim to be the ‘one-stop-shop’ for this service. Our USP centres on being accommodating and agile. For us this is to get things done quickly and to be there to help partners and their end users when they need it.

Does SD-WAN help with homeworking?

Homeworking tends to rely upon the initiation of IPsec VPNs from user devices to an IPsec VPN server somewhere within a managed core network. The user wouldn’t, necessarily, need there to be direct connectivity to a corporate SD-WAN from the home.

There will be instances where Business Executives want SD-WAN appliances in the home so that they’re constantly connected to their corporate WAN. In this case, every device on the LAN within their home will be connected to the corporate WAN.

For example, one of our solutions Virtual1 utilise Fortinet’s SD-WAN product, which has the Endpoint Security feature – FortiClient. This is used to initiate IPSec VPN connections back to our Corporate LAN services. So, if you had SD-WAN for an organisation, as a homeworker, you would still use FortiClient to connect your laptop back to your head office that may have some SD-WAN connectivity, but you wouldn’t consume SD-WAN directly.

As a homeworker using FortiClient on an MPLS network you will get an identical experience. The thing that SD-WAN enables is the ability to have localized internet breakout, from every site. One of the key architectural components of an MPLS network is having a single point of internet breakout. Virtual1 would deploy a single firewall, or high availability pair, located in a data centre allowing all remote sites within a private WAN to use that one internet breakout point. This hugely decreases the potential attack vectors, so that anyone who wants to get into your network only has a single point of ingress. If you have localised internet breakouts at all ten sites, that’s ten potential locations where somebody can identify vulnerabilities. But, because the SD-WAN software is so sophisticated you can have localized internet breakout and localized security policies and be assured that your corporate network is secure, everywhere. Plus, it’s a way of ‘splitting up’ your available bandwidth on a fibre tail or a broadband connection – you can have some of that connection prioritized for your corporate network and the rest of it going straight to the internet for browsing.

What’s the process for buying SD-WAN through Virtual1?

When a partner is looking to take access products from us accompanied by SD-WAN then that has a lead time and SD-WAN won’t improve that, but it won’t slow it down either. With SD-WAN, as long as an end user has an internet connection, we can theoretically ship the SD-WAN boxes and they can use their existing connectivity to start experiencing the Virtual1 SD-WAN product.

We can also ‘stitch’ SD-WAN together using a combination of the access products we put in, plus the access products already there — so we can virtualize that WAN for an end user. This could speed up deployments but wouldn’t give the benefits of Virtual1 connectivity services. Ultimately, there are ways we could expediate functions but the configuration would look slightly different versus our native access products paired with SD-WAN.

What’s the overarching goal of SD-WAN?

When I talk about SD-WAN, what I say to people is ‘the internet is back’. Once again we can use the internet for connectivity without a dependency upon private layer 3 VPNs to ensure security. It’s also about the user experience — the ability to see the network clearly, report on it, and improve it dynamically, rather than just accepting its limitations. End users are often impartial about the technology being used, they just want their key applications to work, and work well. SD-WAN puts that visibility and control in their hands.