Building an enterprise grade SD-WAN
One of the key factors of digital transformation is, without a doubt, multi-cloud. Multi-cloud should be understood broadly as every network or collection of servers, so it also includes your branch offices and your on-premise datacentre. The demands on the network, and especially on the WAN and the way we connect to all of those clouds, are changing. This change is driven by the fact that multi-cloud lets people work from different locations while still having access to all of their data, regardless of where they are.
This in turn influences the way security is implemented. In the past, the typical approach was to deploy one big firewall in the datacentre; now multiple smaller firewalls sit on-premise or in every cloud. This trend brings a whole new level of complexity into the network. New solutions are needed that make it possible to manage the different clouds, the connections to those clouds and the policies applied to them in a uniform way. Inevitably, this increases cost.
Evolution of business connectivity services
In the early 1990s, we began to see technologies like Frame Relay and Leased Lines. Over the years, this grew into IP/MPLS VPNs and by the mid-2000s into technologies like Hybrid WAN and IPSec VPN. The next step in the evolution of these connectivity services is an SD-WAN solution, where the underlying technology is not new, but rather the way in which it is managed is new. Changing business needs have caused this evolution, as the need for people to work anywhere and lowering costs have become fundamental business drivers.
Past, present and future modes of enterprise operation
Typically, connections were built from the data centre in the corporate headquarters via traditional MPLS towards their branch offices. In the past, all traffic was backhauled to that corporate datacentre and processed through a big, centralised firewall.
With the current adoption of hybrid cloud and SaaS-hosted solutions, it no longer makes sense to backhaul all traffic from the branches through the corporate datacentre and only then send it on to a public cloud. In many cases, cloud-based services (such as Office 365, Salesforce, …) have already been adopted. These connections would be more efficient if they could use a local breakout to the internet, and it should not matter which underlay you are using. In most cases, plain internet can serve as the underlay for an SD-WAN solution, resulting in faster connections and lower cost. For example, if you see a lot of traffic between one of your branch offices and your warehouse, that traffic does not have to pass through your corporate datacentre first.
Traditional network simplified into SD-WAN
An SD-WAN approach changes the way we traditionally think about networking: instead of backhauling all traffic centrally, it uses the full network and every capable link. The solution is also more than SD-WAN alone; it covers switches and wireless access points (APs) as well, and supports the configuration, management and monitoring of these typical LAN access devices.
Now let's consider the major building blocks of an SD-WAN solution. The first and most important one is the enterprise site. Enterprise sites can be divided into campus sites, datacentres and branches. Typical devices in a branch are switches, wireless APs and secure routers. These devices need to connect to the other building block, the public cloud, over a private WAN backbone or a service provider's WAN backbone (think of 4G/LTE, broadband internet, …). An SD-WAN approach allows you to connect all of the different enterprise sites to each other and to the public cloud.
There are six capabilities to be considered when implementing an SD-WAN solution:
- Multiple active paths: use all underlay technologies which are available and combine those paths.
- Any transport technology: use MPLS for your business-critical traffic, internet for less sensitive traffic or combine both to have more bandwidth available.
- Application-aware routing: make routing decisions based on the application itself.
- Zero-touch deployment: roll out new services without having to go on-site or use remote hands.
- Centralized controller: manage and deploy your whole network centrally from a single management interface.
- Support for virtual network functions (VNFs).
One of the key features of a well-rounded SD-WAN solution is that it can be delivered as a service from the cloud. An organisation with a couple of smaller or bigger campuses may have only a small IT team, which has to manage not only IT but also security and wired and wireless networking, a huge scope. In this case, consuming SD-WAN as a cloud service helps them manage their entire infrastructure. A second important feature is an integral, all-inclusive security policy: the device performs its SD-WAN functions and its security functions at the same time. Finally, the Zero Touch Activation feature of an SD-WAN solution supports a faster roll-out of your SD-WAN deployment. It eliminates the pre-staging of the device (unpacking, configuring and shipping it on to the remote location), so provisioning is accelerated from days to hours.
When considering an SD-WAN solution, the way in which you configure firewalls and security policies will change. The defining move is from a Layer 4/IP address-based policy to an intent-driven policy, where the policy is based on what needs to be achieved, for example minimal latency or an application-first configuration. As a result, there is no longer a struggle with IP addresses, objects and subnets: you define your objects once and reuse them in a policy written in more natural language.
An intuitive SD-WAN solution should also offer the option of managing the wired and wireless LAN from the same interface that is used to define your security and SD-WAN policies. This is your single pane of glass for managing the enterprise branches.
Why should you consider adopting an SD-WAN solution?
By choosing an open, cloud-ready platform, you are in the best position to benefit from integration with third-party partners and ultimately to simplify your branches.
Nomios performs network security assessments that allow you to decide how to move forward and to examine whether an SD-WAN solution would benefit your organisation. Nomios has years of experience in planning, building and operating multi-cloud environments and is ready to support you today!