Shift from SDN to SD-WANs to SASE Explained; Network Virtualization’s important role

Disclaimer:

The IEEE Techblog has not covered this topic for a very long time, because there are no standards or accepted specifications for any type of SD-WAN or SASE interoperability.  Those networks are all supplied by a single vendor, but that hasn’t stopped them from gaining market share, especially from legacy IP-MPLS VPNs.  That’s even though functionality differs for each vendor’s SD-WAN or SASE offering and there is no interoperability, especially from one provider’s SD-WAN to another’s.

Explanations:

SD-WANs use Application-aware routing across the WAN, whereas classical SDN used a centralized controller to compute routes at the Network layer for the Control plane with “L2/L3 packet forwarding engines” in the Data Plane.  The SDN Control and Data planes are separated with the “OpenFlow” API used to communicate between them.

NFV is not about routing but virtualizing network functions (“virtual appliances”) that would otherwise be implemented in hardware-firmware boxes.

Network virtualization (defined below) has played a key role in the popularity of SD-WAN and SASE, even though that network paradigm was not included in the original definition of SDN in which no overlay networks were permitted.  (That was referred to as “SDN Washing” from 2011-2014, by SDN strongman Guru Parulker, now Executive Director of the Open Network Foundation.)

………………………………………………………………………………………….

Discussion:

At many data networking industry conferences and events from 2011 to 2014, participants claimed that Software Defined Networks (SDNs) would usher in a whole new era for networking.  One colleague of mine said it would be “a new epoch for networking.”  Instead, there were various versions of SDNs, used primarily by hyper-scale cloud service providers (most notably Google and Microsoft) and a few large telcos (e.g. NTT, AT&T).  But SDN never spread to enterprise or campus networks.

When SDN fizzled out, the industry’s focus shifted to Software Defined WANs (SD-WANs), which provides user control of a virtual network overlay via the Application layer. There are three components to a SD-WAN:

  • SD-WAN edge is where the network endpoints reside. This can be a branch office, a remote data center, or cloud platform.
  • SD-WAN Orchestrator is the virtualized manager for network, overseeing traffic and applying policy and protocol set by operators.
  • SD-WAN Controller centralizes management, and enables operators to see the network through a single software interface, and set policy for the orchestrator to execute.

In addition, there are three main types of SD-WAN architecture: on-premises, cloud-enabled, and cloud-enabled with a backbone.

SD-WANs continue to roll out in many different shapes, forms and flavors, without any standards for any type of interoperability (e.g no UNI, NNI, Interface to legacy IP-MPLS VPNs, etc).  Even the definition and certification by the MEF (Metro Ethernet Forum) has failed to catch on so there is no uniform functionality between one SD-WAN and another.

Because of its virtualized network architecture [1.], SD-WANs don’t require specific hardware for specialized network functions. Instead, the infrastructure is made of commercial off-the-shelf (COTS) equipment, also known as white-boxes.  Therefore, all SD-WAN products are 100% software based.

Note 1. Network virtualization is the process of transforming network functions into software and disconnecting them from the hardware they traditionally run on. The software still consumes the hardware’s resources, but is a separate entity that can be changed, moved, and segmented while the hardware remains the same.

The virtualized and software-based version of the network is an overlay on top of the physical network infrastructure. The physical network’s devices like switches and routers still perform tasks like packet forwarding, while how to forward those packets is handled by the software running on the switches and routers.

………………………………………………………………………………………….

Meanwhile a newer entry known as Secure Access Service Edge (SASE) has garnered a lot of media attention.  This Gartner-coined product category, which combines elements of SD-WANcloud-based security, and edge computing, has gained significant traction in the two years since its inception.

SASE’s remote access functionality and low barrier to entry made it an attractive option for enterprises trying to cope with the rapid shift to remote work due to the pandemic. Within months of the first lockdown orders going into effect, nearly every SD-WAN and security vendor had announced a SASE security architecture, either through internal development, partnerships, or acquisitions.

SASE is the convergence of wide area networking, or WAN, and network security services like CASB (Cloud Assisted Security Broker), FWaaS (Firewall as a Service) and Zero Trust, into a single, cloud-delivered service model.

According to Gartner, “SASE capabilities are delivered as a service based upon the identity of the entity, real-time context, enterprise security/compliance policies and continuous assessment of risk/trust throughout the sessions. Identities of entities can be associated with people, groups of people (branch offices), devices, applications, services, IoT systems or edge computing locations.”

Gartner forecasts that, “by 2024, at least 40% of enterprises will have explicit strategies to adopt SASE, up from less than 1% at year-end 2018.”

A SASE architecture identifies users and devices, applies policy-based security, and delivers secure access to the appropriate application or data. This approach allows organizations to apply secure access no matter where their users, applications or devices are located.

According to Cisco’s latest CISO Survival Guide, almost all (98%) CISOs plan to spend money on secure access service edge (SASE), and 55% of them intend to prioritize 25% to 75% of future IT security budgets on it, according to

Cisco surveyed more than 100 CISOs and security leaders for this report. The biggest shift for CISOs this year is toward SASE, following the pandemic and related trend of working from anywhere in the world, said Dug Song, chief strategy officer at Cisco Secure.

“I think hybrid work is here to stay,” Song told SDxCentral in an interview. Most organizations have decided to maintain flexible work for employees even post-pandemic, which requires changes to their IT security programs.

………………………………………………………………………………………….

Many industry experts say SASE services must be built on a cloud-native architecture (like 5G SA core network) and distributed across multiple edge locations.

While several vendors including Cisco and Fortinet have rejected the cloud native approach, arguing that networking and security appliances still have a role to play both at the branch and the edge, it’s a principle that’s reflected in Gartner’s own literature and wholeheartedly embraced by VMware, CATO and other SASE vendors.

 

Specifically, VMware offers a cloud-native SASE architecture that has combined multiple solutions in it such as SD-WAN Gateways, VMware Secure Access, ZTNA solution, SWG, CASB, AND VMware NSX Firewall. VMware delivers all these solutions through PoPs. It delivers the network and security services in an intrinsic or sequenced manner.

Cato CMO Yishay Yovel told SDxCentral, “The feeling I have is that a lot of the market is trying to talk about SASE now in a generic way, like everybody has everything, or everybody has the same capabilities, and it doesn’t matter exactly how they’re done.”

Yovel also said that just because a vendor claims to offer the full SASE software stack, doesn’t mean it’s been implemented in a way that’s scalable.

Many of the SASE functions — cloud-based firewalls in particular — are compute-intensive, they usually have to be run in cloud data centers and can’t run on the cloud provider’s more numerous content delivery network edge locations.

This dramatically limits the number of locations a SASE vendor can offer if relying on public cloud infrastructure. For example, Google Cloud claims services in 146 edge locations around the globe, but only operates 21 global data centers, which it refers to as regions.

Scalability and availability are another challenge, Yovel noted. In many cases, these virtual appliances aren’t multi-tenant and have to be assigned to a specific customer account, resulting in additional resources being required should the customer bump up against the limits of a single instance.

Yovel argues that unless a vendor’s SASE software stack is unified, customers may miss out on the ability to share context across multiple security or network functions.  He explained that many functions, SD-WAN for example, are only aware of certain contexts like what application is being used, but this context could be used in conjunction with other contextual information like time, location, or identity to inform other parts of the SASE stack.

“We collect all the context elements. It doesn’t matter which part of these engines need them. Everything is built into a unified thing,” Yovel said.

The bottom line for today’s cybersecurity professionals is that both zero trust and SASE networking trends should be watched closely and integrated into forward-looking enterprise network architectural decisions.

…………………………………………………………………………………….

References:

https://www.sdxcentral.com/networking/sd-wan/definitions/software-defined-sdn-wan/

https://start.paloaltonetworks.com/gartner-report-roadmap-for-sase-convergence.html

https://www.paloaltonetworks.com/cyberpedia/what-is-sase

https://www.softwaretestinghelp.com/top-sase-vendors/

https://www.sdxcentral.com/articles/news/cisco-report-cisos-sase-spend-edges-toward-75-of-budget/2021/07/

https://www.sdxcentral.com/articles/news/cato-ribs-palo-alto-networks-other-sase-imposters/2021/07/

https://www.sdxcentral.com/networking/sd-wan/

https://www.sdxcentral.com/networking/nfv/definitions/network-virtualization-and-how-it-works/

https://searchcloudsecurity.techtarget.com/tip/Why-its-SASE-and-zero-trust-not-SASE-vs-zero-trust

 

4 thoughts on “Shift from SDN to SD-WANs to SASE Explained; Network Virtualization’s important role

  1. “Going forward, multi-cloud is at the center of gravity for everything we do,” said VMware CEO Raghu Raghuram said his opening keynote at VMworld.

    And then he announced VMware Cross-Cloud, which is a set of integrated services that the vendor says provides customers the flexibility to build, run, and secure applications across any cloud.

    “There are three key advantages you get with VMware Cross-Cloud services,” Raghuram said. “First: Go faster. With Cross-Cloud services, you can accelerate your cloud journey. Second: Spend Less. You get big gains and cost efficiency. And third: Be free. With Cross-Cloud services you get maximum flexibility and choice across any cloud.”

    The services include five key pieces:

    A platform for building and deploying cloud-native apps;
    Cloud infrastructure for operating and running enterprise apps;
    Cloud management for monitoring the performance and cost of apps across multiple clouds;
    Security and networking that spans customers’ multi-cloud environment to connect and secure apps;
    And a digital workspace to accommodate the distributed workforce and manage edge-native apps.
    Not coincidentally, VMware also announced new products or updates across all of these five areas.

    The vendor originally announced Tanzu Application Platform, its cloud-native app platform currently in beta, at its SpringOne developer event last month. Today, VMware announced new capabilities including more developer tooling and a framework for platform operators to configure policies of deployed workloads to ensure that all workloads follow best practices.

    For cloud infrastructure: VMware announced Project Arctic, a tech preview, that natively integrates cloud connectivity into vSphere and allows IT admins to access Cross-Cloud services through vCenter.

    Project Ensemble is VMware’s new unified control plane for VMware Cloud. It’s also a tech preview, and it provides a unified view across vRealize Cloud Management Services to monitor app performance and cost.

    At VMworld, the vendor added API and Kubernetes security capabilities to cover multi-cloud security and networking.

    And finally, VMware announced a new Edge Compute Stack — an integrated virtual machine and container-based stack for edge-native apps.

    “What is Cross-Cloud all about at the end of the day? It’s about giving you the power to make your own decisions and control your destiny,” Raghuram said. “I call this enterprise sovereignty.”

    Similar to data sovereignty, which involves controlling enterprise data where it resides, “enterprise sovereignty speaks at a higher level about preserving your freedom of choice, both now and in the future,” he said. “At VMware, we give you the freedom and control.”

    https://www.sdxcentral.com/articles/news/vmware-ceo-flies-multi-cloud-flag-at-vmworld/2021/10/

  2. SD-WAN provides a secure path from siloed enterprise networks to the public, private and hybrid cloud
    SD-WAN is a reset in thinking about how a Wide Area Network (WAN) should work. It’s a virtual WAN architecture, an overlay that can work with different network transport services, including broadband. SD-WAN enables organizations to centrally manage traffic using the principles of Software Defined Networking (SDN), without the limitations imposed by physical network infrastructure.

    SD-WAN centralizes network control, management, provisioning and security, despite the continued decentralization of data, as businesses move to the cloud. A few companies stand apart from the rest when it comes to offering SD-WAN solutions. Cisco is the market leader, followed by Fortinet and VMware, according to a report from Dell’Oro Group.

    Enterprise spend on SD-WAN has accelerated in recent times. Businesses are upgrading network infrastructure to accommodate changing objectives and shifting workforce demands, as well. Sales of SD-WAN solutions rose 45% year-over-year for the third calendar quarter of 2021, according to Dell’Oro. The research firm noted that Cisco’s quarterly SD-WAN revenue nearly doubled in the quarter, with especially strong growth in North America.

    The State of the WAN
    For years, the literal backbone of enterprise WAN connectivity has been Multi-Protocol Label Switching (MPLS). MPLS is a routing technique which directs data based on short path labels rather than long network addresses. Those paths labels speed network traffic by identifying virtual links between distant network nodes, eliminating routing delays.

    MPLS supports a range of network transport services. And as the acronym implies, it supports multiple networking protocols: Internet Protocol (IP), Asynchronous Transport Mode (ATM) and Frame Relay, for example.

    Regardless of protocol, MPLS connections all have one thing in common: They’re dedicated circuits, and require specialized routing hardware at both ends. This complicates provisioning and limits scale. What’s more, traditional WAN topologies typically backhaul all network traffic for security. This creates bottlenecks and complicates network traffic management.

    A WAN topology that restricts the flow of network traffic to the cloud is at direct odds with enterprise digitalization strategies. Enterprises depend on more cloud-based services than ever to manage essential business functions. SaaS platforms like Customer Relationship Management (CRM) and Enterprise Resource Planning (ERP) are examples. These platforms provide organizations with agility, flexibility, and scale, but being cloud-native demands a new approach when it comes to practical network management.

    SD-WAN modernizes network operations for the cloud
    As enterprises and users turn to the cloud, the difference between data center cloud and public cloud can get nebulous. Increasing public cloud-dependence and adjacency introduces complications to network security and compliance. Data sovereignty, compliance and security is top of mind for every IT professional.

    Many enterprises leaning into to the cloud are implementing Software-Defined Wide Area Networking (SD-WAN) to manage their networks. SD-WAN abstracts the networks’ transport service altogether. It’s a virtual WAN architecture which enables organizations to leverage whatever transport service they need — broadband, MLPS, 4G LTE, 5G.

    By separating the network’s control plane altogether, SD-WAN enables businesses to centralize network management, security, and provisioning. SD-WAN replaces dedicated network hardware with Virtual Network Functions (VNFs) in place of physical networking hardware.

    VNFs specifically replace devices like network routers and firewalls. VNFs are implemented as Virtual Machines (VMs) which run as software in the IT cloud, operating on commercial off-the-shelf (COTS) server hardware. Accompanied by Cloud-native Network Functions (CNFs), they provide IT departments with the ability to scale services instantly to meet demand. As software rather than hardware, VNFs and CNFs can be continuous updated and optimized.

    While VNFs are nothing new to enterprise IT, what’s new here in the SD-WAN equation is how SDN itself helps IT operations manage network operations and data security for branch and remote locations. There are some key differences, too.

    “SDN advocates a central controller to dictate network behaviors. In contrast, SD-WAN generally manages based on central policy control, but decisions may also be made locally while taking into consideration the corporate policies. Or decisions can be made centrally while incorporating knowledge of local conditions reported by remote network nodes,” said VMware.

    SD-WAN in the wild
    SD-WAN has emerged as an opportunity for carriers and hyperscalers, Over-the-Top (OTT) service providers, and edge services. In December, Amazon introduced AWS Cloud WAN as a way to replace what it called a “patchwork” of services needed to handle private network control and management. AWS Cloud WAN connects on-prem data centers, branch offices and cloud resources together on AWS’ global backbone, consolidating management through a central dashboard.

    Verizon features SD-WAN managed by Cisco as an option for its Network as a Service (NaaS). It comprises Cisco Umbrella security framework, manages zero trust application access and provides managed services through Cisco products including Pluggable Interface Modules and Catalyst Cellular Gateways.

    https://www.rcrwireless.com/20220113/telco-cloud/what-is-software-defined-wide-area-networking-sd-wan

Comments are closed.