SD-WAN Buyer's Guide: Key Questions Enterprises Need to Ask Vendors and Themselves


An enterprise's adoption of SD-WAN will start with deciding whether to DIY or go with a managed service, but will include asking about things like micro-segmentation, path control, service chaining and how it fits with SASE.

Before the coronavirus pandemic, SD-WAN was primarily a niche technology for enterprises, designed to reduce costs and increase WAN flexibility by allowing traffic to be transported directly from branch offices to the internet rather than backhauling it to the internet over expensive MPLS links.


Today, SD-WAN has become a key enabler for enterprises doing business in the post-pandemic era, where mission-critical applications live in multiple cloud platforms, employees can connect and collaborate anytime and anywhere, and applications such as Office 365, Salesforce and Zoom must be accessed remotely in a way that is fast, secure, reliable, optimized and automated, to maximize business productivity and end-user satisfaction.

SD-WAN technology has evolved from WAN optimization to include a comprehensive set of features that include core routing functions, advanced WAN optimization, and application-aware firewalls, all managed through a centralized software overlay. With SD-WAN, enterprises can replace multiple physical devices with a single appliance or virtual appliance, load the SD-WAN software onto a server at a branch office, retail store, restaurant, or manufacturing facility, or choose a fully managed cloud-based service.

For enterprises that want to take advantage of these new capabilities, selecting and deploying the right SD-WAN solution becomes more complex because SD-WAN spans security, networking, application performance, and cloud computing services. This guide will help buyers of SD-WAN technology understand strategic decision points and present key questions to ask potential vendors or service providers.

SD-WAN vendors offering more features

Over the past few years, many SD-WAN products have been acquired by industry heavyweights and integrated into their broader portfolios: Cisco acquired Viptela, VMware acquired VeloCloud, Oracle acquired Talari, Palo Alto Networks acquired CloudGenix, HPE/Aruba acquired Silver Peak, and Juniper acquired 128 Technology.

According to Dell'Oro Group's survey data, the top five suppliers by global market revenue share in 2020 were Cisco, VMware, Fortinet, Versa and HPE/Aruba. As enterprises recognize the commercial benefits of SD-WAN technology, the overall market in the fourth quarter of 2020 grew by 50% compared with the previous year, and by 32% for the whole year. The top five suppliers account for almost two-thirds of overall market revenue. Dell'Oro Group forecasts further consolidation of suppliers in the future.

As a result of these acquisitions, the number of SD-WAN vendors in the market continues to shrink, but users still have a lot of choices. Today, the list includes Versa, FatPipe, Cradlepoint, and Nuage (owned by Nokia). In addition, Cato Networks and Aryaka offer fully managed, cloud-based SD-WAN on their own networks. Traditional operators (AT&T, Verizon, Comcast) are selling fully managed SD-WAN services using equipment from the industry's leading SD-WAN hardware vendors.

For enterprises looking to acquire SD-WAN capabilities, there are many questions that need to be answered, or discussed with the vendor or outside consultants, before signing a contract or settling on a vendor.

(1) What is the business driver for SD-WAN? How does it tie in with the vendor’s strengths and weaknesses? For example, if security is a top concern, then working with a security-conscious SD-WAN vendor may be a priority. If application performance is a top concern for the enterprise, then an SD-WAN vendor with extensive experience in WAN optimization may be the best choice for the enterprise. Alternatively, if the enterprise has just made a major acquisition and must install SD-WAN at multiple sites in the shortest possible time, then a managed service may make the most sense.

(2) How can an enterprise leverage existing vendor relationships to make the transition to SD-WAN as easy as possible? If an enterprise has a strong working relationship with its existing network vendor and can simply add SD-WAN capabilities to existing branch equipment via a software upgrade, this may be an attractive option. Alternatively, if an enterprise examines its MPLS service provider partners, it may be surprised at how quickly they can deliver a fully managed SD-WAN offering.

(3) Which pricing options are more suitable? An SD-WAN built by an enterprise requires capital expenditures, licensing, and ongoing maintenance. On top of that, the enterprise must procure multiple WAN connections for each branch location, which increases costs. If you want to offload all of these connections, many SD-WAN hardware providers will offer managed or co-managed options. Of course, network operators have their own fully managed services on their networks. Managed services enable enterprises to move from capital expenditures (CAPEX) to operating expenses (OPEX). The subscription model creates predictable costs and provides the flexibility to respond quickly to changing business conditions.

(4) How well does the product or service integrate with your existing infrastructure? The question of integration has two aspects: First, if the vendor acquired the SD-WAN by acquiring another company, how well are the different parts integrated? Is there a single management console to control all SD-WAN functions? Are there any pricing implications? In other words, is the SD-WAN an all-in-one purchase, or is the firewall considered an add-on?

The second aspect is how well the SD-WAN system integrates with existing enterprise infrastructure. SD-WAN needs to integrate with the rest of the enterprise's network infrastructure, application management and monitoring systems, and security systems. If the enterprise plans to adopt software-defined networking or intent-based networking, implement zero-trust network access, or make other changes, how easy is it to apply these changes to the enterprise's SD-WAN? If the SD-WAN product has a cloud-based management platform, how does it integrate with existing management systems?

DIY or managed service?

The challenge with SD-WAN is the complexity and difficulty of implementation. Consider everything an enterprise must do to deploy an SD-WAN. First, the enterprise's WAN must be mapped, historical traffic patterns must be analyzed, current and future bandwidth requirements for each site must be reasonably estimated, and policies must be defined for each type of traffic, starting with voice, video, data, and then drilling down to specific applications. Then, two WAN links must be purchased for each location for optimization and to provide failover. The enterprise needs to manage all of this, which includes deploying software updates, handling trouble tickets, and generating reports.

An important question for enterprises to ask potential SD-WAN vendors is, what types of tutorials, training materials, configuration guides, etc. are available? To what extent will the SD-WAN vendor help determine the appropriate bandwidth levels and system requirements for each site? What is the product roadmap? How often are software updates released? What are the ongoing licensing costs? What level of support can enterprises expect, and how much will it cost?

If a business does not have the staff time, expertise or capital expenditure for a DIY approach, there are a number of options:

  • The enterprise can hand over the planning, testing, and configuration phases to a third-party integrator. In this case, the enterprise still makes the initial purchase decision based on the features and functionality that are right for the enterprise. The enterprise can purchase the WAN link with the benefit that the integrator is familiar with the equipment and has the expertise to speed up deployment. The question is whether the enterprise has the skills to handle the ongoing maintenance of the system, software updates, and changing business needs.
  • In a co-managed scenario, an enterprise might work with an SD-WAN vendor or channel partner, system integrator or managed service provider, who can help the enterprise determine the scope of the project. The enterprise still makes the purchasing decision and retains a degree of control, but most deployment, maintenance and service-level agreement (SLA) support issues are the responsibility of the managed service provider. The question to ask is: How can the two parties clarify the scope of responsibility to avoid gray areas?
  • In a fully managed scenario, IT outsources the entire SD-WAN to a third party that has the expertise, resources, and in many cases, its own network. When it comes to selecting specific features, it may be as simple as clicking on a drop-down menu. The downside is that the enterprise is giving up control, and it is difficult to change vendors once a choice is made.

Some key questions you need to ask your managed service provider are: Whose SD-WAN equipment do you use? How can you avoid finger pointing when a dispute arises as to whether an outage or service degradation is due to the network or the SD-WAN equipment? How many access points do you have and how well does the network map to your remote access locations? What level of visibility do you have into the network? What types of alerts, notifications and reports do you receive? What types of service-level agreements (SLAs) are available?

Features to consider when purchasing an SD-WAN

Here are some key features to look for as organizations investigate and compare SD-WAN feature sets.

(1) Completely replace existing branch office functions: Modern branch office routers provide a wide range of functions, including QoS, IPSec VPN, dynamic routing, NetFlow, SNMP, logging, access control lists, event management, support for protocols such as BGP and OSPF. SD-WAN needs to be able to do all of these.

(2) Transport independence: SD-WAN should be able to utilize high-speed bandwidth of multiple transports, including MPLS, Internet, 3G/4G/LTE, and 5G.

(3) Path control: The ability to use multiple active paths to improve bandwidth efficiency, resiliency, and failover is critical. The system needs to be able to dynamically steer traffic based on policy in response to changing network conditions such as packet loss, latency, and jitter.

(4) Application Optimization: The real benefit of SD-WAN is the ability to optimize application performance. These systems must be able to identify all applications in an enterprise's portfolio and be able to proactively monitor application performance as WAN traffic (including voice and video traffic and SaaS applications) moves.

(5) Encryption: If enterprises are to reduce their reliance on VPN technology, SD-WAN must be able to encrypt WAN traffic based on policy. In addition, automatic key rotation is important so that encryption keys can be changed regularly.

(6) Security: Because SD-WAN topologies now connect branch offices directly to the public internet (rather than routing traffic back to the central office), security must be distributed to each branch office site. Look for an integrated next-generation application-aware firewall that provides antivirus, anti-malware, URL/content filtering, data loss prevention, segmentation, IDS/IPS, and sandboxing.

(7) Zero-touch deployment: With zero-touch deployment, the SD-WAN box can be sent to the branch office and a non-technical person only needs to connect it to power and the WAN link, and the device will configure itself.

(8) Automation and orchestration: Management of SD-WAN services should be automated, and the overlay software should be able to orchestrate monitoring, troubleshooting, reporting, and other functions across the WAN.

(9) Micro-segmentation: Opening up two-way traffic between the public Internet and branch offices creates a potential security hole: attackers who gain access to branch office devices can use them as a springboard to attack data center resources. Micro-segmentation allows enterprises to contain such attacks by limiting lateral movement.

(10) Service chaining: Both centralized and decentralized models have their pros and cons. SD-WAN replaces the centralized MPLS model, but it does introduce a degree of complexity because many enterprises are managing so many distributed devices, each handling multiple functions. Service chaining is an intermediary technology that enables enterprises to reroute and aggregate traffic to reduce branch clutter and improve efficiency. For example, an enterprise may use SD-WAN for routing and optimization, but send the traffic to a cloud-based service provider, which handles all security functions before allowing the traffic to enter the open internet.

Future-proofing SD-WAN

For many enterprises, implementing SD-WAN is part of a larger digital transformation initiative that moves application development capabilities, mission-critical applications, storage, backup, disaster recovery, and data analytics to the cloud. SD-WAN focuses on providing branch office employees with a way to quickly, securely, and efficiently access these cloud resources. But the industry is moving toward a broader product category, called secure access service edge (SASE), that puts more capabilities directly in the cloud and enables secure access from all endpoints, including home offices.

Another way to think about the SASE architecture is that it combines SD-WAN with cloud access security brokers (CASBs), firewall as a service (FWaaS), and zero-trust network access in cloud-based services.

According to Gartner, by 2024, more than 60% of SD-WAN users will adopt SASE architecture, compared to about 35% in 2020. Therefore, when selecting an SD-WAN vendor, it is important to ask about their SASE roadmap.

Another question for enterprises to ask vendors is what they currently offer, or plan to offer, in the form of AIOps. AIOps uses machine learning to increase the level of automation in IT operations. It reduces human error, which is the main cause of network problems that need to be identified and solved. With AIOps, enterprises can create "autonomous" networks. According to Gartner, by 2024, 20% of SD-WAN centralized configuration and troubleshooting will be touchless, carried out through artificial intelligence assistants.

Finally, your IT executives need to analyze current and future business needs. For organizations with physical assets in industries such as healthcare, retail, hospitality, and manufacturing, IoT will have a significant impact on the network. How do you plan to handle the large amounts of sensor data from branch locations that need to be analyzed in the cloud? For organizations in industries such as banking, finance, education, and government, secure and reliable remote access to cloud-based productivity and collaboration applications will be critical. So, the final question is, how can SD-WAN technology be leveraged to help your business be more successful?
