Ten underutilized SD-WAN features


SD-WAN is more than just an alternative to Multiprotocol Label Switching (MPLS). Zero-touch provisioning, application-aware routing, and micro-segmentation are also some of the features that SD-WAN products and services can provide.


Early SD-WAN products provided organizations with a way to decommission MPLS links, connect branch offices directly to cloud platforms, and optimize WAN traffic. But many of the initial SD-WAN products lacked features such as integrated firewalls, application-aware routing, and advanced data analytics.

Over time, SD-WAN vendors have enhanced their products to include a robust set of additional features. However, many organizations are not taking advantage of the full capabilities of the latest SD-WAN products and managed service options.

So why aren't IT managers fully adopting these new capabilities? In some cases, vendors are not doing enough to convey the benefits and ease of use of these advanced capabilities to IT leaders.

In other cases, organizational silos, such as barriers between network and security teams, prevent organizations from activating next-generation firewalls or intrusion prevention systems, such as those included with SD-WAN appliances.

In many cases, network professionals have followed a standard set of methods and procedures for years and they have done their job well. When it comes to a new way of working, such as zero-touch provisioning, there can be a reluctance to take risks that could backfire if something goes wrong. However, organizations should consider the benefits that the underutilized SD-WAN features listed below can provide. After all, organizations are still paying for the SD-WAN appliance or managed service, so why not take advantage of these features?

1. Zero-touch configuration

The traditional method of deploying branch office network equipment is to bring the physical equipment to a staging area, configure and test it, and then ship it to the branch office to be set up by network professionals. For organizations deploying dozens or hundreds of SD-WAN devices across a wide geographic area, this is a manually intensive and time-consuming process.

Zero-touch provisioning is standard on most SD-WAN devices and automates the configuration of off-the-shelf devices. According to Kunal Thakkar, director of network engineering at Apcela, all the device requires is an Internet connection; it is then fully configured from predefined templates in a fast, efficient, and standardized manner.

2. Encryption key rotation

For organizations that do business with government agencies or have PCI compliance responsibilities, encryption keys need to be rotated regularly (usually every 90 days). This can be a tedious manual process that requires complex change control strategies and may require planned downtime.

SD-WAN platforms can replace traditional VPN-based key rotation with an automated system that can be programmed to perform rotations every minute without disrupting data plane traffic. The result is better security with no downtime and no manual intervention.

3. Multi-VPN

In many cases, organizations need to keep different types of traffic separate from each other. For example, in the case of an organizational merger or acquisition, each of its business units will continue to operate independently for business, compliance, or security reasons. If the organization then decides to upgrade to SD-WAN, it may consider purchasing a physical appliance.

But SD-WAN technology allows multiple virtual routing and forwarding (VRF) and VPN links to be multiplexed with a single overlay. This was not feasible with previous VPN technology. For large and complex organizations with multiple business units, traffic isolation can be achieved by simply setting policies. Thakkar said that SD-WAN technology is able to create up to 16 virtual VPNs, all running on the same physical WAN link.

4. Application-aware routing

SD-WAN products have the ability to inspect Layer 7 traffic in order to apply granular routing policies for specific applications. In fact, some devices can recognize more than 3,000 different applications and understand the performance requirements of each application. This capability helps organizations optimize costs by continuously monitoring latency, jitter, and other characteristics of sensitive applications in real time and moving applications to the most cost-effective transport method that meets performance thresholds.

Ashwath Nagaraj, CTO of Aryaka Networks, said application-aware routing is not widely deployed. This may be because Layer 7 traffic inspection does incur a certain degree of performance overhead and does require organizations to spend time and effort to define policies for each application. But he believes application-aware routing can provide significant performance and cost advantages.
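The selection logic described in this section, as an added example that is not taken from any vendor's product: each application gets the cheapest transport that meets its thresholds, with a fallback to the least-violating link when none complies. All link names, costs, measurements, and thresholds are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LinkStats:
    name: str
    cost: float          # relative cost per GB (constructed value)
    latency_ms: float
    jitter_ms: float
    loss_pct: float

@dataclass(frozen=True)
class AppPolicy:
    app: str
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float

def overshoot(link, policy):
    """Sum of relative threshold overshoots; 0.0 means the link complies."""
    pairs = ((link.latency_ms, policy.max_latency_ms),
             (link.jitter_ms, policy.max_jitter_ms),
             (link.loss_pct, policy.max_loss_pct))
    return sum(max(0.0, measured / limit - 1.0) for measured, limit in pairs)

def select_path(policy, links):
    """Return (link name, compliant?) for one application."""
    if not links:
        raise ValueError("no transport links available")
    compliant = [l for l in links if overshoot(l, policy) == 0.0]
    if compliant:
        # Cheapest compliant link wins; latency breaks cost ties.
        return min(compliant, key=lambda l: (l.cost, l.latency_ms)).name, True
    # Nothing meets the thresholds: degrade gracefully instead of dropping.
    return min(links, key=lambda l: overshoot(l, policy)).name, False

def route_all(policies, links):
    """Re-evaluate every application against the latest measurements."""
    return {p.app: select_path(p, links) for p in policies}

# Constructed sample measurements and per-application policies.
LINKS = [LinkStats("mpls", 10.0, 20.0, 2.0, 0.0),
         LinkStats("broadband", 2.0, 45.0, 12.0, 0.3),
         LinkStats("lte", 6.0, 80.0, 25.0, 1.0)]
POLICIES = [AppPolicy("voice", 150.0, 10.0, 1.0),
            AppPolicy("backup", 500.0, 100.0, 2.0),
            AppPolicy("trading", 10.0, 1.0, 0.1)]

if __name__ == "__main__":
    for app, (link, ok) in route_all(POLICIES, LINKS).items():
        print(f"{app:8s} -> {link:9s} {'ok' if ok else 'DEGRADED'}")
```

The non-compliant results are the ones worth alerting on: they mean an application is running outside its thresholds on every available transport.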

5. Programming API

The use of APIs can help organizations orchestrate and automate functions throughout the SD-WAN lifecycle, said Raviv Levi, senior director of product management at Cisco Meraki. Levi said that while current capabilities are underutilized, interest is growing as IT leaders begin to understand that, by using APIs, large organizations can gain ownership and control over their networks in ways that were previously unavailable.

APIs allow organizations to customize and automate the initial configuration of SD-WAN devices, make configuration changes at scale over time, automate trouble ticket processes, and collect data about WAN performance for real-time traffic optimization and long-term monitoring and management of the infrastructure. For example, organizations can use APIs to program devices to perform more frequent polling than required by the default settings.

Through the API, organizations can set up their SD-WAN infrastructure to automatically collect data that helps manage user groups, view audit logs, collect device inventories, conduct real-time monitoring and troubleshoot network equipment, among other functions.

6. Optimized cloud computing connection

Cloud breakout, or the ability to connect branch office traffic directly to the cloud rather than back to the data center, is one of the main benefits of SD-WAN. But in many cases, network administrators have limited or no visibility into the performance characteristics of the network between end users and cloud SaaS applications. However, vendors now offer a feature, called Cloud OnRamp in the case of Cisco Viptela, that uses programmatic APIs to measure the performance of SaaS applications, or IaaS services from Amazon Web Services and Microsoft Azure.

In IaaS scenarios, virtual instances of SD-WAN routers within the cloud service provider's domain continuously measure application performance, giving network administrators unprecedented visibility into application performance. In SaaS scenarios, SD-WAN devices connect to the nearest SaaS point of presence and make real-time decisions on which path to choose for the best performance. For popular productivity applications such as Office 365, end-user performance has improved by 40%, said Rohan Grover, senior director of product management, SD-WAN and enterprise routing products at Cisco.

7. Data Analysis

Another underutilized feature of SD-WAN systems is the ability to use data analytics to troubleshoot network performance issues and perform remote network capacity planning. Whether an organization uses a managed service or does its own analytics, a wealth of traffic data is available to cover end-to-end WAN connections. The use of analytics eliminates the typical finger-pointing that occurs between customers, cloud service providers, and network service providers.

8. End-to-end micro-segmentation

Microsegmentation has become an increasingly popular method for protecting applications running in data centers and cloud computing environments by isolating workloads based on policy. Microsegmentation enables organizations to better control east-west traffic and, if a breach occurs, limits the potential lateral movement of hackers.

The rise of software overlays such as SDN and NFV paved the way for microsegmentation, so it is natural for microsegmentation to become a feature of the SD-WAN overlay. Sunil Khandekar, CEO of Nuage Networks, believes that the benefit of microsegmentation is that if a branch node is attacked, the central policy server can automatically take measures to isolate the branch from the rest of the network.

9. Service Chain

When branch traffic was routed back to the data center over secure multiprotocol label switching (MPLS) links, no additional network and security functions were needed in the branch. But now that branches are directly connected to the Internet, organizations may find themselves with multiple branch devices such as firewalls, NAT devices, and intrusion prevention systems. As Khandekar said, service chaining enables organizations to reduce branch clutter. Organizations can create chains of connected network services and automatically handle different traffic flows based on the traffic requirements in areas such as security, latency, or QoS.

10. Fixed wireless connection

Experts say that although fixed wireless is not specifically an SD-WAN capability, organizations should consider using fixed wireless connections when building branch office links, especially if speed of deployment is a top priority. For some organizations, it may be relatively easy to order a WAN link from an existing Internet service provider (ISP). But for organizations in rural areas without traditional broadband service, or that need to quickly deliver SD-WAN to new retail stores or other pop-up business locations, fixed wireless circuits may be a better approach.

Khandekar said that early SD-WAN deployments focused on basic connectivity and cost savings. However, today, SD-WAN is viewed as a network automation platform that supports digital transformation. Deploying these underutilized capabilities can help IT organizations align the WAN with business needs.
