What is SD-WAN?
The concept of software-defined networking (SDN) can be traced back to common channel signaling (CCS) technology developed during the 1970s and 1980s for use in telecom networks. The CCS #7 protocol operates via a signaling network independent of the telephony traffic (i.e., bearer) network and provides call setup, routing, release and related functions. In an analogous fashion, SDN decouples the data (bearer) plane from the control (signaling) plane. As illustrated in Figure 1, the data plane comprises network routing hardware or virtualized network functions, while the control plane comprises the software that “defines” the network: it monitors, manages and reconfigures the routers to achieve optimal performance.
Software-defined wide area networks (SD-WANs), the WAN component of SDN, enable organizations to partially or entirely supplant private network services such as Multi-Protocol Label Switching (MPLS) in order to improve network performance, centralize provisioning, simplify operations, and reduce costs. These benefits can be realized via dynamic path selection for load balancing and redundancy as well as support for multiple network interfaces, e.g., for the Internet, VPN, 5G and MPLS.
The SD-WAN controller is an entity within the control plane that monitors network traffic and dynamically configures software-defined routers (SD-routers) to route over the various available networks, adjusting application traffic prioritization, treatment and routing as necessary. To illustrate a benefit of the SD-WAN architecture, let’s contrast it with a traditional private WAN with a single Internet connection. In the traditional architecture, shown on the left side of Figure 2, internal enterprise sites interconnect via a private network such as MPLS. Access to the Internet is funneled through one or just a few Internet egress points, secured by demilitarized zone (DMZ) infrastructure. One major benefit of this approach is a limited attack surface for Internet-based attacks to target. However, it forces enterprise devices at geographically dispersed, perhaps global, sites to transit the enterprise network to the DMZ before reaching the intended Internet destination.
As illustrated on the left of Figure 2, Internet traffic is routed to the destination nearest the DMZ, e.g., Cloud POP Y in the figure, not the destination nearest the originating device. Thus, accessing an Internet site physically located down the street could mean traversing the globe to route via the DMZ egress. This is particularly problematic when accessing enterprise applications hosted in the cloud, where application traffic enters via the cloud point of presence (POP) closest to the DMZ rather than the one closest to the application user, potentially introducing excessive latency.
Contrast this with the right side of Figure 2, where local Internet access has been provisioned at each site, allowing direct Internet access from every site. While we illustrate only the Internet “cloud” on the right of Figure 2, in practice two or more networks may be accessible from all or selected sites to enable multi-network access for particular connections or connection types. The local Internet “breakout” illustrated on the right side of Figure 2 lets each site route to Internet destinations in an optimal fashion: each site connects to the closest (in routing terms) Internet-based destination, including cloud POPs, affording better application performance thanks to lower round-trip time and latency than the traditional approach. The downside is a broader Internet-facing attack surface, which requires more protection and vigilance from a network security perspective.
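The controller’s path-selection step described above, as an added example that is not code from the original post: per-application SLA ceilings decide which live interfaces are eligible, the policy then optimizes latency or cost, and an outage on one transport causes a reroute. The interface names, thresholds and metrics are constructed for illustration.

```python
# Added example, not code from the original post: a toy SD-WAN controller
# path-selection step. Interface names, SLA thresholds and metrics are
# constructed; a real controller takes them from probes and operator policy.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Link:
    name: str          # e.g. "mpls", "internet", "5g"
    up: bool           # interface/tunnel state
    latency_ms: float  # measured round-trip time
    loss_pct: float    # measured packet loss
    cost_rank: int     # 0 = cheapest transport

# Per-application class: SLA ceilings, plus what to optimise once the SLA holds.
POLICIES = {
    "voice": {"max_latency_ms": 150, "max_loss_pct": 1.0, "optimize": "latency"},
    "saas":  {"max_latency_ms": 300, "max_loss_pct": 2.0, "optimize": "latency"},
    "bulk":  {"max_latency_ms": 1000, "max_loss_pct": 5.0, "optimize": "cost"},
}

def select_path(app, links):
    """Name of the link to carry `app`, or None if every interface is down.
    Down links and links violating the SLA are excluded; the policy then picks
    lowest latency or lowest cost. If no link meets the SLA the traffic still
    rides the lowest-latency live link (degrade rather than blackhole)."""
    pol = POLICIES[app]
    alive = [l for l in links if l.up]
    if not alive:
        return None
    ok = [l for l in alive
          if l.latency_ms <= pol["max_latency_ms"]
          and l.loss_pct <= pol["max_loss_pct"]]
    if not ok:
        return min(alive, key=lambda l: l.latency_ms).name
    if pol["optimize"] == "cost":
        return min(ok, key=lambda l: (l.cost_rank, l.latency_ms)).name
    return min(ok, key=lambda l: (l.latency_ms, l.cost_rank)).name

def mark_down(links, name):
    """Return a copy of `links` with interface `name` failed (outage case)."""
    return [replace(l, up=False) if l.name == name else l for l in links]

# Constructed site with three transports at different health/cost points.
SITE = [
    Link("mpls", True, 40.0, 0.1, 2),
    Link("internet", True, 25.0, 0.3, 0),
    Link("5g", True, 70.0, 0.8, 1),
]
```

With the constructed metrics, voice and bulk both ride the cheap, low-latency Internet link; when it fails, voice moves to MPLS (lowest latency) while bulk moves to 5G (next cheapest).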
- Network cost savings through the use of multiple network interfaces, reducing reliance on expensive private network services like MPLS.
- Cloud-adaptable, with improved application performance through optimal routing among multiple interface options, including Internet breakout.
- Flexibility in deployment, enabling evolution from WAN to SD-WAN and the addition or removal of selected network interfaces over time.
- Increased resiliency in the face of network outages through the ability to reroute among multiple networks.
- Improved device utilization efficiency: orchestration of virtualized network functions or containers on some SD-WAN routers enables deployment of additional network services, such as DNS, locally without additional hardware (see my companion post on SD-IPAM for SD-WAN).
- Larger attack surface with more Internet access points, so security policies must be enacted across all Internet breakout points.
- Higher cost of network access for each network type across multiple sites, as well as for the SD-WAN routers themselves, though this can be offset and paid back through network cost savings.
- While SD-WAN routers generally provide improved monitoring and reporting, staff need to remain vigilant and proactively manage the network, which means, for example, that staff training is required.
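The “security policies must be enacted across all Internet breakout points” drawback, as an added example that is not code from the original post: an audit over a controller-style site inventory that lists every breakout site missing part of the edge baseline the central DMZ already enforces, and flags sites that egress to the Internet without having been designed as edges. Site names, control names and the inventory shape are constructed assumptions.

```python
# Added example, not code from the original post: an audit that every site
# with local Internet breakout carries the same baseline of edge controls as
# the central DMZ egress. Site names, control names and routes are constructed.

# Controls the DMZ egress enforces today; with breakout, every site is an egress.
EDGE_BASELINE = frozenset({
    "stateful_firewall",   # default-deny inbound from the Internet
    "dns_filtering",
    "ips",
    "central_logging",     # edge events must reach the SOC, not stay on the box
})

# Constructed inventory in the shape a controller might export. `egress` is
# where Internet-bound traffic actually leaves; `breakout_approved` is whether
# the design intends that site to be an Internet edge at all.
SITES = {
    "hq-dmz":    {"egress": "internet", "breakout_approved": True,
                  "controls": set(EDGE_BASELINE)},
    "branch-01": {"egress": "internet", "breakout_approved": True,
                  "controls": {"stateful_firewall", "dns_filtering"}},
    "branch-02": {"egress": "mpls", "breakout_approved": False,
                  "controls": set()},                       # hairpins via HQ DMZ
    "branch-03": {"egress": "internet", "breakout_approved": False,
                  "controls": {"stateful_firewall"}},       # nobody signed this off
}

def internet_edges(sites):
    """Sites whose Internet traffic leaves locally: each is an attack surface."""
    return sorted(n for n, s in sites.items() if s["egress"] == "internet")

def audit_baseline(sites, baseline=EDGE_BASELINE):
    """Breakout sites missing part of the baseline -> sorted missing controls.
    Sites still egressing via the private WAN are out of scope: they have no
    Internet-facing interface of their own."""
    findings = {}
    for name in internet_edges(sites):
        missing = baseline - sites[name]["controls"]
        if missing:
            findings[name] = sorted(missing)
    return findings

def unapproved_breakouts(sites):
    """Sites that egress to the Internet without being designed as edges:
    a breakout the security policy was never scoped to cover."""
    return [n for n in internet_edges(sites) if not sites[n]["breakout_approved"]]
```

Run against the constructed inventory, the audit reports three Internet-facing edges instead of the traditional design’s one, two of them below baseline and one of them never approved as a breakout at all.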