Straight to the Point is a new blog series by Zachary Grant, MetTel’s Vice President of Solution Architecture. Each article will break down the benefits and functionality of the latest communications technology in an easy-to-understand way that gets past the fluff and gets Straight to the Point. Zachary oversees a fleet of Senior Technology Architects and Engineers who have designed and deployed thousands of enterprise and federal networks globally.
3 (Not So Obvious) Considerations When Choosing an SD-WAN Platform
Software Defined Wide Area Network (SD-WAN) is somewhat of an industry marketing term because there is no uniform definition of features that SD-WAN provides. All of the platforms offer the benefits of increased resilience, enhanced visibility and management, network path selection, and enterprise reporting. These are very important functions but, in a sales presentation, they all start to sound the same. To really understand and ensure you are choosing a platform that aligns with your business practices, there are three technical areas worth exploring that may not be clear in marketing material and/or a sales team may not volunteer to discuss.
In this article, I will break down three different concepts to consider in helping you better understand SD-WAN and evaluate features that may be critical to your business.
1. How is the SD-WAN aggregating your Wide Area Network (WAN) circuits?
Marketing material can make it difficult to understand the true function of an SD-WAN platform. When evaluating platforms, the following should be discussed with your sales engineer to better understand the functionality. All SD-WAN platforms claim that they do circuit aggregation to provide WAN resilience, but you should understand exactly what that means.
- Stream-by-Stream (also referred to as flow-by-flow): This method of aggregation will take your traffic and choose a WAN path best suited for your application. The traffic will stay on this path until the session is ended. A new session may take the same or a different path. To illustrate this, imagine a user performing a speed test from behind the SD-WAN network. They would achieve the speed allowed by a single circuit. The SD-WAN solution is using all circuits available, but it is only putting your session on a single circuit. The next session may go on a different circuit and the resources are load-balanced, but not combined or “bonded” together.
- Packet-by-Packet: This method of aggregation will take your traffic and will distribute the traffic from a single stream over multiple circuits, essentially load balancing active WAN circuits. This allows the traffic to remain stateful, so if one of your WAN circuits goes down in the middle of your transmission, the traffic will not be interrupted and will survive a WAN circuit interruption. In this methodology, if a user was to perform a speed test from behind the SD-WAN network, they would achieve the speed of multiple WAN circuits, essentially functioning as if the circuits are bonded together. Therefore, your users will receive more bandwidth. Two 10Mb circuits will act as a single 20Mb circuit. This method is highly desirable for organizations with critical traffic with no tolerance for network disruption.
Straight to the Point: I have a strong preference for packet-by-packet aggregation. There are limited downsides to using this technology. In today’s post-pandemic environment, businesses rely on real-time communications. Dropped calls and poor-quality presentations can be very disruptive. If one of your goals is to reduce calls and “noise” from your user community into your helpdesk, a packet-by-packet aggregation platform will help you achieve that goal. That said, there are some scenarios where packet-by-packet does not apply. For example, stream-by-stream is a good fit for organizations that have a primary WAN circuit and use LTE as a backup, where usage is a concern and the secondary circuit is only used when the primary circuit goes down. If that is your business model, stream-by-stream should suffice.
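To make the difference between the two aggregation modes concrete, here is a small simulation added to this article (it is not MetTel’s or any vendor’s code). It models two constructed 10Mb circuits and one session: stream-by-stream pins the session to a circuit chosen by hashing its 5-tuple, while packet-by-packet spreads the session’s packets across every live circuit. The circuit names, the 5-tuple and the failure timing are made-up values, and failure detection time is ignored.

```python
"""Toy model of the two circuit-aggregation modes described above.

Constructed example: circuit names, capacities and the 5-tuple below are made up,
and the scheduler is a simplification of what a real SD-WAN appliance does.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Circuit:
    name: str
    capacity_mbps: float
    up: bool = True


def two_circuits() -> List[Circuit]:
    """Fresh pair of 10Mb circuits for each simulation run (constructed values)."""
    return [Circuit("wan-a", 10.0), Circuit("wan-b", 10.0)]


def live_circuits(circuits: List[Circuit]) -> List[Circuit]:
    return [c for c in circuits if c.up]


def flow_hash(flow: Tuple) -> int:
    """Deterministic hash of a 5-tuple, so a session is always pinned to one path."""
    digest = hashlib.sha256("|".join(map(str, flow)).encode()).digest()
    return int.from_bytes(digest[:4], "big")


def choose_path_stream(flow: Tuple, circuits: List[Circuit]) -> Optional[Circuit]:
    """Stream-by-stream: the whole session rides one circuit chosen by flow hash."""
    live = live_circuits(circuits)
    return live[flow_hash(flow) % len(live)] if live else None


def choose_path_packet(seq: int, circuits: List[Circuit]) -> Optional[Circuit]:
    """Packet-by-packet: each packet goes to the next live circuit (round-robin)."""
    live = live_circuits(circuits)
    return live[seq % len(live)] if live else None


def single_session_bandwidth(mode: str, flow: Tuple, circuits: List[Circuit]) -> float:
    """What one speed-test session can see: one circuit, or the sum of all live ones."""
    if mode == "stream":
        path = choose_path_stream(flow, circuits)
        return path.capacity_mbps if path else 0.0
    return sum(c.capacity_mbps for c in live_circuits(circuits))


def simulate_session(mode: str, flow: Tuple, circuits: List[Circuit], n_packets: int,
                     fail_circuit: Optional[str] = None, fail_at: Optional[int] = None
                     ) -> Tuple[Dict[str, int], int]:
    """Send n_packets of one session, optionally failing a circuit mid-session.

    Returns (packets delivered per circuit, packets lost). Modelling assumption: a
    pinned session keeps sending to its original path after that circuit fails
    (the article says stream traffic stays on its path until the session ends),
    while the per-packet scheduler simply skips circuits that are down.
    """
    counts = {c.name: 0 for c in circuits}
    lost = 0
    pinned = choose_path_stream(flow, circuits) if mode == "stream" else None
    for seq in range(n_packets):
        if fail_circuit is not None and seq == fail_at:
            next(c for c in circuits if c.name == fail_circuit).up = False
        path = pinned if mode == "stream" else choose_path_packet(seq, circuits)
        if path is None or not path.up:
            lost += 1
        else:
            counts[path.name] += 1
    return counts, lost


if __name__ == "__main__":
    flow = ("10.0.0.5", "203.0.113.10", 51000, 443, "tcp")  # constructed 5-tuple
    for mode in ("stream", "packet"):
        print(mode, "single-session bandwidth:",
              single_session_bandwidth(mode, flow, two_circuits()), "Mb")
    pinned = choose_path_stream(flow, two_circuits())
    print("stream, pinned circuit fails mid-session:",
          simulate_session("stream", flow, two_circuits(), 100, pinned.name, 50))
    print("packet, wan-a fails mid-session:",
          simulate_session("packet", flow, two_circuits(), 100, "wan-a", 50))
```

Running it shows the speed-test point from the text (10Mb for a pinned session versus 20Mb when packets are spread) and the resilience point: when the pinned circuit fails, the stream-by-stream session loses every remaining packet, while the packet-by-packet session finishes on the surviving circuit with no loss.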
2. Experience Optimization
Most SD-WAN platforms will include experience optimization algorithms. Experience optimization does not eliminate underlying network issues, but it does mask the issues and provide automatic real-time resolution for the end-users, so they do not “feel” the network issues. It also gives IT organizations the opportunity to be proactive and resolve the issues before they become obvious to the end-users. SD-WAN will not reduce the amount of work for your IT staff when repairing network issues, but it will reduce the number of user calls into a helpdesk, because a properly deployed SD-WAN network should allow the users to work unimpeded.
Below are the top six experience optimization features.
- Jitter Buffers
- Packet Duplication
- Forward Error Correction
- Packet Replication
- Packet Caching
Straight to the Point: At a minimum, a good SD-WAN platform will possess at least 4 of the 6 experience optimization features. Ask your sales engineer how the platform will help your users receive a better experience without any human intervention. If they start providing you with alternative answers such as better visibility, better reporting or tighter security, remember that your end-users don’t care about those topics the way a CIO might. Restate your question to address exactly how the algorithm works to enhance your customers’ experience. It is also important to understand which optimization algorithms best suit your traffic needs. For example, compression and caching may not be a good fit for real-time communications: most communication protocols are already compressed, and real-time traffic does not benefit from caching. However, if your organization constantly moves very large files over the network and bandwidth is limited, caching and compression may be the best technology fit. A competent sales engineer should be able to talk in-depth about exactly how each feature works and why it benefits the end-user (not the IT department).
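The questions above are easier to ask well when you can picture what each feature actually does to a packet stream. The following toy implementations of forward error correction, packet duplication and a jitter buffer were added to this article as an illustration; they are not MetTel’s or any vendor’s code, and the payloads, loss patterns and arrival orders are constructed. Each function is the minimal version of the idea: one XOR parity packet per block, a receiver that keeps the first of two copies, and a buffer that plays out in sequence order.

```python
"""Toy implementations of three experience-optimization techniques.

Constructed example: the packet payloads, loss patterns and arrival orders are made
up, and each function is a minimal model of the idea rather than any vendor's
implementation.
"""
from typing import Dict, List, Optional, Set, Tuple


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def fec_encode(block: List[bytes]) -> bytes:
    """Forward error correction: one XOR parity packet per block of equal-length packets."""
    parity = bytes(len(block[0]))
    for packet in block:
        parity = xor_bytes(parity, packet)
    return parity


def fec_recover(received: Dict[int, bytes], parity: bytes,
                block_size: int) -> Optional[Dict[int, bytes]]:
    """Rebuild a single missing packet from the parity, with no retransmission.

    Returns the complete block, or None when more than one packet of the block is
    missing (a single parity packet can only repair one loss).
    """
    missing = [i for i in range(block_size) if i not in received]
    if len(missing) > 1:
        return None
    block = dict(received)
    if missing:
        acc = parity
        for packet in received.values():
            acc = xor_bytes(acc, packet)
        block[missing[0]] = acc
    return block


def duplicate_and_receive(packets: List[bytes], lost_on_a: Set[int],
                          lost_on_b: Set[int]) -> Dict[int, bytes]:
    """Packet duplication: every packet is sent on two paths; the receiver keeps the
    first copy of each sequence number and discards the duplicate, so a packet is
    only lost when both copies are lost."""
    delivered: Dict[int, bytes] = {}
    for seq, payload in enumerate(packets):
        for lost in (lost_on_a, lost_on_b):
            if seq not in lost and seq not in delivered:
                delivered[seq] = payload
    return delivered


def jitter_buffer(arrivals: List[Tuple[int, bytes]], depth: int) -> List[int]:
    """Jitter buffer: hold up to `depth` packets and always release the lowest
    sequence number first, so out-of-order arrivals are played out in order.
    Returns the play-out order; depth 0 means no buffering."""
    held: Dict[int, bytes] = {}
    played: List[int] = []
    for seq, payload in arrivals:
        held[seq] = payload
        if len(held) > depth:
            first = min(held)
            played.append(first)
            del held[first]
    played.extend(sorted(held))  # flush whatever is left at end of stream
    return played


if __name__ == "__main__":
    block = [b"aaaa", b"bbbb", b"cccc", b"dddd"]
    parity = fec_encode(block)
    got = {0: block[0], 1: block[1], 3: block[3]}  # packet 2 lost in transit
    print("FEC recovered packet 2:", fec_recover(got, parity, 4)[2])
    print("FEC with two losses:", fec_recover({0: block[0], 3: block[3]}, parity, 4))
    pkts = [b"p0", b"p1", b"p2", b"p3", b"p4"]
    print("duplication delivered:", sorted(duplicate_and_receive(pkts, {1, 3}, {3, 4})))
    arrivals = [(0, b""), (1, b""), (3, b""), (2, b""), (4, b"")]
    print("no buffer:", jitter_buffer(arrivals, 0), "depth 2:", jitter_buffer(arrivals, 2))
```

The trade-offs a sales engineer should be able to explain show up directly: FEC costs extra bandwidth per block and repairs only one loss per block, duplication doubles the bytes sent in exchange for surviving a loss on either path, and a jitter buffer trades a small fixed delay for in-order playback, which is why it suits voice and video but adds nothing for a bulk file transfer.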
3. Security
When it comes to security strategies, a one-size-fits-all approach doesn’t work, and you won’t get all the answers in a short blog post, but I can guide you to a good first step. When evaluating an SD-WAN security platform, it is best to understand the security enhancements at the transport level. The SD-WAN platform may have a built-in firewall, SASE, CASB, or unified threat management (UTM) engines; however, so do most enterprise firewalls on the market. If your SD-WAN platform provider is working too hard at showing shiny UTM features that are traditionally found outside of SD-WAN, they may not have a compelling transport security story. UTM security is important, but often the reverse occurs: the focus on UTM-based security is heavy and transport security is ignored. You should strive for a clear understanding of which enhancements are traditionally not affiliated with firewalls as part of your evaluation.
These are some questions you can ask:
1) Can the platform detect tunnel or data manipulation and revoke encryption certificates?
2) Are the encryption keys different, dynamic, and unique for different tunnels?
3) Where are those keys and what happens if someone gains access to them?
4) What protections are there for “man in the middle” attacks?
These are transport security topics that are often left out of SD-WAN platform discussions.
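To give those questions something concrete to compare vendor answers against, here is a small illustration added to this article (not MetTel’s or any vendor’s tunnel protocol) of what “different, dynamic, unique” per-tunnel keys and tamper detection look like in practice. It derives one key per endpoint pair and per rotation epoch with HKDF over HMAC-SHA256, authenticates each frame with an HMAC tag, and rejects frames whose tag fails or whose sequence number does not move forward. The master secret, salt and tunnel identifiers are constructed values, and payload encryption is deliberately left out so the integrity and key-separation points stand on their own.

```python
"""Per-tunnel key derivation and tamper detection, illustrating questions 1, 2 and 4.

Constructed example: the master secret, tunnel identifiers and salt are made up,
and the framing is a teaching model, not any vendor's tunnel protocol. Only
HMAC-SHA256 from the standard library is used, so this shows the integrity half
of transport security and leaves payload encryption out.
"""
import hashlib
import hmac
from typing import List, Optional, Tuple

TAG_LEN = 32  # HMAC-SHA256 output
SEQ_LEN = 8   # sequence number width in the frame header


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): condense input keying material into a PRK."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Expand (RFC 5869): derive `length` bytes bound to `info`."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def tunnel_key(master_secret: bytes, local_id: bytes, remote_id: bytes, epoch: int) -> bytes:
    """One key per endpoint pair and per rotation epoch.

    Binding both endpoint identities and the epoch into `info` means no two tunnels
    share a key, and each rotation yields an unrelated key (question 2)."""
    prk = hkdf_extract(b"constructed-salt", master_secret)
    info = b"sdwan-tunnel|" + local_id + b"|" + remote_id + b"|" + epoch.to_bytes(4, "big")
    return hkdf_expand(prk, info)


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Frame = sequence number || payload || HMAC over both."""
    header = seq.to_bytes(SEQ_LEN, "big")
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify(key: bytes, frame: bytes, last_seq: int) -> Optional[Tuple[int, bytes]]:
    """Accept a frame only if its tag verifies under this tunnel's key and its
    sequence number moves forward. Returns (seq, payload), or None when the frame
    was modified in transit, sent under another tunnel's key, or replayed
    (questions 1 and 4)."""
    if len(frame) < SEQ_LEN + TAG_LEN:
        return None
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # data or tunnel manipulation detected
    seq = int.from_bytes(body[:SEQ_LEN], "big")
    if seq <= last_seq:
        return None  # replayed frame
    return seq, body[SEQ_LEN:]


def all_distinct(keys: List[bytes]) -> bool:
    return len(set(keys)) == len(keys)


if __name__ == "__main__":
    master = b"constructed-master-secret-32-bytes-long!"
    k_branch1 = tunnel_key(master, b"hq", b"branch-1", epoch=1)
    k_branch2 = tunnel_key(master, b"hq", b"branch-2", epoch=1)
    k_rotated = tunnel_key(master, b"hq", b"branch-1", epoch=2)
    print("keys unique across tunnels and epochs:", all_distinct([k_branch1, k_branch2, k_rotated]))
    frame = protect(k_branch1, 7, b"hello")
    print("good frame:", verify(k_branch1, frame, last_seq=6))
    print("tampered frame:", verify(k_branch1, frame[:8] + b"jello" + frame[13:], 6))
    print("other tunnel's key:", verify(k_branch2, frame, 6))
    print("replayed frame:", verify(k_branch1, frame, last_seq=7))
```

Question 3 is answered by where `master` lives rather than by code: in this model every tunnel key is derivable from it, so the answer you want from a vendor is that the long-term secret sits in a hardware-backed store on the appliance, per-tunnel keys are derived and rotated from it, and exposure of one tunnel key reveals nothing about the others.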
Straight to the Point: Of course, security should come first when it comes to enterprise networks. If your security posture is already built and in production, then it is an easy conversation to evaluate SD-WAN platforms and have Sales Engineers provide exact details on how their platform will integrate with and enhance your existing strategy. If you are taking the opportunity during a digital transformation to include both security and SD-WAN, start with security. Without listing any SD-WAN components, build the blueprints for what your security will look like when fully implemented. Once that is in place, you can then work to understand how the SD-WAN platform (or engine) will integrate with and enhance your security vision, just as you would if the security posture were in production. When doing that exercise, use traditional networking with routers as your baseline and let the SD-WAN platform experts show you how they can enhance that security posture without compromising your security team’s vision. This is the best method for evaluation. Note that I used the phrase “compromising your security team’s vision.” When it comes to security, this methodology can help guide your security teams from their starting point and move at everyone’s pace to make sure nothing was forgotten or missed. Security is always mission-critical.
If you have questions, comments, require clarifications or would like to learn more about some of the enterprise SD-WAN deployments that MetTel has enabled, you can solicit further information directly from Zachary at his Straight to the Point blog email at STTP@mettel.net.