When I studied for my CCDE, I had the good fortune of receiving mentoring from Russ White. Something he taught me, that I really took to heart, is that in every design and choice you make, there is a tradeoff.
If you haven’t found the tradeoff, you haven’t looked hard enough.
From a SD-WAN perspective, in selecting your vendor of choice, what does that mean?
SD-WAN vendors, for a loose definition of SD-WAN, come mainly from three different camps:
- Router vendor
- Firewall vendor
- WAN optimization vendor
There are also vendors that were born in the SD-WAN era and have no previous background.
Cisco of course, through the acquisition of Viptela, bought a company that was very strong in routing, control- and data plane design. A solution designed by Architects/Engineers with profound experience of large scale networking, from large enterprises and service providers. Viptela was born in the SD-WAN era, with no legacy platforms or products to take into consideration. With the background of Viptela, this means that this is a SD-WAN product where the main strength is on routing, separation of control- and data plane, and the flexibility of the product. Other vendors with the same background will also likely have their main strength in the routing side of things. These products often have security features as well. However, they are often more basic than what the firewall vendors can offer. It may also have a larger impact to performance, than when using a firewall to do things like IDS/IPS.
Firewall vendors, such as Fortinet, come from a security background. These are companies that don’t have the same background and experience of large scale routing and designing protocols. The firewall vendors aren’t very strong on routing and separation of control- and data plane. In fact, many of these solutions are just IPSec tunnels with a sprinkle of IP SLA on top. Some of them also use DMVPN-like technologies. These are all 15 year plus old technologies. While these companies are weaker on the routing side, where they excel is on the security side, considering that is their background. This means they probably have a decent DPI engine, they have features such as access lists, IDS/IPS, TLS inspection, antivirus scanning and so on. If your main focus is security, these products are compelling. Keep in mind though, a product that wasn’t designed to have a separated control- and data plane from the beginning, will never become that product during the lifetime of the product. That is, you lose a lot of flexibility here. Also keep in mind that more than 70% of all traffic today is encrypted. TLS 1.3 makes it more difficult to inspect traffic as well.
Then we also have companies such as Silverpeak, Riverbed, Citrix that came from a WAN optimization background. These companies have a lot of experience of optimizing WAN traffic, which is a dying technology, but that also means they a lot of application experience. From a product like this, I would expect a good DPI engine, that the product can do fancy things with the packets such as load balancing, sending duplicate packets, measuring application- and user experience. In the end, it’s about providing a good user experience and these companies should be well versed in that domain. They are likely not as strong on the routing side though. Also be aware, like I mentioned before, that almost all traffic today is encrypted. This makes it more difficult to do intelligent things with packets and look into the payload of the packets.
When you pick your vendor, you are not going to find one that is the best at routing, best at security, and best at optimizing user experience. This is because the vendors have to make design tradeoffs when creating their products. You can’t be the best at everything, because you can’t design a cost effective product that way. When you buy a car, you can’t get one that is both the safest, has the best acceleration, and fits 10 people. There’s always a tradeoff.
What is the most important to your business? Is it being flexible? Is it having the most security features? Or is it have a nice GUI where you can see the effect of your SD-WAN product? Whatever you choose, keep in mind that a product that is not SDN now, will not be SDN later.