Yet Another Threat to VPNs as We Know Them!

The attack on MPLS VPNs seems to be expanding. SD-WAN, originally conceptualized as an extension strategy for small sites, has been quietly growing more toward MPLS replacement. Now we have a new offering that combines SD-WAN with a backbone network to create an MPLS replacement. In fact, this is the second such offering that I’m aware of, so the trend is worth reviewing, particularly since it creates another possible competitor for telcos’ embattled MPLS services.

Business data services have become a bit of a floating-deck-chair-for-Titanic-survivor thing as far as telcos are concerned. Residential broadband’s profit per bit is in the toilet, and there’s little chance for improvement. Businesses’ current VPN services are the CFO’s delight of the moment, and nearly all enhanced services an operator might offer are also credible only to business. No wonder there’s a growing fear that competitors are going to eat both pies.

The growing competitive situation with regard to SD-WAN and VPNs is similar to the recent risk that cloud providers pose, something I blogged about only yesterday. In this case, you take an edge element, SD-WAN, and combine it with a backbone network other than the public Internet. This is actually something that Cato Networks has done for a while now, but of course they’re a startup, whereas the Cloudflare Magic WAN service involves some big-name players, and that may be critical for the combination of SD-WAN and non-Internet backbone to succeed.

The standard way for SD-WAN to provide connectivity has always been through the public Internet, which is pervasive and cheap. The problem is that the Internet is also a hotbed of hacking in various forms, as well as a best-effort service with no QoS guarantees. Both Cato and Cloudflare are banking on a private backbone to resolve those problems, which is also what Microsoft is doing with its Azure cloud network expansion. A private backbone shrinks the attack surface and gives the provider something it can actually enforce QoS on, though the SD-WAN tunnels still need to be encrypted end to end; the backbone operator sits in the path and its other customers share the same network. The personality of the service is created on premises, so what we’re seeing is proof that most of the “service” is really the edge.

For managed services, some credible backbone strategy is critical even if its features are largely invisible. Managed services depend on service level agreements (SLAs), and it’s hard to write one if you can’t provide any QoS at the network level and have no control over network status or behavior. However, companies are almost universally betting their customer relationships on the Internet, and since COVID they have expanded that bet with WFH, which uses the Internet as well. Attitudes toward what SLAs a managed service actually needs are slowly changing, for sure.

It hasn’t changed yet, though. Businesses are still reluctant to bet major-site connectivity on the Internet (though that’s changing too, just slowly), and it’s this reluctance that these SD-WAN-plus-backbone offerings are exploiting, to the detriment of MPLS. It’s not provably a runaway trend yet; Cato, the longest-standing player, is private, so we don’t have revenue numbers from them, but their total valuation is over a billion dollars. Cloudflare could push things faster; it’s publicly traded (NYSE) and its 2020 revenues were over $400 million.

The prospect of an explosion in SD-WAN-plus-backbone stuff isn’t just a threat to the operators, either. SD-WAN has been increasingly competitive, which means that more features are getting glued onto it in various ways. It’s also interesting that both Cato and Cloudflare are positioning their offerings around the analyst-beloved new product category of Secure Access Service Edge (SASE). This, as it happens, only multiplies the risk to network vendors.

Anything that undermines MPLS undermines network vendors, because operator sales of MPLS services create a revenue stream that justifies router purchases. The growth of SD-WAN could significantly reduce the business service revenue stream in and of itself, and if SD-WAN is combined with a private backbone, it could pull even more MPLS traffic away.

Then there’s the SASE dimension. Network vendors have made a lot of money on glue-on security, meaning firewalls, gateways and inspection appliances bolted onto connectivity that is itself untrusted. How much of that is at risk if there’s a level of intrinsic security created by a VPN or by zero-trust session awareness? Intrinsic here means security that comes with the connectivity itself: traffic that never transits the public Internet, and sessions that are authenticated and authorized individually rather than trusted because they arrive from inside the perimeter. You could argue that the whole concept of SASE was promoted in part by network vendors’ desire to bundle glue-on security into a new SD-WAN-created service edge, making it seem less likely that SD-WAN evolution would impact the old security model. Both Cato and Cloudflare, though, have adopted the SASE term for their offerings, and Cato at least has provided a level of intrinsic security all along. Does this then threaten SASE as the vendors’ security defense?

Both these factors may explain why traditional network vendors have been slow to fully exploit the virtual-network trend, and have largely ignored the SD-WAN-plus-backbone opportunity. Juniper seems to have at least some ambition there with session-smart routing, which brings zero-trust security to the network, but they’ve been cautious with positioning it. They do have a pretty active security business, after all.

The problem all the doubters of the concept face is that it might well become a populist revolution. Any MSP with a decent SD-WAN tool and access to backbone capacity could enter this space and carve out a credible position. If enough of them try that, it could be enough to force the big telcos to introduce their own offerings, on the sound theory that it’s better to self-cannibalize than to be cannibalized by others. If any major operator gets really serious about an MPLS alternative approach, it would make it very difficult for other operators to hold back.

Why should anybody be holding back? You would think that the SD-WAN-backbone option would let operators create VPNs at a lower cost, which could help them boost profit per bit. The additional features that could be added would be another potential revenue boost, and of course the whole thing could end up evolving into a form of network-as-a-service (NaaS), which is how Cloudflare classifies its new service. So, what’s not to like?

Change, essentially. The problem with virtual networking, SD-WAN, and NaaS is that any of them could shake up the concept of services, and the set of viable players in the space. The fact that we’re seeing people offer assured-quality-of-service VPNs using SD-WAN technology is an indicator that the space would be accessible to many new competitors. It’s further pressure on the traditional network operators, at a time when they don’t need it.

The space to watch now is mobile networks and services in general, 5G and wireline/wireless convergence in particular. All these SD-WAN service offerings are business services and exploit wireline connectivity. If that becomes less profitable, then wireless is pretty much the only game in town, and we know that open-model 5G is already a target for the public cloud providers. Spectrum license fees will likely constrain competition in the wireless space for a time, but even if operators don’t have “new competitors” in 5G, they are almost certainly going to have new partners, in no small part because the operators have failed to account for the growing importance of hosted control-plane features, and have no plans to do the hosting themselves. If open-model 5G proceeds as it has been, things could get very difficult for the traditional telcos and even cable companies over time.