The SD-WAN Wars are Coming

This is going to be a year of great change in networking, which means both great opportunities and great risks. In particular, we really seem to be setting up for a major shift in the virtual networking and SD-WAN space. The question, as it often is, is what exactly we’re going to be fighting over, and who’s going to take what critical positioning steps to grab control of the new situation.

SD-WAN is already hot, and its fundamental value proposition, lower-cost VPNs, is getting hotter. As I noted last week, a major improvement in consumer broadband technology drives the cost of high-speed Internet connectivity down. That makes SD-WAN more attractive than MPLS VPNs, cost-wise at least. SD-WAN as a VPN extension, or even a VPN replacement, is essentially old news here, but if the economies of consumer broadband drive more businesses to reconsider IP VPNs even where they’re available, the technology could get a boost.

Even with a boost, though, differentiation is the key to success in sales, which means that SD-WAN vendors have to push beyond the obvious. I’ll illustrate what I think is happening with three references, below.

One place they’ve been pushing is undergoing its own revolution—the cloud. Even before COVID, there was growing enterprise interest in creating Internet-based portals for customers and partners, and when WFH was added in 2020, we saw a major upswing in the use of the Internet as an employee empowerment tool. The cloud was the primary vehicle enterprises used to create portals to their legacy applications, and that’s been (and will remain) the primary driver of enterprise cloud commitment. SD-WAN, in software form, can create a direct-to-cloud connection just as it can support a thin-site connection.

This could be critical for a number of reasons, not the least being that while cloud providers are now starting to offer VPN-like services for enterprises’ cloud-hosted elements, these aren’t helpful in multi-cloud because they’re cloud-specific. On the other hand, an SD-WAN could link the cloud to the VPN, whatever cloud we’re talking about, and could also link branch offices and other remote sites, even home workers. Cloud connectivity is already recognized as a new SD-WAN driver, but it’s going to get a lot more recognized this year.

Then, of course, there’s security. The first of the three sources I promised to cite, from VentureBeat, is about what should have been the security focus all along, zero trust. I’d love to say that this piece frames the future of security, and the relationship between it and SD-WAN, but it totally misses the mark. The story doesn’t even talk about the real zero-trust model, which has to be based on substituting explicit connection permission for IP networks’ traditional promiscuous connectivity.

Like any term that gets media attention, zero-trust has gotten expanded to the point where it’s about almost anything and everything related to security. That’s probably largely due to the fact that software vendors and network vendors with established security portfolios aren’t particularly interested in seeing their business impacted by something new, but the fact is that the “trust” that we’re talking about in zero-trust is about trust in connectivity.

IP networks are inherently promiscuous in terms of connectivity, meaning that if you don’t want some connections to be made, you have to do something to block them. Traditionally that blocking has evolved into an endpoint feature, a “firewall” that stands between a user or application and the wide and evil world. However, once you decide that you’re going to create a higher-layer network service, as virtual networking and SD-WAN do, you have a chance to define connection rights there.

Back in 2019, I did a short report on SD-WAN, and in the report, I made the point that the number one requirement for SD-WAN was session awareness, meaning the ability of the software to recognize users and applications, and the network relationships (sessions) between them. Session awareness means that an SD-WAN can control what sessions are permitted, and that’s what I’ve believed from the first is the foundation not only of zero-trust security, but of security overall.

It’s possible to introduce something like session awareness via an expanded definition of a firewall, but that approach has challenges. Firewalls are per-packet elements; they look at packet headers to decide what to admit and what to reject. Making them aware of the full list of “allowed” IP addresses and ports, and worse, the list of ones not allowed, would make them impossibly complex and introduce significant latency on every packet. You need to introduce session awareness at the connection level, where the permission check is made once per session rather than once per packet, and manage the overhead there.
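To make the difference concrete, here is an added example (mine, not code from the post or from any SD-WAN vendor) of the two admission models side by side: a per-packet 5-tuple filter that evaluates its rule list on every packet, and a session-aware edge that maps the first packet of a flow to a (user, application) pair, checks it against a default-deny permission list, and thereafter admits packets of that session with a single table lookup. The identity maps, the policy entries and the packet stream are all constructed for the illustration; a real deployment would take user and application identity from an identity provider and device posture rather than from addresses alone.

```python
"""Explicit connection permission (session-aware) vs. per-packet filtering.

Added illustration, not from the original post. Assumptions (hypothetical):
USERS/APPS map addresses to identities, POLICY is a default-deny allow-list
of (user, application) pairs, and a TCP SYN or first UDP packet opens a session.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str          # "tcp" or "udp"
    syn: bool = False   # TCP SYN marks the start of a session


# Constructed identity mappings (hypothetical values).
USERS: Dict[str, str] = {"10.1.1.10": "alice", "10.1.1.11": "bob"}
APPS: Dict[Tuple[str, int], str] = {("10.2.0.5", 443): "crm", ("10.2.0.7", 5432): "crm-db"}

# Explicit connection permission: anything not listed is denied.
POLICY: Set[Tuple[str, str]] = {("alice", "crm"), ("bob", "crm")}


class SessionAwareEdge:
    """Policy is evaluated once, when a session opens; later packets hit the session table."""

    def __init__(self, policy: Set[Tuple[str, str]]):
        self.policy = policy
        self.sessions: Dict[Tuple[str, str, int, str], str] = {}
        self.policy_evaluations = 0

    @staticmethod
    def _key(p: Packet) -> Tuple[str, str, int, str]:
        return (p.src_ip, p.dst_ip, p.dst_port, p.proto)

    def admit(self, p: Packet) -> bool:
        key = self._key(p)
        if key in self.sessions:           # fast path: established session
            return True
        if p.proto == "tcp" and not p.syn:  # mid-stream packet with no session: drop
            return False
        self.policy_evaluations += 1        # slow path: runs once per new session
        user = USERS.get(p.src_ip)
        app = APPS.get((p.dst_ip, p.dst_port))
        if user is None or app is None or (user, app) not in self.policy:
            return False
        self.sessions[key] = f"{user}->{app}"
        return True


def per_packet_firewall(packets: List[Packet], rules) -> Tuple[List[bool], int]:
    """Classic 5-tuple allow-list: the rule list is walked for every packet."""
    verdicts, evaluations = [], 0
    for p in packets:
        evaluations += 1
        verdicts.append(any(p.src_ip == s and p.dst_ip == d and p.dst_port == port and p.proto == pr
                            for s, d, port, pr in rules))
    return verdicts, evaluations


def session_aware(packets: List[Packet]) -> Tuple[List[bool], int]:
    edge = SessionAwareEdge(POLICY)
    return [edge.admit(p) for p in packets], edge.policy_evaluations


# Constructed packet stream (hypothetical addresses).
PACKETS = [
    Packet("10.1.1.10", "10.2.0.5", 443, "tcp", syn=True),   # alice -> crm: permitted
    Packet("10.1.1.10", "10.2.0.5", 443, "tcp"),             # same session: table hit
    Packet("10.1.1.10", "10.2.0.5", 443, "tcp"),
    Packet("10.1.1.11", "10.2.0.7", 5432, "tcp", syn=True),  # bob -> crm-db: not permitted
    Packet("10.1.1.11", "10.2.0.7", 5432, "tcp"),            # no session: dropped, no policy cost
    Packet("10.1.1.99", "10.2.0.5", 443, "tcp", syn=True),   # unknown user: denied
]
RULES = [("10.1.1.10", "10.2.0.5", 443, "tcp")]

if __name__ == "__main__":
    print("firewall     :", per_packet_firewall(PACKETS, RULES))
    print("session-aware:", session_aware(PACKETS))
```

Both models admit the same packets from this stream, but the firewall evaluates its rules six times while the session-aware edge evaluates policy three times (once per attempted session) and never sees a user or an application at all; the address-based rule would keep admitting whoever next holds 10.1.1.10.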

I know of only two companies in the SD-WAN space that even claim any level of session awareness, and that hasn’t changed for several years. If there were a realization of the security side of SD-WAN, the connection with zero trust, you’d expect to see SD-WAN vendors adding the features to their own products. They haven’t; they’ve only band-aided the concept and fuzzied it up with a loose link to firewalls.

What are vendors doing? That’s the target of my second reference. Cisco is of course the gorilla of network equipment, and they’ve recently announced a link between SD-WAN and their WebEx collaboration. This is consistent with recent announcements that have linked their SD-WAN to cloud and multi-cloud. The Cisco drive is sales-friendly and tactical, but it doesn’t reflect any Cisco awareness of a seismic shift in SD-WAN and virtual networking. Yes, as I’ve noted many times, Cisco likes to be a “fast follower”, but it seems to me that their recent announcements epitomize “follower” more than “fast”.

Cisco isn’t going to drive an SD-WAN or virtual-network revolution. Like most SD-WAN players, they’re committed to simple changes to their base technology, which means that even a strong cloud position is a bit of work. Security? Forget it; they’re well behind the positioning of other SD-WAN providers.

Including arch-rival Juniper. Juniper’s acquisition of 128 Technology gave them a major edge in the technology of SD-WAN and the implementation of a true zero-trust model. Their most recent announcement on SD-WAN, the third of my references, linked their “Session Smart Routing” (128 Technology) approach with Mist management, which not only simplifies operations for the typically small-to-fringe SD-WAN sites where local support is likely unavailable, but also makes their solution more attractive as a managed service. MSPs are a major conduit for SD-WAN sales, and the operational benefits of Mist would also make the Juniper strategy just as attractive to network operators.

One way or the other, SD-WAN is going to grow significantly. As it does, it’s inevitable that the market looks further and harder for differentiation, particularly when what looks like it might be developing is a true shift from a limited SD-WAN position to a much more interesting and important virtual-network positioning. The improvements in FWA and fiber broadband are priming the pump now, but it’s going to be the cloud and security that deliver buckets of opportunity. You can bet that these areas will be getting a lot of attention in 2022, but buyers will need to beware of the tendency of vendors to position old technology to address new missions. Vendors will need to start thinking about making real enhancements to some creaky old offerings, because things will get real, and very quickly, in the SD-WAN wars.