Trend Report

SD-WAN Trends
Reshaping the WAN, the Remote Office, WAN Management and WAN Security

Innovation Research Team
11/16/2016

Disclaimer – This document has been prepared solely for Trace3's internal research purposes without any commitment or responsibility on our part. Trace3 accepts no liability for any direct or consequential loss arising from the transmission of this information to third parties. This report is current at the date of writing only and Trace3 will not be responsible for informing of any future changes in circumstances which may affect the accuracy of the information contained in this report. Trace3 does not offer or hold itself out as offering any advice relating to investment, future performance or market acceptance.

© 2016 Trace3, Inc. All Rights Reserved


This trend report looks at how today's solutions are reshaping traditional WANs and was conducted from the customer's point of view, gathering feedback from actual users, field engineers, published material and direct product demonstrations. It analyzes each solution's ability to deliver the 26 use cases found to be most critical to customer purchasing decisions [8]. These use cases can be categorized into four groups based upon how the solution reshapes:

• The Remote/Branch Office
• WAN Management
• WAN Security
• The WAN Itself

This study selected six of the leading SD-WAN solutions on the market today and the accompanying comparison matrix presents each product's capabilities to support these key use cases. This report also makes predictions of future trending and recommendations based on these predictions. This report does not delve into remote office onsite networking issues such as ROBO wireless solutions.

Executive Summary

As the SD-WAN market continues to gain momentum, so do questions on how best to select, design and deploy a solution. A barrage of new features is being introduced that improve network traffic patterns across any medium, while decreasing the time and labor needed to deploy, manage and secure the enterprise WAN. These developments have widespread implications not only on IT operations, but are also reshaping the larger business landscape in general.

Report Scope

• SD-WAN is expected to grow at a CAGR of 90% through 2020, with global annual revenues reaching $6 billion. [1]

• By the end of 2019, 30% of enterprises will use SD-WAN products in all their branches, up from <1% today. [2]

• SD-WAN is on 90% of companies' road maps. [3]

• Redundant telecommunications links connecting remote sites date back to the 1970's, with X.25 links used for remote mainframe terminal access.

• The term SD-WAN started showing up in networking publications as early as 2014. [4]

Did You Know...


Trends

Overview - The SD-WAN Landscape

It is an obvious understatement that the SD-WAN space is changing rapidly at present and therefore any report attempting to detail its nuances is doomed to instant obsolescence. Nonetheless, at present, there are four WAN technology groups providing SD-WAN solutions:

• WAN Networking - These are well established providers in the overall WAN space that are adding software defined features to their solution stacks.
• SD-WAN Pure Plays - These are developers who have built their solutions from the ground up to address the challenges of the SD-WAN space.
• WAN Optimization - These are companies with advanced optimization solutions and underlying technologies which are being adapted to handle software defined management of remote location networking.
• Content Delivery Network and WAN Security - These vendors have security-centric cloud networking solutions for remote networking and are adding software-defined features to their cloud-based solutions.

For this study, five leading SD-WAN pure-play products and one WAN Optimization platform provider were selected based on feature set and market presence:

• CloudGenix, Riverbed, Talari, Velocloud, Versa and Viptela.

We also evaluated 15 other SD-WAN solutions; however, these products are not covered here. This space is evolving rapidly and these other solutions should definitely be considered as candidates for any SD-WAN initiative. These are:

• 128 Technology, Aryaka, Bigleaf, Cato Networks, Citrix, Cradlepoint, Ecessa, Elfiq, Fatpipe, Glue Networks, Mushroom Networks, Nuage Networks, Silver Peak and Sonus Networks.

A special note on Cisco's WAN solutions: No discussion on SD-WAN would be complete without a section on the WAN market leader, Cisco. Their IWAN suite combines a transport-independent design, intelligent path control, application optimization, and secure encrypted communications between branch locations [7]. IWAN provides a highly configurable series of networking components (e.g. DMVPN, LAN/WAN/DMVPN routing schemes, PFR traffic classifications and policies, Frontend VRF and WAAS) from which to build complex network topologies requiring substantial manual customization. They also offer APIC-EM for lighter weight implementations. As such, IWAN and its components fall outside the primary evaluation feature set and will not be explored within the scope of this report. Cisco also recently introduced Meraki MX for a more turnkey solution, but due to its newness to the market it is not covered in this report. For organizations looking to implement bespoke WAN configurations, it is recommended that the Cisco suite be considered.

SD-WAN Reference Features

As today's enterprises increase their adoption of cloud applications, growing mobility and wider distribution of talent and assets, the traditional model for Wide Area Networking (WAN) becomes steadily more costly and exponentially more complex. SD-WAN solutions have emerged to reduce both WAN costs and complexity, allowing the business to be more agile, secure and easier to manage by introducing table stake features such as:

• Offering a lightweight replacement for WAN Routers
• Supporting multiple connection types (e.g., MPLS, Broadband, LTE)
• Providing secure VPNs

Some of today's SD-WAN solutions also provide advanced "nice-to-have" features such as:

• Remote office/branch office (ROBO) device reduction or elimination
• Service chaining or service insertion (e.g., integration with Zscaler)
• Cost-based/quality-based/performance-based connection selection
• Dynamic traffic steering

Typically, these features are provided by an appliance installed at each remote location that is managed and configured by a secure centralized cloud-based management console that sets access, routing and configuration policies for the entire enterprise WAN across all media types.

Reshaping the Remote Office

Branch office network solutions are increasingly complex and inflexible, as well as costly to deploy and manage. In addition, it is equally complex and difficult to obtain visibility into application performance across the hybrid WAN and to ensure applications receive appropriate prioritization and are forwarded over an appropriate WAN path.

One of the complexities involved with installation of remote or branch office connectivity is the requirement for a bevy of remote networking devices. This typically requires an IT engineer to physically travel to the remote site to install and configure all the devices. Many SD-WAN solutions seek to solve this problem with plug and play appliances that can be easily connected at the remote site by local untrained staff, after which the device automatically configures itself, a practice commonly dubbed “Zero Touch Install”.

Traditionally networked remote offices typically include a plethora of network devices such as firewalls, routers and switches, each of which requires periodic configuration, maintenance and tech refreshing. Many of today's SD-WAN solutions pack a stack of functionality into their appliances, allowing for the removal of many remote network devices and the avoidance of periodically putting an engineer on a plane. Although many SD-WAN solutions can replace numerous remote devices, they typically don’t have more advanced features built in like Next Generation Firewalls, Intrusion Prevention Systems or Anti-Malware. This can be remedied through a technique called service chaining or service insertion in which the SD-WAN appliance provides a virtual space that can host other advanced feature applications in their own VMs. Many of the SD-WAN vendors in this study have already established partnerships with various vendors to provide these advanced features out of the box.

Customers consistently request that an SD-WAN delivers six key features for their remote offices:

• Zero-Touch Install - Remote devices only require a local untrained staff member to connect power and network(s) to complete a branch install.
• Remote Device Elimination - The solution provides enough capability to eliminate other remote devices such as routers and firewalls.
• Service Chaining/Insertion - The solution provides a mechanism to chain or insert other services.
• Automated IP Address Discovery - The solution can detect a DHCP server, address itself and update the address table without human intervention.
• Brown-Out Resiliency - The solution can maintain connectivity in the event of a transient drop in connectivity or connection quality.
• MOS Scoring - The solution computes metrics that measure changes or degradation in the quality of video and voice connections as a consolidated MOS score.
• Edge Device - Describes the remote office deployment form factor.


Reshaping the WAN Management

Today's SD-WAN solutions are also reshaping the way network teams monitor and manage WAN traffic, connectivity, access and performance by transforming functions from command line configuration, point-to-point access rules and manual monitoring into a more nimble, adaptable and resilient platform. SD-WAN management solutions are typically built with four key characteristics:

• Cloud-based Management Platform - The solution manages WAN operations from secure cloud management consoles, making them accessible and controllable from anywhere and allowing availability of management functions even in the event of a loss of connectivity to, or from, the data center.
• Application Awareness - The solution is aware of what applications reside where, what connectivity they require and what access should be granted to its users or dependent systems, and allows network operators to easily adjust priority across the network to any application.
• Centralized Policy Engine - Instead of relying on a myriad of manual point-to-point configuration rules spread across a wide range of devices and locations, the solution uses its application awareness and roles-based policy engine to configure complex access topologies with only a handful of policies written with business-intelligible terms.
• Analytics & Reporting - The solution can collect key metrics and performance analytics, and give visibility to both network operations teams and security analysts as needed. The solution's application awareness also allows operators to gather voluminous data for real-time and historical reporting, eliminating the need for packet capture tools or other complex and time consuming traffic monitors.
• API Exposure - The solution exposes a RESTful API allowing it to integrate with other existing operations, network or security monitoring and management platforms, giving operations staff a "single pane of glass". It is important to note many incumbent and traditional WAN solutions have difficulties exposing their APIs to other monitoring and management platforms.
• Export to SIEM - Describes the capability to natively export logs to a Security Information Event Management (SIEM) tool.

Reshaping WAN Security

Security is of paramount importance in every IT setting. In the early days of SD-WAN, security was a noted weakness and prohibited many organizations from adoption. However, SD-WAN solutions have steadily added both fundamental and advanced security features and now integrate with technologies like Zscaler and other service chaining alternatives to provide an unprecedented suite of security layering options.

Although not as robust as a dedicated security appliance, most of today's SD-WAN platforms are delivered with enough out of the box security features for widespread use. Most solutions provide end to end encrypted tunnels on top of basic firewall capabilities and many can incorporate a host of third party security tools.

SD-WAN is also dispelling the common misconception that MPLS is completely secure while every other medium is rife with risk. However, MPLS is a shared connection and subject to the same security concerns as other media. Nonetheless, many enterprises are still worried about leakage of highly sensitive data and employ a hybrid strategy using SD-WAN to segregate sensitive traffic to MPLS in normal operations with an alternative option as failover.

Customers consistently request SD-WAN solutions deliver four key security features:

• Built-in FW Capabilities - The solution provides basic firewall rule functionality.
• Built-in IPS Capabilities - The solution provides basic Intrusion Prevention System functionality.
• AES-128 Encryption - The solution provides the Advanced Encryption Standard with a 128-bit key length.
• AES-256 Encryption - The solution provides the Advanced Encryption Standard with a 256-bit key length.
• FIPS 140-2 Certified - U.S. Government computer security standard used to accredit cryptographic modules.

Reshaping the WAN

Gone are the days of traditional WAN topologies where a hub and spoke architecture satisfies even the most advanced shops. Today, both branch offices and data centers increasingly use cloud-based applications, participate in video conferences, conduct online video training and require direct access from branch to branch. A simple point-to-point link between offices is no longer adequate.

Utilizing software to define and manage the WAN provides on-demand switching decisions in response to real-time changes in traffic demands, priority, connection quality, cost and available bandwidth. This agility is something that traditional WAN routers, routing algorithms and manual configuration have not been, and will not be, able to accomplish.

Customers consistently request this new WAN topology deliver six key features:

• MPLS Replacement - Solution allows for the replacement of one or more MPLS point-to-point connections to and between remote offices.
• Centralized Configuration - The solution makes WAN configuration changes from a centralized management console instead of on each remote device.
• Hosts Own POPs - The vendor owns a series of geographically dispersed Points of Presence (POPs) to increase performance/quality by using local cloud connections.
• Multiple Connection Types - Solution supports the use of many different media types such as LTE, MPLS or Broadband.
• Traffic Steering - The solution can dynamically steer traffic to the most optimal path, locations, functions or devices based on configurable policies.
• Support Legacy WAN Interfaces - The solution supports integration with older WAN interfaces such as E1/T1.
• OpEx/CapEx - The solution is licensed as Operational Expenses (OpEx) and/or Capital Expenses (CapEx).

SD-WAN is also changed by the WAN fabric provided by large carriers and telcos. At some point, most telcos have attempted to build their own SD-WAN solutions, primarily by layering functionality on top of Cisco IWAN.

Although there are still a few DIY stalwarts, the vast majority of carriers are abandoning internal development efforts and opting to partner with other companies covered in this report. [5] The most popular partnering choice today is clearly Velocloud, who has inked agreements with AT&T, Deutsche Telekom, Sprint, EarthLink, Vonage and MetTel. Not to be left out of the party, Versa Networks has signed with CenturyLink/Level3 and Viptela has partnered with Verizon. Other agreements are also certainly in the works.


Trace3's Take

Predictions

1. As is common in rapidly growing markets, the SD-WAN market will continue to expand both in the spend and the number of players. Trace3 expects most, if not all, CDN, WAN Security, WAN optimization, WAN monitoring and other WAN related technology companies will develop and deploy their own SD-WAN solutions in the coming year. Although it is unlikely these latecomers will be able to generate much traction against today's established players, they will provide the kindling for an inevitable consolidation phase as networking incumbents, CDNs and larger telecommunications firms acquire many of the players in the SD-WAN space. Undoubtedly a few of today's SD-WAN leaders will remain independent, but it is too early to make bets on which ones will hold out.

2. Network service providers are taking advantage of emerging SD-WAN technologies to provide the MPLS alternatives their customers demand. It is inevitable all carriers will need an SD-WAN solution and it is unlikely they will be able to develop internal solutions that can compare in cost, features or agility of the products already on the market. As such, Trace3 sees and expects to continue to see carriers abandon their own internal SD-WAN development projects and form partnerships with the SD-WAN providers already on the market. The economics of the larger telecommunications companies will also compel them to acquire SD-WAN product vendors.

3. SD-WAN killed the Optimization Star? In the past, technologies like traffic shaping, packet prioritization and other WAN optimization solutions have been developed to overcome the runaway cost of MPLS connectivity as bandwidth demands skyrocket. SD-WAN products are also targeting this very pain point and developing features to obviate this need for WAN optimization or deliver these features "out of the box". However, Trace3 does not predict that SD-WAN solutions will replace the need for WAN optimization, but they will certainly change the perception of WAN optimization as an advanced standalone product into a table stake feature of a larger WAN platform. Some WAN optimization vendors, like Riverbed, recognize this and are attempting to get ahead of this trend by developing and acquiring SD-WAN solutions and integrating their optimization solution into a new larger SD-WAN platform - a tricky proposition to be sure, but Trace3 expects this trend to continue.

4. Looking longer term, Trace3 expects to see SD-WAN solutions continue to evolve into more of an on-demand connectivity model much like other consumer products on the market today.


Recommendations

1. Although the SD-WAN space is evolving rapidly, waiting for the calm in the storm is illusory. If you have a business need for an SD-WAN solution, the benefits of immediate implementation will outweigh waiting for a plateau in product offerings.

2. MPLS replacement should not be the sole driver for transitioning from a traditional WAN topology to an SD-WAN implementation. Although the cost savings from MPLS replacement can be compelling, in the long term, savings in remote office infrastructure, centralized management and security efficiency will approach MPLS savings.

3. Professional services costs are often overlooked when pricing SD-WAN solutions, which can hide the true TCO of a solution requiring manual configuration as opposed to those that provide "out-of-the-box" implementation.

4. Failing to solidify your WAN underlay before rolling out an SD-WAN solution can become a showstopper during deployment. A full WAN assessment and remediation is highly recommended.

5. Traditional WAN solutions are typically architected so that all remote internet bound traffic runs over the WAN back to the corporate data center and out to the internet - a technique commonly dubbed 'data center backhauling'. Today's WAN must handle an increasing amount of uncompressible, un-deduplicatable, and prioritized communications such as voice and video, and so the option to send this traffic directly from the remote site to the Internet is a very compelling alternative to backhauling. Therefore, quantifying the amount of backhaul elimination is critical.

6. Conversely, while backhaul elimination is a boon for network simplification, it can present a larger attack surface that must be protected. Many advanced security tools are housed in the corporate data center. Thus, it may make sense from a security operations, management and cost perspective to have internet bound traffic flow back through the data center. A close evaluation of corporate security policies and restrictions can help determine if backhaul elimination is desirable or even possible.

7. There are three recommended methods to secure the Internet-connected branch office:
   a). Service chaining additional security appliance features. However, if these virtual appliances do not incorporate a strong central management strategy, this can be costly and arduous to manage.
   b). Service insertion of cloud-based security features. This removes the need for an appliance to be managed in the branch by providing centralized management.
   c). Integration of a hybrid approach. This provides a combination of virtual appliances and cloud-based solutions in which the onsite SD-WAN appliance provides local services but is managed by a central cloud-based solution service.

8. Finally, an SD-WAN solution should be viewed as a component of an overall WAN ecosystem that also includes WAN Optimization, WAN Security, Analytics, Networking Infrastructure and even other IT operations use cases like cloud connectivity, DR, backup and restore and copy data management.


Sources

1 - IDC - IDC Forecasts Strong Growth for Software-Defined WAN As Enterprises Seek to Optimize Their Cloud Strategies - 2016
2 - Gartner - Market Guide for Software Defined WAN - 2015
3 - Forrester - The Future of The WAN is Software-Defined - 2016
4 - Network Computing - Software-Defined WAN: A Primer - 2014
5 - Fierce Telecom - Level 3: We don’t want to release a me-too SD-WAN product - 2016
6 - QOS Consulting - Debunking Common SD-WAN Misconceptions - 2016
7 - Cisco - Intelligent WAN Technology Design Guide - 2016
8 - Open Networking Users Group - SD-WAN Working Group - 2016

Appendix

Featured Use Cases

Software-defined WAN (SD-WAN) is an approach to designing and deploying an enterprise wide area network (WAN) that uses software-defined networking (SDN) to determine the most effective way to route traffic to remote locations.

Software Defined WAN

New Hotness: VeloCloud, CloudGenix

[Figure pages; content not preserved. Page headings: SD-WAN Reference Features; Overview - The SD-WAN Landscape; Reshaping the WAN Management; Reshaping the Remote Office; Reshaping the WAN; Reshaping WAN Security]

(end of report)