Sunday, June 26, 2016

Blueprint: Why SD-WAN Cannot Solve for the MPLS Conundrum

by Gur Shatz, Co-Founder and CTO, Cato Networks

Software-defined infrastructure has firmly gained traction in public and private data centers and clouds, because of its game-changing nature: It has virtualized the server, giving it scalable capacity on demand at a fraction of the cost of its hardware counterpart. And what software-defined did for the server and storage markets, it is bound to do for the network, too.

Initial advances in software-defined networking include SD-WAN, which is poised to grow from $225 million in 2015 to $6 billion by 2020, according to IDC. Yet SD-WAN has not fully cracked the network performance and security conundrum. SD-WAN still relies on MPLS links to ensure low-latency connectivity, and its use of the Internet is mostly for WAN backhauling, which doesn’t fully address the need for secure Internet and cloud access. This points to the need for a new software-defined approach that firmly binds network and security as one, and which frees up valuable networking resources.

Why SD-WAN Is Not Enough

The promise of SD-WAN lies in providing standard, low-cost Internet connections to supplement managed, low-latency, yet expensive MPLS with its guaranteed capacity. However, a survey of network security professionals found that one-third cited latency between locations as their biggest network security challenge, and a quarter cited direct Internet access from remote locations.[1]

SD-WAN, while taking some of the network performance issues and costs out, cannot fully provide the game-changing impact of true software-defined infrastructure; it is primarily a networking technology, not a security solution. For SD-WAN to be a viable solution for today’s hybrid networks, it needs to be secured in a way MPLS is not. Because MPLS is a private network, companies have not needed to encrypt MPLS traffic, and MPLS networks are often left unencrypted; SD-WAN, which carries traffic over Internet links, cannot forgo encryption – a new problem for most network teams. Furthermore, SD-WAN has no impact on enabling direct Internet access – for example, at the branch level – without adding third-party security solutions. It requires investment in core security capabilities, such as app control, URL filtering, next-generation firewalls, and cloud access control (among others) – all of which add costs and management complexity right back into the enterprise.

SD-WAN++

SD-WAN tackles the legacy enterprise WAN: branches and datacenters. It adds Internet links to the MPLS-based WAN, but must continue to rely on MPLS for low-latency connectivity. This limits its impact. A contemporary WAN design should integrate, in addition to physical locations, mobile users and public cloud infrastructure. It should enable low-latency connectivity on a global basis to ensure a consistent user experience, even if MPLS is not used. And it should include an integrated security stack to protect WAN and Internet-bound traffic to public cloud applications (SaaS) for all network users. To truly evolve the network, today’s IT leaders need a new simple, scalable and secure solution that binds a global network and built-in security. Such a unified, software-defined solution could enforce policies for all users and locations, with access to all data, in a way that reduces complexity and management overhead.

Effectively, such a system becomes the real solution to the MPLS conundrum: it optimizes performance and latency and enables enterprise-grade security, creating the true hybrid network of the future – today.

About the Author

Gur is co-founder and CTO of Cato Networks. Prior to Cato Networks, he was the co-founder and CEO of Incapsula Inc., a cloud-based web application security and acceleration company. Before Incapsula, Gur was Director of Product Development, Vice President of Engineering and Vice President of Products at Imperva, a web application security and data security company.
Gur holds a BSc in Computer Science from Tel Aviv College.

About Cato Networks

Cato Networks is rethinking network security from the ground up and into the cloud. Cato has developed a new Network Security as a Service (NSaaS) platform that is changing the way network security is delivered, managed, and evolved for the distributed, cloud-centric, and mobile-first enterprise. Based in Tel Aviv, Israel, Cato Networks was founded in 2015 by cybersecurity luminary Shlomo Kramer, who previously cofounded Check Point Software Technologies and Imperva, and Gur Shatz, who previously cofounded Incapsula. Cato Networks is backed by Aspect Ventures and U.S. Venture Partners. For more information, visit http://www.catonetworks.com/.

[1] Based on feedback from 70+ network professionals who took part in “MPLS, SD-WAN and Cloud Networks: The path to a better, secure and more affordable WAN," May 18, 2016.