Sunday, June 26, 2016

Blueprint: Why SD-WAN Cannot Solve for the MPLS Conundrum

by Gur Shatz, Co-Founder and CTO, Cato Networks

Software-defined infrastructure has firmly gained traction in public and private data centers and clouds, because of its game-changing nature: It has virtualized the server, giving it scalable capacity on demand at a fraction of the cost of its hardware counterpart. And what software-defined did for the server and storage markets, it is bound to do for the network, too.

Initial advances in software-defined networking include SD-WAN, which IDC projects will grow from $225 million in 2015 to $6 billion by 2020. Yet SD-WAN has not fully cracked the network performance and security conundrum. It still relies on MPLS links for low-latency connectivity, uses the Internet mostly for WAN backhauling, and does not fully address the need for secure Internet and cloud access. This points to the need for a new software-defined approach that firmly binds network and security as one, and which frees up valuable networking resources.

Why SD-WAN Is Not Enough

The promise of SD-WAN lies in supplementing managed, low-latency, guaranteed-capacity, yet expensive MPLS with standard, low-cost Internet connections. However, a survey of network security professionals found that one-third cited latency between locations as their biggest network security challenge, and a quarter cited direct Internet access from remote locations.[1]

SD-WAN, while taking some of the network performance issues and costs out, cannot fully deliver the game-changing impact of true software-defined infrastructure: it is primarily a networking technology, not a security solution. For SD-WAN to be a viable solution for today's hybrid networks, it needs to be secured in a way MPLS never had to be. MPLS is a private network whose isolation rests on the carrier's traffic separation rather than on cryptography, so companies rarely bothered to encrypt MPLS traffic. SD-WAN, which carries traffic over the public Internet, cannot forgo encryption (nor the tunnel authentication and key management that come with it), a new problem for most network teams. Furthermore, SD-WAN does nothing to enable direct Internet access, for example at the branch level, without adding third-party security solutions. It requires investment in core security capabilities, such as application control, URL filtering, next-generation firewalls, and cloud access control (among others), all of which add costs and management complexity right back into the enterprise.

SD-WAN++

SD-WAN tackles the legacy enterprise WAN: branches and datacenters. It adds Internet links to the MPLS-based WAN, but must continue to rely on MPLS for low-latency connectivity, which limits its impact. A contemporary WAN design should integrate mobile users and public cloud infrastructure in addition to physical locations. It should enable low-latency connectivity on a global basis to ensure a consistent user experience, even where MPLS is not used. And it should include an integrated security stack that protects both WAN traffic and Internet-bound traffic to public cloud applications (SaaS) for all network users. To truly evolve the network, today's IT leaders need a simple, scalable and secure solution that binds a global network and built-in security. Such a unified, software-defined solution could enforce policies for all users and locations, with access to all data, in a way that reduces complexity and management overhead.

Effectively, such a system becomes the real solution to the MPLS conundrum: it optimizes performance and latency and enables enterprise-grade security, creating the true hybrid network of the future, today.

About the Author

Gur is co-founder and CTO of Cato Networks. Prior to Cato Networks, he was the co-founder and CEO of Incapsula Inc., a cloud-based web application security and acceleration company. Before Incapsula, Gur was Director of Product Development, Vice President of Engineering and Vice President of Products at Imperva, a web application security and data security company.
Gur holds a BSc in Computer Science from Tel Aviv College.

About Cato Networks

Cato Networks is rethinking network security from the ground up and into the cloud. Cato has developed a new Network Security as a Service (NSaaS) platform that is changing the way network security is delivered, managed, and evolved for the distributed, cloud-centric, and mobile-first enterprise. Based in Tel Aviv, Israel, Cato Networks was founded in 2015 by cybersecurity luminary Shlomo Kramer, who previously cofounded Check Point Software Technologies and Imperva, and Gur Shatz, who previously cofounded Incapsula. Cato Networks is backed by Aspect Ventures and U.S. Venture Partners. For more information, visit http://www.catonetworks.com/.




[1] Based on feedback from 70+ network professionals who took part in “MPLS, SD-WAN and Cloud Networks: The path to a better, secure and more affordable WAN," May 18, 2016.


Ayla Networks Raises $39 Million for IoT Platform

Ayla Networks, a start-up based in Santa Clara, California, announced $39 million in Series C funding to propel its global Internet of Things (IoT) platform for manufacturers.

Ayla's end-to-end software, offered as a Platform-as-a-Service, runs across devices, the cloud, and applications to provide secure connectivity, data analytics, and feature-rich user experiences for its manufacturer customers as well as end consumers. The company has now established IoT clouds in North America, China and Europe.

The company said its IoT platform is gaining traction with manufacturers in many markets, including home appliances, residential and commercial HVAC (heating, ventilation, air conditioning) systems, water heaters, water softeners, and home fire and safety products. During the past year, the company has announced new or expanded relationships with manufacturing customers that include Changhong, Dimplex, Fujitsu General, Hampton Brinks, Hunter Fan, Kidde, LockState, Ozner, TCL and United Technologies Electronic Controls (UTEC).

The Series C financing round was led by Ants Capital, a boutique investment bank based in China, and co-led by 3NOD, a leading original design manufacturer (ODM) of smart lifestyle products, and was joined by new investors Mitsui and Acorn Pacific. Existing Ayla investors Cisco Investments, Crosslink Capital, International Finance Corp. (IFC, a division of World Bank Group), Linear Venture, SAIF Partners/Oriza Ventures, SJF Ventures and Voyager Capital also reinvested in this round.

http://www.aylanetworks.com

Big Switch Rolls Out Big Enhancements for SDN

Big Switch Networks rolled out significant updates to its SDN-based Big Monitoring Fabric and Big Cloud Fabric solutions. The enhancements target use cases in security monitoring, network function virtualization (NFV) and IP storage, as well as support for the latest open networking switches.

Big Monitoring Fabric (BMF) is a next-generation network packet broker (NPB) that leverages SDN principles, Open Networking switches and an x86-based DPDK service node to provide feature-rich, scale-out data center monitoring. New capabilities in Big Monitoring Fabric include advanced feature additions to the Big Switch DPDK service node and enhanced network services for out-of-band network monitoring to achieve pervasive network visibility and security. Big Cloud Fabric updates include deeper integration with VMware vSphere and support for Red Hat OpenStack Platform 8, with a recently completed 300-node scale benchmark validation test with Dell and Red Hat. Big Switch is also announcing support for the latest open networking switches based on Broadcom Trident-II+ and Tomahawk ASICs, including copper 10G (10GbT) and higher-density 64x40G, to double the scale of both SDN fabric solutions.

Big Cloud Fabric (BCF) is a leaf/spine SDN fabric promising hyper-scale agility, economics and operational simplicity for OpenStack Platform clouds or VMware virtualization environments. Updates to Big Cloud Fabric include:

  • NFV Everywhere -- To expand NFV deployments beyond the data center to Central Offices, smaller POPs and remote locations via NEBS support, a new VM controller option and stretched-fabric deployments
  • Enhanced VMware vCenter GUI Plug-in -- To deliver physical network automation, visibility and now troubleshooting directly from vCenter to simplify provisioning and operations for the cloud/virtualization admin.
  • Support for Software-Defined Storage -- In addition to traditional IP storage, now supports production deployments with Red Hat Ceph
  • Inter-Pod/Inter-DC L2 Extension -- Enables tenant services and application mobility across pods and data centers leveraging VXLAN (beta support)
  • Expanded SDN Security -- Crypto security for the SDN control plane (CPSec) now covers controller-to-vSwitch and controller-to-controller traffic, in addition to the controller-to-pSwitch traffic previously supported
  • Container Networking Demonstration -- Plug-in for Kubernetes container orchestration to demonstrate network automation, visibility and troubleshooting in a Docker container environment

Expanded Support for Open Networking Hardware -- Both Big Monitoring Fabric and Big Cloud Fabric now support the latest Broadcom Trident-II+ and Tomahawk based Open Networking switches from Dell and Edgecore Networks, including:

  • 64x40G: Dell's S6100 high-density Broadcom Tomahawk-based platform to double 40G fabric scale for both Big Cloud Fabric and Big Monitoring Fabric
  • 10GbT: Copper 10G platform (48x10GbT + 6x40G) based on Broadcom Trident-II+ for cost-optimized deployments
  • 32x40G and 48x10G + 6x40G: fiber 10G and 40G platforms based on Broadcom Trident-II+

These platforms are available for beta trials in Q3 2016.


http://www.bigswitch.com