Cisco’s announcement earlier this month that it will add the Viptela SD-WAN technology to the IOS XE software running the ISR/ASR routers will be a mixed blessing for enterprises.

On the one hand, it brings SD-WAN migration closer to Cisco customers. On the other hand, two preliminary indicators —  one-on-one conversations and Cisco’s refusal to participate in an SD-WAN test —  suggest enterprises should expect reduced throughput if they enable the SD-WAN capabilities on their routers.

Cisco’s easy migration to SD-WAN

By including the SD-WAN code with IOS XE, Cisco will provide a migration path for the more than one million ISR/ASR edge routers in the field. There’s been a lot of conversation as to whether or not SD-WAN is going to kill the router performance. Delivering SD-WAN code on the ISRs is Cisco’s answer: routers are here to stay but they’ll morph into SD-WAN appliances.

To read this article in full, please click here

A new global backbone provider emerged from stealth last week, giving organizations even more choice in how they build their Internet-based SD-WANs.  Mode introduced what it calls a “software-defined core” (SD-CORE) network that offers IT “affordable private-network reliability and quality of service” across the globe.

The company joins Aryaka and Cato Networks as one of the few independent backbone providers helping enterprises solve the variability problems of the Internet core. Middle-mile performance forms the biggest challenge for delivering stable, global, low-latency connections.

To read this article in full, please click here

You simply can’t take advantage of all that SD-WAN has to offer without giving branch offices local Internet access and you can’t give them local Internet access without securing them. SD-WAN for all its strengths does not provide robust edge security. Yes, data is encrypted in transit. And, yes, some SD-WAN appliances come with basic stateful firewalling capabilities. But with attacks coming at layer-7, branches require a next-generation firewall (NGFW) and updated IPS/IDS capabilities to protect locations —  not a basic firewall. For all intents and purposes, branch SD-WAN needs layer-7 security, which is why you see so many SD-WAN vendors striking partnerships with security vendors or some building security into their appliances.

To read this article in full, please click here

If the recent WAN Summit in New York where I moderated a panel on last-mile access (more on that later) was any indication, the SD-WAN market is shifting towards a service-delivery model where sufficient network security and predictability are baked into the SD-WAN so the service can replace MPLS.

In session and private conversations, topics related to secure SD-WAN services kept popping up. The challenges of today’s managed services. The impact of the cloud. The need for SLAs in SD-WAN services. How encryption complicates visibility and, by extension, enterprise security. These and other issues point to the change and challenges facing SD-WAN services.

To read this article in full, please click here

Is it only me who finds it just a bit dubious that carriers are advocating SD-WAN? SD-WAN was practically invented to get away from the clutches of carriers, and now we're supposed to trust them to be the stewards of WAN transformation?

Carriers lost that privilege when their business model grew out-of-step with how we do business. We grew tired of being charged double Internet prices for MPLS capacity. In an era of self-service, carriers were still making us wait to troubleshoot problems. And we were astonished that new MPLS circuits could take weeks, even months, to bring into a new site when you could often get started with broadband in a matter of days and upgrade to DIA when ready.

To read this article in full, please click here

I was in the local Best Buy the other day and overheard a conversation between a saleswoman and a father looking to buy a computer for his daughter. Apparently, the daughter is a designer, which of course requires lots of heavy graphics work. Anyway, the saleswoman was trying to explain how he should invest a little bit more in an expensive graphics card because of her work. The father wouldn’t hear of it. He wanted the least expensive machine possible.

It was a mistake.

Part of the art of life is knowing when and where to invest your resources for maximum return. Sometimes less is, well, less and investing a bit more really can make a difference. I know you didn’t come to this blog for self-help advice, but life’s truism has real-world implications for wide area networks and, in particular, when selecting the Internet infrastructure underlying your SD-WAN.

To read this article in full, please click here

A new Chinese policy going into effect next week, will have profound impact on businesses relying on Internet VPN or SD-WAN access within China.

According to a notice from China Telecom obtained by SD-WAN Experts, the Chinese Government will require commercial Chinese ISPs to block TCP ports 80, 8080, and 443 by January 11, 2018. Port 80 is of course the TCP port commonly used for carrying HTTP traffic; 8080 and 443 are used for carrying HTTPS traffic. Commercial ISP customers interested in maintaining access to those ports must register or apply to re-open the port through their local ISP.  

The news, first reported by Bloomberg July, was expected to be implemented by February, 2018. This is the first time a specific date has been provided for the action.

To read this article in full, please click here

In a rush to capitalize on the SD-WAN market opportunity, some SD-WAN vendors seem to be playing fast and loose with their appliances.

At a recent customer site of ours, Nirvik Nandy, CISO of SD-WAN Experts and CEO of Red Lantern, a security and compliance consultancy, and I collaborated on a security analysis of SD-WAN architectures. We conducted penetration testing of several SD-WAN solutions, looking at

the appliances and cloud architectures. Details of how we tested and vendor results are necessarily confidential. However, I can share with you some of our overall findings about appliances – we’ll get to the cloud at a later date.

SD-WAN security: what it really means

First, some context: SD-WAN vendors speak about their architectures as being secure and that’s true to an extent. All SD-WAN solutions secure traffic in transit. But there’s more to network security than protecting data against eavesdropping and wiretapping, which is why companies deploy next-generation firewall (NGFW), intrusion prevention systems (IPS), and more.  SD-WAN and security vendors have been addressing this need, integrating the functionality of one another into solutions that provide networking and security.

To read this article in full, please click here

The recent news around VMware’s acquisition of SD-WAN provider VeloCloud is puzzling from a lot of angles but particularly in what it says about SD-WAN services.

Let’s make a deal

VeloCloud is a leader, and some would say the leader, in the SD-WAN market. The company has been in the space since its founding in 2012 and has raised $84 million in private funding, according to CrunchBase. It claims around 1,000 enterprise customers (1,000).

The VeloCloud acquisition will help VMware compete with Cisco, who acquired SD-WAN provider Viptela for $610 million in May. VeloCloud isn’t VMware’s first virtual networking acquisition. Back in 2012, the company acquired Nicira, which became the basis for its NSX network virtualization offering. Integrating the two technologies creates an interesting end-to-end solution. VeloCloud’s approach of coupling appliances with aspects of a cloud service, will play well with VMware’s premise-oriented strategy.

To read this article in full, please click here