Wide Area Networking in an Era of Mobility and Cloud


Introduction

Starting in the 1980s, a number of technologies have been used to build branch office WANs, including TDM, X.25, Frame Relay, ATM, MPLS and the Internet. Independent of the technology in use, however, the primary WAN design objective has remained constant: provide communications within the closed system made up of an organization's branch offices and its data centers.

The legacy approach to designing a branch office WAN is described below. That approach works well as long as the design objective of providing connectivity within a closed system remains valid. Two fundamental trends, however, are invalidating that objective and driving the need for a new WAN architecture. The first is that an organization's employees no longer reside solely in a branch office; the vast majority are mobile for at least part of their work week. The second is that in addition to accessing the organization's private data centers, employees now also need to access a large and growing number of public cloud providers. Taken together, these two trends mean that virtually no organization still has a well-defined perimeter, and as a result its WAN can no longer function solely within a closed system.

The goal of this TechNote is to contrast the traditional approach to designing a branch office WAN with two emerging WAN architectures. One of those emerging architectures is a Software Defined WAN (SD-WAN) and the other is a Secure Cloud Network.

The Legacy Approach

In the legacy approach to designing a branch office WAN it is common to have T1 access to a service provider's MPLS network at some or all of the organization's branch offices and one or more higher speed links at each data center. Either as an alternative or as a supplement to MPLS access at branch offices, connectivity between a branch office and a data center is sometimes provided by unmanaged VPN tunnels that run over the Internet. One limitation of the legacy design is that it does not support mobile users. Another is that traffic destined for a public cloud provider is typically backhauled to one of the company's data centers before being handed off to the Internet, which adds both cost and delay.

Each of the two services that currently provide the bulk of WAN connectivity, MPLS and the Internet, offers a number of benefits. Some of the benefits of an MPLS service are that it provides QoS and typically has high availability. Some of the benefits of the Internet are its ubiquity and relatively low cost. The 2015 Guide to WAN Design and Architecture contained the results of a survey in which the respondents were asked to identify the concerns they have with each service. Two of the primary concerns the respondents expressed about MPLS were the cost of the service and the amount of time it takes to get new circuits installed. Two of the primary concerns expressed about the Internet were security and latency.

SD-WAN

As is the case with any software defined network, an SD-WAN centralizes the network control function in an SDN controller. The controller abstracts the user's private network services from the underlying IP network and enables those services to be operated via centralized policy. Leveraging the underlying WAN platforms, which may be physical or virtual routers, the controller sets up virtual overlays and automates management tasks such as configuration and provisioning.

To date the discussion of an SD-WAN has focused primarily on one use case: a hybrid WAN that features dynamic load balancing of traffic over the MPLS and Internet links that connect an organization's branch offices to its data centers. This application of SDN concepts in the WAN enables organizations to either reduce the cost of their WAN or slow its growth. An SD-WAN does this by enabling organizations to replace or augment their relatively expensive MPLS capacity with relatively inexpensive Internet capacity.
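The hybrid WAN use case above comes down to a controller applying centralized policy to per-link telemetry. The following Python is an added illustration written for this TechNote, not code from the page or from any SD-WAN vendor; the link names, application classes, SLA thresholds and telemetry values are all constructed for the example. It picks a link per application from an ordered preference list, fails over when the preferred link breaches its SLA, and, in a brownout where no link is compliant, steers to the least-bad link that is still up rather than black-holing the flow.

```python
"""Policy-driven path selection for a hybrid MPLS + Internet SD-WAN.

Added illustration: every link, application, SLA threshold and telemetry
value below is constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class LinkStats:
    """Per-link telemetry as a controller would receive it from an edge device."""
    name: str
    latency_ms: float
    loss_pct: float
    jitter_ms: float
    up: bool = True


@dataclass
class Sla:
    """Worst acceptable values for a link carrying a given application."""
    max_latency_ms: float
    max_loss_pct: float
    max_jitter_ms: float


# Hypothetical centralized policy: ordered link preference plus the SLA the
# chosen link must meet. Real-time apps prefer MPLS; bulk traffic prefers the
# cheaper Internet link.
POLICY: Dict[str, Tuple[List[str], Sla]] = {
    "voip":   (["mpls", "internet"], Sla(150, 1.0, 30)),
    "erp":    (["mpls", "internet"], Sla(250, 2.0, 50)),
    "web":    (["internet", "mpls"], Sla(400, 5.0, 100)),
    "backup": (["internet", "mpls"], Sla(1000, 10.0, 500)),
}
DEFAULT_POLICY: Tuple[List[str], Sla] = (["internet", "mpls"], Sla(500, 5.0, 100))


def meets_sla(link: LinkStats, sla: Sla) -> bool:
    """True when the link is up and every metric is within the SLA."""
    return (link.up
            and link.latency_ms <= sla.max_latency_ms
            and link.loss_pct <= sla.max_loss_pct
            and link.jitter_ms <= sla.max_jitter_ms)


def sla_violation(link: LinkStats, sla: Sla) -> float:
    """How far a link is outside the SLA (0.0 = compliant), summed over metrics."""
    if not link.up:
        return float("inf")
    return (max(0.0, link.latency_ms / sla.max_latency_ms - 1)
            + max(0.0, link.loss_pct / sla.max_loss_pct - 1)
            + max(0.0, link.jitter_ms / sla.max_jitter_ms - 1))


def select_path(app: str, links: Dict[str, LinkStats]) -> Optional[str]:
    """Return the link name to use for `app`, or None if every candidate is down."""
    prefs, sla = POLICY.get(app, DEFAULT_POLICY)
    candidates = [links[n] for n in prefs if n in links]
    # Normal case: the first preferred link that currently meets the SLA.
    for link in candidates:
        if meets_sla(link, sla):
            return link.name
    # Brownout: no link meets the SLA. Use the least-bad link that is still up
    # rather than dropping the flow.
    up = [l for l in candidates if l.up]
    if not up:
        return None
    return min(up, key=lambda l: sla_violation(l, sla)).name


def route_flows(apps: List[str], links: Dict[str, LinkStats]) -> Dict[str, Optional[str]]:
    """Map each application class to the link the policy selects for it."""
    return {app: select_path(app, links) for app in apps}


if __name__ == "__main__":
    # Constructed telemetry: a healthy pair of links, then MPLS losing packets.
    healthy = {"mpls": LinkStats("mpls", 40, 0.1, 5),
               "internet": LinkStats("internet", 90, 0.5, 15)}
    lossy = {"mpls": LinkStats("mpls", 40, 3.0, 5),
             "internet": LinkStats("internet", 90, 0.5, 15)}
    for label, links in (("healthy", healthy), ("mpls lossy", lossy)):
        print(label, route_flows(["voip", "erp", "web", "backup"], links))
```

With the healthy telemetry, voice and ERP ride MPLS while web and backup traffic take the Internet link; once MPLS loss climbs past the voice and ERP thresholds, those flows fail over to the Internet. The point a security engineer should take from this is the one the next paragraph makes: the same policy decision that saves money also moves traffic onto an untrusted transport, so the policy is the place to require that any Internet-steered flow stays inside the encrypted overlay tunnel.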

As organizations adopt an SD-WAN and hence make less use of MPLS and more use of the Internet, they reduce the negative impact of MPLS services but they also increase the negative impact of the Internet. As mentioned, two of the primary concerns that network organizations have with the Internet are latency and security. Since an SD-WAN solution has no control over the Internet middle mile, it cannot do anything to improve Internet latency. In addition, SD-WAN solutions don't provide any sophisticated security functionality that is tightly integrated into the solution, and they do nothing to improve security for mobile workers.

Secure Cloud Network 

Organizations of all sizes and types are adopting public cloud applications and services, in part because providing those applications and services themselves is too complex and too costly. In similar fashion, organizations are beginning to make use of a new class of WAN solution: a Secure Cloud Network, which provides connectivity between mobile users, branch offices, private data centers and cloud service providers in such a way that the network has full visibility into all the traffic. Because security is an integral part of the design of a Secure Cloud Network, it is possible to create and enforce a unified policy across all asset types without additional point solutions.

A Secure Cloud Network is typically built using a core, CDN-like network that interconnects a distributed set of Points of Presence (POPs). To avoid the latency concerns associated with the Internet, the service keeps the latency between its POPs to a minimum by carrying traffic across a private Tier-1 carrier backbone. The service should also provide functionality such as forward error correction and application throttling in order to improve application performance. Since the service is cloud-based, organizations can avoid the long lead times and cost of MPLS by adding Internet capacity rapidly as it is needed, rather than provisioning and paying for expensive bandwidth whose only purpose is to support future requirements.

From the perspective of providing effective security, a minimum requirement is that it must be possible to reach a Secure Cloud Network over a secure tunnel from branch offices, mobile devices, private data centers and cloud service providers. Delivering the network from the cloud also makes it possible to embed elastic security services directly into the fabric, so that next generation firewall, URL filtering and other deep packet inspection capabilities can be applied to all of the traffic and evolve over time.

Another advantage of a Secure Cloud Network is that it eliminates the need for multiple branch office appliances such as firewalls and WAN optimization controllers. A potential disadvantage is that replacing MPLS access in a branch office with Internet access may reduce availability. One way to compensate for this is to have multiple Internet links in each branch office, carried over diverse access services (e.g., DSL, cable, 4G) to multiple ISPs.

Summary and Call to Action 

The fact that the legacy approach to designing a branch office WAN has remained constant over the last few decades, even as the enabling technologies changed, can lead a network organization to assume that its WAN design never needs to change. That assumption might be correct if the goal of the branch office WAN were just to provide communications within the closed system made up of the company's branch offices and data centers. However, virtually all organizations also have to ensure that their WAN can effectively and securely support connectivity to mobile users and public cloud providers. Given this requirement, network organizations need to analyze alternative WAN architectures.

One emerging WAN architecture is an SD-WAN. As mentioned, to date the discussion of an SD-WAN has focused on dynamic load balancing of traffic over the MPLS and Internet links that connect an organization's branch offices to its data centers. While this is an important use case, an SD-WAN doesn't address the needs of mobile employees and it doesn't feature any sophisticated security functionality that is tightly integrated into the solution.

Another emerging WAN architecture is a Secure Cloud Network that is built using an optimized global backbone that interconnects a distributed set of POPs. This architecture features integrated cloud and mobile support, sophisticated security functionality as well as the ability to enforce a unified policy for all WAN and Internet traffic across all users, locations and applications. If needed, the availability of this architecture can be increased by having multiple Internet links in each branch office that are carried over diverse access services to multiple ISPs.

Webtorial® is a registered servicemark of Distributed Networking Associates. The Webtorial logo is a servicemark of Distributed Networking Associates. Copyright 1999-2018, Distributed Networking Associates, Inc.