CSO Perspectives (Pro) 10.26.20
Ep 26 | 10.26.20

SD-WAN: around the Hash Table.


Rick Howard: Hey, everybody - Rick here. When I decided that SD-WAN was going to be one of our topics for Season 3, I just assumed that the technology was already established, that most network managers had already widely deployed it. I couldn't have been more wrong. The basic idea of it, a software abstraction layer that controls the priority of network traffic flow for all internet connections across an international space, has been around since 2013. But none of our CyberWire hash table experts have deployed it. Only a few even have it on their roadmap. And Gartner forecasted at the end of 2019 that only 30% of enterprises had deployed it. They did say, though, that adoption was rapidly growing: in the previous year, the deployment number was only 1%. So that's significant. But the general consensus from our hash table experts is that, when it comes to SD-WAN technology, they are putting it into the bucket of perhaps useful technology but not quite ready for primetime. And I thought we should explore that and find out why.

Rick Howard: My name is Rick Howard. You are listening to CSO Perspectives, my podcast about the ideas, strategies and technologies that senior security executives wrestle with on a daily basis. Today we are talking to two hash table experts to get their thoughts on the state of the SD-WAN idea and where it might go in the future. 

Rick Howard: Let's start with the evolution of internet connectivity. In the last episode, I covered this changing environment from the early 1970s and the use of X.25 networks to connect mainframes to each other to the use of MPLS circuits in the early 2000s to connect data centers to remote locations around the world. We also got the introduction of broadband to the home and to small businesses at the same time. And by the way, for you nerds out there, MPLS stands for multiprotocol label switching. I know many of you were just about reaching for the Google machine to find that out. I thought I would do that for you. You're welcome. 

Rick Howard: In the early days, MPLS provided fast and high-quality connections, and broadband provided cheap but more unreliable access to the internet. Over time, though, broadband connections and the internet in general became faster, more stable and more resilient. And with 5G on the near horizon, it is only going to get better. Further, enterprises are well on their journey to move workloads to the cloud. The need for high-speed, high-quality internal circuits is not as important today as it was back in the early 2000s. 

Rick Howard: Paul Calatayud is the chief security officer for the Americas at Palo Alto Networks. Full disclosure - he's an old friend of mine, and he used to work for me when I was at Palo Alto Networks. But he is one of the smartest people on the planet about how technology works and why, and he has this rare ability to be able to explain it in terms that your mom can understand. Here's what he had to say about the changing internet connectivity environment and the need for SD-WAN technology. 

Paul Calatayud: If I look at what's driving the need for SD-WAN at the highest level, I think it's the fact that network traffic is no longer a simple hub and spoke, right? And so the idea of having a branch remote office is no longer as needed. And I don't need to - as a productivity worker, I no longer need to simply, you know, have access back to a data center, right? If I look at network traffic today, it's very distributed. It's very multi-cloud, public cloud, SaaS, right? 

Paul Calatayud: And so all of a sudden, now the needs aren't necessarily about back hauling the traffic to corporate. It's about creating a secure, dedicated, you know, connectivity to allow for different use cases. And so there's still a need for something, right? But it's just no longer the same, what I'll call, static routes and kind of dedicated networking that is traditionally used in lieu of SD-WAN, right? So SD-WAN, I think, is a response to that distributed agility. 

Rick Howard: Steve Winterfeld is Akamai's advisory CISO. He is also a very old friend of mine. In fact, he is my best friend. Alert listeners will have already figured out that the hash table membership today is mostly a collection of my old friends whom I have browbeaten into bringing their expertise to this show. Shh. Don't tell anybody. I'm trying to keep it a secret. Anyway, like me, Steve's cybersecurity career has occurred in parallel to all of this internet connectivity evolution. 

Steve Winterfeld: My understanding was because the bandwidth was becoming so rich that the risk was acceptable to move off of MPLS. And you know, the days of having horrible latency and unreliable communication are fading fast, and 5G is going to make it even lower-risk. And all those dedicated circuits weren't the return on investment. 

Rick Howard: The main reason that SDWAN appears so shiny for those 30% of early adopters is the reduction in cost. Internal MPLS circuits are really expensive compared to cheap broadband connections. Here is Paul explaining the potential impact to the bottom line. 

Paul Calatayud: But then there's usually significant amount of cost savings from the circuits that are being collapsed as well. That's usually where people go after when they think about the TCO of SD-WAN - is they're not - I mean, it's an incremental savings on the hardware. One could argue, if I don't touch it, it's cheaper because that hardware has been sitting there for five years. But you're probably not getting the new needs of the business being met. So there's uninvested opportunity, right? But the real cost, I think, the big one is usually the network collapses. People are going from, you know, thousands and thousands of dollars for these lines that might be 5% utilized to, you know, tens of dollars - right? - per megabit for those same connections. 

Paul Calatayud: So that's - I think on average, I think most SD-WAN ROI calculators are probably going to see a 50% reduction in cost. Like, if you were to put your network in and say, how much is it going to cost to service it through an SD-WAN, it's going to be a 50% decrease on top of the investment you've made on the new hardware, right? So essentially, it's free. 

Rick Howard: But it is also more than that. If deployed correctly, SD-WAN gives the network manager more flexibility and agility in managing their network. It provides a lever to move that network traffic to the edge. And when I say the edge, I mean that network traffic flow sits as close as possible to the customer. It doesn't have to traverse multiple nodes of an internal network very deep in your organization. 

Rick Howard: Here's Steve again, talking about that characteristic of SD-WAN. 

Steve Winterfeld: SD-WAN is giving you more flexibility and allowing you to optimize those routes. It's very similar on the content delivery side with dealing with customers. You want to push that interaction as close to the edge, as close to the customer as possible and speed up those interactions. 

Steve Winterfeld: In the past, we've really minimized our risk on the network by going with MPLS or some kind of direct connect to guarantee that performance. And as the internet has gotten more resilient and more robust, especially with things like, you know, moving to 5G, which will extend that robust footprint, we're able to accept more risk by just depending on the internet for our connectivity. And that's what SD-WAN is allowing us to do. 

Steve Winterfeld: The internet's simply more dependable. We can depend on that and not worry about the fact that the bandwidth won't support our employees when their kids are playing, you know, games and going to school and the neighbors on the same, you know, segment are doing all that stuff as well. There have been a few performance issues, but by and large, most people are still able to get on video calls. 

Steve Winterfeld: Now, I think we're at the point now where, you know, because of the robustness, because of the capabilities, we're able to reassess what it makes sense to invest in and an infrastructure to support our business. 

Rick Howard: With SD-WAN, the idea is to move away from a handful of high-cost dedicated MPLS circuits and move towards a bucketload of low-cost broadband connections. The SD-WAN abstraction layer manages all that complexity for you. Here's Paul again. 

Paul Calatayud: I think as network engineers look at it - right? - which is this idea that you have a single point of failure in your data center, and so you have to create multiple paths and dedicated circuits that are very reliable because everyone's traversing it. And if I think about what an SD-WAN architecture looks like, it's kind of more of a mesh. 

Paul Calatayud: There's many, many different ways to get back home. And so I just need to create some level of, we'll say, beaconing back home - right? - something that says, here I am. And ultimately, the way, the destination on getting there can become a little bit rocky, but ultimately, the, you know, the protocols and the way these things fast-pass selection, kind of the technical bits and bytes of it, is ultimately it's going to make me get home eventually. And I think that creates some of the agility - right? - and resilience. 

Paul Calatayud: It essentially makes up for the lack of dedication and lack of reliability because now I have many, many unreliable options to get back home, and eventually some of those paths - it's like Waze - right? - like the maps. You know, all of a sudden, it's telling you to go a different path, but ultimately, it's looking and going, yeah, we'll get you there eventually - right? - like, on time. And you're going in back neighborhoods and going through dirt trails and you're like, well, this is efficient. But that's kind of the way SD-WAN works. Like, the big visualization here is SD-WAN is the Waze for networking. 

Rick Howard: I love that. If you are having trouble understanding the SD-WAN abstraction layer, this is the one takeaway to remember - SD-WAN is the Waze GPS of network traffic flows. Not to put too fine a point on this, but here's the description of the Waze mapping program from the Google website - quote, "always know what's happening on the road with Waze. Even if you know the way, Waze tells you about traffic, construction, crashes and more in real time. If traffic is bad on your route, Waze will change it to save you time," end quote. Exactly - that is what SD-WAN does for you on your network. So that's the good news. 

Rick Howard: The bad news is that if you don't design it carefully and ensure that all that traffic flow goes through a security stack somewhere, you could have a real problem. From Paul's perspective, though, SD-WAN just exposes a security problem that we already had - namely, why weren't we already protecting our internal east-west traffic in the first place? 

Paul Calatayud: I think it does put some of the burden into the security world. If I look at a lot of networks that are dedicated today, there is no east-west inspection - right? - because they just - like you said, it's essentially my core network being extended to a physical branch that is, you know, states and miles away. But it's a dedicated circuit, so I essentially trust it, just like I trust the corporate laptop, you know, that's 5 feet away. But as we all know in cybersecurity, I can't trust the device that's 5 feet, let alone 5 miles away. 

Paul Calatayud: What it does is it exposes a vulnerability that has always been there, meaning it causes the network team to be - and security teams to be a little bit more cognizant of the threat landscape because now they're not necessarily trusting the network, which they should have never have trusted in the first place. But now they're like, whoa, I definitely don't trust an internet connection. That's the wild, wild West, right? And so it does put some burden into the cybersecurity realm, again, which isn't - wasn't there, which ought to have been there. 

Rick Howard: We are seeing this convergence of networking and security like we have never seen before. I mean, firewalls have always been fancy routers anyway, even way back in the early 1990s. They handled routing but also allowed security managers to block things. 

Rick Howard: When firewall vendors turned their machines into security platforms circa 2015 or so, those machines still did routing but could also handle the zero trust policy, intrusion kill chain prevention plans and an entire host of other security functions. With that evolution, the networking side and the security side moved closer to each other, but with the SD-WAN abstraction layer, the distinction between the two sides may be becoming less clear. 

Rick Howard: What is clear is that the cost reduction, flexibility and agility we get on the networking side is not free. Securing all of that could become a lot harder if we don't pick the right design. Here's Paul again, describing the burden transfer from one side to the other. 

Paul Calatayud: So what you're seeing is a convergence, if you will, between SD-WAN and security. I have a network. I need to secure it. I need to create assurances and get past some of the concerns that I might have with the internet. And so it does put security front and center, but it also puts the opportunity to - and one of the reasons why SD-WAN is very important is because it's software-defined. It opens the door that I actually look at multiple strategies of software-defined - software-defined WAN, software-defined security - right? - aka SASE or aka, you know, firewall fabric. 

Paul Calatayud: And so that creates, I think, a strategy where most people should not be thinking about SD-WAN as an independent strategy just to accelerate the network. It needs to have the security context in it. 

Rick Howard: The interesting question to ask is how to do it. Do you take an SD-WAN appliance and integrate security features into it, or do you take your security platforms and integrate SD-WAN technology into them? Or do you just punt and keep them separate - in other words, run stand-alone SD-WAN appliances and separate security platforms? 

Rick Howard: The answer today is a little bit of all three, depending on the business needs. I think that is one reason that many CIOs and CISOs have been slow to adopt the technology right now. There's no clear winning architecture that everyone agrees on. There are pluses and minuses to all of them. And let's say you commit to one of them and you are wildly successful at the deployment. You may get to the end and find that the benefits you thought you were going to get are outweighed by other issues you hadn't anticipated yet. 

Steve Winterfeld: You can put a lot of effort into this and end up with what I call bring your own network, overcoming this and not needing it. I find our need to have a network based on the fact that we've always had a network. And I was saying 20 years ago the future is bring your own network, not bring your own device, because bring your own device immediately moves to bring your own network. And to just try to expand your network doesn't pass the common sense to me. 

Rick Howard: So you have three options. No. 1 - find an SD-WAN vendor that has enough security integrated to satisfy your requirements. No. 2 - find a security platform that has enough SD-WAN functionality to make it useful. And No. 3 - forget about this convergence of security and network management and just deploy separate SD-WAN and security stack hardware and software. 

Rick Howard: There is a fourth interesting and incremental option to consider. This is a little bit technical, so let me see if I can break it down. Instead of keeping everything internal, you could run your SD-WAN appliances on your internal network but install your preferred security stack in one of the big cloud provider networks, like Google, Amazon or Microsoft. The SD-WAN abstraction layer includes not only the SD-WAN appliances, but also the security stacks you have deployed in the cloud. 

Rick Howard: What that means is that any employee web-surfing to the internet would first go to one of the local SD-WAN appliances, then to the local internet service provider - which probably has a peering relationship with your cloud provider, so it's really fast - and then through your deployed security stack and then off to the internet. That has the benefit over the other three options I mentioned in that you don't have to deploy the SD-WAN hardware and the security platform hardware at every remote location in the enterprise. The solution might be cheaper, too, since you are still eliminating most of the MPLS circuits. 

Rick Howard: That said, there is still a lot of complexity to this. If it appeals to you, though, make sure that your virtual security platform deployed in the cloud has the ability to join your SD-WAN layer. Not all of them do. 

Paul Calatayud: If you do that in-house, what ends up happening, through my own experience - the network team, the security team, the firewall team spends all of their time servicing the availability of that service and tends to lose sight of the policy itself because their focus is on making sure it's available and scalable. And so you're doing all this performance management, performance engineering, patch management, vulnerability management, platform management, and that's the same team that is also in charge of the policy. And ultimately, they create, you know, which one is going to cause the most pain for the business. If the firewall is not available - right? - everyone knows about it. If the firewall is the Swiss cheese and it's very flexible, no one is going to complain until there's, you know, a compromise. 

Paul Calatayud: And so I think - like you were saying, I think the ultimate value of SASE is removing the burden and the distraction of managing the service and focusing more on the efficacy of the service. Now I am in charge of this policy. And I can focus on that. It's very similar to cloud, right? The pros of cloud are I no longer have to manage Active Directory or manage, you know, Outlook as a platform. I just need to make sure the security of Outlook is working or the security of Office 365 is working. So it allows us to rise above and get less distracted with things that, ultimately, are not in our core competency. 

Rick Howard: But if you're going to take that admittedly incremental step in the architecture when you are running split operations, SD-WAN hardware and software deployed internally and the virtual security stack deployed in the cloud, what's stopping you from taking a giant step forward? Have a cloud provider do everything. In other words, enterprise sites have broadband connections or, in the very near future, 5G connections. The first hop is to the cloud provider who manages the SD-WAN infrastructure and the security stack. If you do this, you move the management complexity of keeping the blinking lights up and running on all of that software and hardware. And you simply focus on managing the network and security policy. Now, at this point, you might be saying to yourself, wait a second. This sounds very similar to what Rick has been blabbing on and on about for three seasons of this podcast. Isn't this SASE - or secure access service edge? 


Unidentified Person: Winner, winner, chicken dinner. 

Rick Howard: Aw, you've been paying attention. It does my heart good. I go in-depth on SASE in Season 1, Episode 1. And I provided a little recap in the last episode. If you are not familiar with SASE, you should go back and listen to those shows in the archive. But just so you know, I'm not the only one that thinks SASE is in all of our futures. Here's Paul and Steve again. 

Paul Calatayud: Yeah. I think SASE is the future. I think it is where, ultimately, advanced security services are going to be fulfilled. SASE is taking a physical firewall, virtualizing it, putting it in someone else's data center and creating an availability that is taking advantage of cloud dynamics, right? And so what it is that it's similar to is it's very similar to the way I manage my physical firewalls today, like a VPN tower or an internet PoP. But what it's introducing is higher availability, because now I have these things all over the world and creating what I call cloud dynamics. And what cloud dynamics is, it's elasticity, it's auto-provisioning. It's capacity on demand, right? And so even if I were to create my own competitive, internal SASE, I'm still going to be hardware-limited, right? And so all of a sudden, I now have to say how many customers around the world are going to be accessing my firewall that I've put in my own data center near them, right? So I've solved the near problem. But I haven't necessarily solved the capacity problem. And so the additional thing, I think, that a lot of people don't know about and I think is worth highlighting is SASE is elastic by definition. And so what that means is I can have one customer on that network or I can have a thousand customers. And the experience should be the same. 

Steve Winterfeld: SASE has impressed me because it is a model that reflects what was already happening. It ties the network portion closer to security. You know, I had designed all my security controls only to be told some of the apps I'm protecting are being moved to Google public cloud. So now I'm scrambling to relook at my controls. And so - you know, that's a bad story where you want to be closely integrated with those networking - with that networking side so you're all on that one page. It puts a framework out there as an industry best-practice on what we were already doing, you know, already frustrated with complexity, with the number of vendors. I've talked to some of our customers that have over a hundred security vendors. And so by moving to SASE, by moving to fewer platforms, you know, you're reducing complexity while increasing situational awareness because the visualization is on that one platform. You're simplifying vendor management. And if you're working with the right SASE provider, you know, they're already thinking about international compliance. And so they're addressing some long-term global needs you may have to deal with. And then, for me, I had engineers, one engineer maybe managing five or six capabilities. So consequently, that DLP or the IPS was never truly optimized. And so - you know, you're reducing the number of skills needed and, potentially, the amount of staff you needed. And so all of this, you know, depending on moving to an SD-WAN or a CDN or something like that, you're also improving performance, so reducing latency and having a better overall experience. So any time you can reduce that friction, I think, overall, SASE is a great thing to build your strategy for the edge around. 

Rick Howard: One note of caution while choosing your SASE vendor - remember, one of the perks of using a SASE vendor is that the good ones have already gone to the trouble of establishing peering relationships to all the big content providers. If a SASE vendor doesn't have the peering relationships that you need, you shouldn't get in bed with them. For example, if you are deploying boatloads of services to the Amazon Cloud for your customers, your SASE vendor should have a peering relationship with Amazon at all of your remote locations' local internet service providers. If they don't, why bother? 

Paul Calatayud: Here's the nuance. And this actually applies to both SASE and SD-WAN. Some SD-WAN vendors are actually just replicating the - like, they're hosting the SD-WAN in their data centers. And so they're having to build peering agreements and relationships with the ISPs and with the Googles and with the Netflixes of the world in order to create efficiency. So there's a little bit of a misnomer. When people think they're using SD-WAN and surfing the internet, you are until you get to the SD-WAN vendor's network. And now you're actually, good or bad, working within their ecosystem - right? - and same with SASE. SASE - some of the SASE vendors have dedicated data centers, dedicated appliances, and there are really cloud - they're not really next-gen because all they're doing is incremental value. They've removed the burden of the data center from you. 

Rick Howard: What Paul is saying is that smaller SASE vendors who don't have global networks probably will not provide you the resiliency and robustness that you were looking for. That said, if they are deploying their services with one of the big cloud providers, let's say Google, their SASE service benefits from the scale and efficiency of that giant, worldwide network. A small SASE startup won't have the capacity to build that kind of network themselves, but they exponentially increase their worldwide presence if they build their service on top of one of the large content providers. Remember; according to the original Gartner white paper on SASE, a SASE service bundles three cloud services together - a security stack, an SD-WAN abstraction layer and peering connections to important content providers. For SASE to get you that giant leap forward in efficiency, complexity reductions and cost, your vendor has to have all three. 

Rick Howard: As you might have noticed, I have been rambling on and on about SASE in this episode that I advertised was supposed to be about SD-WAN technology. The fact is that today, I think that SD-WAN is just an interesting networking technology that may only be useful for a very limited number of business use cases. In the near future, it has the potential to be used for that giant leap forward but only if you couple it with SASE in order to get the security stack and only if the SASE vendor has a global network. SD-WAN by itself will not get 'er done. So when you hear me say SASE is the future, I'm really using the description of SASE from the Gartner team's original white paper - security stack plus SD-WAN plus fast global network all delivered from the cloud. 

Rick Howard: But before I wrap up here, Paul mentioned something to me about a potential future of SD-WAN that is, to say the least, intriguing. He said that it might be possible to use some sort of machine learning algorithm on the network data flowing through the SD-WAN abstraction layer that could guess with high confidence what the next network packet was going to be before it arrived. 

Paul Calatayud: We're starting to see the use of AI in video rendering - right? And so, like, Nvidia is kind of pioneering this. And it's starting to have real world applications, right? In theory, it can scale 4K to 8K without any new coding - right? - as far as the rendering of bits. But that's good for a gamer. But all of a sudden now, I'm starting to see that they're exploring it for video. And all of a sudden your Zoom or your video conferencing, instead of having the pixelations, it's actually just filling in the gaps with what it thinks the next pixel should be adjacent to the real pixel. And that is what SD-WAN creates - right? - is the opportunity to really transform the network and do it in such a way that it actually - I think, in theory, like, half your traffic could actually just be simulated traffic that the box interprets - right? That's kind of where we're going directionally with some of this AI. 

Paul Calatayud: But SD-WAN creates that conduit. I think we're really close there. Right now, the SD-WAN can do caching. So it knows - if you go after a certain application and you make requests, it'll actually keep it because the customer - your - the employee next to you might make the same request. So it's keeping some of that data and regenerating it locally. But if I look at where machine learning and AI is going in terms of network optimization, I think that's, like you were saying - and I'm agreeing - is I think that's where we're going directionally, like, we're heading. Like, if I were to make a prediction, I would say the prediction for SD-WAN is further use of AI in order to allow for true network efficiencies. 

Rick Howard: That would be amazing indeed: to have the SD-WAN anticipate network traffic so that when, for whatever reason - congestion, outages, whatever - traffic isn't flowing normally, the SD-WAN abstraction layer's machine learning algorithm makes educated guesses about what the network packet should be until the real traffic flow catches up. Now, we don't have that yet. But as my geek friends would agree... 


Leonard Nimoy: (As Mr. Spock) But it would be a fascinating project. 

Rick Howard: And that's a wrap. If you agreed or disagreed with anything I have said about SD-WAN, SASE or really anything, hit me up on LinkedIn, and we can continue the conversation there. Next week, we will be talking about securing containers and lambda functions, and you don't want to miss that. The CyberWire's "CSO Perspectives" is edited by John Petrik and executive produced by Peter Kilpe. Our theme song is by Blue Dot Sessions. And the mix of the episode and the remix of the theme song was done by the insanely talented Elliott Peltzman. And I am Rick Howard. Thanks for listening.