From the first time I heard the abbreviation “SDN” I’ve been hearing about all the amazing things I’ll be able to do with my programmable network -- as soon as I master Python, of course. The thing is, I don’t believe this is how most companies will consume SDN because most of us are not in the NetOps/DevOps business; we just want a network that works better than it does today.
Happily, software-defined WAN is the perfect example of a programmable network, the inner workings of which are elegantly abstracted to a pretty interface where I can point and click. This is why SD-WAN is one of the hottest growth areas in the network space with companies such as Cisco, Viptela, Glue Networks, Talari, Silver Peak, CloudGenix, VeloCloud, and Riverbed Technology all vying to be the chosen solution. Most of these companies seem to have taken the same basic approach, but Riverbed tackles SD-WAN from a slightly different direction.
While other vendors focus on optimizing the utilization and performance of hybrid WAN links (MPLS + Internet), Riverbed instead focuses on the behavior of the applications going over the hybrid WAN -- perhaps not a surprise for a company known for WAN optimization.
Applications using SSL to encrypt data are opaque to SD-WAN edge routers, which have to rely on tracking circumstantial data like DNS queries to make a best guess as to the logical destination and type of the application flow within. This can be particularly challenging with content delivery networks where it’s possible for many hostnames to be mapped to a single public IP. Riverbed’s solution is to terminate SSL sessions on the local WAN appliance, inspect the unencrypted content to gain insight into the flow, then re-encrypt the traffic before sending it on to its destination.
Appliances performing SSL proxy functions are often restricted to secure data centers because they contain trusted SSL certificates and keys that allow clients to believe they have actually connected to the remote server even though they have not. The compromise of those certificates could be devastating. To mitigate this risk, Riverbed appliances can proxy the SSL session establishment to an appliance within a secure data center, then once the session encryption key has been determined, communicate that securely back to the branch appliance, after which the branch appliance can exchange encrypted data with the local host.
Adoption of cloud-based SaaS, especially Microsoft’s Office365, has increased dramatically over the last few years, but this can present some real challenges for SD-WAN. Most SD-WAN systems are focused on optimizing traffic between branches and data centers, but when an application flow goes to the Internet the main choice is whether to direct that session out of the local Internet circuit, or send it back to a data center to exit from there. Riverbed addresses this issue by leveraging an agreement with Akamai -- and some per-user licensing fees -- to spin up a virtual SteelHead instance on demand so that traffic between the branch and each geographic cloud location can be optimized.
One downside to Riverbed's SD-WAN is that it appears to run entirely on proprietary protocols, meaning that users are locked in. This problem is not uncommon in the SD-WAN market right now, from controllers (Riverbed’s SD-WAN is managed by its SteelCentral product) to routing and configuration mechanisms, and I doubt this will change any time soon. To that end, the quality of the controller software and the visibility it provides of the proprietary network is a critical element for any SD-WAN implementation, regardless of vendor.
Riverbed customers undoubtedly will enjoy the easy "upgrade" to SD WAN from their existing appliances, but for smaller branches, it may well be more cost effective to buy a very fast Internet link than to deploy WAN optimization. Riverbed has recognized this problem and announced “Project Tiger,” a lower-cost edge router appliance -- without WAN optimization -- scheduled for release in 2016.
Today's SD-WAN market is inhabited by a bewildering array of vendors seeking a chunk of an anticipated $7.5 billion by 2020. They are selling similar solutions with broadly comparable features, and as you’d expect in a relatively new product space, none of the products work with each other. Big players like Cisco and Riverbed are trying to ensure that their existing customers have an “in-family” upgrade path to SD-WAN while startups, unencumbered by legacy products, are trying to establish themselves with low prices and high feature counts running on commodity hardware. If this sounds a little like the white-box switching market, you’d be right.
If there’s one problem with SD-WAN, it’s that many people I’ve spoken to are interested in it, but are not yet buying; they're waiting for the technology to mature and want to figure out which vendors will be here for the long haul. However, once that confidence grows, I believe SD-WAN is going to become ubiquitous across the enterprise and we’ll wonder how we ever operated our WANs without it.