The #4 reason it’s time to retire conventional routers at the branch: Broadband internet is relegated to failover only for the enterprise WAN!
Almost every branch office has a broadband connection in addition to MPLS or other connectivity services (4G/LTE, Ethernet, etc.). Broadband is deployed at a minimum to provide internet access for employees, customers and guests. While enterprises sometimes use broadband as a back-up transport, its capacity is often underutilized or, worse, sits idle.
So, why aren't broadband services used actively for enterprise applications, especially as more and more applications move to the cloud? Until SD-WAN emerged, broadband was largely deemed insecure and unreliable for business application traffic. Using two or more circuits actively with a conventional router-centric network model is also extremely complex and time-consuming to configure, often requiring two routers at each site. To use broadband actively as a transport for the enterprise WAN, both security and reliability must be addressed.
Basic and not-so basic security considerations when using broadband
Even basic SD-WAN architectures build encrypted tunnels (typically IPsec) between sites. With AES-128 or AES-256 in an authenticated mode, traffic traversing a broadband link gains confidentiality and integrity protection that a private MPLS circuit never provided: MPLS isolates customer traffic within the carrier's network but does not encrypt it. The tunnel is only as trustworthy as the authentication of its endpoints and the handling of its keys, so those belong in the design as well. That takes care of traffic that stays within the boundaries of the enterprise WAN. But what about cloud-destined traffic?
Routing SaaS and IaaS traffic directly across the internet from branch sites requires additional, more complex security measures, since not all web applications are fully trusted. A sample cloud application security policy might encompass:
- Connecting users to trusted SaaS apps like O365 or Salesforce.com directly from the branch over the internet
- Steering traffic for recreational or unknown applications to more advanced security services in the cloud or back at headquarters before connecting users to their web destination
To enforce granular policies like these, applications must first be identified and classified, and the steering decision must be made on the first packet: once a flow has been sent down one egress path, with its own source address and security stack, re-steering it mid-session would break the connection. While most basic SD-WAN solutions offer some level of application identification, only more advanced SD-WAN offerings identify applications on the first packet, which is what makes automated steering under the correct security policy possible. Anything that cannot be positively identified should fall back to the inspected path rather than the direct one.
Cloud applications and their IP address tables change frequently, so the tables that drive classification must be refreshed continually, daily at least, to keep cloud application performance high while still protecting branch offices from threats. Unlike basic SD-WAN solutions, a business-driven SD-WAN pushes these updates automatically to all branch offices, so users can always connect to applications without IT intervention. Because such an update changes what every site treats as trusted, the update channel needs the same authentication and integrity protection as any other control-plane traffic.
End-to-end segmentation across the LAN-WAN-cloud and LAN-WAN-data center paths provides an added layer of security. Assigning cloud application traffic to its own segment isolates it from other traffic such as real-time communications or data center-hosted application traffic. Segmentation limits lateral movement between segments and contains a threat within the affected segment if one is introduced, but it is only as strong as the policy enforced at each segment boundary, so it must be consistent and centrally administered whenever additions or changes are made. Unlike the manual, device-by-device configuration required with traditional router-based solutions, a business-driven SD-WAN centralizes segmentation and distributes it across all sites, minimizing human error to ensure consistent and continuous policy enforcement.
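The three ideas above, first-packet classification, steering by trust class and segment assignment, fit together in a small policy engine. The following is an added example, not Silver Peak code and not any product's policy format: the application names, the trust classes, the path and segment labels, and the prefix table (built from RFC 5737 documentation ranges, not any real SaaS provider's addresses) are all constructed. It also shows that a centrally pushed table update changes steering at every site without anyone editing the policy, and that an unidentified destination fails closed to the inspected path.

```python
import ipaddress
from dataclasses import dataclass

# Constructed application table: app -> (trust class, prefixes). The prefixes
# are RFC 5737 documentation ranges, not any real SaaS provider's addresses.
APP_TABLE = {
    "trusted-saas-mail": ("trusted", ["192.0.2.0/24"]),
    "mail-consumer-edition": ("recreational", ["192.0.2.192/26"]),  # nested inside the /24
    "trusted-saas-crm": ("trusted", ["198.51.100.0/25"]),
    "recreational-video": ("recreational", ["203.0.113.0/26"]),
}

# Steering policy: trust class -> (path, segment). "unknown" is the fail-closed
# default: anything not positively identified is sent for inspection.
POLICY = {
    "trusted": ("direct-internet", "seg-saas-trusted"),
    "recreational": ("cloud-security-service", "seg-internet-inspected"),
    "unknown": ("cloud-security-service", "seg-internet-inspected"),
}

# Constructed enterprise address space, reached over the encrypted WAN tunnels.
WAN_PREFIXES = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class FirstPacket:
    src: str
    dst: str
    dport: int


def build_index(table):
    """Flatten the table into (network, app, trust), most specific prefix first,
    so longest-prefix match wins when one app's range nests inside another's."""
    index = [
        (ipaddress.ip_network(p), app, trust)
        for app, (trust, prefixes) in table.items()
        for p in prefixes
    ]
    return sorted(index, key=lambda entry: entry[0].prefixlen, reverse=True)


def classify(pkt, index):
    """Identify the application from the first packet's destination address."""
    dst = ipaddress.ip_address(pkt.dst)
    for net, app, trust in index:
        if dst in net:
            return app, trust
    return "unknown", "unknown"


def steer(pkt, index):
    """Decide path and segment on the first packet: returns (app, path, segment)."""
    dst = ipaddress.ip_address(pkt.dst)
    if any(dst in net for net in WAN_PREFIXES):
        # Stays inside the enterprise WAN: encrypted tunnel, data-center segment.
        return "enterprise", "wan-tunnel", "seg-datacenter"
    app, trust = classify(pkt, index)
    path, segment = POLICY[trust]
    return app, path, segment


def add_prefixes(table, app, trust, extra_prefixes):
    """Return a new table with prefixes added to an app. Pushing a table like
    this from the controller changes steering at every site; POLICY itself is
    untouched and the original table is not modified."""
    new_table = dict(table)
    current_trust, prefixes = new_table.get(app, (trust, []))
    new_table[app] = (current_trust, list(prefixes) + list(extra_prefixes))
    return new_table


if __name__ == "__main__":
    index = build_index(APP_TABLE)
    for dst in ("192.0.2.10", "192.0.2.200", "198.51.100.200", "203.0.113.5", "10.20.30.40"):
        print(dst, steer(FirstPacket("172.16.5.20", dst, 443), index))
    # The CRM provider grew its address space; the controller pushes the new prefix.
    updated = build_index(add_prefixes(APP_TABLE, "trusted-saas-crm", "trusted", ["198.51.100.128/25"]))
    print("after update", steer(FirstPacket("172.16.5.20", "198.51.100.200", 443), updated))
```

Before the update, 198.51.100.200 is unidentified and goes to the cloud security service; after the controller adds the new /25 it is steered direct. The nested /26 shows why the index is sorted longest prefix first: a consumer edition carved out of a trusted provider's range is still classified as recreational.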
Addressing broadband reliability and packet loss
Even business-grade broadband or direct internet access (DIA) services don’t match the quality and reliability of an MPLS service. However, by intelligently bonding multiple WAN transport services into a single, shared logical resource, even higher levels of application performance and reliability can be realized. A business-driven SD-WAN with packet-based load balancing and advanced error correction techniques can deliver the highest quality of experience to users across two or more consumer-grade internet services, often exceeding the application SLA possible with a single MPLS circuit.
A recent Miercom test report validated the ability of the Silver Peak Unity EdgeConnect™ SD-WAN platform to deliver business-class voice across two broadband services when both simultaneously experienced as much as 20 percent packet loss.
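To make "packet-based load balancing and advanced error correction" concrete, here is an added example that is not Silver Peak's implementation and does not describe EdgeConnect internals: it sprays packets round-robin over two simulated links and protects each group of K data packets with one XOR parity packet, the simplest forward error correction there is. The frame contents, the group size K, the link loss model and the 20 percent loss figure used in the demo are constructed for illustration.

```python
import random

K = 4  # data packets per FEC group (assumption for this example)


def xor_bytes(blocks):
    """XOR equal-length byte strings together."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def encode(payloads, k=K):
    """Split payloads into groups of k and append one XOR parity packet per
    group. A packet is (group_id, index, group_size, data); the parity packet
    carries index == group_size. Payloads in a group are assumed equal length
    (fixed-size voice frames)."""
    packets = []
    for start in range(0, len(payloads), k):
        group = payloads[start:start + k]
        gid, n = start // k, len(group)
        packets.extend((gid, i, n, p) for i, p in enumerate(group))
        packets.append((gid, n, n, xor_bytes(group)))
    return packets


def spray(packets, n_links=2):
    """Packet-based load balancing: consecutive packets alternate between
    links, so a burst of loss on one link never hits adjacent packets of the
    same group. Returns (seq, link, packet) triples."""
    return [(seq, seq % n_links, pkt) for seq, pkt in enumerate(packets)]


def random_drops(sprayed, loss_by_link, seed=1):
    """Constructed link impairment: independent random loss per link,
    e.g. {0: 0.2, 1: 0.2} for 20 percent loss on both links."""
    rng = random.Random(seed)
    return {seq for seq, link, _ in sprayed if rng.random() < loss_by_link[link]}


def transmit(sprayed, dropped):
    """Deliver every packet whose sequence number is not in `dropped`."""
    return [pkt for seq, _, pkt in sprayed if seq not in dropped]


def decode(received, k=K):
    """Reassemble payloads keyed by original frame number. A group missing
    exactly one packet (data or parity) is repaired from the others; a group
    missing two or more is reported as unrecoverable. A group that lost every
    packet never appears in `received` at all, so the caller must compare
    against the frame count it expected."""
    groups = {}
    for gid, idx, n, data in received:
        groups.setdefault(gid, (n, {}))[1][idx] = data
    payloads, unrecoverable = {}, []
    for gid, (n, pkts) in groups.items():
        missing = [i for i in range(n) if i not in pkts]
        if len(missing) == 1 and n in pkts:
            # XOR of the parity with the surviving data packets is the lost one.
            lost = missing.pop()
            pkts[lost] = xor_bytes([pkts[i] for i in range(n + 1) if i != lost])
        if missing:
            unrecoverable.append(gid)
        for i in range(n):
            if i in pkts:
                payloads[gid * k + i] = pkts[i]
    return payloads, sorted(unrecoverable)


def run(frames, dropper, k=K):
    """Encode, spray over two links, apply `dropper(sprayed) -> set of seq`,
    decode. Returns (fraction of frames delivered intact, unrecoverable groups)."""
    sprayed = spray(encode(frames, k))
    payloads, bad = decode(transmit(sprayed, dropper(sprayed)), k)
    intact = sum(1 for i, frame in enumerate(frames) if payloads.get(i) == frame)
    return intact / len(frames), bad


if __name__ == "__main__":
    # Constructed 'voice frames': 400 frames of 16 bytes, i.e. 100 groups of K.
    frames = [bytes([f % 256]) * 16 for f in range(400)]
    for rate in (0.05, 0.1, 0.2):
        fraction, bad = run(frames, lambda s: random_drops(s, {0: rate, 1: rate}))
        print(f"{rate:.0%} loss on both links -> {fraction:.1%} frames intact, "
              f"{len(bad)} groups unrecoverable")
```

Single parity repairs any one loss per group at a cost of one extra packet per K, which is why lower K tolerates higher loss but uses more bandwidth; two losses in the same group are not recoverable with XOR alone, and a group that loses every packet is invisible to the decoder, so a real receiver also tracks expected sequence numbers. Production implementations use stronger codes than plain XOR and handle reordering and jitter across the links as well; none of that is shown here.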
By using two or more circuits actively, whether broadband, MPLS or other, an SD-WAN can recover from a brownout or complete outage of a transport service. However, a basic SD-WAN that sends all traffic of a session across a single link must first detect the failure, typically through routing-protocol hold timers or tunnel keepalives, and then re-route the session, so failover can take as much as 30 seconds or longer. This delay results in application interruptions. A business-driven SD-WAN that already spreads a session's packets across the available links performs instantaneous and imperceptible failovers, maintaining a voice call or a video conference without a glitch.
Broadband is a better choice for the cloud
As more enterprise applications are hosted in the cloud and end-user expectations escalate, the ability to actively use broadband services enables enterprises to:
- Eliminate cloud application backhaul to deliver the highest quality of experience to users
- Increase application availability
- Significantly reduce WAN transport costs