Cisco, Versa, Fortinet, VMware, HPE, Palo Alto Networks envision new SD-WAN features related to 5G, AIops, automation
By Jeff Vance
Network World | 28 FEBRUARY 2022 19:00 SGT
As the COVID-19 pandemic drags on and continues to impact the way people work, SD-WAN vendors are responding by investing heavily in new capabilities that extend the enterprise edge to wherever workers happen to be—branches, campuses, home offices, co-working spaces, mobile, etc.
The main thrust of this evolution in SD-WAN technology is the merger of networking and security functions into a single platform, which most vendors now call Secure Access Service Edge (SASE).
SASE, a term coined by Gartner in 2019, converges SD-WAN with basic security offerings, including encryption, anti-malware, and firewalls, while adding advanced services, such as Next-Generation Firewall (NGFW), Firewall-as-a-Service (FWaaS), Data Leak Prevention (DLP), Secure Internet Gateway (SIG), and Zero Trust Network Access (ZTNA).
While the top SASE vendors largely agree on the table stakes outlined by Gartner, they are also looking to gain an edge on the competition by developing innovative new features, such as 5G for WAN links, advanced behavior-and context-based security capabilities, and integrated AIOps for troubleshooting and automatic remediation.
The six vendors below are listed in order of their market share, according to IDC’s most recent Worldwide SD-WAN Infrastructure Market Share report. The top six accounted for 78.3% of the market. These same vendors are also the only ones listed in the “leaders” category in Gartner’s latest Magic Quadrant for WAN Edge Infrastructure.
Cisco: Orchestration and automation
Market position: Cisco leads the SD-WAN market, with 37% market share. IDC puts Cisco’s SD-WAN revenues of $630.3 million in the first half of 2021, a 20.3% increase over the same period in 2020.
Cisco’s SD-WAN revenue comes from internal SD-WAN development and a series of strategic acquisitions that include Meraki (2012), Viptela (2017), Duo Security (2018), and ThousandEyes (2020).
Current SD-WAN/SASE offerings: Cisco offers a range of SD-WAN options. These include Meraki SD-WAN appliances, which connect to branch offices and public clouds via auto-provisioned IPsec VPNs, and SD-WAN Cloud OnRamp, a SaaS offering that connects branches, colocation centers, and various clouds.
Cisco’s approach to SASE combines network, security, and observability capabilities into a single cloud-managed offering. In recent months, Cisco has added SIG service level and network health checks. A Layer 7 Application Health Check proactively sends notifications if the SIG connection deteriorates to help customers automatically meet SLAs.
Cisco has also enabled policy-based routing from Cisco Cloud OnRamp for SaaS with Cisco Umbrella to provide security for SaaS traffic. Through ThousandEyes integration with Cisco’s SD-WAN, Cisco can now measure, test, and report on the underlay connectivity and the condition of Internet circuits.
New Features: In January, Cisco released the Meraki Umbrella SD-WAN Connector, which integrates networking and security into a SaaS offering. For organizations that have both Meraki MX and Umbrella SIG licenses, Meraki Umbrella SD-WAN connector simplifies the deployment of cloud security across distributed locations into a task that only takes a few clicks in the management dashboard.
In February, Cisco extended Meraki virtual MX appliances (vMX) to the Google Cloud Platform (GCP). Organizations can now securely connect branch sites with a physical MX appliance to resources in GCP with Auto VPN.
Cisco also integrated cloud-native, zero-trust security tools into its SD-WAN portfolio. Duo Passwordless authentication uses platform authenticators and security keys from devices to secure application access without passwords.
Roadmap: In November, Cisco provided a preview of a forthcoming addition, Remote Desktop Protocol (RDP) support for Duo Network Gateway (DNG). This will enable VPN-less remote access, secured with risked-based authentication, including device posture assessments and access control.
Cisco intends to further enhance its SD-WAN with capabilities that target MSPs and large enterprises. These new features will simplify the complexity of implementations at scale and enable new services.
Further SD-WAN/SASE investments will focus on unifying orchestration beyond secure connectivity and application experience. Cisco also plans further investments into the automation of AI/ML-powered predictive inferences, so network infrastructure is able to react in real time to the demands of applications.
Versa: Beefed up sandboxing, DLP, CASB; future expansion of AI/ML
Current market position: According to IDC, Versa captured 11.8% of the market in the first half of 2021 with revenues of $200.6M, a year-over-year jump of 77.2%.
Versa is backed by $196 million in venture capital funding and has landed major customers that include BP and Capital One. The company has also established strong channel partnerships with carriers and service providers, including Comcast and NTT Communications.
Current SD-WAN/SASE offerings: Versa’s Secure SD-WAN is now part of its SASE Portfolio. Secure SD-WAN provides a range of capabilities, including sub-second packet steering across multiple WAN interfaces, packet loss reduction, and poor performing link avoidance. Versa SD-WAN also acts as a DNS Proxy with SD-WAN Traffic steering, MP-BGP route exchange with SDN controllers, link aggregation, hierarchical QoS, per tunnel QoS, and overlay encapsulation options (VXLAN, IPSec).
Versa SASE uses its proprietary Versa Operating System (VOS) to tightly integrate networking and security services into a platform that supports cloud, on-premises, and hybrid environments. Versa SASE includes VPN, secure SD-WAN, edge compute protection, NGFW, FWaaS, SWG, DLP, ZTNA, Cloud Access Security Broker (CASB), network obfuscation, and Remote Browser Isolation (RBI).
Versa SASE also provides contextual security based on user, role, device, application, location, security posture of the device, and content.
New features: Over the past few months, Versa has expanded support for cloud-based malware sandboxing. Before a file is sent to the sandboxing infrastructure, it is processed on the Versa Cloud Gateway (VCG) through the following services: IP-filtering, URL-filtering, Antivirus (AV), Intrusion Prevention System (IPS), file-filtering, DNS-Filtering, CASB, and DLP. If there is no definitive verdict on the file, then it is sent to the Versa Sandboxing Infrastructure, which analyzes the file in greater detail.
Versa has also beefed up its DLP capabilities, adding support for contextual DLP based on user, group, application, file-type, geo-location, device posture, and all Layer 3-4 fields. The DLP engine now also supports redaction, quarantine, tokenization, encryption, block, allow, notify, alert, and others automatic reactions.
Other recent additions include improvements to CASB to support fine-grained security access control policy rules based on application, user, group, device, device-posture, geolocation, compliance status, etc.; support for Scalable/Security Group Tag (SGT); extended RBI capabilities that provide an air-gapped web browsing environment; and DNS tunneling support.
Roadmap: According to a Versa spokesperson, SD-WAN is a critical component of Versa SASE, and both services will continue to improve in 2022. Innovations and improvements on Versa’s near-term SASE/SD-WAN roadmap include Cloud Security Posture Management (CSPM) functionality that includes cloud workload discovery and visibility into multi-cloud workloads, as well as automated remediation of security vulnerabilities; identity-based segmentation for datacenter workload protection; and expansion of AI/ML capabilities to apply them to more use cases.
Fortinet: Heavy on AI, automation, IAM
Current market position: Fortinet captured 9.2% of the market over the first half of 2021, according to IDC, with $157.8M in revenues, up 48.2% year-over-year.
Fortinet acquired startup Opaq in 2020, which coincided with its pivot from SD-WAN to SASE. Fortinet’s hardware is based on its own proprietary ASICs, and with the addition of Opaq’s SASE capabilities, Fortinet’s already strong security capabilities have been bolstered.
Current SD-WAN/SASE offerings: Launched five years ago, Fortinet Secure SD-WAN consolidates routing, SD-WAN, and NGFW into one platform. Other features include threat protection, SSL inspection, centralized management and orchestration, and built-in ZTNA access proxies.
The FortiOS operating system is designed to support multiple networking environments, including on-premises, cloud, and hybrid. Fortinet’s cloud-based SWG provides CASB and ZTNA solutions for remote users.
New features: Since the release of FortiOS 7.0 in early 2021, Fortinet says that it has added 40 SD-WAN features that focus on boosting application performance, enhancing operations, and improving monitoring and visibility.
Roadmap: According to Fortinet, the pandemic-driven, work-from-anywhere model has changed the edge dramatically, with users moving between on-premises locations, interconnected branches, home offices, and temporary locations during travel, to name only a few locations where employees now conduct business. This means that SD-WAN offerings cannot just focus on a single architecture, such as the cloud.
A Fortinet spokesperson says the company will continue to invest heavily in developing a “Security Fabric Platform” that further converges networking and security into a single solution that establishes a “Zero Trust Edge.” The goal is for the platform to automatically adapt to dynamic changes to the underlying network infrastructure, including connectivity, while also providing explicit access to applications based on continuous validation of user identity and context.
In order to achieve this, other near-term enhancements planned for Fortinet Secure SD-WAN include integrating AI/ML security functionality, improving management capabilities, boosting security features, and adding AIOps and digital experience monitoring.
VMware: Self-healing plus services based on 5G WANs
Current market position: According to IDC, VMware captured 8.2% of the market in the first half of 2021, with revenues of $139.8 million, a year-over-year increase of 18.8%. VMware became a serious SD-WAN contender in 2017 with its acquisition of VeloCloud.
Current SD-WAN/SASE offerings: VMware’s SD-WAN offering is comprised of three main components: VMware SD-WAN Orchestrator, the central management platform; VMware SD-WAN Gateways, which are deployed at 3,000+ PoPs around the globe; and VMware SD-WAN Edge, the on-premises appliances that connect to the VMware global network.
VMware SASE is cloud-native platform that integrates SD-WAN with security services delivered from the cloud. Security features include ZTNA, SWG, CASB, DLP, URL Filtering, and RBI.
VMware Edge Network Intelligence offers an AIOps solution that provides AI/ML-enabled visibility from the WAN to branch to Wi-Fi/LAN to deliver actionable insights for performance assurance and self-healing of the network.
New Features: VMware enhanced protection against enterprise data leaks by providing new capabilities to detect and prevent sensitive data from exiting the network. Full IPv6 support was added to VMware SASE, as well as self-healing features that enable users to quickly detect, understand, and remediate issues with AIOps.
Roadmap: VMware notes that SD-WAN is evolving from an “edge-to-edge technology” and is now expanding through the cloud deeper into the branch to the individual clients (whether at home, on a mobile device, in a large campus setting, etc.). SD-WAN is also becoming application-aware, all the way down to individual application containers in public or private clouds.
Future enhancements will focus on expanding security features, bolstering work-from-anywhere performance, building multi-cloud interconnects, adding edge compute features, and furthering self-healing capabilities. VMware also intends to invest in features for carriers and service providers that will enable new services, such as 5G-based WAN links.
HPE: Silver Peak meets Aruba to support home offices
Current market position: According to IDC, HPE captured 6.5% of the market in the first half of 2021, with revenues of $111 million. This was a decrease of 4.3% year-over-year.
HPE entered the SD-WAN market with its acquisition of Silver Peak in 2020, integrating it into the Aruba platform. (HPE acquired Aruba in 2015.)
Current SD-WAN/SASE offerings: HPE EdgeConnect SD-WAN gives organizations the ability to create virtual WAN overlays for different classes of traffic. After classes are set, application performance, security, and routing policies are automatically programmed to all sites. Other capabilities include real-time monitoring of network and application performance, automated remediation in the event of an outage, integrated firewall, and WAN optimization.
EdgeConnect is tightly integrated with the broader Aruba platform, which includes a range of switches, gateways, and controllers.
Aruba SASE unifies WAN edge functions with advanced security services delivered in the cloud, including SWG, CASB, and ZTNA. Aruba SASE also provides APIs to integrate other best-in-class cloud security tools, such as Zscaler, Netskope, Check Point, Palo Alto Prisma Access, and McAfee.
New features: In December, Aruba introduced a new EdgeConnect Microbranch solution. With the rise of remote working, this solution was developed to provide remote workers with an in-office connectivity experience by extending SD-WAN and SASE security services via a single access point.
With EdgeConnect Microbranch, IT departments can ensure the employee experience is consistent no matter where workers are located, while also accelerating troubleshooting and maintaining corporate protections by extending on-campus Zero Trust and SASE security frameworks to the home office/small office.
Roadmap: HPE’s future plans include accelerating the ability for their customers to consume Networking- and Security-as-a-Service. HPE will continues to develop SaaS offerings that provide on-demand usage, a consumption-based billing model, self-service capabilities, and elements such as network routers, switches, gateways, and firewalls.
Palo Alto Networks: 5G and stronger AIops support
Current market position: Palo Alto Networks captured 5.1% of the market in the first half of 2021, according to IDC, based on revenues of $86.8 million. That represented a year-over-year increase of 19.3%.
Palo Alto Networks entered the SD-WAN market with its acquisition of CloudGenix in 2020. It has a number of named customers, including Salesforce, AutoNation, and Aaron’s.
Current SD-WAN/SASE offerings: The foundation of Palo Alto’s Prisma SD-WAN solution is Instant-On Network (ION) devices deployed at both branches and central sites. Its AppFabric software consolidates WAN resources (MPLS, broadband, cellular), giving enterprises the ability to create policy-based connectivity for each application and site. ION devices automatically establish secure connectivity among sites and continually monitor the health and performance of WAN links and applications, dynamically choosing the best performing path. Autonomous Digital Experience Management (ADEM) manages the digital experience for mobile users. It enables organizations to gain end-to-end visibility from the management console without the need to deploy additional agents or appliances.
Palo Alto’s Prisma SASE integrates the SD-WAN capabilities from Prisma SD-WAN with cloud-based SASE security capabilities, including ZTNA, Cloud SWG, CASB, and FWaaS.
New features: In 2021, Palo Alto introduced several new security capabilities, including such CASB features as real-time data and zero-day protections. To accommodate hybrid workforces, it also integrated CSWB capabilities to offer web security rules with predefined recommendations and continuous assessments.
Palo Alto released a new version of ION, the ION 1200, which includes 5G support. This gives organizations the ability to deliver 5G WAN connectivity to branch networks as part of the Prisma SASE solution, including the ability to run active/active 5G WAN interfaces for carrier redundancy. Palo Alto also added AIOps capabilities to use ML and analytics to automate IT operations. AIOps provides real-time analysis and detection of IT issues.
Roadmap: In the coming year, Palo Alto plans to invest in a range of additions and upgrades to its SASE/SD-WAN portfolio. These include bandwidth-on-demand service models that give users the flexibility to move bandwidth across branches, home offices, mobile users, etc.; deeper integrations between security and SD-WAN; and further enhancements to multi-cloud and collaboration use cases.
Comments