The Future of SD-WAN. Today.

SD-WAN Services: The Difference Between Carrier-Managed SD-WAN & SD-WAN as a Service


Why SD-WAN Services?

As CIOs seek to reduce the connectivity costs of MPLS or deliver more efficient global networks, many are considering software-defined wide area network (SD-WAN) solutions.

SD-WAN appliances aggregate multiple network services with a virtual overlay, forming a network with more bandwidth and better availability for less cost than MPLS. At the same time, SD-WAN appliances don’t provide predictable connectivity and advanced security (see “So Why Not an Appliance?”). SD-WAN services address these limitations:

• Managed SD-WAN services offered by carriers ("carrier-managed SD-WAN") package third-party SD-WAN and security appliances with carrier transport.

• SD-WAN as a Service (SDWaaS), offered by specialized cloud providers, converges networking and security into a cloud service.

Each approach has strengths and weaknesses. Which is right for you? Let’s find out.

Carrier-Managed SD-WAN: Old Carrier Style in New Carrier Clothes

With carrier-managed SD-WAN, carriers design, build, and maintain an SD-WAN using customer premises equipment (CPE) — the SD-WAN appliances. The carrier brings enterprises the assurance of the familiar, though frustrating, partner, who provides:

• Service level agreements (SLAs) and predictable network transport not provided by SD-WAN appliance vendors

• Expertise to integrate disparate IT tools and services into an SD-WAN

• Ongoing SD-WAN management, enabling enterprises to focus IT personnel and resources on other, higher-value projects

Technically, carrier-managed SD-WAN operates no differently than the underlying SD-WAN appliances. The appliances form an encrypted overlay, routing traffic between them based on real-time traffic conditions, business priorities, and application requirements. To provide network security and additional services, carriers will integrate third-party appliances or services using service insertion and service chaining, or run third-party security software in the SD-WAN appliance.

[Figure: With carrier-managed SD-WAN, the network operator deploys and manages SD-WAN appliances at the customer premises, connecting them with its (often regional) network. Diagram labels: HQ / Datacenter SD-WAN Device, Branch SD-WAN Device, NOC, Carrier Network, Management control, Managed Connectivity, Unmanaged connectivity.]


SD-WAN as a Service: Powerful Cloud Computing Meets Networking

SD-WAN as a Service (SDWaaS) converges SD-WAN and network security into a global, private cloud. The many third-party appliances comprising service provider networks are replaced by a converged, cloud-scale, network and security software stack. This software stack runs across a global, geographically distributed, SLA-backed network of points-of-presence (PoPs), interconnected by multiple tier-1 carriers.

The SDWaaS provider maintains the underlying shared infrastructure — the networks, servers, storage, and software — forming the cloud. Enterprises instantiate, configure and manage their SD-WANs running across this cloud as if they ran on their own dedicated equipment. This gives enterprises the best of both worlds: the low costs of shared infrastructure and the flexibility and performance of dedicated devices.

More specifically, SDWaaS uses a “thin edge” architecture where most processing happens in the core of the SDWaaS network. The edge device needs just enough intelligence to select the optimum Internet transport to reach the closest PoP (or alternative transport, such as MPLS). By minimizing processing, the edge can be implemented anywhere: as stand-alone, zero-touch appliances for physical locations, mobile client software for mobile devices and laptops, or just as IPsec tunnels for third-party firewalls or cloud services.

The cloud software handles the “heavy lifting,” executing the routing, optimal path selection, throughput maximization, and advanced security services. It analyzes traffic entering the PoP, applies the necessary security and networking optimizations, and routes the traffic across the optimal path to the PoP nearest to the destination.

[Figure: SDWaaS converges SD-WAN capabilities and network security onto a global, private cloud. Diagram labels: Branch, Cloud Datacenter, Mobile User, HQ / Datacenter, SD-WAN as a Service, Global Network Built Across Multiple Tier-1 Backbones, Distributed SD-WAN Software Stack, Integrated Network Security.]


What to Consider

To determine the right service model for your organization, consider the strengths of MPLS that are missing from SD-WAN appliances. More specifically, compare carrier-managed SD-WAN and SDWaaS across the following domains:

• Agility and Change Management

• Monitoring and NOC Services

• Global Connectivity

• Network Security

• Cloud and Mobile Coverage

• Last-mile Aggregation

• Service Onboarding and Customer Experience

• Affordability

Agility and Change Management

Complexity typifies traditional network services. They involve many discrete appliances — routers, firewalls, WAN optimizers and more — with cumbersome command line interfaces. The opportunity for misconfigurations and unique site configurations (“snowflake implementations”) only grows. Customers need to open tickets for even minor network changes, often taking hours to fix issues enterprises could resolve in minutes.

Carrier-managed SD-WAN brings that philosophy to SD-WAN, leaving enterprises with the same cumbersome, process-laden approach. Moves, adds or changes require opening support tickets. Simple configurations, like adding a static route, take hours not minutes, and often only after late-night calls or after-hour disruptions.

Some carrier-managed SD-WAN services claim to be “co-managed” where the enterprise and the carrier can change the SD-WAN (though not necessarily the security infrastructure). Even in these cases, carriers recommend enterprises don’t “do it alone,” clearing changes with their customer-service engineer.

But IT pros have enough basic networking knowledge to configure an SD-WAN. Requiring them to pay for the same costly, process-intensive, service and support structures as MPLS and then wait for a carrier response makes no sense and is typical of the pre-cloud way of thinking. With a well-designed interface, customers can safely make changes to the network themselves, leaving the provider to keep “the lights on” just as Amazon AWS enables us to manage our servers and storage and leaves Amazon to maintain the underlying service.

SDWaaS brings the same “cloud” mentality to network services. With full-featured, self-service portals, SDWaaS customers provision new users, configure and change firewall and access policies, add static routes and more without any provider involvement. All of which becomes possible because the network and security infrastructure underlying SDWaaS not only appears to be simpler, but is in fact simpler.


Monitoring and NOC Services

In part due to their complexity, carrier-managed services require 24x7x365 network operations center (NOC) monitoring services. NOC services include event monitoring and management, incident alerting, problem resolution, and change management. All of which brings peace of mind — at a price.

With SDWaaS, providers continue to monitor the underlying infrastructure 24x7x365 but, as mentioned, customers can also monitor their SD-WANs. The result: a far nimbler, more affordable service customers can purchase. Full management is optionally available with SDWaaS, giving organizations the flexibility they need to adapt to today's business realities. Specifically, SDWaaS partners offer 24x7x365 management, single-ticket submission, a central point of contact and consolidated billing.

Global Connectivity

Carrier-managed SD-WAN provides the predictable transport missing with SD-WAN appliances. However, the networks underlying carrier-managed SD-WAN are often regional. For global access, carriers must partner with one another to deliver an end-to-end managed service. The result: choice will be limited to carrier partners and often at a premium. The alternative, connecting across the public Internet, exposes enterprises to the unpredictability of this transport.

SDWaaS providers are designed for global connectivity. Leveraging multiple tier-1 carriers provides them greater reach than any one network — and better performance. For one, the SDWaaS overlay will choose a better performing carrier network, if available. What’s more, SDWaaS mitigates the effects of latency and reduces packet loss with advanced network optimization, such as TCP proxies and packet loss compensation techniques.

Cloud and Mobile Coverage

The SD-WAN appliances comprising carrier-managed SD-WAN are not inherently designed for the cloud. Enterprises need to deploy (and pay for) an SD-WAN appliance near (or in) the appropriate IaaS and SaaS provider datacenter.

Some SD-WAN appliance vendors provide regional carriers with limited cloud access, offering shared gateways to select datacenters of cloud datacenter providers. But the lack of middle-mile control hampers the optimization of access between branch locations and cloud datacenters. No SD-WAN appliance supports mobile users.

By contrast, SDWaaS is inherently mobile- and cloud-friendly. Mobile clients connect to the nearest PoP, allowing one set of policies and traffic rules to govern users in and out of the office.

Cloud datacenter and cloud application services support are included in SDWaaS. The PoPs are often colocated in the same physical datacenters as the cloud datacenter and cloud application entrance points. Application-aware routing directs cloud traffic across the SDWaaS network to the PoP closest to the destination, in this case the doorstep of the cloud datacenter or application provider.


[Figure: Cato vs. MPLS: Annual Spend Comparison. Cato + Internet: $115,000 (Cato Cloud $30,000; Last Mile $85,000). MPLS: $324,000 (Connectivity $84,000; WAN Optimization $7,000; Other $233,000).]

Network Security

SD-WAN appliances lack advanced network security, such as a next-generation firewall (NGFW), IPS, and secure web gateway (SWG). Instead, carrier-managed SD-WAN will either use service insertion and service chaining to integrate with external security appliances or dedicated cloud services, or run VNFs (virtual network functions) within the appliance.

Both approaches have problems. Running external security appliances/services can add latency, forcing traffic through an additional service or device. Visibility is obscured and service delivery made complicated by the disparate devices. And carriers remain burdened with additional costs of patching, scaling, and maintaining the appliances, which ultimately impacts the costs or quality of the service to the customer.

VNFs are not the answer, either. Running VNFs on a physical CPE risks cross-VNF processing and memory degradation of the underlying appliance. Some VNFs, such as routers or SD-WAN appliances, consume relatively few resources. Others, such as URL filtering, anti-malware or IPS, are very sensitive to the traffic mix and will require more (or fewer) resources as traffic changes. Sizing CPEs is not a trivial matter and forced upgrades will become routine. Carriers must assume these costs and pass them on to their customers to be competitive. Management is also per point solution, leaving visibility fragmented and complicating management.

Moving VNFs into the carrier core requires a scalable and elastic underlying infrastructure. As the load on VNFs increases, extra resources need to be allocated dynamically. Otherwise, carriers risk impacting the other VNFs sharing the host. But carriers often lack such an infrastructure, leading to the underutilization of hardware and inefficiencies that again ultimately impact the customer.

SDWaaS builds security services into the network. There are no distinct virtual appliances or VNFs. The multitenant cloud software provides security and networking capabilities for all users. The SDWaaS cloud software is elastic, automatically provisioning and deprovisioning resources as necessary. As such, SDWaaS faces none of the scaling challenges confronting carrier-managed SD-WAN.

With a single, converged portal, SDWaaS allows IT teams to identify patterns normally obscured when data is spread across network and security appliances. Service delivery is also simplified by not having to configure disparate devices.

Case Study: Managed SD-WAN Services: Too Difficult to Work With

Like many companies, Fisher & Company, a manufacturer in the automotive industry, relied on a managed MPLS service for its global network. And like many IT pros, Kevin McDaid, systems manager at Fisher & Company, grew tired of the complexity of working with MPLS operators. “Something as simple as enabling access to a website through our firewall meant having to call support. It was very frustrating,” he says.

He decided to switch to SD-WAN and trialed a managed SD-WAN service from a different network service provider. “They wanted us to submit requests for configuration changes; it was like our old MPLS provider all over again,” he says.

Ultimately McDaid turned to Cato Cloud. He reduced his annual spend to a third and improved uptime. With Cato, McDaid could retain control over his network and security infrastructure yet gain the agility and scaling benefits of a cloud service. “I don’t have exact percentages, but uptime has certainly increased,” he says. “I can definitely sleep better at night with Cato.”


Last-mile Aggregation

Carrier-managed SD-WAN bundles SD-WAN appliances with the carrier's own last-mile networks, simplifying deployment. At the same time, enterprises lose the ability to easily switch between last-mile service providers; carriers require sites to have at least one of their network connections.

SDWaaS utilizes the customer’s existing last mile. As such, enterprises have more flexibility in picking their ISP. The additional freedom leaves enterprises responsible for negotiating those relationships. Centralized ordering, monitoring, invoicing, and billing can be provided by last-mile aggregators, who maintain relationships with local ISPs and other last-mile providers around the globe.

Service Onboarding and Ongoing Customer Experience

Carrier-managed SD-WAN services bring the complexity typical of adopting a carrier service. Unlike cloud services, there’s no free service trial. If a Proof of Concept (PoC) needs to be run, setup and execution can take weeks. Carrier-managed services often require three- to five-year commitments.

By contrast, SDWaaS can be trialed easily either by simply connecting an existing firewall or downloading some software. Multiyear commitments are optional.

Affordability

The overhead of carrier networks impacts the affordability of carrier-managed services. There are the markup costs of reselling third-party appliances. The goods and personnel needed to manage the network. Additional tech personnel required to support customers. All of those costs and more elevate carrier-managed SD-WAN prices, which either impacts service quality or increases pricing to the customer.

By simplifying their networks, SDWaaS providers eliminate that overhead. SDWaaS providers own the software; there are no additional markup fees. With fewer parts, fewer personnel are needed to run the network. By leveraging inexpensive Internet backbones, not traditional carrier services, bandwidth costs are also far lower. As a result, SDWaaS can be a fraction of the cost of carrier-managed SD-WAN.


So Why Not an SD-WAN Appliance?

SD-WAN services arose because SD-WAN appliances alone fail to address the range of interrelated networking and security challenges facing organizations. They require additional equipment and services, making the complete SD-WAN far more complex and costly than just the price tag of SD-WAN appliance hardware. Specific problems include:

Internet Unpredictability

The lack of a global, predictable transport prevents the SD-WAN appliances from displacing MPLS.

Scaling Limitations

The limited processing of an appliance-form factor prevents integrating resource-intensive services, such as content inspection, into the SD-WAN, forcing third-party security solutions.

Poor Internet Performance

Without the necessary security, SD-WAN appliances alone cannot provide branch offices with safe, direct access to the public Internet. They require companies to centralize Internet-facing firewalls, adding latency to Internet and cloud connections, or, once again, increase costs with additional security infrastructure.

Cloud and Mobile Problems

SD-WAN appliances ignore mobile users. As for the cloud, appliances must be located in or near the datacenters of cloud providers, making deployment far more difficult.

Ultimately, SD-WAN appliances make WANs simpler but not simple. They still require experienced engineers to design, deliver, and manage the network and security infrastructure, which is why many organizations turn to SD-WAN service providers for help.

Case Study: Humphreys Replaces SD-WAN Appliances, MPLS and Mobile VPN with Cato Cloud

For years, MPLS services were the de facto standard for building a predictable, enterprise network between locations. And like many enterprises, Humphreys & Partners Architects, a Dallas-based, architectural services firm, built its U.S. network on an MPLS service. “The problem with MPLS is that it’s expensive, slow, and takes forever to get anything done,” says Paul Burns, IT Director at Humphreys.

When Humphreys needed to open a new office in Uruguay, Burns began investigating augmenting and replacing MPLS with SD-WAN and Internet connectivity. He gradually deployed SD-WAN appliances in Uruguay and four other locations, swapping MPLS inflexibility for SD-WAN complexity. “The configuration pages of the SD-WAN appliance were insane. I’ve never seen anything so complicated,” says Paul. “Even the sales engineer got confused.”

The appliance-based architecture also proved difficult to get fully working. “Sometimes our Dallas office could connect to two sites, but they couldn’t connect to each other. The vendor’s answer: update our firmware and reboot. But that didn’t work,” he says.

Ultimately, Paul abandoned the SD-WAN appliance architecture for Cato Cloud. “Cato gave us freedom,” says Paul. “Now we can use a socket, a VPN tunnel, or the mobile client, depending on location and user requirements.”

With SD-WAN appliances, connecting international locations was going to be a problem. “My biggest concern with our previous SD-WAN was shipping the appliance,” says Paul. “There was the matter of clearing customs and installation. We’d be dealing with a communist country [in the case of Vietnam], and I wasn’t familiar with its culture. Instead, users can now just download and run Cato’s mobile client.”


Table: Carrier-managed SD-WAN vs. SD-WAN as a Service (SDWaaS)

Agility and Change Management

Carrier-Managed SD-WAN:

• Limited; bandwidth can be added or removed rapidly

• Requires use of carrier's MPLS or Internet services

• Changes to network/security infrastructure require opening tickets

SDWaaS:

• Extensive; bandwidth can be added or removed rapidly

• SDWaaS can use any data service

• Organizations can change network/security infrastructure themselves

Monitoring and NOC Services

Carrier-Managed SD-WAN:

• Included; 24x7 network event monitoring is part of the SD-WAN service

• Optional; security monitoring requires additional equipment or services

SDWaaS: Included; 24x7 network and security event monitoring is part of SDWaaS

Global Connectivity

Carrier-Managed SD-WAN: Optional; typically requires carrier to work with third-party providers at significantly increased costs and often with limited end-to-end management

SDWaaS: Included; global footprint is part of SDWaaS

Network Security

Carrier-Managed SD-WAN: Optional; third-party security solutions must be integrated by the carrier with the SD-WAN

SDWaaS: Included; network security is fully converged into SDWaaS, requiring no additional security appliances or services

Cloud Support

Carrier-Managed SD-WAN: Included; carrier extends its network, but not necessarily its SD-WAN, to the IaaS service

SDWaaS: Included; IaaS and SaaS are intrinsic to SDWaaS

Last-mile Aggregation

Carrier-Managed SD-WAN: Yes, third parties often needed for global deployments

SDWaaS: Yes, third-party partners required

Service Onboarding and Customer Experience

Carrier-Managed SD-WAN: Not provided; carrier-managed services require opening tickets to make even small network or security changes to onboard new users

SDWaaS: Included; self-service or co-managed models are available for rapid onboarding and troubleshooting

Affordability

Carrier-Managed SD-WAN: Expensive; the licenses needed to maintain the SD-WAN and security appliances increase costs

SDWaaS: Affordable; no third-party licenses to increase service costs


Cato Cloud is SD-WAN as a Service

Cato Cloud is Cato’s secure global SDWaaS. Cato Cloud is comprised of two complementary layers — the Cato Cloud Network and Cato Security Services. The Cato Cloud Network is a global, geographically distributed, SLA-backed network of PoPs, interconnected by multiple tier-1 carriers. Cato Security Services are a fully managed suite of enterprise-grade and agile security capabilities, built into the network. Current services include a NGFW, SWG, Advanced Threat Prevention, Cloud and Mobile Access Protection and Network Forensics.

By converging networking and security onto an SLA-backed backbone, Cato Cloud lets organizations drop MPLS without compromising network performance, eliminate branch appliances, gain direct, secure Internet access everywhere, and seamlessly extend the enterprise WAN to mobile users, cloud datacenters, and cloud applications.

[Figure: Cato Cloud. Diagram labels: HQ/Datacenter, Branch, Mobile Users, Cloud Datacenter, Cato Socket, Cato Client, Agentless, SD-WAN, MPLS; Security and Network layers; Next Generation Firewall, VPN, Secure Web Gateway, Advanced Threat Prevention, Secure Cloud and Mobile Access, Network Forensics, Encryption, Optimization, Routing, Reliability.]


Where do you want to start?

• Branch Appliance Elimination

• Secure Cloud-Based SD-WAN

• Affordable MPLS Alternative

• Cloud Datacenter Integration

• Simple Network Automation

• Mobile Access Optimization

Global Backbone. Cloud-Based SD-WAN. Firewall as a Service. All in One

Cato Networks provides organizations with a cloud-based and secure global SD-WAN. Cato delivers an integrated networking and security platform that securely connects all enterprise locations, people, and data. Cato Cloud cuts MPLS costs, improves performance between global locations and to cloud applications, eliminates branch appliances, provides secure Internet access everywhere, and seamlessly integrates mobile users and cloud datacenters into the WAN.

Based in Tel Aviv, Israel, Cato Networks was founded in 2015 by cybersecurity luminary Shlomo Kramer, co-founder of Check Point Software Technologies and Imperva, and Gur Shatz, co-founder of Incapsula.

For more information:

www.CatoNetworks.com

@CatoNetworks
