Today we will be talking about SD-WAN, a solution from Kaspersky Lab.
We have 6 hardware appliances in our warehouse for SD-WAN, which we can provide for you to test independently.
And in our data center, there is a management component to which you can connect and test this solution.
So, what is SD-WAN? First of all, it is a solution for building distributed networks that must be reliable, scalable, and secure. The solution consists of special routers, called CPE (or uCPE, universal CPE, in Kaspersky terminology), which are installed in offices, branches, points of sale, and data centers. The solution also includes an intelligent management system: an orchestrator and a controller that are installed in the head office or in the data center. All routers connect to this management system, and it manages them.
What does SD-WAN provide? First of all, rapid connection of new sites and support for various communication channels and their combinations: an SD-WAN gateway can work with Ethernet, MPLS, and LTE channels. SD-WAN simplifies network management, provides reliable network connections, and centralizes security policies and network settings through templating. The high-level architecture of SD-WAN looks like this. We will go through each level separately so that you have an idea of how it all works together, because there are really a lot of components here.
Let's start with the lower level. These are SD-WAN CPEs, which are installed in branches and points of sale. They provide quick connection of remote sites to the corporate network.
Gateways can be physical or virtual equipment. Their tasks include secure data transmission with built-in encryption. Note that, starting with version 2.3, GOST encryption algorithms are supported. They also enforce routing and security policies: templates are created and attached to the device, which keeps policies uniform across the network. They collect and export information for monitoring systems, in this case Zabbix, which is located in the central office or data center. They support Zero Touch Provisioning for fast deployment and provide wired and wireless connection of users. Two models, CPE model 1 and model 2, have Wi-Fi modules.
This is an SD-WAN gateway. In fact, it is the same CPE that was at the level below. The fact is that it simply has a different role in the network topology. It can also be either physical or virtual equipment.
Here we can already talk about fault-tolerant deployment: there is VRRP support for the Active-Standby scenario. If we want to implement an Active-Active scenario, it is handled at the level of dynamic routing protocols, for example, through OSPF. These devices are usually installed in data centers, in central offices, or in private or public clouds. They aggregate the secure tunnels from the lower-level CPEs.
Let's move on to the management components. This is the SD-WAN controller. It is the controller that builds all the switching tables and routing tables, sets up the tunnels, and pushes these settings down to the SD-WAN gateways over the OpenFlow protocol. The controller also provides security policy management. In a typical scenario, this is a virtual machine, and it can also be deployed in a fault-tolerant manner.
Here, the (2N+1) redundancy mode is used. And, once again, this is the main interface for interaction between the SD-WAN CPEs and the management plane.
The VNF manager: what is it? Often there is a situation where it is necessary to carry out, for example, inline filtering of traffic flows, and Kaspersky SD-WAN gateways do not have this capability. A Next Generation Firewall is ideal here, and you can create a service chain that includes inline traffic inspection. How is this implemented? There are universal CPE devices on which it is possible to deploy virtual appliances of the necessary functions, such as that same Next Generation Firewall. Or, for example, you can deploy the Next Generation Firewall on a virtual machine in the data center and use the VNF manager to configure the traffic flow chain specifically through it. This is also a virtual machine, with the possibility of fault-tolerant deployment (N+1). Its main tasks, as we discussed, are the management of network functions and control of the installation, activation, scaling, updating and termination of virtual network functions.
And now we move on to the SD-WAN orchestrator. This is the Management Plane solution, a single window for interacting with all the components: it is in the SD-WAN orchestrator that settings are made for the CPEs, which then go to the controller, and the controller in turn pushes the settings down to the SD-WAN gateways.
The SD-WAN orchestrator also manages the VNF manager. Usually this is also a virtual machine, deployed in fault-tolerant mode (N+1); it manages the controllers and the virtualization layer. It also collects telemetry received from the SD-WAN gateways and launches service chain templates.
Now let's talk about the shortcomings of traditional solutions in the organization of WAN. Here we can highlight three main problems. First of all, these are dissatisfied customers and employees.
They may be dissatisfied for several reasons. The first is delays in network connections. The second is often the poor quality of business-critical applications. And the third is the long time needed to fix problems. The second problem is holes in network security due to the lack of a unified policy. Since a large amount of network equipment is used in branches, access lists are configured on each device, and over time it becomes more and more difficult to keep track of them, because some fall out of use and are forgotten. When any access list is deleted, a service may simply fail, or we create a hole in network security, which is very critical. And the third key problem is the cost of support and maintenance, since 85% of changes in the network are configured manually, which is slow, expensive and not optimal. And, most importantly, there is a risk of configuration errors, which in turn can lead to the problems described above, when customers and employees are dissatisfied because applications and services work poorly. Holes in network security may also arise, which can lead to financial and reputational losses.
And now we will compare classic WAN networks with the Kaspersky SD-WAN solution. Here I set the shortcomings of WAN networks against the advantages of the Kaspersky SD-WAN solution, each shortcoming next to the corresponding advantage. If in classic WAN networks the problem is that connecting new offices takes a long time, then in SD-WAN it is all automated thanks to the Zero Touch Provisioning function. If in classic networks, in order to ensure high speed on the WAN channel, we are forced to use expensive MPLS channels, or, for example, we want to improve the quality of a business-critical application, then in Kaspersky SD-WAN the reliability of the connection can be ensured even on ordinary Ethernet channels through duplication mechanisms.
And, if in classic networks each device is managed separately, with a separate control plane and a separate management plane, then in the Kaspersky SD-WAN solution all management is centralized in a single administrator interface. Managing classic networks requires specialists in each branch, while one or two specialists are enough to manage the entire Kaspersky SD-WAN network. Finally, the disadvantage of classic WAN networks is security breaches. In Kaspersky SD-WAN, this is closed by the fact that through templates we can push identical security policies to a group of devices, and protection tools and other network services are easily integrated there.
Summing up, Kaspersky SD-WAN is fast because connecting new branches is automated, and because one employee can manage the entire SDN fabric. The third advantage is convenience: thanks to built-in intelligent traffic processing mechanisms, in case of any problems with the channels, all failovers happen automatically, and it often takes about one second.
Now let's talk about what tasks Kaspersky SD-WAN helps to solve. Here we will talk about the profile of a possible client.
If we generalize everything said above, we can say that SD-WAN is suitable for those who have a large distributed branch network, for those clients who are actively developing and opening new offices and branches, for those who want to reduce the cost of connecting new offices to the network. It is also suitable for those who have a shortage of qualified IT specialists, and those who want to ensure the guaranteed quality of business-critical applications. By industry, these can be banks, insurance companies, healthcare, large retail, educational organizations, industry and telecom operators who can provide SD-WAN as a service.
Here it is appropriate to give some examples. Let's start with a large chain of stores. This is a large retailer that purchased channels from a provider to connect its internal services. The implementation of SD-WAN helped the retailer save about 165 million rubles annually on communication channels.
The second example is a large banking network. It was faced with replacing old ATMs. With the traditional approach to building WAN networks, the entire process of switching to new ATMs usually took several years. With the implementation of SD-WAN, connecting new ATMs became fast. They connected about 50 ATMs per day, and that was a logistics limitation; the implementation process accelerated several times over, and everything was implemented in about 3 months. The third example is an organization that produces mineral water. Very often inside the organization there were problems with equipment configuration, and tickets constantly came in saying that something was not working. The implementation of SD-WAN significantly reduced problems in the network, because in this organization most of the problems were due to the wrong sequence of equipment configuration.
Now a few words about the licensing policy and how it is applied. Licensing is per CPE, depending on the bandwidth and the required functionality. For example, we have a network of 50 devices that require 50 megabits per second and one device that must aggregate all channels at, say, a gigabit per second; we will need to purchase 50 licenses for the first batch of devices and one license for the second device.
Now a little about the models. Five models of SD-WAN gateways are distinguished. The first two models support Wi-Fi and LTE. The higher-end models, 4 and 5, support VNFs and uCPE mode. The fifth model has a performance of up to a gigabit per second in encryption mode with DPI rules enabled. On the first two models, it is possible to install SIM cards and use an LTE WAN channel.
Here I will also talk about licensing in terms of the capabilities of the solution. Two tiers are distinguished: Standard and Advanced. To meet the needs of a typical customer, the Standard functionality will actually be enough, since Advanced adds support for multitenancy, which is mainly needed by telecom operators, and support for multicast.
Some items are specifically highlighted in green, because these items appeared in the new version of SD-WAN, version 2.3.
The model range of network equipment is presented in front of you.
The WAN performance of the first model is 50 Mbps; for the second model it is significantly higher, already 350 Mbps. For the third model, the bandwidth is higher still, 600 Mbps. The fourth and fifth models are the most productive, at 1.2 and 10 gigabits per second respectively.
Let's summarize the key features of Kaspersky SD-WAN.
First of all, centralized management of the entire solution and multitenancy functionality. Secondly, Zero Touch Provisioning templates, which allow you to automate the process of connecting a new device and eliminate human error. Thirdly, fault tolerance and redundancy with priority for the traffic of business-critical applications. Fourthly, balancing over several communication channels: for example, you may have a gateway with four WAN channels, and all four will work in Active-Active mode. And finally, the possibility of integrating network security solutions as virtual network functions.
Now let's go through the features of Zero Touch Provisioning in more detail, let's see what its algorithm is.
For example, a CPE device is purchased and shipped to the central office. The administrator adds this device to the inventory and binds the device's unique identifier inside the system. After that, he generates a URL link and sends both the gateway and the link to an employee in the branch. The remote employee connects to the device via Wi-Fi or a wired connection, opens this link, and the device connects automatically.
Forward Error Correction is a mechanism used to improve the SLA of a communication channel through redundant encoding of packets.
This is clearly visible in the figure: we send 4 packets, the fourth is lost, and because we encode redundantly, the one lost packet can be restored.
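The single-loss recovery from the figure, as an added illustration (not Kaspersky's code): one XOR parity packet per block of four equal-length packets, which is an assumed toy scheme, not the product's actual FEC code.

```python
"""Toy XOR-parity forward error correction for a block of 4 packets.
Assumption (not from the talk): one parity packet per block, all packets
the same length; real FEC schemes use stronger codes than plain XOR."""
from typing import List, Optional

BLOCK_SIZE = 4  # data packets per FEC block, as in the 4-packet figure


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_block(packets: List[bytes]) -> List[bytes]:
    """Append one parity packet: the XOR of all data packets in the block."""
    if len(packets) != BLOCK_SIZE or len({len(p) for p in packets}) != 1:
        raise ValueError("block must hold %d equal-length packets" % BLOCK_SIZE)
    parity = bytes(len(packets[0]))
    for p in packets:
        parity = xor_bytes(parity, p)
    return packets + [parity]


def decode_block(received: List[Optional[bytes]]) -> Optional[List[bytes]]:
    """received has BLOCK_SIZE + 1 slots; None marks a packet lost in transit.
    Returns the 4 data packets, or None if more than one slot is missing."""
    missing = [i for i, p in enumerate(received) if p is None]
    if len(missing) > 1:
        return None  # XOR parity can restore at most one lost packet
    if missing:
        present = [p for p in received if p is not None]
        restored = bytes(len(present[0]))
        for p in present:  # XOR of the survivors equals the missing packet
            restored = xor_bytes(restored, p)
        received = list(received)
        received[missing[0]] = restored
    return received[:BLOCK_SIZE]


def demo() -> bool:
    # constructed sample data packets
    data = [b"pkt1-abcd", b"pkt2-efgh", b"pkt3-ijkl", b"pkt4-mnop"]
    on_wire = encode_block(data)
    on_wire[3] = None  # the fourth packet is lost, as in the figure
    return decode_block(on_wire) == data
```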
Next, packet duplication. This function serves exactly the same purpose: working with low-quality and unstable communication channels. The only difference is that packet duplication is possible only in scenarios where we use two or more communication channels on the CPE device. If we have two or more channels, we can use duplication, or we can even combine it with FEC. But it is important to note that when using these mechanisms, the performance of the device will be slightly lower, because they consume CPU.
Monitoring the quality of tunnels. We can track packet loss, jitter and latency. All this is possible because Geneve is used in the overlay, which can carry additional fields, and these fields carry the channel quality indicators.
That is, for example, we can set threshold limits: say we want to use a channel on which jitter is less than 30 ms, the loss rate is less than 1%, and the delay is less than 150 ms, and channels that do not meet the requirements will be excluded from the transmission path.
Application-aware routing offers similar functionality. Here, thanks to the DPI engine, we can select specific applications and say that these applications should go through, for example, the first or the second channel.
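The threshold-based tunnel selection and the application steering described in the two paragraphs above, as an added example (not the product's code): the jitter, loss and latency limits are the ones quoted in the talk, while the tunnel names, measurements and application preferences are constructed for illustration.

```python
"""Tunnel SLA filtering plus application-aware path choice (added example).
Thresholds from the talk: jitter < 30 ms, loss < 1 %, latency < 150 ms.
Tunnel names, measurements and app preferences below are constructed."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class TunnelStats:
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float


@dataclass(frozen=True)
class SlaThresholds:
    max_latency_ms: float = 150.0
    max_jitter_ms: float = 30.0
    max_loss_pct: float = 1.0


def meets_sla(t: TunnelStats, sla: SlaThresholds) -> bool:
    return (t.latency_ms < sla.max_latency_ms
            and t.jitter_ms < sla.max_jitter_ms
            and t.loss_pct < sla.max_loss_pct)


def usable_tunnels(stats: List[TunnelStats], sla: SlaThresholds) -> List[str]:
    """Tunnels that miss any threshold are excluded from the transmission path."""
    return [t.name for t in stats if meets_sla(t, sla)]


def pick_path(app: str, stats: List[TunnelStats], sla: SlaThresholds,
              prefs: Dict[str, List[str]]) -> str:
    """First preferred tunnel (per DPI application class) that still meets
    the SLA; otherwise any usable tunnel; empty string if none is usable."""
    usable = usable_tunnels(stats, sla)
    for name in prefs.get(app, []):
        if name in usable:
            return name
    return usable[0] if usable else ""


# constructed measurements for a CPE with three WAN channels
SAMPLE = [
    TunnelStats("mpls", latency_ms=40.0, jitter_ms=5.0, loss_pct=0.1),
    TunnelStats("eth", latency_ms=120.0, jitter_ms=25.0, loss_pct=0.5),
    TunnelStats("lte", latency_ms=90.0, jitter_ms=20.0, loss_pct=2.5),  # loss too high
]
PREFS = {"voip": ["mpls", "lte"], "backup": ["lte", "eth"]}


def demo() -> Dict[str, str]:
    sla = SlaThresholds()
    return {app: pick_path(app, SAMPLE, sla, PREFS) for app in ("voip", "backup", "web")}
```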
And there is very flexible work with network topologies.
We can implement absolutely any topology. We can, for example, implement hub-and-spoke, the DMVPN familiar to everyone (more precisely, DMVPN phase 1), we can implement full mesh, and we can organize partial mesh. All of this is quite easy to configure.
I will briefly talk about the innovations of version 2.3, which was recently released. Here I want to immediately note that support for GOST encryption has appeared, which many customers asked for.
Secondly, a Link State Control mechanism has appeared, which allows us to detect problems with communication channels much faster: before, it was the controller that determined that, for example, there is a high delay on a channel. Now this all works on the CPE itself, and failures are detected much faster, in less than a second. There were also other changes aimed at improving the user experience: a mechanism for restarting the gateway registration process has been added, the Zero Touch Provisioning interface has been improved, the CPE removal algorithm has been improved so that the gateway settings are now automatically reset on deletion, and the solution installer has been improved.
Illustrations provided by the press service of Kaspersky