Fundamentally, the way that carriers (i.e. telcos) deliver managed network services hasn’t changed in decades. The core architecture of this network, known as hub and spoke, consists of branches talking to the data center over a managed network with a separate firewall in the middle. However, this type of legacy WAN can’t support today’s business needs, which include a seminal shift to the cloud, as well as mobile users that need network access from anywhere, not just from the branch.
Yishay Yovel, vice president of market strategy at Cato Networks, has followed the carriers’ dilemma for years. According to Yovel, there are numerous catalysts to this evolutionary change in the managed network services market.
“Traffic flows across the network have changed significantly in recent years,” he says. “Sending all network traffic to the data center before it can go to the cloud is actually quite a hindrance to performance, but when security is centralized, backhauling traffic is necessary to enforce security parameters. But now companies are shifting their traffic patterns to go directly to the cloud or the internet, and this breaks the old security model. Security has to be put all over because traffic no longer goes strictly to the center.”
Another catalyst to change is worker mobility. Yovel says the managed network is only for branches and physical locations, which leaves mobile workers off the network. Companies are forced to find an alternative connectivity method for them, such as VPN. This just increases complexity overall.
Globalization is yet another issue.
“Multi-national companies typically have to stitch together multiple MPLSproviders to create a global network,” says Yovel. “It’s a real challenge to find consistent and affordable networking everywhere that companies operate today, and there is this pressure to manage all of this with a very small staff.”
In short, legacy WANs aren’t built for this deep level of change.
“The first challenge for the managed network servicesmarket is that what used to be a very well-defined, very well-understood managed network that has specific goals, specific designs, specific best practices—it’s basically falling apart. It has to address so many objectives and so many needs that the typical hub-and-spoke MPLS-based network with centralized security simply doesn’t work well anymore,” Yovel says.
The first evolutionary step: NFV
The first step toward evolving the managed network services market was network function virtualization (NFV).
“When the service providers were facing the need to streamline their operation, move faster, respond faster, they took an approach of virtualizing appliances,” says Yovel. “Think about all the different network functions that used to be in the old network—next-generation firewalls, various orchestration solutions, VPN solutions, and so on. They virtualized all these boxes, but that didn’t change the core dynamic of the network itself. Each function coming from different vendors still had its own management interface, plus its own scaling and sizing environment. The fact the appliance was virtualized didn’t change that. They still had the same problem with the centralized architecture as in the past.”
Consider the example of virtualizing a firewall. Mobile users still need to connect over the internet over long distances to some firewall in some location to get the security they need. The fact that the firewall is virtualized doesn’t change that dynamic.
“I still have a firewall in a specific location that is now virtual that I need to connect to, and all the challenges that I had before for my users. They didn’t benefit from virtualization at all,” says Yovel.
The bottom line is that NFV doesn’t go far enough to transform the operator network to achieve real agility and flexibility and to have an appropriateness for today’s business needs.
Follow the AWS model of managed services
“Customers want managed network services, and I believe they want an [Amazon Web Services] AWS-like handling of the network,” says Yovel. “They want a managed network the same way they now have managed servers, managed storage, and all these other great things that move to AWS. Unfortunately, telcos don’t have this business model today. They are still very expensive and very complex underneath.”
A new approach to managed network services is needed, and several major providers are tackling this challenge. Yovel’s company, Cato Networks, is one of those providers, as are a few other companies, such as Microsoft, Aryaka, Meta Networks, and Mode.
In general, the new type of managed network service provider is cloud-native, where everything resides in the cloud and customers simply subscribe to a service, as they do today with AWS. The provider establishes a private global network comprised of numerous points of presence over a multi-carrier Tier 1 backbone. The managed service provider then controls the routing and latency of packets on a global scale over this predictable and SLA-backed backbone. By using multiple links and load-balancing among them, the service provider can offer reliability, high availability, guaranteed performance, and consistency all around the world. What’s more, all traffic on the backbone is encrypted for secure transport.
Customers can connect their data centers, branches, and mobile users to this global network at the nearest PoP. The network also peers with public clouds and SaaS applications, giving customers direct and secure access to them. Security, such as firewalls, anti-virus and anti-malware, and IDS/IPS, are generally integrated right into the network and are readily available from anywhere, including for mobile workers.
This new architecture solves the problems that the legacy WAN architecture can’t. Network transport is consistent everywhere around the world. Customers can get direct access to the cloud and the internet without backhauling traffic or sacrificing security. Mobile workers can gain access without the need for a VPN. And since the network is offered as a service, there is no waiting for customer premise equipment or circuits to be installed in order to provision service to a new location.
One approach: Full ownership of the platform
Cato Networks’ approach is to own the entire platform, with the exception of the underlying transport circuits. Cato has rewritten the old point solution bundle from the legacy telco model and changed it into a cloud-native platform. The telco bundle typically includes MPLS, SD-WAN, next-generation firewall, WAN optimization, policy management, cloud integration, mobile VPN, and software-defined perimeter—all coming from numerous third-party vendors. Cato’s model allows them to control the stack, meaning they have written and full control of their own converged networking and secure software stack, instead of taking third-party elements and integrating them together.
According to Yovel, this provides several advantages. First, Cato is not dependent on any third party to release new features, patch a bug, or make enhancements based on customer requests. Second, costs can go down because there’s no need to pay royalties for third-party software. Third, there is just one set of code for the entire platform, so it’s simpler to manage.
Yovel says these all add up to less complexity and greater velocity. “We can deploy new features and jump on service requests very quickly because everything is under our control. We don’t have to involve other companies to get things done,” he says.
Another approach: Integrate best of breed
Other companies are jumping into the new managed network services space. Microsoft has an offering called Azure WAN. It offers simple, unified and global connectivity using an underlying Microsoft network. The Azure WAN includes automated large-scale branch connectivity, unified network and policy management, and optimized routing and security. While many of the network elements are developed by Microsoft, the company does use components from technology partners such as Citrix, Riverbed, Palo Alto, and Check Point Software to round out the stack.
Aryaka is a fairly mature company with a global enterprise WAN offering. However, Aryaka prefers to partner with best-of-breed technology partners instead of rolling its own stack. Among the partners are Symantec, Palo Alto, Zscaler, Radware, 8×8, and all the major public cloud platforms.
Meta Networks offers a network-as-a-service solution that takes security a step further with a software-defined perimeter (SDP) for every user connecting to the network. SDP complements the open security stack embedded in the network.
Another provider with its own backbone is Mode. It’s a startup, so the offering isn’t fully fleshed out yet, but they do offer managed global connectivity as an alternative to traditional telcos.
Enterprise newcomer Teridion leverages the public cloud to deliver their WAN service. They prefer to focus on the multi-cloud aspect of their network service, which closely ties in SaaS applications and cloud workloads so that they perform as well as sites on the WAN backbone.
There probably will be other companies getting into this market in the future, as this is the evolutionary direction of the network carrier. It’s exciting to see so many options and alternatives to the traditional, rigid WAN architecture.