SD-WAN is quickly transforming from a standalone product to a table-stakes feature within a broader set of capabilities at branch and remote networks. Startups and incumbents alike are adding new capabilities to—and supporting third-party virtualized network functions (VNFs) within—their branch gateways.
The goal is to reduce the number of standalone devices (for instance, a router, a firewall, a WAN optimization box, and so on) at branch offices to simplify operations, and to cut down on the number of vendor support services that have to be engaged if problems arise.
In addition, many startups and incumbents are also extending their reach from the WAN edge and into the branch access layer via wireless and wired switching.
One of the companies driving this “branch in a box” idea is Versa Networks, which has announced that it’s adding new security functions, Wi-Fi, and third-party VNF support to its SD-WAN devices.
Let’s start with VNF support. As with other SD-WAN vendors, Versa’s solution includes a device that gets deployed at branch and data center locations. (It can also be deployed in Amazon and Azure.)
This device, which can run on a generic server or a Versa-branded appliance, includes a KVM hypervisor that supports third-party software to run virtualized services, such as a firewall or WAN optimization. In a briefing with Versa, the company used Fortinet as an example of security software that could run on its device. Versa and Fortinet announced a partnership in March.
You can run virtualized software on the Versa device, and Versa says it can insert these VNFs into a policy-based service chain. Besides Fortinet, Versa says it has tested software from Riverbed and Palo Alto Networks, though these two companies are not official partners.
Customers can activate and deactivate the VNF from Versa’s cloud-based console, but detailed policy settings for VNFs will have to be set from within the individual management systems of the third-party software.
More Built-In Security
Besides running third-party software on its box, Versa has extended its own security capabilities. The company already offers a firewall and URL filtering. It’s now adding signature-based malware detection.
The company has a set of on-box signatures, and can also access cloud-based lookup services, though it wouldn’t identify the services it’s using. It can also warn users of potentially risky files and ask them if they’re sure they want to download them.
Wi-Fi And Switching
Versa is also adding Ethernet switching software and Wi-Fi connectivity to further reduce infrastructure requirements at remote locations.
In particular, the company has included a wireless access point as a configuration option in certain models of its white boxes. Versa says mid-range and high-end APs are available, including an AP that can support 867 Mbps and a large number of users.
However, a single AP isn’t likely to provide the most robust wireless coverage unless you’re dealing with a small branch or remote location.
Versa also says it can support third-party Wi-Fi controller software to manage additional APs via the KVM hypervisor. However, Versa declined to specify which controller vendors it can support. The company says it will engage with third-party controller vendors based on customer requests.
Drew’s Views: The Dream Of The Unified Branch
In its present configuration, Versa’s Wi-Fi play doesn’t represent much of a threat to Aruba, Cisco/Meraki, Ruckus and other Wi-Fi leaders.
But it does serve as the first step of a broader effort that various vendors have undertaken to lock up the customer branch from inside the office (via wireless and wired Ethernet) out to the WAN edge (via SD-WAN, security, routing, WAN optimization, and other services).
The goal here, over the long term, is to build a common infrastructure for management, policy and operations at the branch that incorporates users, their devices, the applications they use, the context of that use (location, time of day, etc.), and their connectivity options.
A unified branch that could capture the user at the access layer and then extend all the way through the WAN would give the customer an unprecedented degree of control and a bounty of analytics.
It would also provide a tasty chunk of an organization’s IT spend for a vendor.
Versa Networks isn’t the only company pursuing this strategy. Consider Riverbed’s recent acquisition of Xirrus, which includes a unified wired/wireless branch networking portfolio; or Meraki, which has extended its WLAN portfolio to include branch security and hybrid WAN products; or Avaya’s ambitious but still-in-progress Pivot and Arc initiatives.
If these and other companies can truly integrate their offerings within the branch and at the WAN edge to enable unified management and policy enforcement, they’ll have a compelling story for potential customers.
There are, of course, significant roadblocks. At the WAN edge, for instance, it’s easy enough to call something “NFV” and to invoke “service chains” to imply a well-orchestrated procession of packets or flows through a box. It’s another thing to actually pull it off in production.
And as we know from UTMs, the more features you add to a device and then activate, the bigger the impact on performance.
All the SD-WAN vendors I’ve talked to that are stuffing new features into their boxes speak confidently of their ability to wring stellar throughput out of x86 chips, and to ride the performance curve that the industry has come to expect from this platform.
But as always, potential customers should step hard on these claims to see how far they bend—and where they break.
Perhaps most importantly, the real value from this kind of integration will come from a cohesive and comprehensive management and policy interface for wired/wireless access and WAN networking. If the branch-in-a-box or unified branch notion appeals to you, you’ll want to drill deep here to see what the vendor can do today, and whether they have a roadmap that’s going in your direction.