Analysts are not employed by SDxCentral and the views, thoughts, and opinions expressed in their content belong solely to the author and do not reflect the views of SDxCentral. Note: AvidThink is a separate organization, created by Roy Chua, that is not affiliated with SDxCentral.
(Author’s Note: Readers may notice that I’m posting this as the founder of AvidThink, the new name of SDxCentral Research. AvidThink is an independent company and I’ll be writing regular analysis columns and posting AvidThink research on SDxCentral.com. I’ll share more exciting news in the months ahead as AvidThink rolls out new research. Stay tuned!)
One of the more contentious threads of discussion at the SD-WAN Summit 2018 in Paris last week was between the traditional next-generation firewall (NGFW) vendors and other SD-WAN vendors with different roots. (As an aside, I don’t consider “traditional next-generation” to be an oxymoron). I view NGFW versus SD-WAN as the new MPLS versus SD-WAN debate, which seems to have finally been resolved. As I’ve said all along, MPLS and SD-WAN will co-exist, and while there’s long-term impact on MPLS, for the immediate future the impact on MPLS will be a slowing of growth instead of any dramatic cliff-drops.
Some of this NGFW versus SD-WAN debate was fueled by recent NSS Labs test of SD-WAN vendor capability, which aside from the debacle around Cisco not participating, also strongly highlighted NGFW capabilities. While the NSS Labs test produced other metrics, what I’ve seen touted by most vendors are not the voice-over-IP (VoIP)/Unified Communications (UC) or other elements, but instead a graph demonstrating security capabilities.
Regardless of the NGFW results, the basic SD-WAN pitch to service providers and enterprises alike centers around whether building an SD-WAN solution on top of an existing NGFW platform is superior to adding security (NGFW) capabilities to another SD-WAN platform. Other options for this SD-WAN base platform include (a) a universal CPE (uCPE) approach with a basic cloud-managed generic platform with basic connectivity, or (b) one of the multitude of flavors from the taxonomy diagram below: WAN-optimization, branch WiFi, WAN bonding, virtualization, cloud networking, etc.
Which Comes First: NGFW or SD-WAN?
And this chicken-egg paradox around which comes first, security/NGFW or other SD-WAN capabilities will continue for a while. Why? Because for many enterprises (and service providers), security at remote locations is one of the top concerns that have to be resolved. Protection against the ever-increasing set of cyberthreats, along with the need to demonstrate compliance (corporate and regulatory) drive many CIOs to consider the security capabilities of an SD-WAN solution as a top priority. In addition, the NGFW vendors have built a good business around collapsing other WAN capabilities into their platform (VoIP/UC support, multi-link, cloud-management, improved routing, WAN optimization to name just some) and would argue that they are the logical platform to add other SD-WAN functions—after all, the installed footprint of NGFW across enterprises is quite large.
Through 2017 and 2018, I’ve seen an increasing number of security vendors claim their stake in the SD-WAN space, with Palo Alto, Fortinet, and now Barracuda all becoming SD-WAN vendors. And in a nod to the security-first strategy, Hughes, one of the lesser known entrants into the SD-WAN market, quietly entered the SD-WAN market last year by partnering with Fortinet. Hughes uses Fortinet’s NGFW platform and adds its unique WAN optimization secret sauce (developed from its expertise in optimizing satellite links) to provide a managed SD-WAN service.
Best-of-Breed and Service Chaining?
SD-WAN vendors still tout their service-chaining capabilities — just about every SD-WAN presentation at the SD-WAN Summit had a service-chaining demonstration. The strangest one for me was Juniper demonstrating how it could service-chain a Fortinet firewall for security capabilities — true multi-vendor interoperability, I guess. Regardless, while many SD-WAN vendors continued to tout their service-chaining at the SD-WAN Summit, it appears that the simplicity of all-in-one NGFW-type approaches might have strong appeal to enterprise customers and service providers providing managed SD-WAN services.
SD-WAN Eats NGFW or NGFW Eats SD-WAN?
Any way you slice it, if you add a substantial chunk of the NGFW market into the SD-WAN market sizing, we just grew SD-WAN substantially — regardless of whose SD-WAN market size estimates you believe (there’s another whole post in there). And while market sizing may be important to vendors deciding whether to get into the already-crowded SD-WAN market, what’s more important is how enterprises make their decisions around which platform is primary.
Here are some of my thoughts on this:
- Managed service providers and communication service providers will play an important role in the SD-WAN decision. We’re seeing enterprises throw their hands up in the air over the large number of SD-WAN vendors to choose from and instead defer to existing service providers to wade through the crowded mess and pick the right ones. And many enterprises are looking to managed solutions that take away to complexity and pain of rolling out SD-WAN enterprise-wide, especially in cases where their corporations span regions and countries. The SD-WAN vendors that make their solution more amenable to service providers will come out the winner in this game — supporting true multi-tenancy, providing white-label portals or APIs that facilitate easy-building of custom portals and easier troubleshooting.
- Different vertical markets and different size organizations may favor one flavor versus the other. Verticals that are highly-regulated might favor a security-first approach, though micro-segmentation capabilities provided by the cloud networking/network virtualization vendors could make a compelling pitch. And smaller organizations that just need a highly cost-effective platform with security and just a couple of SD-WAN capabilities like cloud management, multi-link, better QoS, or local cloud-breakout might favor security vendors. By the way, there’s another discussion to be had around cost-efficiency of uCPE platforms versus traditional NGFW CPE, but we’ll save that for another day.
- Deployment architectures focused around lightweight CPEs and centralized network functions at the point-of-presence or regional cloud data center may be more neutral to NGFW deployments versus on-premises uCPE with rich functionality, which are more directly competitive with NGFW. We’ll see how this architectural approach plays out over time.
I’ll be watching this closely over the next 12 months as the SD-WAN market continues to flourish and incorporate adjacent markets. I’ll provide ongoing analysis to help readers cut-through the confusion in this highly exuberant yet challenging market.