IHS Markit recently found that during the fourth quarter of 2018, the SD-WAN market grew 26% from the previous quarter to reach $359 million. This number includes appliance, control, and management software.
This large market opportunity is pulling in vendors and providers from across disciplines, including both cloud and service providers.
But there’s one group that seems especially poised to take market share: network security vendors. In recent months, a number of network security vendors including Fortinet, WatchGuard, and Barracuda have added some form of SD-WAN functionality to their hardware.
This makes sense. As with most business segments in the modern era, enterprises are becoming increasingly concerned with the security of their SD-WAN networks.
According to a recent Gartner survey (sponsored by Fortinet), 72% of respondents listed security as their top concern when it comes to their WAN. This was followed by network performance and cost. Gartner polled 203 respondents that participate in WAN decisions and have 25 or more WAN locations for this survey.
What’s really happening is SD-WAN is moving forward. Shin Umeda, VP at Dell’Oro, noted that as the scope of SD-WAN extends beyond controlling WAN paths, vendors have had to expand the definition as to what the market expects out of SD-WAN.
And as companies start to roll out the next iteration of their SD-WAN products, security will need to be top of mind. Whether this means security vendors spinning up SD-WAN, SD-WAN vendors adding security functionalities, or service providers service chaining security and SD-WAN together, security might determine the market winners.
Security Vendors Flip to SD-WAN
For the security vendors transitioning into SD-WAN, it’s a relatively easy move technology-wise — and even a necessary one market-wise.
“SD-WAN is a huge market opportunity that will snatch business away from established router and firewall vendors and so they have to react to not be replaced,” said Mike Fratto, senior analyst at 451 Research. SD-WAN gateways have evolved to a place where they can replace branch routers and firewalls.
“[Security] vendors need to respond to this threat with SD-WAN capabilities on their own. Partnering with an SD-WAN vendor is a short-term tactic to remain relevant, but long term, firewall and router vendors can’t give an inch lest they lose a mile,” Fratto added.
Umeda noted that adding an SD-WAN feature is just part of the security industry’s push toward a network- and software-based approach. “Most likely they have already moved in that direction, so adding SD-WAN functionality or moving toward SD-WAN is just another layer. So it’s kind of layering different software components to come up with a solution,” he said.
WatchGuard, which added SD-WAN capabilities to its unified threat management (UTM) platform in December 2018, already had many features that are considered part of an SD-WAN. This included zero-touch deployment, secure VPN connectivity, and multiple WAN connections for hybrid WAN environments.
Fortinet, which added SD-WAN as a feature to its next-generation firewall last July, already deployed its hardware at the branch. So having a networking stack was a requirement, said Nirav Shah, senior director of network security products and solutions at Fortinet.
As for how successful they will be in this crowded market — Umeda says that depends. “It kind of boils down to install base, channel distribution and sales mechanisms, and then potentially partnerships, because depending on size, some vendors can’t do it by themselves.”
So what security vendors will be next? “All of them,” said Fratto.
It’s worth noting that nearly every SD-WAN vendor is starting to focus on security. This includes vendors adding security through partnerships, or in the case of some of the bigger vendors (like Juniper Networks and Cisco) integrating with their own existing security products, or even trying new approaches to make it more secure.
128 Technology takes a tunnel-less approach, which it believes will lead to a more secure SD-WAN. Citrix added new automated security features, including an integration with the Zscaler cloud security platform. Cisco, last year, combined its SD-WAN with its security hardware and software. Juniper runs its SD-WAN on its Junos operating system, which provides routing, switching, and security. NEC recently debuted, in a proof of concept, an open source-based platform that combines security and SD-WAN features. VMware is evolving its VeloCloud-based SD-WAN to operate as-a-service, which includes layering in security.
And that’s only naming a few.
Service Chaining VNFs
There has been some speculation that the next phase of SD-WAN, particularly for managed service providers, will include universal CPE (uCPE). This would allow providers to service chain multiple virtual network functions (VNFs) — including both security and SD-WAN — from third-party vendors to deliver multiple networking functions on a single piece of hardware.
While the uCPE market is still in its infancy, service providers are starting to work on it. Comcast wants to run multiple VNFs with its SD-WAN, the first of which will likely be virtual Layer 7 firewalls and UTM services, Jeff Lewis, VP of product management at Comcast Business, told SDxCentral.
And all of this harks back to enterprises wanting to consolidate appliances at the enterprise edge — the same reason that security vendors are adding in SD-WAN.