Sdwan 910 Sase Ztna For Dummies Ip 0920
VMware Edition
Modern enterprises demand access to the latest and greatest business applications anywhere, anytime. Problem is, you may still use those tools over private, leased line architectures built in the early 1990s. Why drive your newest high-powered sports car down a gravel road? In this paper, you’ll take a look at the older models and discover a better way to make sure Work From Anywhere actually works from anywhere.

Back in the Old Days…

Routing every network connection through a central data center made sense when that data center actually hosted all your business applications. Today, most of them live in the cloud. So, branch traffic often takes the scenic route from data center, to cloud, back to data center, and finally back to the user. Performance suffers.

In the mid-2010s, software-defined WAN (SD-WAN) technology came to the rescue. Acting as a kind of cloud-based traffic cop for applications, SD-WAN introduced a much smarter, more efficient WAN model. As great as SD-WAN is though, it’s optimized for connecting branches and certain home workers. When it comes to the growing number of remote users (and devices, and services) outside the branch, businesses once again must route everything through the data center.

Now, the industry is taking SD-WAN to the next level with secure access service edge (SASE, pronounced “sassy”) and zero trust network access (ZTNA) solutions. SASE and ZTNA combine SD-WAN efficiencies with a much more flexible, user-centric approach to securing remote workers and cloud applications. We’re finally building a secure connectivity model suited to the world we live in today, instead of 30 years ago.

What’s Wrong with Current Connectivity Models?

To understand the urgent problems SASE and ZTNA solve, we need to review how we got here and why. Let’s take a trip down memory lane.

The 90s called, and they want their network architectures back

Back in the early days of the Internet, businesses used “heavy” branches, hosting most applications and security onsite. This wasn’t exactly by choice. Public Internet connections hadn’t yet reached every market, and those that did weren’t very reliable. You could get a TDM leased-line circuit, but they were expensive and restrictive in terms of bandwidth. (You could either aggregate multiple 1.5-Mbps T1 links or bump up to a 45-Mbps T3.) Businesses had little choice but to build out branch software stacks like miniature, standalone versions of the company headquarters.

In the 2000s, multiprotocol label switching (MPLS) hit the scene to offer a lot more WAN circuit flexibility and control. Branches got “lighter” as businesses moved everything they could to a centralized data center. Users now connected back to the data center to get to most of their applications and data. Enterprises outfitted branches with dual WAN uplinks, so those applications could remain available even if the primary circuit failed.

MPLS links were still expensive, but this basic WAN model served businesses well for years. And, if it sounds familiar, it’s because many still use it. Today, though, the world has changed. The assumptions underlying legacy WAN architectures—that most users work from branches, that almost everything lives in a central data center—no longer apply.

Welcome to the cloud

Hosting applications (buying servers, installing and maintaining software, scaling with demand) can be an expensive, time-consuming job for IT. One 2018 study conducted by Rackspace found that for every dollar companies spend on capital expenses to upgrade data center infrastructure, they can expect to pay roughly $2 for managing, maintaining, and securing that infrastructure. So, when cloud computing came around in the mid-2000s, and businesses could offload that effort to someone else, many jumped at the chance.

First, tech giants provided software-as-a-service (SaaS) options like Salesforce and Microsoft Office 365. Suddenly, it didn’t matter where an application technically lived, employees could get to it from any web browser. Businesses no longer had to worry about maintaining apps, either. SaaS providers could deal with software updates, resiliency, and scalability. Businesses could now treat key applications like a utility. Turn them on when you need them, pay for only what you use.

Many companies found this to be a much simpler, more flexible IT model. They could launch new applications and services more quickly, with a fraction of the effort. And, they could focus their IT resources on things that really mattered to their business, instead of the care and feeding of server farms. Over the last decade, companies have been moving several IT workloads to the cloud:

• Computing
• Storage
• Test and development environments
• Enterprise applications such as web hosting, telephony, conferencing, email, and customer relationship management (CRM) tools

In a recent Frost & Sullivan cloud survey, 84 percent of respondents now use or plan to implement public cloud infrastructure-as-a-service (IaaS) in the next two years, and 77 percent use or plan to implement SaaS.

Rise of the remote workforce

Applications aren’t the only thing to move out of the branch. As broadband became ubiquitous in the early 2000s, work started moving out of the office. Using virtual private networks (VPNs), employees could now securely connect to data center applications even when they were outside the corporate firewall, from anywhere. And they do. According to one 2019 survey, remote work has grown by 400 percent over the past decade. And that was before COVID-19 forced millions to spend months working from home.

Today, practically every business appreciates how important remote work can be to business continuity, but the benefits don’t end there. By giving employees the option to work where they choose, businesses say they can:

• Better attract and retain talent
• Improve employee morale and job satisfaction
• Increase productivity
• Reduce environmental impact
• Lower operating costs

Yesterday’s WAN Can’t Keep Up

These cloud and remote work trends are stretching early-1990s-era WAN architectures to the breaking point. Under the new status quo, applications might be hosted from a cloud point-of-presence (PoP) practically anywhere. But, to minimize the risks of connecting over the Internet, many enterprises still see a need to route all cloud application traffic through a central data center. This creates many challenges for businesses and their IT and security teams.

Inefficient architectures drive higher costs and hurt user experience

In yesterday’s WAN, most application traffic traveled back and forth from branches to the data center. Very little traffic went between branches or out to the Internet. Today, employees use multiple cloud-based applications running in many public and private clouds. Branch traffic might be going anywhere. This creates big inefficiencies for:

• Branch employees: A user joining a Microsoft Teams videoconference might have a Microsoft cloud PoP available just a few miles from their location, but the WAN still routes all their traffic through the company’s central data center—even if it’s hundreds of miles away.

• Remote workers: Imagine an employee traveling overseas, trying to download the latest sales presentation from a Box folder of his/her international colleague. Box may host a PoP in that country, but the employee must connect to SaaS applications through a VPN gateway back in the central data center. Their download request travels all the way to the company headquarters and back. That’s a long detour for that big file.

This connectivity model creates big bottlenecks in the data center. Worse, it leads to major inefficiencies, as traffic gets “hairpinned” (or “tromboned”) back and forth, sometimes over vast distances. Those extra roundtrips can introduce latency, producing a poor experience for users, especially for delay-sensitive voice and video applications. They also rack up much higher costs for WAN capacity than businesses would otherwise need.

Static WAN architectures waste resources

Even if businesses didn’t have to hairpin traffic, legacy WAN architectures would still waste resources. Remember those dual WAN uplinks branches used in case one circuit fails? Well, by default, that means the business is typically paying for a backup link that sees minimal usage.

In traditional WAN architectures, the backup link only activates if the primary fails, so it almost never gets used. These architectures also tend to be very static. You can’t reroute traffic without extensive manual reprogramming.

Relying on old security models in a world of new threats

Habit and momentum aren’t the only things keeping antiquated WAN architectures in place. Enterprises still keep firewalls, intrusion prevention systems (IPS), VPN concentrators, and more in the data center. They don’t want to deal with dozens or hundreds of instances of those security tools at every branch. So, they just make application traffic pass through centralized defenses.

Relying on centralized security solutions worked fine when the traditional concept of the network perimeter still applied—when trust was based on whether a user (or device, or application) was “inside” or “outside” the business. Today, those lines have disappeared. A branch employee using a cloud application may be using multiple services running in multiple public and private clouds, all in the same session.

The risks get even higher for remote workers. Even when enterprises try to force remote workers to access cloud applications through the data center, employees find ways around it. To avoid the performance hit, some employees try to avoid using the VPN and attempt to access the application directly over the Internet—bypassing data center defenses entirely.

Antiquated concepts of trust also add complexity

An “inside-versus-outside” trust model may seem simple on its surface. In practice, it adds a lot of complexity for IT security teams. They must maintain separate sets of security policies for users, depending on where and how they connect. They also must manage a patchwork of disparate security tools for all the different possible access scenarios.

In security, complexity equals risk. If you’re dealing with tens of thousands of firewall rules, for example, it’s much easier for a misconfiguration somewhere to leave something important exposed. But, when you’re forced to think about security in terms of “inside” versus “outside” the network perimeter (even if that bears little resemblance to reality), you don’t have much choice. There’s no good way to implement a single, consistent policy based on the user, rather than their IP address.

technology uses all available links, all the time, in an “active-active” configuration. It continuously tracks the health and status of all connections, sending traffic down the best path available at that moment.
For Dummies is a trademark of John Wiley & Sons, Inc. VMware and the VMware logo are registered trademarks or trademarks of VMware, Inc. in the United States and other jurisdictions. ISBN: 978-1-119-77691-8