Fujitsu Proprietary and Confidential All Rights Reserved, ©2019 Fujitsu Network Communications
1. SD-WAN Webinar Series: Unravelling Managed SD-WAN Services
Ralph Santitoro
Head of SDN/NFV/SD-WAN Services, Fujitsu | ralph.santitoro@us.fujitsu.com
Distinguished Fellow and Director, MEF Forum | ralph@mef.net
February 20, 2019
2. What You Will Learn in this Webinar
Standard MEF 3.0 SD-WAN Service Components and Terminology
• Will help you communicate and understand using industry standard terminology
SD-WAN Services are uniquely different than legacy WAN services
• Understanding baseline capabilities will help you evaluate different SD-WAN Service offerings
Importance and Role of each SD-WAN Service capability
• Will help you understand the business benefits
This Is Part of a Webinar Series Covering Different Topics about SD-WAN Services
3. Concepts: MEF 3.0 SD-WAN Service Constructs*
Subscriber Network
SD-WAN UNI
SD-WAN Edge
Underlay Connectivity Service (UCS – aka Underlay WAN)
Tunnel Virtual Connection (TVC)
* From MEF 70 SD-WAN “Service Attributes and Service Description” Draft Standard (MEF Forum)
4. MEF 3.0 SD-WAN Service Components
[Diagram: two Subscriber Networks, each connected through an SD-WAN UNI to an SD-WAN Edge; the Edges are linked by TVC 1 and TVC 2 over the Underlay Connectivity Services (Internet via DSL Modem and Cable Modem, MPLS via MPLS CE Routers); one Edge also provides Internet Breakout.]
5. SD-WAN Services Are Over-the-Top (OTT) Services
SD-WAN Services operate over existing Underlay Connectivity Services (UCS)
Examples of UCSs
• Public UCSs, e.g., Internet service delivered over DSL, HFC, PON, LTE, Fiber (DIA), etc.
• Private UCSs, e.g., MPLS, Carrier Ethernet, Optical Transport, etc.
Why is this important?
• Enables service to operate over any Service Provider’s UCS
• Provides faster service delivery (no need to purchase/activate a new UCS)
• Enables SD-WAN to operate over a mixture of public and private UCSs
An SD-WAN Service Operates over Your Existing Underlay Connectivity Services
6. SD-WAN Service Application Identification and Classification Criteria
SD-WAN services must be Application-Aware
But what is an “Application”?
An Application is anything you can classify to which you can apply Policies
Application classification is based on one or more of the following criteria:
• Domain name, e.g., facebook.com, google.ru
• Country, e.g., Iran, U.S.
• UDP port number
• TCP port number
• SaaS Application, e.g., Office365, Salesforce
• IPv4 or IPv6 address/subnet, e.g., 10.10.100.1/24, fe80::204:23ff:fe8:4ba2/128
• IP protocol name, e.g., ICMP, FTP
• Application Groups, e.g., Social Media, Gambling
• Custom, User-defined, e.g., POS terminal identified by IP subnet, TCP port
Granular Application Classification Is a Critical Requirement for an SD-WAN Service
7. SD-WAN Policies
Policies are a set of criteria to apply actions
IF {criterion1, criterion2, …}, THEN {action(s)}
SD-WAN services must be able to apply granular policies
• Network-wide Policies (apply to all sites)
• Per-site Policies (apply unique policies at each site)
• Application or Application Group Policies (apply to any classified App or App Group)
SD-WAN Services have different types of Policies
Security Policies
• Block all online storage sites (box.com, icloud.com, etc.)
QoS Policies
• Send VoIP calls over any TVC with Latency < 35ms and Loss < 1%
Application Importance Policies
• If Primary MPLS WAN fails, only send POS terminal, VoIP calls and Email over LTE Backup WAN
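The following is an added worked example, not code from the deck or from Fujitsu/MEF, covering the two preceding slides together: it models application classification on the criteria listed (domain, country, subnet, IP protocol, TCP/UDP port, a custom POS rule) and then applies IF {criteria} THEN {actions} policies of the three types shown (a Security Policy blocking online storage, a QoS Policy choosing a TVC with latency < 35 ms and loss < 1 %, and an Application Importance Policy reserving the LTE backup for POS, VoIP and Email when the primary MPLS WAN is down), with a per-site override on top of the network-wide rules. The flows, subnets, port ranges, TVC names and path metrics are constructed for the example; only the policy thresholds and the blocked domains come from the slides.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Added example (not from the Fujitsu/MEF deck). Flows, subnets, port ranges,
# TVC names and metrics are constructed; thresholds are the ones on the slides.

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str            # "tcp", "udp" or "icmp"
    dst_port: int
    domain: str = ""      # destination hostname (e.g. from DNS or TLS SNI), if known
    country: str = ""     # geolocation of dst_ip, if known

@dataclass(frozen=True)
class AppRule:
    """One classification rule: every criterion that is given must match (AND)."""
    app: str
    group: str
    domains: tuple = ()      # domain name criterion (matches the domain and its subdomains)
    countries: tuple = ()    # country criterion
    src_subnets: tuple = ()  # IPv4/IPv6 address/subnet criterion
    protos: tuple = ()       # IP protocol name criterion
    tcp_ports: tuple = ()    # TCP port number criterion
    udp_ports: tuple = ()    # UDP port number criterion

    def matches(self, f: Flow) -> bool:
        if self.domains and not any(f.domain == d or f.domain.endswith("." + d) for d in self.domains):
            return False
        if self.countries and f.country not in self.countries:
            return False
        if self.src_subnets and not any(
                ipaddress.ip_address(f.src_ip) in ipaddress.ip_network(s) for s in self.src_subnets):
            return False
        if self.protos and f.proto not in self.protos:
            return False
        if self.tcp_ports and not (f.proto == "tcp" and f.dst_port in self.tcp_ports):
            return False
        if self.udp_ports and not (f.proto == "udp" and f.dst_port in self.udp_ports):
            return False
        return True

# Rule order matters: first match wins, so the most specific rules go first.
APP_RULES = [
    # Custom, user-defined: POS terminals identified by IP subnet and TCP port (constructed values)
    AppRule("POS", "Payments", src_subnets=("10.10.100.0/24",), protos=("tcp",), tcp_ports=(8443,)),
    AppRule("Office365", "SaaS", domains=("office.com", "office365.com")),
    AppRule("Salesforce", "SaaS", domains=("salesforce.com",)),
    AppRule("Facebook", "Social Media", domains=("facebook.com",)),
    AppRule("OnlineStorage", "Online Storage", domains=("box.com", "icloud.com")),
    AppRule("VoIP", "Voice", protos=("udp",), udp_ports=range(16384, 32768)),   # constructed RTP range
    AppRule("Email", "Email", protos=("tcp",), tcp_ports=(25, 587, 993)),
]

def classify(f: Flow) -> tuple[str, str]:
    """Return (application, application group); unmatched traffic is 'Unknown'."""
    for rule in APP_RULES:
        if rule.matches(f):
            return rule.app, rule.group
    return "Unknown", "Default"

@dataclass
class TVC:
    name: str
    underlay: str      # underlay WAN type: "MPLS", "Internet" or "LTE"
    latency_ms: float  # measured path metrics (constructed)
    loss_pct: float
    up: bool = True

# Network-wide policies (apply at every site); per-site additions are passed to apply_policies.
BLOCK_GROUPS = {"Online Storage"}                              # Security Policy
QOS = {"VoIP": {"max_latency_ms": 35.0, "max_loss_pct": 1.0}}  # QoS Policy
BACKUP_ALLOW = {"POS", "VoIP", "Email"}                         # Application Importance Policy

def apply_policies(f: Flow, tvcs: list[TVC], site: str, site_policies: dict | None = None):
    """IF {criteria} THEN {action}: returns (app, ("block", reason)) or (app, ("forward", tvc_name))."""
    app, group = classify(f)
    local = (site_policies or {}).get(site, {})
    if group in BLOCK_GROUPS | set(local.get("block_groups", ())):
        return app, ("block", f"security policy blocks group {group}")
    usable = [t for t in tvcs if t.up]
    # Application Importance: while the primary MPLS WAN is down, the LTE backup is reserved
    # for POS, VoIP and Email; other applications may only use the remaining underlays.
    # (Assumes every site has an MPLS TVC configured, as in the slide's scenario.)
    mpls_up = any(t.underlay == "MPLS" and t.up for t in tvcs)
    if not mpls_up and app not in BACKUP_ALLOW:
        usable = [t for t in usable if t.underlay != "LTE"]
    if not usable:
        return app, ("block", "no TVC permitted for this application")
    # QoS: prefer a TVC meeting the application's thresholds, otherwise the lowest-latency TVC.
    thr = QOS.get(app)
    if thr:
        good = [t for t in usable if t.latency_ms < thr["max_latency_ms"] and t.loss_pct < thr["max_loss_pct"]]
        if good:
            usable = good
    return app, ("forward", min(usable, key=lambda t: t.latency_ms).name)
```

Rules are evaluated in list order and the first match wins, so a narrow custom rule such as the POS subnet/port rule must precede broad ones; a real Edge would additionally keep a per-flow state table so that an application is classified once and the decision applied to every packet of the flow.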
8. High Availability Dimensions of an SD-WAN Service
Access Network Type Diversity
• Use Wireline and Wireless WANs
WAN Provider Diversity
• Use WANs from different providers
WAN Load Balancing
• Application flows instantaneously forwarded to alternate WAN in the event of a WAN failure
[Diagram: three SD-WAN Edges illustrating Active-Active WANs (WAN 1, WAN 2), Different WAN Providers (ISP A, NSP B, WSP C) and Different Access Network Types (Cable, DSL, PON; LTE / 5G).]
SD-WAN Services Intrinsically Provide High Availability and Resiliency
9. SD-WAN Services Increase Site-to-Site WAN Bandwidth without Increasing Underlay WAN Bandwidth
[Diagram: two sites, each with an SD-WAN Edge CPE attached to an MPLS VPN and to Internet Access; SD-WAN TVCs run between the two Edges over both underlays.]
Before SD-WAN Service
All internal site-to-site communications over MPLS
Internet access used to only connect to Internet
• not used for site-to-site connectivity
Internet BW 10-20X > MPLS BW
Must increase MPLS BW to increase site-to-site BW
After SD-WAN Service
Load-balance site-to-site traffic across MPLS and Internet using secure SD-WAN TVCs
Forwarding choices based on Application Policies
Internet used for local breakout and site-to-site
Site-to-Site BW increased without adding any MPLS BW
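An added example, not from the deck, that puts numbers on the last two slides: it scores a site's WANs against the three high-availability dimensions (access type diversity, provider diversity, active-active), compares site-to-site capacity before SD-WAN (MPLS only) with after (every up underlay carries a TVC), and re-balances application flows onto the alternate WANs when one fails, flagging any WAN left oversubscribed. WAN names, providers, capacities and flow demands are constructed; the capacities are chosen so that Internet bandwidth is about 10X MPLS, as the slide describes.

```python
from __future__ import annotations
from dataclasses import dataclass

# Added example (not from the Fujitsu/MEF deck); all WANs and flows are constructed.

@dataclass
class Wan:
    name: str
    provider: str   # e.g. "ISP A", "NSP B", "WSP C"
    access: str     # access network type: "MPLS", "Cable", "DSL", "PON", "LTE"
    wireless: bool
    mbps: int       # usable site-to-site capacity over this underlay (constructed)
    up: bool = True

def diversity_report(wans: list[Wan]) -> dict:
    """The HA dimensions from the slide, measured on a site's set of WANs."""
    return {
        "access_types": len({w.access for w in wans}),
        "providers": len({w.provider for w in wans}),
        "wireline_and_wireless": any(w.wireless for w in wans) and any(not w.wireless for w in wans),
        "active_active": sum(1 for w in wans if w.up) >= 2,
    }

def site_to_site_mbps(wans: list[Wan], sd_wan: bool) -> int:
    """Before SD-WAN only MPLS carries site-to-site traffic; after, each up underlay
    carries a TVC and the TVC capacities add up."""
    eligible = [w for w in wans if w.up and (sd_wan or w.access == "MPLS")]
    return sum(w.mbps for w in eligible)

def balance(flows: dict[str, int], wans: list[Wan]) -> tuple[dict[str, str], list[str]]:
    """Place each flow (name -> Mbps demand), largest first, on the up WAN with the most
    headroom. Returns the placement and the WANs whose capacity was exceeded."""
    headroom = {w.name: w.mbps for w in wans if w.up}
    if not headroom:
        raise RuntimeError("all WANs are down")
    placement: dict[str, str] = {}
    for name, demand in sorted(flows.items(), key=lambda kv: -kv[1]):
        target = max(headroom, key=headroom.get)
        placement[name] = target
        headroom[target] -= demand
    oversubscribed = sorted(n for n, h in headroom.items() if h < 0)
    return placement, oversubscribed

def failover(flows: dict[str, int], wans: list[Wan], failed_wan: str):
    """Mark one WAN down and re-balance; returns the flows that moved (old, new WAN)
    and the WANs now oversubscribed, i.e. where application policy would have to shed load."""
    before, _ = balance(flows, wans)
    for w in wans:
        if w.name == failed_wan:
            w.up = False
    after, oversubscribed = balance(flows, wans)
    moved = {f: (before[f], after[f]) for f in flows if before[f] != after[f]}
    return moved, oversubscribed
```

The placement heuristic is deliberately simple (greedy, most headroom first); what the example is meant to show is that the site-to-site figure after SD-WAN is the sum of the underlays rather than the MPLS figure alone, and that a WAN failure changes placements without changing the flows themselves. The oversubscription list is the input an Application Importance Policy would act on.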
10. SD-WAN Service Information Security
Data Protection and Privacy
SD-WAN Services must secure data in transit and at rest
In Transit Data:
• 256-bit AES Encryption of TVCs across underlay WANs
At Rest Data:
• 256-bit AES Encryption of any Subscriber data stored on an SD-WAN Edge
Subscriber Data Privacy
SD-WAN Service Provider must not be able to read or modify Subscriber data
Important for Data Privacy regulations
• HIPAA (patient healthcare data privacy)
• EU GDPR (personal information privacy – EU requirement now, expected to be required globally)
• PCI DSS (payment card data protection)
11. SD-WAN Service Network Security
SD-WAN Edge Firewall
At a minimum, an SD-WAN Edge must have a firewall if it connects to an Internet WAN
• For IP address and port address translation (NAT/PAT) and address/port blocking
Some SD-WAN Edges now support “Zone-based” Firewalls (ZFW)
• ZFWs use Policies to restrict traffic to/from different LANs (ports/VLANs), UCSs (WANs) and TVCs
• ZFWs ensure potential threats are contained to a particular zone and do not affect other zones
Mitigates Spoofing of IP Addresses from LAN zones
• If one zone uses the same IP address as another zone, the SD-WAN Edge will detect the spoofed IP address and block it from traversing a different zone
Example Zones where traffic is segregated to a unique LAN/VLAN, TVC or Local Internet Breakout
• Guest Wi-Fi Network on LAN/VLAN: Local Internet Breakout
• Extranet / Partner TVC: Engineering VLAN
• POS Terminals on LAN/VLAN: Data Center TVC and Printer on LAN/VLAN
• Intranet LAN/VLAN: Intranet TVC and Local Internet Breakout
Firewall Zones Enable Secure Segmentation of Apps and Users over LANs/VLANs, WANs and TVCs
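An added example, not from the deck, of the zone-based firewall logic described above: zones are defined for the slide's example table (Guest Wi-Fi, Extranet/Partner TVC, POS, Intranet, plus the Engineering, Printer, Data Center TVC, Intranet TVC and Local Internet Breakout destinations they are allowed to reach), the allowed zone pairs default to deny, the anti-spoofing check drops any packet whose source address belongs to a different zone than the one it arrived on, and a small session table admits reply traffic for sessions the policy permitted. The subnets and addresses are constructed for the example; the zone names and allowed pairs follow the slide.

```python
from __future__ import annotations
import ipaddress

# Added example (not from the Fujitsu/MEF deck). Zone names and permitted pairs follow
# the slide's example table; every subnet and address below is constructed.
ZONES = {
    "guest-wifi":   {"kind": "LAN/VLAN", "subnet": "192.168.50.0/24"},
    "pos":          {"kind": "LAN/VLAN", "subnet": "10.10.100.0/24"},
    "intranet":     {"kind": "LAN/VLAN", "subnet": "10.10.1.0/24"},
    "printers":     {"kind": "LAN/VLAN", "subnet": "10.10.2.0/24"},
    "engineering":  {"kind": "LAN/VLAN", "subnet": "10.10.3.0/24"},
    "partner-tvc":  {"kind": "TVC", "subnet": "172.16.0.0/16"},
    "dc-tvc":       {"kind": "TVC", "subnet": "10.50.0.0/16"},
    "intranet-tvc": {"kind": "TVC", "subnet": "10.60.0.0/16"},
    "internet":     {"kind": "Local Internet Breakout", "subnet": "0.0.0.0/0"},  # catch-all
}

# Permitted source zone -> destination zones (sessions initiated from the source). Default deny.
ALLOW = {
    "guest-wifi":  {"internet"},
    "partner-tvc": {"engineering"},
    "pos":         {"dc-tvc", "printers"},
    "intranet":    {"intranet-tvc", "internet"},
}

# Sessions the policy has admitted, as (src_ip, dst_ip); replies in the reverse direction are allowed.
SESSIONS: set[tuple[str, str]] = set()

def zone_of(ip: str) -> str | None:
    """Most specific zone containing ip (longest prefix); the Internet catch-all wins only
    when no LAN/VLAN or TVC zone claims the address."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for name, z in ZONES.items():
        net = ipaddress.ip_network(z["subnet"])
        if addr in net and net.prefixlen > best_len:
            best, best_len = name, net.prefixlen
    return best

def evaluate(ingress_zone: str, src_ip: str, dst_ip: str) -> tuple[str, str]:
    """Decide ("allow"|"drop", reason) for a packet arriving on ingress_zone."""
    if ingress_zone not in ZONES:
        return "drop", f"unknown ingress zone {ingress_zone}"
    # Anti-spoofing: a source address that belongs to another zone must not enter here.
    src_zone = zone_of(src_ip)
    if src_zone != ingress_zone:
        return "drop", f"spoofed source {src_ip}: belongs to zone {src_zone}, arrived on {ingress_zone}"
    dst_zone = zone_of(dst_ip)
    if dst_zone in ALLOW.get(ingress_zone, set()):
        SESSIONS.add((src_ip, dst_ip))
        return "allow", f"{ingress_zone} -> {dst_zone}"
    if (dst_ip, src_ip) in SESSIONS:
        return "allow", f"reply {ingress_zone} -> {dst_zone}"
    return "drop", f"no policy permits {ingress_zone} -> {dst_zone}"
```

The session table is keyed on addresses only, which is enough to show the stateful return path; an Edge firewall keys on the full 5-tuple and ages entries out. The point of the longest-prefix lookup in `zone_of` is the spoofing case on the slide: a packet arriving from the Internet with a POS-subnet source is classified as POS, not Internet, and is dropped before any allow rule is consulted.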
12. SD-WAN Service Information Security
Secure Connectivity to Cloud Security Services
Cloud Security Service ideal for InfoSec scanner functions
• Anti-Malware, Anti-Spam, Anti-Phishing, Vulnerability Scanning (for PCI DSS compliance)
Many Enterprises are migrating to Cloud Security for InfoSec
• Better location to perform information scanning
• Quarantining InfoSec threats before they reach the site saves Internet access bandwidth and eliminates threat propagation
SD-WAN Edges should provide an encrypted IPsec tunnel to Cloud Security Providers
• To ensure no threat injection between Subscriber site and Cloud Security Service Provider
[Diagram: an SD-WAN Edge with a TVC over WAN to other sites and a Local Internet Breakout; an IPsec Tunnel over the Internet WAN connects the Edge to the Cloud Security Service Provider (Anti-Malware), which sits in front of the Internet site or SaaS Provider.]
Cloud Security Services for Information Scanning Security Functions
13. SD-WAN Service: Centralized Service Management
All SD-WAN Services must be centrally managed
• Ensures consistency in policies and configuration changes
Service may be Fully-Managed or Co-Managed
Fully-Managed
• Service Provider manages all aspects of the service
• Subscriber can view network health and other metrics
• Typically used by organizations with limited IT support staff
Co-Managed
• SP manages many aspects of service but enables Subscriber to make service changes, such as creating new QoS and Security Policies for different Applications and creating custom application classification criteria
• Typically used by organizations with larger IT support staff
14. Unravelling SD-WAN Services: Key Takeaways
Not all “SD-WAN Services” are created equal
• MEF 3.0 SD-WAN service definition standard is establishing the baseline
SD-WAN Services are uniquely different than legacy WAN services
• Application-aware, Policy-driven, Highly Resilient
When evaluating SD-WAN Services, carefully review baseline capabilities
• OTT, App Classification, Security, Policies, Multi-WAN, WAN bonding, etc.
15. SD-WAN Webinar Series: Unravelling Managed SD-WAN Services
Ralph Santitoro | ralph.santitoro@us.fujitsu.com | ralph@mef.net