A press release from Silver Peak announces recent innovations for their SD-WAN product set. Enhancements to their EdgeConnect environment are Packet-iQ, a stateful firewall, firewall service chaining and Zscaler support. They have also included routing integration using BGP, allowing easier integration of the SD-WAN environment into larger enterprise infrastructures.
Silver Peak have added a blog entry on the application-driven WAN edge around this release, and it has gained some visibility, with both LightReading and SDxCentral pointing to the release. LightReading has also done a News Analysis piece. So let's see what the noise is about…
Packet-iQ – choices from the first packet
One of the main challenges for SD-WAN is making a routing choice on the first packet of a connection. This is hard because cloud applications use HTTP or HTTPS for their connections, as do a lot of corporately hosted application portals, so selecting a path on port information alone may pick the wrong path. Selecting on data such as the SSL certificate Common Name requires several packets to have passed (the TCP handshake and the start of the TLS exchange), by which time the connection state is already fixed in the firewalls along the original path.
Deep Packet Inspection determines the destination, and hence a routing choice, only after the TCP session is established and the first payload packets are sent (e.g. reading the GET URI of a plain HTTP request, which allows differential behaviour even for connections made via a proxy server, since all such connections go to the proxy's IP address).
Changing the path once the original SYN has been sent causes problems with stateful firewalls: the firewall on the new route never saw the handshake, so it has no session entry and the connection isn't properly formed over that route. In the past, it was easier to sidestep this by using IPsec to provide the links between VPN sites, and IPsec or GRE tunnels to a cloud web-services gateway (such as Zscaler) for Internet-bound traffic.
It looks like Silver Peak are using DNS queries and responses to track the ranges of IP addresses assigned to cloud services like www.office365.com. They then use this information to build a list of IP address ranges whose traffic is passed directly to the Internet. This is more efficient than choosing a path on an assumption and later having to move the connection, with the risk of breaking it, and it avoids backhauling the initial packets to a core Internet breakout point. This extra information gives Packet-iQ the capability to make the choice on the first packet, rather than waiting for payload data, making local Internet breakout more efficient and reliable.
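To make the mechanism concrete, here is an added illustration (my own example, not Silver Peak code, and not a description of how Packet-iQ is actually implemented) of a first-packet classifier driven by snooped DNS responses. The steering policy (domain suffixes mapped to a "direct" or "backhaul" path), the record names, addresses and TTLs are all constructed for the example. The classifier learns address-to-service mappings from the A/AAAA records of responses for names covered by the policy, honours the record TTL, and falls back to backhaul for any destination it cannot attribute, since a wrong first-packet choice is expensive to undo. The suffix match is label-aligned so that a lookalike name such as `office365.com.attacker.example` does not inherit the Office 365 policy.

```python
"""DNS-snooping first-packet path classifier (illustrative example only)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class DnsRecord:
    """One resource record from the answer section of a snooped DNS response."""
    name: str    # owner name
    rtype: str   # "A", "AAAA" or "CNAME"
    rdata: str   # address, or CNAME target
    ttl: int     # seconds


# Hypothetical steering policy (assumed for the example): domain suffix -> WAN path.
POLICY = {
    "office365.com": "direct",
    "office.com": "direct",
    "zscaler.net": "direct",
}
DEFAULT_PATH = "backhaul"  # anything we cannot attribute goes via the core breakout


def _labels_match(name: str, suffix: str) -> bool:
    """Label-aligned suffix match: 'www.office365.com' matches 'office365.com',
    but 'office365.com.attacker.example' does not."""
    name = name.lower().rstrip(".")
    return name == suffix or name.endswith("." + suffix)


class FirstPacketClassifier:
    def __init__(self, policy: Dict[str, str] = POLICY):
        self.policy = {k.lower().rstrip("."): v for k, v in policy.items()}
        # normalised address string -> (path, matched policy suffix, absolute expiry)
        self.table: Dict[str, Tuple[str, str, float]] = {}

    def _path_for_names(self, names: Iterable[str]) -> Optional[Tuple[str, str]]:
        for n in names:
            for suffix, path in self.policy.items():
                if _labels_match(n, suffix):
                    return path, suffix
        return None

    def observe_response(self, qname: str, answers: Iterable[DnsRecord], now: float) -> int:
        """Learn addresses from one DNS response; returns how many were learned."""
        learned = 0
        for rr in answers:
            if rr.rtype not in ("A", "AAAA"):
                continue  # a CNAME carries no address; the A/AAAA that follows does
            # The answer section as a whole answers qname, so both the query name and
            # the record's owner name (typically the CNAME target) identify this address.
            match = self._path_for_names((qname, rr.name))
            if match is None:
                continue
            path, suffix = match
            addr = str(ipaddress.ip_address(rr.rdata))
            self.table[addr] = (path, suffix, now + rr.ttl)
            learned += 1
        return learned

    def classify_syn(self, dst_ip: str, now: float) -> str:
        """Path decision for the first packet of a flow, from the destination IP alone."""
        addr = str(ipaddress.ip_address(dst_ip))
        entry = self.table.get(addr)
        if entry is None:
            return DEFAULT_PATH
        path, _suffix, expiry = entry
        if now > expiry:
            del self.table[addr]  # stale mapping: fall back rather than guess
            return DEFAULT_PATH
        return path


def build_demo() -> FirstPacketClassifier:
    """Feed constructed DNS responses (sample data, not real resolutions) at t=1000."""
    clf = FirstPacketClassifier()
    clf.observe_response("www.office365.com", [
        DnsRecord("www.office365.com", "CNAME", "outlook.ms-acdc.office.com", 300),
        DnsRecord("outlook.ms-acdc.office.com", "A", "52.96.0.1", 60),
        DnsRecord("outlook.ms-acdc.office.com", "AAAA", "2603:1030::1", 60),
    ], now=1000)
    clf.observe_response("www.example.com", [
        DnsRecord("www.example.com", "A", "93.184.216.34", 3600),
    ], now=1000)
    clf.observe_response("office365.com.attacker.example", [
        DnsRecord("office365.com.attacker.example", "A", "203.0.113.50", 3600),
    ], now=1000)
    return clf


if __name__ == "__main__":
    c = build_demo()
    for ip, t in [("52.96.0.1", 1030), ("52.96.0.1", 1100),
                  ("93.184.216.34", 1030), ("203.0.113.50", 1030)]:
        print(ip, t, c.classify_syn(ip, t))
```

Two caveats a practitioner would want: the appliance has to be on the path of the DNS traffic it is snooping (clients resolving via DNS over HTTPS, or via a resolver on the far side of the tunnel, give it nothing to learn from), and the learned address must expire with the record's TTL, otherwise a reused cloud address can be steered directly to the Internet after it has been reassigned.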
Stateful firewall and routing round out the updates
In addition, the stateful firewall protects sites by only admitting inbound traffic that belongs to a connection initiated from inside the site. This allows the devices to be used for local Internet breakout without requiring an external firewall. Service chaining allows the use of firewalls from Check Point, Fortinet or Palo Alto within the network, or Zscaler for a cloud-based solution.
BGP provides a routing boundary at the site edge, making it easier to manage a large corporate network infrastructure and to allow local Internet breakout. This eases migration to an SD-WAN environment by establishing BGP peering with the previous network. It also helps in managing route propagation, particularly in larger and more complex sites. Most importantly, it now allows direct connection to an MPLS network, with route exchange to the PE router without needing an intervening CE router. (To use this, you will need an Ethernet presentation for your circuits.)
These are not trivial additions, and they make the EdgeConnect solution a much more flexible environment for deployment and operation, reducing complexity and cost.