kurtcms.org


Competitive Analysis between VeloCloud SD-WAN with Zscaler Cloud Security and Cloudflare One SASE

Posted on December 20, 2021 — 10 Minutes Read

Version Purpose Date
1.0 Initial draft Sep 28, 2021
1.1 Cloudflare Anycast IPsec with a distributed SA as a de-facto vendor-neutral SD-WAN Gateway added Dec 20, 2021

At work I once analysed the emerging Secure Access Service Edge (SASE) architecture, a term coined by Gartner that describes the convergence of Software-Defined WAN (SD-WAN) and cloud security into an integrated product delivered as a service from the cloud. It is crucial to note that SASE is not a single technology or network protocol, nor an Internet Engineering Task Force (IETF) standard; it is rather a bundle of complementary network and security products that are integrated and delivered together to an enterprise customer as a single service. While the Gartner definition comprises a range of specific network and security components, e.g. SD-WAN, Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Firewall as a Service (FWaaS) and Zero Trust Network Access (ZTNA), implementations by different technology vendors often vary to reflect their strengths and shortcomings. What follows is a competitive analysis of the VMware VeloCloud SD-WAN and Zscaler Cloud Security products, widely combined and adopted by telecommunications carriers as a SASE solution, against Cloudflare One.

In addition to the two common product components of SASE that form the basis of the analysis, namely:

  • Network as a Service (SD-WAN); and
  • Security as a Service,

three extra elements are studied as well for further insight:

  1. Professional Services;
  2. Product Development; and
  3. Go-To-Market.

In summary, as of December 20, 2021, the analysis finds that:

  1. Desktop and mobile client devices are the new CPE in light of an increasingly distributed workforce, a shift accelerated by COVID-19, and this gives Cloudflare, with its software endpoints on client devices, a distinct deployment advantage over the hardware CPE of telecommunications carriers;

  2. The Cloudflare architectural design and principle, centred on software-defined features, permits a rapid time to market with the highest degree of economies of scale, against the vendor-defined approach of telecommunications carriers;

  3. Cloudflare Anycast IPsec with a distributed Security Association (SA) combines the widespread deployment and support of IPsec with Cloudflare’s software-defined infrastructure and feature development approach, giving a seamless IPsec failover between servers at its PoP and providing a migration path, or a de-facto vendor-neutral SD-WAN gateway, for customer premises with existing hardware routers or SD-WAN CPE from an existing deployment; and

  4. The vendor-defined approach prevents telecommunications carriers from attaining any technology monopoly, and the burden of MPLS Billed Revenue (BR) renders a commercial or distribution monopoly difficult if not impossible to attain.

Below is the in-depth analysis.

Each row below compares one product or service component as delivered by a telecommunications carrier (SASE by Telecommunications Carrier) against Cloudflare One, followed by a remark.

Network as a Service (SD-WAN)

First-/Last-Mile Endpoint Client

  SASE by Telecommunications Carrier:
    Physical VeloCloud SD-WAN Edge (VCE) appliance or virtual VCE on a Universal Customer Premise Equipment (uCPE)

  Cloudflare One:
    1. Virtual software clients, either a daemon, i.e. Cloudflare Tunnel for servers, or a desktop or mobile client, i.e. Cloudflare WARP (a variant of WireGuard)
    2. Customer-provided, on-premise and IPsec-supported hardware routers or SD-WAN CPE by other vendors

  Remark:
    A software endpoint on client devices is more apt for a distributed workforce. A WireGuard-based client is best-of-breed in terms of performance.

    Anycast IPsec with a distributed Security Association (SA) combines the widespread deployment and support of IPsec with Cloudflare’s software-defined infrastructure and feature development approach to overcome the limitation of IKE that an IPsec SA is negotiated with, and held by, a single server. In effect, it allows an IPsec client to send encrypted traffic to the closest server, or to any of the other servers at Cloudflare’s PoP should the closest one fail, without re-establishing the IPsec tunnel and without the lengthy IKE handshake. It also provides a migration path, or a de-facto vendor-neutral SD-WAN gateway, for customer premises with existing hardware routers or SD-WAN CPE from an existing deployment. This positions Cloudflare as a more direct competitor to, and a greater threat to, telecommunications carriers.

Logistics, Customs Clearance and On-site Installation

  SASE by Telecommunications Carrier:
    1. Logistics
      1. Lengthy and expensive logistics for a physical VCE with a VMware VeloCloud distributor for most locations
      2. VMware Delivered Duty Paid (DDP) and Next Business Day (NBD) RMA for a physical VCE at a fixed-cost courier service to selected locations
      3. Reasonable logistics for a virtual VCE on uCPE with regional and domestic service providers
    2. Customs Clearance
      1. Lengthy customs clearance for either a physical VCE or a virtual VCE on uCPE, both of which are classified with an Export Control Classification Number (ECCN) of 5A002 (a.1) by the Bureau of Industry and Security of the United States and are subject to stringent export control
    3. On-site Installation
      1. Expensive on-site installation for a physical VCE with a VMware VeloCloud distributor for most locations
      2. Reasonable on-site installation cost with regional and domestic service providers for a physical VCE and a virtual VCE on uCPE

  Cloudflare One:
    1. Logistics
      1. Not required for the software client nor for customer-provided, on-premise and IPsec-supported hardware routers or SD-WAN CPE by other vendors
    2. Customs Clearance
      1. Likely not required for the software client nor for customer-provided, on-premise and IPsec-supported hardware routers or SD-WAN CPE by other vendors
    3. On-site Installation
      1. Not required for the software client nor for customer-provided, on-premise and IPsec-supported hardware routers or SD-WAN CPE by other vendors

  Remark:
    A software endpoint on client devices effectively renders the devices themselves the uCPE and eliminates all issues with logistics, customs clearance and on-site installation.

    Customer-provided, on-premise and IPsec-supported hardware routers or SD-WAN CPE by other vendors eliminate all issues with logistics, customs clearance and on-site installation as well.

    Reconfiguring the wide variety of hardware routers or SD-WAN CPE by other vendors may pose a challenge for the one-off migration and may call for help from local system integrators.

Connectivity

  SASE by Telecommunications Carrier:
    1. Internet
      1. Regional Autonomous System (AS) network with limited local routes for minimum latency to and from customer premises in a limited number of regional locations
    2. Private interconnection
      1. Local loop with a Customer Edge (CE) router, or with the VCE acting as the CE

  Cloudflare One:
    1. Internet
      1. Within 50ms of 95% of the Internet-connected world
      2. Within 20ms of 80% of the Internet-connected world
      3. BGP Anycast to ensure connection to the closest Point of Presence (PoP)
    2. Private interconnection
      1. Cloudflare Network Interconnect

  Remark:
    A carrier AS network is better connected to other AS networks. Yet Cloudflare seems to be ahead with regard to its local routes worldwide, boosted by its mass-market CDN-driven network.

Middle-Mile Coverage

  SASE by Telecommunications Carrier:
    Often in the range of 20 to 30 instances of VeloCloud SD-WAN Gateways (VCG)

  Cloudflare One:
    PoP in 250 cities across 100+ countries

  Remark:
    In-house developed software on standardised generic x86 servers (with ARM to come in the future should it exceed x86 in performance per watt), under the architectural principle that every server can run every service, has the advantage of immediate roll-out of any new service on all of the hardware servers deployed in the PoP and allows for maximum economies of scale.

DDoS Protection

  SASE by Telecommunications Carrier:
    Often not enabled for the VCG

  Cloudflare One:
    Network capacity of 100Tbps

  Remark:
    Unmetered DDoS mitigation with Cloudflare.

SD-WAN Overlay

  SASE by Telecommunications Carrier:
    VeloCloud Dynamic Multipath Optimisation (DMPO) with:
    1. Per-packet traffic steering (prevents application session drops even if one of the physical WAN links disconnects)
    2. Negative Acknowledgment (NACK) to retransmit a dropped TCP packet before the TCP protocol notices the packet drop and applies congestion control through the Congestion Window (CWND)
    3. Forward Error Correction (FEC) to remediate packet loss
    4. Jitter buffer to remediate jitter

  Cloudflare One:
    Three technologies for forming an SD-WAN overlay, depending on the type of premises:
    1. Cloudflare Tunnel for data centres
    2. Cloudflare WARP (a variant of WireGuard) for desktop or mobile clients
    3. Anycast IPsec with a distributed SA for existing hardware routers or SD-WAN CPE

  Remark:
    VeloCloud, as a dedicated SD-WAN technology vendor, has its in-house developed SD-WAN overlay protocol, with advanced packet steering and WAN anomaly remediation algorithms as well as application-centric traffic and WAN monitoring, that is ahead of Cloudflare, who relies on industry Virtual Private Network (VPN) tunnel implementations, whether the new and performant WireGuard or the widely deployed and supported IPsec.

Network Monitoring and Orchestration

  SASE by Telecommunications Carrier:
    VeloCloud Orchestrator (VCO) portal and API with rich application-centric traffic history and WAN quality metrics

  Cloudflare One:
    Cloudflare for Teams portal and API with a primitive traffic report

Security as a Service

Feature

  Features compared:
    • Anti-Malware
    • Intrusion Detection and Prevention Systems (IDS/IPS)
    • Secure Web Gateway (SWG)
    • Firewall as a Service (FWaaS)
    • SSL Inspection
    • Data Loss Prevention (DLP)
    • Remote Browser Isolation (RBI)
    • Cloud Sandboxing
    • Cloud Access Security Broker (CASB)
    • Zero-Trust Network Access (ZTNA)

  SASE by Telecommunications Carrier:
    Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA), as the security product component, support all of these features

  Cloudflare One:
    Cloudflare Gateway and Cloudflare Access of Cloudflare for Teams support all of these features, with either in-house developed products or external partnerships

  Remark:
    These are the most common and most expected Security as a Service features for most implementations of SASE. Supporting a feature is one thing; how well it is implemented to protect the user against a specific threat is another, and that needs to be qualified by empirical evaluation that mirrors real-world attacks.

Performance

  SASE by Telecommunications Carrier and Cloudflare One:
    Yet to be compared by a trusted independent agency

  Remark:
    Performance of the security features is the heart of the problem. Unfortunately there is no trusted independent evaluation comparing the two yet. Zscaler being the market leader for Security as a Service, it is reasonable to assume that it outperforms, or is at least on par with, Cloudflare for most of these features.

    The Cloudflare architectural principle, however, permits unprecedented economies of scale, which should be reflected in performance and pricing.

Professional Services

Project Management

  SASE by Telecommunications Carrier:
    Professional project management by the Global Service and Operation team

  Cloudflare One:
    Guided onboarding with the Enterprise service plan

  Remark:
    Professional services on par.

Proactive Service Monitoring

  SASE by Telecommunications Carrier:
    24x7 proactive service monitoring by the Global Service Operation Center

  Cloudflare One:
    Yes

Fault Reporting and Handling

  SASE by Telecommunications Carrier:
    24x7 service hotline for fault reporting, with a well-defined response time and escalation process for fault handling

  Cloudflare One:
    24x7 emergency hotline with the Enterprise service plan, with a well-defined response time for fault handling

Service Level Agreement (SLA)

  SASE by Telecommunications Carrier:
    Service availability guarantee often depends on the service package subscribed

  Cloudflare One:
    100% uptime and 10x to 25x reimbursement with the Enterprise service plan

Product Development

Time to Market

  SASE by Telecommunications Carrier:
    Feature validation, product documentation and numerous internal team briefings after the technology vendors release the solution

  Cloudflare One:
    Aggressive product roadmap with new features released every 3 months

  Remark:
    Telecommunications carriers rely on technology vendors, e.g. VMware VeloCloud and Zscaler, for product development. In this sense, while their SASE service may be software-defined, the pace of product development is vendor-defined.

    This is in sharp contrast to Cloudflare, who develops the software solution in-house on an aggressive roadmap with an agile development framework, and partners with other non-competing technology vendors for features that are well defined in the market and need no disruption, e.g. SSO with Okta.

Technology Monopoly, e.g. 10x Better

  SASE by Telecommunications Carrier:
    Vendor-defined solution

  Cloudflare One:
    Software-defined solution

  Remark:
    With the unprecedented economies of scale permitted by the Cloudflare architectural principle and in-house software development, it is possible for its price-performance to be 10x better than the market.

    Telecommunications carriers, on the other hand, rely on the vendor for the solution, with little to no differentiation on the technology; the only differentiation will have to come from commercial terms and distribution.

Go-To-Market

Sales and Distribution

  SASE by Telecommunications Carrier:
    Telecommunications carriers often have a high level of recurring MPLS Billed Revenue (BR), the protection and retention of which is likely their highest business priority. With the SD-WAN component of SASE deemed a complement to or replacement for MPLS, conflict may arise when the time comes to distribute the SASE solution to the same set of enterprise customers.

  Cloudflare One:
    No burden with MPLS BR

  Remark:
    Retaining the MPLS BR remains the top priority for most if not all telecommunications carriers, and with the SD-WAN component of SASE deemed a complement to or replacement for MPLS, there may be a conflict of priorities that telecommunications carriers will need to resolve.
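The Anycast IPsec with a distributed SA point, made in the summary and in the first-/last-mile endpoint row above, hinges on where the Security Association lives. The Python model below is an added example and not Cloudflare's or VeloCloud's code: it uses a simplified ESP-like envelope (SPI, sequence number, ciphertext, truncated ICV), an HMAC-SHA256 keystream as a toy stand-in for AES-GCM, assumed server names pop-a and pop-b, and an anti-replay window kept locally on each server (how that replay state is coordinated across servers is not covered by the page). It shows that when the SA negotiated by IKE is installed only on the server the client first reached, an anycast reroute drops traffic until IKE is rerun, whereas a replicated SA lets any server in the group decapsulate the same packets with no new handshake.

```python
"""Toy model of anycast IPsec: per-server SA versus distributed SA.
Added example, not Cloudflare's code. ESP-like envelope, HMAC-based toy
keystream in place of AES-GCM, per-server anti-replay window (assumption)."""
import hashlib
import hmac
import os
import struct

ICV_LEN = 16        # truncated tag, as ESP does with HMAC-SHA256-128
REPLAY_WINDOW = 64  # how far below the highest seen sequence number we accept


def kdf(secret: bytes, label: bytes) -> bytes:
    """Derive a sub-key from the IKE shared secret (HMAC-SHA256 expand)."""
    return hmac.new(secret, label, hashlib.sha256).digest()


def xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class SecurityAssociation:
    """State one side needs to protect or unprotect traffic for one SPI."""

    def __init__(self, spi: int, shared_secret: bytes):
        self.spi = spi
        self.enc_key = kdf(shared_secret, b"encryption")
        self.auth_key = kdf(shared_secret, b"integrity")
        self.highest_seq = 0   # anti-replay state, local to each holder
        self.seen = set()

    def keystream(self, seq: int, length: int) -> bytes:
        out, block = b"", 0
        while len(out) < length:   # counter-mode style: HMAC(key, spi|seq|block)
            ctr = struct.pack(">IIQ", self.spi, seq, block)
            out += hmac.new(self.enc_key, ctr, hashlib.sha256).digest()
            block += 1
        return out[:length]

    def encapsulate(self, seq: int, plaintext: bytes) -> bytes:
        header = struct.pack(">II", self.spi, seq)
        body = xor(plaintext, self.keystream(seq, len(plaintext)))
        icv = hmac.new(self.auth_key, header + body, hashlib.sha256).digest()
        return header + body + icv[:ICV_LEN]

    def decapsulate(self, packet: bytes) -> bytes:
        header, body, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
        tag = hmac.new(self.auth_key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(icv, tag[:ICV_LEN]):
            raise ValueError("bad ICV")
        _, seq = struct.unpack(">II", header)
        if seq in self.seen or seq + REPLAY_WINDOW <= self.highest_seq:
            raise ValueError("replayed or stale sequence number")
        self.seen.add(seq)
        self.highest_seq = max(self.highest_seq, seq)
        self.seen = {s for s in self.seen if s + REPLAY_WINDOW > self.highest_seq}
        return xor(body, self.keystream(seq, len(body)))


class Server:
    """One server behind the anycast address; inbound SAs keyed by SPI."""

    def __init__(self, name: str):
        self.name = name
        self.inbound = {}

    def receive(self, packet: bytes):
        spi = struct.unpack(">I", packet[:4])[0]
        sa = self.inbound.get(spi)
        return None if sa is None else sa.decapsulate(packet)  # unknown SPI: drop


class Client:
    """IPsec initiator: runs IKE (counted) and sends ESP-like packets."""

    def __init__(self):
        self.ike_handshakes, self.sa, self.seq = 0, None, 0

    def ike(self, servers, distributed: bool):
        """Negotiate a fresh SA with the first server anycast lands on and install
        it there only (per-server SA) or on every server (distributed SA)."""
        self.ike_handshakes += 1
        secret = os.urandom(32)                      # stands in for the IKE exchange
        spi = struct.unpack(">I", os.urandom(4))[0]
        self.sa, self.seq = SecurityAssociation(spi, secret), 0
        for s in (servers if distributed else servers[:1]):
            s.inbound[spi] = SecurityAssociation(spi, secret)

    def send(self, plaintext: bytes) -> bytes:
        self.seq += 1
        return self.sa.encapsulate(self.seq, plaintext)


def simulate(distributed: bool, n_packets: int = 6):
    """After the third packet the nearest server fails and anycast steers the
    client to the other one. Returns (ike_handshakes, packets_dropped)."""
    near, far = Server("pop-a"), Server("pop-b")    # assumed names
    client, dropped = Client(), 0
    client.ike([near, far], distributed)
    for i in range(n_packets):
        target, payload = (near if i < 3 else far), b"payload %d" % i
        out = target.receive(client.send(payload))
        if out is None:                               # no SA for our SPI here
            dropped += 1
            client.ike([far, near], distributed)      # must rerun IKE first
            out = target.receive(client.send(payload))
        assert out == payload
    return client.ike_handshakes, dropped


if __name__ == "__main__":
    print("distributed SA:", simulate(True))   # (1, 0)
    print("per-server SA: ", simulate(False))  # (2, 1)
```

The check worth keeping in mind for a real deployment is the replay window: replicating keys is the easy half, and the toy keeps the window per server, so a packet accepted by pop-a would still be accepted once by pop-b. A production anycast IPsec has to decide how that state is shared or bounded, which this model deliberately leaves out.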