
Competitive Analysis between VeloCloud SD-WAN with Zscaler Cloud Security, Megaport Virtual Edge and a Generic IPsec Gateway Option

Posted on February 24, 2022 — 15 Minutes Read

Software-Defined WAN (SD-WAN), the network-as-a-service component of the emerging Secure Access Service Edge (SASE) architecture, is implemented in vendor-specific ways. Some platform providers, such as Megaport, attempt to overcome this by supporting as many vendor implementations as they can on their platform, which is built on top of their software-defined infrastructure and can be tapped into as a middle-mile, on-demand connectivity solution for the increasing number of enterprise networks that embrace the cloud as the new data centre for a distributed workforce. In doing so, Megaport and the other platform providers leave the lifecycle management and service delivery of the SD-WAN appliance, physical or virtual, at the customer premise, which constitutes the first mile of the enterprise network and could be a branch location or the desktop or mobile client devices of a distributed workforce, either to the customer or to an external service provider or system integrator commissioned by the customer. While this strategy allows Megaport and the other platform providers to focus their development and commercial resources on their bread and butter, and to rely on tried and trusted service providers and system integrators to handle the donkey work in the first mile, it nonetheless introduces multiple parties with different points of contact and non-interlocking service demarcations and service level commitments, which will at best be a headache to manage and at worst expose the enterprise to unexpected risk in the network.
What follows is a competitive analysis of the VMware VeloCloud SD-WAN and Zscaler Cloud Security products, widely combined and adopted by telecommunications carriers as a SASE solution, against the Megaport Virtual Edge (MVE) platform and a generic IPsec gateway option that some platform providers consider a vendor-neutral alternative to the various vendor implementations of SD-WAN.

The two building blocks of SASE will form a basis for the analysis:

  • Network as a Service (SD-WAN)
  • Security as a Service

Two extra elements will be studied as well for additional insights:

  1. Professional Services
  2. Product Development

Below are the premises of the analysis:

  1. The first-mile is considered to be a customer premise. For a leased colocation in a data centre, the type of connectivity may be adjusted accordingly, e.g. a cross-connect if both ends of the connection are within the same facility and a direct cross-connection is possible; the considerations on the type of Customer Premise Equipment (CPE) and on the logistics, customs clearance and on-site installation hold however.

  2. The last-mile is considered to be the public clouds (IaaS) or web apps (SaaS). For an interconnection between customer premises or a leased colocation in a data centre, what holds for the first-mile holds for the last-mile.

In summary, as of Jan 24, 2022, the analysis finds that:

  1. For Megaport Virtual Edge (MVE):

    1. MVE is a platform that an enterprise customer, or an external service provider or system integrator, may leverage to create a virtual SD-WAN appliance on demand for accepting incoming connections and traffic from an SD-WAN appliance of the same vendor at a customer premise; the lifecycle management for the SD-WAN appliance at the customer premise is left to the enterprise customer or to an external service provider or system integrator commissioned by the customer.

    2. Likewise, service delivery for the SD-WAN appliance at the customer premise is left to the enterprise customer or to an external service provider or system integrator commissioned by the customer. Considering that most if not all of the SD-WAN vendors are US entities or are in one way or another subject to US Export Control, and that most if not all SD-WAN CPE are classified as 5A002 by the Export Control Classification Number (ECCN) given their cryptographic functions, the logistics and customs clearance for the SD-WAN CPE will require considerable effort and expertise that may be outside the capabilities of a typical enterprise.

    3. Its position, direction and strategy with regard to the security as a service component of a SASE solution is still to be announced.

  2. For a SASE solution with VMware VeloCloud SD-WAN and Zscaler Cloud Security widely adopted by telecommunications carriers:

    1. As a service provider, and unlike MVE, the telecommunications carrier provides service delivery and lifecycle management for the SD-WAN appliance at the customer premise through its field partners in its service regions worldwide.

    2. It provides first-mile connectivity management options and excels in professional services.

    3. The security as a service component with Zscaler Cloud Security has a clear direction.

    4. It nonetheless lacks, or lags behind in its development of, an on-demand middle-mile connectivity platform for enterprises embracing the cloud as the new data centre for a distributed workforce.

    5. While the service coverage of the typical telecommunications carrier excels in breadth, MVE’s service coverage is stronger in depth.

  3. For a generic IPsec gateway option:

    1. It has the advantage of allowing existing IPsec-capable routing equipment at the customer premise, or a software IPsec client on the desktop or mobile client devices of a distributed workforce, to be the endpoint client. The downside is that while IPsec is an Internet Engineering Task Force (IETF) standard, compatibility between the various implementations by different routing equipment or software client vendors is questionable at best or troublesome at worst.

    2. IPsec, being an age-old point-to-point client-to-server tunnelling protocol, is not cloud-native by design, in the sense that the Security Associations (SAs) from the IKE handshake stay strictly with the IPsec server, physical or virtual. As such, in the event of a failure of the IPsec server, the IPsec connection will have to be re-established. An implementation of IPsec that overcomes this server-client limitation while staying compatible with generic IPsec clients has been developed by Cloudflare and is aptly named Anycast IPsec. Still, considering that IPsec is an IETF standard, there is only so far one can go without breaking compatibility with the generic implementation that is its key advantage.

  4. All in all, given that most if not all vendor implementations of SD-WAN are vendor-specific, in the sense that for example a VMware VeloCloud SD-WAN appliance will not and cannot connect with a Cisco Viptela SD-WAN appliance: a generic IPsec gateway option is vendor-neutral, taken with a pinch of salt given the questionable compatibility between the various implementations, at the cost of lacking advanced SD-WAN features such as central network orchestration, application-aware routing and traffic reporting that were spearheaded by the various SD-WAN vendors. MVE attempts to overcome the vendor-specificity of SD-WAN by supporting multiple vendor implementations, notwithstanding that having multiple vendor-specific solutions is far from having a vendor-neutral one, at the cost of leaving the lifecycle management and service delivery for the SD-WAN appliance at the customer premise, which could be a branch location or the desktop or mobile client devices of a distributed workforce, to the customer or to an external service provider or system integrator, by virtue of Megaport not being a service provider, which means that doing so for multiple SD-WAN vendors is well beyond its capabilities. A telecommunications carrier, as a service provider, provides lifecycle management and service delivery for the SD-WAN appliance at the customer premise, with full professional services and technical support, at the cost of dedicating itself to a few vendor-specific implementations of SD-WAN in light of limited IP and Customer Engineering resources.

Below is the in-depth analysis.

The comparison is laid out per product and service component, across the Generic IPsec Gateway Option, Megaport Virtual Edge and SASE by Telecommunications Carrier, each followed by a remark.

Network as a Service (SD-WAN): First-Mile, e.g. customer premise of a branch location, or the desktop or mobile client devices

Endpoint Client
  Generic IPsec Gateway Option: Existing, customer- or external service provider-/system integrator-provided, operated and managed physical appliance, or virtual appliance on a hardware platform, with IPsec support.
  Megaport Virtual Edge: Customer- or external service provider-/system integrator-provided, operated and managed physical appliance, virtual appliance on a hardware platform or software client on client devices, of a make and model by one of the supported SD-WAN vendors:
    1. Cisco Viptela
    2. Fortinet FortiGate
    3. Versa FlexVNF
    4. VMware VeloCloud
  SASE by Telecommunications Carrier: Provided by the telecommunications carrier as part of the professional services. Physical VeloCloud SD-WAN Edge (VCE) appliance or virtual VCE on a Universal Customer Premise Equipment (uCPE).
  Remark: The IPsec gateway option allows existing IPsec-capable routing equipment at the customer premise, or a software IPsec client on the desktop or mobile client devices of a distributed workforce, to be used as the endpoint client; the downside is that while IPsec is an IETF standard, compatibility between the various implementations by different routing equipment or software client vendors is questionable at best or troublesome at worst.

  MVE and telecommunications carriers eliminate any compatibility issue by relying on a single vendor for all equipment in the same enterprise network.

  MVE allows for different SD-WAN vendors for different enterprise SD-WAN networks (still one SD-WAN vendor per enterprise SD-WAN network, for these SD-WAN vendors are not interoperable in the sense that a VMware VeloCloud SD-WAN appliance will not and cannot connect with a Cisco Viptela SD-WAN appliance).

  MVE does not provide lifecycle management for the SD-WAN appliance at the customer premise.

  For a software client on a server or on desktop or mobile client devices, please refer instead to the Competitive Analysis between VeloCloud SD-WAN with Zscaler Cloud Security and Cloudflare One SASE, for it is outside the scope of this analysis.

Logistics, Customs Clearance and On-site Installation
  Generic IPsec Gateway Option:
    1. If it is existing routing equipment available at the customer premise, then the logistics, customs clearance and on-site installation are already taken care of.
    2. If new IPsec-capable routing equipment is needed, then the logistics, customs clearance and on-site installation will need to be provided either by the customer or by an external service provider/system integrator.
  Megaport Virtual Edge: Customer- or external service provider-/system integrator-provided.
  SASE by Telecommunications Carrier: Provided by the telecommunications carrier as part of the professional services.
  Remark: For MVE, considering that most if not all of the SD-WAN vendors are US entities or are in one way or another subject to US Export Control, and that most if not all SD-WAN CPE are classified as 5A002 by the ECCN given their cryptographic functions, the logistics and customs clearance for the SD-WAN CPE will require considerable effort and expertise that may be outside the capabilities of a typical enterprise.

Connectivity
  Generic IPsec Gateway Option:
    1. Internet
      1. If it is an existing internet connection, then no extra subscription is needed.
      2. If a new internet connection is required, the provisioning and installation will need to be managed either by the customer or by an external service provider/system integrator with a connectivity provider.
    2. Private interconnection
      1. No or limited option for a private interconnection for network performance or service level assurance.
  SASE by Telecommunications Carrier:
    1. Internet
      1. If it is an existing internet connection, then no extra subscription is needed.
      2. If a new internet connection is required, it can be provided by PCCW Global with our professional services.
    2. Private interconnection
      1. Local loop as a private interconnection for network performance or service level assurance.
  Remark: The telecommunications carrier provides more first-mile connectivity options.
Network as a Service (SD-WAN): Last-Mile, e.g. public cloud (IaaS) or web app (SaaS)

Endpoint Client: Not required for IaaS or SaaS.
  Remark: Establishing connectivity with dynamic or static routing to public clouds differs by the cloud provider.

  While it is possible to operate an instance of a virtual SD-WAN appliance on IaaS to connect it with the rest of the customer network, most if not all of the recommended interconnection options provided by the IaaS do not require a virtual SD-WAN appliance on IaaS as an endpoint.

Logistics, Customs Clearance and On-site Installation

Connectivity
  Generic IPsec Gateway Option: Not available (for it depends on the provider, whereas this here depicts a possible option to be taken on by a provider).
  Megaport Virtual Edge:
    1. IaaS
      1. Layer 2 Megaport Virtual Cross Connect (VXC) on demand by self-service on the Megaport Portal, with Layer 3 options provided by Megaport Cloud Router (MCR) or Megaport Virtual Edge (MVE).
    2. SaaS
      1. Internet breakout from MVE.
  SASE by Telecommunications Carrier:
    1. IaaS
      1. Layer 2 and Layer 3 connectivity over the MPLS backbone network of the telecommunications carrier.
    2. SaaS
      1. Internet breakout from VeloCloud SD-WAN Gateway (VCG).
  Remark: Last-mile connectivity options on par.
Network as a Service (SD-WAN): Middle-Mile

Coverage
  Megaport Virtual Edge:
    1. No service availability in South America, Africa and the Middle East
    2. Limited availability in Central or Eastern Europe, and Southeast Asia
    3. Strong coverage in the US
  SASE by Telecommunications Carrier: Often in the range of 20 to 30 instances of VCG.
  Remark: MVE’s service coverage is stronger in depth, whereas the telecommunications carrier often excels in breadth.

DDoS Protection
  Megaport Virtual Edge: Yes.
  SASE by Telecommunications Carrier: Often not enabled for the VCG.
  Remark: Whether or not the DDoS mitigation with MVE is metered is not specifically mentioned.
SD-WAN Overlay
  Generic IPsec Gateway Option: IPsec.
  Megaport Virtual Edge: Secure and performant vendor-specific overlay:
    1. IPsec with Cisco Viptela
    2. Auto Discovery VPN (IPsec-based) with Fortinet FortiGate
    3. IPsec with Versa FlexVNF
    4. Dynamic Multipath Optimisation (DMPO) with VMware VeloCloud
  SASE by Telecommunications Carrier: VeloCloud Dynamic Multipath Optimisation (DMPO) with:
    1. Per-packet traffic steering (prevents an application session drop even if one of the physical WAN links disconnects)
    2. Negative Acknowledgement (NACK) to retransmit a dropped TCP packet before the TCP protocol notices the packet drop and applies congestion control through the Congestion Window (CWND)
    3. Forward Error Correction (FEC) to remediate packet loss
    4. Jitter buffer to remediate jitter
  Remark: Despite IPsec being an IETF standard, compatibility between the various implementations by different routing equipment or software client vendors is questionable at best or troublesome at worst.

  IPsec, being an age-old point-to-point client-to-server tunnelling protocol, is not cloud-native by design, in the sense that the Security Associations (SAs) from the IKE handshake stay strictly with the IPsec server, physical or virtual. As such, in the event of a failure of the IPsec server, the IPsec connection will have to be re-established. An implementation of IPsec that overcomes this server-client limitation while staying compatible with generic IPsec clients has been developed by Cloudflare and is aptly named Anycast IPsec. Still, considering that IPsec is an IETF standard, there is only so far one can go without breaking compatibility with the generic implementation that is its key advantage.

  While some SD-WAN vendors base the encryption and encapsulation of the data and/or management plane of their SD-WAN implementations on IPsec, in order to orchestrate the Create, Read, Update, Delete (CRUD) of these encrypted tunnels within the data and/or management plane, vendor-specific algorithms are often added, which render the SD-WAN equipment of these vendors non-interoperable.

Network Monitoring and Orchestration
  Generic IPsec Gateway Option: Not available (for it depends on the provider, whereas this here depicts a possible option to be taken on by a provider, notwithstanding that IPsec by design does not have native monitoring and orchestration options).
  Megaport Virtual Edge: Customer- or external service provider-/system integrator-provided, operated and managed vendor-specific SD-WAN management component.
  SASE by Telecommunications Carrier: VeloCloud Orchestrator (VCO) portal and API provided, operated and managed by the telecommunications carrier, with rich application-centric traffic history and WAN quality metrics.
  Remark: MVE does not provide the management component for the SD-WAN network.
Security as a Service

Feature
  • Anti-Malware
  • Intrusion Detection and Prevention Systems (IDS/IPS)
  • Secure Web Gateway (SWG)
  • Firewall as a Service (FWaaS)
  • SSL Inspection
  • Data Loss Prevention (DLP)
  • Remote Browser Isolation (RBI)
  • Cloud Sandboxing
  • Cloud Access Security Broker (CASB)
  • Zero-Trust Network Access (ZTNA)
  Generic IPsec Gateway Option: Not available (for it depends on the provider, whereas this here depicts a possible option to be taken on by a provider).
  Megaport Virtual Edge: Not available.
  SASE by Telecommunications Carrier: Zscaler Internet Access (ZIA) and Private Access (ZPA), as the security as a service component, support all of these features.
  Remark: Megaport’s position, direction and strategy with regard to the security as a service component of a SASE solution is still to be announced.
Professional Services

Project Management
  Generic IPsec Gateway Option: Not available (as a self-service product).
  Megaport Virtual Edge: Not available (as a self-service product). The status of MVE can however be monitored on the Megaport Portal or through the Megaport API.
  SASE by Telecommunications Carrier: Professional project management by the Global Service and Operation team.
  Remark: The telecommunications carrier excels in professional services.

Proactive Service Monitoring
  SASE by Telecommunications Carrier: 24×7 proactive service monitoring by the Global Service Operation Center. The status of the customer network can also be monitored on the VCO portal or through the VCO API.

Fault Reporting and Handling
  Megaport Virtual Edge: Email-based fault reporting with an escalation process.
  SASE by Telecommunications Carrier: 24×7 service hotline for fault reporting, with well-defined response time and escalation process for fault handling.

Service Level Agreement (SLA)
  Megaport Virtual Edge: Service Availability target of 99.995%, with reimbursement of up to 1x the Recurring Charge.
  SASE by Telecommunications Carrier: Service Availability Guarantee often depends on the Service Package subscribed.
Product Development

Technology Monopoly, e.g. 10x Better
  Generic IPsec Gateway Option: Unlikely, for IPsec is an IETF standard and there is only so far one can go without breaking compatibility with the generic implementation that is its key advantage.
  Megaport Virtual Edge: Vendor-defined SASE solution with an in-house development automation platform.
  SASE by Telecommunications Carrier: Vendor-defined SASE solution.
  Remark: Vendor-defined in the sense that the network and security as a service components are provided and to be defined by external technology vendors. The automated platform on which the solution is delivered is nonetheless specific to Megaport.