[AusNOG] SDWAN Security

Matthew VK3EVL hitman at itglowz.com
Tue Jun 1 07:48:22 EST 2021


Very much a cynic here.
I’ve been told several times by several vendors how I should go to sdwan (over the current MPLS) because that’s what everyone is doing. I can usually finish them in one or two questions.
What about QoS, can you guarantee that?
Yes? How can you guarantee QoS over a public internet connection?

A few confused/concerned looks around the room.
Why do you need QoS is usually the next question.

I’m all for progress and SD everything, but it needs to be an improvement on what I have, not a step backwards and having my configuration reliant on something outside my network.

The only other thing that bugs me about Meraki (this may have changed) is you spend money on hardware, then you pay a subscription. If you stop paying the subscription, that hardware stops working, whilst the old 800 series keeps chugging away, albeit without updates, if you stop paying maintenance. I see this as a risk: if someone is late paying a bill, someone misses a remittance email, someone ticks the wrong box, the network is gone. Sure it can be rectified, but at what cost to lost productivity?

SDWAN has its place but it isn’t an improvement on MPLS imho.


> On 31 May 2021, at 19:58, dusty <dusty.au at gmail.com> wrote:
> 
> 
> Heya,
> 
> How are those solutions more suited to swapping in for an MPLS network? Aren't they all just some flavour of VPN with a cloud frontend, and some neat failover behaviours?
> 
> I am in the unenviable position of having to prove "why not Meraki", rather than "what's the best option". Hopefully that comes later, but the Meraki solution has some...investment...to overcome.
> 
> And that can only be done with hard facts
> 
> 
>> On Mon, 31 May 2021, 7:22 pm Radek Tkaczyk, <radek at tkaczyk.id.au> wrote:
>> Hi Dusty,
>> 
>> I don’t think you will find that Cisco Meraki is not a proper SDWAN solution. It’s just a glorified VPN with a cloud dashboard. If you call that SDWAN then SDWAN has been around for 30 years then.....
>> 
>> You need to be looking at proper SDWAN solutions like Velocloud (VMware), Cisco Viptela, Peplink, etc. These are proper SDWAN solutions that can replace an MPLS.
>> 
>> Sent from my iPhone
>> 
>>> On 31 May 2021, at 4:09 pm, Dale Shaw <dale.shaw+ausnog at gmail.com> wrote:
>>> 
>>> 
>>> Hi Dusty,
>>> 
>>> Full disclosure: I work for VMware (we have a SD-WAN offering) but I’ll keep it agnostic—
>>> 
>>>> On Mon, 31 May 2021 at 12:49 pm, dusty <dusty.au at gmail.com> wrote:
>>>> Hi Folks,
>>>> 
>>>> After a number of years being more managerial than technical, I find myself staring at a proposal to swap a perfectly good MPLS network with some Meraki shenanigans.
>>>> 
>>>> This, frankly, gives me the heebie jeebies.
>>>> 
>>>> I've done a bunch of poking around but, alas, it is remarkably difficult to locate reliable analyses of the actual security (or lack thereof) of these solutions - plenty of glossy marketing and whizzbang, not a lot of facts.
>>>> 
>>>> Can anyone point me in the direction of some decent whitepapers, blogs, etc about the relative merits of these things?
>>>> 
>>>> Thanks!
>>>> --dusty (in Brisbane)
>>> 
>>> (tl;dr: talk to your friendly vendor SE.)
>>> 
>>> What sort of collateral would you look for, to give warm fuzzies, if you were evaluating a traditional WAN routing platform?
>>> 
>>> You should be able to find security whitepapers and other technical documents that describe management and data plane security, use of crypto/PKI etc.
>>> 
>>> Vendors targeting enterprise customers should be putting their products through security evaluation frameworks such as Common Criteria — look for certification, in-flight or completed, against the Network Device collaborative Protection Profile (NDcPP) plus optional modules like VPN. Crypto libraries may be FIPS 140-2 [US centric] certified.
>>> 
>>> For vendors offering things as-a-service, certifications and statements of conformance against other regulatory frameworks should be applicable (SOC, FedRAMP [again US centric], IRAP etc. may exist).
>>> 
>>> Cheers,
>>> Dale
>>> 
>>> _______________________________________________
>>> AusNOG mailing list
>>> AusNOG at lists.ausnog.net
>>> http://lists.ausnog.net/mailman/listinfo/ausnog