Macnica reveals the "right" way to break out of the Internet, essential in the cloud era


Mr. Kyouhei Komatsu of Macnica (Sales Division 1, Sales Department 2, Section 1) took the stage at the seminar "Why SD-WAN should be considered now that speed is required above all else," hosted by mynavi on September 18, 2012, and spoke on the topic "What is the 'right' Internet breakout that is essential in the cloud era?"

Mr. Kyohei Komatsu, Macnica 1st Sales Department, 2nd Sales Department, 1st Section

Macnica was one of the first companies to deploy SD-WAN products in Japan.

Macnica sells various IT products domestically with the mission of "being the most trusted partner for our customers as the industry's top runner that continues to provide the world's latest technology." With regard to SD-WAN products, the company has been a pioneer in providing brands such as Viptela, Citrix, Cato, Aruba EdgeConnect SD-WAN, and Aruba.

Mr. Komatsu first cited the latest IDC Japan research on SD-WAN market trends, saying, "The market, which was about 1.8 billion yen in 2018, will grow significantly to about 5.4 billion yen in 2019, and furthermore is expected to expand to 34.6 billion yen by 2023. This figure also shows that the SD-WAN market is booming."

Next, Mr. Komatsu raised four points about what can be done with SD-WAN.

The first is that routers can be configured with zero touch. Since the settings are downloaded automatically as soon as the device is powered on, it can be deployed without anyone visiting the site.

Second, the network can be centrally managed. From a single management console, you can centrally manage the location and operating status of each site's router.

The third is that routing can be controlled at the application level. In a conventional L3 network, routes were controlled by IP address and similar attributes, but SD-WAN can recognize applications such as "Office 365" and "Cisco WebEX" and assign a route to each application.

The fourth is the ability to make active use of the Internet. You can monitor line conditions and switch to a line in good condition, or use the WAN optimization function to speed up or stabilize communication. It is possible to improve the quality of an Internet line to a level close to that of a dedicated line.

Some issues cannot be addressed by WAN reinforcement or WAN speedup

Among these benefits, Mr. Komatsu focused on and explained route control at the application level.

"Our company holds monthly SD-WAN seminars in Tokyo and Osaka. In the questionnaire we conducted, we asked, 'What are the advantages of introducing SD-WAN?' The first was 'connection to the cloud'. Using cloud services such as Office 365, G Suite, and Box puts a load on the network, but many people believe that SD-WAN is an effective countermeasure. That's it." (Mr. Komatsu)

The SD-WAN countermeasure for connecting to the cloud is the so-called "Internet breakout". In a conventional WAN configuration, the Internet gateway existed only in the data center, and all cloud traffic was backhauled (detoured) through it.

Therefore, when SaaS was introduced, WAN bandwidth usage and the number of sessions increased, placing a heavy load on the equipment in the data center. In addition, there were issues such as poor user experience due to network delays at sites far from the Internet exit, and difficulty in unifying security policies.

In the past, these issues were dealt with by increasing WAN lines, introducing ADCs, increasing WAN speeds, and introducing dedicated lines such as ExpressRoute. That's where Internet breakouts come in.

"An Internet breakout is an SD-WAN that recognizes an application and connects only specific communications directly from a base to the Internet. There is no need to increase the speed of WAN lines or to upgrade proxy servers or firewalls, WAN speedup is also included in the functions, and there are high expectations for it as a particularly effective countermeasure against SaaS." (Mr. Komatsu)

The points are the first packet problem, security, and proxy configuration

According to Mr. Komatsu, there are three points to consider in Internet breakouts: the "first packet problem", "security", and "proxy configuration".

The first is the first packet problem. Many SD-WAN products use a Deep Packet Inspection (DPI) engine to recognize applications, but because of how DPI works, the application cannot be recognized from the first packet sent. If the application cannot be recognized, the first packet is sent toward the data center side. Even if the application is recognized from the second packet onward and an Internet breakout is attempted at that point, the source IP changes, so the communication itself does not work. The Internet breakout cannot be realized, either because the connection cannot be established or because the application side regards the packets as unauthorized access and drops them.

"We have handled multiple SD-WAN products, but recognizing applications is a very difficult technology. Along with the first packet problem, major cloud services have hundreds to thousands of IP addresses that are updated every day, so the SD-WAN side needs to follow them automatically, and it is difficult to achieve a 'correct' Internet breakout with just the DPI mechanism." (Mr. Komatsu)

The second point, security, arises because Internet breakouts access the Internet directly from the sites.
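The first packet problem and the need to track changing SaaS addresses, as an added simulation that is not part of the original article or any vendor's implementation. The addresses, the `saas-app` name and the prefix-lookup classifier are constructed assumptions; the article does not describe how any product's DPI-independent recognition works internally.

```python
import ipaddress

# Constructed values (documentation address ranges), not taken from the article.
BRANCH_NAT_IP = "198.51.100.10"  # source IP the SaaS sees on local breakout
DC_NAT_IP = "203.0.113.10"       # source IP the SaaS sees when backhauled
CURRENT_PREFIXES = {"saas-app": [ipaddress.ip_network("192.0.2.0/24")]}
STALE_PREFIXES = {"saas-app": [ipaddress.ip_network("192.0.2.0/25")]}

# Client-to-server packets of one constructed TCP/TLS flow, in send order.
# The handshake packets carry no payload for an inspection engine to read.
FLOW = [("SYN", b""), ("ACK", b""),
        ("ClientHello", b"sni=app.saas.example"), ("data", b"...")]


def dpi_classify(payloads_seen):
    """DPI stand-in: names the app only once payload (an SNI string) is seen."""
    return "saas-app" if any(b"saas.example" in p for p in payloads_seen) else None


def prefix_classify(dst_ip, prefixes):
    """DPI-independent stand-in: decide from the destination address alone."""
    addr = ipaddress.ip_address(dst_ip)
    for app, nets in prefixes.items():
        if any(addr in net for net in nets):
            return app
    return None


def simulate(dst_ip, mode, prefixes=CURRENT_PREFIXES):
    """Return (source IP the server sees per packet, session_survives)."""
    seen, sources = [], []
    for _name, payload in FLOW:
        seen.append(payload)
        app = dpi_classify(seen) if mode == "dpi" else prefix_classify(dst_ip, prefixes)
        sources.append(BRANCH_NAT_IP if app else DC_NAT_IP)
    # A TCP connection is bound to the source IP of its SYN. Packets that later
    # arrive from a different source match no connection and are dropped.
    return sources, all(src == sources[0] for src in sources)


def broke_out(sources):
    """True only if every packet, including the first, left via the branch."""
    return all(src == BRANCH_NAT_IP for src in sources)


if __name__ == "__main__":
    for label, args in [("dpi", ("192.0.2.200", "dpi")),
                        ("prefix", ("192.0.2.200", "prefix")),
                        ("stale prefix", ("192.0.2.200", "prefix", STALE_PREFIXES))]:
        sources, ok = simulate(*args)
        print(f"{label:13} survives={ok} breakout={broke_out(sources)} {sources}")
```

The stale-prefix case keeps the session alive but silently backhauls it, which is why the address table has to follow the provider's updates automatically.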

"In the case of an Internet breakout limited to a specific SaaS, recognizing the correct app is also one of the security measures. In fact, there are also examples of direct access to SaaS without going through a UTM or proxy." (Mr. Komatsu)

The third point is proxy configuration: a setup in which the proxy is explicitly specified in a PAC file or the like is not suitable for Internet breakouts. Therefore, it is effective to migrate from an on-prem proxy to cloud proxy services such as Zscaler and Symantec WSS. "By using a cloud proxy, we are freed from the trouble of operating PACs, and the merits of introducing them are enormous, such as the realization of finer control and the ability to unify security policies globally."

To address these issues, Macnica proposes selecting an SD-WAN product that supports a "DPI-independent application recognition mechanism," "accurate application recognition," and "cloud proxy."

The strengths of the SD-WAN product "Aruba EdgeConnect SD-WAN" that lives in the cloud era

Macnica provides HPE Aruba's SD-WAN, which has the bold catchphrase "SD-WAN for Internet breakout." HPE Aruba has a 15-year track record as a WAN optimization/acceleration vendor, and provides SD-WAN products to more than 1,500 companies worldwide. Its unique feature is accurate breakout using "First-packet iQ (patented technology)," which does not rely on DPI.

A system integrator said that by combining Aruba EdgeConnect SD-WAN with Symantec WSS, it was able to solve WAN-related issues while realizing a secure way of working as part of its work style reform.

In addition, a certain Web service provider faced an increase in the number of sessions and pressure on line bandwidth after introducing Office 365, which hindered business operations. It therefore adopted Aruba EdgeConnect SD-WAN and migrated to a network environment where Internet breakout is possible.

"The point is that Internet breakout is achieved by placing Aruba EdgeConnect SD-WAN only under the existing router without installing an SD-WAN router on the opposite side. It takes time to review the WAN, but this configuration can be implemented very easily."

* It is said to have a large track record for Internet breakout purposes.

"Over the past few years, the company-wide introduction of SaaS has exploded. An increasing number of companies are introducing Internet breakouts as a means of dealing with the increase in traffic and number of sessions that accompany the introduction of SaaS. We would like you to pay attention to the first packet problem, security, and proxy configuration, and introduce SD-WAN that can achieve the 'correct' Internet breakout." (Mr. Komatsu)

Reprinted from: My Navi News
