Providing open solutions that minimize vendor lock-in is key to the continued growth of SD-WAN services, writes Heavy Reading's Jim Hodges.

Jim Hodges, Chief Analyst - Cloud and Security, Heavy Reading

February 17, 2020

SD-WAN security: The impact of orchestrated services multiplicity

The pace of software-defined wide-area network (SD-WAN) deployments has experienced strong growth over the past four years. As a result, the SD-WAN has already become a strategic component of many communications service provider (CSP) networks.

One reason for SD-WAN growth is that the service richness of SD-WANs continues to evolve, such as with the integration of security services into those deployments. Increasingly, SD-WAN security services are becoming an important differentiator, playing a major role in the managed SD-WAN service provider selection process. As the SD-WAN security service portfolio continues to evolve, CSPs will continue to commercialize 5G networks that utilize an application-centric services model. Thus, SD-WAN security services will only expand in value and relevance.

In order to understand the business drivers and technical requirements, Heavy Reading launched the SD-WAN Security Market Leadership Study (MLS) with collaboration partners Amdocs, Fortinet, Lavelle Networks and Nuage Networks in Q4 2019. The survey attracted 90 qualified global respondents and documented SD-WAN security service use cases, implementation timelines, the impact of virtualization, automation and analytics, as well as technical requirements, including orchestration strategies.

Virtualization and the security bundle
A key opportunity associated with applying virtualization (via virtualized network functions [VNFs]) to managed SD-WAN security services is the ability to bundle them into flexible configurations to enhance service differentiation.

As captured in Figure 1, there is substantial interest in adopting this approach, in large part because it helps CSPs differentiate on many levels. It enables the delivery of tailored security services with multiple appearances supported by flexible security service bundles.

Examples of this broad services multiplicity approach can be seen in the range of "we have implemented" (10%-32%) responses, which provides a view of the number of security-based VNFs that have already been deployed. The "plan to implement in 12 months" (27%-40%) responses also indicate substantial interest. Based on these inputs, it is readily apparent that CSPs are strongly in favor of bundling VNFs. Of all the possibilities, the top three priorities are vFirewall (32% + 27%), intrusion prevention (25% + 30%), and DDoS detection & mitigation (24% + 33%).

However, there is considerable support for other services such as web filtering (40%), packet filtering (35%) and application control (30%) based on "plan to implement in 12 months" inputs. This support confirms that SD-WAN security service portfolio richness and multiplicity will drive strong services growth in the next 12 months.

Figure 1: SD-WAN VNF-Based Service Bundle Implementation Status. Question: Do you plan to support service bundles/offerings of virtual network functions with your SD-WAN service? (N=88). Source: Heavy Reading


Orchestrating security services: farewell to the status quo
A significant number of service providers are focused on introducing best-of-breed security services into their SD-WAN portfolio. One important consideration that must be addressed is how to orchestrate these security VNFs and bundle managed SD-WANs with value-added network and security services.

A key finding from the research in this regard is that CSPs' focus on integrating security services into their SD-WAN portfolio will also affect their network functions virtualization (NFV) orchestrator vendor selection strategies.

For example, as shown in Figure 2, more than a third of the respondents (34%) prefer to utilize a third-party open source orchestrator that is SD-WAN vendor-agnostic and can be deployed in multiple service environments. In second place (30%) is support for a third-party but proprietary NFV orchestrator. In third place is the "status quo" option of utilizing the SD-WAN orchestrator supplied by the SD-WAN vendor (25%).

In a multivendor environment of SD-WANs and various VNFs, the orchestration function is essential to the agility and flexibility of CSPs' service deployments. Heavy Reading believes that the number one ranking of the open source vendor-agnostic orchestration option versus the status quo vendor-supplied approach is significant. It confirms that CSPs have sharpened their focus on open solutions to minimize vendor lock-in and enable them to seamlessly orchestrate the rich security services portfolio their enterprise customers now demand.

Figure 2: Security NFV Orchestration Preferences. Question: What is your preferred approach for orchestrating security VNFs in an SD-WAN network? (N=89). Source: Heavy Reading



This blog is sponsored by Amdocs.

— Jim Hodges, Chief Analyst – Cloud and Security, Heavy Reading


About the Author(s)

Jim Hodges

Chief Analyst - Cloud and Security, Heavy Reading

Jim leads Heavy Reading's research on the impact of NFV on the control plane and application layers at the core and edge. This includes the evolution path of SIP applications, unified communications (UC), IP Multimedia Subsystem (IMS), session border controllers (SBCs), Diameter signaling controllers (DSCs), policy controllers and WebRTC. Jim is also focused on the network and subscriber impact of Big Data and Analytics. He authors Heavy Reading's NFV and SDN Market Trackers. Other areas of research coverage include Subscriber Data Management (SDM) and fixed-line TDM replacement. Jim joined Heavy Reading from Nortel Networks, where he tracked the VoIP and application server market landscape and was a key contributor to the development of Wireless Intelligent Network (WIN) standards. Additional technical experience was gained with Bell Canada, where he performed IN and SS7 network planning, numbering administration, technical model forecast creation and definition of regulatory-based interconnection models. Jim is based in Ottawa, Canada.
