Over the past few months I’ve spent a lot of time working with and researching some of the top SD-WAN vendors in the market right now to continue developing CDW’s Professional Services. In this blog series, I’d like to share overviews of each solution, my thoughts and the strengths and areas for improvement that I think apply to each solution. The goal of this blog series is to focus on technical aspects of these solutions and to avoid marketing fluff.
I’ve written extensively about some of the key tenets of SD-WAN, the decision-making process and items to consider when deploying SD-WAN solutions. These blogs are linked below for convenience:
While the above blog posts cover SD-WAN from a vendor-neutral “food-for-thought” perspective, this series, in contrast, covers each vendor with a specific and technical lens. I covered Cisco SD-WAN, formerly Viptela, in my last post. This blog will look at another one of the top contenders: Silver Peak Systems.
Solution Overview: Silver Peak
Silver Peak provides a unified SD-WAN edge platform driven by a business-first networking model. Through the Silver Peak Orchestrator, a business can gain critical intelligence and insight into application performance, network security, efficiency and traffic categorization across the enterprise. This solution allows for an extremely agile approach to the allocation of network resources based on top-down business policies and user experience.
Combined with Orchestrator, the Edge Connect appliances provide a unified platform for SD-WAN, WAN optimization, routing, security integrations and service chaining, allowing for a true SD-WAN platform that can continually adapt to the ever-changing landscape demanded by the modern enterprise.
Solution Elements’ Functional Roles
Before we dive too far into the solution overview, I think it’s important to level set on the components of the solution, and their respective roles.
Unity Orchestrator: The Silver Peak Orchestrator manages, provisions and monitors the Silver Peak devices within a given network. It can be deployed as a virtual machine (VM) within the on-premises customer environment, as a cloud appliance, or hosted as a service by Silver Peak.
Unity Cloud Portal: The Cloud Portal is Silver Peak’s entry point on the internet that’s used for managing device licensing. The Cloud Portal facilitates the initial connection between the Orchestrator and an Edge Connect Appliance. All devices and Orchestrators are registered with the Cloud Portal.
Unity Edge Connect Appliance: The Edge Connect Appliances optimize and transport traffic between the sites in the network. Edge Connect Appliances can be installed as dedicated physical hardware purchased through Silver Peak, which has a burnt-in serial number, or as a virtual appliance running on a customer’s hypervisor, which must be serialized upon installation.
Unity Boost WAN Optimization: Boost is an optional WAN optimization performance pack, available with additional investment, that combines Silver Peak WAN optimization technologies such as TCP Acceleration and Network Memory to create a unified high-performance solution.
With the uniquely developed technologies discussed above in the “Solution Elements’ Functional Roles” section, Silver Peak provides enterprises with optimized WAN edge appliances that collapse a traditional infrastructure of a router, firewall, WAN optimization device and SD-WAN appliance into a single unit to provide a simple, agile and cost-effective platform. Silver Peak also provides additional feature licensing with a flexible adoption model that can be purchased and applied based on the feature sets and bandwidth needed to provide additional WAN optimization and network intelligence capabilities to the already robust platform.
Integration with Silver Peak’s Cloud Portal, which manages licensing and initial contact, allows administrators to perform Zero Touch Provisioning and Zero Touch Configuration of Edge Connect Appliances. Utilizing Orchestrator as a single configuration point, previously complex deployments such as proxying traffic to a service (Zscaler, for example) or maintaining an up-to-date database of software applications’ publicly reachable IP addresses (to facilitate optimized Software as a Service traffic) become simple and easy to deploy in a rapid manner to Edge Connects across the organization.
Silver Peak’s Unity Orchestrator provides centralized policy management, monitoring and reporting features for the SD-WAN platform. Orchestrator has three flexible deployment models: on-premises VM deployment, customer-hosted cloud deployment or a Silver Peak hosted as a Service deployment. Silver Peak’s hosted as a Service deployment method is fully managed and maintained by Silver Peak and requires zero additional CAPEX. This flexibility allows customers to deploy their Orchestrator in the fashion that best suits their business needs and is most sustainable for the long term.
Orchestrator provides customers with the ability to rapidly and centrally configure and monitor application quality of service and security policies for thousands of sites from a centralized dashboard with single-screen administration. This centralized orchestration contributes to overall ease of deployment and management and allows for an agile adoption with a lean and efficient network management team.
In addition to the centralized configuration capabilities of Orchestrator, a consumer is also presented with a single-pane dashboard for real-time monitoring, alerting and visibility into the network, as well as the ability to access a detailed historical backlog of reporting and analytics to further understand the business needs related to the SD-WAN fabric. This dashboard can be consumed in several formats to provide high-level geographic health overviews, granular analysis of live traffic flows, an overview of appliances connected to the network and more.
Business Intent Overlays
Business Intent Overlays, or BIOs, comprise the bulk of Silver Peak’s SD-WAN offering as they are used to create the overlay tunnels, as well as apply policy to traffic transiting the SD-WAN fabric. Business Intent Overlays specify how traffic of certain types is characterized and handled within the network, and these characteristics are used by Unity Orchestrator to dynamically build and destroy tunnels across the overlay based on the needs of the traffic. The figure below provides an example of how BIOs can be configured to meet organizational needs and how the dynamic tunnel creation can be utilized to provide maximum quality and efficiency regardless of the underlay transport in use.
Overlay tunnels created by the BIOs consist of bonded underlay tunnels, which are the IPSec tunnels created across the underlying transport (MPLS, internet, cellular, etc.). These overlay tunnels are created dynamically using labels built in Orchestrator to meet traffic requirements and to optimize routing and traffic flow between sites.
In addition to traffic optimization via the link bonding discussed above, Silver Peak SD-WAN also provides path conditioning via Forward Error Correction and Packet Order Correction. These two technologies allow Silver Peak Edge Connect Appliances to optimize traffic across the WAN by rebuilding packets that are lost or dropped during transmission (FEC) and caching and correctly ordering packets that have traversed different underlays and arrived out of order (POC). The figure below provides a visual depiction of Forward Error Correction and Packet Order Correction respectively.
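The two mechanisms described above, as an added Python sketch that is not Silver Peak's code. It assumes one XOR parity packet per group of four data packets (the page does not say which FEC scheme the appliances use), and `add_parity`, `receive` and `demo` are hypothetical names.

```python
from functools import reduce

def xor_bytes(a, b):
    """XOR two payloads, padding the shorter one with zero bytes."""
    n = max(len(a), len(b))
    return bytes(x ^ y for x, y in zip(a.ljust(n, b"\0"), b.ljust(n, b"\0")))

def add_parity(packets, group=4):
    """Sender side: after every `group` data packets, emit one parity packet
    carrying the XOR of their payloads plus the seq -> length map it covers."""
    out = []
    for i in range(0, len(packets), group):
        block = packets[i:i + group]
        parity = reduce(xor_bytes, (p for _, p in block))
        out.extend(("data", seq, payload) for seq, payload in block)
        out.append(("parity", {seq: len(p) for seq, p in block}, parity))
    return out

def receive(wire):
    """Receiver side, processed as one batch for simplicity: rebuild a single
    missing packet per group (FEC), then release in sequence order (POC)."""
    got = {seq: payload for kind, seq, payload in wire if kind == "data"}
    for kind, covered, parity in wire:
        if kind != "parity":
            continue
        missing = [s for s in covered if s not in got]
        if len(missing) == 1:   # XOR parity can repair exactly one loss
            rebuilt = reduce(xor_bytes, (got[s] for s in covered if s in got), parity)
            got[missing[0]] = rebuilt[:covered[missing[0]]]
    return [got[s] for s in sorted(got)]

def demo():
    """Constructed traffic: 8 packets, seq 2 lost, the rest arriving reversed."""
    sent = [(i, f"pkt-{i}".encode() * (i + 1)) for i in range(8)]
    wire = [p for p in add_parity(sent) if p[:2] != ("data", 2)]
    wire.reverse()   # stands in for underlays with different latency
    return receive(wire) == [p for _, p in sent]
```

With two losses in the same group the parity packet cannot help, and `receive` simply returns what arrived, still in order.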
UDP IPSec Tunnel Mechanisms
Silver Peak Edge Connect Appliances approach tunnel creation in a unique way. Traditional IPSec tunnels are built using Internet Key Exchange version 2 (IKEv2) and use a set of well-known User Datagram Protocol (UDP) ports for Layer 4 transit (UDP 500 and 4500). This presents a series of difficulties to enterprises, including:
- Secure scalability using PKI or PSK methods
- Operating with certain address translation constraints
- Rate limiting by carriers based on UDP port
- Blocking of traffic by nation-state firewalls
- Removal or blocking of stolen or retired devices
This list is not comprehensive but provides good insight into the shortcomings of traditional IPSec tunnel implementations. Silver Peak’s tunnels are built using an “IKE-less” method. This allows for increased flexibility, security and scalability when deploying across the enterprise. While this method of deployment is preferred and more effective for large organizations, Silver Peak does support traditional IKEv2 tunnels for interfacing with third-party devices. The following diagram illustrates this in more detail.
The IKE-less method of tunnel building depends on the concepts of port randomization and the Unity Orchestrator’s ability to provide directionally unique encryption keys that are cycled hourly and never repeated. The combination of these two technologies allows for easy retirement of lost or stolen devices as well as the ability to overcome difficulties caused by nation-state firewalls or carrier rate limiting.
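A toy model of the key lifecycle described above, added here for illustration and not Silver Peak's implementation: `ToyOrchestrator`, the three site names and the HMAC-SHA256 packet check are assumptions. It shows why hourly, per-direction keys issued from a central point make retiring a stolen device a matter of skipping it at the next rotation.

```python
import hashlib
import hmac
import secrets
from itertools import permutations

EPOCH_SECONDS = 3600  # the page says keys are cycled hourly

class ToyOrchestrator:
    """Hypothetical key distributor for illustration; not the vendor's code."""
    def __init__(self, devices):
        self.active = set(devices)
        self.epochs = {}      # epoch number -> {(sender, receiver): key}

    def retire(self, device):
        self.active.discard(device)   # lost or stolen: no keys from now on

    def rotate(self, now):
        """Create fresh keys for the hour containing `now` (in seconds)."""
        epoch = int(now // EPOCH_SECONDS)
        if epoch not in self.epochs:
            # Fresh 256-bit random key per direction per hour: (a, b) and
            # (b, a) differ, and nothing is derived from an earlier key.
            self.epochs[epoch] = {pair: secrets.token_bytes(32)
                                  for pair in permutations(sorted(self.active), 2)}
        return epoch

    def keys_for(self, device, epoch):
        """Hand a device only the keys for tunnels it terminates."""
        if device not in self.active:
            return {}
        return {p: k for p, k in self.epochs[epoch].items() if device in p}

def accepts(receiver_keys, sender, receiver, payload, mac):
    """Receiver-side check; HMAC-SHA256 stands in for tunnel packet integrity."""
    key = receiver_keys.get((sender, receiver))
    want = hmac.new(key, payload, hashlib.sha256).digest() if key else b""
    return hmac.compare_digest(want, mac)

def stolen_device_scenario():
    """Constructed three-site example: branch-b is stolen during hour 0."""
    orch = ToyOrchestrator(["branch-a", "branch-b", "hub"])
    e0 = orch.rotate(0)
    hub_before, stolen = orch.keys_for("hub", e0), orch.keys_for("branch-b", e0)
    orch.retire("branch-b")
    hub_after = orch.keys_for("hub", orch.rotate(EPOCH_SECONDS))
    mac = hmac.new(stolen[("branch-b", "hub")], b"hello", hashlib.sha256).digest()
    pkt = ("branch-b", "hub", b"hello", mac)
    return accepts(hub_before, *pkt), accepts(hub_after, *pkt)
```

`stolen_device_scenario()` returns `(True, False)`: the hub accepts the packet during the hour in which the key was issued and rejects it after the next rotation, because no key for that direction was ever distributed again.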
Advanced Routing and Adaptive WAN Breakout
Silver Peak Edge Connect Appliances provide the ability to interface with non-Silver Peak devices in a wide variety of scenarios. On the WAN side of the Edge Connect Appliance, IPSec tunnels can be formed with third-party devices and cloud-based firewalls quickly and with ease. Edge Connect Appliances are also capable of peering with a service provider via External Border Gateway Protocol (EBGP) to facilitate ease of dynamic WAN-side routing. Edge Connect Appliances support both Open Shortest Path First (OSPF) and EBGP on the LAN side of the device to interface with the downstream internal infrastructure in the most efficient way possible. The next figure outlines some of these possibilities in a concise and visual manner.
In addition to Silver Peak’s routing features, Edge Connect Appliances, in conjunction with Orchestrator, can perform adaptive breakout of internet-bound traffic based on first packet classification, which Silver Peak refers to as “First-packet iQ.” Through the use of this adaptive breakout, enterprises gain the ability to intelligently steer apps, improve the overall response time of SaaS applications, save WAN bandwidth and reduce backhaul to the enterprise edge corporate firewalls.
This adaptive internet breakout references Silver Peak’s database of over 10,000 SaaS applications, 300 million web domains and hundreds of thousands of registered IP addresses across the internet. As the internet is an ever-changing entity, Silver Peak’s database, which is then pushed down to Orchestrators, is updated daily with new entries to provide the best and most up-to-date experience possible for consumers.
Unity Boost WAN Optimization
Unity Boost is a Silver Peak proprietary WAN optimization package that can be added to a Silver Peak deployment as a cost-add license package. Boost provides an enterprise with two additional WAN optimization features: data deduplication and protocol acceleration.
Data deduplication eliminates the overhead in bandwidth when identical packets are continuously being transmitted across a wide area network. For example, if a data backup of a server is transmitted across the WAN each night, an Edge Connect would have the ability to cache identical packets that are “to be transmitted” and send only unique or changed data packets. This reduces overhead across the WAN and can greatly increase the speed of large and repeated file transfers.
Protocol acceleration utilizes a combination of existing technologies and protocol tuners such as TCP window scaling, selective acknowledgement, round-trip latency and jitter measurements, and HighSpeed TCP (HSTCP) to accelerate user data traffic across the WAN in the most efficient way possible. The introduction of protocol acceleration can have positive impacts across an organization and on a variety of business functions including file sharing, bandwidth optimization and network efficiency.
Strengths and Areas for Improvement
CDW recently introduced services for Silver Peak, so I’m still building my full opinion on it based on how it performs in real customer environments. I’ve spent a considerable amount of time with it, putting it through the paces in our lab environment. Below are what I believe the strengths and weaknesses of the solution to be.
Strength 1. Intuitive User Interface. Most of the SD-WAN solutions solve the same business problems, with a unique feature or two. So, how the configuration, reporting, managing and troubleshooting are presented is critical. Silver Peak knocks this out of the park.
Visibility is a topic of interest that customers frequently bring up when I talk to them. All the solutions provide some level of visibility, but the way Silver Peak presents it is very consumable. One thing I specifically appreciate is the ability to see, at any given site, how the circuits are performing via a simple green, orange and red graph over time. In addition, you can see how the application performance is at that site, showing that even though you may have a circuit that isn’t performing, Silver Peak is still doing its job to keep the application healthy.
Silver Peak is extremely intuitive to work with. Some solutions have a robust feature set but can be complex to implement and operate, while other solutions are extremely easy to configure but lack features. Silver Peak nails both, providing robust features while remaining easy to configure.
Strength 2. Path Conditioning and Path Selection. Some solutions do one or the other well, but Silver Peak does both quite well. This allows the manufacturer to provide a solution that truly does take advantage of all circuits at a given site, even in less than ideal situations, while still providing the required service-level agreements (SLA) for your applications.
Strength 3. WAN Optimization. This is a big can of worms in the industry right now. Some solutions claim that it’s not needed anymore: with most traffic being encrypted, modern protocols being designed for the WAN and bandwidths increasing, they argue, this is a technology of the past.
The fact is that some organizations still have applications that will take advantage of WAN acceleration. If your organization has high-latency links, features under the WAN optimization umbrella are still one of the only options to help alleviate this challenge.
Silver Peak started as a WAN optimization company. It cut its teeth building great optimization integrations, caching and deduplication algorithms, so it’s no surprise they dominate in this space.
Area for Improvement 1. Full Stack. Frankly, I wasn’t sure where to put this point, as an argument can be made for this to be both a strength and a weakness. While Silver Peak has numerous positive features, the fact that it doesn’t have full stack integrations like Cisco, Meraki or Aruba does not meet some customers’ requirements. These full stack integrations bring better end-to-end security, automation and management, an improvement over having multiple solutions. Other customers, however, are very focused on finding something dependable for a given solution (SD-WAN, in this case) and are extremely happy with Silver Peak’s focus on building the best SD-WAN solution they can.
Area for Improvement 2. On-Box Next-Gen Security Features. On-box security is something Silver Peak is lacking. The company seems to be taking the approach of focusing more on integration with cloud solutions. Many customers, especially those migrating to SaaS applications, are going to be fine with this approach, while there are others that want more robust on-box security capabilities. Silver Peak can do L3/L4 stateful firewalling, and L7 firewalling for applications it can natively identify, but it lacks on-box IPS/IDS, URL filtering and malware detection.
Area for Improvement 3. SaaS On-Ramp. While Silver Peak can identify SaaS applications and treat them differently (local DIA breakout, for example), the products do not have the ability to probe the SaaS apps directly and choose the best internet egress, like other solutions do.
I really like Silver Peak. The company strikes a great balance between simple to use and having robust technical capabilities. Below is a summary of use cases that generally make Silver Peak a top choice:
- Interested in a pure SD-WAN solution: Silver Peak focuses on doing SD-WAN well and it shows. The products also have solid third-party integrations.
- Easy-to-use interface with great visibility: This solution is extremely robust in the flexibility department with some of the easiest to consume visibility/reporting I’ve seen. It doesn’t take a CCIE-level engineer to make this solution work well.
- WAN Optimization: As discussed earlier, if you have a need for WAN optimization, Silver Peak is amazing.
If you’re looking at SD-WAN, Silver Peak should be on your radar. The company’s product is amazing and only getting better with new features constantly being added.