Applying artificial intelligence and machine learning to the WAN might seem futuristic, but it's already happening with technology in which physical or virtual appliances deliver predictable application performance over any combination of transport services, including low-cost consumer broadband. Application-driven security policies enable direct internet breakout for trusted SaaS and web applications. Fully compatible with existing WAN infrastructure, the new tech provides a graceful migration to an SD-WAN and ultimately to the thin branch, simplifying the WAN architecture. Such a high-performance SD-WAN solution can improve business productivity and customer responsiveness while significantly lowering WAN OPEX and CAPEX. Traditional application classification engines utilise a combination of techniques, ranging from a simple lookup of TCP and/or UDP port numbers, to more sophisticated deep packet inspection (DPI) to glean information about a flow from its packet contents. DPI is useful when applications use ports unpredictably, or when you want to distinguish applications that are on the same port, same HTTP or HTTPS. For example, DPI might be used to extract the URL from an HTTP get request, or the server domain information from an HTTPS SSL establishment. However, both techniques require several packet exchanges between the client and server before the identifying information is transferred. This is acceptable for flow reporting or for traditional actions like QOS marking or even blocking a connection as the connection can be reset at the point the application is identified. However, SD-WAN brings a new foundational requirement to the table: granular internet breakout.
Driving a change
The rise of cloud applications and ever increasing internet traffic has driven IT to evaluate augmenting or replacing MPLS with internet access. One approach is to break-out all internet destined traffic locally at the branch. However, in most cases, enterprises require finer grained control, understanding that not all Internet traffic is equal. A typical branch will have flows destined to SaaS applications that the business relies on, flows to popular internet sites (employees doing home-from-work instead of work-from-home), as well as other flows to unknown or potentially nefarious destinations. Ideally, IT would like the ability to apply unique policies to each class of internet traffic. For SaaS applications, the policy could be to use the highest quality, most consistent path, which could be local breakout, or transport via MPLS and a carrier provisioned direct connection to the SaaS provider. For the home-from-work traffic, the best policy might be to break it out locally but direct it via a cloud-based firewall service like Zscaler. For unknown or potentially suspicious traffic that doesn't fit in either category above, the policy might be to backhaul it to a full security stack in the data center. Granular internet break-out policies sound like a great idea. In fact, we might assume that all SD-WAN vendors already do this. In reality, it's quite difficult to accomplish and for good reason. First, when IT masks a traffic steering decision, either to break traffic out locally from the branch, or to send it zScaler or the data center firewall, he/she needs to make the decision on the very first packet of the flow. Once the first packet is sent along a path, the user is committed to that path because with NAT each path has a unique apparent source IP address. There can be no change of mind mid-stream. Traditional DPI techniques won't cut it because the first packet of a typical connection is a TCP SYN that has no payload available for deep inspection. To address this challenge and enable granular internet break-out, certain vendors have developed a feature that utilises a multi-layered learning architecture.
This architecture encompasses learning locally in the individual edge devices (by snooping on DNS and learning from DPI results), learning at the enterprise level in the orchestrator (redistributing information learned by individual appliances – a bit like fleet learning for self-driving cars), and learning in aggregate with a cloud intelligence service – the best keep track of the first packet signatures of 10,000s of web services.
At each level, the new technology employs sophisticated machine learning techniques.
The Self-Driving WAN
Industry leaders are embarking on the journey to a self-driving WAN, but no-one is going to be complacent. There is a lot more innovation to be delivered in the drive towards an ultimate destination. Stay tuned.