Frequently Asked Questions

Affordable MPLS Alternatives

After decades of use, enterprises are looking for MPLS alternatives. To be considered a viable alternative, a network must match MPLS' service levels for predictability and consistency, while avoiding its pitfalls of cost, rigidity and capacity constraints. Although often used for WAN connectivity, the public Internet lacks the consistently low packet loss, jitter, and latency levels of MPLS. It can't provide a predictable user experience for latency- and loss-sensitive applications, such as Voice-over-IP (VoIP) and virtual desktops, particularly across global connections.

Affordable MPLS alternatives must enable an agile WAN, a consistent application experience on a global scale, and be delivered at a reasonable price. Deploying new sites, expanding capacity and gaining full control over network traffic, must be easier than with MPLS.

"Monthly costs dropped 25% and yet we still received 10x more bandwidth."
Willem-Jan Herckenrath, Manager ICT

Cloud-based MPLS Alternative with built-in Global Backbone and Network Security

ICG Cloud Connect SD-WAN enables customers to augment and ultimately replace MPLS. Unlike Edge SD-WAN solutions, which have a limited scope and perpetuate the need for MPLS, ICG removes the dependency on MPLS. ICG further extends WAN transformation by eliminating branch security appliances and natively supporting cloud applications and mobile users. With ICG, customers can maximize the benefits of transforming their WAN to reduce the cost, complexity, and risks of their IT infrastructure.

Edge SD-WAN Challenges

The Solution: Cloud-based SD-WAN

Edge SD-WAN architectures enable organizations to use multiple transports (MPLS and Internet) in branch locations for WAN connectivity. However, they perpetuate the dependency on MPLS for predictable delivery of latency- and loss-sensitive applications.

ICG provides a cloud-based SD-WAN with a built-in global backbone with integrated network security, delivered as a cloud service. With over 30 PoPs worldwide and interconnected with tier-1 global IP transit providers, ICG provides consistent and predictable global connectivity at an affordable price.

SLA-backed Transport

Persists the reliance on MPLS

Edge SD-WAN integrates Internet transport into an MPLS WAN. However, since the Internet can't provide consistent and predictable latency on a global scale, MPLS is still required for latency- and loss-sensitive applications.

Full MPLS replacement

ICG has built a global, SLA-backed backbone that runs an integrated networking and security software stack. ICG PoPs are fully meshed over multiple tier-1 IP transit providers with SLA-backed latency and packet loss. With ICG, customers can use high-quality last-mile Internet to replace MPLS for cost savings without sacrificing security or quality of service.

Integrated Network Security

Complex and costly security integration

Edge SD-WAN solutions enable the use of Internet links for WAN transport and can provide direct Internet access at the branch. However, they do not include a full network security stack and require customers to either deploy additional security solutions at every location, backhaul traffic to a datacenter, or use cloud-based security services.

Built-in network security

ICG provides a full network security stack, including a next generation firewall, secure web gateway, anti-malware and IPS built into the SLA-backed backbone. There is no need to deploy branch security appliances, backhaul traffic, or introduce new security services. All policies are managed within ICG’s management application.

Supported Edges

Limited support for cloud infrastructure and mobile users

Edge SD-WAN solutions were designed with physical locations in mind. Typical WAN architectures treat cloud datacenters and mobile users as an afterthought.

Seamless support for physical, cloud and mobile resources

ICG Cloud Connect SD-WAN was built to connect all enterprise network elements, including physical locations, cloud infrastructure, and mobile users. With ICG SD-WAN, network security is available globally for traffic from all sources.

Considerations for a branch office firewall

What is branch office network security?

Organisations today work at scale, across multiple locations with branch offices, mobile users and regional hubs all requiring access to cloud services and corporate data. With a distributed workforce across so many locations, the need to maintain security across remote offices, users and corporate data arises.

Branch office network security is the challenge of protecting corporate data and users from security threats such as malicious sites, malware, and ransomware by enforcing the right security controls to protect the organisation.

Challenges of branch network security

  • Bandwidth requirements, per user and application
  • Cloud applications such as Office 365, Google G Suite, Salesforce, and Zoom
  • Constant internet availability without interruptions
  • Lack of IT staff at remote offices to monitor and maintain network security
  • Maintaining quality of service across all sites, applications, and cloud services
  • Visibility of users, activity, and threats across all locations
  • Wide area networks interconnecting branch offices, regional hubs and data centers

Importance of branch network security

Branch office networks are typically the most neglected part of the network, whilst being the most important in terms of carrying out business transactions and generating profits for the company. To put that in perspective: the branch is often the least secure part of the network, yet the most important in terms of generating an organisation's revenue.

With organisations operating at scale, IT staff are often centralised in headquarters or regional hubs, whilst the branch office is supported remotely. The organisation's data is centralised in systems at headquarters, in the data center or in the cloud. Therefore most of the effort is placed on securing these locations, as that's where the data is. Meanwhile branch offices with no local IT staff lack visibility of security vulnerabilities,

A compromised branch office could leak important confidential company or customer data, as is often the case with compromised point-of-sale systems in many major high-profile cases. It could also be used as a pawn in an advanced persistent threat such as island hopping, where the attack starts from a compromised remote endpoint and slowly makes its way through to important central systems.

Therefore regardless of size, branch offices need enterprise-grade network security and a firewall alone is often not enough.

How to secure branch offices

Traditionally a firewall is placed at each location, requiring on-site deployment, policy configuration, on-going maintenance and monitoring. This is usually where things start to fall apart. Smaller organisations may overlook investing in branch network security at all, trusting that the basic router and firewall provided by their ISP, combined with endpoint security such as anti-virus, is enough to protect them. In larger organisations, as we've seen, all the resources are focused on protecting centralised data, so there is often little investment made in centralised policy control, monitoring and maintenance of the remote branch office locations.

The expectation from organisations is that securing branch offices should be as simple as just deploying a firewall. Unfortunately, this is just not the reality. Or is it? Enter SD-WAN, a new approach to managing wide area networks through zero-touch provisioning, centralised management and control. It is gaining popularity for its ability to help organisations reduce the cost of expensive MPLS leased lines by moving to low-cost broadband internet connections, often load balanced across multiple low-cost connections for increased bandwidth and availability, with quality of service controls to supplement the service levels previously offered by MPLS.

However SD-WAN doesn't solve the branch office security problem completely, due to a lack of security features, such as web filtering, intrusion prevention, anti-malware and protection against zero-day attacks. For this you will need to apply secure access service edge (SASE) as an integrated approach to delivering a secure branch office SD-WAN. Delivered as a service, a SASE SD-WAN solution provides complete security and control, centralised across all branch office locations for internet traffic and east-west communications across the WAN.

An SD-WAN solution with SASE built in, like the ICG SD-WAN, leverages the cloud to centrally enforce security policies and eliminate the need for IT to manually manage and maintain individual firewalls across many branch office locations.

Advantages of SD-WAN vs branch office firewall

  • Minimise hardware costs with less capital expense for acquiring, upgrading and replacing on-premise equipment.
  • Reduce management complexity by unified policy management across all sites, that can be easily customized as needed, saves hours of tweaking configurations and policies for each device.
  • Offers highly adaptive protection, unlike appliances that need to go through software updates: security services are seamlessly upgraded in the background with new capabilities, and threat countermeasures are developed and quickly deployed to keep defenses up to date.
  • ICG SD-WAN eliminates dedicated branch office equipment such as UTMs, Firewalls and WAN optimization appliances. ICG protects all connected locations and seamlessly scales to secure all traffic, without the need for unplanned hardware upgrades and resource-intensive software patches. ICG delivers continuous, up-to-date protection without any customer involvement.
  • Post pandemic, organisations have put a strong focus on enabling secure remote work, meaning investments in scaling a VPN gateway or next generation firewall. ICG SD-WAN scales VPN connections through the cloud with over 50 global PoPs, providing a low-latency VPN connection that's closest to your remote users.

Learn more about the ICG SD-WAN solution and visit our SD-WAN cost calculator to help guide your purchasing decision.

How to load balance multiple internet connections?

Internet load balancing or fail-over for multiple internet connections can seem like a tightrope walk. There are multiple ways to accomplish it, some with point products and others with routers and firewalls. Let's take a look at the options and alternatives.

Firstly, why do organisations look at multiple connections? Why not just have one single high bandwidth connection?

  1. It might not be possible to get high bandwidth connections in your service area, so you aggregate the bandwidth of multiple lower-bandwidth lines to achieve the capacity you need. E.g. a company looking for 300Mbps bandwidth may only be able to get a maximum of 100Mbps in its coverage area. To overcome this limitation, the company combines multiple lines together to achieve 300Mbps with 3x 100Mbps connections.
  2. As an alternative to MPLS dedicated leased lines. MPLS often offers bandwidth in excess of standard business broadband and has SLAs around the service level and reliability of the connection.
  3. Redundancy. In Europe and Asia, specifically South East Asia, the reliability of business broadband, let alone MPLS, can be highly questionable: connections are often susceptible to intermittent outages, packet loss and sub-par bandwidth, where you're paying for 300Mbps but only getting a maximum of 50Mbps. To overcome the reliance on a single ISP, which can go down and bring the business to a stand-still, organisations can leverage multiple connections to multiple ISPs, allowing not only for greater bandwidth but also for fail-over in case one ISP's connection goes down, protecting productivity.
  4. Separate mission-critical business applications and data replication from web browsing and general internet traffic, by identifying application and web traffic and directing business apps down one path and web traffic down the other. That way your employees' internet access isn't slowed down by the latest batch job, data sync or application spike, and your colleague who's downloading a multi-GB archive or torrenting the latest season of Game of Thrones doesn't bring the corporate WAN to a standstill. Your WAN should never be slowed down by employees torrenting or accessing data they shouldn't; a good firewall policy, combined with web filtering, can make sure of this.

How to balance multiple internet connections?

What is SD-WAN?

Software Defined WAN (SD-WAN) is a new way to manage and optimise a Wide Area Network (WAN) or simply put, a new way to deliver secure business broadband internet connections, enabling global connections from HQ to branch offices, mobile and remote workers or staff working from home.

SD-WAN addresses the changing use of enterprise networks, away from centralised offices designed for all users to be in the office all the time, with a few remote workers, towards the growing trend of cloud computing and remote working. It is more flexible than MPLS (expensive leased line internet connections), and better at supporting a distributed and mobile remote workforce, it is also more reliable, scalable and secure than VPN-based WAN links.

As SD-WAN is an evolving category, there are a variety of vendor implementations. Some are very basic repackagings of traditional WAN solutions, border-line marketing hype that adopts the term without truly delivering on the promise of SD-WAN; others are next-generation, blurring the roles of traditional WAN security and MPLS over a broadband internet connection.

A good implementation offers a secure, feature-rich alternative to MPLS or leased lines, converging optimised routing to accelerate cloud traffic with replacement of standalone point devices like firewalls, IPS, anti-malware, URL filtering, WAN load balancers, and VPN devices, delivering value-added services over the wire. What this means is that organisations no longer need to maintain firewalls and other security devices themselves, as security is maintained centrally across all connections, and quality of service is greater than or equal to a leased line at a fraction of the cost.

SD-WAN is implemented as a network of SD-WAN appliances connected by encrypted tunnels. Each SD-WAN appliance is connected to a set of network services, which can be a mix of multiple ISPs and existing MPLS, with monitoring of the current availability and performance of each connection. Network traffic reaching an SD-WAN appliance is classified by application and prioritised using a set of centrally managed priorities, before being sent out over the best available network link via dynamic path selection.

Simple SD-WAN Topology

SD-WAN makes it possible to replace MPLS, which is not only expensive, but lacks the real-time single-point of view and control for applications, connections, users, and security. SD-WAN allows security functionality to be distributed to the network edge, making it unnecessary to send all traffic through the enterprise datacenter for scanning before forwarding it to cloud services, a practice that degrades latency and performance. This is a significant change for organisations used to backhauling all internet traffic to the data center to apply global security and filtering policies.

By converging networking and security functionality, an SD-WAN can eliminate the need to deploy expensive point security products at branch locations. An SD-WAN with a large network of globally-distributed points-of-presence (PoPs) can provide high-performance, secure networking with centralized management and visibility.

ICG SD-WAN PoPs

A History of SD-WAN

Software-defined WAN (SD-WAN) brings the abstraction of software-defined networking (SDN) to the WAN; however, it is only the latest in a series of transformations of WAN.

The very first stage of WAN, in the 1980s, used point-to-point (PPP) lines to connect different LANs. The price and efficiency of these connections were improved with the introduction of Frame Relay in the early 1990s. Instead of requiring a direct PPP connection between each pair of communicating parties, Frame Relay allowed connection to a “cloud” from a service provider, allowing shared last-mile link bandwidth and the use of less expensive router hardware.

The next stage was the introduction of Multiprotocol Label Switching (MPLS), which provided an IP-based means of carrying voice, video, and data on the same network. MPLS provides dependable network connections protected by SLAs but is expensive and slow to provision.

In 2013, SD-WAN emerged, showing the potential to be a viable and cost-effective alternative to MPLS – making it the logical next step in WAN technology. By abstracting away the entire network layer and routing traffic based upon a collection of centrally defined and managed policies, SD-WAN is able to optimize routing and prioritization of various types of application traffic. The flexibility provided by SD-WAN also allows it to better meet the needs of cloud and mobile users. As this type of use is becoming more common, it is unsurprising that many organizations are anticipated to adopt SD-WAN.

Learn more about the history of SD-WAN

The Evolution of SD-WAN

SD-WAN 1.0: Hungry for bandwidth

The first stage of SD-WAN evolution was focused on solving the issues of availability and last-mile bandwidth. New MPLS links are expensive and slow to provision, and the use of an Internet backup meant that the backup was only used in the case of an outage. Using link-bonding, an SD-WAN predecessor could combine multiple different types of connections at the link level, improving last-mile bandwidth.

SD-WAN 2.0: The rise of SD-WAN startups

The limitation of link bonding is that it only improved last-mile performance. Achieving improved performance throughout the WAN required routing awareness throughout the path. Early SD-WAN solutions offered virtualization failover/failback and application-aware routing. With application-aware routing, SD-WAN could move away from being fully reliant on MPLS links and optimally route traffic based upon the application type.

SD-WAN 3.0: Reaching out

The latest stage of SD-WAN evolution focuses on going beyond networking branch locations. As organizations increasingly move resources to the cloud, SD-WAN provides a solution for securely connecting these cloud deployments to the enterprise WAN.

Learn more about the evolution of SD-WAN

How does SD-WAN work?

Software-defined WAN (SD-WAN) is designed to solve many of the challenges associated with traditional WAN design. SD-WAN abstracts away the details of the networking layer, allowing the WAN to use a variety of different connection types interchangeably, including LTE, MPLS, and broadband Internet. This abstraction can improve network bandwidth, performance, and redundancy and enables centralized management and orchestration.

SD-WAN works by creating a network of SD-WAN appliances connected by encrypted tunnels. Each site on the WAN has its own SD-WAN appliance, and all traffic flows through that appliance. Since all appliances are centrally managed, consistent networking policies can be enforced throughout the organization. When traffic enters an SD-WAN appliance, the appliance determines the type of application traffic and routes it to its destination based upon existing policies and the availability and performance of different network links.

Traditional SD-WAN is hardly perfect. Many SD-WANs do not include integrated security, so each branch location must deploy its own standalone security products. SD-WAN also includes the deployment of an SD-WAN appliance at each endpoint, which makes it difficult or impossible to use it for cloud and mobile traffic. Finally, SD-WAN often relies upon public Internet service, which can cause reliability concerns. However, many of these problems are solved with secure access service edge (SASE) platforms.

How SD-WAN Works

Learn more about how SD-WAN works

SD-WAN Benefits

Designed to provide an alternative to traditional MPLS-based WAN, Software-defined WAN (SD-WAN) provides organizations with five major benefits when compared to MPLS.

Reduced WAN costs

MPLS bandwidth is expensive, and it can take weeks or months to provision a new MPLS link, compared to days with SD-WAN. Both in cost of operation and in lost business opportunity, MPLS is inferior to SD-WAN.

Enhanced WAN performance

MPLS is very effective at routing traffic between two static locations, but the growth of the cloud makes this less useful to businesses. SD-WAN’s policy-based routing allows traffic to be optimally sent through the network based upon the needs of the underlying application, resulting in increased application performance and better end user experience than traditional WAN architecture.

Improved WAN agility

SD-WAN also provides much more agile networking than MPLS. With SD-WAN architecture, the network layer is abstracted away, allowing the use of a variety of different transport mechanisms throughout the WAN.

Simplified WAN management

With MPLS, an organization may need to deploy a variety of standalone appliances to manage WAN optimization and security. With secure SD-WAN, these operations can be centralized, allowing organizations to scalably manage growing networks.

Increased WAN availability

Finally, SD-WAN technology can provide dramatic redundancy and availability improvements over MPLS. With MPLS, adding redundant links can be expensive. SD-WAN, on the other hand, can route traffic over a different transport mechanism in the case of an outage.

Learn more about how SD-WAN benefits digital transformation

How to connect multiple offices

WAN connections to branch offices have a variety of different constraints: they must be secure, reliable, affordable, and offer enterprise-level network performance. Several different solutions exist, but many of them have their issues.

A common solution to connecting branch locations is the use of VPNs over the public Internet. While these can provide the security that an organization may require, they are often difficult to set up and may not meet the organization’s needs. Mobile VPN clients are non-existent or clunky, and physical VPN appliances can be time-consuming to deploy and may not meet the needs of a mobile workforce. The dependence of VPN upon the public Internet means that VPNs may also not provide the reliability that the enterprise requires.

While MPLS provides more reliable, high-performance network connections, MPLS connections are slow to deploy, and MPLS bandwidth is expensive. The technology is also ill-suited to mobile and cloud users and lacks built-in security.

Cloud-based software-defined WAN (SD-WAN) provides a solution to the challenges of branch networking. Cloud-based points-of-presence (PoPs) connected by layer-1 network connections backed by SLAs provide high-performance, reliable, and affordable networking. The network of cloud-based PoPs makes it possible for users to connect from anywhere with minimal latency, and an integrated security stack provides security throughout the network.

Learn more about how to connect multiple branch offices

SD-WAN security

MPLS and appliance-based software-defined WAN (SD-WAN) can both provide an organization with the networking capabilities needed for a WAN. However, they often have significant security shortcomings. MPLS lacks any encryption of its circuits, and both MPLS and appliance-based SD-WAN may have no built-in security. As a result, many organizations using these systems deploy standalone security appliances at each location to provide the necessary cybersecurity protections.

However, this approach to WAN security can be complex, unscalable, and expensive since each new location requires another set of security appliances. Each of these appliances must be individually purchased, configured, monitored, and managed, which creates significant costs throughout their lifetimes. This approach also does not work for the cloud and mobile, where security appliances cannot be deployed on-site.

Cloud-based SD-WAN provides a solution to this problem. By placing points-of-presence (PoPs) in the cloud, they can achieve global coverage, allowing users to connect via a nearby PoP and use the SD-WAN with minimal latency impacts. These PoPs can also have integrated security functionality, removing the need to deploy standalone appliances at each location and enabling centralized networking and security visibility across the enterprise WAN. Networking and security integration can also improve performance since networking and security appliances can be optimized to interoperate with one another.

Learn more about the challenges of SD-WAN security

SD-WAN vs. MPLS vs. public internet

As global organizations become more common, the need to connect geographically-distributed LANs via a WAN becomes extremely important. In order to compete effectively, organizations need access to stable, high-performance WAN at an affordable price. Three options exist for providing this: the public Internet, MPLS, and software-defined WAN (SD-WAN).

The first option for an enterprise is to route internal traffic over the public Internet. The two primary advantages of this approach are quick setup and relatively low costs since broadband Internet is widely accessible and typically affordable. However, these advantages come at the cost of unstable performance, volatile latency, and a lack of end-to-end management.

MPLS is designed to provide high-performance and reliable network connections backed by SLAs guaranteeing latency, packet delivery, and availability. However, these high-performance connections are expensive and extremely slow to deploy (taking weeks or months). MPLS connections are also ill-suited to cloud computing since traffic must be pulled back to a centralized access point before being sent out to its destination.

SD-WAN provides the best of both worlds by abstracting away the details of the network infrastructure. By choosing the optimal route from a collection of public Internet connections and MPLS links, SD-WAN can balance performance and cost on a per-application basis. Cloud-based SD-WAN provides additional benefits, including integrated security, support for mobile and cloud users, and predictable latency and packet loss.

SD-WAN vs. MPLS vs. public internet

Learn more about SD-WAN vs. MPLS vs. broadband public internet

MPLS Alternative

MPLS, a common choice for enterprises that need high-speed, reliable network connections, provides guaranteed availability, packet loss, and latency backed by SLAs.

Yet while the technology is indeed mature and built for the enterprise, it also has its disadvantages. The guaranteed features of MPLS mean that MPLS bandwidth is expensive, not to mention that changing MPLS connections is difficult as new connections can take weeks or months to deploy. This affects the ability to set up new branch locations, expand bandwidth at existing locations, and other network changes.

Software-defined WAN (SD-WAN) is designed to provide an alternative to MPLS that addresses these challenges. SD-WAN, which consists of a network of SD-WAN appliances that are connected via tunnels over multiple transport media, abstracts away the network layer and optimally routes traffic over a variety of different data services depending on the type of application traffic. As a result, it can reduce the cost of networking and allows rapid deployment.

And yet, SD-WAN is not a perfect solution. Its reliance upon existing communications links means that MPLS may still be needed for certain applications, and SD-WAN appliances often do not have security built-in by default. Addressing these issues, and expanding coverage to mobile and cloud users, requires cloud-based SD-WAN.

When it comes to sizing your MPLS alternative, there can be a lot of confusion about "what you pay for" and "what you get". For example, a 100Mbps MPLS line may only achieve 80Mbps effective bandwidth, and a 1Gbps broadband connection may only achieve 250-500Mbps effective bandwidth. You can test your current internet speed with the ICG internet speed test.

Learn more about MPLS alternatives

SD-WAN redundancy vs MPLS redundancy

Redundancy is vital for the enterprise WAN. Network outages are a leading cause of downtime, so redundant network connections are needed to minimize downtime. Software-defined WAN (SD-WAN) is a viable alternative to MPLS for enterprise WAN, but reliability and redundancy can be an issue. However, if implemented properly, SD-WAN can offer better redundancy than MPLS.

MPLS is well-known for its middle-mile reliability. However, the same level of reliability is often not attainable for last-mile connections. MPLS bandwidth is expensive, so the price of last-mile redundancy can be prohibitive. As a result, downtime can be easily caused by events that terminate this last-mile connection. Last-mile redundancy requires dual-homed connections that are routed in different ways to different providers. Typically, MPLS network offers active-passive redundancy with failover based upon route or DNS convergence.

SD-WAN is designed to abstract away the network layer and allow traffic to be routed over multiple connections. Therefore, all SD-WAN connections are in active use at all times, with real-time availability and performance monitoring. This not only improves the bandwidth and reliability of WAN connectivity but also enables active-active redundancy. In the case of an outage in one transport method, data can seamlessly be routed via an alternative connection. Thus, in addition to providing high middle-mile redundancy, SD-WAN can also provide better last-mile redundancy than MPLS.
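The application-aware path selection described in "How does SD-WAN work?", the separation of business applications from web traffic, and the active-active failover described above, as an added toy model that is not part of the original page or of ICG's product. Link names, probe metrics and SLA thresholds are invented values for illustration.

```python
"""Toy model of SD-WAN dynamic path selection with active-active failover.

Constructed example: the links, probe metrics and per-application thresholds
below are invented and do not describe any real network or product.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Link:
    """One WAN transport with the most recent availability/performance probe."""
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    up: bool = True


@dataclass
class AppPolicy:
    """Centrally defined policy: SLA thresholds plus an ordered link preference."""
    app: str
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float
    preferred: List[str]


def meets_sla(link: Link, policy: AppPolicy) -> bool:
    """True when the link is up and every probed metric is within the policy."""
    return (link.up
            and link.latency_ms <= policy.max_latency_ms
            and link.jitter_ms <= policy.max_jitter_ms
            and link.loss_pct <= policy.max_loss_pct)


def sla_violation(link: Link, policy: AppPolicy) -> float:
    """Sum of relative threshold overshoots; 0.0 means the link is within SLA."""
    return (max(0.0, link.latency_ms / policy.max_latency_ms - 1)
            + max(0.0, link.jitter_ms / policy.max_jitter_ms - 1)
            + max(0.0, link.loss_pct / policy.max_loss_pct - 1))


def select_path(links: Dict[str, Link], policy: AppPolicy) -> Tuple[Optional[str], str]:
    """Pick a link for one application; returns (link name, 'ok'|'degraded'|'blackhole')."""
    # First choice: the most-preferred link that is up and inside the SLA.
    for name in policy.preferred:
        link = links.get(name)
        if link is not None and meets_sla(link, policy):
            return name, "ok"
    # No link satisfies the SLA: keep the flow alive on the least-bad link that
    # is still up (active-active), tie-breaking by preference order.
    up_links = [link for link in links.values() if link.up]
    if not up_links:
        return None, "blackhole"

    def rank(link: Link) -> Tuple[float, int]:
        pref = policy.preferred.index(link.name) if link.name in policy.preferred else len(policy.preferred)
        return sla_violation(link, policy), pref

    best = min(up_links, key=rank)
    return best.name, "degraded"


def route_flows(links: Dict[str, Link], policies: Dict[str, AppPolicy],
                flows: List[Tuple[str, str]]) -> Dict[str, Tuple[Optional[str], str]]:
    """Classify each (flow_id, app) pair and route it under the matching policy."""
    return {flow_id: select_path(links, policies[app]) for flow_id, app in flows}


def sample_links() -> Dict[str, Link]:
    """Constructed probe results: one MPLS circuit, one broadband line, one LTE backup."""
    return {
        "mpls": Link("mpls", latency_ms=40, jitter_ms=2, loss_pct=0.1),
        "broadband": Link("broadband", latency_ms=60, jitter_ms=8, loss_pct=0.3),
        "lte": Link("lte", latency_ms=120, jitter_ms=40, loss_pct=2.0),
    }


# Constructed policies: VoIP and ERP prefer the quality paths, bulk web traffic is
# steered onto the cheapest path so it cannot starve business applications.
POLICIES: Dict[str, AppPolicy] = {
    "voip": AppPolicy("voip", 150, 30, 1.0, ["broadband", "mpls", "lte"]),
    "erp": AppPolicy("erp", 200, 50, 1.0, ["mpls", "broadband", "lte"]),
    "web": AppPolicy("web", 400, 100, 5.0, ["lte", "broadband", "mpls"]),
}

FLOWS = [("call-1", "voip"), ("erp-sync", "erp"), ("download", "web")]

if __name__ == "__main__":
    links = sample_links()
    print("steady state:", route_flows(links, POLICIES, FLOWS))
    links["broadband"].up = False                      # last-mile outage
    print("broadband down:", route_flows(links, POLICIES, FLOWS))
    links["broadband"].up, links["broadband"].jitter_ms = True, 45
    links["mpls"].up = False                           # brown-out plus MPLS outage
    print("only degraded links:", route_flows(links, POLICIES, FLOWS))
```

The "degraded" state is the signal a defender wants to alert on: the flow is still delivered, but outside policy, which is something an active-passive failover based on route convergence cannot distinguish.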

Learn more about SD-WAN vs. MPLS redundancy

SD-WAN vs VPN: How Do They Compare?

SD-WAN vs VPN: How Do They Compare?

Learn more about SD-WAN vs. VPN comparison

SD-WAN as a Service

SD-WAN as a Service extends the core capabilities of traditional SD-WAN. It converges the WAN edge, a global backbone and a full network security stack into a unified cloud-native platform. Known as SASE (Secure Access Service Edge), it is built to optimally connect and secure all enterprise resources: physical locations, cloud datacenters, and the mobile workforce. By integrating SD-WAN into SASE, enterprises can gradually transform their WAN and address the full WAN transformation journey without deploying multiple point solutions.

Learn more about SD-WAN as a Service

Last Mile Constraints

MPLS is well-known for middle-mile reliability; however, the same is not true for last-mile. The cost of MPLS bandwidth often makes deploying redundant last-mile connections cost-prohibitive, leading organizations to seek alternative solutions.

Two early methods for dealing with the last-mile reliability problem are the use of a backup Internet connection and link-bonding. While a backup Internet connection can help to deal with MPLS outages, the failover process is slow and often results in a loss of current connections. Link-bonding attempted to solve the problem of last-mile reliability by aggregating multiple different last-mile transport services. While this positively impacted last-mile bandwidth and reliability, it did nothing to help the middle-mile.

Software-defined WAN (SD-WAN) takes the concept of link-bonding a step further. By abstracting away the network details, SD-WAN is able to present a range of transport options as a single pipe to an application and perform traffic routing behind the scenes.

This allows SD-WAN to provide numerous advantages for an enterprise WAN. The last mile can be optimized using policy-based routing, hybrid WAN support, active/active links, packet loss mitigation, and QoS (upstream and downstream). With cloud-based SD-WAN, where the middle mile is composed of private Tier-1 backbones, it is also possible to perform middle-mile optimization, allowing SD-WAN to compete with MPLS with regard to middle-mile network reliability and performance.
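The two mechanisms described above, continuous per-link health monitoring with active-active failover and policy-based routing per application class, can be sketched in a few dozen lines. The following is an added example written for this page, not ICG's code or any vendor's implementation; the link names, probe values and SLA thresholds are constructed, and a real controller would populate the history from probe packets rather than from literals.

```python
"""Policy-based path selection across active-active SD-WAN links (added example)."""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class LinkSample:
    """One probe result for a link (constructed values, not real telemetry)."""
    loss_pct: float
    latency_ms: float
    jitter_ms: float


@dataclass(frozen=True)
class AppPolicy:
    """SLA thresholds and ordered link preference for one application class."""
    name: str
    max_loss_pct: float
    max_latency_ms: float
    max_jitter_ms: float
    preferred: tuple  # link names, most preferred first


# Hypothetical link names with constructed probe history (most recent last).
LINK_HISTORY: Dict[str, List[LinkSample]] = {
    "isp_a_fiber": [LinkSample(0.0, 20, 2), LinkSample(0.1, 22, 3), LinkSample(0.0, 21, 2)],
    "isp_b_cable": [LinkSample(0.5, 35, 8), LinkSample(0.4, 38, 9), LinkSample(0.6, 36, 7)],
    "lte_backup": [LinkSample(1.0, 60, 15), LinkSample(1.2, 65, 18), LinkSample(0.9, 58, 14)],
}

# Loss- and jitter-sensitive voice gets tight thresholds; bulk transfer is tolerant.
POLICIES: Dict[str, AppPolicy] = {
    "voip": AppPolicy("voip", 1.0, 150.0, 30.0, ("isp_a_fiber", "isp_b_cable", "lte_backup")),
    "bulk": AppPolicy("bulk", 5.0, 400.0, 100.0, ("isp_a_fiber", "isp_b_cable")),
}


def link_health(samples: List[LinkSample]) -> LinkSample:
    """Average the recent probes into one health figure per link."""
    return LinkSample(
        mean(s.loss_pct for s in samples),
        mean(s.latency_ms for s in samples),
        mean(s.jitter_ms for s in samples),
    )


def meets_sla(health: LinkSample, policy: AppPolicy) -> bool:
    """A link is usable for an application only if every threshold is met."""
    return (health.loss_pct <= policy.max_loss_pct
            and health.latency_ms <= policy.max_latency_ms
            and health.jitter_ms <= policy.max_jitter_ms)


def eligible_links(app: str, history: Dict[str, List[LinkSample]],
                   policies: Dict[str, AppPolicy]) -> List[str]:
    """All links currently fit to carry this application (the active-active pool),
    in the policy's preference order. Links with no recent probes are excluded,
    so a transport that has gone silent is never chosen."""
    policy = policies[app]
    return [link for link in policy.preferred
            if history.get(link) and meets_sla(link_health(history[link]), policy)]


def select_path(app: str, history: Dict[str, List[LinkSample]],
                policies: Dict[str, AppPolicy]) -> Optional[str]:
    """Primary path for a new flow: the most preferred eligible link, or None."""
    pool = eligible_links(app, history, policies)
    return pool[0] if pool else None


def with_degraded_link(history: Dict[str, List[LinkSample]], link: str,
                       sample: LinkSample) -> Dict[str, List[LinkSample]]:
    """Copy of the history in which `link`'s recent probes all show `sample`;
    used to simulate a brownout on one transport without mutating the input."""
    degraded = {name: list(samples) for name, samples in history.items()}
    degraded[link] = [sample] * len(history[link])
    return degraded


if __name__ == "__main__":
    print("voip ->", select_path("voip", LINK_HISTORY, POLICIES))
    brownout = with_degraded_link(LINK_HISTORY, "isp_a_fiber", LinkSample(3.0, 25, 4))
    print("voip during fiber brownout ->", select_path("voip", brownout, POLICIES))
    print("bulk during fiber brownout ->", select_path("bulk", brownout, POLICIES))
```

The point the simulation makes is that failover is a per-application decision, not a per-link one: when the fiber link's loss climbs to 3%, voice moves to the cable link while bulk transfers stay on fiber, because only the voice policy's loss threshold was violated.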

Learn more about last mile constraints for SD-WAN

Use Cases

MPLS migration to SD-WAN

ICG enables customers to move away from expensive, rigid, and capacity-constrained MPLS networks to a combination of high-capacity broadband Internet links. Using ICG SD-WAN edge appliances, customers boost usable capacity and improve resiliency at a lower cost per megabit. Customers with a global footprint leverage ICG's affordable global private backbone to replace global MPLS and the unpredictable Internet. The ICG SD-WAN solution optimizes performance and maximizes throughput to on-premises and cloud applications.

Optimized Global Connectivity

ICG SD-WAN uses a global private backbone with built-in WAN and cloud optimization to deliver an SLA-backed, predictable, and high-performance network experience everywhere. Customers who suffer from high latency and network inconsistency across their global locations use ICG to deliver a great user experience when accessing on-premises and cloud applications.

Secure Branch Office Internet Access

ICG provides a complete network security stack built into the SD-WAN solution. By connecting all branch locations to ICG secure SD-WAN, all traffic, both Internet-bound and WAN, is fully protected by ICG enterprise-grade, cloud-based security services. There is no need to backhaul Internet traffic to a data center or a regional hub, deploy branch network security appliances, or procure stand-alone cloud security solutions.

Cloud Acceleration and Control

ICG provides seamless acceleration of cloud traffic by routing all traffic from all edges to the ICG PoP closest to the cloud data center. Because ICG PoPs share the data center footprint of major cloud providers, the latency between ICG and these providers is essentially zero. Cloud application access optimization requires just a single application-level rule that determines where cloud application traffic should egress the ICG SD-WAN. There is no need to install cloud appliances or set up hubs to reduce latency to the cloud or to SaaS applications.

Mobile Security and Optimization

ICG extends global networking and security capabilities down to a single user’s laptop, smartphone, or tablet. Mobile and remote users are no longer treated like second-class citizens of your network and security infrastructure. Using an ICG Client, or clientless browser access, users dynamically connect to the closest ICG PoP, and their traffic is optimally routed over the ICG global private backbone to on-premises or cloud applications. ICG's security-as-a-service stack protects users against threats everywhere and enforces application access control. Unlike legacy VPN, the ICG SD-WAN solution scales globally to support 24×7 access for the entire workforce, creating a viable business continuity plan for working from home.

Working from Home

ICG seamlessly supports work-from-home for all employees, all the time. Customers rapidly connect their on-premises and cloud data centers to ICG SD-WAN and enable self-service provisioning of Clients to all users who require work-from-home or remote access. Unlike legacy VPN and SDP products that can’t scale to support the entire business, ICG's global, cloud-scale platform is built to optimize traffic to all applications with a global private backbone, and to continuously inspect traffic for threats and access control with the converged security stack.

Global Enterprises

ICG makes global connectivity affordable, reliable, and agile. Our global SLA-backed private backbone provides a consistent user experience at a fraction of the cost of legacy MPLS, and natively extends to cloud data centers, cloud applications and mobile users. With over 50 points of presence all over the world, from the US to Europe, Asia Pacific and South East Asia, you can now achieve secure global connectivity that meets your business needs within minutes. ICG's security stack ensures the same enterprise-grade security is applied to all branches, users, and applications – everywhere.

Regional Enterprises

ICG gets your entire enterprise network connected and secured through a single cloud service, whether it's across Australia, New Zealand, China, Indonesia, Malaysia, Philippines, Singapore, Thailand, Vietnam, Japan or Korea. Our edge SD-WAN and Security-as-a-Service help IT teams build reliable business networks across the region with ease. ICG helps you make the most of your Internet last mile by automatically building the WAN full mesh, enforcing QoS and path selection based on application and user awareness, optimizing access to cloud resources, making VPN users integral parts of your network, and enforcing the same enterprise-grade security on all locations, users, and applications. ICG SD-WAN can be managed by your IT team, or by ICG as a managed service provider, via a single, user-friendly, web-based application.

Cloud-based Management

ICG SD-WAN services enable enterprise IT to access detailed real-time and historical network analytics and security events through a cloud-based management application. All policies, including security, routing, and quality of service, can be directly configured by your IT team or by ICG as a managed service. As a cloud service, ICG requires no customer involvement in updating or upgrading the underlying infrastructure, saving IT teams the precious resources previously needed to manage multiple point solutions.

Managed Service

For customers who prefer “hands-off” management, ICG offers plug-and-play pre-provisioned appliances for zero-touch deployments, monitoring of last-mile links, definition of policy configurations, and monitoring of the network for pervasive security threats. As a cloud service, ICG maintains the SD-WAN platform and all of its components, saving IT teams the precious resources previously needed to maintain multiple point solutions.

Get started with SD-WAN

The ICG Cloud Connect SD-WAN service can be activated instantly for remote users and cloud data centers, with on-site deployments within 48 hours to almost anywhere in the world. It is delivered as a service, replacing existing routers, firewalls, IPS, load balancers, URL filtering, and VPN appliances. Reduce the cost of MPLS by ~50%. Improve Internet speed. Optimize applications like Office 365, Teams, Zoom, and SAP. Remove the technical debt of procuring, managing, and securing the network.

Get started with a free proof of concept (PoC) today by live chat or WhatsApp.

Gartner Report 2021 Strategic Roadmap for SASE Convergence

In Gartner’s new report from March 25, Neil MacDonald, Nat Smith, Lawrence Orans, and Joe Skorupa provide invaluable insights with a clear message to enterprises: “SASE is a pragmatic and compelling model that can be partially or fully implemented today.” And, enterprises should build a strategy for replacing legacy point products with a converged SASE platform.

The migration to SASE will enable enterprises to successfully address the current and future networking and security challenges:

  • Shifting to cloud-delivered security to protect anywhere, anytime access to digital capabilities
  • Simplifying security management that has become complex due to multiple vendors, policies, and appliances
  • Reducing cost with MPLS replacement and SD-WAN alternative projects
  • Better utilizing resources and skills to overcome organizational silos and facilitate growth

Practical Advice to Follow

Gartner analyzes the gaps between the future and current state of SASE offerings, and provides a strategic roadmap, migration plan, and advice on SASE adoption over the next five years.

Short term recommendations:

  • Deploy ZTNA/SDP to replace legacy VPN for the remote workforce
  • Implement phase-out tactics for on-premises hardware in favor of SASE services
  • Reduce cost and complexity by leveraging converged offerings of SWGs, CASBs, and VPN
  • Initiate branch transformation projects to integrate cloud-based security services

Longer-term recommendations:

  • Consolidate SASE offerings to a single vendor or two explicitly partnered vendors
  • Implement ZTNA/SDP for all users, at all locations
  • Prefer SASE offerings that allow you to control privacy and compliance related matters
  • Create a sassy team of networking and security experts responsible for secure access across all edges

Strategic Assumptions to Consider

The report brings new statistics and understandings of market trends, naturally accelerated by the global crisis.

  • By 2024, 30% of enterprises will adopt cloud-delivered SWG, CASB, ZTNA, and FWaaS from the same vendor, up from 5% in 2020
  • By 2025, 60% of enterprises will have explicit strategies and timelines for SASE adoption, up from 10% in 2020
  • By 2023, to deliver flexible, cost-effective scalable bandwidth, 30% of enterprises will have only Internet WAN connectivity, up from 15% in 2020.

If you’re looking at branch office firewalls, routers, or gateways, this 25-minute Gartner report is a must-read! Download your complimentary copy below for a limited time.

View the full report here  

How much does SD-WAN cost?

The many factors that go into a holistic WAN cost include the connectivity cost of bandwidth, security, firewalls, URL filtering, anti-malware, intrusion prevention systems (IPS), WAN optimization, and VPN.

When you start to stack up all these costs and make a comparison with MPLS, the all-in cost of SD-WAN might surprise you. Many vendors are touting cost savings upward of 70, 80, even 90%. However, we must be careful in interpreting this marketing, as it often fails to account for things like last-mile monitoring to ensure you get the bandwidth you pay for.

Some organisations might find, for example, that they are paying for a 500Mbps Internet connection and only getting 5Mbps. As for link redundancy: because MPLS typically comes with a strict availability guarantee, it is recommended that at least two Internet links are provided from two separate Internet service providers, to ensure availability in line with that of the former MPLS service.

As a general rule of thumb, with SD-WAN and comprehensive cloud-based security it's possible to connect HQ and multiple branch locations for the same price as a single MPLS line. So yes, you can save costs, but it's not just a cost-based argument, although the savings certainly do make a case for the CFO to review.

Adding up the cost of MPLS vs SD-WAN

The most popular locations in Asia Pacific requiring SD-WAN connections include: Australia, New Zealand, Singapore, Malaysia, Indonesia, Philippines, Thailand, and Vietnam. ICG has local points of presence in each of these locations as well as across the United States and Europe to enable the best level of service for your SD-WAN.

Get an estimate of your SD-WAN costs, using the ICG SD-WAN cost calculator based on the SASE SD-WAN as a service model.

Industry 4.0 – Talking About a Revolution

In an Industry 4.0 world, supply chains are completely visible and workflows are fully automated. Factories, machines, products, and processes are all smart; all connected; and all sharing data to better serve today’s sophisticated customers. This revolution is basically the digital transformation of manufacturing, with clear benefits that include better security, reduced cost, customer satisfaction, competitive differentiation, and more.

Industry 4.0 was first introduced in 2011, so why all the buzz 10 years later?

You guessed right, it’s none other than COVID-19 accelerating the revolution. According to Gartner, by 2024, following the pandemic, over 30% of manufacturers driving Industry 4.0 programs will change their business models, compared to 10% before the pandemic. This is because manufacturers will come out of the crisis knowing they must adapt to a changed environment, with different user preferences, new processes, and flexible workplace models.

And the pressure is on you to manage and control this new evolving environment.

Are you in a Position to Join the Revolution?

Gartner advises manufacturers to take into account disruptions such as COVID-19 and “overcome impending crises with the least possible damage, and to be better prepared for any kind of downturn or even cyclical crises in the future.” Yet with today’s legacy WAN architecture, following this advice is easier said than done, and overcoming unexpected challenges with the “least possible damage” sounds like mission impossible (minus Tom Cruise and the happy ending).

Gaining business value through the ability to converge the digital and physical environments is the essence of Industry 4.0. However, the potential of this revolution can’t be realized with an outdated, fragmented network infrastructure.

Current networks were never designed to support the fundamental requirements of security, flexibility, availability, and resiliency Industry 4.0 demands. Too many manufacturers are stranded with legacy MPLS-based networks, and IT has no effective way to gain visibility across systems, locations, processes, and users; and extracting actionable data becomes close to impossible. Perhaps this is one of the reasons why Gartner predicted that by 2021 only half of all Industry 4.0 transformation initiatives would be successful.

The Cost of Being Left Behind

Let’s examine one of the essential requirements for leveraging Industry 4.0 – continuous availability. According to ITIC’s recent report, 8 out of 10 enterprises require a minimum of 99.99% uptime for their mission critical systems; and 2 out of 10 enterprises request at least 99.999% availability. These expectations may seem high, but in the context of Industry 4.0, they’re necessary and justified.

The business damage from downtime affects enterprises of all sizes and verticals. In 2020, 98% of enterprises indicated that the hourly cost of downtime was more than $100K; and for 34%, the cost reached $1M! Considering the volume of processes and systems manufacturing includes, just one hour of downtime entails significant loss to the business.

Any trouble with your network could translate into damage to production, loss of data, and negative impact on your brand reputation.

As smart manufacturing continues to evolve, manufacturers must adapt to, and keep up with, changes (both predicted and unpredicted). From IT’s perspective, this calls for a network that enables them to seamlessly and securely support new technologies as they’re introduced, alongside ensuring constant connectivity to everyone, everywhere. Without this, IT won’t be able to support Industry 4.0 projects and manufacturers will find themselves out of the game.

A Smart Factory Calls for a SASE Network

To empower manufacturers to emerge stronger from the global crisis and deliver on the promise of Industry 4.0 – a new (and smart) network is needed. A network that provides the underlying mission critical infrastructure that can support Industry 4.0 technologies. Fortunately, this network already exists. It’s called Secure Access Service Edge (SASE) and is considered by Gartner to be transformational and the future of network security.

SASE converges SD-WAN and network security into a single cloud service, delivering a uniform set of security and optimization capabilities, connecting all users, equipment, and locations. A SASE platform is cloud-native and its service is delivered through a global private backbone, supported by numerous distributed PoPs.

With SASE, IT can eliminate MPLS, deliver optimized performance, maintain a strong security posture, ensure 99.999% availability, and natively support new digital technologies.

How?

  • Global private backbone ensures IT can connect all enterprise resources over high-speed Internet without compromising on availability or network performance.
  • Enterprise-grade Security as a Service provides a consistent level of security across all edges, which is simple to manage even by small IT teams.
  • Built-in ZTNA/SDP guarantees employees continue working from remote without any compromise on performance and productivity; and even in crisis mode – business continues as usual.
  • Cloud-native integration helps migrate data and applications to the cloud with minimal risk and effort, while eliminating or avoiding the high cost of private cloud connections like Azure ExpressRoute or AWS Direct Connect.

A true SASE network will ensure you can respond better to business needs, deploy workplaces of any kind faster, and enable the Industry 4.0 transformation to support your modern global manufacturing business.

Pre or post COVID-19, the fourth industrial revolution touches enterprises of various types, sizes, and locations, all sharing the same challenge: how to embrace new technologies that support both current and future needs while justifying the related investment. Manufacturers that succeed in leveraging new technologies will be able to improve business operations, create new value, prevail over the global crisis, and be ready for the unexpected; be ready for the new normal.

We’re in the midst of this revolution, and the question to ask is not whether your business will be disrupted, but rather when it will be disrupted, and how you can ensure your underlying network infrastructure is adequate to support the Industry 4.0 journey and create value for your company.

Rethinking Enterprise Remote Access VPN Solutions: Designing Scalable VPN Connectivity

Many companies turned to their existing VPN infrastructure, beefing up the terminating appliances in the datacenter with additional capacity to support hundreds or thousands of new work from home (WFH) users. In the early days of Coronavirus lockdowns, some countries saw a surge in VPN use that more than doubled the typical pre-pandemic demand. However, VPN infrastructure isn’t designed to support an entire workforce. As organizations contemplate an extended or even permanent switch to WFH, investing in a secure, scalable connectivity solution is essential.

Enterprise VPN Solutions are Not Designed for Distributed Workforces

VPNs are designed for point-to-point connectivity. Each secure connection between two points requires its own VPN link for routing traffic over an existing path. For people working from home, this path is going to be the public Internet. The VPN software creates a virtual private tunnel over which the user’s traffic goes from Point A (e.g., the home office or a remote work location) to Point B (usually a terminating appliance in a corporate datacenter). Each terminating appliance has a finite capacity for simultaneous users. VPN visibility is limited when companies deploy multiple disparate appliances.

Pre-pandemic, many organizations had sufficient VPN capacity to support between 10 and 20 percent of their workforce as short-duration remote users at any given time. This supported employees temporarily working from hotels and customer sites as well as from their homes. Once the pandemic restrictions forced people to isolate at home, companies saw their VPN usage shoot up to as much as 50 to 70 percent of the workforce. It was a real challenge to quickly scale capacity because the number of required VPN links for continuous connectivity scales exponentially with the number of remote sites.

Security is a considerable concern when VPNs are used. While the tunnel itself is encrypted, the traffic traveling within that tunnel is not inspected for malware or other threats. To maintain security, the traffic must be routed through a security stack at its terminus on the network. In addition to inefficient routing and increased network latency, this can result in having to purchase, deploy, monitor, and maintain security stacks at multiple sites to decentralize the security load. Simply put, providing security for VPN traffic is expensive and complex to manage.

Another issue with VPNs is that they provide overly broad access to the entire network without the option of controlling granular user access to specific resources. There is no scrutiny of the security posture of the connecting device, which could allow malware to enter the network. What’s more, stolen VPN credentials have been implicated in several high-profile data breaches. By using legitimate credentials and connecting through a VPN, attackers were able to infiltrate and move freely through targeted company networks.

Of further concern, VPNs themselves can harbor significant vulnerabilities, an issue we noted in a recent post. NIST’s Vulnerability Database has published over 100 new CVEs for VPNs since last January.

SASE Provides a Simpler, More Secure, Scalable Solution Compared to VPN Solutions

In mid-2019, Gartner introduced a new cloud-native architectural framework to deliver secure global connectivity to all locations and users. Gartner analysts named this architecture the Secure Access Service Edge (or SASE).

ICG's SASE platform is built as the core network and security infrastructure of the business, and not just as a remote access solution. It offers unprecedented levels of scalability, availability, and performance to all enterprise resources.

It so happens that SASE is an ideal VPN alternative. SASE offers scalable access, optimized connectivity, and integrated threat prevention that are needed to support continuous large-scale remote access. There are several ways that ICG's SASE platform outperforms a traditional VPN solution.

First, the SASE service seamlessly scales to support any number of end-users globally. There is no need to set up regional hubs or VPN concentrators. The SASE service is built on top of dozens of globally distributed Points of Presence (PoPs) to deliver a wide range of security and networking services, including remote access, close to all locations and users.

Second, availability is inherently designed into ICG's SASE service. Each resource – a location, a user, or a cloud – establishes a tunnel to the nearest SASE PoP. Each PoP is built from multiple redundant compute nodes for local resiliency, and multiple regional PoPs dynamically back up one another. The SASE tunnel management system automatically seeks an available PoP to deliver continuous service, so the customer doesn’t have to worry about high availability design and redundancy planning.

Third, SASE PoPs are interconnected with a private backbone and closely peer with cloud providers, to ensure optimal routing from each edge to each application. This is in contrast with the use of the public Internet to connect users to the corporate network.

Fourth, since all traffic passes through a full network security stack built into the SASE service, multi-factor authentication, full access control, and threat prevention are applied. Because the SASE service is globally distributed, SASE avoids the trombone effect associated with forcing traffic to specific security choke points on the network. All processing is done within the PoP closest to the users while enforcing all corporate network and security policies.

And lastly, ICG's SASE platform employs Zero Trust Network Architecture in granting users access to the specific resources and applications they need to use. This granular level of control is part of the identity-driven approach to network access that SASE demands.
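The contrast drawn above between a VPN's network-wide grant (no per-resource control, no device posture check) and a zero-trust, identity-driven decision per application can be made concrete with a small policy evaluator. This is an added example for this page, not ICG's code or its policy model; the applications, groups, rules and posture attributes are constructed, and a real platform would hold the rules in its policy store and evaluate them at the PoP nearest the user.

```python
"""Per-application, identity- and posture-driven access decisions (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class Device:
    """Posture facts reported by the endpoint agent (constructed attributes)."""
    managed: bool
    os_patched: bool
    disk_encrypted: bool


@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str]
    mfa_passed: bool


@dataclass(frozen=True)
class AppRule:
    """Who may reach one application, and under what conditions."""
    allowed_groups: FrozenSet[str]
    require_mfa: bool
    require_managed_device: bool


# Hypothetical applications and rules.
RULES: Dict[str, AppRule] = {
    "payroll": AppRule(frozenset({"finance"}), require_mfa=True, require_managed_device=True),
    "wiki": AppRule(frozenset({"employees", "contractors"}), require_mfa=False, require_managed_device=False),
    "git": AppRule(frozenset({"engineering"}), require_mfa=True, require_managed_device=True),
}


def vpn_grant(password_ok: bool, rules: Dict[str, AppRule] = RULES) -> FrozenSet[str]:
    """Legacy VPN model: one valid credential yields a network-wide grant, so every
    application behind the concentrator is reachable and posture is never consulted."""
    return frozenset(rules) if password_ok else frozenset()


def ztna_decision(user: User, device: Device, app: str,
                  rules: Dict[str, AppRule] = RULES) -> Tuple[bool, str]:
    """Zero-trust model: evaluate identity, group membership, MFA and device posture
    for this one application. Deny by default and report the reason for logging."""
    rule = rules.get(app)
    if rule is None:
        return False, "unknown application"
    if not user.groups & rule.allowed_groups:
        return False, "user not in an allowed group"
    if rule.require_mfa and not user.mfa_passed:
        return False, "MFA required"
    posture_ok = device.managed and device.os_patched and device.disk_encrypted
    if rule.require_managed_device and not posture_ok:
        return False, "device posture insufficient"
    return True, "allowed"


def reachable_apps(user: User, device: Device,
                   rules: Dict[str, AppRule] = RULES) -> FrozenSet[str]:
    """The set of applications this user may reach from this device right now;
    compare with vpn_grant(True), which returns all of them regardless."""
    return frozenset(app for app in rules if ztna_decision(user, device, app, rules)[0])


if __name__ == "__main__":
    alice = User("alice", frozenset({"employees", "finance"}), mfa_passed=True)
    laptop = Device(managed=True, os_patched=True, disk_encrypted=True)
    home_pc = Device(managed=False, os_patched=True, disk_encrypted=False)
    print("VPN with password only:", sorted(vpn_grant(True)))
    print("ZTNA, managed laptop:", sorted(reachable_apps(alice, laptop)))
    print("ZTNA, unmanaged home PC:", sorted(reachable_apps(alice, home_pc)))
```

Two design points matter here: the decision is taken per application rather than once at tunnel setup, so a posture change (an unmanaged or unencrypted device) narrows access instead of granting the whole network; and every denial carries a reason, which is what a SOC needs to distinguish a misconfigured group from a stolen credential being replayed against a resource its owner never used.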

SASE is Well-Suited to Remote Work

Enterprises that enable WFH using ICG's SASE platform can scale quickly to any number of remote users without worry. The complexity of scaling is all hidden in the ICG PoPs, so there is no infrastructure for the organization to purchase, configure or deploy. Giving end users remote access is as simple as installing a client agent on the user’s device, or providing clientless access to specific applications via a secure browser.

Security is decentralized, located at the PoPs, which reduces the load on infrastructure in the company’s datacenter. Routing and security are integrated at this network edge. Thus, security administrators can choose to inspect business traffic and ignore personal traffic at the PoP. Moreover, traffic can be routed directly and securely to cloud infrastructure from the PoP instead of forcing it to a central datacenter first. Further, admins have consistent visibility and control of all traffic throughout the enterprise WAN.

WFH Employees Have Secure and Productive Access to the Corporate Network

While some workers are venturing back to their offices, many more are still working from home—and may work from home permanently. The ICG SASE platform is the ideal way to give them access to their usual network environment without forcing them to go through insecure and inconvenient VPNs.

SASE vs. SD-WAN: Achieving Cloud-Native WAN Security

Now the spotlight is shifting to the next evolution of networking: the secure access service edge (SASE). Like SD-WAN, SASE is a technology designed to connect geographically dispersed branches and other endpoints to an enterprise’s data and application resources. While there is some overlap in what the two technologies offer – in fact, SD-WAN is a component of SASE – there are significant differences in capabilities, not the least of which is network security. If SD-WAN gained traction for its flexible connectivity options, then SASE will be defined by its ability to seamlessly deliver full security to every edge on the network.

Enterprises Need a Distributed Network Architecture

Every enterprise, regardless of industry or geography, has a need for secure, high-performance, and reliable networking. In a bygone era, a hub-and-spoke networking architecture centered around an on-premises data center would have met that need—but not so today. A distributed network architecture is critical to support the increasing use of cloud platforms, SaaS applications, and especially remote and mobile workers.

This last requirement is ever more important in a world still experiencing a global pandemic. And even as we eventually move to a post-Covid-19 era, there will be a significant need to support people who continue to work from home, either permanently or occasionally, as well as those who return to the office.

SD-WAN Is a Step in the Right Direction

SD-WAN is a software-based approach to building and managing networks that connect geographically dispersed offices. It uses a virtualized network overlay to connect and remotely manage branch offices, typically connecting them back to a central private network, though it also can connect users directly to the cloud.

SD-WAN provides optimal traffic routing over multiple transport media, including MPLS, broadband Ethernet, 4G LTE, DSL, or a combination thereof. However, SD-WAN appliances sit atop the underlying network infrastructure. This means the need for a reliable, well-performing network backbone is left unaddressed by SD-WAN appliances alone.

In general, SD-WAN appliances are not security appliances. For example, to achieve the functionality of a Next-Generation Firewall (NGFW), you need to add a discrete appliance at the network edge. This only leads to complexity and higher costs as more security services are added as discrete appliances or virtual functions.

Another option is known as Secure SD-WAN, a solution which integrates a full security stack into an SD-WAN appliance. In this case, the solution’s effectiveness is limited by the deployment locations of the SD-WAN appliances, which are typically installed at each branch. Security is only applied for the traffic at the branch.

What’s more, in deployments covering multiple branches, each appliance needs to be maintained separately, which provides the potential for out-of-sync policies and out-of-date software.

Another shortcoming of SD-WAN is that by design, networking appliances are built for site-to-site connectivity. Securely connecting work-from-home or mobile users is left unaddressed by SD-WAN appliances. While SD-WAN delivers some important benefits, networking appliances alone are not a holistic solution. That’s where SASE comes in.

SASE Is the Future of Secure Enterprise Networking

SASE takes all the capabilities of Secure SD-WAN and moves them to a cloud-based solution, which effectively eliminates geographic limitations. But more than that, the SASE approach converges SD-WAN, a global private backbone, a full network security stack, and seamless support for cloud resources and mobile devices. It is an architectural transformation of enterprise networking and security that enables IT to provide a holistic, agile, and adaptable service to the digital business.

ICG's SASE solution is built on a cloud-native and cloud-based architecture that is distributed globally across 60+ Points of Presence (PoPs). All the PoPs are interconnected with each other in a full mesh by multiple tier-1 carriers with SLAs on loss and latency, forming a high-performance private core network called the ICG Cloud. The global network connects and secures all edges—all locations, all users regardless of where they are, all clouds, and all applications.

ICG uses a full enterprise-grade network security stack natively built into the ICG Cloud to inspect all WAN and Internet traffic. Security layers include application-aware next-generation firewall-as-a-Service (FWaaS), secure web gateway with URL filtering (SWG), standard and next-generation anti-malware (NGAV), and managed IPS-as-a-Service (IPS).

ICG can further secure a customer’s network with a comprehensive Managed Threat Detection and Response (MDR) service to detect compromised endpoints. All security layers scale to decrypt and inspect all customer traffic without the need for sizing, patching, or upgrading of appliances and other point solutions. And because ICG runs a distributed, cloud-native architecture, all security functions are performed locally at every PoP, eliminating the latency legacy networks introduced by backhauling traffic for security inspection.

Importantly, in this age of work-from-home, ICG's SASE solution easily supports mobile and remote users. Giving end users remote access is as simple as installing a client agent on the user’s device, or providing clientless access to specific applications via a secure browser. All security and network optimization policies that applied to users in the office instantly apply to them as remote users. Moreover, the platform can scale quickly to any number of remote users without worry.

For SASE, It Has to Be Cloud-Native Security

It wasn’t long ago that networking and enterprise security were different disciplines. Silos, if you will. But today, with users working everywhere, security and networking must always go together. The only way to protect users everywhere at scale without compromising performance is the cloud. Converging security and networking together into a genuine cloud service with a single-pass, cloud-native architecture is the only way to deliver high performance security and networking everywhere. That’s the power of SASE.

Get the free e-book Secure Access Service Edge for Dummies.

SD-WAN or SASE: Choose a platform rather than a product

What’s the alternative? Buy more VPN servers? That’s short-term thinking, and only effective until enterprises need to change again, and users move back to the office. Then IT’s left with an infrastructure investment sitting underutilized.

No, to support the new requirements of the post-pandemic era, enterprises need a new strategy, one that addresses the needs of an uncertain working environment.

A Platform Rather than a Product

The biggest challenge for this new strategy is that it’s not clear as to what those needs will be. Yes, we need to have large scale, high performance remote access today, but that was a problem for IT back in January and March last year. What are tomorrow’s challenges? That’s harder to foresee. And since you don’t yet know what problems will arise, you can’t possibly buy a product to prepare for tomorrow – unless, of course, you’re prepared to gamble with your budget.

What you can do, though, is put in place a solution that has ALL the capabilities you’ll need but only activate those needed today. When new work conditions present themselves, the right platform can adapt quickly. Such a platform should be agnostic of the last-mile technologies. It should be lean enough to run anywhere on any device, connecting any kind of location – a branch, datacenter, or cloud resource. And it should have the geographical footprint, security capabilities, and optimization technologies to securely connect users across the globe without compromising the user experience.

A decade ago, such a comprehensive, global platform wasn’t possible. Today, though, the necessary networking and security technologies have matured to the point that they can be converged together. The Internet is everywhere. Processing resources are ubiquitous in the cloud. And 90 percent of the capabilities of routers, firewalls, and now, SD-WAN are common across vendors. The real value then comes not in any one product but in the convergence of those capabilities together.

Yes, SD-WAN is one of the capabilities in such a platform, but SD-WAN alone is not the answer. SD-WAN appliances are products aimed at addressing a very particular problem – the limitations of MPLS and legacy networks. They won’t connect your mobile users or solve your long-term remote access challenges because SD-WAN solutions are built for the branch. They also don’t secure users or sites against malware. SD-WAN solutions also fail to provide the backbone for predictable, global performance. To address these and other gaps, you’ll need yet more hardware or software, limiting IT agility, fragmenting visibility, and increasing costs.

Comprehensive Visibility and Management Remain Critical

As we tackle new challenges with point solutions, we risk creating greater management problems for ourselves. Add a new security solution – a new type of firewall, a SWG, or an IPS – and you have yet another product to manage and maintain. Your visibility into the network becomes fragmented if you have one console for SD-WAN and another for the firewall or the global backbone provider. And once your view is fragmented, troubleshooting becomes dramatically more complex.

Having all technologies in one platform allows for a single-pane-of-glass. IT managers can see networking and security events in one interface for all users – at home or in the office – accessing any resource – in the cloud or in a private datacenter. Such holistic insight improves all facets of network and security operations from planning to provisioning new resources to troubleshooting.

And management delivery should be flexible enough to meet enterprise requirements. With self-service, enterprises configure and troubleshoot the networks themselves, doing in seconds what otherwise required hours or days with legacy telcos. For additional assistance, co-management should be available, allowing customers to rely on ongoing support from the provider or its partners without relinquishing control of overall management. A fully managed option offloads responsibility for moves, adds, and changes onto the provider.

Support Well, Run Fast

A company’s network is critical infrastructure. It is the lifeblood of the organization’s communications and, quite often, its operations. Therefore, the customer/provider relationship should be viewed by both sides as a true partnership where each one can only succeed with full support from the other.

Such a partnership can be hard to establish when a vendor just wants to sell a product and move on to the next opportunity. It requires companies to not only support customers well but also innovate fast. By owning the platform, providers can deliver new features independent of any supplier. It’s the kind of innovation we’ve seen in cloud services but not telcos and legacy carriers. It’s up to you, though, to find providers that live up to this vision.

Making the Technology Transition to SASE

SD-WAN is a sophisticated technology, but it’s meant for meeting the challenges of yesterday, not tomorrow. The Secure Access Service Edge (SASE) is a comprehensive platform that blends SD-WAN with security, remote access and many other capabilities to meet whatever challenges you face today and tomorrow.

Secure Remote Work: Deploying Zero Trust Access

Global Workplace Analytics estimates that 25-30% of the workforce will be working from home multiple days a week by the end of 2021. Others may never return to an official office, opting to remain a work-from-home (WFH) employee for good.

The suddenness of having to turn so many people into remote workers has put a real strain on network security. There was little, if any, time to develop and execute a secure remote access strategy that provides the same level of security protections that workers have in the office. This has introduced a range of cybersecurity risks and challenges, and a need for real Zero Trust Access solutions regardless of where people work.

Security Is Often a Weak Link of Remote Access

In April 2020, just as millions of office workers began their foray into WFH practices, Cato Networks conducted the “Enterprise Readiness to Support Widespread Work-from-Anywhere” survey pertaining to enterprise readiness to facilitate remote work. In sampling nearly 700 organizations, Cato found that nearly two-thirds of respondents (62%) have seen remote access traffic at least double since the outbreak, and more than a quarter (27%) have seen remote access traffic triple.

Of critical concern is how enterprises enforce security policies on their expanded remote workforces. The survey found that most respondents fail to employ at least one key measure needed for enterprise-grade security:

  • Multi-factor authentication (MFA) for validating user identity,
  • Intrusion Prevention for identifying network-based attacks, or
  • Antimalware for preventing threats posed by malicious content.

While MFA has become standard even among consumers, more than a third (37%) of respondents don’t use MFA when admitting remote users, instead relying on Single Sign On (SSO) or username and password. As for preventing attacks, more than half of respondents (55%) fail to employ Intrusion Prevention or antimalware. Even worse, 11% fail to inspect traffic altogether.

Used by 64% of the survey respondents, VPN servers are the dominant point solution to enable remote access. While VPNs provide traffic encryption and user authentication, they are a security risk because they grant access to the entire network without the option of controlling granular user access to specific resources. There is no scrutiny of the security posture of the connecting device, which could allow malware to enter the network. What’s more, stolen VPN credentials have been implicated in several high-profile data breaches. By using legitimate credentials and connecting through a VPN, attackers were able to infiltrate and move freely through targeted company networks.

VPNs Are Giving Way to Zero Trust Security

The tech industry is moving toward a much more secure user access model known as Zero Trust Network Access (ZTNA). It’s also called the software-defined perimeter (SDP). How ZTNA works is simple: deny everyone and everything access to a resource unless it is explicitly allowed. This approach enables tighter overall network security and micro-segmentation that can limit lateral movement in the event a breach occurs.

Last year, Gartner’s Market Guide for Zero Trust Network Access (ZTNA) projected that by 2023, 60% of enterprises will phase out VPN and use ZTNA instead. The main advantage of ZTNA is its granular control over who gains and maintains network access, to which specific resources, and from which end user device. Access is granted on a least-privilege basis according to security policies.

This granular-level control is also why Zero Trust Network Access complements the identity-driven approach to network access that SASE (Secure Access Service Edge) demands. With ZTNA built into a cloud-native network platform, SASE is capable of connecting the resources of the modern enterprise (sites, cloud applications, cloud datacenters, and yes, mobile and remote users) with just the right degree of access.

Security Integration Is Key to Effectively Enforcing Zero Trust Security Policies

Like VPNs, firewalls, and Intrusion Prevention solutions, there are point solutions for ZTNA on the market. In fact, many networks today are configured with an array of standalone security and remote access solutions. This lack of product integration is a real drawback for a number of reasons. First, it increases the probability of misconfigurations and inconsistent security policies. Second, it increases network latency as traffic must be inspected separately by each device. And finally, the lack of integration makes holistic threat detection all but impossible, as each appliance has its own data in its own format. Even if that data is aggregated by a SIEM, there is considerable work to normalize data and correlate events in time to stop threats before they can do their damage.

In addition, Zero Trust is only one part of a remote access solution. There are performance and ongoing security issues that aren’t addressed by ZTNA standalone offerings. This is where having ZTNA fully integrated into a SASE solution is most beneficial.

SASE converges Zero Trust Network Access, NGFW, and other security services along with network services such as SD-WAN, WAN optimization, and bandwidth aggregation into a cloud-native platform. This means that enterprises that leverage a SASE architecture receive the benefits of Zero Trust Network Access, plus a full suite of converged network and security solutions that is both simple to manage and highly scalable. The ICG SASE solution provides all this in a cloud-native platform.

ICG’s SASE Platform Simplifies Secure Remote Access for WFH

What does this mean for the remote access worker? The ICG SASE platform makes it very quick and easy to give highly secure access to any and all remote workers.

ICG provides the flexibility to choose how remote and mobile users securely connect to resources and applications. ICG Client is a lightweight application that can be set up in minutes and which automatically connects the remote user to the ICG Cloud. Clientless access allows optimized and secure access to select applications through a browser. Users simply navigate to an Application Portal – which is globally available from all of ICG's 57 PoPs – authenticate with the configured SSO and are instantly presented with their approved applications. Both approaches use integrated ZTNA to secure access to specific network resources.

A Zero Trust approach is essential for a secure remote workforce, and ICG SD-WAN allows an easy and effective implementation of ZTNA.

Thought SD-WAN Was What You Needed to Transform your Network? Think Again.

At the time this made sense, as SD-WAN brought important advantages:

  • Optimized bandwidth costs, by leveraging inexpensive services like Internet broadband whenever possible.
  • Improved cloud and Internet performance, by sending traffic directly to the Internet and not via distant datacenters.
  • Reduced overhead and complexity, by enabling centralized management and agile orchestration.

Indeed, SD-WAN presents an affordable solution for site-to-site connectivity and is the initial building block of WAN transformation. Nevertheless, a full digital transformation involves much more than branch connectivity. The modern digital business needs optimized access to cloud resources, reliable global connectivity, security for all enterprise edges, and particularly today – support for the mobile/remote workforce.

What COVID-19 Taught us About Work-from-Home Transition

COVID-19 has expedited the need to shift to a WFH (or work-from-anywhere) model. Transforming the network to enable secure remote access to all users, at all locations, is crucial for guaranteeing business continuity in today’s reality, and has become a top priority for IT teams worldwide.

To successfully address the sudden demand for remote access caused by the pandemic, IT needs to instantly support all employees, at the same time, without affecting user experience and enterprise security posture. This huge WFH challenge is dependent on these three criteria: global scalability, performance optimization, and converged security.

Is SD-WAN the Answer to the WFH Challenge?

Trying to solve remote access scalability with SD-WAN requires installing an SD-WAN device at each remote user’s home office, which is inefficient, complicated, and anything but scalable. And without a global private backbone, even the SD-WAN device is dependent on the performance of the public Internet, which is unpredictable, especially over global distances. Finally, allowing remote users to access the Internet without security measures increases the chance of breaches and malicious attacks.

It’s no wonder that ever since the COVID-19 outbreak, we’re hearing from more and more IT leaders that their SD-WAN can’t address their most pressing need – providing a secure and optimized WFH environment. Enterprises have come to realize that as a point solution, at the branch level, SD-WAN has only partially prepared their network for the digital transformation.

What can IT do now? Add more point products to support WFH? If you’re asking us, the answer is clearly no. More appliances and point solutions entail the cost and hassle of procurement, sizing, maintenance, and upgrades.

So, what then? SASE. Global scalability, optimized performance, and converged security, all together, can be found in Gartner’s new industry category Secure Access Service Edge (SASE). A true SASE platform converges SD-WAN and network security into a single, global cloud service; delivering on top of that, SWG, CASB, NGFW and software-defined perimeter (SDP)/zero trust network access (ZTNA).

What it Takes to Really Support Remote Users

If we were to boil down the topic to a key takeaway, this is it: A viable remote access solution must be a software-only, cloud-native solution. Let’s revisit the WFH criteria and apply them to SASE:

  • Global scalability – SASE’s cloud-native and globally distributed architecture supports optimized and secure access for an unlimited number of users, on any device, from any location, and without requiring additional infrastructure.
  • Performance optimization – A SASE platform includes a private backbone and built-in WAN optimization, avoiding the unpredictable Internet when connecting remote users to applications. This ensures that application performance from remote is the same as from the office.
  • Converged security – A SASE service provides a natively integrated, complete network security stack. All traffic passes through the SASE network, applying multi-factor authentication, continuous threat prevention, and granular access policies for applications, both on-premises and in the cloud.

SASE – All you Need to Transform your Network

In its newly released Hype Cycle for Enterprise Networking, 2020, Gartner acknowledges that COVID-19 has “highlighted the need for business continuity plans that include flexible, anywhere, anytime, secure remote access, at scale.” Gartner advises to prioritize SASE use cases that drive measurable business value, such as the mobile and remote workforce.

SASE is what you need to successfully transform your network and provide enterprise-wide remote access. SASE offers a cloud-native, agile architecture with converged network and security that is globally distributed and supports all resources.

This is what turns SASE into the ultimate answer to the WFH challenge. With SASE you’ll be able to fully transform your business, deliver a secure, productive, work-from-anywhere environment, and support your enterprise with a network built for today and ready for the future.

Get the SASE for Dummies eBook.

WAN Optimization in the SD-WAN Era

WAN optimization has been with us for a long time. Born alongside expensive and capacity-constrained WAN connectivity, such as MPLS, WAN optimization appliances allowed organizations to squeeze more bandwidth out of thin pipes through compression, and to prioritize traffic of loss-sensitive applications such as remote desktops.

The dramatic changes in network traffic patterns, from inwards towards the data center to outwards towards the cloud, are challenging the base premise for dedicated WAN optimization appliances.

First, the growth of Internet- and cloud-bound traffic is accelerating the introduction of direct secure Internet access at branch locations. These links have a higher capacity at a lower cost, making bandwidth expansion easier and more affordable. Second, the use of public cloud applications is incompatible with using a WAN optimizer at both edges of the link, as enterprises can’t control the traffic going into cloud applications.

These changes are leading to convergence….

"We’ve reduced our networking opex by 50 percent and more since moving from MPLS. Users just aren’t complaining any longer."
- Ville Sarja, CIO

The ICG Solution: Global, SLA-backed Backbone with built-in Network Security

ICG's secure and global SLA-backed backbone enables customers to augment and ultimately replace MPLS connectivity. Unlike SD-WAN edge solutions that have limited scope and persist the need for MPLS, ICG extends the WAN transformation to eliminate branch security appliances, and natively support cloud applications and mobile users. With ICG, customers can maximize the benefits of transforming their WAN to reduce the cost, complexity and risks of their IT infrastructure.

SD-WAN Edge Challenges

Solution: Global, Secure SLA-backed Backbone

SD-WAN edge appliances enable organizations to use multiple transports (MPLS and Internet) in branch locations for WAN connectivity. However, they persist the dependency on MPLS transports to ensure latency- and loss-sensitive applications perform in a consistent manner.

ICG is providing a global, SLA-backed backbone with built-in network security, delivered as a cloud service. With over 30 PoPs worldwide, interconnected with tier-1 global IP transit providers, ICG can provide consistent and predictable global connectivity at an affordable price.

SLA-backed Transport

Lack of SLA-backed transport forces reliance on MPLS

SD-WAN Edge integrates Internet transport into the MPLS WAN. However, since the Internet can’t provide consistent and predictable latency on a global scale, enterprises must continue to use MPLS to support latency- and loss-sensitive applications.

ICG's SLA-backed backbone enables MPLS replacement

ICG has built a global, SLA-backed backbone that runs our integrated networking and security software stack. ICG PoPs are fully meshed over multiple tier-1 IP transit providers with SLA-backed latency and packet loss. With ICG customers can use high quality Internet last mile and the ICG SD-WAN to replace MPLS.

Integrated Network Security

Complex and costly security integration

SD-WAN edge solutions enable the use of Internet for WAN transport and can provide direct internet access at the branch. However, they typically do not include a full network security stack and require customers to deploy additional security solutions at every location, backhaul traffic to a datacenter or use cloud-based security services.

Network security built into the ICG SD-WAN

ICG provides a full network security stack, including a next generation firewall, secure web gateway, anti-malware and IPS built into the SLA-backed backbone. There is no need to deploy branch security appliances, backhaul traffic, or introduce new security services. All policies are managed within ICG's management application.

Supported Edges

Limited support for cloud infrastructure and mobile users

SD-WAN edge solutions were designed with physical locations in mind. Typical WAN architectures treat cloud data centers and mobile users as an afterthought.

Seamless support for Physical, Cloud and Mobile resources

ICG was built to connect all enterprise network elements, including physical locations, cloud infrastructure, and mobile users. With ICG Cloud Connect, SD-WAN and network security are available for all traffic globally.

What is STaaS?

Storage as a service (STaaS) is a managed service model for purchasing data storage based on consumption, where a company only pays for what they use, typically on a per-GB per-month basis, backed by a service level agreement (SLA) from the storage service provider.

30% of IT organizations are using enterprise-class Storage-as-a-Service. - Frank Berry, IT Brand Pulse

That means a majority of IT organizations are still unfamiliar with the benefits STaaS technology can bring to them. So you probably need to take a look at ICG's STaaS offering today.

Why use storage as a service?

Storage as a service is used by organisations of all sizes, typically with 10TB or more storage capacity, who want to maximise their operational expenditure, improve availability, mitigate risk and offload technical debt associated with management and maintenance of enterprise storage infrastructure.

CIOs appreciate the agility that STaaS offers, with the ability to deploy resources almost instantly, based on constantly evolving workloads. Instead of waiting months to run procurement, put the requirement out to tender, and then deploy, migrate and manage the result, STaaS allows new storage, drives, cache and protocols to be provisioned in minutes, while buffer capacity takes away the pain of ever running out of storage space again.

CFOs benefit from how STaaS reduces huge CapEx outlays to small monthly OpEx payments, similar to why companies used to lease IT infrastructure over a number of years rather than pay for it all up-front. Learn more about CapEx vs OpEx vs Leasing vs XaaS.

Service levels also improve, with SLAs managed by a vendor or service provider rather than by the company itself.

How does storage as a service work?

Customers sign a service agreement based on a fixed cost per-GB per-month basis, with a floor price or minimum commit, typically around $1,500 per month. Equipment is provided to the customer inclusive of all installation, on-going maintenance and future upgrades.

How much does storage as a service cost?

Cost is one of the key drivers behind organisations adopting a STaaS storage solution. When you consider that you only pay for what you use, with little to no commitment, rather than being tied to a box for 3-5 years with an investment of tens of thousands to hundreds of thousands of dollars, only to repeat the process all over again in another 5 years when it reaches the end of its lifecycle, the agility STaaS offers is highly compelling.

Soft costs

Once you consider the soft costs, such as installation, upgrades, migration, management, overprovisioned capacity, overprovisioned IOPS, SLAs, GTM delays, downtime, procurement, management burden and staffing costs, you can start to see why STaaS is so attractive. If you are considering STaaS in a public cloud, then you can count the power, cooling and rackspace costs too.

Hard costs

If you just compare the hard costs, then things aren't quite so clear, similar to comparing a traditional storage box to a cloud provider like Amazon AWS, Microsoft Azure or Google Cloud. The box itself might work out cheaper when you assess just the cost per GB, but once you consider that you still need to rack it, power it, cool it, migrate, manage and upgrade it, the case becomes much clearer.

Opportunity cost

The opportunity cost of not going to a STaaS model is tied-up business capital and a lost ability to innovate, when resources are tied up managing and maintaining storage arrays rather than contributing to the business through innovation and digital transformation.

Only pay for what you use

With STaaS you pay only for what you consume, so you don't need to worry about purchasing a 100TB storage array for 5 years and using only 20-50TB in the first few years, essentially wasting 50-80% of your capital investment. All that typically over-provisioned capacity is no longer your problem.

Benefits of Storage as a Service

  • Only pay for what you use
  • Remove large up-front CAPEX expenditure
  • Improved levels of service with guaranteed SLAs
  • Scalability to grow beyond traditional SAN restrictions like number of drives
  • Reliability with multiple copies of your data, better than simple RAID-6 protection
  • Offload the management burden of your storage area network
  • No fees for egress network traffic like public cloud storage
  • Pay per month subscription basis: 12, 36 or 60 months

What is the difference between Cloud Storage and STaaS?

Cloud storage and STaaS are essentially the same, however STaaS is more commonly used when referring to the deployment or delivery of storage as a service on premises in your own data center, rather than storage from a cloud services provider.

STaaS use cases

  • Backup and archive
  • Containerized workloads
  • Database
  • Data protection
  • Disaster recovery
  • File server consolidation
  • Long-term retention
  • NAS file shares
  • Object storage
  • SAN block storage
  • Storage refresh
  • Virtualization

Everything as a service (XaaS)

With the ever accelerating trend toward cloud computing, it seems everything is now available as-a-service or SaaS application. What's more compelling is that those cloud services business models, which used to be restricted only to the cloud service providers, are now evolving into something that you can deploy on premises to help achieve hybrid cloud nirvana.

Learn more about ICG Storage as a Service (STaaS) or calculate your STaaS storage cost with the ICG storage cost calculator.

Why Remote Work and Legacy Security Architectures Don’t Mix

When the dust settled and the results tallied, an optimistic group of IT leaders arose, confident in their networks, but concerned about securing, and managing their remote workforce.

Enterprises will continue working remotely

Make no mistake about it, work-from-home (WFH) and the remote workforce aren’t going away any time soon. Only 7% of respondents indicated that everyone will move back to the office. More than half (80%) indicated their companies will continue with a remote workforce in whole or in part.

With users working remotely, IT organizations still need the same level of security controls and visibility. But delivering those capabilities can’t be done by compromising application performance. And that’s a problem for legacy security architectures as they add latency, crippling application performance, and lack the optimization techniques for improving the remote experience.

It’s no surprise then that boosting remote access performance was the most popular primary focus for IT leaders over the next 12 months (47% of respondents). At the same time, when asked to cite the primary security challenges facing their IT organizations, 58% of respondents pointed to “enforcing corporate security policies on remote users” making it second to only “Defending against emerging threats like malware/ransomware” (66% of respondents).

But the problems of securing the remote workforce don’t stand on their own. They’re compounded by all of the legacy security challenges facing IT teams. More than half (57% of respondents) indicated that they lacked sufficient time and resources to implement security best practices. And those best practices can be as mundane as patching software and systems shortly after vendors release patches (32% of respondents).

Astounding. In the 21st century with networks that have seen throughput jump ten thousand-fold over the past 30 years and we still have patching problems?

IT managers shouldn’t blame themselves, though. It’s clear where the problem lies — in the architecture. As Cato security engineer, Peter Lee, noted in this blog when documenting the vulnerability and subsequent patches issued for VPN servers:


“Patching has become so common that we just assume that’s the way it has to be. “Patch Tuesday” has us expecting fixes to problems every week. In reality, patching is an artifact of the way all appliances are built. If we eliminate the appliance architecture, we can eliminate the overhead and risk of patches.”

Eliminating appliances will not only eliminate patching problems, it will also eliminate the performance and visibility challenges introduced by legacy security architectures. Of course, this assumes enterprises can replace legacy security architectures with an approach that will:

  • Simplify today’s security stack
  • Eliminate the patching headaches
  • Deliver secure access everywhere, at scale, without compromising performance
  • Give visibility and control into all traffic flows

What architecture will do that? According to respondents — SASE.


More than 91% of respondents expect SASE to simplify management and security. Of those who’ve already adopted SASE, 86% of respondents experienced increased security, 70% indicated time savings in management and maintenance, 55% indicated overall cost saving and greater agility, 36% saw fewer complaints from remote users, and 36% realized all these benefits. No wonder that more than half of the respondents indicated that SASE would be very or extremely important to their business post COVID-19.

Get started with Cato SASE, try the ICG Cloud Connect SD-WAN service for free.

Alternatives to MPLS internet

The WAN is evolving and SD-WAN is all the rage. It promises to remove the constraints of legacy connectivity technologies, namely MPLS, and create a flexible, resilient, and secure network.

MPLS is a privately managed backbone with built-in Quality of Service (QoS). MPLS services deliver predictability — whatever contention exists for its backbone is managed by the MPLS provider.

Packet loss and latency statistics are more consistent and much lower than those of the public Internet. And to back up that point, MPLS services come with guarantees of availability (99.99% per year uptime), packet loss (0.1% is typical), and latency on a route-by-route basis.

Just as important, MPLS services are mature services built for the enterprise. Aside from the SLAs, they come with integrated invoicing, end-to-end delivery, and management.

The Pitfalls of MPLS

But there’s a price for this kind of dedicated infrastructure. Committing to a dedicated capacity, maximum latency, and maximum time to repair makes MPLS services very expensive. As a result, capacity is constrained by available budgets and can be easily overwhelmed by the needs of the business.

MPLS services are also notorious for their lack of agility. Site deployments involve a slow and rigid process that can take weeks and sometimes months to complete. Change management is also a hassle, requiring careful coordination with the carrier to ensure service levels are met.

Network Transformation Strategy

Addressing the challenges of MPLS

SD-WAN is looking to address the challenges of MPLS like cost, capacity, rigidity, and manageability.

The SD-WAN edge router can dynamically route traffic over multiple data services (MPLS, cable, xDSL, 4G/LTE) based on the type of traffic and the quality of the underlying service. SD-WAN edge solutions let organizations boost capacity available for production by adding inexpensive data services to an existing MPLS-based network.

In that context, SD-WAN can reduce the growth of MPLS spend. SD-WAN automates application traffic routing based on real-time monitoring of changing conditions, which means less error-prone manual configuration changes through command line interfaces.

Some SD-WAN solutions offer zero-touch provisioning, which allows the edge to configure its connection to the WAN using the available mix of services at each location. This means a site can be brought online quickly with a single or dual Internet service or even 4G/LTE. And, MPLS can be incorporated seamlessly when it becomes available at a later point.


SD-WANs aren’t perfect

But SD-WAN edge architectures have several gaps. SD-WAN edge routers must rely on a predictable service, like MPLS, to carry latency-sensitive traffic. The router can move traffic to an alternate service if MPLS is unavailable, but this is not a recommended approach. SD-WAN routers still need MPLS and have a limited impact on overall networking spend.

Also, the introduction of Internet breakouts increases the risk of Internet-borne threats. SD-WAN routers do not address these new security requirements. Organizations need to extend their security architectures to support SD-WAN projects using edge firewalls or cloud security services. This only adds to the costs and complexity of an SD-WAN deployment.

Finally, SD-WAN routers are not optimized for cloud resources and mobile users. Since they were built to solve a branch office problem, SD-WAN vendors had to stretch their architectures to the cloud as an afterthought. This involves complicated route configurations and time-consuming deployments of SD-WAN routers near or at the cloud providers.

SaaS routing intelligence comes at the cost of deploying many SD-WAN routers near SaaS data centers in order to build a fabric with sufficient density to provide any real optimization benefits. Mobile users are simply out of scope for edge SD-WAN deployments and can’t benefit from the new network capabilities introduced by SD-WAN.

The Promise of SD-WAN as a Service

What is the solution?

ICG delivers on the core promise of SD-WAN while extending it to address these key gaps. ICG includes advanced SD-WAN edge capabilities including multi-transport support, last mile optimization, and policy-based routing.

The SLA-backed global backbone of points of presence (PoPs) at the core of the ICG service forms an affordable MPLS alternative and has the following benefits:

  • An enterprise-grade network security stack, built into the backbone, extends security everywhere without the need to deploy additional security products.
  • An agentless deployment model allows ICG to connect cloud resources as easily as physical locations, from the nearest PoP to the cloud provider.
  • Mobile users benefit from the power of the ICG SD-WAN using ICG's mobile client.

With ICG tunnel overlay architecture connecting all resources to the service, in the same way, organizations gain single-policy control and holistic visibility across their network — physical locations, cloud resources, and mobile users.

Table: MPLS Alternatives Comparison

Challenges of SD-WAN security

August 2019 saw a significant increase in the discovery of new malware according to statistics from AV-TEST – The Independent IT-Security Institute. In August alone, 14.44 million new malicious programs were registered by the institute, raising the total number of registered malware programs above 938 million. The sheer magnitude of these numbers provides a sobering perspective and helps quantify the threats facing enterprise networks.

As the WAN is the ingress and egress point of corporate networks, securing it is vital to mitigating risk and improving security posture. However, cloud services and mobile users make networks much more dynamic and difficult to secure than they were just a decade ago.

These fundamental changes in how we do business demand a new approach to WAN security. Appliance-based SD-WAN and MPLS (Multiprotocol Label Switching) simply aren’t designed to address these use cases. Fortunately, cloud-based SD-WAN offers enterprises a holistic WAN solution capable of meeting modern security challenges at scale with cloud-native software and security as a service.

But what makes cloud-based SD-WAN security and the security as a service model different? Let’s find out.

WAN Security and the Challenges Facing the Enterprise

A good starting point in explaining why cloud-native SD-WAN is so compelling from a security perspective is the shortcomings of two older WAN solutions: MPLS and appliance-based SD-WAN.

MPLS was designed to provide dedicated, reliable, and high-performance connections between two endpoints before cloud and mobile took over the world. However, there’s no encryption on MPLS circuits and any security features like traffic inspection, IPS (Intrusion Prevention System), and anti-malware have to be layered in separately. Appliance-based SD-WAN generally offers encryption, solving one of the problems associated with MPLS, but it’s effectively the same story after that. SD-WAN appliances are not security appliances. For example, to achieve the functionality of a Next-Generation Firewall (NGFW), you need to add a discrete appliance at the network edge.

For both MPLS and appliance-based SD-WAN, the “add appliances to add security” approach has a number of shortcomings including:

  • Complex and difficult to scale. The more appliances you add, the more complex the network becomes. Not only does each additional appliance require more time investment, it introduces more potential for oversights that lead to costly breaches. A single misconfigured appliance can create a major security risk and manual configuration is conducive to oversight and errors.
  • Expensive. Each discrete appliance must be sourced, licensed, provisioned, and maintained, and the cost adds up fast.
  • Limited when it comes to cloud and mobile. Appliance-based architectures are inherently site-focused. There isn’t a simple way to add cloud support to most appliances, from either a security or a connectivity standpoint.

Why SD-WAN Security with Cloud-Native Software & Security as a Service is a Game-Changer

The cloud-native network infrastructure supporting ICG's SD-WAN takes security to the next level by integrating security features into the underlying WAN fabric. Built from the ground up with modern enterprise networks in mind, ICG's cloud-native infrastructure eliminates the need for most proprietary hardware integrations by baking in security features, reduces complexity by providing a single management interface, and reduces the technical expertise and time investment required for WAN management.

Additionally, inspection of TLS traffic occurs at the PoPs (Points of Presence) on ICG's global private backbone, helping to secure traffic to and from the cloud efficiently. Further, with ICG Software Defined Perimeter, support for mobile users becomes simple and scalable.

In short, by shifting security functions to the cloud, ICG delivers a security-as-a-service model that brings cloud scalability, economies of scale, and agility to SD-WAN security.

Enterprise-Grade Cloud-Based SD-WAN Security Features

Now that we understand the architectural advantages of cloud-based SD-WAN security, let’s explore some of the specific features that set ICG SD-WAN apart.

  • NGFW. Inspects WAN and Internet-bound traffic and allows implementation of granular security policies based on network entities, time, and type of traffic. The NGFW’s Deep Packet Inspection engine classifies applications or services related to a given traffic flow without decrypting payloads. This helps the NGFW achieve full application awareness and contextualize traffic for more granular policy enforcement.
  • Secure Web Gateway (SWG). Malware, phishing, and similar attacks that originate on the Internet pose a real threat to enterprise WANs. SWG focuses on web access control to prevent downloads of suspicious or malicious software. Predefined policies exist for a number of website categories and enterprises can input their own custom rules to further optimize web safety within the WAN.
  • Anti-malware. To deliver enterprise-grade anti-malware functionality, the ICG SD-WAN takes a two-pronged approach. First, a signature- and heuristics-based engine that is updated with the latest information from global threat databases scans traffic for malware. Second, ICG has partnered with infosec industry leader SentinelOne to incorporate artificial intelligence and machine learning to identify unknown malware that may evade signature-based checks.
  • IPS. Intrusion Prevention System provides contextually-aware SD-WAN security. Customers benefit from the scale of the ICG network in the form of a more robust IPS. Research Labs use big data to optimize IPS performance and reduce false positives and false negatives.
  • Managed Threat Detection and Response Service (MDR). With MDR, enterprises can offload compromised endpoint detection to ICG security operations center (SOC). With MDR, enterprises not only reduce the support burden on in-house staff, they minimize one of the key drivers of damage created by malware: dwell time. With MDR, ICG's SOC works to rapidly identify and contain threats as well as advise on remediation. The SOC team also provides monthly reports that help quantify network security incidents (here’s a genericized example report for reference (PDF)).

Modern and Scalable SD-WAN Security

As we’ve seen, the complexities and cost of sourcing, provisioning, patching, and maintaining a fleet of appliances are abstracted away with security as a service. Cloud-based SD-WAN offers a number of inherent advantages appliance-based SD-WAN and MPLS simply can’t deliver. This is because cloud-native software and the security as a service model enable ICG to take a converged approach to networking and security. As a result, users benefit from an information security, operations, and business perspective.

This point is driven home by Jeroen Keet, Senior Network and System Architect at Kyocera Senco: “Companies moving to the cloud should have a closer look. The integrated connectivity, security, and intelligence make it an evolutionary step forward for all businesses. If you are willing to use all of the functionality [SD-WAN] has to offer, it will bring significant financial, functional and IT management benefits.”

If you’d like to learn more about how ICG is revolutionizing SD-WAN security or need help choosing a WAN connectivity solution that meets your needs, book a Discovery Session today.

Evolution of SD-WAN

The driving factors for SD-WAN adoption have not been static throughout its history. SD-WAN has evolved through three main stages to meet the business needs of its users.

The cloud has become an inseparable part of the IT enterprise as more applications make the transition to the cloud. Adaptations in WAN infrastructure that arise are necessary to meet the new and shifting IT landscape. Initially, SD-WAN was driven by the need for cost-saving since WAN infrastructure, MPLS, in particular, can be quite expensive. Today, it’s not just cost savings that are driving enterprises to SD-WAN. Enterprises have changed how they work, with features such as cloud, SaaS, mobile workers, and IT requirements to roll out new sites in days rather than weeks while reducing costs at the same time.

SD-WAN has become more than just a network for connecting locations. The rise of cloud, mobile, and business agility demands has required SD-WAN to become smarter by providing security, optimization, intelligence, and better reach. These changes in SD-WAN can be broken down into three phases, reflecting the ways that SD-WAN technologies have adapted over time to the demands of business requirements.

SD-WAN 1.0 Hungry for Bandwidth

In addition to cost savings, one of the initial problems with WAN infrastructure that IT leaders were looking to solve was last mile bandwidth and availability. A workaround enterprises have used to improve site availability, is pairing an MPLS connection with backup Internet connections. However, typically those backup connections are only used in the event of an outage.

The predecessor to SD-WAN provided some improvements with link-bonding, which combines multiple Internet services with diverse technologies, such as xDSL and 4G from different providers. This technology operated at the link layer and improved last-mile bandwidth. These improvements were limited to the last-mile and did not create benefits for the middle-mile. Although the network was not yet virtualized at this stage, the idea was laying the groundwork for SD-WAN and proving to be a solution to the changing needs of enterprise networks.

SD-WAN 2.0 The Rise of SD-WAN Startups

Link bonding only addressed availability of the last mile. For true improvement in WAN performance, routing awareness needs to take place anywhere along the path, not just the last mile. Advanced features beyond link bonding were needed to address current needs. As these new advancements in SD-WAN were being developed, many startups soon appeared on the scene. Competition breeds innovation, and this phase introduced new features such as virtualization failover/failback capabilities, and application-aware routing. These features were driven by the need for improved performance and agility on the WAN. SD-WAN improves agility of the WAN by avoiding the installation and provisioning delays of MPLS and fills the need for bandwidth on demand. Virtualization allows network administrators the ability to manage the paths or the services underneath from a single control panel to configure optimization features.

Optimization of SD-WAN provides application performance that previously required the SLA-backed connections of MPLS. Using application-aware routing and dynamic link assessment, SD-WAN improves WAN performance by selecting the optimum connection per application. SD-WAN met the challenge to deliver the right performance and uptime characteristics needed to provide applications to users.

SD-WAN 3.0 Reaching Out

SD-WAN evolved beyond connecting branch offices — expanding the reach to all enterprise resources to create a seamless network experience. This is a major shift in networking capabilities to create a unified infrastructure for cloud, mobility, and “as-a-service” technologies. SD-WAN provides encrypted Internet tunnels for traffic traversing the WAN. SD-WAN as-a-service can provide a full enterprise-grade, network security stack built directly into its global SD-WAN backbone to protect all location types, including mobile users.

A Roadmap to WAN Transformation

Not all SD-WAN solutions on the market today address all three aspects of WAN transformation. ICG integrates these WAN transformation attributes into one solution and presents a fundamental change in how we think about SD-WAN. By simplifying what can be a complex environment, ICG's SD-WAN as-a-service helps organizations achieve full visibility into their network, route applications for optimum performance, and provides security for the entire WAN, including mobile and cloud users.

With ICG, WAN transformation is a full roadmap for streamlining the networking and security infrastructure of the organization to provide application delivery performance requirements now and as future needs arise.

History of SD-WAN

The Early Days - PPP and Frame Relay

In the 1980s, in order to connect LANs that were in different locations, you used point-to-point (PPP) leased lines. These were typically DS0 (56 Kbps) connections, and later on the faster, more expensive T1/E1 or T3/E3 connections which could also be purchased as fractional T1 or T3 lines at a much lower cost point.

Frame Relay service was introduced in the early 1990s. The same connections used with PPP could be used to connect to a “cloud” from a service provider. It was no longer necessary to purchase and manage individual links between each of the locations. Compared to PPP, Frame Relay reduced monthly WAN costs with far fewer physical connections to manage. It allowed the expensive last-mile link bandwidth to be shared across multiple remote connections, and used less expensive router hardware than the PPP. The OpEx and CapEx advantages of Frame Relay created an explosion of growth of the corporate WAN around the globe and within 5 years of its introduction, even the most conservative enterprises had migrated to Frame Relay.

MPLS Overtakes PPP

In the 2000s, MPLS became the successor to Frame Relay and was designed as an IP-based solution for carriers to converge voice, video and data on the same network. Today MPLS, the most common deployment of enterprise WANs, is a connectionless protocol, whereas Frame Relay is connection-oriented. This difference gave MPLS an advantage with reduced latency in live voice calls and improved QoS.

The Next WAN Innovation is Born

In April 2013, the board at ONUG convened for its bi-annual meeting at UBS headquarters where use cases were shared requiring solutions that suppliers were not yet providing nor addressing. The ONUG Board, invited a handful of guests to provide their input and feedback including Jim Kyriannis, Program Director for Technology Architecture at New York University, who was the one to contribute to the “Branch Office Has Multiple Paths to Headquarters” use case.

It was at the following ONUG Conference, hosted by JPMorgan Chase, where the use case was again presented and its title was transformed into SD-WAN. The ONUG Community was asked to vote on nine use cases at that meeting and it was Jim’s SD-WAN use case that earned the vast majority of the community’s vote. The ONUG SD-WAN Working Group was launched and collaborated with 17 vendors on proof of concepts, including discussions about the cost, risks, benefits, and value.

MPLS Pros and Cons

As MPLS adoption grew, more organizations began to understand that MPLS had economic and technological advantages over Frame Relay causing a rapid migration to MPLS. Today, a similar shift is occurring as enterprises begin looking to replace MPLS with SD-WAN based networks. What has caused this newest networking technology shift? What are the prime differences between MPLS and SD-WAN which are motivating organizations today to look for another solution?

MPLS Pros: Dependable SLAs / Expensive

MPLS Cons: Expensive / Slow Provisioning

Most businesses rely on MPLS services for their dependability, with SLAs that guarantee latency, packet delivery, and availability. In the case of an outage, the MPLS provider resolves the issue within a stated period of time or pays the requisite penalties. However, MPLS is not budget friendly in comparison to Internet services. According to Telegeography, in Q1 2017, median 10 Mbps direct-Internet access (DIA) prices are potentially 1/3 less expensive than MPLS. The time it takes to order and install MPLS circuits is another factor in today’s fast-paced environment. Depending on location, provisioning can take anywhere from 3-6 months.

Making the Move From MPLS to SD-WAN

With the combination of growing bandwidth requirements and restricted network budgets, SD-WAN resolves the issues of cost and network scalability that MPLS presents without sacrificing the quality of service. SD-WAN offers the following advantages:

  • handles a variety of connections and dynamically routes traffic over the best available transport, whether that’s MPLS, cable, xDSL, or 4G/LTE.
  • provides redundancy and more capacity using lower cost links with multiple connections at each location.
  • measures the real-time transport quality (latency and packet loss) of each connection and applies Policy-based Routing (PbR) to route application-specific traffic over the most appropriate transport.

Bottom Line: the time of installation to delivery is far faster than MPLS. Some SD-WAN solutions offer zero-touch provisioning which allows the end-point to configure its connection to the WAN using the available mix of services at each location; a site can be brought online quickly without requiring a networking expert to be on-site for the install.

Industry Projections

Technologies are born from the necessity to solve challenges that arise over time. The rise of SD-WAN was born from the changing enterprise environment and the need to adapt WAN infrastructure to meet these needs while staying within budget.

Projections from industry experts agree that the migration from MPLS to SD-WAN has begun and is continuing to grow rapidly. Andrew Lerner, Vice President of Research at Gartner, predicts “By the end of 2019, 30% of enterprises will have deployed SD-WAN technology in their branches, up from less than 1% today.” Another indicator is revenue from SD-WAN vendors is growing at 59% annually, Gartner estimates, and it’s expected to become a $1.3 billion market by 2020.

SD-WAN solution providers such as ICG can help organizations make the transition and meet the challenges of today’s WAN environments.

How does SD-WAN benefit digital transformation?

In 2019, it has become clear that SD-WAN has secured its position as the way forward for enterprise WAN connectivity. Market adoption is growing rapidly, and industry experts have declared a winner in the SD-WAN vs MPLS debate. For example, Network World called 2018 the year of SD-WAN, and before the end of Q3 2018 Gartner declared SD-WAN is killing MPLS.

What’s driving all the excitement around SD-WAN? It effectively comes down to this: SD-WAN is more cost-effective and operationally agile than MPLS. SD-WAN reduces capex and opex while also simplifying WAN management and scalability.

However, if you don’t drill down beyond high-level conclusions, it can be hard to quantify how SD-WAN will matter for your business. Here, we’ll dive into the top 5 SD-WAN benefits and explain why IT professionals and industry experts alike see SD-WAN as the way forward for enterprises.

Reduced WAN Costs

MPLS bandwidth is expensive. On a “dollar per bit” basis, MPLS is significantly higher than public Internet bandwidth. Exactly how much more expensive will depend on a number of variables, not the least of which is location. However, the costs of MPLS aren’t just a result of significantly higher bandwidth charges. Provisioning an MPLS link often takes weeks or months, while a comparable SD-WAN deployment can often be completed in days. In business, time is money, and removing the WAN as a bottleneck can be a huge competitive advantage.

Just how big of a cost difference is there between MPLS and SD-WAN? The specifics of your network will be the real driver here. Expecting savings of at least 25% is certainly reasonable, and for many enterprises it can go well beyond that. For one customer, MPLS was 4 times the cost of cloud-based SD-WAN despite MPLS only providing a quarter of the bandwidth.

Nick Dell, an IT manager at a major auto manufacturer, optimized his WAN spending by ditching MPLS and moving to SD-WAN.

Enhanced WAN Performance

MPLS was the top dog in enterprise WAN before cloud-computing and mobile smart devices exploded in popularity. Once cloud and mobile became mainstream, a fundamental flaw in MPLS was exposed. Simply put: MPLS is very good at reliably routing traffic between two static locations, but it isn’t good at meeting the demands of cloud and mobile.

With MPLS, enterprises have to deal with the “trombone effect”. Essentially, an MPLS-based WAN has to inefficiently backhaul Internet-bound traffic to a corporate datacenter. The same Internet-bound traffic is then routed back through the corporate datacenter. This places a drag on network performance and can really hurt modern services like UCaaS and videoconferencing.

As SD-WAN enables policy-based routing (PbR) and allows enterprises to leverage the best transport method (e.g. xDSL, cable, 5G, etc.) for the job, this means no more trombone effect and improved performance for mobile users and cloud services.

In addition to solving the trombone routing problem, SD-WAN is a game changer when it comes to last-mile performance. The same ability to leverage different transport methods enables a more advanced approach to link-bonding that can significantly improve last-mile resilience and availability.

Improved WAN Agility

MPLS wasn’t designed with agility in mind. SD-WAN on the other hand is designed to enable maximum agility and flexibility. By abstracting away the underlying complexities of multiple transport methods and enabling PbR, SD-WAN allows enterprises to meet the varying demands of cloud workloads and scale up or down with ease.

For example, onboarding a new office with MPLS can take anywhere from a few weeks to a few months. With ICG’s cloud-based SD-WAN, new sites can be onboarded in a matter of hours or days. Case in point: Pet Lovers Center was able to deploy two to three sites per day during their SD-WAN rollout.

Similarly, adding bandwidth can take over a month in many MPLS applications, while SD-WAN enables rapid bandwidth provisioning at existing sites.

Simplified WAN Management

As we’ve mentioned, the long provisioning times with MPLS can create significant bottlenecks, but MPLS management issues go well beyond that. The larger an enterprise scales, the more complex WAN management becomes. Multiple appliances used for security and WAN optimization become a maintenance and management burden as an enterprise grows. Further, gaining granular visibility into the network can be a challenge, which leads to monitoring and mean-time-to-recover issues. Cloud-based SD-WAN adds value here by providing an integrated and centralized view of the network that can be easily managed at scale.

Increased WAN Availability

When it comes to uptime, redundancy and failover are the name of the game. While MPLS has a solid reputation for reliability, it isn’t perfect and can fail. Redundancy at the MPLS provider level is expensive and can be a pain to implement. SD-WAN makes leveraging different transport methods easy, thereby enabling high-availability configurations that help reduce single points of failure. If your fiber link from one ISP is down, you can failover to a link from another provider. Further, the self-healing features of cloud-based SD-WAN make achieving high-availability (HA) significantly easier than before.

The Cloud-Based Advantage

We’ve already mentioned a few ways cloud-based SD-WAN helps magnify SD-WAN benefits, but it is also important to note that cloud-based SD-WAN overcomes one of the major SD-WAN objections MPLS proponents have put forth. In the past, it could have been argued that the lack of SLAs meant SD-WAN solutions were not ready for showtime at the enterprise-level. However, with cloud-based SD-WAN from ICG, enterprises get all the benefits of SD-WAN, an integrated security stack, and an SLA-backed private backbone supported by Tier-1 ISPs across the globe.

Furthermore, this private backbone solves another problem other SD-WAN solutions cannot: latency across the globe. For international enterprises that must send traffic halfway across the world, routing WAN traffic over the public Internet alone can lead to significant latency. In the past, this meant the operational and dollar costs of MPLS were worth paying. However, cloud-based SD-WAN offers a more cost-effective and operationally efficient alternative. ICG’s global, private backbone has PoPs (Points of Presence) across the world that enable traffic to be reliably routed across it at speeds that meet or exceed MPLS-level performance.

SD-WAN outstrips MPLS for the modern enterprise

While there is no one-size-fits-all answer to every WAN challenge, it’s clear that the majority of modern enterprises can benefit from SD-WAN. We can expect to see MPLS hold a niche in the market for years to come, but SD-WAN is better suited for most modern use-cases. In particular, cloud-based SD-WAN gives businesses a reliable, secure, and modern MPLS alternative that offers the agility of SD-WAN without sacrificing reliability or the peace of mind SLAs provide.
To learn more about what cloud-based SD-WAN can do for your business, book a Discovery Session today.

How does SD-WAN work?

SD-WAN has quickly become the go-to technology for enterprises seeking to leverage the cloud and embrace digital transformation. Yet, much confusion still exists about what exactly is an SD-WAN, and how the technology works.

Just a few short years ago building a WAN was a rather difficult undertaking that relied on dedicated connections, proprietary hardware, and a significant amount of management and orchestration. Those traditional WAN deployments proved to be rigid, unforgiving, and very difficult to maintain and modify when enterprises started to leverage the cloud.

SD-WANs arrived on the scene to overcome the limitations of traditional WAN design. They addressed many of the networking challenges confronting enterprises. At the same time, they left behind numerous challenges when integrating cloud technologies, securing branch offices or dealing with mobile users.

What Exactly Is An SD-WAN?

SD-WAN abstracts network traffic management from the underlying physical infrastructure. In other words, SD-WAN technology transforms WANs from static, hardware-centric networks to nimble, software-defined services.


The advantages offered by SD-WAN technology are numerous:

  • As a virtualized WAN architecture, SD-WANs allow enterprises to use numerous different transport mechanisms, including LTE, MPLS, and broadband Internet connections. Ultimately, SD-WANs can leverage all of those different connectivity methodologies to connect users to applications.
  • SD-WANs also introduce centralized management and orchestration, reducing much of the burden associated with managing and provisioning a WAN. That centralized orchestration allows network managers to define policies that can leverage the full power of the connectivity services used. Take for example link-load balancing. Here the SD-WAN policy can be defined to combine multiple internet connections in active/active to act as a larger transport pipe, increasing throughput.
  • The ability to load balance traffic across multiple pipes brings additional advantages, such as automatically incorporating redundancy into the WAN topology and supporting the concept of automatic failover. Simply put, if any one link fails, traffic will be routed over another link to maintain connectivity.

How Does an SD-WAN Work?

SD-WANs are formed by establishing encrypted tunnels (the “overlay”) between sites. Every site is equipped with an SD-WAN device. Once connected to the local networks, those devices automatically download custom-defined configuration and traffic policies and establish tunnels with one another or a point of presence (PoP), depending on the architecture.

Routing and traffic control is managed by the SD-WAN. Outbound traffic is routed along the optimum path based on application policies and real-time traffic conditions. Should one last mile connection fail, the SD-WAN device automatically fails over to the alternative connection, using pre-configured policies to manage the traffic load.

As such, policy-based management is a key component of an SD-WAN. Policy determines dynamic path selection and steers traffic based on the priority, such as a quality of service (QoS) level, assigned to it. Numerous policies can be created to meet specific business needs, such as granting packet transmission priority to VoIP and other interactive services to improve performance.
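To make the path-selection and failover behaviour described above concrete, here is an added Python example (not ICG's, Cato's or any vendor's code) that steers constructed flows across two constructed last-mile links using per-application thresholds, spreads eligible traffic active/active, and re-steers everything when a link goes down.

```python
"""Policy-based path selection and failover across two last-mile links.

Added example, not code from ICG, Cato or any SD-WAN vendor. The link
metrics, applications, policy thresholds and flow sizes are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class LinkStats:
    """Real-time health of one last-mile link, as probed by the SD-WAN device."""
    name: str
    up: bool
    latency_ms: float
    loss_pct: float
    jitter_ms: float
    capacity_mbps: float
    load_mbps: float = 0.0  # traffic already placed on the link


@dataclass
class AppPolicy:
    """Per-application SLA thresholds; a lower priority number is placed first."""
    app: str
    priority: int
    max_latency_ms: float
    max_loss_pct: float
    max_jitter_ms: float


@dataclass
class Flow:
    flow_id: str
    app: str
    mbps: float


def meets_policy(link: LinkStats, pol: AppPolicy) -> bool:
    """A link is eligible only if it is up and within every threshold of the policy."""
    return (link.up
            and link.latency_ms <= pol.max_latency_ms
            and link.loss_pct <= pol.max_loss_pct
            and link.jitter_ms <= pol.max_jitter_ms)


def select_link(pol: AppPolicy, links: List[LinkStats]) -> Optional[LinkStats]:
    """Dynamic path selection for one flow.

    1. Keep links that satisfy the application's thresholds.
    2. Among those, pick the least-utilised link (active/active spreading).
    3. If none qualify, degrade gracefully: use the healthiest link that is up
       (lowest loss, then lowest latency) rather than black-holing the flow.
    """
    good = [l for l in links if meets_policy(l, pol)]
    if good:
        return min(good, key=lambda l: l.load_mbps / l.capacity_mbps)
    alive = [l for l in links if l.up]
    if not alive:
        return None
    return min(alive, key=lambda l: (l.loss_pct, l.latency_ms))


def place_flows(flows: List[Flow], policies: Dict[str, AppPolicy],
                links: List[LinkStats]) -> Dict[str, Optional[str]]:
    """Assign every flow to a link, highest-priority applications first.

    Link load is reset and re-accumulated, so calling this again after a
    link's `up` flag changes re-steers traffic: that re-run is the failover.
    """
    for l in links:
        l.load_mbps = 0.0
    order = sorted(flows, key=lambda f: policies[f.app].priority)  # stable sort
    placement: Dict[str, Optional[str]] = {}
    for f in order:
        link = select_link(policies[f.app], links)
        if link is not None:
            link.load_mbps += f.mbps
        placement[f.flow_id] = link.name if link else None
    return placement


# Constructed sample data: a clean fibre line and a lossy DSL line.
LINKS = [
    LinkStats("fiber", True, latency_ms=20, loss_pct=0.1, jitter_ms=2, capacity_mbps=100),
    LinkStats("dsl", True, latency_ms=45, loss_pct=1.5, jitter_ms=8, capacity_mbps=40),
]
POLICIES = {
    "voip":   AppPolicy("voip",   1, max_latency_ms=150, max_loss_pct=1.0, max_jitter_ms=30),
    "web":    AppPolicy("web",    2, max_latency_ms=200, max_loss_pct=3.0, max_jitter_ms=50),
    "backup": AppPolicy("backup", 5, max_latency_ms=500, max_loss_pct=5.0, max_jitter_ms=100),
}
FLOWS = [Flow("voip-1", "voip", 1.0), Flow("backup-1", "backup", 30.0),
         Flow("backup-2", "backup", 30.0), Flow("web-1", "web", 5.0)]


def steady_state() -> Dict[str, Optional[str]]:
    """Both links healthy: VoIP is pinned to the only link within its loss
    budget, bulk flows are spread across both links (active/active)."""
    for l in LINKS:
        l.up = True
    return place_flows(FLOWS, POLICIES, LINKS)


def after_fiber_failure() -> Dict[str, Optional[str]]:
    """Fibre goes dark: every flow is re-steered to DSL. VoIP lands there via
    the best-effort fallback because DSL exceeds its loss budget."""
    for l in LINKS:
        l.up = (l.name != "fiber")
    return place_flows(FLOWS, POLICIES, LINKS)


if __name__ == "__main__":
    print("steady state:", steady_state())
    print("fiber down  :", after_fiber_failure())
```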

Are There Any Shortcomings to SD-WAN?

While SD-WAN technology brings many benefits, there are still some concerns around the technology:

  • SD-WAN is poorly suited for today’s cloud- or mobile-centric enterprises. SD-WAN requires a device to be installed on each side of a connection, but installing an SD-WAN device in or near a cloud provider’s datacenter isn’t trivial. And no SD-WAN connects mobile users. All of which means that many of your applications, data, and users will be poorly serviced or outright ignored by your SD-WAN. That’s a mistake.
  • What’s more, SD-WANs lack integrated branch security. This presents an enormous challenge as branch offices all but require direct, secure Internet access. Enterprises are forced to integrate and maintain third-party firewalls, IPSs, and SWGs, significantly complicating and increasing the costs of SD-WAN deployments.
  • Finally, most SD-WAN solutions rely on the public Internet, exposing enterprise traffic to the irregularities and unpredictability of Internet routing. This becomes particularly important on global routes, where the combination of long delays and poor routing dramatically reduces throughput. Nor does SD-WAN alone have the WAN optimization technologies that enterprises traditionally used to overcome the effects of high latency and packet loss on global connection throughput.

Cloud-native Platform: A Better Way to Deliver SD-WAN

Enterprises can address those shortcomings by selecting the right SD-WAN architecture. The new secure access service edge (SASE) platform converges the functions of network and security point solutions into a unified, global cloud-native service.

Cato Cloud is the first such platform. Our cloud-native architecture converges SD-WAN, a global private backbone, and a complete network security stack. Next-generation firewall-as-a-Service (FWaaS), secure web gateway with URL filtering (SWG), standard and next-generation anti-malware (NGAV), and a managed IPS-as-a-Service (IPS) all run in the 50+ PoPs comprising our global, private backbone. And that means companies can replace the headaches of managing branch security. “We hadn’t even subscribed to Cato’s security services, but we were alerted to potential malware on our users’ machines,” says Paul Burns, IT Director at Humphreys. “That’s something that none of our other network providers can offer.”

What’s more, since Cato has its own private backbone, we avoid the unpredictability of the Internet, and with our built-in optimization techniques we overcome packet loss and the effects of latency. Finally, moving the “heavy lifting” to the cloud has another benefit: we’re able to connect not only sites but also mobile users and cloud resources into Cato Cloud.

For more information on how SD-WAN technology can benefit an enterprise, get our free SASE for Dummies e-book or book a Discovery Session today.

How to connect multiple branch offices?

One complaint I often hear is how the WAN can be a bottleneck to productivity. MPLS circuits can take weeks, even months, to provision depending on location. All too often, IT directors have told me they need to explain why MPLS circuit delivery is a holdup for a branch office going live. At a time when agility is more important than ever to business outcomes, this is an unenviable situation to say the least.

This then begs the question: how do you connect multiple offices rapidly and affordably without sacrificing performance? Cloud-native SD-WAN provides a way to do just that.

Challenges when connecting multiple offices

There are a few common requirements when it comes to connecting multiple offices to the WAN. The connection must be secure, reliable, affordable, and capable of delivering the performance enterprises demand. The competitive nature of modern business also dictates that any solution is agile and scalable enough to meet the needs of an increasingly mobile workforce and allow for rapid onboarding of new sites.

VPN has proven to be a popular solution for site-to-site connectivity. However, as demonstrated in this case study of a software security company expanding to Europe, VPN has a number of downsides that limit its practical applications.

VPN requires onsite IT staff to manage local firewalls, not always practical in the era of WeWork and mobile employees. Complexity also grows with the size of the network, limiting scalability. Mobile VPN clients are either non-existent or too clunky to enable optimized connection for mobile workers. Further, the time it takes to get a physical appliance to a branch office in a foreign country can make VPN impractical for time-sensitive projects. In other cases, teams are so small or mobile that a physical appliance is simply overkill. However, what often makes VPN unusable for the enterprise is the notorious unreliability of the public Internet.

The desire for reliability is why many enterprises have looked to MPLS to connect multiple offices in the past. The problem is that MPLS simply isn’t agile or fast enough for deployments that require rapid onboarding.

In the aforementioned case study, it would’ve taken about 6 weeks to deliver an MPLS circuit, an obvious deal-breaker for a 5-week project. Further, MPLS bandwidth is significantly more expensive than Internet bandwidth, making connecting multiple offices with MPLS expensive. This also makes providing connectivity to small offices impractical. Finally, like VPN, MPLS struggles to provide optimized performance for cloud and mobile users (e.g. the trombone effect).

How to connect multiple offices with ICG

ICG’s cloud-native SD-WAN is able to solve all these problems elegantly. With ICG, the complexity of VPN and lengthy MPLS provisioning times are a thing of the past. Just how much of an improvement is ICG? Check out this video that demonstrates how to connect and provision an ICG device in 3 minutes. From there, the “how to connect multiple offices” process is simply rinse-and-repeat.

Not only is this process faster and more scalable than the alternatives, the resulting WAN connectivity performs better and is more secure. Our global private backbone is backed by a 99.999% uptime SLA, includes an integrated security stack, provides end-to-end route optimization for cloud traffic, and delivers WAN connectivity that meets (and often exceeds) MPLS reliability at significantly lower costs.

But what about those sites where an appliance of any kind is impractical? This ADB SAFEGATE case study provides a real-world example of how the SD-WAN mobile client handled the challenge of deploying all 26 company sites within two months. According to Lars Norling, director of IT operations at ADB SAFEGATE, “the possibility to include everyone within the solution, including all of our traveling colleagues and all of our small offices using the SD-WAN mobile client, has been extremely important to us”.

By creating a software-defined perimeter (SDP), ICG makes it easy to securely connect even a single mobile user via clientless browser access. As SDP is built into the ICG SD-WAN, mobile users are protected by the same policies and packet inspections as on-prem employees and benefit from the same WAN optimization features.

ICG eliminates WAN bottlenecks and makes connecting multiple offices simple

As we have seen, ICG makes connecting multiple offices simple, fast, and affordable. This enables enterprise WANs to keep up with the speed of modern business, and no longer act as a bottleneck or impediment to progress. If you’d like a demo of the nuts and bolts of the “how to connect multiple offices” process, you’re welcome to connect with us for a Discovery Session.

Last mile constraints for SD-WAN
Last mile refers to the short geographical distance that must be spanned to provide services to end-user customers. In communications, the last-mile is the relatively expensive and complex delivery of cables or wiring from the provider's trunk to one's home [or office].
- Investopedia

As more businesses require 24/7 uptime of their networks, they can’t afford to “put all their eggs in one basket.” Even MPLS, with its vaunted “5 9s” SLA, has struggled with last-mile availability. SD-WAN offers a way forward that significantly improves last-mile uptime without appreciably increasing costs.

Early Attempts To Solve The Problem

Initial efforts to solve the problems and limitations of the last mile had limited success. To improve overall site availability, network managers would pair an MPLS connection with a backup Internet connection, effectively wasting the capacity of the Internet backup. A failover also meant all the current sessions would be lost and typically the failover process and timeframe was less than ideal.

Another early attempt was link-bonding which aggregates multiple last-mile transport services. This improved last mile bandwidth and redundancy but didn’t create any benefits for the middle mile bandwidth. Functioning at the link layer, link-bonding is not itself software-defined networking, but the concept of combining multiple transports paved the way for SD-WAN that has proven itself to be a solution for today’s digital transformation.

How The Problem is Solved Today

Building off the concept from link-bonding to combine multiple transports and transport types, SD-WAN improves on the concept by moving the functionality up the stack. SD-WAN aggregates last-mile services, representing them as a single pipe to the application. The SD-WAN is responsible for compensating for differences in line quality, prioritizing access to the services and addressing other issues when aggregating different types of lines.

With ICG SD-WAN, we optimize the last mile using several techniques such as policy-based routing, hybrid WAN support, active/active links, packet loss mitigation, and QoS (upstream and downstream). ICG is able to optimize traffic not only on the last mile but also on the middle mile, which provides end-to-end optimization to maximize throughput on the entire path. The need for high availability, high bandwidth, and performance is met by enabling customers to prioritize traffic by application type and link quality, and dynamically assign the most appropriate link to an application.

The ICG Socket is a zero-touch SD-WAN device deployed at physical locations. ICG Socket uses multiple Internet links in an active/active configuration to maximize capacity, supports a 4G/LTE link for failover, and applies the respective traffic optimizations and packet-loss elimination algorithms.

Willem-Jan Herckenrath, Manager ICT for Alewijnse, describes how SD-WAN addressed his company’s network requirements with a single platform: “We successfully replaced our MPLS last-mile links with Internet links while maintaining the quality of our high definition video conferencing system and our Citrix platform for 2D and 3D CAD across the company.”

SD-WAN Leads The Way

The features and capabilities of ICG Cloud Connect SD-WAN empower organizations to break free from the last-mile constraints of MPLS and Internet-based connectivity and open up possibilities for improved availability, agility, security, and visibility. Bandwidth-hungry applications and migrations to the Cloud have created a WAN transformation revolution with SD-WAN leading the way.

SD-WAN vs. MPLS redundancy

According to a recent Uptime Institute report, network failures trail only power outages as a cause of downtime. The data also suggests that full “2N” redundancy is an excellent way to mitigate the risk of downtime. This got me thinking about a recurring conversation about SD-WAN redundancy I have with IT managers. In one form or another, the question comes up: “How can SD-WAN deliver the same reliability and redundancy as MPLS when it uses the public Internet?” My response? SD-WAN + public Internet alone can’t. You have to have a private backbone.

ICG’s cloud-native approach to SD-WAN not only matches MPLS reliability across the middle-mile, it offers better redundancy in the last-mile. Why? MPLS provides limited active-passive redundancy in the last-mile, whereas ICG delivers active-active redundancy and intelligent last-mile management (ILLM).

Here, we’ll compare MPLS redundancy to SD-WAN redundancy and explain why active-active redundancy and ILLM are so important.

MPLS redundancy: a reliable middle-mile with limited last-mile options

MPLS has a well-deserved reputation for reliability in the middle-mile. MPLS providers have a robust infrastructure capable of delivering the reliability enterprises demand from their WAN. In fact, reliability is often used as justification for the high price of MPLS bandwidth.

However, practically, the cost of MPLS circuits makes delivering the same level of reliability in the last-mile challenging. For many enterprises, the cost of MPLS connectivity simply puts redundant circuits out of reach. And without redundant circuits, sites are susceptible to last-mile outages. Tales of construction crews cutting through wires and causing downtime are well-known.

Even with redundant circuits, sites remain susceptible to carrier outages, as evidenced by last year’s CenturyLink outage. The disruption was caused by a single faulty network card. Protection against those types of failures and failures in the last mile all but requires dual-homing connections across diversely routed paths to separate providers.

ICG SD-WAN redundancy: a robust global backbone and intelligent last mile management

ICG meets enterprise-grade uptime requirements without MPLS’s high costs. Across the middle mile, our global private backbone comes with a 99.999% uptime SLA. Every ICG PoP is interconnected by multiple tier-1 carrier networks. ICG's proprietary software stack monitors the real-time performance of every carrier, selecting the optimum path for every packet. In this way, the ICG backbone can deliver better uptime than any one of the underlying carrier networks.

Across the last mile, ICG Sockets automatically connect to the nearest PoPs. The Sockets are designed with Affordable HA for local, inexpensive redundancy and connect across any last-mile service provider. This allows enterprises to layer in inexpensive Internet connections for resiliency affordable enough for even small locations. Rather than being tied down to select providers or technologies, enterprises can choose the carriers and transport methods (5G, xDSL, etc.) that provide them the best mix of cost, resilience, and redundancy.

ICG intelligent last mile management features also enable rapid detection of network brownouts and blackouts, ensuring rapid responses and failover. Further, as ICG controls the entire global network of PoPs and the customer has self-service management capabilities, troubleshooting and responding to issues with agility is never a problem.

Active-passive redundancy vs active-active redundancy in the last-mile

What truly sets ICG's SD-WAN redundancy apart from traditional MPLS redundancy is ICG's ability to provide built-in active-active redundancy.

MPLS doesn’t provide active-active redundancy per se. At best, you’d configure dual paths and add a load-balancer to distribute traffic loads. In practice, MPLS last-mile redundancy has been active-passive, with failover between circuits based on route or DNS convergence. This means failover takes too long to sustain active sessions for many services like VoIP, teleconferencing, and video streaming. The result? Some level of downtime.

With ICG's SD-WAN, active-passive redundancy is an option, but active-active redundancy is also possible. This is because our cloud-native SD-WAN software enables load-balancing for active-active link usage. As a result, last-mile “failover” is seamless. Since both transport methods are in use, packets can immediately be routed over one or the other in the event of a failure. The end result is reduced downtime and optimized application performance.

Further, ICG's approach to active-active redundancy is also able to account for IP address changes. When a site’s public IP address changes on failover to another ISP, select applications and policies can stop functioning. ICG's Network Address Translation functionality obtains IP addresses from an ICG PoP as opposed to an ISP. This means that failing over between ISPs in the last-mile won’t compromise network functionality.

ICG enables true SD-WAN redundancy in the last-mile

The Uptime Institute’s data demonstrated the importance of “2N” redundancy to uptime, and ICG's active-active redundancy brings 2N to the WAN. By coupling active-active redundancy in the last-mile with an SLA-backed private backbone, ICG is able to deliver the uptime enterprises demand.

If you’d like to learn more about how ICG's approach to SD-WAN can improve throughput by five times and optimize WAN connectivity for brick-and-mortar locations, the cloud, and mobile users, book a Discovery Session. If you have specific questions about ICG cloud-native SD-WAN, don’t hesitate to contact us today.

SD-WAN vs. MPLS vs. broadband public internet

For better or worse, businesses are becoming more globalized by the day. Business-critical traffic is increasingly routed between offices across borders, incurring packet loss and latency that are completely unacceptable. Network architectures that served us well for years no longer fit global business in 2017.

To meet the needs of a global enterprise, our network architectures need to evolve as well. Which architectural approach will best serve your needs — MPLS, public internet or cloud networks? Our answer is, well, it depends.

Business Needs vs Regulation

Compliance and regulatory issues, as well as business needs, take center stage when making a decision. Regulation can limit your options, but at the same time your network is a strategic business asset, critical for optimizing the overall business performance.

With the rise of SaaS, the cloud, and continuous migration of business-critical applications to mobile and globalized business environment, secure and reasonably priced connections become vital for maintaining international business operations. For a global company operating in distinct markets, a stable and optimized network becomes a mission-critical asset.

The Pros and Cons of Public Internet

Ordinary broadband Internet is inexpensive and widely available. The low-cost, easily adopted public Internet is an attractive option for reducing bandwidth costs, at least when compared to MPLS. On the downside, volatile latency, congestion, and the lack of end-to-end management can disrupt business-critical applications.

Pros of Public Internet

– Costs
– Quick setup

Cons of Public Internet

– Unstable Performance
– Low Levels of Latency

The Pros and Cons of MPLS

The major reason for using expensive MPLS services is dependability. Service level agreements (SLAs) guarantee latency, packet delivery, and availability.  Should there be an outage, the MPLS provider resolves the issue within a stated period of time or pays the requisite penalties.

But there’s a cost for that kind of service. Despite price erosion, MPLS services remain significantly more expensive than Internet services. According to Telegeography, in Q4 2016 median 10 Mbps DIA prices averaged 29 percent less than port prices for MPLS IP VPNs.

Every company must assess the importance of guaranteed network performance and quality to a given application and location. When critical, there is a strong case for MPLS.

However, backhauling Internet traffic through MPLS lines can result in degraded cloud performance for remote branches due to the “trombone effect” — when Internet traffic is pulled back to a centralized Internet access point only to be sent back across the Internet to a destination near the sending user. When a portal is out-of-path or far away from the destination, latency increases and cloud performance is significantly degraded.

Pros of MPLS networks

– Low Latency
– Low Packet Loss
– Guaranteed Availability and Performance

Cons of MPLS networks

– Expensive
– Long Setup Times: Weeks or Even Months
– Degraded Cloud Performance

SD-WAN: Getting the Best of Both Worlds

Until recently, the only way to get predictable performance and reliable connectivity between distant corporate locations was by using expensive MPLS connections, even though inexpensive Internet services are widely available.

SD-WAN is redefining the WAN by creating a network that dynamically selects the most efficient transport service from an array of public Internet connections and MPLS links. It has two main benefits: cost efficiency and agility.

The SD-WAN aggregates several WAN connections into one software-defined network (SDN), using policies, application-aware routing, and dynamic link assessment, to select the optimum connection per application. Ultimately, the goal is to deliver just the right performance and uptime characteristics by taking advantage of the inexpensive public Internet.

Cloud-based SD-WAN: A Step Forward

Cloud-based SD-WAN offers advanced features, such as enhanced security, seamless cloud and support for mobile users, that result naturally from the use of cloud infrastructure. And by running over an SLA-based backbone, cloud-based SD-WAN delivers far more predictable latency and packet loss than the public Internet.

As a result, cloud-based SD-WAN can replace MPLS, enabling organizations to release resources once tied to WAN investments and create new capabilities. A typical use case for a new cloud-based SD-WAN deployment is a global enterprise with business processes tightly integrated into the cloud.

Conclusion

Every company is different, and there is no silver bullet when it comes to enterprise networking. However, for global enterprises looking for efficiency and flexibility, cloud-based SD-WAN solves many issues presented by traditional approaches to enterprise networking. To learn more about SD-WAN, book a Discovery Session today.

SD-WAN vs. MPLS: Choose the best WAN solution for you

MPLS Pros and Cons

If you are an MPLS customer, you are familiar with the benefits and challenges of the technology. MPLS is a premium networking service with guarantees around dedicated capacity, maximum latency and packet loss, and link availability. However, the service that comes with these guarantees is very costly, forcing enterprises to deploy just enough MPLS capacity in order to reduce their monthly spend. Furthermore, to ensure service levels, MPLS services must be deployed to the customer premises, which creates substantial lag time until a new office can be up and running on the service. To meet service levels, carriers prefer to keep their MPLS networks very stable, so changes and adjustments also tend to be slow.

The MPLS architecture and its guarantees are now under pressure. As business applications migrate to the cloud, demand for Internet capacity increases. In the past, companies backhauled Internet traffic across their MPLS backbone to a secured Internet portal. The cost of that backhaul, from both a capacity and a latency standpoint, was manageable when Internet usage was minimal. This is no longer the case. In addition, MPLS service guarantees were offered between enterprise locations, not between the enterprise and the Internet, where the customer’s carrier ultimately lost control of the traffic to other carriers.

SD-WAN Edge Appliances: Not Quite the Answer

This is where SD-WAN comes into play. SD-WAN creates a superset of MPLS by incorporating the MPLS service into a virtual overlay that includes additional services, such as cable, xDSL and 4G/LTE. These services offer a different set of attributes than MPLS: more capacity for less cost and faster deployment, but often less predictability. By routing traffic across the overlay based on application requirements and underlying service quality, SD-WAN can bypass some of the challenges of MPLS. Routing becomes more flexible and backhauling of Internet traffic can be reduced. Services can be aggregated to maximize capacity. Branches can be deployed more quickly, initially on Internet services and with MPLS brought into the overlay as needed.

SD-WAN has several key challenges when compared with traditional MPLS architectures. Customers need to secure Internet traffic at the branch location or in the cloud to benefit from backhaul elimination. SD-WAN using edge technology alone cannot replace MPLS, unless the customer is willing to relinquish the end-to-end latency and packet loss guarantees that come with MPLS. Cloud resources and mobile users are unaffected by the SD-WAN edge capabilities, which are designed for physical locations.

Some of these issues may not be critical in all cases. For example, regional customers that have stable and high-quality Internet connectivity may not see packet loss or latency as inhibitors to moving off MPLS. Another example is a move to cloud-based apps that makes MPLS less critical for ensuring application service levels. In both cases, SD-WAN can help support the transition from a hybrid WAN (MPLS+Internet) to an Internet-only WAN.

Cloud-Based SD-WAN: A New Approach

ICG has expanded the scope of SD-WAN into a cloud-based, global SD-WAN service that includes an SLA-backed backbone, built-in security, and extension of the overlay to cloud resources and mobile users. This architecture enables enterprises to augment and ultimately replace their MPLS architectures, address new security requirements, and support their needs outside branch locations.

Ultimately, customers need to make a decision. Continue with the current MPLS architecture or deploy one of the flavors of SD-WAN we discussed above to augment or eliminate MPLS. In the table below we summarize the considerations to make this decision. We will compare MPLS, Edge SD-WAN (using edge routers and central management), and Cloud-based SD-WAN (using a private backbone with built-in Next Generation Firewall).

Comparison Table: SD-WAN vs MPLS

To learn more about SD-WAN vs. MPLS, and the way ICG SD-WAN can transform, streamline and simplify your network and security, book a discovery session with one of our experts.


SD-WAN vs. VPN comparison

One thing I learned from BioIVT’s transition from Internet-based VPN (Virtual Private Network) to cloud-based SD-WAN is that selecting the right networking solution for the use case can have tremendous business impact. In their case, time spent provisioning new locations was reduced by months.

Internet-based VPN, which is the use of IPsec tunnels (or similar encryption methods) and physical or virtual VPN appliances to securely connect multiple sites on a WAN over the public Internet, has been a staple on corporate WANs for years. By providing enterprises a means to reduce bandwidth costs, albeit, with some reliability and performance tradeoffs, Internet-based VPN has served as an alternative to MPLS (Multiprotocol Label Switching) for select WAN connectivity use cases.

While Internet-based VPN vs MPLS was the debate for some time, WAN technology has evolved in recent years. During that time, SD-WAN has emerged as an enterprise WAN connectivity solution that provides a combination of cost efficiency, agility, and cloud-friendliness that neither MPLS nor Internet-based VPN can match. Cloud-based SD-WAN, in particular, has proven to be a game-changer by adding reliability and baked-in security features to the mix.

With all the moving parts involved in making a decision, how can you determine if Internet-based VPN or SD-WAN makes sense for your organization’s use case? We’ll answer that question here.

SD-WAN vs VPN: Benefits and Limitations

When comparing WAN connectivity solutions, cost, performance, reliability, and configuration & maintenance are important to consider. Let’s see how the SD-WAN vs VPN debate stacks up in those categories.

SD-WAN vs VPN: Cost

Both Internet-based VPN and SD-WAN enable enterprises to leverage affordable public-Internet bandwidth. In small deployments, VPN can be an inexpensive solution for a few sites and a simple WAN topology. For example, a simple site-to-site connection can be achieved using commodity servers and open source software like Openswan. However, as we saw with BioIVT, the complexity and bottlenecks created by scaling VPN-based networks can outweigh upfront cost savings by a wide margin.

SD-WAN vs VPN: Performance

Internet-based VPN is inherently tied to the public Internet from a performance perspective. Beyond spikes in congestion impacting performance, traversing long geographical distances generally comes with significant latency on VPN-based WANs.

Further, VPN lacks performance optimization features like dynamic path selection, QoS (Quality of Service), and application-aware routing that help ensure applications like VoIP and telepresence deliver the required levels of performance. SD-WAN delivers these features, and with cloud-based SD-WAN, latency over significant geographical distances becomes a non-issue. Cato’s SLA-backed global private backbone consists of over 45 PoPs (Points of Presence) around the world. As traffic is routed to the nearest PoP and over Cato’s high-speed backbone, the performance issues associated with the public Internet in the middle-mile are averted.

SD-WAN vs VPN: Reliability

Before the dust settled on the SD-WAN vs MPLS debate, a common argument against both appliance-based SD-WAN and VPN was the lack of an SLA with the public Internet. Enterprises demand predictable, reliable performance. VPN is still reliant upon the public-Internet, but Cato’s SLA-backed global backbone is connected by multiple Tier-1 providers across the globe. This enables the Cato Cloud to deliver predictable service and reliability at levels that meet or exceed MPLS.

SD-WAN vs VPN: Configuration & Maintenance

VPN configuration often entails extensive manual work. IPsec tunneling, IKE (Internet Key Exchange), and NAT-T (Network Address Translation Traversal) require a high level of expertise to configure securely and scale. As more and more sites are added to a WAN, maintaining the network becomes increasingly difficult. This, in turn, leads to performance issues and a disjointed WAN infrastructure.

Paysafe Financial Services experienced the issues associated with scaling VPN first-hand. After multiple mergers and acquisitions, Paysafe was left with a backbone made up of MPLS circuits and Internet-based VPN connections. To create a truly meshed network using Internet-based VPN, Paysafe would have required 210 VPN tunnels, a massive investment of time and resources. According to Stuart Gall, then Infrastructure Architect at Paysafe, VPN in particular was a pain point on their WAN. In regards to their VPN connectivity, Gall said, “Invariably we’d have someone at a site needing connectivity to a different location, forcing a reprovisioning process. That could take weeks of work with approvals and all.”

The solution Paysafe found for their challenges? Cato Cloud. With Cato, Paysafe was able to benefit from automatic, scalable, policy-based configurations and the scalability of a cloud-based service model. As a result, Paysafe was able to streamline WAN configurations and provisioning time and reduce latency by 45% when compared to VPN. Just how much faster was configuration with Cato? According to Gall, “Instead of spending weeks bringing up a new site on MPLS or even a VPN, Cato Socket deployment takes no more than 30 minutes — including unboxing.”

Additionally, while Paysafe adopted discrete security solutions before switching to Cato, the enterprise-grade security features built into the Cato network helped to ensure secure scalability without the need to configure additional security appliances like NGFWs (next-generation firewalls).

Decision Time

So, with all that in mind, how do you make a decision on SD-WAN vs VPN? If you’re a small enterprise that only needs to connect a handful of sites, an Internet-based VPN can make sense. However, for use cases where scalability, performance, reliability, and operational agility matter, cloud-based SD-WAN wins the day. Not only does this hold true when comparing features on paper, but Cato customers like Paysafe and BioIVT also prove it in the real world.

If you’d like to learn more about what SD-WAN can do for your enterprise, book a Discovery Session today.

WAN Optimization vs. SD-WAN

In the process of adopting SD-WAN, customers often experience a substantial boost to overall usable capacity which relaxes the need for aggressive WAN optimization techniques. Although the benefits of SD-WAN are many, it does not completely cover all of the benefits provided by WAN optimization.

The Pros and Cons of WAN Optimization

The rise of WAN optimization began around 2004 and addressed three primary networking issues determining the end user experience when accessing data from across the WAN: bandwidth, latency, and packet loss.

Bandwidth limitations are addressed by minimizing the amount of data passed across the network. Typically this is done through compression and deduplication algorithms. To ensure applications don’t "hog" the capacity of a connection, WAN optimization appliances will also prioritize application traffic. This way, applications that need immediate access to the wire, such as voice calls, are guaranteed access even during heavy usage.

As the distance between end-users and their data grows, bandwidth gives way to latency and packet loss as the primary determinants of session capacity. Network delay, or latency, defines how long packets take to travel from one designated point to another. Latency is often measured to the destination and back, in what’s called the “round trip time” (RTT). Caching techniques and protocol-specific optimizations minimize latency by reducing the number of application-layer exchanges that are necessary across the network.

Packet loss occurs when network congestion or problems in the physical infrastructure cause packets to be lost during transmission. It’s expressed as a percentage of packets. As a rule of thumb, Internet connections frequently experience 1 percent packet loss. Packet loss is addressed by some WAN optimization appliances using forward error correction (FEC), which allows receiving stations to automatically regenerate lost packets without requiring retransmission.

(For a deeper explanation of the impact latency and loss have on capacity, and the benefits of ICG's optimization download our ebook "MPLS vs Internet vs SD-WAN Cloud Network".)

Packet retransmission is a major source of latency for TCP sessions. TCP was designed to adapt to the underlying network conditions. At a high level, TCP sends a group of packets (a “window”) before waiting for an acknowledgment of receipt from the destination. TCP gradually increases its window size up to a maximum. Packet loss causes the window size to be reduced, and the ramp-up starts all over again. As a result, packet loss or significant delays in receiving acknowledgments will impair TCP performance.
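The window behaviour just described, together with the FEC workaround from the preceding paragraphs, as an added example that is not part of the original article: a toy simulation of a TCP sender whose window grows on clean round trips and halves on loss, driven by a constructed loss pattern, with an optional single-loss FEC repair. The window cap, loss rates and 1460-byte segments are assumptions for illustration, not measurements.

```python
import random


def simulate_tcp_goodput(loss_rate, max_window=64, rounds=500,
                         fec_single_loss=False, seed=1):
    """Average packets delivered per round trip (goodput in packets/RTT).

    Deliberately simplified model, following the description in the text:
      * each round trip the sender transmits `window` packets;
      * if every packet is acknowledged the window grows by one,
        up to `max_window`;
      * any loss halves the window and the ramp-up starts over;
      * with `fec_single_loss`, one lost packet per window is regenerated
        by forward error correction, so it counts as delivered and causes
        no window reduction (a stand-in for the FEC some WAN optimization
        appliances provide).
    `loss_rate` is the per-packet loss probability; `seed` makes the
    constructed loss pattern reproducible.
    """
    rng = random.Random(seed)
    window = 1
    delivered = 0
    for _ in range(rounds):
        lost = sum(1 for _ in range(window) if rng.random() < loss_rate)
        if fec_single_loss and lost == 1:
            lost = 0  # FEC repaired the packet; no retransmission needed
        delivered += window - lost
        if lost:
            window = max(1, window // 2)
        elif window < max_window:
            window += 1
    return delivered / rounds


def goodput_mbps(packets_per_rtt, rtt_seconds, mss_bytes=1460):
    """Convert packets per round trip into megabits per second.

    Shows why latency caps session capacity: the same window delivers ten
    times less throughput at 100 ms RTT than at 10 ms RTT.
    """
    return packets_per_rtt * mss_bytes * 8 / rtt_seconds / 1e6


if __name__ == "__main__":
    for loss in (0.0, 0.001, 0.01, 0.05):
        plain = simulate_tcp_goodput(loss)
        fec = simulate_tcp_goodput(loss, fec_single_loss=True)
        print(f"loss {loss:5.1%}: {plain:6.2f} pkts/RTT "
              f"({goodput_mbps(plain, 0.1):5.2f} Mbps at 100 ms RTT), "
              f"with FEC {fec:6.2f} pkts/RTT")
```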

SD-WAN and the “3 Cs”

Fast forward to the present to SD-WAN. Whereas WAN optimization improves the performance of an individual connection, SD-WAN improves the overall network. More specifically, SD-WAN addresses issues impairing MPLS networks:

  • Cost: SD-WAN uses lower cost Internet circuits instead of expensive MPLS circuits allowing organizations much more flexibility in how they design their networks.
  • Capacity and Performance: With the Internet, SD-WAN provides far more capacity at locations. By load-balancing connections, businesses can also easily aggregate multiple low-cost Internet connections for even more capacity. SD-WAN routes traffic across the optimum connection based on application requirements and real-time loss and latency conditions.
  • Cloud access: MPLS is optimized for branch-to-datacenter traffic and not for branch-to-cloud. WAN optimization, a dual-sided technology, is limited in its ability to optimize cloud access where installing WAN optimization appliances is complex (for cloud datacenters) or technically not possible (for cloud applications).
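An added example of the application-aware path selection described in the list above (not code from ICG or from the original page): links are measured for latency, jitter and loss, each application carries thresholds, and a flow is steered to the best eligible link, falling back to best effort when no link qualifies. The link figures, thresholds and score weights are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class LinkStats:
    """Real-time measurements for one WAN transport (constructed sample)."""
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    available_mbps: float


@dataclass
class AppProfile:
    """What an application needs from a path. `prefer` picks the tie-break
    among eligible links: lowest quality score or highest spare capacity."""
    name: str
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float
    prefer: str = "latency"


def quality_score(link: LinkStats) -> float:
    """Lower is better. Weights are illustrative: jitter and loss hurt
    real-time traffic far more than raw latency does."""
    return link.latency_ms + 10 * link.jitter_ms + 100 * link.loss_pct


def eligible(link: LinkStats, app: AppProfile) -> bool:
    """True when the link meets every threshold the application set."""
    return (link.latency_ms <= app.max_latency_ms
            and link.jitter_ms <= app.max_jitter_ms
            and link.loss_pct <= app.max_loss_pct)


def select_path(links: List[LinkStats], app: AppProfile) -> Tuple[str, str]:
    """Return (link name, reason).

    Links meeting every threshold are candidates; among them the app's
    preference decides. If no link qualifies the flow is not dropped: it
    goes best-effort over the least-bad link, the situation that arises
    when every transport degrades at once.
    """
    candidates = [l for l in links if eligible(l, app)]
    if candidates:
        if app.prefer == "capacity":
            best = max(candidates, key=lambda l: l.available_mbps)
        else:
            best = min(candidates, key=quality_score)
        return best.name, "meets application thresholds"
    fallback = min(links, key=quality_score)
    return fallback.name, "best-effort: no link meets thresholds"


if __name__ == "__main__":
    links = [
        LinkStats("mpls", 40, 2, 0.1, 10),
        LinkStats("internet-a", 90, 15, 1.0, 100),
        LinkStats("internet-b", 60, 8, 0.3, 50),
    ]
    voip = AppProfile("voip", 150, 10, 0.5)
    backup = AppProfile("backup", 500, 100, 3.0, prefer="capacity")
    for app in (voip, backup):
        print(app.name, "->", select_path(links, app))
```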

SD-WAN on its own brings cost and performance benefits, but SD-WAN alone doesn’t solve all the inherent issues with WAN traffic. As Alec Pinkham notes, “SD-WAN has no ability to affect traffic once it leaves the endpoint location. Once the traffic is on the WAN, it will follow the rules of the WAN as defined by the providers. SD-WAN technology puts the packets on the currently best-performing WAN (or combination of WANs), but it does nothing to actually make those WANs work better.”

SD-WAN and WAN Optimization Working Together

To take advantage of the benefits of both SD-WAN and WAN optimization, organisations look for solutions such as ICG Cloud Connect SD-WAN service. This solution provides a global, SLA-backed backbone with built-in network security, delivered as a cloud service. ICG's multi-segment optimization optimizes WAN and cloud traffic in three segments: the last mile from the source location, the middle mile that connects all locations and the cloud, and the last mile to destination.

Read about SD-WAN vs. MPLS

ICG International Insights

ICG shares our latest analyst insights, and industry trends.

Smart Farming

Welcome to the world of Smart Farming, where technology meets agriculture. Smart Farming is a rapidly evolving field that combines emerging technologies such as the Internet of Things (IoT), Big Data, Robotics, Artificial Intelligence (AI), and other advanced technologies to improve agricultural productivity and efficiency.

Precision Farming is one of the primary objectives of Smart Farming, where data-driven decision making helps to optimize farming operations. By using data generated from various sources such as sensors, satellite imagery, and weather data, Precision Farming can help farmers make informed decisions about planting, harvesting, and managing their crops, leading to increased yields, reduced waste, and greater profitability.

Smart Farming is also essential in attracting young talent to the agriculture industry. By using robotics, sensors, and AI, hard labor on farms can be augmented or replaced, making the industry more attractive to the youth who have grown up with technology. This will increase productivity, reduce waste, and improve the overall quality of life for farmers.

Furthermore, Smart Farming provides complete situational awareness of the farm operations, from soil moisture to crop growth to livestock health, providing real-time insights and decision-making capabilities to farmers. This helps to optimize farming operations, reduce costs, and improve the overall efficiency of the agricultural supply chain.

The future of agribusiness lies in the hands of Smart Farming, with its ability to increase crop yields, reduce waste, attract young talent, and provide complete situational awareness of farm operations. As technology continues to advance, Smart Farming will continue to revolutionize the way we approach agriculture, making it more efficient, productive, and sustainable than ever before.

Smart Manufacturing

Smart manufacturing remains the key to enterprise survival in the face of the COVID-19 pandemic. Automated Guided Vehicles (AGV), robots, teleoperation and 3D printing have helped to optimise human capital, whilst enabling social distancing within manufacturing facilities. The global smart manufacturing market is expected to reach US$400 Billion in 2024, with 10.1% compounded annual growth from 2020-2024. Advancements in remote contact technologies are expected to make up the majority of this growth, adapting to higher levels of remote work.

Getting your organisation prepared for Smart Manufacturing requires a broad understanding of trends, processes, industry and technology, along with the underpinnings of a well thought out Enterprise Resource Planning system.

ICG is helping manufacturers to gear up for smart manufacturing. Learn how we can assist your organisation, with a complimentary discovery session.

Smart Logistics

The logistics industry is undergoing a radical transformation, driven by the introduction of smart technology and automation. Smart logistics, also known as digital logistics, is a new approach to managing and optimizing the supply chain. It uses advanced technologies such as artificial intelligence (AI), machine learning, robotics, the internet of things (IoT), and big data analytics to improve the efficiency and effectiveness of logistics operations.

Smart logistics promises to revolutionize the industry, making the supply chain more efficient, cost-effective and customer-oriented. With smart logistics, companies can better manage their inventory, reduce delivery times, and improve customer service.

Smart logistics solutions are designed to help companies streamline their operations and reduce costs. They automate the entire supply chain, from order placement to delivery, reducing the manual labour involved in managing the process. Smart logistics also helps companies track their inventory, optimise their routes and delivery times, and predict customer demand. This helps companies respond quickly to customer orders and deliver goods on time.

In addition, smart logistics solutions provide real-time visibility into the supply chain, allowing companies to monitor the entire process. From tracking orders to managing shipments, companies can gain insights into their operations.

Future of Work

The gig economy was growing linearly and will continue its upward trend as the economy recovers. Advances in artificial intelligence (AI) and robotics stand poised to upend what's left of the conventional workplace.

WeWork has driven the trend of organisations adopting communal workspaces and, again, this trend will only continue its linear advance as we resurface from the pandemic.

Expectations for face-to-face and team meetings have suddenly surged into online meeting platforms such as Zoom, Microsoft Teams and Google Meet, further driving the acceptance of remote working.

Collaboration, or how to collaborate remotely, is a major challenge emerging for organisations.

ICG is helping organisations meet the challenges of this transformation, through implementation of new business processes and systems to cater for everything from e-attendance, real-time collaboration and document sharing, to HRMS, and payroll.

Smart Cities

Insights gained from the collected data are used to manage assets, resources and services efficiently; in return, that data is used to improve operations across the city. This includes data collected from citizens, devices, buildings and assets that is then processed and analyzed to monitor and manage traffic and transportation systems, power plants, utilities, water supply networks, waste, crime detection, information systems, schools, libraries, hospitals, and other community services.

The smart city concept integrates information and communication technology (ICT) and various physical devices connected to the IoT network to optimize the efficiency of city operations and services and to connect with citizens. Smart city technology allows city officials to interact directly with both the community and city infrastructure and to monitor what is happening in the city and how the city is evolving. ICT is used to enhance the quality, performance and interactivity of urban services, to reduce costs and resource consumption and to increase contact between citizens and government. Smart city applications are developed to manage urban flows and allow for real-time responses. A smart city may therefore be more prepared to respond to challenges than one with a simple "transactional" relationship with its citizens. Yet the term itself remains unclear in its specifics and is therefore open to many interpretations.

Major technological, economic and environmental changes have generated increased interest in smart cities, including climate change, economic restructuring, coronavirus, the move to online retail and entertainment, ageing populations, urban population growth and pressures on public finances.¹

Smart Retail

Smart Retail allows retailers to deliver services through web-based applications, mobile applications, and augmented reality applications in-store. This not only allows customers to get the most out of their shopping experience, but also allows retailers to maximize their store space and inventory. RFID technology can be used to track products both coming in and going out of the store, while kiosks and self-checkout terminals make the checkout process much more efficient.¹

In addition to increased efficiency, Smart Retail also offers customers personalization. Retailers are now able to cater to individual customer preferences, providing more relevant product information that is tailored to their needs. By offering personalized product information to customers, retailers are able to create more meaningful relationships with their customers and increase customer loyalty.

Overall, Smart Retail is changing the way retailers do business and the way customers shop. From increased efficiency to personalized product information, Smart Retail is transforming and revolutionizing the retail industry.

Smart Engineering

Across the world, organizations are focusing on the right combination of advanced technologies to help them transform their core engineering operations, so that they can design and engineer new products more efficiently and maintain existing products more effectively.

With our Smart Engineering services, ICG helps clients to build competitiveness and differentiation through adoption of next generation technologies for core product engineering. ICG has built significant capabilities in the new digital enablers like Immersive Technologies, Artificial Intelligence, Big Data and more to help organizations transform their business and seize the growth opportunities in the new digital era.

We focus on transformation across the entire engineering value chain through integrated or point solutions.

Artificial Intelligence

In the computing era, it was all about creating data; the intelligence era is about creating information, or rather creating insights from data to make real-time decisions.

Organizations are looking to AI as a way to automate processes, deliver new insights into the customer journey, and identify opportunities for new products.

Artificial intelligence (AI)

According to Wikipedia, artificial intelligence (AI) is the capability of machines to imitate intelligent human behavior, and perform tasks that normally require humans.¹

Machine learning (ML)

Machine learning is a subset of AI that gives computers the ability to learn without being explicitly programmed. Computers use algorithms and statistical models to perform specific tasks, relying on patterns and inferences.²

Deep learning (DL)

Deep learning is a subset of ML that uses layers to progressively extract higher level features from the raw input. DL architectures have been applied to computer vision, natural language processing, image analysis, and more.³

ICG International Glossary

Learn industry terms and common customer challenges.

Active Directory (AD)

Active Directory (AD) is an enterprise identity service from Microsoft, which provides login authentication, single sign-on, multi-factor authentication, lightweight directory services (LDAP), certificate and rights management.

Active Directory is a component of Windows Server and is also available as a cloud service, Azure Active Directory, which is growing in popularity due to the trend toward remote work and the need to authenticate resources regardless of location.

Active Directory Domain Services (AD DS), often referred to as the Domain Controller, stores information on users, groups, applications and devices. AD DS verifies and controls rights to access resources, like a file share or printer, over the network.

Active Directory Federation Services (AD FS) authenticates user access across multiple applications, even on different networks.

Active Directory Rights Management (AD RMS) controls information rights and management, such as forwarding permissions and encryption in Outlook, file access and presentation mode rights in PowerPoint.

Advanced Threat Protection

Advanced threat protection delivered as a cloud service for adaptive and agile defense

Advanced Threat Protection is the collection of network security and related defenses deployed to address current and emerging threats. Often, it is not the advanced nature of the threat that is the real risk. IT organizations are facing the daunting task of maintaining complex infrastructure as the basis of providing Advanced Threat Protection to their users. Following simple best practices like network segmentation, keeping software up to date, monitoring and detecting unauthorized cloud usage (“Shadow IT”), and deploying multi-factor authentication – to name a few – represents a real hurdle for IT leaders facing significant skill shortages.

Advanced Threat Protection that delivers a powerful set of defenses, in the form of a self-maintaining cloud service, is essential to effective security. Customers should expect up-to-date, scalable and optimized infrastructure as the starting point for evaluating Advanced Threat Protection capabilities.

The ICG Solution: A cloud-based network with built-in Advanced Threat Protection

ICG is providing a range of advanced security services built into a global cloud network. The SD-WAN aggregates all enterprise traffic across data centers, branches, mobile users and cloud infrastructure into the cloud. It then applies multiple security engines to enforce a comprehensive security policy on both WAN and Internet-bound traffic, and all users, both fixed location and mobile.

The ICG Research Lab analyzes cloud network traffic patterns to look for anomalies and possible attacks on our infrastructure and on customers' networks, and adapts our defenses as needed.

Benefits

  • Built-in network segmentation
    The cloud network is segmented by default preventing access between network resources (locations, users) unless specifically permitted.
  • Advanced malware protection
    ICG inspects all web site access for malicious domains (phishing and malware delivery sites). It also performs an inspection of all WAN and Internet traffic for malicious files.
  • Intrusion prevention system
    ICG performs deep packet inspection on all traffic for indicators of compromise or malicious patterns. Protocol validation, known CVEs, flagged domains and IPs, and advanced behavioral analysis are seamlessly performed in the ICG SD-WAN.
  • Network anomaly detection
    ICG enforces application aware policies on both WAN and Internet traffic across all network resources. Deep Packet Inspection is used to look for attack patterns within internal and external network activity.
  • Rapid threat adaptation
    ICG leverages its unprecedented visibility into cloud network traffic to detect network anomalies and emerging threats. This enables quick adaptation of our Advanced Threat Protection to protect all customers.
  • Cross-domain event correlation
    ICG looks at network activity across multiple domains to identify complex attack patterns in real time.
  • Unrestricted scalability and self-maintaining service
    ICG can inspect any traffic mix (encrypted and unencrypted) and ensures capacity is available to provide subscribed services. Without the need to size, upgrade, patch or refresh appliances, customers are relieved of the ongoing grunt work of keeping their network security up to date against emerging threats and evolving business needs.

Backup as a Service (BaaS)

Backup as a Service (BaaS) is a managed service model for the delivery of backup and recovery services via an online service provider, rather than traditional on-site backups.

Backup as a service is often confused with cloud storage, where storage is provided as-a-service to function as a cloud based backup target. It should be noted that cloud storage is just a component or enabler of backup as a service, but cloud storage alone does not achieve the objectives of backup as a service.

Backup as a service is typically purchased on a consumption basis, where a company pays only for what it backs up, typically on a per-GB per-month basis.

Backup as a service is delivered as an online cloud backup service, which may be self-managed or managed by the service provider. There are circumstances where BaaS may be delivered on premises in your own office or data center and supported by the managed service provider.

Why use backup as a service?

Backup as a service is used by organisations of all sizes, typically with 1TB or more storage capacity, who want to maximise their operational expenditure, improve backup windows, mitigate risk and offload technical debt associated with management and maintenance of backup infrastructure.

How does backup as a service work?

Customers sign a service agreement based on a fixed cost per-GB per-month basis, sometimes with a minimum commit of capacity or virtual machines (VMs). Often the BaaS service is provided to the customer with Backup Software included in the per-GB per-month pricing model, however there are cases where the customer may bring their own backup software such as Veeam, Veritas, Commvault or third-party backup software provided by the service provider.

In the event that the customer has opted for an on-premises deployment, equipment may be provided in the form of a local cloud gateway or a full-scale cluster. In the case of a gateway, only a limited number of copies are stored on-site, whereas for a full cluster, all long-term storage would be held on-premises. Equipment is provided to the customer inclusive of all installation, on-going maintenance and future upgrades.

Benefits of backup as a service

  • Only pay for what you use
  • Remove large up-front CAPEX expenditure
  • Improve backup windows with next-gen backup software and deduplication
  • Offload the management burden of your backup environment
  • Cost models vary from no commitment to minimum commitment, with subscription basis: 1, 12, 36 or 60 months

Fiber Channel

What is Fiber Channel (FC)

Fiber Channel (FC) is a networking protocol, typically used in Storage Area Networks (SAN storage). Fiber Channel is used to transfer data at high speeds to a resource pool of servers with low latency. Fiber Channel Protocol (FCP) is the replacement for Small Computer System Interface (SCSI), which prior to 1997 used to dominate the storage connectivity scene. Modern advancements to SCSI include Serial Attached SCSI (SAS), used in the majority of storage area network backends and disk drives today. Visit TechTarget to learn more about the basics of SAN storage and choosing between Fiber Channel vs iSCSI.

History of Fiber Channel

Fiber Channel really started to take off around the 2000 dot-com boom, when organizations were increasingly looking for higher speed access to shared data in SAN storage systems. As Fiber Channel is a lossless protocol, it doesn't introduce any latency through cables, routing and switching, and it can travel vast distances, up to 10km on single-mode fiber and typically 100-150m on multi-mode fiber.

  • 1Gbps FC - 1997
  • 2Gbps FC - 2001
  • 4Gbps FC - 2004
  • 8Gbps FC - 2005
  • 10Gbps FC - 2008
  • 16Gbps FC - 2011
  • 32Gbps FC - 2016
  • 64Gbps FC - 2019
  • 128Gbps FC - 2016
  • 256Gbps FC - 2019

Fiber Channel vs iSCSI

Around 2009, Internet Small Computer Systems Interface (iSCSI) started to take off as an alternative to Fiber Channel. iSCSI is an Internet Protocol (IP) based networking technology for data storage, carrying SCSI commands over the TCP/IP stack rather than Fiber Channel. A long, heated debate has ensued ever since regarding the pros and cons of each interface. Ultimately FC claims to be superior in performance and low latency because of its lossless nature, whilst iSCSI claims to be superior for its simplicity and the familiarity most IT engineers have with IP-based networking. Read more on the Fiber Channel vs iSCSI debate over at the Storage Networking Industry Association (SNIA).

Firewall as a Service (FWaaS)

Firewall as a Service (FWaaS) is a new and revolutionary way of delivering firewall and other network security capabilities as a cloud service. Enterprises have always deployed next generation firewalls as appliances. While form factor varies between physical and virtual appliances, deployed on-premises or in the cloud, customers need to support the full appliance life cycle. Distributed locations need dedicated appliances that have to be sized and upgraded to accommodate business growth. Appliance software has to be patched and upgraded, and policy management must be done on an appliance basis.

FWaaS is a new type of a next-generation firewall. It doesn’t merely hide physical firewall appliances behind a “cloud duct tape”, but truly eliminates the appliance form factor, making network security (URL Filtering, IPS, AM, NG-AM, Analytics, MDR) available everywhere. In essence, the entire organization is connected to a single, logical global firewall with a unified application-aware security policy. Gartner has highlighted FWaaS as an emerging infrastructure protection technology with a high impact benefit rating.

The ICG Solution:
Firewall as a Service Built into a SASE Platform

ICG Cloud Connect SD-WAN, the world’s first SASE platform, built on a global private cloud of 50+ PoPs, aggregates all enterprise traffic from data centers, branches, mobile users, and cloud infrastructure. It then enforces comprehensive security policies and threat prevention on both WAN and Internet-bound traffic, across all users and applications.

ICG's FWaaS represents the next evolution in firewall technology that leverages advances in software and cloud technologies, to deliver a wide range of network security capabilities, on-demand, wherever businesses need it.

“When we learned about the solution, we liked the idea of simple and centralized management. We wouldn’t have to worry about the time-consuming process of patch management of on-premises firewalls.”
- Alf Dela Cruz, First Vice President, Head of IT Infrastructure and Cybersecurity, Standard Insurance

Challenge

Securing the Network in an Ever-Changing Business Environment

As enterprises expand their networks to include new resources, such as cloud infrastructure and mobile users, IT must extend security accordingly. However, relying on traditional appliance-based firewalls is no longer a viable solution. Firewall appliances don’t have a line of sight into these resources, forcing enterprises to backhaul mobile traffic through datacenter firewalls, adding latency due to the trombone effect. Alternatively, allowing direct access to the cloud leaves mobile users dependent on the unpredictable Internet performance. In addition, direct cloud access bypasses datacenter firewalls, requiring additional cloud security products to ensure enterprise-wide security.

ICG's Solution

Cloud-Native Security Delivered as a Service

FWaaS, delivered as an integral part of a full SASE platform, addresses the shortcomings of appliance-based firewalls. By leveraging the benefits of a cloud infrastructure, FWaaS provides the necessary scalability and elasticity to support today’s evolving business. In addition, it extends a full network security stack wherever needed, globally, and down to a single user. This eliminates the need to deploy additional point products, drastically reducing the cost and complexity of integrating, securing and managing remote locations, cloud applications and mobile users.

Traditional Firewalls vs. ICG FWaaS

Capacity

Legacy: Constrained

The level of protection a firewall appliance provides is limited to its physical capacity. Protecting increased traffic loads, for instance, entails additional processing and requires spending time and resources on forced upgrades. This capacity limitation often forces IT to choose cost efficiency over security, resulting in a low security posture.

ICG: Elastic

Delivered as a cloud service, FWaaS removes all appliance capacity concerns, and eliminates the hassle associated with upgrading multiple firewalls. With ICG's scalable and elastic cloud infrastructure, IT can protect all resources without legacy firewall capacity limitations and maintain an optimal security posture.

Management

Legacy: Complicated and Time-Consuming

Appliance-based security inherently entails distributed deployments and disparate security policies. As a result, IT is forced to allocate valuable time and effort to manage the network life cycle, including manually sizing, deploying, configuring, patching and upgrading firewall appliances across multiple sites.

ICG: Streamlined and Simplified

ICG connects the entire organization to a single, logical global FWaaS with a unified application-aware security policy. Maintenance of the service is done by ICG, so IT can manage the business-specific security policy without wasting time on manually handling multiple firewall appliances, their software, and their configuration.

Security Posture

Legacy: Do It Yourself (DIY)

Managing optimal security posture is a big challenge. For example, appliance-based IPS requires heavy involvement from IT. As an IPS vendor distributes new signatures, IT must assess their relevance and impact on performance, then test them on live traffic for false positives and end user disruption, and finally, deploy them in full production mode. This resource impact causes many IT teams to essentially ignore IPS updates, weakening their network security posture.

ICG: Delivered as a Service

ICG uniquely delivers Firewall and IPS as a managed solution, freeing IT from the burden of security posture maintenance. ICG evaluates emerging threats and develops the rules to stop them. ICG then tests these rules in simulation mode on live traffic, ensuring enterprises aren’t impacted and eliminating false positives before rolling them out. As a result, threats are prevented and stopped without overloading IT.

Next Generation Firewall

The Next Generation Firewall (NGFW) appliance has been the cornerstone of network security for the past two decades. It applies deep packet inspection (DPI) and multiple security engines to inspect both inbound and outbound traffic and enforce a company’s security policy. The main characteristic of a NGFW is application awareness: the ability to detect and enforce policies on applications usage based on packet content rather than packet headers (source and destination IP addresses, ports, and protocols).
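An added example, not code from the page or from ICG's product, illustrating both the default-deny segmentation from the Advanced Threat Protection glossary entry and the application awareness defined above: a port-based rule beside an application-aware rule that identifies the application from the Server Name Indication (SNI) in the TLS ClientHello. The ClientHello is constructed inline; the application signatures, segment names and policy are hypothetical.

```python
import struct
from fnmatch import fnmatch


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying an SNI
    extension, used here as sample traffic for the parser."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name       # host_name
    name_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(name_list)) + name_list    # type 0 = SNI
    body = (b"\x03\x03" + bytes(32)          # version, random (zeros)
            + b"\x00"                         # empty session id
            + b"\x00\x02\xc0\x2f"             # one cipher suite
            + b"\x01\x00"                     # null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


def extract_sni(record: bytes):
    """Return the SNI host name from a ClientHello, or None when the bytes
    are not a ClientHello or carry no SNI. Length fields are bounds-checked
    so truncated or malformed input yields None rather than an exception."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        pos = 9 + 2 + 32                                       # past version+random
        pos += 1 + record[pos]                                 # session id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]    # cipher suites
        pos += 1 + record[pos]                                 # compression
        ext_end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type == 0:
                end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
                p = pos + 2
                while p + 3 <= end:
                    kind = record[p]
                    n = struct.unpack_from("!H", record, p + 1)[0]
                    p += 3
                    if p + n > end:
                        return None
                    if kind == 0:
                        return record[p:p + n].decode("ascii")
                    p += n
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None


# Hypothetical application signatures (SNI pattern -> application).
APP_BY_SNI = {"crm.example.com": "CRM", "*.files.example.net": "FileShare"}

# Hypothetical policy keyed on (source segment, application). Anything not
# listed hits the default deny, which is what "segmented by default" means.
POLICY = {("branch", "CRM"): "allow", ("branch", "FileShare"): "allow"}


def classify(payload: bytes) -> str:
    """Map a TLS ClientHello to an application name via its SNI."""
    sni = extract_sni(payload)
    if sni is None:
        return "unknown-tls"
    return next((app for pat, app in APP_BY_SNI.items() if fnmatch(sni, pat)),
                "unknown-app")


def header_only_decide(dst_port: int) -> str:
    """A header-only rule: it can only allow or deny the whole port."""
    return "allow" if dst_port == 443 else "deny"


def decide(src_segment: str, dst_port: int, payload: bytes) -> str:
    """Application-aware rule with a default-deny fallback."""
    app = classify(payload) if dst_port == 443 else "non-tls"
    return POLICY.get((src_segment, app), "deny")


if __name__ == "__main__":
    for host in ("crm.example.com", "share.files.example.net", "unlisted.example.org"):
        hello = build_client_hello(host)
        print(f"{host:26} port rule: {header_only_decide(443)}"
              f"  app-aware (branch): {decide('branch', 443, hello)}")
```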

A cloud-based NGFW (also known as Firewall as a Service) delivers a powerful, application-aware, enterprise-grade, elastic and scalable solution without the challenges of legacy appliance-based solutions.

"Much easier to manage than a traditional firewall and the mobile client was much easier to deploy and configure than our existing approach."
- Todd Park, VP of Information Technology, W&W-AFCO Steel

Cloud-based Next Generation Firewall

ICG is providing a new kind of Next Generation Firewall, one that is available everywhere the business does business without the need for discrete appliances. ICG aggregates all enterprise traffic across data centers, branches, mobile users, and cloud infrastructure into a cloud network with a built-in Next Generation Firewall. ICG enforces application-aware corporate security policy for WAN- and Internet-bound traffic.

Appliance-based Next Generation Firewall Challenges

Solution: Cloud-based Next Generation Firewall

Application awareness adaptation

Slow application awareness adaptation

Next Generation Firewalls detect common network applications from data flows using DPI. The discovered application IDs can then be used in firewall policies for more granular control. Customers must report to the firewall vendor when application traffic is not detected or classified, and then wait for an appropriate signature or patch.

Adaptable application awareness

ICG uses its cloud traffic visibility to quickly extend its detection of new applications without involving the customer. New application identification capabilities are immediately available to all customers.
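To make concrete what "application awareness based on packet content rather than packet headers" means in practice, here is an added example (written for this page, not ICG's or any vendor's engine) that classifies a flow from its first payload bytes and feeds the resulting application ID into a policy. It parses the SNI out of a TLS ClientHello, reads the Host header of plain HTTP and recognises the SSH banner; the hostname-to-application catalogue, the policy table and the sample flows are constructed assumptions.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed application catalogue: hostnames (from SNI or HTTP Host) -> application ID.
APP_SIGNATURES: Dict[str, Tuple[str, ...]] = {
    "office365": ("outlook.office.com", "teams.microsoft.com"),
    "github": ("github.com",),
}

# Application-aware policy keyed by app ID; anything unlisted is blocked (default deny).
POLICY: Dict[str, str] = {"office365": "allow", "github": "allow", "web-other": "allow", "ssh": "block"}


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello with an SNI extension (used to construct sample flows)."""
    name = server_name.encode()
    sni_entry = b"\x00" + len(name).to_bytes(2, "big") + name            # name_type = host_name
    sni_ext = (b"\x00\x00" + (len(sni_entry) + 2).to_bytes(2, "big")     # ext type 0, ext length
               + len(sni_entry).to_bytes(2, "big") + sni_entry)           # server_name_list
    body = (b"\x03\x03" + bytes(32) + b"\x00"                            # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                          # one cipher suite, null compression
            + len(sni_ext).to_bytes(2, "big") + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body             # handshake type client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def parse_sni(payload: bytes) -> Optional[str]:
    """Extract server_name from a TLS ClientHello record; None if absent or not a ClientHello."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:
            return None
        pos = 43                                                 # record(5)+handshake(4)+version(2)+random(32)
        pos += 1 + payload[pos]                                  # session id
        pos += 2 + int.from_bytes(payload[pos:pos + 2], "big")   # cipher suites
        pos += 1 + payload[pos]                                  # compression methods
        ext_end = pos + 2 + int.from_bytes(payload[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= ext_end:
            etype = int.from_bytes(payload[pos:pos + 2], "big")
            elen = int.from_bytes(payload[pos + 2:pos + 4], "big")
            if etype == 0:                                       # server_name extension
                name_len = int.from_bytes(payload[pos + 7:pos + 9], "big")
                return payload[pos + 9:pos + 9 + name_len].decode("ascii")
            pos += 4 + elen
    except (IndexError, UnicodeDecodeError):
        pass
    return None


def app_for_host(host: str) -> str:
    for app, hosts in APP_SIGNATURES.items():
        if any(host == h or host.endswith("." + h) for h in hosts):
            return app
    return "web-other"


def classify_by_header(dst_port: int) -> str:
    """Legacy port-based classification: the header says nothing about what is inside."""
    return {22: "ssh", 80: "http", 443: "https"}.get(dst_port, "unknown")


def classify_by_dpi(payload: bytes) -> str:
    """Application identification from packet content."""
    if payload.startswith(b"SSH-"):                              # SSH version banner
        return "ssh"
    if re.match(rb"(GET|POST|PUT|HEAD|DELETE) \S+ HTTP/1\.[01]\r\n", payload):
        host = re.search(rb"\r\nHost: ([^\r\n]+)", payload)
        return app_for_host(host.group(1).decode("ascii", "replace")) if host else "http"
    sni = parse_sni(payload)
    if sni is not None:
        return app_for_host(sni)
    return "unknown"


def decide(dst_port: int, payload: bytes) -> Tuple[str, str, str]:
    """Return (header-only guess, DPI app ID, policy action) for one flow's first packet."""
    app = classify_by_dpi(payload)
    return classify_by_header(dst_port), app, POLICY.get(app, "block")
```

The interesting case is SSH tunnelled over port 443: the header-only view calls it "https" and would wave it through, while the content-based classifier labels it "ssh" and the policy blocks it. Extending detection to a newly seen application is a matter of adding hostnames or banners to the catalogue, which is the kind of change the service-side model above pushes to every customer at once.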

Visibility

Fragmented location-bound visibility

Appliances are location-bound and can only inspect the traffic that flows through them. This is why appliance sprawl and backhauling are needed to get inspection and enforcement to where the traffic is.

Full visibility

As all WAN and Internet traffic goes through the ICG SD-WAN Cloud, there are no blind spots or need to deploy multiple appliances to cover all traffic.

Scalability

Capacity constrained security

Next Generation Firewalls apply various security engines to the traffic including IPS, anti-malware, URL filtering and more. Running these engines in parallel depends on appliance capacity. Smaller devices, such as UTMs, are limited in their security enforcement due to capacity constraints.

Unrestricted cloud scalability

ICG can inspect any mix of encrypted and unencrypted traffic with all supported security services without affecting performance. Customers avoid sizing exercises and forced upgrades. ICG ensures there is enough capacity for customers to receive the full range of security services.

Inspection

SSL inspection degradation

Next Generation Firewalls need to inspect encrypted (SSL/TLS) and unencrypted traffic at line speed. Encrypted traffic places a significant load on the appliance and often creates scalability and performance issues. As the share of encrypted traffic increases, forced appliance upgrades often become a necessity.

Full traffic inspection

Cloud-based inspection scales to support all traffic without the need for unplanned or forced upgrades.

Manageability

Resource intensive appliance management

Distributed Next Generation Firewalls require an appliance at each location, each with its own set of rules. Deviations from a policy template tend to accumulate over time and increase the likelihood of rule conflicts and security exposure. Furthermore, each appliance life cycle has to be managed separately. Appliances must be bought, deployed, configured, patched, updated and ultimately replaced, either due to End of Life (EOL) or business growth.

Self-maintaining cloud service

Without the need to size, upgrade, patch or refresh appliances, customers are relieved of the ongoing grunt work of keeping network security current against emerging threats and evolving business needs.

How to Re-evaluate Your MPLS Service Provider

Read how you can cut costs, sustain the service levels your business needs, improve overall agility and flexibility, and get enterprise-grade security, by just offloading your MPLS with SD-WAN.

SD-WAN as a Service

SD-WAN is the initial building block of WAN transformation and the first step in overcoming MPLS cost and agility constraints. SD-WAN appliances are placed at the WAN edge and are designed to manage multiple WAN links, maximizing bandwidth and overcoming last-mile brownouts and blackouts. Nevertheless, as a point solution, SD-WAN alone can't address essential digital business needs such as global connectivity, network optimization, WAN and Internet security, cloud acceleration, and mobile access.

SD-WAN as a Service extends the core capabilities of traditional SD-WAN. It converges the WAN edge, a global backbone and a full network security stack into a unified cloud-native platform. Known as SASE (Secure Access Service Edge), it is built to optimally connect and secure all enterprise resources: physical locations, cloud datacenters, and the mobile workforce. By integrating SD-WAN into SASE, enterprises can gradually transform their WAN and address the full WAN transformation journey without deploying multiple point solutions.

The Solution:
Converged, Cloud-Native Architecture

ICG's Cloud-Native SD-WAN is part of ICG's broader SASE platform. Converging networking and security into a single centrally managed cloud, ICG offers enterprises a holistic solution to support their business transformation and march confidently to the digital era.

ICG's architecture avoids proprietary hardware and converges all enterprise functions into a multitenant, cloud-native software stack. ICG runs all functions (global routing, security, management and so on) in the cloud, creating a thin edge architecture and minimizing edge-compute requirements.

With its global private backbone supported by 50+ PoPs, ICG enables enterprises to maximize their WAN investment and gradually move to a full SASE solution, at the pace and scale fit for them.

“With a global backbone including security and mobility. What we see nowadays is that everyone looking at SD-WAN looks at security. The two go together. [SD-WAN] addresses both dimensions in one seamless solution."
- Lars Norling, Director IT Operations, ADB SAFEGATE

Challenge

Traditional SD-WAN fails to support digital business needs

To support the digital transformation and future business needs, IT must enable secure connectivity across all edges at a global scale. With traditional SD-WAN, however, IT is left with the complexity of handling multiple point products, on top of remaining dependent on rigid and expensive MPLS links for delivering secure and well-performing connectivity.

Traditional SD-WAN fails to address network security requirements

The ICG Solution

Converged, cloud-native architecture built for the digital era

ICG converges traditional SD-WAN, a global private backbone, full network security stack, and seamless support for cloud and mobile, providing a holistic solution that goes beyond mere MPLS cost reduction. ICG eliminates the need for multiple point products, as well as the cost, complexity and risk associated with maintaining them.

Secure Global SD-WAN as a Service

Traditional Solutions vs. ICG SD-WAN

Legacy

ICG

Optimized Global Connectivity

No global latency control persists MPLS dependency

SD-WAN uses the public Internet where latency is unpredictable, hence enterprises still need to maintain some MPLS capacity to support latency-sensitive applications.

Replaces, not just augments, MPLS

ICG's private global backbone delivers built-in WAN optimization. Customers can move to a combination of high-quality Internet last mile and SD-WAN to augment and ultimately replace MPLS. ICG SD-WAN accelerates access to key cloud applications like Amazon AWS, Microsoft Azure and Office 365.

Secure Internet Access

No integrated network security capabilities

SD-WAN directs WAN traffic across encrypted Internet tunnels, providing only basic confidentiality for traffic sent over a public network. Yet accessing websites and cloud applications directly from a remote office (without backhauling to a datacenter) requires a full network security stack, including NGFW, URL filtering, anti-malware, IPS and more. This requires partnering with third parties, complicating and fragmenting network and security policy management.

Cloud-based network security everywhere

ICG provides a full enterprise-grade network security stack built directly into its global backbone. There is no need to backhaul traffic to specific choke points or to chain together third-party security products and services. All network and security policies are configured within ICG's cloud-based management application.

Cloud and Mobile Support

No support for cloud infrastructure and mobile users

SD-WAN solutions were designed to reduce spend on MPLS connectivity between physical locations. For legacy WAN architectures, cloud data center integration was an afterthought and mobile support was not a consideration. Yet, cloud and mobility represent an essential part of how business gets done today.

Seamless support for cloud infrastructure and mobile users

With ICG enterprises can easily connect all resources into the WAN, including physical locations, cloud applications, and fixed and mobile users. With ICG's cloud-native SD-WAN delivered as a service, networking and security capabilities are available everywhere and to all resources without the need to introduce point products.

Frequently Asked Questions

  • What is SD-WAN used for?
  • SD-WAN is used to reduce networking costs and improve resiliency and agility by connecting branch locations with affordable Internet connectivity and smart software. When combined with a global private backbone and a cloud-based security stack, SD-WAN can extend secure and optimized access to cloud resources and mobile users.
  • What is the difference between WAN and SD WAN?
  • Why is SD WAN important?
  • Is SD WAN better than MPLS?
  • How secure is SD WAN?

Learn more about SD-WAN

Secure Access Service Edge (SASE)

Secure Access Service Edge (SASE) is a new enterprise networking technology category introduced by Gartner in 2019. SASE converges the functions of network and security point solutions into a unified, global cloud-native service. It is an architectural transformation of enterprise networking and security that enables IT to provide a holistic, agile and adaptable service to the digital business.

What makes SASE unique is its transformational impact across multiple IT domains.

Solving emerging business challenges with point solutions leads to technical silos that are complex and costly to own and manage. Complexity slows down IT and its response to these business needs. SASE changes this paradigm through a new networking and security platform that is identity-driven, cloud-native, globally distributed, and securely connects all edges (WAN, cloud, mobile, and IoT).

SASE Convergence of Network and Security

With SASE, enterprises can reduce the time to develop new products, deliver them to the market, and respond to changes in business conditions or the competitive landscape.

ICG SD-WAN is built on a proven SASE platform you can deploy today. Our cloud-native architecture converges SD-WAN, a global private backbone, a full network security stack, and seamless support for cloud resources and mobile devices.

Customers easily connect physical locations, cloud resources, and mobile users to the ICG SD-WAN service, and IT teams immediately benefit from the agility of a unified network and security service managed through a single, self-service console.

We got the functionality of SD-WAN, a global backbone, and security service for our sites and mobile users integrated together and at a fraction of the cost.

The Challenge

Point Solutions for Networking and Security are too Complex to Manage and Costly to Own

Current networking and security solutions are incompatible with the cloud-centric and mobile-first digital business. The network is rigid and static, and security is heavily fragmented across multiple domains. Together, networking and security are slowing down the business instead of enabling innovation and agility.

The Solution

Cloud-native Convergence of Networking and Security enables Simplicity, Agility, and Lower Costs

ICG is delivering the world's first SASE platform (and has been recognized by Gartner as a "Sample Vendor" in the SASE category of the "Hype Cycle for Enterprise Networking, 2019") through a globally distributed cloud service that provides enterprise network and security capabilities to all edges.

Get the ICG SASE for Dummies eBook.

Secure Web Gateway

Cloud-based Secure Web Gateway protects users against Internet-borne threats.

Secure Web Gateway (SWG) protects users against phishing, malware and other Internet-borne threats. Unlike traditional firewalls, Secure Web Gateways focus on layer 7 web traffic inspection, both inbound and outbound. As web security solutions, they apply no protection to WAN traffic, which is left to the corporate Next Generation Firewalls. In recent years, Secure Web Gateways have also been offered as cloud services. The cloud instances enable secure web and cloud access from anywhere, including outside the office for mobile users. Traffic coverage and solution form factor remain the key distinctions between Secure Web Gateways and Next Generation Firewalls, which often provide a very similar level of security capabilities.
A converged, cloud-based network security solution combines the capabilities of a Next Generation Firewall (WAN and Internet traffic inspection) with the extended coverage for mobile users of Secure Web Gateways.
A converged approach eliminates the need to maintain policies across multiple point solutions and to manage the appliance life cycle.

The ICG Solution:
Converged Network Security in the Cloud

ICG is providing a new kind of network security stack that converges a Next Generation Firewall, Secure Web Gateway and Advanced Threat Protection in the cloud. All these capabilities are available everywhere without deploying discrete appliances or separate cloud-based services.
ICG SD-WAN aggregates all enterprise traffic from data centers, branches, mobile users and cloud infrastructure into a cloud network with a built-in network security stack. ICG enforces a comprehensive security policy on all traffic, both WAN- and Internet-bound, and on all users, both fixed-location and mobile.

"The other provider's service would have meant spending around 2x more than with the solution and still not get any of the security services offers."
- Matthieu Cijsouw, IT Manager, Centrient Pharmaceuticals

Appliance-based Secure Web Gateway Challenges vs. Converged Network Security in the Cloud

Legacy

ICG

Visibility

Fragmented visibility

A Secure Web Gateway appliance needs to sit in the data path to be able to process enterprise traffic. An appliance is required at every location that accesses the Internet.

Full visibility

As all WAN and Internet traffic goes through ICG's SD-WAN there are no blind spots and no need to deploy multiple appliances, of different providers, to cover all traffic.

Scalability

Capacity constrained security

A Secure Web Gateway applies various security engines to the traffic, including IPS, anti-malware, URL filtering and more. The ability to run these engines in parallel is subject to the appliance capacity. Smaller appliances, such as UTMs, are especially limited in their scalability, extensibility and inspection capabilities.

Unrestricted scalability

ICG can inspect any mix of encrypted and unencrypted traffic with all supported security services. Customers don't have to go through sizing exercises or forced upgrades. ICG ensures capacity is available to provide customers the subscribed service.

Inspection

SSL inspection degradation

A Secure Web Gateway needs to inspect both encrypted (SSL/TLS) and unencrypted traffic at line speed. As the share of encrypted traffic increases, forced appliance upgrades may become a necessity.

Full traffic inspection with no degradation

ICG can inspect all traffic, both encrypted and unencrypted, with all supported security services and with no performance degradation. ICG provisions the inspection capacity so that the licensed throughput is always supported.

Manageability

Complex appliance management

A distributed environment requires an appliance at each location, each with its own set of rules. Each appliance life cycle has to be managed separately. It has to be bought, deployed, configured, patched, updated and ultimately replaced, either due to End of Life (EOL) or business growth.

Self-maintaining cloud service

Without the need to size, upgrade, patch or refresh appliances, customers are relieved of the ongoing grunt work of keeping their network security up to date against emerging threats and evolving business needs.

Software Defined Perimeter (SDP)

Software-defined perimeter (SDP), also known as Zero Trust Network Access (ZTNA), is a new approach for securing remote access to business applications both on-premises and in the cloud. SDP is an integral part of Gartner’s Secure Access Service Edge (SASE) framework.

Enterprises have long relied on virtual private networks (VPNs) to connect mobile or remote users to applications and other network resources. But traditional VPNs are poorly suited to the shift to the cloud and the increase in work-from-home users. VPNs rely on appliances, such as firewalls or VPN concentrators, forcing remote users' traffic to specific physical locations. This architecture adds latency and creates capacity constraints. Once connected through a VPN, users are trusted with access to all resources on the network, increasing the risk of malware propagation and data breach. And to reach the VPN gateways, users must rely on the unpredictable public Internet. Overall, legacy VPN architectures expose the enterprise to attacks and adversely impact the user experience, especially when accessing cloud applications.

ICG's Solution:
Optimized and Secure Remote Access (SDP) for Everyone and Everywhere

Cloud-native SDP delivers secure remote access as an integral part of a company’s global network and security infrastructure. A global, cloud-scale platform supports any number of remote users within their geographical regions. Performance improves with end-to-end optimized access to any application using a global private backbone. Risk is minimized before and after users access the network through strong authentication and continuous traffic inspection for threat prevention. Cloud-native SDP makes mobile access easy — easy to deploy, easy to use, and easy to secure.

“Mobile VPN is my secret BCP [business continuity plan] in my back pocket. If my global network goes down, I can be like Batman and whip this thing out.”
- Stuart Gail, Infrastructure Architect, Network and Systems Group

Challenge

Delivering a scalable, optimized, and secure access to all users and applications

Remote and mobile access to on premises and cloud applications is challenging legacy VPN appliance-based architectures. Cloud traffic is forced through chokepoints at physical locations adding latency. VPN concentrators are needed for global coverage, scale, and load balancing. And, unrestricted network access creates excessive security risk.

Challenges of SDP

ICG's SD-WAN Solution

ICG SDP enables global, cloud-scale, optimized and secure access to everyone

ICG provides an integrated client-based and clientless remote access solution as part of the ICG SD-WAN. Users benefit from optimized and secure access to all applications, on-premises and in the cloud, while at home or on the road. ICG enforces strong authentication and granular access control as well as deep packet inspection of all traffic against threats. ICG's global cloud-scale platform seamlessly supports any number of users and applications globally.

ICG SD-WAN Architecture

Traditional Solutions vs. ICG SD-WAN

Legacy VPN

ICG

Massively Scalable Architecture

Non-scalable client/server architecture

Legacy VPN requires specialized hardware appliances and regional concentrators, to cover a global workforce. Because the architecture is appliance-based, it is subject to capacity constraints, especially with a sudden increase in work-from-home users.

Cloud-scale infrastructure supporting multi-gig traffic

SDP is an integral part of ICG Cloud Connect SD-WAN, a global, cloud-native architecture. ICG seamlessly scales to support optimized and secure access to any number of globally distributed users without requiring setting up any additional infrastructure.

Secure Access and Authentication

Unrestricted network access is a high risk

Legacy VPN provides secure access to whole networks. This expands the attack surface and enables excessive access that increases the risk of compromise and data breach.

Application-specific access reduces risk

ICG SD-WAN enforces multi-factor authentication and granular application access policies that restrict access to approved applications, on-premises and in the cloud. The user never gets unrestricted access to the network layer.

Continuous Threat Prevention

Access only, no continuous threat prevention

Legacy VPN rarely includes continuous deep packet inspection (DPI) to protect against threats post authentication. This enables propagation of threats inside corporate networks that emanate from compromised endpoints.

Post access protection against threats

ICG provides continuous protection against threats, applying deep packet inspection (DPI) for threat prevention to all traffic regardless of source and destination. Protection is seamlessly extended to Internet access, as well as application access on-premises and in the cloud.
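The two rows above (application-specific access after strong authentication, and inspection that continues after the user is in) fit together in one small policy engine. The following is an added example written for this page, not ICG's implementation: the application catalogue, the group names, the threat signatures and the users are constructed, and the legacy VPN helper is only there to contrast network-level reachability with per-application entitlement.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed application catalogue: each app lists the groups allowed to reach it.
# There is deliberately no "network" or "subnet" object: access is granted per application only.
APP_POLICY: Dict[str, Set[str]] = {
    "crm.internal": {"sales", "it"},
    "git.internal": {"engineering", "it"},
    "hr.internal": {"hr"},
}

# Constructed threat signatures for post-authentication inspection (stand-ins for IPS rules).
THREAT_SIGNATURES = (b"UNION SELECT", b"<script>alert(", b"/etc/shadow")


@dataclass
class Identity:
    user: str
    groups: Set[str]
    mfa_verified: bool


@dataclass
class Session:
    identity: Identity
    granted_apps: Set[str]
    revoked: bool = False
    revoke_reason: str = ""
    log: List[Tuple[str, str]] = field(default_factory=list)


def legacy_vpn_reachable(identity: Identity, network_hosts: Set[str]) -> Set[str]:
    """Legacy VPN model: once connected, every host on the network is reachable."""
    return set(network_hosts)


def connect(identity: Identity) -> Session:
    """ZTNA connect: strong authentication first, then compute the per-application entitlement."""
    if not identity.mfa_verified:
        raise PermissionError(f"{identity.user}: MFA required before any access")
    apps = {app for app, groups in APP_POLICY.items() if identity.groups & groups}
    return Session(identity, apps)


def authorize(session: Session, app: str) -> bool:
    """Per-request authorization; a revoked session is denied everything."""
    return not session.revoked and app in session.granted_apps


def forward(session: Session, app: str, payload: bytes) -> str:
    """Authorize, then inspect the traffic of an already-authenticated user before forwarding."""
    if not authorize(session, app):
        session.log.append((app, "denied"))
        return "denied"
    hit = next((sig for sig in THREAT_SIGNATURES if sig in payload), None)
    if hit is not None:
        session.revoked = True
        session.revoke_reason = f"threat signature {hit!r} in traffic to {app}"
        session.log.append((app, "blocked"))
        return "blocked"
    session.log.append((app, "forwarded"))
    return "forwarded"
```

A sales user who has passed MFA is entitled to the CRM and nothing else; a request to the source-code host is refused at the application layer rather than reaching it and failing there. When the user's own traffic later carries an injection pattern, the session is revoked and every subsequent request is denied, which is the post-access protection the legacy VPN row says is usually missing.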

Optimal End-to-End Performance

No performance optimization

Legacy VPN requires mobile users to access resources across the public Internet. The increased latency and packet loss of public Internet routing undermines the user experience.

Built in global access optimization

With ICG remote users access resources, on-premises and in the cloud, through ICG's global private backbone which delivers a consistent and optimized user experience.

Business Continuity and Work from Home

VPN can't support all users all the time

Legacy VPN is designed to enable access for a subset of users over short periods of time. It is not designed for the 24x7 access for all users that business continuity scenarios require.

ICG's SD-WAN is built to deliver continuous access to everyone

ICG provides a globally distributed, cloud-scale platform to enable continuous access to all employees in the office, on the road, or at home.

Frequently Asked Questions

  • What is SDP?
  • Software-defined Perimeter (SDP) is a new application access technology. It provides enterprises with three key capabilities: strong authentication of users, application-specific access rights based on their profile, and continuous risk assessment throughout their session.
  • How is SDP related to Zero Trust?
  • How is SDP different from ZTNA?
  • How is SDP different from VPN?
  • What is the benefit of SDP as part of a SASE?

Learn more about SD-WAN Secure Remote Access

Storage as a Service (STaaS)

Storage as a service (STaaS) is a managed service model for purchasing data storage based on consumption, where a company only pays for what they use, typically on a per-GB per-month basis.

Storage as a service can be delivered on premises in your own office, data center or the public cloud.

STaaS is available for all protocols (block, file and object) and all disk types (all-flash, hybrid, hdd).

Why use storage as a service?

Storage as a service is used by organisations of all sizes, typically with 10TB or more of storage capacity, who want to shift spending to operational expenditure, improve availability, mitigate risk and offload the technical debt associated with managing and maintaining storage infrastructure.

How storage as a service works?

Customers sign a service agreement based on a fixed cost per-GB per-month basis, with a floor price or minimum commit, typically around $1,500 per month. Equipment is provided to the customer inclusive of all installation, on-going maintenance and future upgrades.

Benefits of storage as a service?

  • Only pay for what you use
  • Remove large up-front CAPEX expenditure
  • Improved levels of service with guaranteed SLAs
  • Offload the management burden of your storage area network
  • Subscription basis: 12, 36 or 60 months

Learn more about ICG Cloud Storage as a Service (STaaS) or go deeper into the topic with the ICG blog What is STaaS?

UC and UCaaS Optimization

Unified Communications (UC) and UC as a Service (UCaaS) enhance team collaboration with a mix of real-time communication and messaging tools, namely voice, video conferencing, and screen-sharing.

While beneficial to the business, UC’s networking requirements challenge WAN transformation initiatives. Voice and video require minimal latency and packet loss. Outages and slow-downs in the network become readily apparent to anyone in the middle of a voice or video call.
Moving UC to the cloud with UC-as-a-Service (UCaaS), such as RingCentral, 8×8, Fuze, and Skype, poses further complications, requiring predictable, low-latency cloud access from any branch location.

Broadband Internet connections, such as DSL and cable, provide the affordable bandwidth and rapid-deployment needed by WAN transformation initiatives. But alone they fail to address all of the factors that can degrade the Quality of Experience (QoE) of UC and UCaaS.

A global SD-WAN service with converged security provides the reach, performance, and protection enterprises require for UC and UCaaS.

ICG SD-WAN is the perfect complement to any UC or UCaaS deployment. SD-WAN improves uptime and eliminates the common causes of packet loss and latency that undermine UC and UCaaS QoE.

Appliance-based SD-WAN challenges

Solution: Global, Secure SD-WAN as a Service

Last-Mile Prioritization, Packet Loss and Availability

Appliance-based SD-WANs only prioritize upstream traffic. They typically include Active/Active protection for aggregating capacity and protecting against blackouts. Policy-based Routing (PbR) selects the optimum path for UC sessions. Packet-loss mitigation techniques may be available.

ICG QoS prioritizes both upstream and downstream last-mile traffic. Active/Active protection and PbR aggregate capacity, protect against brownouts as well as blackouts, and select the optimum path. Packet Duplication and Fast Packet Recovery mitigate last-mile packet loss.

Middle-Mile Optimization

SD-WAN appliances rely on the unpredictable Internet. They cannot compensate for the latency from poor Internet routing or the packet loss caused by congested peering points.

ICG avoids Internet problems by using the ICG SD-WAN network, a private, global, network of PoPs built on top of multiple SLA-backed tier-1 carriers. Optimized routing algorithms direct UC traffic across the paths with the least latency and packet loss.
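The two mechanisms named in this table, packet duplication across last-mile links and path selection by latency and loss, are easy to reason about with a deterministic model. The block below is an added example for this page, not ICG's routing code: the links, their latencies, the "drop every Nth packet" loss model and the additive path cost are all constructed assumptions chosen so the arithmetic can be checked by hand.

```python
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class Path:
    """A transport path with a deterministic loss model: drops every Nth packet (0 = lossless)."""
    name: str
    latency_ms: float
    drop_every: int

    def delivers(self, seq: int) -> bool:
        return self.drop_every == 0 or seq % self.drop_every != 0

    @property
    def loss_rate(self) -> float:
        return 0.0 if self.drop_every == 0 else 1.0 / self.drop_every


def path_cost(path: Path, ms_per_percent_loss: float = 10.0) -> float:
    """Additive cost (assumed for illustration): latency plus a penalty per percent of loss."""
    return path.latency_ms + ms_per_percent_loss * 100.0 * path.loss_rate


def select_path(paths: List[Path]) -> Path:
    """Policy-based routing choice for a loss- and latency-sensitive flow: lowest cost wins."""
    return min(paths, key=path_cost)


class DedupReceiver:
    """Receiver side of packet duplication: the first copy of a sequence number wins."""

    def __init__(self) -> None:
        self.seen: Set[int] = set()

    def receive(self, seq: int) -> bool:
        if seq in self.seen:
            return False            # duplicate copy, discard
        self.seen.add(seq)
        return True


def send_single(path: Path, count: int) -> List[int]:
    """Send seq 1..count over one path; return the sequence numbers the receiver never got."""
    rx = DedupReceiver()
    for seq in range(1, count + 1):
        if path.delivers(seq):
            rx.receive(seq)
    return [seq for seq in range(1, count + 1) if seq not in rx.seen]


def send_duplicated(paths: List[Path], count: int) -> List[int]:
    """Packet duplication: every packet goes over all last-mile paths; a packet is lost only if every copy is."""
    rx = DedupReceiver()
    for seq in range(1, count + 1):
        for path in paths:
            if path.delivers(seq):
                rx.receive(seq)
    return [seq for seq in range(1, count + 1) if seq not in rx.seen]


# Constructed links: two lossy last-mile circuits and two middle-mile options.
DSL = Path("dsl", latency_ms=12.0, drop_every=5)                          # 20% loss
CABLE = Path("cable", latency_ms=9.0, drop_every=7)                       # ~14% loss
INTERNET_MIDDLE_MILE = Path("internet", latency_ms=180.0, drop_every=50)  # 2% loss at congested peering
BACKBONE = Path("private-backbone", latency_ms=120.0, drop_every=1000)    # 0.1% loss
```

Over 70 voice packets the DSL link alone drops 14 and the cable link alone drops 10, but with duplication only the two packets dropped on both circuits (sequence numbers 35 and 70) are lost, which is the multiplicative effect that makes duplication worthwhile for small, loss-sensitive UC flows. The cost function prefers the backbone path over the public Internet path even though both are "reachable", because the loss penalty dominates once a route traverses congested peering points.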

UCaaS Access

SD-WAN appliances do not provide UCaaS access out-of-the-box. Organizations must first identify the location of their UCaaS provider and somehow deploy an appliance near the provider’s premises.

ICG natively supports UCaaS and cloud datacenters (IaaS) without additional configuration, complexity, or point solutions. ICG hands UCaaS traffic off at the ICG Point of Presence (PoP) closest to the UCaaS instance, wherever it is in the world, to minimize latency and packet loss.

Security

SD-WAN appliances require additional security appliances and services to protect against network attacks and Internet threats.

ICG's converged security stack protects UC components against network attacks and Internet-borne threats without the need for dedicated appliances or additional security services.

SD-WAN and UCaaS: How to Guarantee Your Win (Video)

SD-WAN can reduce your WAN costs, but will it keep those voice calls clear? Find out in our next webinar, as noted unified communications and collaboration expert Irwin Lazar examines the SD-WAN considerations for maximizing your UC/UCaaS experience.

Wide Area Network (WAN)

A Wide Area Network (WAN) is a communications network that spans a wide geographic area across cities, countries or regions, connecting multiple Local Area Networks (LANs) from headquarters to branch offices, data centers and the cloud.

Traditional WAN was implemented via expensive MPLS leased lines from telecommunications providers, connecting multiple LANs together with routing policies to direct network traffic between locations.

Software-defined WAN (SD-WAN) is a modern approach to seamlessly connect locations over lower cost broadband internet rather than expensive MPLS leased lines.

SD-WAN has evolved to encompass elements of security and control usually associated with standalone point solutions like Firewalls, IPS, VPN, and URL Filtering. Gartner recently created a new category, Secure Access Service Edge (SASE), which distinguishes the basic SD-WAN function of replacing MPLS with broadband Internet from delivering a wide area network service with all the security built in.

SASE combines network security functions (such as SWG, CASB, FWaaS and ZTNA), with WAN capabilities (i.e. SDWAN) to support the dynamic secure access needs of organizations. - Gartner

ICG International Services

ICG as a service offerings cover Backup, Cloud NAS, IT Operations, SD-WAN, and Storage.

Cloud Backup

Leave behind the cost and complexity of solutions that aren’t built to scale or only work for one workload, on-premise or in the cloud. Save time and money, whilst getting data protection that’s secure, scalable and always available.

No hardware, no software

Delivered as-a-service means leaving behind on-premises infrastructure, hardware refresh cycles and time consuming software maintenance.

Infinitely scalable

Built in the cloud, new capacity can be added to your subscription on the fly without any changes to your backup settings. No need to purchase and install new appliances or software.

No maintenance windows

ICG maintains the data protection solution, not the customer; our platform is always up to date with the latest features.

Simplicity

An intuitive interface and customer experience, deployed in as little as 15 minutes. No backup target to install, tune or maintain.

Intelligence

Smarter in how we store your data (global deduplication, automated long term retention), and more intelligence about your data (ransomware monitoring, analytics and more).

Control

Stay in control of your data, with policy-based management, federated search and advanced security that ensures only you can access your data.

Better customer experience

ICG Cloud Backup enterprise data protection solution empowers your organization with more intelligence about your data, while improving the efficiency of your IT teams. ICG Cloud Backup combines an unprecedented set of capabilities in one user experience.

Lower TCO up to 50%

Leave behind the cost and complexity of onsite hardware, software and infrastructure, while expanding your disaster recovery capabilities at no additional cost.

Accelerate backup performance

ICG Cloud Backup can expand compute resources dynamically to meet even the most demanding timelines for backup windows.

Unlimited scalability, on-demand

The cloud is infinitely scalable, and capacity can be added on-demand without the need to provision new devices, or change your backup settings.

Beyond backup, do more with your data

A unified view of your backup data allows you to easily respond to eDiscovery, manage Legal Hold, or analyze your data to drive business decisions.

Cloud Connect

New to SD-WAN technology? Check out our blog, what is SD-WAN and considerations for a branch office firewall.

Optimized Connectivity

ICG uses a global private backbone with built-in optimization to deliver an SLA-backed, predictable, and high-performance network experience anywhere. Customers who suffer from high latency and network inconsistency across their branch offices use ICG to deliver a great user experience, whether accessing applications on-premises or in the cloud.

Test your internet speed with the ICG internet speed test.

Secure Branch Internet Access

ICG provides complete network security. Because every branch location connects to the ICG cloud, both Internet-bound and WAN traffic is fully protected by enterprise-grade, cloud-based security services. There is no need to backhaul Internet traffic to a regional hub or to deploy branch network security appliances such as firewalls, IPS and VPN concentrators. That means no more firewalls to procure, deploy, patch, manage and upgrade, and no backhauled traffic: it is all done in the cloud.

Cloud Acceleration

ICG provides seamless acceleration of cloud traffic by routing traffic from each edge location to the PoP closest to the cloud datacenter. Because our PoPs share datacenter footprint with the major cloud providers, latency to those providers is minimal. Cloud application access optimization requires just a single application-level rule that determines where cloud application traffic should egress.

Mobile Security and Optimization

ICG extends global networking and security capabilities down to the individual user’s laptop and smartphone. Mobile and remote users no longer need to suffer from poor service. Using our client, or clientless browser access, users can dynamically connect to the closest PoP, and their traffic is optimally routed over the global private backbone to on-premises or cloud applications.

Share Files Securely Anywhere

ICG secure remote file sharing lets your staff's D: drive and file shares be cached locally on their devices, syncing only compressed delta changes across the WAN. The local cache allows offline access, while file locking keeps data consistent and free of version conflicts when multiple users work on the same files. Backup is built in, so you never have to back up your NAS or file server again. You can host on-premises for compliance or in the cloud for efficiency.

Working from Home

ICG seamlessly supports working from home for all your employees. Customers can rapidly connect their on-premises and cloud datacenters and enable self-service provisioning of VPN clients for every user who needs work-from-home or remote access. With traffic continuously inspected for threats and subject to access control, ICG gives you a viable business continuity plan for working from home that is ready to go.

SD-WAN Architecture

Why SD-WAN? Why now?

Over the years there has been a shift away from the traditional office toward remote work. A salesperson would go out for the day, jump on the corporate VPN in a cafe between meetings when they needed corporate applications, mail or file shares, then disconnect until later in the evening when they got back home or to the hotel. That was some of the users, some of the time. With the unprecedented shift toward remote work during the pandemic, it is now most of the users, most of the time.

All that expensive MPLS bandwidth is going to waste: most users now reach the WAN via the Internet, placing unforeseen load on VPN concentrators rather than on inter-branch MPLS links, and they are accessing more and more applications in the cloud, directly over the Internet.

Why keep paying for expensive MPLS bandwidth?

You can adopt an SD-WAN service from ICG, paid as OPEX rather than CAPEX, that delivers the same kind of SLA you expect from MPLS, with potentially higher bandwidth at a lower cost. It scales more readily for spikes of VPN users via low-latency local PoPs, and it does away with the need to procure and maintain branch firewalls, link load balancers, URL filtering, secure web gateways and WAN optimizers. All of this functionality is built into the service, and new policies can be rolled out globally in a few clicks via the cloud console.

What about file sharing over the VPN?

ICG addresses the final pain of remote work: file sharing, which is typically plagued by slow protocols that were never designed to scale over remote connections. ICG lifts the burden of maintaining file servers and backups, with built-in versioning, data protection and encryption, while enabling a file sharing experience that looks and performs like a local D: drive to the end user, even when they are offline.

So how much does SD-WAN cost?

We've prepared an online SD-WAN price calculator to guide you.

“Digital transformation and adoption of mobile, cloud and edge deployment models fundamentally change network traffic patterns, rendering existing network and security models obsolete” - Gartner

Cloud Desktop

Windows Virtual Desktop is a comprehensive desktop and app virtualization service running in the cloud. It’s the only virtual desktop infrastructure (VDI) that delivers simplified management, multi-session Windows 10, optimizations for Microsoft 365 Apps for enterprise, and support for Remote Desktop Services (RDS) environments. Deploy and scale your Windows desktops and apps on Azure in minutes, and get built-in security and compliance features.

Deploy and scale in minutes

Quickly virtualize and deploy modern and legacy desktop apps to the cloud in minutes with unified management in the Azure portal.

Enable optimizations for Microsoft 365 Apps for enterprise

Deliver the best Microsoft 365 Apps for enterprise experience, with multi-session virtual desktop scenarios to provide the most productive virtualized experience for your users.

Migrate from Citrix or Windows Server

Migrate your Remote Desktop Services (RDS) environment with simplified management and deployment experience on Azure.

More secure, productive virtual desktop experience on Azure with Microsoft 365

Deploy a complete, intelligent solution that enhances creativity and collaboration for everyone. Shift to Microsoft 365 and get Office 365, Windows 10, and Enterprise Mobility + Security.

Cloud File Server

ICG Cloud File Server leverages cloud-based storage or on-premise object storage for compliance, with the functionality you expect from an on-premises hardware NAS – only better, with cloud-native design for scale, optimized with bandwidth control for remote work, and end-to-end encrypted for ultimate security.

Filespaces

A Filespace is a shared global namespace that acts like any other high-performance network-attached storage (NAS) even though the data is hosted in the cloud. Designed to address the business needs around storing large data sets on and off-premise and accessing them over distance, distributed teams get secure, on-demand access to digital assets, and can collaborate on files, in the cloud, from anywhere.  

Solving the problem of distance and latency

ICG solves the problem of distance and latency in cloud environments by reducing the traffic between applications and remote storage. By dramatically boosting responsiveness we enable file data to be delivered efficiently and streamed on-demand. Performance is further optimized by sophisticated data prefetching based on a proprietary, adaptive algorithm; parallel TCP streams; local write-back caching; and in-line compression.

Additionally, we offer advanced file capabilities like direct read/write access from the cloud, immutable snapshots, user access control, and global file locking.

ICG's SaaS approach improves scalability, reliability and data durability while enhancing team collaboration and productivity. Customers save time and cost, and gain tighter control over data storage, security, devices and data sovereignty mandates.

File Sync & Share

File synchronization is another term for automatic file copying, which was a clever way to overcome the unreliable and intermittent connections of the past. These technologies replicate and synchronize files to present what looks like a distributed file system, one that requires complete replicas on all participating nodes. This constant replication puts significant demands on network and storage resources, which has limited file synchronization's applicability to smaller data sets, typically in the GB to low TB range.

No synchronization, streams on-demand

ICG does away with synchronization and streams data on-demand directly from the cloud as needed by the application. The single source of truth is kept in the cloud. Frequently accessed data is cached locally to deliver the best of both worlds in terms of performance and flexibility when accessing TB to PB range volumes.

Cloud Storage Gateways


No gateways required, streams to the object-store

ICG eliminates the need for gateways, as it streams data directly from and to the underlying object-store. It untethers computing devices from their location and allows the same uniform experience, whether in or outside the office, on-premise or in the cloud.

ICG's SaaS, cloud-first approach significantly expands the use cases for cloud file systems, provides much better integration with the host operating system, and eliminates CAPEX.

A Modern Approach to Global File System Design

ICG has reimagined the file system for the cloud to provide a truly innovative alternative to today's prevailing architectures. Engineered for enterprises seeking a scalable, reliable file service with best-in-class security and zero operational overhead, ICG revolutionizes the use of object storage for modern cloud-computing environments by turning the cloud into a local storage tier.

Direct read/write access from the cloud

Desktop and server applications can read or write portions of large files without the need to download or upload them in their entirety from the object-store.

Data streamed on-demand

Data bits are streamed on demand to and from the cloud. With NLE tools such as Adobe Premiere or DaVinci Resolve, workflows can remain the same, since data in the cloud is accessed no differently than data on a local disk.

Immutable Snapshots

Zero overhead

ICG is based on an advanced log-structured design: data is only ever appended and existing blocks are never overwritten in place, so preserving the entire Filespace at a point in time means recording the current position in the log rather than copying data. A snapshot is therefore instant and incurs no performance overhead.

Restore prior versions

These snapshots allow users to restore prior versions of either individual files or revert the entire Filespace to an earlier point. In addition, snapshots do not require a complete copy of all the data, but only what’s changed between two snapshots, resulting in very efficient space utilization.

Scheduling

Snapshot scheduling can be done in increments of minutes, hours, days, weeks, months, and/or years with retention for each tier individually configured.

Ransomware protection

Since the snapshots are immutable (read-only), they become your last line of defense against ransomware-type attacks. Even companies that had implemented seemingly rock-solid backup and DR plans have found all of their backup data encrypted by ransomware, leaving them to pay a significant ransom to get their data back. Immutable snapshots only help, of course, if their retention outlasts the attacker's dwell time and the credentials the ransomware runs with cannot delete snapshots or shorten the schedule, so keep snapshot administration separate from everyday user access.
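
The snapshot mechanics described in the "Zero overhead", "Restore prior versions", "Scheduling" and "Ransomware protection" sections above, as an added worked example. This is not ICG's code: it is a toy, in-memory log-structured store written for this page, and the file names, contents, timestamps and retention policy in it are all constructed. It shows why a snapshot of an append-only log costs nothing to take (it is just a log position), how a ransomware overwrite made with a user's own access leaves the earlier snapshot untouched, how restoring re-appends the old versions without destroying the log, and how tiered retention (four six-hourly plus three daily snapshots) decides what to keep.

```python
"""Toy log-structured store with immutable snapshots and tiered retention.

Added example; not ICG's code. Names, the retention policy and all data are
constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Snapshot:
    """A snapshot is immutable: just a name, a timestamp and a position in the log."""
    name: str
    taken_at: datetime
    log_position: int


class LogFilespace:
    """Append-only log of (path, content) records; old versions are never overwritten."""

    def __init__(self) -> None:
        self._log: List[Tuple[str, bytes]] = []
        self._snapshots: List[Snapshot] = []

    def write(self, path: str, content: bytes) -> None:
        self._log.append((path, content))  # a write appends a new version; nothing is destroyed

    def snapshot(self, name: str, taken_at: datetime) -> Snapshot:
        # Zero copy: the snapshot only records how far the log had grown at that instant.
        snap = Snapshot(name, taken_at, len(self._log))
        self._snapshots.append(snap)
        return snap

    def snapshot_names(self) -> List[str]:
        return [s.name for s in self._snapshots]

    def _view(self, log_position: int) -> Dict[str, bytes]:
        """Materialise the file tree as it was after the first `log_position` records."""
        state: Dict[str, bytes] = {}
        for path, content in self._log[:log_position]:
            state[path] = content
        return state

    def read(self, path: str, snapshot: Optional[Snapshot] = None) -> Optional[bytes]:
        position = snapshot.log_position if snapshot else len(self._log)
        return self._view(position).get(path)

    def restore(self, snapshot: Snapshot) -> None:
        """Revert the live tree to a snapshot by re-appending the old versions; the log stays intact."""
        for path, content in self._view(snapshot.log_position).items():
            self.write(path, content)

    def prune(self, now: datetime, policy: Dict[timedelta, int]) -> List[str]:
        """Tiered retention: for each (interval, count) keep the newest snapshot in each of
        the `count` most recent buckets of width `interval`. Returns the names dropped."""
        keep = set()
        for interval, buckets in policy.items():
            for k in range(buckets):
                newest = max(
                    (s for s in self._snapshots
                     if now - (k + 1) * interval < s.taken_at <= now - k * interval),
                    key=lambda s: s.taken_at, default=None)
                if newest is not None:
                    keep.add(newest.name)
        dropped = [s.name for s in self._snapshots if s.name not in keep]
        self._snapshots = [s for s in self._snapshots if s.name in keep]
        return dropped


def ransomware_demo() -> Tuple[Optional[bytes], Optional[bytes], Optional[bytes]]:
    """Ransomware overwrites a file with ciphertext; the earlier snapshot is untouched."""
    fs = LogFilespace()
    fs.write("finance/q1.xlsx", b"quarterly numbers")  # constructed content
    clean = fs.snapshot("hourly-0900", datetime(2024, 1, 1, 9, 0))
    fs.write("finance/q1.xlsx", b"\x8f\x1a...pay 10 BTC")  # overwrite made with the user's own access
    live_after_attack = fs.read("finance/q1.xlsx")
    in_snapshot = fs.read("finance/q1.xlsx", clean)
    fs.restore(clean)
    return live_after_attack, in_snapshot, fs.read("finance/q1.xlsx")


def retention_demo() -> Tuple[List[str], List[str]]:
    """Snapshots every 6 hours for three days, pruned to 4 six-hourly plus 3 daily (constructed)."""
    fs = LogFilespace()
    now = datetime(2024, 3, 1, 12, 0)
    for hours_ago in range(0, 72, 6):
        fs.snapshot(f"snap-{hours_ago:02d}h", now - timedelta(hours=hours_ago))
    dropped = fs.prune(now, {timedelta(hours=6): 4, timedelta(days=1): 3})
    return dropped, fs.snapshot_names()
```

Two design points carry over to a real deployment. Nothing in the store exposes a way to rewrite history: the only destructive operation is prune, which runs under the retention policy rather than under the user whose credentials the ransomware abused, which is exactly the separation the section above calls for. And because a snapshot is a log position rather than a copy, the cost of keeping many of them is the size of the changes between them, not a multiple of the data set.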

User access control

Easily shared

Filespaces can be easily shared across a large number of connected devices or users. Multiple users can concurrently access the same Filespace with each user having specific read-only, read-write, or no access at all to individual folders.

Fully encrypted

All data is encrypted with AES-256 in flight and at rest. Each Filespace entry has its own encryption key, so users can access only the folders shared with them and cannot decrypt other parts of the Filespace. User access control is OS-agnostic: the same user permissions apply equally across Windows, Linux and macOS.

Global file locking

ICG's global file locking gives applications the native support required for serializing access across multiple users. Teams can concurrently collaborate on shared projects, in the cloud from any location. Architects collaborating on a shared Autodesk Revit model can now work seamlessly as if they are collocated, without sacrificing performance.

Persistent caching and prefetching

ICG uses the local storage on each device to cache the most frequently accessed data and employs sophisticated prefetching techniques to dramatically improve performance when accessing data remotely. This is not to be confused with similar technologies that download entire files into a cache: ICG caches only the frequently accessed bits of data, not entire files.

Cloud IT Operations

ICG offers a holistic approach to IT operations, helping organisations take control of their infrastructure through advanced remote management services, from core infrastructure such as networks, servers and storage to edge devices, desktops, laptops, and the wide area networks that support branch office connectivity and remote work.

IT Operations Portal

IT Operations portal is your single pane of glass, to view support tickets, knowledge base, and reporting.

Network Discovery

Network discovery periodically scans your network to update your asset inventory, monitor device health and keep track of which devices are in the environment, identifying new or rogue devices.

Patch Management

Patch Management automates the scheduling of periodic patch updates and allows urgent, on-demand patching of zero-day and actively exploited vulnerabilities, as soon as a fix is available, for a single machine or a group of machines.

Remote Assist

Remote assist enables technicians to access servers and computers remotely in any location.

Warranty Lookups

Warranty lookups keep track of warranty expirations, identify expired devices and ensure your equipment always maintains current support.

Cloud Networks

ICG offers secure, enterprise-grade connectivity to improve productivity, and increase efficiency. Leveraging an industry leading wired and wireless network portfolio, ICG makes it easy to roll out new networks or regain control of existing ones.

Optimize Network Connections

Users waiting for files to transfer? A local network can easily be bottlenecked by aging switches, old cabling or dated architecture. ICG will optimise your network so users aren't waiting forever just to transfer a file of a few hundred MB.

Ensure Stability

ICG ensures your network is stable and your employees remain productive, between desks, floors and meeting rooms.

Enable Wireless Freedom

Gain the freedom from being desk bound, move between locations, without plugging in cables or "searching for that blue cord".

Secure Guest WiFi

Customize the logo, welcome message, registration, duration, terms and conditions to give your guests professional wireless access, without compromising your network security.

Start with a complimentary Discovery Session and Network Assessment from ICG's experts today.

Cloud Security

Managed in the cloud and powered by comprehensive vulnerability scanning technology that predicts which security issues to remediate first, ICG offers you a complete end-to-end vulnerability management solution.

Discover Threats

Active scanning, agents, passive monitoring, cloud connectors and CMDB integrations provide unified visibility and a continuous view of all of your assets—both known and previously unknown.

Assess Vulnerabilities

With coverage for more than 55,000 vulnerabilities, ICG leverages the industry’s most extensive CVE and security configuration support to help you understand all of your exposures.

Prioritize Remediation

Combine vulnerability data, threat intelligence and data science for easy-to-understand risk scores to quickly assess risk and know which vulnerabilities to fix first.
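
The prioritisation step described above, as an added worked example. This is not ICG's scoring model and makes no claim about how the product computes its scores: the findings, the threat-intelligence sets (standing in for an exploited-in-the-wild list and an exploit-probability feed), the weights and the SLA thresholds are all constructed for illustration. The point it makes is the one the section makes: ranking by CVSS alone puts a 9.8 on an isolated lab box first, while combining severity with exposure, business criticality and exploitation evidence puts a 7.5 on an Internet-facing crown-jewel system with a known exploit at the top.

```python
"""Risk-based vulnerability prioritisation.

Added example, not ICG's scoring model. The findings, the threat-intelligence
sets and the weights below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float            # CVSS v3 base score, 0.0 - 10.0
    internet_facing: bool  # exposure, taken from the asset inventory
    criticality: int       # business criticality of the asset, 1 (lab) .. 5 (crown jewels)


# Constructed stand-ins for threat-intelligence feeds: CVEs seen exploited in the wild,
# and a predicted probability of exploitation over the next 30 days (EPSS-style).
KNOWN_EXPLOITED: Set[str] = {"CVE-0000-0001", "CVE-0000-0004"}
EXPLOIT_PROBABILITY: Dict[str, float] = {"CVE-0000-0002": 0.02, "CVE-0000-0003": 0.60}


def risk_score(f: Finding) -> float:
    """Severity x exposure x business impact x exploit likelihood (assumed weights)."""
    exposure = 1.5 if f.internet_facing else 1.0
    impact = f.criticality / 5.0
    if f.cve in KNOWN_EXPLOITED:
        exploit = 2.0                       # confirmed exploitation trumps any prediction
    else:
        exploit = 1.0 + EXPLOIT_PROBABILITY.get(f.cve, 0.0)
    return round(f.cvss * exposure * impact * exploit, 2)


def remediation_tier(score: float) -> str:
    """Map a score to an SLA bucket; the thresholds are assumed, not ICG's."""
    if score >= 15:
        return "fix now"
    if score >= 8:
        return "fix this week"
    return "scheduled patch cycle"


def prioritise(findings: List[Finding]) -> List[Tuple[str, str, float, str]]:
    """Return (asset, cve, score, tier) rows, highest risk first."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.asset, f.cve, risk_score(f), remediation_tier(risk_score(f))) for f in ranked]


SAMPLE_FINDINGS = [  # constructed scan output
    Finding("lab-07", "CVE-0000-0002", 9.8, False, 1),
    Finding("web-01", "CVE-0000-0001", 7.5, True, 5),
    Finding("hr-laptop-13", "CVE-0000-0004", 5.3, True, 3),
    Finding("db-02", "CVE-0000-0003", 8.8, False, 5),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_FINDINGS):
        print(row)
```

In practice the two threat-intelligence inputs come from feeds that change daily, so the ranking has to be recomputed continuously rather than once per scan; a finding that was "scheduled patch cycle" last week moves to "fix now" the day its CVE appears on an exploited-in-the-wild list.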

Streamline Compliance Reporting

Stay compliant with immediate visibility into your compliance posture. Easily demonstrate adherence with predefined checks against industry standards and regulatory mandates.

Start with a Cyber Security Maturity Assessment (CSMA) from ICG's experts today.

Cloud Storage

ICG Storage as a Service (STaaS)

Get the enterprise-grade features you expect from a modern storage system: snapshots, high-availability, mirroring, dedicated resources, security, and more. Pay only for what you use with Storage as a Service (STaaS).

ICG STaaS is available on premises or in the cloud, pay-as-you-go: you pay only for what you use, without having to send your data to the cloud, while still benefiting from the OPEX pay-as-you-go model you have come to expect from the cloud. You can keep primary storage on-premises with replication and backup in the cloud, or keep it all on-premises and still pay only for what you use.

ICG STaaS provides all the advanced features you expect from enterprise storage, including Flash, Snaps, Replication, Block SAN, File NAS, S3 Object, IP and Fiber Channel, with the convenience and flexibility of ICG's pay-as-you-go managed service. You choose the capacity and performance requirements, then we ship you the gear and manage it via a combination of AI and ICG's expert engineers. Scale up and down at any time and pay only for what you use. How much does STaaS cost?

STaaS vs the Competition

Any data type. Any protocol.

Block, file and object storage. NFS, CIFS, FC, iSCSI and S3 protocols. Create a storage solution tailored to your needs, in the cloud or on premises. Scale up and down on demand with a highly available, multi-controller solution that supports all protocols, with no need for dedicated block, file or object arrays, and change your protocol support at any time on the fly.

Virtual Private Storage Arrays

Virtual Private Storage Arrays provide file, block and object services that transparently scale-up and scale-out, to optimize for dynamic requirements.

Scale up by adding compute, memory, or capacity resources to existing VPSAs. Scale out by adding new VPSAs to your on-premise ICG STaaS service.

Leverage a VPSA cluster for multiple mixed workloads from high performance databases, to virtualization, file sharing, and long-term backup retention. Pay only for what you use on a monthly basis.

Block Fiber Channel support is great for VMs and databases, native CIFS/SMB is great for consolidating Windows file servers and NAS appliances, and object storage is great for backups such as a Veeam Scale-Out Backup Repository (SOBR). A single VPSA cluster can mix resources for file, block and object without requiring physical nodes for each protocol.

All Virtual Private Storage Arrays eliminate single points-of-failure and are provisioned with dedicated resources to ensure high availability and predictable performance while maximizing privacy and security.

All-Flash VPSAs

ICG All-Flash VPSAs are ideal for applications and use cases that demand very high sustained performance at a compelling price point. Unlike storage offerings from leading cloud service providers, ICG All-Flash VPSAs put the control, benefits, and economics of combining all-flash performance with data reduction directly into the hands of users.

Hybrid VPSAs

Hybrid VPSAs provide large scale hard disk-based capacity with 10TB and 14TB drives. Optionally, Hybrid VPSAs can utilize solid state disks (SSDs) as an adjustable “flash cache” to accelerate storage performance. Flash and HDD hybrid configurations deliver an optimum balance of performance and economics for many applications. Maximize capacity and tune performance to align with application requirements.

Get an overview of the ICG VPSA architecture that enables on-premise Storage as a Service (STaaS).

Enterprise-class SAN & NAS features.

ICG STaaS offers enterprise-class features, including snapshots, replication, multi-zone high availability, online volume migration, thin provisioning, NFS and CIFS, with support for hidden shares for greater control over network access. Active Directory integration means you can manage the NAS volumes from ICG STaaS just like any Windows file server.

Adjust, optimize, control. Web management interface.

Adjust your storage mix and protocols as needed, using a GUI and REST API. Adjust processor performance, the quantity and types of drives (SSD, SAS, NL-SAS), and the level of data protection (RAID 1, 5, 6, 10) at any time. Graphical performance logging allows you to oversee and optimize application performance.

Choose your drive types, flash cache or all-flash.

ICG STaaS allows you to select your drive type mix from SSD, SAS, NL-SAS, NVMe Cache and RAID levels to fit your requirements. You can go all-in with all-flash, select a hybrid mix with flash cache or build a cold tier for backup and archive with NL-SAS.

Dedicated resources. Secure encryption.

ICG STaaS is built with security in mind. Your data is stored on dedicated hardware on your premises or in the cloud, and protected with in-flight and at-rest encryption. You manage your security and encryption keys, so only you control access to your data.

Data Protection

Learn how ICG STaaS enables data protection with snapshots, replication and high availability.

Expert Management 24/7

Free your IT team from ongoing maintenance. ICG delivers 24/7 live proactive monitoring, notifications and support, with seamless non-disruptive hardware and software upgrades, backed by our 100%-uptime SLA.

Pay-as-you-go pricing.

ICG delivers all the power of enterprise storage without the complexity. Free up resources for strategic initiatives with a fully managed, pay-only-for-what-you-use model that reduces your costs and management burden. Get more for less. No big up-front costs. No commitments required. No more storage upgrades, replacements or migrations. Use ICG for an hour, a month, a year or forever, and get the same low-cost, high-touch service.

Learn more about ICG Storage as a Service (STaaS), start with a complimentary Discovery Session and Storage Assessment from ICG's experts.

Contact ICG International Helpdesk

Contact our experts 24 hours a day, 7 days a week.