How SASE can help you move securely from the PSN

Watch our free, one hour recorded webinar below and learn more about SASE and how it can help you move securely from the PSN.

Here's a transcript of the webinar:

Chris Howarth:

That's great. Thank you guys. I think what we'll do is we will just give it one or two minutes for the rest of the registrants to join. It looks like actually there's more coming through, I think. Yeah. That's correct. So first and foremost, thank you to all those that can join actually on time, much appreciated. We'll just give it one or two more minutes if that's okay. Morning, Mark. Thanks for the message. Good to hear from you. The usual cutoff time is 10:33, so we've got about another 90 seconds or something. Okay guys. Without further ado, I think we will crack on. So Neil, if you're okay to share the slides, please, that will be great.

Neil Camden:

There we go.

Chris Howarth:

Cool. So let's get straight in there. So as you can see, the topic of today's webinar is how SASE can help you move securely from the PSN. In terms, first and foremost, of introductions, my name is Chris Howarth, and I am the local government specialist at VMware for the Northern region. My colleague unfortunately can't make it today because he's only been at VMware for two months and he's actually going through lots and lots of virtual online training, but his name is Glen McMichael, and he's a local government specialist based down South. Both of us come from public sector backgrounds with vast experience across public sector, but specifically into local government.

Chris Howarth:

So after this, if you've got any questions, please reach out to either of us or via Breeze Networks, and we will, of course, be happy to help you. We've, of course, got Neil Camden, who is the solutions architect at Breeze Networks, but I will let Neil talk a bit more about himself and obviously Breeze Networks at the same time. Just before we move on to the next slide, I also wanted to make a point about VMware's strategy into local governments. So some of you may or may not be aware, but local government hasn't necessarily been a big focus for VMware in the past, and that is absolutely changing.

Chris Howarth:

So I've been at VMware now seven months and I'm already building out a strategy in terms of what we are going to be doing in 2021, and our SASE and SD-WAN solution is one of the solutions which is a big part of that. Many councils still know us as those traditional virtualised products such as vSphere, vSensor, and one of the big jobs that we have on our hands is to educate our customers in terms of our portfolio and how wide that is.

Chris Howarth:

One other thing that we're doing is working closely with Socitm, so for some of you that are attending the webinar today, you may well have been invited by Socitm, because they have been helping us drive attendance to this. Next year we will be attending 10 regional Socitm events, where we will be headline speaking at many of those, again, based on the fact that we want to get the message out there on exactly what VMware does, but we also want to understand which of those solutions resonate in local government, so that we can help you and support you as much as possible moving forward, especially during these difficult times. We know local government are always on austerity measures and always have budget restraints, but definitely more so at this time.

Chris Howarth:

So I just wanted to cover that off initially before we now move on to the next slide, where we cover the agenda for today's webinar. So, this part of the slide for myself is very simple, and it's just basically going through the bullet points. So first and foremost, why move from the PSN? I think you've maybe just moved ahead one slide there, Neil, if that's okay. Thanks for that. And one thing that Neil will be covering is what exactly is SASE, also SD-WAN, which we've seen more and more often is actually part of SASE, and it's just linking those two together and understanding that.

Chris Howarth:

Security is a big part of everybody now, especially in terms of councils. We all know, and I won't name the actual council, but we know the one in the London borough recently, which was hacked, and I understand is still weeks down the line undergoing problems. Now, as part of VMware's whole portfolio, we have something called intrinsic security, which means that security is actually baked into every single one of our products, rather than just having one single security product, which we do have, we have security that's baked into every single product, and we call that intrinsic security, and that's also part of SASE as well. And finally, Neil will be covering Secure User Access as part of SASE.

Chris Howarth:

And so that just now leads us nicely on to the next slide, and this slide mainly covers... It covers SD-WAN as our VMware solution, but before getting on to that, the reason why VMware have such a vast portfolio now is because over the last number of years, whether it's five, six or seven years, but particularly in the last two or three years, we have made some really, really clever acquisitions, and one of those has been our SD-WAN solution.

Chris Howarth:

Now, one thing that we don't make a big point of is actually talking about brand names and technology names, but our SD-WAN solution is called VeloCloud, and in the Gartner Magic Quadrant there, you will see that VMware is in the top right hand corner as the leader, as part of this solution. So as you can see at the top of the slide, VMware's solution is positioned as a leader in the 2020 Gartner Magic Quadrant for WAN Edge Infrastructure. So it's got a lot of credibility, and again, kudos to VMware for identifying that product and making an acquisition for it. In terms of those three things to cover off, it's recognised as a leader, as I've said, but not only just for now, but for the third consecutive year, and it's positioned highest in its ability to execute, and it's placed furthest for completeness of vision.

Chris Howarth:

There's lots of small print there, which we've had to include just because Gartner have made us do that, and so we're not going to cover that, but hopefully that gives you some confidence in the actual solution itself. And that's my easy bit done, and so now I'll hand over to what's most important and what most of you are probably most interested in, which is the technical aspects of this webinar, and on that I will hand over to yourself, Neil.

Neil Camden:

Thank you, Chris. Yeah. So I'm Neil Camden, solutions architect here at Breeze Networks. As Chris says, we're one of the leading UK VMware SD-WAN VeloCloud partners; we've rolled out a lot of VMware SD-WAN solutions already in the UK, in public sector, private sector, and globally as well. We're essentially a managed service provider, but we pride ourselves in being incredibly flexible. We can provide a fully managed service, a co-managed service, or complete self-service solutions. We're not precious about keeping ownership of all of that management, and some of this SASE and SD-WAN technology that we're going to talk about enables us to do that in a really nice, easy way. We're an independent connectivity aggregator, and that's important as we'll see later on. It means that we can provide the underlying physical connectivity for your network from pretty much any network provider out there.

Neil Camden:

We can go to the big boys to get your BTs, your Verizons, your Virgins, and we can use the old bespoke, local broadband companies. We can mix in the 4G, 5G providers, we can mix and match and ensure we put the best connectivity into a network for your sites and the technologies and the applications that you're using. As I say, we've delivered these solutions to many, many public sector customers already. So why move from the PSN? The PSN is... It's been in place for a while. A lot of you will be on it, possibly all of you. We're not here to bash the PSN. Pretty much all of us within Breeze have come from some sort of public sector background, providing things like this WAN network and working with GDS and working on PSN solutions. So it's absolutely still a fit for purpose technology out there, and a lot of you will be using it, and a lot of you will be having no issues with it.

Neil Camden:

There are some technical reasons why the PSN is starting to look a little bit outdated. GDS themselves are suggesting that the PSN could close as early as 2023. They've been recommending for a while that you use public cloud services where you can, and I'm sure the majority of you will have moved your Exchange servers out from your data centres and are using Microsoft 365, Azure, AWS, Google Cloud; all these ways of running your apps have been going for quite a while now. What GDS are now recommending is that you start using the internet to reach those public cloud services and reduce your reliance on the PSN. That's possible because the quality of internet is now so much better than it was just a few years ago, particularly in the UK. We have a very robust internet infrastructure in the UK.

Neil Camden:

Some of the other rollouts of fibre down in places like Cornwall have provided excellent connectivity where it just wasn't available in the past. And if you combine that with some of the security aspects of SD-WANs and SASE solutions, for example, we can run very modern, efficient encryption over the top of IPSec links and over TLS connections. So, a VMware SD-WAN solution can be demonstrably secure, and that's important. You can make a solution secure, but it's important you can demonstrate you're secure for compliance and for governance, which you guys will all be familiar with, I'm sure.

Neil Camden:

As an example, the VMware solution already fulfils the NCSC's Foundation encryption profile and the VMware product guys are working very closely with the NCSC to get it to support the PRIME profile, which is the next iteration of encryption making it even more secure, and very soon that's going to be available as well. So it enables people like some of the police services and the Blue Light Services to run these solutions, and as Breeze, we've deployed into a very major central government department, several local governments, and let's say some Blue Light Services. We're not allowed to share the names here on this public forum, but we absolutely have case studies, we have references, we have CIOs and directors within some of these organisations who are more than happy to talk to people on a one-to-one basis if you want to understand some of the challenges that people have overcome to get to where they are now, running, in one case, thousands of edge devices on a VMware SD-WAN.

Neil Camden:

So compliance, really important. The nice thing about being on PSN and one of the selling points of PSN is, it's all bundled up together and the PSN and GDS and NCSC all do a lot of the governance and the due diligence on there to be able to deliver you a solution that is compliant. And that's one of the really nice things about PSN. When you move off the PSN, it becomes the customer's responsibility to be compliant and to have that security in place and to demonstrate you're putting it in place. Between customers, us at Breeze and VMware, we work all together with the NCSC, with GDS, to ensure that what we're doing is compliant. Things like NCSC's Cloud Security Principles we adhere to. I noticed in the last few weeks, months, they've updated their zero trust principles framework from alpha to beta, so they're thinking about modern ways of networking, zero trust networking, which is a fairly modern concept, which we'll come onto in a minute.

Neil Camden:

So we're all working together to ensure that as Breeze and VMware, we can deliver you a compliant solution. Some of the badges you'd expect to see from us are ISO 27001. As Breeze, we have our Cyber Essentials stamp, VMware Cyber Essentials Plus, SOC 2, PCI, all the sort of badges you'd expect to be there, and we can quite happily and confidently run things like a PCI network alongside customer and public networks, keeping it all secure and compliant.

Neil Camden:

I'm going to try and keep this whole presentation fairly high-level and out of the technical weeds, but just the nature of what we're talking about means we have to go into a little bit of technical detail. I've just got a couple of slides explaining how we got here, how the PSN has been working, where it's going now and why it may not be quite fit for purpose anymore. So PSN is essentially a large MPLS network provided by just a handful of MPLS providers who work together to provide a secure private network. The traditional way is all your sites are connected to that private network, when you're active in a private data centre, everything's kept private, secure, and trusted. It's sort of a castle-and-moat model. Everything within your perimeter, you trust; everything outside is untrusted.

Neil Camden:

You have a central firewall, and when you need to break out to the internet, you'd go through that central firewall. And that's the way things have worked for a long time. What's happened over the last few years? Applications are starting to move out into the Cloud. The Cloud First strategy has helped that to work, and let's say a lot of you, if not all of you, will be using some sort of Cloud application these days. So you find you're accessing applications that are outside of that trusted boundary of your network. Internet connectivity is a lot cheaper and sometimes a lot more available than MPLS connectivity. So if you're accessing applications that are on the internet, it makes sense sometimes to break out locally from your branches to get to those internet sites where there are internet-hosted apps.

Neil Camden:

That's great, but it does require a firewall at each site. So it just becomes a little bit more complex, a little bit harder to manage, multiple vendors potentially, and a complex network. All still fit for purpose, all still works, and it's probably what a lot of you guys are doing now. Maybe using your MPLS network as a primary, failing over to a secondary internet connection, which works, but maybe not the best use of the connectivity that you've got in place.

Neil Camden:

What's happening now, and even more so accelerated in the last few months through the coronavirus pandemic, is now your users are moving out of your offices. A lot of people are being sent home to work from home, there's people working from other department buildings, sharing going on amongst public sector departments. We found that with the austerity, people are starting to share services so different councils may share services with each other. So you're accessing even more things that are off of your network, and your users that are accessing them are often off the network as well. And these aren't just users at home going in and getting email every now and again, sometimes entire call centres are staffed from homeworkers. So having that connectivity from home becomes even more important. It needs to be secure, it needs to be good quality to run unified comms applications and voice.

Neil Camden:

So what you've got now, you've got users who are on the internet, accessing applications that are on the internet, but in order to keep those two ends secure, you're having to backhaul all that traffic through your central firewalls and then back out again. So again, technically it works, but it just becomes inefficient, harder to manage, and these centralised models really just start to not make sense anymore. So hopefully that all rings true for everyone, and I'd imagine this is the sort of infrastructure you guys have. And for some people it'll be working great still, and some of you will be struggling with scaling this sort of infrastructure, with these changes that have happened so quickly.

Neil Camden:

So, SASE, what is it? So it's a term defined by Gartner about a year ago, late 2019, and it's Secure Access Service Edge. It converges cloud networking and cloud security to deliver flexibility, agility, security, and scale for enterprises of all sizes. What does that really mean? What we found is networking and security, starting on the outside of this diagram, have evolved inwards to the middle. Private WANs on the networking side have evolved into SD-WANs and cloud connectivity; firewalls and stacks of applications and appliances in your data centres have evolved into cloud firewalls, data loss prevention, CASB, all these cloud services, everything now being delivered as a service.

Neil Camden:

And what Gartner identified is that some of the networking as-a-service offerings were jarring a bit with some of the security as-a-service offerings. They're talking different languages, they're trying to do different things, not talking the same language, and it's becoming very complicated for the end users to digest what's out there. So what SASE aims to do is to bring together that networking as-a-service and the security as-a-service and offer this SASE service, which incorporates all of those in one. So it's not a technology, it's not a silver bullet that's going to fix everything, it's a way of bringing various different functions and services and products together in a framework that makes sense and where everyone can talk the same language. It allows people to build APIs between systems and things like that just to make everything very, very cohesive.

Neil Camden:

There's a few components that make up SASE. Essentially SD-WAN, security and Secure User Access. So I'll talk through those in a few sections here. The majority of this is going to be about SD-WAN, and again, apologies if it gets a bit too technical, it is a technical subject. I'm going to try and keep it as high-level as possible. As an architect, I tend to get down into the technical weeds a bit too easily, so I'll try and keep it light for you. So what SD-WAN is, is software defined WAN. With a legacy network, you'd buy an MPLS network from a provider and you'd have a router on the end of that, and that router is a piece of hardware that does routing. That's all it does. It has software built into it, maybe a Cisco device, maybe a Juniper device. It has software that just does routing, very bespoke, proprietary software for that company that has to be in that hardware. SD-WAN splits that software function from the hardware function and allows you to put in flexible hardware, and then run the same software on top of multiple different types of hardware.

Neil Camden:

So your edge device, whereas it was previously a router, could now be an edge appliance, which effectively looks like a router and is a router, plugs into your network, be that broadband or MPLS, or even 4G, 5G mobile, and then the software that runs on top of that is detached from the hardware. What that means is that you can run a hardware appliance, you can run a virtual appliance in a virtual server, you can run a PC as a router, you can use an AMI to build a cloud edge device in AWS, and you get consistent software and a consistent architecture across all of these edge devices. That's essentially what an SD-WAN is.

Neil Camden:

One of the major benefits and features of that is that edge flexibility, edge device flexibility. You also end up with a single central orchestrator, which is the central point from which all the configuration is sent out, because it's standardised software on every edge device. You can have a single config or a config per site type and you press go, and that configuration is sent out to all of the sites that need that configuration. It allows for zero touch provisioning. You don't need to send an engineer out to configure a router on site, you can send a brand new out of the box router to a site, plug it in, and it will get self-configured from the central orchestrator. So it makes management and implementation much simpler. If you need to make a config change across your entire infrastructure, you can. It takes seconds rather than potentially days, and that works for networking, routing and also security and user VPN, which we'll come onto in a minute.

Neil Camden:

One of the other big benefits of an SD-WAN, which is often overlooked, is the ability to split the overlay network from the underlay network. Those are terms that we use a lot at Breeze. The underlay network is how you physically connect your sites. It could be broadband, could be a leased line, it could be an MPLS network, could be the PSN, it could be mobile connectivity, but what you can do is you can plug in your edge devices, or run your edge devices if they're a virtual device, on top of any underlay network you like. So what that means is you get a massive amount of flexibility in what your underlay network is.

Neil Camden:

As an example, you could put an SD-WAN network on top of a PSN network. It makes it very easy for things like proof of concepts, makes it very easy for the implementation of these networks, because we can overlay a new SD-WAN on top of a network and slowly pull out the MPLS connectivity from underneath and replace it with cheaper broadband, for example, as MPLS comes to end of contract. There may be some sites that need to stay on MPLS because they need that quality of connection. And they need [QoS 00:23:46] and they need guaranteed SLAs across the link, and that's fine and SD-WAN will work fine. And the technology allows for that underlay to be completely separate.

Neil Camden:

Some of the largest service providers won't, so be careful if you buy an SD-WAN from a large service provider, you may get an SD-WAN, but the underlay will be entirely their infrastructure. And that's fine, it'll work, but it doesn't give you that flexibility of choosing different underlay vendors, and in our experience, that's what gives an SD-WAN solution the flexibility and the agility, and also enables a lot of the cost savings, which we'll come onto in a couple of slides along.

Neil Camden:

So pretty much any SD-WAN will give you all those benefits. You end up with an encrypted overlay network between all your sites; as we said, it's intrinsically secure. Most SD-WAN vendors will provide an intrinsically secure SD-WAN. All the connectivity between all your edges will be encrypted, normally with some sort of TLS, SSL type encryption. One of the USPs of VMware SD-WAN is VMware have this infrastructure across the globe of about 2500 cloud gateways.

Neil Camden:

And what these are, these are virtual points of presence all over the world, often in large internet exchange data centres, places like Equinix, places like the London Internet Exchange, the AWS and the Azure data centres. So what it means is that when you break out of the SD-WAN from your branches, you can break out as close to those cloud providers as possible, and that's one of the recommendations that Microsoft have, for example, that you break out of your network as close to the front door of Microsoft 365 as you can. Using these VMware gateways, we can route your traffic to the gateway that's nearest to Microsoft and then break out, so you only have a very little last mile to get to Microsoft.

Neil Camden:

So you're effectively accessing Microsoft or AWS services over the internet, and you're getting the benefit of things like dynamic multi-path optimisation, which is a VMware term for choosing which applications use which routes and which circuits. So where in the old days you had active/standby links, an SD-WAN will understand all of the links you have in place and that are available to it, all the applications that are in use on your network, and will pass certain applications over certain routes, so you may have a UC application that has to have a certain latency. The edge devices will constantly check the application and see what the performance of that application is through to its end point. If that drops below a certain latency, for example, you swing that traffic over and use a different circuit. So it's very dynamic, it's application-based routing as opposed to site-based routing, which is the old way of working.

Neil Camden:

Hope that all makes sense. That's probably the most technical slide we've got here, and just another way of showing that is this is what an end solution might look like. You've got your data centre, you've got your cloud data centres, Office 365 all plugged in, you've got branches, some that may be on MPLS, some that may be on internet, you've got homeworkers that are connected via internet, and if you've got key homeworkers running on a call centre, for example, it might make sense to put a small VMware SD-WAN appliance on their site, like a little small home router, to give them that same quality of connectivity as if they're in the office.

Neil Camden:

You can have an abundance of internet providers connecting in. It doesn't matter what their underlay connection is, the overlay network is going to give you the quality of applications that you would expect from an MPLS provider. Like I said, be careful, this isn't a silver bullet; if you've got an appalling quality single internet connection underlying it, the SD-WAN isn't necessarily going to be able to fix that. If you've got an area that has no connectivity, it's not going to be able to fix that. So be careful with some of the marketing you read out there suggesting you can rip out all your MPLS networks and replace them with SD-WAN. That might be true, but in our experience, MPLS still has a place in the underlay network; we just think it's important that you pick and choose that MPLS for where it's needed rather than just blanket it everywhere.

Neil Camden:

Just a quick mention, one slide here, of Microsoft. So VMware are one of just a handful of SD-WAN partners that are working closely with Microsoft on their connectivity principles. If you're a Microsoft house, you'll probably be aware of these. Essentially what Microsoft wants you to do is identify the Microsoft 365 traffic on your network and egress it out of your network as close to Microsoft as you can. Like I was explaining, what the VMware cloud gateways allow you to do is that, and all controlled, again, from that central controller. There are things like APIs between the Microsoft controllers and the VMware controllers, so your SD-WAN network will automatically learn what your VNets are within your Azure data centre, for example, and that routing gets populated into your SD-WAN. So there's a lot of synergy there between the various technologies, and it's really important that you choose a vendor who is part of this Microsoft connectivity partnership, because without that, you won't necessarily get the optimal performance of your Microsoft apps.

Neil Camden:

So just to summarise the benefits of SD-WAN, there are four main benefits that you'll see for most SD-WANs. Improved performance: again, you have to configure and design the network properly to get improved performance. If you've got a well-designed, well-run MPLS network, you'll be getting good performance anyway. To get improved performance out of an SD-WAN, you need to make sure you're identifying all the applications that are in use, and that's something that we would do with you as part of the implementation and the design: what applications are being used, which applications are critical to you, which ones can fail over to the internet, which ones perhaps for security or governance aren't allowed to go to the internet, and based on where your applications are, you prioritise them and you prioritise the paths they can use. And if it's done properly, absolutely you'll get improved performance for all of your apps.

Neil Camden:

Central management. I mentioned you get this central orchestrator, which allows you to manage everything outwards, almost zero touch provisioning, which absolutely minimises the amount of support and the engineering you need out on site with physical routers. If a router dies, you send a new router out and it's all done centrally. As I said, that data flows back into the orchestrator for you to see and monitor and manage what's going on, so it allows us as Breeze to give access, for example, to the end customer, to run your own reports, to see real time reporting, to get real time alerts on what's going on in the SD-WAN. We believe absolutely in transparency and using that central management for the customer's benefit, and not just our benefit.

Neil Camden:

Some of the bigger providers, let's say, will sell you an SD-WAN, but then your only access to see what's going on on that SD-WAN will be through their own portal. And so, we give access to the VMware orchestrator. We let you do all your own reporting, all your own management. If you want to run your own configuration changes, we'll allow that, and we'll build a contract and a solution that allows you to do however much or little management of the SD-WAN as you want. We'll run the whole thing for you if you want, or we'll install it and let you run it, if you want to do it that way as well, and we've done them both ways within public sector in the last year.

Neil Camden:

Increased security. Again, as Chris said, it's intrinsic to the VMware product. The way we integrate with third party Cloud partners, everything's encrypted, and so we're dealing a lot with the NCSC in ensuring the product adheres to all the encryption protocols that have been put in place, so absolutely secure, and also secure access to your edge users. Once you have users with laptops and with clients coming in, it improves the security to them as well. SASE extends that even further, which we'll come onto in a few slides' time.

Neil Camden:

Reduced costs: like I've alluded to, an SD-WAN absolutely can help you reduce your costs. It won't automatically do it. It requires thought, careful design, but our belief is that the way you reduce your cost is by getting rid of those large edge devices and those large long-term contracts where the provider's trying to get a good ROI on all the core infrastructure they put in place. That's where the cost savings come. Ultimately, if your applications are running more efficiently, you're going to be saving costs in terms of the time you use and the efficiency of your end users, all those softer costs as well.

Neil Camden:

Couple more benefits that you don't often see on [inaudible 00:32:12] most of the slides. These are ones that us as Breeze think are really important. I think I've highlighted the benefits of having an agnostic underlay layer, that frees you up to be really agile as to the design of your network, and also allows you to make those cost savings, and integration, the ability to integrate with Office 365, Microsoft 365, Azure, other local government partners and services, and also makes the implementation much, much simpler because we can overlay it all on top of whatever network you have, even bring your own network. If you came to Breeze and said, "We want to run an SD-WAN, but we have to keep this underlying network in place", we're fine with that as a model. Anything counts and anything goes in terms of putting the parts of this solution together.

Neil Camden:

So on to security. Security is an interesting one. So there is inherent security in an SD-WAN, I think we've covered; save the details of that for another day, if you want to get into a bit more detail. Every organisation will have some sort of firewall technology, and traditionally that's in the centre of your network. It may be a Cisco firewall, maybe Checkpoint, Fortinet, Palo Alto; these guys are often centralised, or more these days being virtualised and even being moved up to the Cloud.

 

Neil Camden:

But the way you can build that firewall function into an SD-WAN, the simplest way is it's built into the SD-WAN edge already. So because these edge devices are running software, the routing software was there from day one. They also have built-in stateful firewall software. So very simply we can configure stateful firewall rules on all your edge devices and control what people are allowed to get to from each edge site, each branch site, what they're not allowed to get to, to protect them from incoming nasties, and again, all controlled centrally from that controller, so you don't have a separate security vendor to your network.

Neil Camden:

It's very cohesive. It all comes together, really, really simple to operate, and the reporting that comes back is all in that same central single pane of glass. So you can see who's trying to get to websites they shouldn't be going to, et cetera, et cetera. It's a fundamental firewall feature, but it's there if you just need the basics. If you've invested in something like Checkpoint, Palo Alto or Fortinet, those guys also provide their firewall functionality as a software package. So we can build that into the edge devices, in what's called NFV, Network Function Virtualization, because it's just running as software, so you can build it in there as well. So if you're looking for an SD-WAN solution, but you've got four years left on a firewall vendor, we can incorporate that into an SD-WAN solution.

Neil Camden:

The more modern way of providing security is to use Cloud security providers. So Zscaler, iboss, Symantec, you may have heard of these guys, some of you may be using them. The way that works is that old castle-and-moat idea. Everything that you have inside your network is trusted, the same theory as that, but your trusted network becomes your SD-WAN. Everything within the SD-WAN is controlled by you, you know the applications that are running and you know where everyone is. When you want to break out of your SD-WAN, you send your traffic that's destined for the internet to one of these guys, they run it through all of their various engines for IDS, IPS, software, remote browser integration and all the clever things that can be done, CASB, all the suite of security products that are out there, and they run those for you and off to the internet, and it comes back in.

Neil Camden:

So VMware, for example, partner very closely with Zscaler, and there's a great partnership there, there are APIs that work between the two solutions, and that's where some of the SASE stuff has come from, to bring vendors like that together, which leads on to the natural evolution of that, a SASE solution, where your SD-WAN vendor provides those cloud security products, and we're coming to the point with VMware now. I think it's on the roadmap for Q1 for next year where those cloud services, CASB, IBS, sandboxing in the cloud, your cloud firewalls, can all be done within the VMware cloud without breaking out of that single environment, which again gives you that single pane of glass to see what's going on in your network and in your security model.

Neil Camden:

Another aspect of security is network segmentation. A bit of a boring one. There's just one quick slide, but it's important. People have been running VLANs forever, keeping all their different departments in separate VLANs to keep them secure from each other, keep them logically separate, and historically you'd need to run an MPLS to be able to keep those secure across the WAN. The technology such as the VRFs allows you to run those VLANs effectively across from one site to the other. And those sites, those networks in VLANs and VRFs, never touch each other. They're kept completely separate. And it hasn't been possible to do that, of course, on the internet in the past; once you get on the internet, everything mixes together. You can put IPsec tunnels in, but it becomes very hard work, very high overhead, difficult to manage.

Neil Camden:

The way the market's gone in the last few years is instead of segmentation, it's going to micro-segmentation, which essentially is every application has its own channel, and even sub-applications. In fact, Facebook is one segment, Facebook posting is another segment. So you can really break down into tiny little segments, and it becomes, rather than segmentation, it's called ZTNA, so Zero Trust Network Access. Essentially you know where your applications are, you know where your users are and you define carefully which users are allowed to access which applications. And it gives you a very, very granular control of how the traffic goes across the network. That sort of technology has been around for a while in things like VMware's NSX products, which until then were virtual networking, their virtual firewall platform. What's happened now is that that technology has moved out into the SD-WAN.

Neil Camden:

So now an SD-WAN overlay, which is already secure, allows you to micro-segment all your traffic across it. So you can have PCI applications that only people within finance can see. For example, you can have time of day rules, business rules in place, so that if it's after 10 o'clock at night, you wouldn't want your finance people accessing PCI because that's not their working hours. You may have people allowed to access a finance database, but if they're on a public wifi network, they're not allowed to. So very, very granular rules as to how you can segment your network, arguably more in depth, more granular and easier to use now than it was on MPLS. But it's only recently that technology in the SD-WAN and the SASE technology that's really allowing that to work.

 

Neil Camden:

The last part of a SASE solution is Secure User Access. Effectively what you probably know as VPN or user VPN access. The legacy way of doing it is you build a VPN concentrator that may be a server, may be a firewall, you may have a pair of them, you may have a distributor, they tend to be in your data centres and your users have a VPN client, and they come back into your network. That's being changed now, the terminology, to Zero Trust Network Access, same as in the previous slide. So you know exactly who your users are, what time of day it is, what they're trying to access, how many times have they tried to access it. This granularity is now built in and it's become much more evolved than just VPN access.

Neil Camden:

So let's say you've put in a nice secure VMware SD-WAN solution, stop there, where your branches are all fully meshed together, you can access all your data centres and your Cloud environment all securely by these Cloud gateways. How do you bring your remote users in, whether they're working from home, working in a coffee shop or in another department? As I say, the traditional way is you bring them into your data centre into a concentrator. And I know from talking to one of our public sector customers in Scotland, he was saying that they've had to do that. They had to pump up their hardware, they had to buy new licences, they had to put new bandwidth in, but they were able to take that big influx of home users over the last few months because of COVID, and they were quite proud of the fact that they've managed to flex their environment to do that, but it had taken a lot of effort and a lot of time.

Neil Camden:

The more modern way of doing that is you build your concentrators in the Cloud. We build it in Azure, AWS or Google, you've got that infinite bandwidth in theory, you've got infinite compute power, you can automatically flex up and down to the size that's needed. So that fixes that problem of scalability. What it does mean is you're still pulling everyone back to a central location to then potentially break back out to wherever they need to go, so it's not optimal.

Neil Camden:

That's where the VMware SASE solution, the Secure User Access, comes in. Where we've got these gateways in the middle of the network that were already being used for the SD-WAN, you can allow your users to remotely connect in via client or even clientless, it's coming soon, into a local gateway. So they are not going into a single location. They're not going into a single server or a pair of servers. They will go into a VMware owned and managed infrastructure. So that's scaled by VMware, you don't have to worry about whether those gateways have the right amount of scaling or size or bandwidth, and once those users are on the network, they are effectively part of that security, where they have the same business rules, they can have the same security, the network recognises the same applications that those users are using, and in effect they become a seamless part of an SD-WAN solution.

Neil Camden:

So just back to what is SASE, to pull that all together. I've shown you this slide already. Hopefully now you can see where the different parts of this come together. Yeah. Your SD-WAN, your cloud security functions and your user access all coming together. Traditionally you'd buy those three functions potentially from three different vendors, three different service providers. You'd have a concentrator, might be a Cisco concentrator, might be a server, might be a Microsoft server. Your network might be anything, VMware, [peak 00:42:15] Cisco, whatever, and then your security service would come from someone else. SASE brings that all together and allows you to buy all those services from a single provider. Just to show the way that VMware do that, where I've talked about these cloud gateways that are in place and have been in place for quite a while now for the SD-WAN, what VMware have done is they've built out those [pops 00:42:37] in those gateways to run all these functions.

Neil Camden:

So VMware has been running SD-WAN for many, many years under the VeloCloud name, so that bottom left part of the picture has been in place for quite a long time and is well used. And we use it and our customers are using it, some 2500 PoPs out there that are in use for the SD-WAN aspect. What they've done is built in the Secure Access Service, which they've also been running for years as an on-prem service on VMware servers. They've moved that into these controllers, and also the cloud security and the NSX firewalling functionality. So all these security and networking functionalities that we've talked through today are all in these gateways. So it allows VMware to provide a SASE solution from existing infrastructure. That's being expanded and evolving.

Neil Camden:

What you'll find is, in the world of SASE, there are network-only vendors that are coming to SASE and trying to incorporate security, which is really hard to do, but can be done. And it's often done through partnerships, some of which work really well and some don't. You have a lot of security vendors that are coming into SASE and trying to incorporate a network solution, a network offering, and that's really hard to do because you can't just build a network overnight, whereas VMware, maybe a few steps ahead of a lot of the vendors out there, isn't it? This infrastructure is already in place and well used and trusted by lots and lots of customers already. So a couple of these functions, some of the cloud security things like the CASB, the IDS/IPS, are early next year roadmap, but they're still going to be considered to be ahead of a lot of the other vendors out there that you find, particularly the security guys. They're struggling to build some sort of network infrastructure behind what they do as security.

Neil Camden:

Just a slide from VMware showing, I guess, the reach of their infrastructure already. They're in the sort of data centres you'd expect them to be in, everything fully accredited and managed by VMware. You don't have to worry about that at all. They're global, many, many regions, availability zones, lots of these are built with AWS, some of them with Azure, some of them with Equinix, and I think there are over 2500 of these gateways in place now. Now for you guys, us being based in the UK, you may say, "Well, that's all well and good. How does that help me in the UK, or even lower than that", down into little small regions. "If I'm in Cornwall, how does that help me, having all these data centres all over the world", but what it does allow us to do, what VMware allow the likes of Breeze to do, is to build a hosted service provider gateway.

Neil Camden:

So we could, for example, design a solution where we build these gateways in your environment. In and around Cornwall, in and around Manchester, in and around Glasgow, for example, so all your users are using local connectivity, and they're not being [inaudible 00:45:24] all the way down to London or, if it's Dublin, or even to Manchester. You can keep that very local. I believe VMware is pretty much unique in that ability. Certainly others are talking about doing it, but because this gateway product and service has been there for a while, it now allows them to evolve into these more local builds and allow partners such as Breeze to build these ourselves. Really, really useful for local government and keeping everything local, or for compliance if you don't want your traffic to go out of your specific geographic area.

Neil Camden:

I'll just finish off with benefits of SASE solution from VMware. They're fairly similar to the benefits we saw on SD-WAN. Everything's built cloud first, so scalable, flexible, all the stuff you read about Cloud, migrating workloads to cloud easily. Everything that these guys have built is on the cloud app. It's not been evolved from on-prem and moved up. It's cloud from day one, so ultimately scalable, intrinsically secure as Chris says, we've covered that, it is secure, it's trusted, secure, and demonstrably secure. The application assurance. The SD-WAN combined with some of the security functions, you can demonstrate that you're delivering the applications to the right people as efficiently as possible, and in a secure way, and SD-WAN isn't simple, you may read in some marketing that throw away all your network, bring in an SD-WAN it simplifies everything. It doesn't.

 

Neil Camden:

An SD-WAN can still be very complicated. It can be very complex. It can be maybe even more complex because you have multiple vendors, multiple connectivity types going on in different site types. As Breeze, we can help manage that for you and give you a single SLA on the overall solution, but in terms of operational simplicity, running that whole infrastructure becomes much simpler. We can do it in a much simpler way, which allows us to offer you really good SLAs. We can hand that over to you and let you run it in any way you want to as well. Really important to get that transparency and that visibility of what's going on in the network that you paid for. You don't get that from some of the traditional big MPLS vendors and some of the PSN vendors.

Neil Camden:

Reduced cost and greater agility, the last two. I think I've mentioned a few times, you get that agility and you get those cost savings if you're clever about how you split the overlay and the underlay and you choose your connectivity vendors carefully. And that's one of the things where we're happy to work with you on the design phase. If you've got local providers that you want to work with for broadband, for example, we'll happily liaise with them and put in whatever the best connectivity is for you in each of your sites, and by best that's best technically, best commercially, and by doing that properly it generally will reduce costs. It might be 10%, it might be 50%, it all depends on what you're paying at the moment, and actually how much bloat you've got in your network at the moment that you don't really need.

Neil Camden:

The fact this is all cloud-based makes it very agile and it's very much a fit-for-purpose-now solution that can grow or shrink with the company as you grow and shrink, and over the next few years, I think, with COVID and the austerity measures, I think there's going to be a lot of growing and shrinking in a lot of your environments. We're not by your choice. Okay. So that is the end of the presentation, on to some Q&A. Let me just check my notes and see if we've got anything that's coming.

Chris Howarth:

Just before that, Neil, I just want to make a quick point that obviously, as VMware, we do have the ability to reach out and have partnerships with other organisations, with large managed service providers, which traditionally have done legacy rollouts, MPLS, and that type of thing. And we've found that with those sorts of large managed service providers, they tend not to care too much about the customer. The reason why we've engaged with Breeze Networks, even though they might be a bit of a smaller organisation, is that that is actually beneficial to the customer, because they become really ingrained in what the customer actually wants and wants to achieve. Whilst we can't talk about some of the good case studies that they've won in both central government and in Blue Lights, they are perfect examples of why Breeze Networks are our first choice when it comes to deploying SD-WAN SASE. So I just wanted to make that point for those out there as well.

Neil Camden:

Thank you, Chris. Nice to hear. [crosstalk 00:50:16]

 

Matthew Lea:

So Neil, I've been collating some of the questions. Hello everyone, Matthew Lea, I'm the CTO at Breeze Networks. So I thought I would just come on at the end to answer some of the questions that have been coming in through the chat. So thank you for asking those questions. There's five or six questions here so I'll just run through them if I think we've got time. Yes, we've got time. So the first question here is, can you maximise your ROI without understanding the application flows, given that the cost difference between WAN and internet is minimal? So that is correct, the price point in the UK between MPLS and internet is smaller in the UK than you would find on some of our global deployments, which is why we didn't major this presentation on cost savings, although it's something that can be achieved.

Matthew Lea:

One of the other VMware product sets that we use to do this is called vRealize Log Insight, and that technology basically allows us to put in sensors and do a pre-network audit, and it can give you a view of before and after SD-WAN, and estimate those cost savings by breaking out to the internet and so on. So that's something that we can do, a network audit, if people are interested.

Matthew Lea:

There's another question here. So to be clear, there isn't just MPLS or internet, these networks are far more integrated, is the hybrid model going to be discussed? So I think in this presentation, we tried to keep it very high-level. There's a lot of detail that we can go into on use cases, but this is around connecting to things that are what we would call legacy or MPLS sites. So there's a few options around that. We can break traffic out directly into the underlay, and we can peer with BGP with a traditional service provider and send the traffic natively. That way, we can use business rules to match PSN traffic or other traffic, and we can encrypt that and backhaul it back to a hub and break the traffic out onto the PSN or other third parties that way, or we can integrate the gateways into IPsec tunnels into other third parties.

Matthew Lea:

So, yeah, there's a lot of different ways we can do it and we can use business policies to mandate that certain traffic is treated in certain ways. So an example would be traffic that matches PSN IP addresses is restricted to only use certain links, for example.

Matthew Lea:

Can customers see the end-to-end availability of the service and also the discrete access technologies? How do I know where the underlay network is impacting availability of my overlay network? So when we connect up the SD-WAN, some of the clever auto-discovery stuff that VMware VeloCloud can do is it can auto-detect the carrier, it can detect the bandwidth available, so it will do speed tests, and then it will continuously monitor each underlay between either SD-WAN edge to SD-WAN edge or SD-WAN edge to cloud gateway. So we can view different paths, and that information is available, so I can see what is my latency, jitter, packet loss between branch A and data centre B, or to the internet, or between branch to branch. And that information is all recorded, and you can see how each line's performing and then, after all of the SD-WAN enhancements, how the overall service is, which is what we're interested in.

Matthew Lea:

Some of the other exciting things that are coming down the road is ENI, Edge Network Intelligence. So VMware made another very clever acquisition of Nyansa, which is a client-based sort of network monitoring tool, and it's probably a whole new webinar to go into the functions of that, but essentially, yes, it can monitor user performance and baseline, using machine learning, look at what normal looks like, and look for deviations from normal, which can help with application monitoring but also change management. So if you make a change on the network, you can see how that would be impacted.

Matthew Lea:

Question. Is there a cloud gateway in the UK? Yes, there's gateways in London, and we can roll out regional gateways, as I think Neil was explaining, in local data centres or cloud providers to meet that. Are you working with NCSC on the forthcoming codes of practice resulting from TSR and TSF? So, excuse me. VMware has recently migrated to FIPS 140-T compliant NSX IPsec libraries. So there's been some significant enhancements from version three to version four. We can probably discuss more details on that if required, but VMware's security and product teams are meeting regularly with NCSC and roadmapping and working to ensure that the IPsec libraries are prime compliant going forward. I think that's all the questions that haven't been answered. So Neil, back over to you just to round off, I think.

Neil Camden:

Yeah. Thank you. One question I'm not sure if you've seen, it's about how you procure. Are we on any other networks, services, frameworks? Which, yeah, we'd want to discuss in detail at a later stage. I think we're on G-Cloud 12. We can do the various different network services frameworks, plenty of ways you can procure through us. And we appreciate that for a lot of people this is just a new technology and you can't just switch off your PSN overnight and put in an SD-WAN, and it can be a very long process. We're more than happy to enter into tender processes with people, RFI, RFP processes, all of that. What we're hoping is that maybe seeing this presentation will just sit in the back of your mind, and when your contracts come up and things come up for tender you'll think a little bit about the SASE and SD-WAN solutions that we're offering, and maybe look at how that fits into the tender process.

Neil Camden:

Okay. Well, that's done, I think. Thank you very much for your time, everyone. We will be making a recording of this presentation available after this. I think we'll be sending out emails to everyone to explain where that is. So you can go back and look at this and share it with others. And I think as Chris mentioned at the start, we'll also provide a link to the actual slides. So if you were taking screenshots or trying to frantically write things down, you don't need to. We'll give you access to that, the whole thing. So thank you very much for your time. Enjoy your day.

Chris Howarth:

Thanks very much, everybody. Speak to you soon.
