Rethinking the WAN: Zero Trust network access can play a bigger role

The WAN as initially conceived was about one simple job: the WAN was the network that “connects my sites to each other.” That is, the network connecting users in corporate sites to corporate IT resources in other corporate sites or perhaps colocation facilities. It was all inside-to-inside traffic.

Over the past decade so much has changed that, just before COVID-19 work-from-home mandates took hold, only about 37% of a typical WAN’s traffic was still inside-to-inside, according to Nemertes’ “Next Generation Networks Research Study 2020-2021”. The rest touched the outside world, either originating there as with remote work against data-center systems or terminating there as with SaaS use from a company site or both as with VPNing into the network only to head back out to a SaaS app.

In light of this, it is worth rethinking what we mean by WAN.  The core concept of “the network I run that connects my sites to each other” puts network teams in the wrong frame of mind from the start. Thinking of the WAN instead as “the network I control that interconnects users and services that are not in the same place” shifts attention away from a physical infrastructure—the network—and toward a logical one—network services—and away from company locations to users, wherever they are.

The pandemic inspired many frantic efforts to ramp up access for workers not on-site. These efforts ranged from straightforward scale-up of existing VPNs, to rapid adoption of cloud-based Zero Trust network access (ZTNA) or enterprise-managed software-defined perimeter (SDP), to deployment of SOHO appliances or even per-laptop software agents to extend software-defined WANs (SD-WAN) into home offices.

Some SDP and ZTNA adopters Nemertes has interviewed, having weathered the pandemic and shifted attention back to issues of WAN maintenance and often-stalled SD-WAN deployments, realized something important: ZTNA/SDP isn’t just for work-from-home support. SDP and some ZTNA solutions can protect access to company resources from any location.

Of course, providing secure access to remote resources is one of the core reasons for a WAN to exist in the first place. If legacy dedicated WAN connectivity can be handed off to an SDP or ZTNA client on a laptop, using the internet to connect, what other functions of the WAN are left to justify its existence? Reliability/performance and optimizations are the two most important.

Performance and reliability: While even a symmetrical business-class internet link can’t match all the performance guarantees of an MPLS service, such links are providing steadily more reliable services over time. And, they still tend to cost far less than MPLS links of similar capacity, so more bandwidth can be acquired.

Optimizations: These range from legacy WAN acceleration to current SD-WAN optimization and prioritization schemes. However, many of the applications needing the most acceleration for wide-area use have evolved, and their current protocols are far less chatty and so, far less susceptible to performance issues across long distances. And when there are not a lot of folks sharing a connection, there’s less call for prioritization.

Thinking through these factors and looking at their networks, these ZTNA/SDP users asked themselves: For all these small sites we have, do we even need private connectivity anymore? And they found their way to the answer: No. They have proceeded to stop SD-WAN deployments to these sites, and to cease using MPLS at them, instead committing to larger and sometimes more internet pipes.

Now, they rely on their SDP or ZTNA solution for those working from work in these small company offices as opposed to working from home. They are finding the reliability not much changed; performance as good or better because so much is about access to cloud services and the major providers have highly optimized access edges of their own; user satisfaction up thanks to one experience, any location; and costs down significantly.

Of course, this isn’t a solution for every site at every company, and the larger the site the more likely it is that simple, shared internet access is not going to be enough. The impact of internet performance issues might be too high, the contention for capacity too intense, to get by without SD-WAN-style redundancies and optimizations.

However, companies with a number of small locations have a new option: Secure access over bare internet without scaling up legacy VPN infrastructure or deploying new SD-WAN infrastructure.

The take-away is that these options for access, management, coupled with all the changes in context—the shift to cloud resources, the shift to work-from-anywhere—mean that IT needs to reconsider what the WAN is, what it is for, and how best to meet those needs sustainably.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.