SDWAN Vendor Series 2019 - Versa Networks
Updated: Jul 1, 2019
Versa provides a multi-services software stack and provides CPE based solutions that operate on white and grey boxes as well as cloud provider virtual images. Versa Network's Cloud IP platform provides dynamic, application-aware network overlays between sites that Versa term as the Software Defined Secure Branch (SDSB). The Cloud IP platform is targeted for the Service Provider/Managed Service Provider delivered on a multi-tenant platform with the core components of the Versa platform comprising Versa Director, Versa Controller, Versa Analytics and Versa FlexVNF. (Virtual Network Function)
Versa Director's function is VNF orchestration and management. Versa VNFs are licensed and include routing, advanced SD-WAN, Carrier Grade NAT (CGNAT), VPN, and Next Generation Firewall. These in addition to Versa VNFs include support for 3rd party VNFs such as firewall, WAN optimizations appliances. VNFs are integrated through service chaining and provide flexibility of functions at a location allowing a provider to deliver a organisations preferred firewall or WAN optimization vendor solutions. Versa has worked with leading providers such as Fortinet, Palo Alto and Riverbed for integration with the Versa Director.
The Versa Controller provides control plane function and tunnel overlay management with "route reflector" type capability which, in addition to BGP address families specific to the Versa platform, allows Cloud IP to scale the biggest of enterprise networks.
Evaluation and Assessment
There are a few approaches to on-boarding a Versa appliance. Since Versa provide software to run on white/grey boxes there is a staging requirement. This will typically be as part of a providers managed service and the linking of Versa to service provider platforms for appliance identification and authorization. Versa utilize PKI as part of the process to ensure that the appliance is aligned to the correct organisations tenancy. The acceptance of a device from a customer administrator can be completed using 2-factor authentication to ensure the CPE validity, where an email is sent to the administrator of the SDWAN. The SDWAN administrator then has the option to email or SMS the local site contact to finalize the device on-boarding. The SMS contains a code that the local contact enters for template provisioning, whereas the email has embedded information in relation to the base configuration to be applied with local connectivity to the appliance.
Configurations with device group templates plus site specific parameters are provided to the appliance and applied using NETCONF. Although there are different approaches, the process is reasonably straight forward and a few of the steps are transparent to the customer.
Versa's BGP capability allows it to connect seamlessly with MPLS networks as well as the Internet. Each Versa appliance, by default, will function as a hub device ensuring migration to SDWAN does not introduce any connectivity and performance impact, with support for underlay and overlay architectures.
Versa high availability allows for active/active configuration where application traffic can be locally steered based on business policy to WAN circuit, LTE connected to CPE setup in a HA mode. This is where you see one of the key benefits of your investment, providing access to all transport and equipment rather than active/standby. On the LAN side for a direct connected LAN, VRRP is implemented and VRRP groups allow flexibility in controlling traffic from the LAN to a specific gateway. the approach. For a LAN not directly connected to the Versa nodes, both OSPF and BGP will interface and provide routing with the local network.
The Versa implementation of Network address translation provides all the flexibility you can possibly imagine. NAT is part of the base license configuration where your organisation can take advantage of carrier grade NAT (CGNAT) right out of the box, This includes many-to-one, one-to-one in addition to NAT pools. These can also be internal NAT requirements with private-to-private addressing as well as part of outbound communication to the Internet with private-to-public.
Connectivity to 3rd party equipment can be implemented using BGP and OSPF or IPsec for tunneled connectivity. This includes router, firewall and also cloud provider gateway such AWS and Azure. A Versa solution can also be delivered in a mixed vendor environment using on board VNF configuration that provides service chaining. This may be useful where an organisation already standardizes on a specific firewall vendor, for example Fortinet for security controls rather than using the Versa advanced security license. Decoupling the software from the underlying hardware is a good approach by Versa providing organizations with choices of the control, configuration and monitoring of Versa with 3rd party VNFs as part of the Versa Director platform. This capability may be one of the reasons that Riverbed and Versa has entered into an OEM agreement.
With per flow the traffic is steered over the same transport for a source/destination (S/D) combination and Versa has provided the capability to perform per packet steering allowing S/D combinations to utilize bandwidth across multiple transports thereby increasing the available capacity to individual communications. Versa call this striping.
Internet transport can at times be unpredictable in the delay, loss characteristics. To enhance the performance and utilization of commodity broadband services Versa provide mechanisms to ensure the user experience isn't impacted. This is achieved using a combination of techniques such as packet duplication, periodically sending duplicate packets when loss is being exhibited. Another technique is forward error correction (FEC) where Versa will add a hash packet that is used by the receiving SDWAN location to recover from errors that may have been introduced during packet transport.
The following provides a good overview of both the FEC and packet duplication.
Quality of Service (QoS) and path performance characteristics can be combined to ensure that a path meets the minimum service expectations from administratively controlled latency, loss and jitter values. Traffic is steered and from links that do not meet the performance or changes during a normal communication.
Scaling of overlay tunnels and the dissemination of information relating to tunnels is an important factor when delivering SDWAN at scale. Versa address the scaling by utilizing IKE from branch to controller to disseminate the security associations (SA) information to branch sites and this removes the n^2 issue with IKE sessions for large scale deployments.
Beyond basic firewall capability, many SD-WAN providers require integration with cloud security platforms such as Z-Scaler. Rather than provide a cloud based security platform, Versa on the other hand implement a more distributed security solution. Versa provide out of the box layer 4 firewall security with application awareness, and if you are looking for next generation UTM type security, then this is activated with a license. The license is activated on a per node basis and provides some flexibility around the security architecture. An organisation can license all sites with the advanced security license or implement a more regional based security architecture where small sites connect to security services via a regional hub location.
The security licensing approach is as follows:
State based Firewall
"Out of the box":
• Zone Protection
• DDoS (Distributed Denial of Service)
• Stateful Firewall
• Application Visibility
• CGNAT (Carrier Grade Network Address Translation)
• IPSec VPN
Next Generation Firewall
• Includes all the state based firewall features plus
• Application Control
• URL Reputation and Filtering
• SSL Inspection
Unified Threat Management (UTM)
• Includes all the Next Generation Firewall features plus
• Intrusion Detection and Prevention System
Each Versa node also has the ability to segment an organisations environment with the use of VRF technology and separate overlay tunnels. This is useful when looking at guest access versus corporate access or where there are specific functions such as PCI controls required. This allows for an end to end, encrypted, segmented overlay where traffic from one segment function operates in isolation of another segment. The extent of security is out outside the scope of this article but there are no disappointments with the Versa ICSA Labs Certified Firewall
Simplicity and Visibility
It is all about templates when working with the Versa platform. Templates for all the functional components helps with the consistency and flexibility of implementation and ongoing administration and management. Configuration of templates is implemented with an intuitive Workflow
Versa provides a comprehensive array of management and monitoring views with a drill down capability for more detailed information. This is provided from Versa Analytics which enables base-lining, correlation and predictive analysis for network, application usage and security events. At the time of assessment, the visibility from the base SD-WAN platform is probably the most comprehensive in the market. The following provides a diagrammatic representation of the analytics engine.
From visualizing the topology, with details of connection information...
...to application level view with drill down per flow views, Versa provides the visibility that network administrators want.
Versa Network's SD-WAN is a detailed and comprehensive solution suitable for large enterprises and telecommunication providers offering managed SDWAN services. Whereas Cato Networks provide the main SD-WAN and Security functions from Cato Cloud Platforms distributed across the globe, Versa distribute the functionality to the edge devices with a licensed service model. Versa is a software company offering customer choice in hardware options with VNF functions from both Versa and 3rd party VNF providers increasing choice and preference for the customer. Due to the comprehensive list of configurable items the platform is geared for the more experienced administrators but that is easily overcome with platform familiarity.
References: Images and media courtesy of Versa-Networks. Retrieved from https://www.versa-networks.com/