The MEF 3.0 PoC (115) will be of great interest to service providers that want to offer advanced managed SD-WAN services based on MEF 70 to enterprise customers using cloud services from branches with Internet access.

Fortinet, TCTS, and Spirent have joined together to demonstrate the use case of secure Local Internet Breakout connecting to O365 and Azure from branch offices. To gain further insight into this project, Daniel Bar-Lev spoke with Nicolas Thomas from Fortinet to understand this MEF 3.0 PoC.


DBL: Nicolas, please explain the setup for us.

NT: What we have done is, firstly, to create an SD-WAN service with Fortinet's FortiGate as the SD-WAN Edge (MEF 70) at a branch office. We've automated the configuration of the FortiGate with a Local Internet Breakout to enable the branch to connect out via the Internet securely.

Secondly, TCTS has configured multiple IPsec tunnels from this SD-WAN Edge using Azure vWAN and ExpressRoute to provide the branch users with access to O365 and Azure cloud. Note that this does not require a VM in the public cloud.

Finally, Spirent has introduced its security testing technology in and out of the SD-WAN Edge to test the protection of the SD-WAN-managed traffic (breakout or internal).

DBL: For whom is this MEF 3.0 PoC aimed?

NT: Primarily, companies planning to offer, or currently offering, managed SD-WAN services. We're showing how they can use the combination of Fortinet, TCTS, and Spirent to offer very attractive managed SD-WAN services, security as a service, and security assurance, quickly and effectively.

DBL: Why is a combination needed?

NT: Obviously, SD-WAN managed service providers can use our solutions separately or in combination. What we are seeing is that, often, Tier 1 service providers are going to use Fortinet solutions directly to develop and deliver SD-WAN services for their enterprise customers. However, there are many potential Tier 2 and smaller managed SD-WAN service providers that would prefer to get a white label SD-WAN solution that includes secure and robust access to cloud applications like O365, which they can then enhance and offer under their own brand. TCTS is using the combination of Fortinet products and its cloud access solutions to create an off-the-shelf offering for service providers.

DBL: Where does the security assurance from Spirent fit in? Why does the Fortinet security need to be tested?

NT: SD-WAN services are dynamic, and enterprise customers want to adjust and configure them in real-time, including protection of the traffic over the Local Internet Breakout at specific branches. What Spirent provides is an additional level of security assurance to ensure that, if and when the enterprise customer reconfigures their service, they haven't inadvertently introduced vulnerabilities into the SD-WAN service.

This managed security assurance service ensures the security layer is accurate, continuously improved, and configuration mistakes are spotted quickly.

DBL: In short, this MEF 3.0 PoC shows service providers how they can offer a premium SD-WAN + SECaaS service?

NT: Yes, but it is worth expanding on that. The challenge for the enterprise is that their data is becoming increasingly distributed. It used to be that all the enterprise data was located in secure locations within the full control of the enterprise. Protecting that data was primarily about ringfencing those locations with firewall technology. Today, critically important enterprise data is distributed or decentralized—for example in public and private clouds.

Protecting the enterprise data in all these locations requires a wide range of technologies that are based in the cloud. Gartner recently coined the term ‘SASE,’ pronounced ‘sassy,’ which stands for ‘Secure Access Service Edge.’ SASE describes ensuring secure access to corporate data scattered across SaaS and cloud providers and, eventually, IoT applications. The MEF 3.0 PoC demonstrates treating the provisioning of secure access in an SD-WAN service context to applications in the public cloud, with continuous security assessment, as a managed service in its own right.

DBL: How does this tie back to MEF 3.0 standards work?

NT: MEF is now developing the working draft of MEF 88 (Protection of Application Flows over SD-WAN) with myself as co-editor. MEF 88 aims to provide the basis for managed SECaaS offerings from service providers. What we are learning in MEF 3.0 PoC (115) will be introduced into that work and may also seed new work on standardized testing of SECaaS. This is only the beginning.

MEF 3.0 PoC (115) – Security Assurance in SD-WAN Application Flows (“The Protectors”) will be showcased at MEF19, 18-20 November 2019, in Los Angeles.

Nicolas Thomas
SDN/APIs Strategist, Fortinet