CRN Exclusive: Versa Networks CEO Aims To Trump Security Vendors Using NFV To Deliver Software-Defined Security

Watch Out, Security Leaders

One of the hottest network and security startups, Versa Networks, is utilizing the telecom industry's network function virtualization (NFV) technology to create what executives say is the first true software-defined security solution.

"We're trying to bring the innovative NFV concept from the telecom side to the software-defined security side," said Versa CEO Kumar Mehta, a former top engineer at Juniper Networks, in an interview with CRN. "I have not seen another vendor that has taken this software-defined focus, applying it to both security and networking, like the WAN. … Some security guys are basically contacting us."

The Santa Clara, Calif.-based startup Tuesday revealed enhancements to its SD-security Versa VNF (virtualized network function) by adding DNS security and secure Web gateway. Versa VNF already includes next-generation firewall, anti-virus, intrusion prevention and content filtering. According to the company, Versa is using NFV to make branch security solutions for enterprises and service providers completely software-defined.

Here, CRN takes a deep dive with Mehta into SD security, white box networking, NFV and the "rich" opportunities for solution providers.

Explain your approach to software-defined security.

We've taken this telecom innovation known as NFV and applied it to the branch network and security. You can start with SD-WAN [wide-area network], then on top of that, you can [add] security with a single pane of glass, and convert all those siloed security appliances' software packaged into software-defined security. We then unfold that using the NFV technology.

We have the SD-WAN technology and we are overlaying that with the SD security, so that you can manage not one branch, but thousands of branches with a similar policy, and have an easy-to-manage, centrally provisioned security infrastructure.

What makes your software-defined security different?

I have not seen another vendor that has taken this software-defined focus, applying it to both security and networking, like the WAN, like we are.

Vendors have not crossed over unless you're a conglomerate like Cisco, and you're doing that with a bunch of different business units and growing it into a product like a router. But a purpose-built [solution] that's software-defined across both the sectors, I have not seen anyone [do] to date. I haven't seen security guys do it at all. They virtualized the hardware, but software-defining it and then mixing it with networking, I haven't seen one instance.

In fact, some security guys are basically contacting us.

Security vendors are coming to you?

Without mentioning any vendors, we've been contacted by some security vendors to leverage our software-defining on the WAN and the network side, but we're playing in both worlds right now going forward.

NFV is shaking up a whole range of things in telecom -- it's now moving to security. … No one has done the SD security yet. This is software-defining security because you can glue together different components.

How are you stacking up against competitors as far as "software-defined" is concerned?

We're trying to bring the innovative NFV concept from the telecom side to the SD security side. Some other vendors have virtualized, [saying], "I have a firewall and hardware. I divorced the hardware from the software. I'm virtualized." That's great. You can run on an x86, but you still have a siloed point-packaged piece of software just like you did in hardware. It just means now you can use someone else's hardware.

NFV is really what's making it software-defined. Scale out, scale in, automatically chain different services, multitenant -- all those things would be software-defined, not just "I virtualized it" like what other vendors are saying.

Why should channel partners jump in on this?

With the software-defined component, it really lets partners raise up and get a system-integration play there, because given this is all a Lego set of these virtualized network functions, partners can design to their customers' exact needs.

So ... now they become an Accenture-like system integrator, compared to in the past, where they just sold XYZ firewall vendors' boxes, and maybe plugged them in. Now, partners can strategically design this whole new SD security architecture.

How can a solution provider gain the most profits here?

Partners can say, "I'll get you the x86, the Versa software-defined security, I'll package it all together and deploy it for you and I can even manage it for you. Not as a carrier-managed service, but I can manage for you on-prem, Mr. Enterprise." They can move these different pieces around, design the whole thing for a customer.

Partners can say, "I can help you, Mr. Enterprise, deploy the same cutting edge [NFV] technology that Verizon is deploying and I'm also increasing your cybersecurity footprint. I'm beefing up your security. I'm giving you telco-level innovation and I can do that and crank up my professional services margins and my strategy value versus just pushing boxes. And I can help you scale up just like Amazon can in minutes."

So the partner becomes very strategic both initially and ongoing as they help them operate it.

How big of an impact do you think NFV will have here?

What I really found out is that enterprises have not yet adopted the NFV technology in droves, and it's going to happen quickly moving forward.

Also, instead of having all these siloed appliances, … what's going to happen is that on the white box in the branch, the customers are going to demand more and more, both in connectivity and security function, managed on a single pane of glass. That's where we come in.

Why will enterprise demand increase?

Because that's where the innovation needs to be for enterprise. For them to have the agility to change the policy at will and have it deployed in minutes. Also it brings down the cost, and they won't need to hire some security personnel on the branch to manage these devices -- that's where we will bring in the new value for the enterprise.

On top of that, enterprises are focusing on SD-WAN going on broadband and trying to save on the connectivity cost. What happens with that connectivity is, you need to protect that branch with the layered security, which is software-defined. That's where we bring in the SD security using the NFV solution from the telecom space.

Are branch offices changing?

The branch has not changed in the last 20 years, and it is the same set of branches with different kind of hardware as far as security is concerned. Each is doing one function and also maybe different siloed software packages on it. So it's very complex to manage and also very risk-prone in the sense that there could be configuration error and things like that.

So the SMB cannot even afford such a complex security infrastructure in the branch, which has been going on for the last 20 years. There is no agility in the branch itself. The problem we're seeing is most branches are not offering enough layers or depth of security -- and SD security is the solution.

You mentioned white box networking before. Do you think white box networking adoption rates will continue to increase?

Looking at the branch -- you had proprietary hardware, which was, you ran a router doing the connectivity function and then you had a security function being done by two or three boxes doing different things. Now what happens on an x86-based white box, you can not only do the connectivity function, but all of the security functions, on the branch itself. Those white boxes are pretty straightforward design.

The customers is going to ask, "Does it give me the same performance I'm used to?" The answer is emphatically, "Yes. And more."

They'll also ask, "Does it come at a lower price than what I'm used to?" The answer is a much, much lower price. Third is, "Can I mix and match different folks' solutions on that white box if I wanted to?" The answer is emphatically, "Yes." So clearly,[that] gives you a huge value prop on the branch side.

What about on the security side?

Let's say you wanted to deploy all your security either on the hub side or maybe the communication hub. I'm talking to a big oil and natural gas company and they have about 18 communications hubs across the world. There are looking at buying nine or 10 boxes from different vendors doing different things on the security side. Today what you could do is put all of them on x86-based white boxes and mix and match functions or buy all functions from one vendor and bring your TCO down by up to 80 percent.

How does service chaining help?

Lets say you already have NG firewall as well as DNS security and now you want to turn on secure Web gateway. You should be able to turn it on in less than a minute using the service chaining technology. Our whole SD solution helps you do that. You can scale out and scale in, in terms of the amount of processing you have to do. We allow for service chaining with third-party security devices and software.