Traditional WAN solutions no longer meet the needs of the modern enterprise. The rapid growth of cloud computing and increased use of mobile devices leave network leaders looking for an alternative solution.
Software-defined WAN (SD-WAN) promises network performance and latency that rival the best traditional WAN solutions. When it comes to security though, appliance-based SD-WAN leaves traditional solutions in the dust, and cloud-based SD-WAN goes a step further, offering enterprise-level network performance and security.
Table of Contents
Security Challenges of Traditional WAN
Traditional WANs are built through a combination of multiprotocol label switching (MPLS) links and Internet-based virtual private networks (VPNs). Each of these solutions has its pros and cons. MPLS provides high-performance, reliable networking but at a high cost. Internet-based VPNs are cheaper and have built-in encryption but have performance and reliability issues due to their dependence upon the public Internet.
Beyond these tradeoffs, traditional WAN solutions also have security issues. Neither MPLS nor Internet-based VPN solutions have integrated security. As a result, organizations must layer additional, standalone security appliances on top of networking infrastructure to secure their WAN.
Yet even then, visibility into network traffic is limited. Over 92% of organizations are using public clouds, and the use of mobile devices in the enterprise is growing rapidly. Organizations using traditional WAN must make the difficult decision of routing all cloud and mobile traffic through the enterprise network for inspection, which significantly degrades network performance, or to accept the loss of visibility and the ability to inspect traffic flowing over transport media outside of the organization’s control.
Pros and Cons of Appliance-Based SD-WAN
An organization’s ability to secure traditional WANs is primarily limited by a lack of integration among multiple different transport media. The mess of MPLS links and Internet-based VPNs makes it difficult to achieve full network visibility and degrades network performance due to the reliance upon manual processes in failover scenarios.
SD-WAN provides a solution to these issues. By abstracting away the network layer and presenting an array of transport media as a single pipe, SD-WAN can optimize network usage based upon the availability and performance of a particular transport medium and the type of application traffic to be carried.
Most SD-WAN solutions are implemented as standalone appliances that handle the network-layer abstraction that makes SD-WAN so effective. While some SD-WAN solutions provide integrated security, in many cases, security in appliance-based SD-WAN is performed similarly to that of traditional WAN solutions. Multiple different security appliances – including a next-generation firewall (NGFW), secure web gateway (SWG), and unified threat management (UTM) solution at a minimum – are layered on top of the SD-WAN appliance to provide the necessary security protections.
The main shortcoming of appliance-based SD-WAN solutions, from both a networking and security perspective, is that they can be difficult and expensive to scale. All traffic that travels over an SD-WAN must enter via a point-of-presence (PoP) containing an SD-WAN appliance. Network performance and latency requirements mean that the distance that traffic has to travel from source to entry PoP and from exit PoP to the destination must be minimized.
In traditional enterprise network environments, this is not a problem since an SD-WAN appliance can be placed at the network perimeter. However, enterprise networks are evolving. The rapid adoption of cloud computing and mobile devices means that these users require nearby PoPs as well. Deploying SD-WAN appliances in each of the average organization’s five clouds and in a globally-distributed net of PoPs is much more difficult.
The security of appliance-based SD-WAN networks comes down to the tradeoff between coverage, performance, and expense. An organization can choose to surrender visibility of cloud and mobile traffic, force it to pass through the enterprise headquarters network for inspection, or invest in the deployment of SD-WAN appliances throughout their infrastructure.
Next-Level Security with Cloud-Based SD-WAN
Despite the limitations of appliance-based SD-WAN, it is possible to deploy SD-WAN with both enterprise-grade performance and security. However, this requires moving beyond appliance-based SD-WAN to cloud-based SD-WAN. In the past, physical appliances were the only option for deploying SD-WAN functionality; however, this is no longer the case. Now, cloud-native SD-WAN solutions are available, which make high-performance, secure global WANs a reality.
A defining feature of cloud-based SD-WAN is security integration out-of-the-box. Any secure network using SD-WAN will require, at the minimum, NGFW, SWG, and UAM solutions. Since deploying these as standalone appliances can be difficult in the cloud, cloud-based SD-WAN solutions include security functionality baked into the SD-WAN networking solution.
This security integration also improves the efficiency and effectiveness of the organization’s security team. Instead of a variety of different dashboards for an array of standalone security products, cloud-based SD-WAN provides a single dashboard with full visibility into an organization’s networking and security architecture. As a result, the security team can more quickly identify and remediate potential incidents, supported by managed detection and response (MDR) services.
Cloud-based SD-WAN also improves WAN security by providing a high-performance WAN with global reach. Cloud-based SD-WAN PoPs can be deployed throughout the world and connected by high-performance, dedicated network links. As a result, forcing cloud and mobile traffic to travel over the WAN, allowing TLS decryption and deep packet security inspections, has minimal impact on network performance and latency.
Appliance-based SD-WAN represents a significant improvement over traditional WAN due to consolidated visibility and, in some cases, the integration of security functionality into SD-WAN appliances. Cloud-based SD-WAN takes WAN security a step further by providing full security integration in a high-performance network capable of serving all of an organization’s WAN users, including mobile and the cloud.
Featured image source: Freepik