SD-WANs Enable Scalable Local Internet Breakout but Pose Security Risk

istock 1137735863

SD-WAN streamlines how application traffic is routed from the branch, making it easier to create local internet breakout and allowing users to access cloud services directly from the branch. In an ideal SD-WAN scenario, every remote location and device has its own local internet breakout and corresponding security services. Yet, reality looks a lot different for many companies. 

This is something network professionals have wanted to enable for decades. The problem was that setting up local internet breakout using traditional routers was not trivial and required a tremendous amount of engineering work so most businesses, except for the ones that had high levels of technical talent shied away. The shift to cloud and edge computing has made local internet breakout almost mandatory today, so businesses have turned to SD-WAN as a simpler path to enable it. As this happens, organizations need to understand the security risks. 

Using broadband internet services to quickly send enterprise application traffic has many benefits, but it’s also risky since it exposes users and their local networks to the untrusted public internet. As previously mentioned in another post, EMA’s WAN Transformation research found companies that exclusively relied on the native security features in their SD-WAN devices were 1.3 times more likely to have a data breach, compared to those who supplemented their SD-WAN with additional layers of security. 

Local internet breakout is a modern approach to the SD-WAN; it provides application awareness and automation that cannot be achieved with traditional routers. However, security shouldn’t be an afterthought when deploying it. Not all local internet breakout solutions can administer application-specific security policies in real-time or keep up with SaaS/IaaS changes and updates.

In order to deliver the highest SaaS and IaaS performance, there are several local internet breakout requirements that must be addressed:

  • Application-driven security policies must be supported for all apps running over broadband internet
  • Performance must be optimized without compromising security
  • Security must be enforced with an integrated firewall to safeguard the branch from potential threats
  • Service chaining to next generation firewalls or cloud-delivered security services must be automated

When security enforcement is positioned close to branch locations, local internet breakout can provide enterprises with the desired application performance and protection.

That’s where moving security to the cloud comes in. Cloud-hosted security services help enterprises centralize the entire security stack in the cloud instead of deploying costly security appliances at each branch location. A cloud-hosted security stack, like Zscaler or Check Point, includes next-gen firewall services, as well as intrusion detection and prevention, URL filtering, antivirus protection, sandboxing, and much more.

By shifting away from a hub-and-spoke architecture to a cloud-enabled architecture, enterprises can reduce cost and complexity, offer a better user experience, simplify their operations, and deploy new services faster—all without compromising security. 

Learn more about how we can help with secure local internet breakout with SD -WAN at


Copyright © 2019 IDG Communications, Inc.