
The 4 SD-WAN architectures for network security

Oct 23, 2017 | 3 mins
Network Security, SD-WAN, Technology Industry

SD-WAN’s future lies in security.


SD-WAN might have begun as a networking technology, but SD-WAN's future lies in security. Integrating branch security features into SD-WAN allows leaner, simpler remote office deployments. To that end, security vendors have introduced SD-WAN capabilities, and SD-WAN vendors are adding security capabilities. The four architectures below differ in where the security functions run, who manages them, and how much of the L4 to L7 control a branch actually gets.

1. SD-WAN appliances with basic firewalling

Many SD-WAN vendors deliver basic firewalling capabilities in their SD-WAN appliances. These firewalls are roughly equivalent to the stateful firewalls you might see in a branch office router: policy-based filtering, and allowing or blocking applications by port or IP address. Examples include Cisco (Viptela), Silver Peak and VeloCloud.

Basic stateful firewalling might be sufficient for connecting locations to the Internet for a known set of SaaS applications, but not for providing broader Internet access. For that, you'll need layer 4 to layer 7 control capabilities: a next generation firewall (NGFW), an intrusion prevention system (IPS), URL filtering and more. The reason is simple: a port/IP rule sees that a flow is HTTPS to some address, but not which service, which site or which content is behind it.
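To make the L4 versus L7 distinction concrete, here is an added example (not code from the article or from any vendor named in it). Two HTTPS flows go to the same port and the same destination IP, a shared CDN front end; a port/IP stateful rule cannot tell them apart, while a URL-filtering rule that reads the TLS Server Name Indication (SNI) can. The rule tables, hostnames, category database and the 203.0.113.10 address are all constructed for the example, and the ClientHello is built inline rather than captured.

```python
"""Added example: port/IP stateful filtering versus SNI-based URL filtering.

Everything here is hypothetical and constructed: the CDN address, the
hostnames, the category database and the policy tables."""
import struct

SHARED_CDN_IP = "203.0.113.10"   # constructed TEST-NET address standing in for a shared CDN edge

# Hypothetical URL-filter database: hostname -> category, and the categories policy permits.
CATEGORY_DB = {"crm.example": "saas", "share.example": "file-sharing"}
ALLOWED_CATEGORIES = {"saas"}


def l4_allow(dst_ip: str, dst_port: int, blocked_ips=frozenset()) -> bool:
    """Basic stateful rule: permit outbound HTTPS unless the IP is on a block list."""
    return dst_port == 443 and dst_ip not in blocked_ips


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying a server_name extension."""
    host = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host            # name_type 0 = host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list        # extension type 0 = SNI
    body = (b"\x03\x03" + bytes(32)          # client_version, random
            + b"\x00"                        # session_id length 0
            + b"\x00\x02\xc0\x2f"            # one cipher suite (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
            + b"\x01\x00"                    # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body     # type ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Parse the SNI host_name out of a TLS ClientHello record; None if absent or malformed."""
    if len(record) < 9 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 34                                     # skip client_version (2) + random (32)
    try:
        pos += 1 + body[pos]                                         # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]         # cipher_suites
        pos += 1 + body[pos]                                         # compression_methods
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # extensions block
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0 and len(data) >= 5 and data[2] == 0:      # first name, type host_name
                name_len = struct.unpack("!H", data[3:5])[0]
                return data[5:5 + name_len].decode("ascii")
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def l7_decision(dst_ip: str, dst_port: int, first_bytes: bytes) -> str:
    """NGFW-style decision: apply the L4 rule, then classify the flow by SNI against the URL filter."""
    if not l4_allow(dst_ip, dst_port):
        return "deny: L4 rule"
    host = extract_sni(first_bytes)
    if host is None:
        return "deny: unclassifiable (no SNI)"    # policy choice: fail closed for uncategorised TLS
    category = CATEGORY_DB.get(host, "uncategorized")
    verdict = "allow" if category in ALLOWED_CATEGORIES else "deny"
    return f"{verdict}: {host} is {category}"


def compare(hostname: str) -> dict:
    """Same IP, same port: what each rule type decides for a connection to `hostname`."""
    hello = build_client_hello(hostname)
    return {"l4": "allow" if l4_allow(SHARED_CDN_IP, 443) else "deny",
            "l7": l7_decision(SHARED_CDN_IP, 443, hello)}


if __name__ == "__main__":
    for h in ("crm.example", "share.example"):
        print(h, compare(h))
```

The L4 rule returns "allow" for both flows because nothing it can see differs between them; only the SNI-based rule blocks the file-sharing destination. The same blind spot applies to IPS signatures and antivirus, which need the application payload, and the fail-closed choice for TLS without SNI (or with encrypted ClientHello) is exactly the kind of policy decision an NGFW forces you to make explicitly.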

2. SD-WAN appliance with advanced firewall

Some SD-WAN vendors are including advanced security capabilities within their appliances. Organizations gain one physical device to deploy, but they are still left managing separate security and networking domains, with separate policies, logs and consoles. It's precisely that kind of fragmentation that has obscured IT visibility and control. There's also the question of the appliance form factor itself.

Appliances bring a lifecycle with significant OPEX: testing, deploying, patching, maintaining and managing each box. The limited resources of an appliance can force unexpected hardware upgrades as traffic levels jump or when compute-intensive features, such as IPS or SSL interception, are enabled. Appliances are also limited to protecting the sites where they sit. They do nothing for mobile users unless those users VPN back to the site, which often introduces performance problems.

3. Firewall appliances with SD-WAN

At the same time, several security vendors have announced SD-WAN capabilities for their NGFW appliances. These include Barracuda, Fortinet and Cisco Meraki, according to a recent Gartner report.

With SD-WAN-enabled firewall appliances, security is far better than the basic firewalls included in SD-WAN appliances. However, organizations are still bound by the constraints of appliances described above. More importantly, while many of these products look good on paper, they lack the maturity of seasoned SD-WAN offerings, in two ways that matter operationally: failover speed and path measurement.

SD-WAN should be able to switch to a secondary connection in seconds and, ideally, in under a second, which is fast enough to preserve session state. That is a fundamental difference between SD-WAN and basic IP routing, which can take 40 seconds to converge on an alternate path. However, some security vendors offering SD-WAN capabilities, such as Cisco Meraki, can take as much as 300 seconds to switch between connections.

Collecting performance metrics (loss, latency, jitter) on every path is also essential for SD-WAN edge appliances. It is what lets them select the optimum path for a given application, and it is one of the fundamental differences between SD-WAN and link aggregators, which only spread or fail over traffic without knowing how each link is performing. However, some security solutions, such as Fortinet SD-WAN 5.6, lack path metrics. [Note: Fortinet is currently upgrading its SD-WAN and is expected to address this and other SD-WAN issues in its next release.]
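The two preceding paragraphs describe the behaviour that separates a mature SD-WAN edge from a routing-based failover: failure detection in hundreds of milliseconds from missed probes, and per-application path choice from measured metrics. The following is an added example of both, written for this page and not taken from the article or any vendor; the probe samples, SLA thresholds, probe timers and circuit costs are all constructed. For comparison, the 40-second figure in the text matches OSPF's default dead interval (four missed 10-second hellos), which is the class of convergence basic IP routing relies on.

```python
"""Added example: a toy SD-WAN path selector with probe-based failure
detection and per-application SLA classes. All numbers are constructed."""
from dataclasses import dataclass, field
from typing import Optional

OSPF_DEFAULT_DEAD_MS = 40_000   # OSPF default dead interval (4 x 10 s hello): routing-protocol convergence class

# Hypothetical SLA classes: what each application class tolerates (constructed thresholds).
SLA = {
    "voice": {"loss_pct": 1.0, "latency_ms": 150.0, "jitter_ms": 30.0},
    "bulk":  {"loss_pct": 5.0, "latency_ms": 400.0, "jitter_ms": 100.0},
}


@dataclass
class Path:
    name: str
    cost: int = 1                     # relative circuit price; cheaper wins among compliant paths
    probe_interval_ms: int = 300      # BFD-style probe cadence (constructed)
    dead_multiplier: int = 3          # consecutive lost probes before the path is declared down
    rtts: list = field(default_factory=list)   # RTT per probe in ms; None marks a lost probe

    def record(self, rtt: Optional[float]) -> None:
        self.rtts.append(rtt)

    def detection_time_ms(self) -> int:
        """Worst-case time from a silent link failure to 'down'."""
        return self.probe_interval_ms * self.dead_multiplier

    def is_down(self) -> bool:
        tail = self.rtts[-self.dead_multiplier:]
        return len(tail) == self.dead_multiplier and all(r is None for r in tail)

    def loss_pct(self) -> float:
        return 100.0 * sum(r is None for r in self.rtts) / len(self.rtts)

    def latency_ms(self) -> float:
        ok = [r for r in self.rtts if r is not None]
        return sum(ok) / len(ok) if ok else float("inf")

    def jitter_ms(self) -> float:
        """Mean absolute difference between consecutive answered probes (RFC 3550 style)."""
        ok = [r for r in self.rtts if r is not None]
        diffs = [abs(a - b) for a, b in zip(ok, ok[1:])]
        return sum(diffs) / len(diffs) if diffs else 0.0

    def meets(self, sla: dict) -> bool:
        return (self.loss_pct() <= sla["loss_pct"]
                and self.latency_ms() <= sla["latency_ms"]
                and self.jitter_ms() <= sla["jitter_ms"])


def select_path(app_class: str, paths: list) -> Optional[str]:
    """Per-application choice: among paths that are up and meet the class SLA, take the
    cheapest; if none is compliant, degrade to the best-measured path rather than blackhole."""
    up = [p for p in paths if not p.is_down()]
    if not up:
        return None
    compliant = [p for p in up if p.meets(SLA[app_class])]
    if compliant:
        return min(compliant, key=lambda p: (p.cost, p.latency_ms())).name
    return min(up, key=lambda p: (p.loss_pct(), p.latency_ms())).name


def demo() -> tuple:
    """Constructed scenario: steady MPLS, jittery but lossless Internet, then MPLS fails."""
    mpls = Path("mpls", cost=10)
    inet = Path("internet", cost=1)
    for r in [20, 21, 20, 22, 20, 21, 20, 21, 20, 22]:
        mpls.record(r)
    for r in [35, 80, 38, 95, 40, 48, 42, 90, 39, 66]:   # jitter ~37.7 ms: fails voice SLA
        inet.record(r)
    before = {c: select_path(c, [mpls, inet]) for c in SLA}
    for _ in range(mpls.dead_multiplier):                # three silent probes: down after 900 ms
        mpls.record(None)
    after = {c: select_path(c, [mpls, inet]) for c in SLA}
    return before, after


if __name__ == "__main__":
    b, a = demo()
    print("before MPLS failure:", b)
    print("after MPLS failure: ", a, "detected in", Path("x").detection_time_ms(), "ms")
```

Before the failure, voice rides MPLS (the only path within its jitter budget) while bulk traffic takes the cheaper Internet link, which is compliant for that class; this is the per-application steering a link aggregator cannot do. After three silent probes, MPLS is declared down in 900 ms and voice degrades onto the Internet path. The same scenario with a 40-second dead interval would hold voice sessions on a dead link long enough to drop them, which is the difference the text is pointing at.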

4. Secure SD-WAN as a service

Instead, several vendors are eliminating appliances by shifting SD-WAN, and in some cases the security capabilities as well, into a cloud-delivered service. Cato Networks is the best example of this approach, providing a fully integrated security and SD-WAN service. (The Cato Cloud also runs over its own backbone, eliminating Internet backbone problems.)

Other SD-WAN services provide only pieces of a secure SD-WAN. Aryaka, for example, offers basic firewall capabilities with its SD-WAN service but does not provide L4 to L7 controls such as NGFW, IPS, URL filtering and antivirus. The same is true of Bigleaf Networks.


In 2007, Steve Garson started SD-WAN-Experts (at that point called MPLS-Experts) to help U.S. companies communicate with their Chinese and Indian manufacturing facilities. Two clients were rolling out their ERP systems in China and found that their new networks were impeding operations, an unexpected and undesirable problem. A quick examination identified their VPN over the Internet as the root cause of the unacceptable performance they were experiencing.

SD-WAN-Experts helped them install a high-quality MPLS network to eliminate the packet loss and reduce the latency found on the Internet. This led to the quick realization that many other U.S. companies were having the same problem, or were using less manageable frame relay or point-to-point circuits. Thus was born this specialized practice in consulting to companies on the procurement and roll-out of Wide Area Networks (WANs). SD-WAN-Experts now serves companies worldwide with global facilities, large retail chains, as well as small domestic companies, and has even designed government emergency communication networks for an entire state.

The opinions expressed in this blog are those of Steve Garson and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.