SD-WAN's future lies in security.

SD-WAN might have begun as a networking technology, but SD-WAN's future lies in security. Integrating branch security features into SD-WAN allows leaner, simpler remote office deployments. To that end, security vendors have introduced SD-WAN capabilities, and SD-WAN vendors have added security capabilities.

1. SD-WAN appliances with basic firewalling

Many SD-WAN vendors deliver basic firewalling capabilities in their SD-WAN appliances. These firewalls are roughly equivalent to the stateful firewalls you might see in a branch office router. Capabilities include policy-based filtering and blocking applications based on port or IP address. Examples include Cisco (Viptela), Silver Peak and Velocloud.

Basic stateful firewalling might be sufficient for connecting locations to the Internet for SaaS, but not for providing broader Internet access. For that, you'll need layer 4 to layer 7 control capabilities such as next-generation firewall (NGFW), intrusion prevention system (IPS), URL filtering and more.

2. SD-WAN appliance with advanced firewall

Some SD-WAN vendors are including advanced security capabilities within their appliances. Organizations gain one physical device to deploy, but they are still left managing separate security and networking domains. It's precisely that kind of fragmentation that has obscured IT visibility and control.

There's also the question of the appliance form factor. Appliances come with a lifecycle that carries significant OPEX cost for testing, deploying, maintaining, and managing the appliance. The limited resources of an appliance can often force unexpected hardware upgrades as traffic levels jump or when enabling compute-intensive features, such as IPS or SSL interception. Appliances are also limited to protecting the sites they secure. They do nothing to protect mobile users unless those users VPN back to the site, which often introduces performance problems.

3. Firewall appliances with SD-WAN

At the same time, several security vendors have announced SD-WAN capabilities for their NGFW appliances. These include Barracuda, Fortinet and Cisco Meraki, according to a recent Gartner report. With SD-WAN-enabled firewall appliances, security is far better than the basic firewalls included in SD-WAN appliances. However, organizations are still limited by the constraints of appliances.

More importantly, while many of these appliances look good on paper, they lack the maturity of seasoned SD-WAN offerings. SD-WAN should be able to switch to a secondary connection in seconds and, ideally, sub-second, which is fast enough to maintain session state. That is a fundamental difference between SD-WAN and basic IP routing, which can take 40 seconds to converge on an alternate IP connection. However, some security vendors offering SD-WAN capabilities, such as Cisco Meraki, can take as much as 300 seconds to switch between connections.

Collecting performance metrics is also important for SD-WAN edge appliances. It allows them to select the optimum path for a given application and is one of the fundamental differences from link aggregators. However, some security solutions, such as Fortinet SD-WAN 5.6, lack path metrics. [Note: Fortinet is currently upgrading its SD-WAN and is expected to address this and other SD-WAN issues in its next release.]

4. Secure SD-WAN as a service

Instead, several vendors are eliminating appliances by shifting SD-WAN, and in some cases security capabilities, into a cloud service. Cato Networks is the best example of this approach, providing a fully integrated security and SD-WAN service. (The Cato Cloud also runs over its own backbone, eliminating Internet backbone problems.) Other SD-WAN services provide pieces of the secure SD-WAN. Aryaka, for example, offers basic firewall capabilities with its SD-WAN service, but fails to provide L4 to L7 controls such as NGFW, IPS, URL filtering and antivirus.
The same is true with Bigleaf Networks.
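To make the section 1 point concrete (a port/IP stateful firewall is enough for SaaS-only branches but not for broad Internet access), here is an added example that is not from the article or any vendor named in it. It contrasts a basic port-based policy with an application-aware policy that keys on the TLS server name. The flows, IP addresses, hostnames and the SaaS allowlist are all constructed for illustration.

```python
# Added example (not from the article): why port/IP filtering cannot tell
# sanctioned SaaS apart from arbitrary web traffic, while an L7-aware policy can.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    """One outbound connection as seen by a branch firewall."""
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    sni: Optional[str] = None  # TLS server name; only an L7-aware device inspects it


# Constructed sample flows (RFC 5737 documentation addresses, example hostnames).
FLOWS: List[Flow] = [
    Flow("10.1.0.5", "203.0.113.10", 443, "tcp", sni="mail.example-saas.com"),
    Flow("10.1.0.5", "203.0.113.20", 443, "tcp", sni="cdn.example-saas.com"),
    Flow("10.1.0.6", "198.51.100.7", 443, "tcp", sni="files.untrusted-example.net"),
    Flow("10.1.0.6", "198.51.100.9", 445, "tcp"),  # SMB out to the Internet
]

# Hostnames the branch is allowed to reach (constructed placeholder allowlist).
SAAS_ALLOWLIST = {"mail.example-saas.com", "cdn.example-saas.com"}


def basic_stateful_policy(flow: Flow) -> bool:
    """Port/IP policy like a branch-router firewall: permit outbound web, deny the rest.

    It has no notion of *which* site sits behind port 443, so any HTTPS destination passes.
    """
    return flow.proto == "tcp" and flow.dst_port in (80, 443)


def l7_policy(flow: Flow) -> bool:
    """Application-aware policy: permit 443 only to allowlisted hostnames.

    A flow with no server name (missing SNI) is denied, i.e. the policy fails closed.
    """
    if flow.proto != "tcp" or flow.dst_port != 443:
        return False
    return flow.sni is not None and flow.sni in SAAS_ALLOWLIST


def evaluate(flows: List[Flow], policy: Callable[[Flow], bool]) -> Dict[str, bool]:
    """Return a verdict per flow, keyed by hostname when known, else by dst_ip:port."""
    return {f.sni or f"{f.dst_ip}:{f.dst_port}": policy(f) for f in flows}


if __name__ == "__main__":
    for name, policy in (("basic stateful", basic_stateful_policy), ("L7-aware", l7_policy)):
        print(f"--- {name} policy ---")
        for key, allowed in evaluate(FLOWS, policy).items():
            print(f"{key:35} {'ALLOW' if allowed else 'DENY'}")
```

Running it shows the gap the article describes: both policies deny the stray SMB flow, but only the L7 policy denies the HTTPS connection to the untrusted host, which the port-based policy waves through as "web".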
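Section 3 argues that path metrics and fast failover separate real SD-WAN from link aggregation and plain IP routing. The following added example, which is not the article's code nor any vendor's algorithm, shows the two mechanics in miniature: per-application path selection driven by measured latency, jitter and loss, and a failure-detection time derived from a probe interval. The link metrics, SLA thresholds and scoring weights are constructed assumptions.

```python
# Added example (not from the article): per-application SD-WAN path selection
# from collected link metrics, plus the arithmetic behind sub-second failover.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class LinkMetrics:
    """Most recent probe results for one WAN link (constructed values)."""
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    up: bool = True


# Per-application SLA thresholds; a link must satisfy all three to be eligible.
APP_SLA: Dict[str, Dict[str, float]] = {
    "voice": {"latency_ms": 150, "jitter_ms": 30, "loss_pct": 1.0},
    "saas":  {"latency_ms": 300, "jitter_ms": 100, "loss_pct": 3.0},
    "bulk":  {"latency_ms": 1000, "jitter_ms": 500, "loss_pct": 10.0},
}


def meets_sla(m: LinkMetrics, sla: Dict[str, float]) -> bool:
    return (m.up
            and m.latency_ms <= sla["latency_ms"]
            and m.jitter_ms <= sla["jitter_ms"]
            and m.loss_pct <= sla["loss_pct"])


def score(m: LinkMetrics) -> float:
    """Lower is better. Loss is weighted heavily because it hurts every application."""
    return m.latency_ms + 2 * m.jitter_ms + 50 * m.loss_pct


def select_path(app: str, links: List[LinkMetrics]) -> Optional[str]:
    """Pick the best link that meets the app's SLA; fall back to the best link that is up.

    A link aggregator has no metrics and would keep spraying traffic over a degraded
    link; here a brownout (loss or jitter over threshold) moves the app elsewhere.
    """
    sla = APP_SLA[app]
    candidates = [l for l in links if meets_sla(l, sla)]
    if not candidates:
        candidates = [l for l in links if l.up]  # degrade rather than blackhole
    if not candidates:
        return None
    return min(candidates, key=score).name


def failover_time_ms(probe_interval_ms: int, missed_probes: int) -> int:
    """Time to declare a link dead: probes sent every interval, dead after N misses.

    200 ms probes and 3 misses give 600 ms, which is what lets session state survive;
    the article cites 40 s for basic IP routing and up to 300 s for some firewall-based SD-WAN.
    """
    return probe_interval_ms * missed_probes


if __name__ == "__main__":
    links = [
        LinkMetrics("mpls", latency_ms=40, jitter_ms=5, loss_pct=0.1),
        LinkMetrics("broadband", latency_ms=15, jitter_ms=8, loss_pct=0.2),
        LinkMetrics("lte", latency_ms=80, jitter_ms=40, loss_pct=2.0),
    ]
    for app in APP_SLA:
        print(f"{app:6} -> {select_path(app, links)}")
    links[1].loss_pct = 3.0  # broadband brownout
    print(f"voice after broadband brownout -> {select_path('voice', links)}")
    print(f"failover detection: {failover_time_ms(200, 3)} ms")
```

The fallback branch matters for detection and response teams as much as for users: when no link meets an SLA the edge still forwards on the best available link, and that decision (which link, why) is exactly the event worth logging so that a degraded path is noticed rather than silently absorbed.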