SD-WAN might have begun as a networking technology, but SD-WAN's future lies in security. Integrating branch security features into SD-WAN allows leaner, simpler remote office deployments. To those ends, security vendors have introduced SD-WAN capabilities, and SD-WAN vendors have added security capabilities.

1. SD-WAN appliances with basic firewalling

Many SD-WAN vendors deliver basic firewalling capabilities in their SD-WAN appliances. These firewalls are roughly equivalent to the stateful firewalls you might see in a branch office router. Capabilities include policy-based filtering and blocking applications based on port or IP address. Examples include Cisco (Viptela), Silver Peak and VeloCloud.

Basic stateful firewalling might be sufficient for connecting locations to the Internet for SaaS, but not for providing broader Internet access. For that, you'll need layer 4 to layer 7 control capabilities such as next generation firewall (NGFW), intrusion prevention system (IPS), URL filtering and more.

2. SD-WAN appliance with advanced firewall

Some SD-WAN vendors are including advanced security capabilities within their appliances. Organizations gain one physical device to deploy, but they are still left managing separate security and networking domains. It's precisely that kind of fragmentation that has obscured IT visibility and control. There's also the question of the appliance form factor.

Appliances come with a lifecycle that carries significant OPEX cost for testing, deploying, maintaining, and managing the appliance. The limited resources of an appliance can often force unexpected hardware upgrades as traffic levels jump or when enabling compute-intensive features, such as IPS or SSL intercept. Appliances are also limited to protecting the sites they secure. They do nothing to protect mobile users unless those users VPN back to the site, which often introduces performance problems.

3. Firewall appliances with SD-WAN

At the same time, several security vendors have announced SD-WAN capabilities for their NGFW appliances. These include Barracuda, Fortinet and Cisco Meraki, according to a recent Gartner report.

With SD-WAN-enabled firewall appliances, security is far better than with the basic firewalls included in SD-WAN appliances. However, organizations are still limited by the constraints of appliances. More importantly, while many of these appliances appear good on paper, they lack the maturity of a seasoned SD-WAN offering.

SD-WAN should be able to switch to a secondary connection in seconds and, ideally, sub-second, which is fast enough to maintain session state. This is a fundamental difference between SD-WAN and basic IP routing, which can take 40 seconds to converge on an alternate IP connection. However, some security vendors offering SD-WAN capabilities, such as Cisco Meraki, can take as much as 300 seconds to switch between connections.

Collecting performance metrics is also important for SD-WAN edge appliances. It allows them to select the optimum path for a given application and is one of the fundamental differences from link aggregators. However, some security solutions, such as Fortinet SD-WAN 5.6, lack path metrics. [Note: Fortinet is currently upgrading its SD-WAN and is expected to address this and other SD-WAN issues in its next release.]

4. Secure SD-WAN as a service

Instead, several vendors are eliminating appliances by shifting SD-WAN, and in some cases, security capabilities. Cato Networks is the best example of this approach, providing a fully integrated security and SD-WAN service. (The Cato Cloud also runs over its own backbone, eliminating Internet backbone problems.)

Other SD-WAN services are providing pieces of the secure SD-WAN. Aryaka, for example, offers basic firewall capabilities with its SD-WAN service but fails to provide L4 to L7 controls, such as NGFW, IPS, URL filtering and antivirus. The same is true of Bigleaf Networks.