3 generations of secure SD-WAN services

You simply can’t take advantage of all that SD-WAN has to offer without giving branch offices local Internet access and you can’t give them local Internet access without securing them. SD-WAN for all its strengths does not provide robust edge security. Yes, data is encrypted in transit. And, yes, some SD-WAN appliances come with basic stateful firewalling capabilities. But with attacks coming at layer-7, branches require a next-generation firewall (NGFW) and updated IPS/IDS capabilities to protect locations —  not a basic firewall. For all intents and purposes, branch SD-WAN needs layer-7 security, which is why you see so many SD-WAN vendors striking partnerships with security vendors or some building security into their appliances.

Now, once you’re talking about secure SD-WAN at the branch, providing that as service makes an awful lot of sense. Companies spend an inordinate amount of time deploying, sizing and maintaining their security infrastructure. And in the race to be cost competitive, security vendors have to right-size their appliances. The flip side of which is that increases in traffic loads or enabling compute-intensive features, such as SSL intercept, often force companies into appliance upgrades. And unlike IT teams, security teams are in a constant race against attackers. When a security vendor issues a patch against the latest threat the time to deploy is crucial. All of which adds burden to an overloaded IT team. Outsourcing all of that to a provider is just a smart move.

Which leads to three types of secure SD-WAN services.

Generation no. 1: multiple physical appliances

In the first case, service providers integrate multiple physical appliances to deliver the service. You’ve offloaded the burden of managing, running and sizing the various boxes. This is not like a cloud service where the capital and operational costs can be neatly amortized across various customers. You’re still paying for those boxes and the necessary integration, only now it’s being done through the service provider over a three-year contract. It also means that to troubleshoot you still need to jump between different consoles of each product.

Generation no. 2: multiple virtual appliances

The second choice? The provider does some integration running the multiple applications as VNFs or virtual appliances on a common hardware. Those VNFs and appliances still need to be sized and deployed correctly but that’s made simpler in software. Of course, the appliance is still limited in capacity with all that this entails. Some service providers will include appliance upgrades in the contract — at a price. Depending on the implementation, the provider may also do some integration work, allowing more seamless troubleshooting and management through one console. Open Systems comes to mind here. Other providers seem to only offer third-party firewall as a VNF, though Versa Networks has integrated some NextGen firewall functionality into its core product, as well as VNF for third-party apps.

Generation no. 3: cloud services

The final and the perhaps most progressive approach is to rethink networking and security and bring them together into a cloud service, much like Amazon has done for AWS. Look at Cato Networks as an example.

Break down the functions of infrastructure appliances and you find that there’s quite a bit of overlap in how they work. They certainly share the lower layers — TCP/IP and down — but even above that many are doing deep packet inspection, many have policies that need to be set, and more. As we commoditize our networking and security functions, it’s making less sense to keep those functions distinct, doing them over and over in each appliance, and much more sense to perform them once in one location. We’d save resources, decrease costs and improve visibility into our networks.

And move this security/networking stack into the cloud and you address the cost issues around appliances. There are no more scaling issues as the cloud is elastic so that eliminates the hardware upgrades. Patching has to be done by the provider but only once for all functions and all customers. And the capital and operational costs truly are amortized across all service customers allowing for a very affordable service. Without going into details, I can tell you that cases where such an approach is taken, it has been more than half the cost of a secure SD-WAN service delivered by a carrier.

Is it all roses? Well, no. Like anything there are tradeoffs. You’d lose some choice, relying on one company for your SD-WAN and security functions. In edge-cases, relying on proprietary functions that’s a problem.

But in most cases, where networking and security has been commoditized, how much choice do we really need? The value of Ethernet switches today, for example, isn’t in the switch functioning itself in most cases, but in the packaging. The same, in some cases, with SD-WAN and security functions. Pulling commoditized security and networking functions into a single, software stack has its own value, significant value actually.