During its inception, we had the early adopters and pure SD-WAN players. Soon it became obvious that something was missing, and that missing component was \u201csecurity.\u201d However, security vendors have highlighted the importance of security from the very beginning.\nToday, the market seems to be moving in the direction where the security vendors are focusing on delivering SD-WAN features around pervasive security. The Magic Quadrant for WAN Edge Infrastructure has made a substantial prediction. It states, \u201cBy 2024, 50% of new firewall purchases in distributed enterprises will utilize SD-WAN features with the growing adoption of cloud-based services, up from less than 20% today.\u201d\nNowadays we have security vendors like Forcepoint, SonicWall and Barracuda that follow the pattern of Fortinet. The vendors offer a built-in security stack to the WAN edge architecture for distributed enterprise use cases.\nIntroducing secure SD-WAN\nPronouncedly, secure SD-WAN includes the best-of-breed next-generation firewall security, SD-WAN, advanced routing, and WAN optimization to deliver a security-driven WAN edge. It combines the SD-WAN feature and security features together.\u00a0\u00a0\nThe secure SD-WAN solution can be placed fully in the branch and the cloud or a hybrid approach can be adopted. For those who don\u2019t want to put everything in the cloud, a hybrid approach could be more viable.\nTo me, it is quite interesting seeing how the queries are coming into the analysts and how customers are giving attention to this field. Markedly, Gartner estimates that Fortinet has more than 21,000 WAN edge customers. That\u2019s a considerable user base and makes a compelling case, especially when strong and built-in security capabilities are the key requirements.\nAdding security to networking\nIt is definitely easier for a security company to add new networking features than for an SD-WAN company to add 20 years of advanced security features. We can safely assume that no SD-WAN vendor is going to become a security vendor.\nAs the market developed, in due course, some features had to be renamed: when we talk about application identification, encryption, path monitoring, routing protocols and WAN link load balancing. Fundamentally, all of these advanced routing features are not new and specific to SD-WAN. These are not overnight successes and have been in the market even before the market existed.\nHowever, in some scenarios, maybe you have to implement a proprietary routing protocol across the WAN. In this case, yes, of course, you require a new device. But for most of the part, a comprehensive firewall at the edge will suffice.\nThe firewall at the WAN edge\nFirewalls are evolving into network security platforms, thereby offering SD-WAN capabilities. The Magic Quadrant for Network Firewalls states \u201cThe SMB multifunction firewall market grew 10.1% in 2018, with SD-WAN adoption being a strong driver.\u201d\nWhen you think about it, you will realize that the firewall has been acting as a router for a long time. Essentially, the firewall can provide all the routing protocols to facilitate private WAN, internet and internal routing. This functionality is usually provided by a basic device that just does the routing. However, now we are witnessing the replacement of these by an edge appliance with firewalls.\nFirewalls have resided in the networks for decades. Their role has not just been confined to doing the firewalling but also participating in the routed networks. Time and again, they have been providing a routed WAN edge device.\nIssues with legacy security design\nHow do you integrate security with SD-WAN? Primarily, the common design involves the integration of multiple security point solutions. Now, let\u2019s learn about the aftermath of these point solutions.\nComplexity\nThe point solution only addresses one issue and requires a considerable amount of integration with others. Because of this, they are often service-chained together. Each part must be carefully integrated with the other.\nYou must continuously add solutions to the stack, which is likely to result in management overhead and increased complexity. Not to mention the challenges with NOC and SOC team integration. Contrarily, the original selling point for SD-WAN was to reduce complexity and not intensify it.\nIf we examine security in the world of SD-WAN; the way it has been geared up at the moment is provided in parts that actually increase complexity. It\u2019s like building a house with individual pieces when you actually just want to buy a house.\nIf you analyze, you will find that many SD-WANs are merely bringing in security technologies from other vendors, joined together to sell them to the customers.\nAssociated costs\nHaving multiple point solutions often from different vendors dispersed around the network is expensive. There\u2019s never a fixed price. Some security vendors may charge on usage models which you may not have the quantity for yet. So, how do you effectively plan for this when you have multiples?\u00a0\nAs the costs keep adding up, the security professionals may decide to trade-off certain point solutions due to the associated costs. We know now this is not an effective risk management strategy. Ideally, in terms of security, you don't do something when it is needed; you do it before it is needed. This means threat intelligence is the key, which is often overlooked by many SD-WAN vendors.\nIt\u2019s far more critical from both technical and cost perspective to bring each of the security point solution functionalities together under one hood. And to do this, someone that specializes in security from day one would fit the bill. This is why there has been a move to provide SD-WAN features along with advanced security into one comprehensive integrated platform.\nSecure SD-WAN is what combines both network and security into one integrated platform. This leads to no more complex management, licensing issues, high costs or unnecessary service chaining.\nSD-WAN is not about features\nThere is a lot of noise in the SD-WAN market about the features. Let\u2019s face it \u2018features really don\u2019t draw much value to create market separation\u2019. Practically, the value proposition for SD-WAN is not about the feature. Everyone is doing a good job in classifying applications and sending them across the best path. Let\u2019s understand the true value proposition for SD-WAN.\nPerformance and scalability\nWhen it comes to SD-WAN, the bell to ring is often application steering, but if you don\u2019t have, for example, the deep TLS1.3 inspection with solid performance, how can you get accurate identification and make sure your branch is secure? Not enough people are talking about this.\nFor this, we need custom SD-WAN-specific application-specific integrated circuits (ASICs). This offers an incredible advantage for the high resource intensive encryption\/decryption and overlay scalability.\nWith IPSec, there are intensive encrypting operations that consume a lot of CPU and RAM. Therefore, a purpose-built SD-WAN ASIC is built just to do that so it consumes less CPU and RAM per tunnel.\nIn general, the scalability stops at 1,000 or 1,500. With the proper ASIC, this number can be scaled to over 100,000, which may be useful for some hub site designs. By using the ASIC, you can run the networking stack and security stack in the same appliance, making a very efficient and cost-effective solution.\nThe importance of threat intelligence\nThe next-generation firewall is in the datasheets for many SD-WAN vendors. However, what about the threat detection and threat prevention? A big piece missing from the many SD-WAN vendors is threat intelligence in alliance with threat research. The threat landscape is evolving, so too should the security solution to keep in line with today\u2019s and tomorrow's threats.\nThreat prevention has core features from layer 4 to layer 7 such as IPS, content filtering, deep SSL inspection, and anti-malware. Furthermore, we also have a threat detection piece. Nowadays, you can no longer rely on detecting known threats, you have to detect unknown threats too. So having a stack of both prevention and detection features is very important. With the two features glued together, we can have experienced security research and analyst teams. It is significant to observe whether the SD-WAN vendor has its own threat intelligence.\nFor this, we really do need the security company pedigree. The core value for any security vendor comes with their level of intelligence research. This is what creates market separation, not SD-WAN features.\nHowever, there is another step, which is to confirm if the proposed features have been validated by 3rd parties such as NSS labs. NSS Labs has evaluated some of these security vendors for their SD-WAN leading products on areas such as the quality of experience (QoE) of VoIP and video, performance (WAN impairments and HA), the total cost of ownership (TCO) along with security effectiveness.\nAlso, we must question how often does the \u2018SD-WAN device providing firewalling\u2019 gets updated with the latest threat information. Is this process carried a few times per day or per week? Some SD-WAN solutions market them as a secure SD-WAN vendor, but if we go back to the point of building effective security, we need a solid threat intelligence team. Do startups have enough manpower to do that? A networking vendor simply can\u2019t jump into this space. Some SD-WANs add stateful packet filters and call this security.\nLet\u2019s be honest, a next-generation firewall can be used by anyone. However, the importance of the breadth of the features, the intelligence they provide and the recognition in the market play a huge role. This is what builds trust in the next-generation firewall in the branch and ensures that the best security posture remains the best.\nWhen you\u2019re looking for secure SD-WAN vendors, highlight these questions and examine how old their security stack is. Also, assess if they have an experienced threat intelligence team.\nThe market is moving towards a secure SD-WAN solution. The industry analysis and the rise of the customer base have a great impact in today\u2019s time. It is not the case that people are recognizing security vendors as strong SD-WAN players.\nHowever, recognizing the market demands secure SD-WAN in one integrated comprehensive platform.