SD-WAN has the potential to redefine how organizations manage communications between physical sites and cloud-hosted systems, and may remove one of the largest barriers to cloud adoption.
Traditionally, organizations have used a mixture of IPsec VPN tunnels and ISP-managed MPLS networks to connect sites and users to the applications and data sources that run the business. MPLS networks are increasingly seen as overly expensive, while traditional IPsec VPN networks are seen as underperforming and difficult to manage. Poor design of either leads to a poor user experience, increased costs, and decreased business performance.
SD-WAN has entered the market with the promise to increase application performance and availability while at the same time reducing costs.
The first question we get is... What is SD-WAN? Here is the Wikipedia answer:
SD-WAN is an acronym for software-defined networking in a wide area network (WAN). An SD-WAN simplifies the management and operation of a WAN by decoupling (separating) the networking hardware from its control mechanism. This concept is similar to how software-defined networking implements virtualization technology to improve data center management and operation.
A key application of an SD-WAN is to allow companies to build higher-performance WANs using lower-cost and commercially available Internet access, enabling businesses to partially or wholly replace more expensive private WAN connection technologies such as MPLS.
American market research firm Gartner predicted in 2015 that by the end of 2019 30% of enterprises will deploy SD-WAN technology in their branches.
This is typically accomplished by building a centrally managed full-mesh VPN overlay across every available WAN connection at a site, including consumer-grade broadband and wireless links (4G, 5G, fixed wireless, satellite). The promised benefits are:
- Service Level Agreements (SLAs) for enterprise applications
- Enterprise-grade WAN service delivered over lower-cost connections
- Lower cost of delivery through centralized, global management
- Faster deployment, keeping pace with the speed of the business
Over the last few years several new vendors and products have entered the market, and a few existing products have been rebranded and relaunched as SD-WAN solutions. As with most technologies, especially in the era of software-defined and converged infrastructure, analyst firms are trying to define a grouping that captures the core features of the solution and separates them from the value-added features.
The basic features found in all SD-WAN systems are:
- Application-level performance steering with latency mitigation
- Fast deployment over existing or commodity WAN links
- Enhanced network security and visibility
SD-WAN products can be differentiated by their features or capabilities, but this still does not lead to an understanding of what the product is, how it is deployed, and what it will accomplish. Gartner has created an SD-WAN classification based on the underlying product architecture:
- SD-WAN with embedded firewall
- Firewall with embedded SD-WAN
- SD-WAN with 3rd party Next Generation Firewall
- SD-WAN with cloud based security
With a traditional MPLS network we depend on the MPLS provider (ISP) to keep site-to-site traffic separated from other customers' traffic (MPLS isolates traffic, it does not encrypt it), and on a centralized firewall to provide perimeter security.
With typical SD-WAN deployments organizations are leveraging Direct Internet Access (DIA) WAN connections to each site and relying on the SD-WAN product for additional functions:
- Securing traffic between sites
- Routing traffic between sites
- Providing perimeter security for each site
By the nature of both its physical position in the network and the type of Internet connections being used, the SD-WAN device at most sites is acting as the de facto perimeter firewall for that site. This leaves a potential security gap if the SD-WAN device was not designed as a perimeter firewall, and it leaves only one of Gartner's four SD-WAN classifications as a valid architecture for most deployments.
Here is an excerpt from a Gartner White Paper dealing with this issue:
Yet, SD-WAN does not come without its challenges. The most prevalent ones include:
- While moving to direct Internet access for cloud services improves productivity, it simultaneously raises more security concerns at distributed enterprise locations
- 90% of SD-WAN vendors are not traditional security vendors, and thus there are serious gaps with many of their solutions.
Although SD-WAN may have started as a networking technology, the future of SD-WAN lies in balanced security and advanced WAN capabilities.
LANAIR Group believes that a firewall with embedded SD-WAN is the correct solution for most organizations. It is our belief that Fortinet is the best-in-class SD-WAN product.
Fortinet has been recognized by NSS Labs as one of only four recommended SD-WAN products, and the only product from a security vendor. The Fortinet SD-WAN solution is built into every physical and virtual FortiGate firewall.
Fortinet is the only NGFW vendor to provide native SD-WAN along with integrated advanced threat protection. Fortinet received the "Recommended" rating in the first Software-Defined Wide Area Networking test conducted by NSS Labs, delivering excellent quality of experience for voice and video, high VPN throughput, and the best price/performance.
FortiGate SD-WAN replaces separate WAN routers, WAN optimization appliances, and security devices with a single solution that is application-aware and offers automatic WAN path control and multi-broadband support. It improves application performance, reduces WAN operating expenses, and minimizes management complexity.
Please watch the demo of the Fortinet SD-WAN solution: