SD-WAN: Use Cases and Best Security Practices

Ben Ferguson

SD-WAN. The most hyped up WAN technology of 2018. And quite possibly the biggest “me too” in telecom right now.

You’ll find plenty of sales people who’ll tell you that they can cut your WAN costs by 70+% while supercharging your throughput and optimizing virtually every possible application you may be running on your IT stack.

But before you buy into all the hoopla, I think it’s time to set the record straight on what SD-WAN actually is. Additionally, you need to know what its prime use cases are, how to create a secure SD-WAN solution for yourself, and of course, expose its limitations.

Moving from Hub-Centric to Cloud-Centric

Let’s start off with the best use case of SD-WAN: a cloud-centric network.

Back in the day (or really just a couple years ago), we the IT community required a secure technology that connected remote sites over the fewest number of hops back to our core data center or centers. We needed a mesh topology for instantaneous failover to check off the fault tolerance box. Bandwidth was expensive, so we needed to be able to chop up traffic and tag real time and mission critical applications with Class of Service (CoS) tags to make sure our users could function productively. MPLS fit the bill well for this, and it was completely private.  In-flight traffic encryption was more of a preference, not a necessity.

Along comes the decreasing price of bandwidth, ubiquitous fiber access and the mass adoption of the cloud. Customers were moving all of their compute and storage to the cloud in droves for the cost savings and increased IT agility that was promised by the cloud. All of a sudden, that hub-and-spoke network didn’t work for cloud-centric organizations, and a new solution was needed.

Enter: SD-WAN.

SD-WAN allowed companies to maintain hub-and-spoke topologies with their site-to-site communications (i.e. VOIP, point to point video, legacy apps in a data center, etc) over encrypted tunnels, but it also allowed customers to get faster access to internet, SaaS and Cloud applications over low-cost, high-bandwidth internet circuits. They could further increase fault tolerance with SD WAN by getting primary and secondary circuits with seamless active-active configurations.

For customers with Hybrid Cloud topologies, many SD-WAN solutions could run over both private and public networks via transport abstraction. I will be covering that in great detail in a future blog (stay tuned!).

In the traditional hub-and-spoke model, all internet traffic would run through centralized firewalls. Those firewalls make it easy to set company-wide access policies in a few clicks, in a few places. Now, with SD WAN and the ingress/egress points of the network going from few to many, we now have to address proper security best practices.

SD-WAN with Integrated Security

In addition to standard end-to-end encryption, many SD-WAN vendors offer integrated firewalls with their SD-WAN appliances. They also offer partnerships with companies like Fortinet and/or Palo Alto. The best of these offer advanced new generation firewalls (NGFW).  NGFW operate on the higher levels of the stack (levels 4 to 7). While this is a valid way to secure the WAN, it does have a few downsides.

First, the security configuration generally has to be managed yourself, adding to the workload of in-house IT personnel. Also, being hardware-based, there is also the possibility that future service needs will require a physical upgrade, increasing Opex or Capex expenditure and limiting scalability.

In order to maximize protection of the firewall, mobile users have to connect to the office. This can complicate network management and also lead to connectivity or user experience issues. The common result is mobile users taking easier but far less secure route of creating their own SaaS accounts with increasingly powerful consumer-grade applications.

Next Gen Firewalls with Integrated SD-WAN

In contrast to the above, some NGFW vendors include SD-WAN capabilities as part their firewall appliances. This offers enhanced security but can also adversely affect connection switching speed. Unlike advanced SD-WAN appliances which can deliver sub-second switching, NGFWs often perform poorly on this front. For example, they may lack functions such as path metrics for quickly determining the best connection.

Furthermore, NGFWs still experience the same hardware-based restrictions that come with deploying, maintaining, testing and managing SD-WAN edge appliances.

Managed SD-WAN with embedded NGFW delivered as a Service

Call me biased, but when it comes to the new fully managed SD-WAN solutions with embedded NGFW delivered as a service, we’re welcoming it with open arms. Why? Because these options resolve the necessity for your in-house IT department to manage your SD WAN or security services. Instead, your chosen vendor will take care of the technical side of things in accordance with an SLA, for a monthly fee.

One potential downside to this strategy, though, is the lack of enterprise control. Deciding to trust a third party with a mission-critical service should always be treated with due caution. We recommend a co-managed model with clearly defined roles, responsibilities, change management processes and SLAs.\

Making the Best Decision For Your Business

As with all IT procurement decisions, your final decision will depend on many enterprise-specific factors. Fortunately, you can partner with a vendor-independent SD-WAN consulting company to audit your current infrastructure. Comparing it with your company goals will help you make a smart, secure and cost-effective choice.

The reality is, security of your SD-WAN architecture is far too important delegate to your in-house IT department. Bringing in a consulting company that specializes in SD-WAN architecture is the best way to ensure that you’re making the most-informed decision for your network as possible.

Tags: , , , , , , , , , , , , , , , , ,