SD-WAN and Cybersecurity: Two Sides of the Same Coin

Software-defined wide area networking, or SD-WAN, is the next frontier for the network edge. Multiple analysts report that the SD-WAN market is in the billions of dollars, with an annual growth rate in the 25% to 35% range. Managed service providers and carriers globally are increasingly deploying managed SD-WAN services to reach new markets. Almost all networking and security vendors have SD-WAN offerings, complicating the decision when choosing an SD-WAN solution.

Security and WAN connectivity decisions have become a collaborative decision between the security and networking teams. Prior to this, enterprise networking teams were responsible for setting up connectivity to major company locations, while connections to branches and remote offices fell to the enterprise WAN manager. In the meantime, dedicated security teams were tasked with procuring, deploying, and managing firewalls.

Over time, the selection of an SD-WAN solution has become a mutual decision made by the security and networking teams. Further, for most organizations, SD-WAN and security have become closely enmeshed decisions. This interdependency can be viewed in a couple of ways.

Security as the foundation for SD-WAN

First, we’ll focus on the perspective of cybersecurity as the foundation for SD-WAN. Almost without exception, enterprises (even small- and medium-sized businesses) have next-gen firewalls (NGFW) at the network edge – doing otherwise would leave the front door wide open for attackers. Many NGFWs now offer built-in SD-WAN features that include these benefits:

• Improved visibility and management — Broad perspectives across network assets allow easy monitoring for potential threats and fast troubleshooting. Zero-touch provisioning (ZTP) and centralized management dashboards enable large deployments.
• Enhanced resiliency — SD-WANs handle multiple broadband connections with secure overlays that go beyond basic VPNs. This allows enterprises to use lower-cost broadband options rather than expensive MPLS lines. Multiple links, including 4G and 5G mobile links, and intelligent failover helps ensure high availability for home offices and remote branches. SD-WAN’s secure overlays can extend connectivity into multiple locations – including virtual machines hosted in public clouds.
• Better productivity — By leveraging the application- and content-aware inspection engines on NGFWs, SD-WAN can improve the overall quality of experience for end users. By giving priority access to business applications, for example, rather than video downloads or bulk file transfers, the employee’s work experience can be enhanced.

SD-WAN is a natural extension of NGFWs that can leverage these devices’ content/context awareness and deep packet inspection. The same classification engines used by NGFWs to drive security decisions can also determine the best links to send traffic over. These engines can also guide queueing priorities, which in turn enables fine-grained quality-of-service (QoS) controls.

SD-WAN as the foundation for next-gen cybersecurity

The other perspective views SD-WAN as the foundation for next-generation cybersecurity. Centralized cloud management is key to enabling incremental updates of these new features. Further, flexible policy-driven routing enables service chaining of new security features in the cloud rather than building these features into the SD-WAN customer premises equipment (CPE). For example, cloud-based services for advanced malware detection, secure web gateways, cloud-access security brokers, and other security features can be enabled via the SD-WAN platform, seamlessly bringing these and other next-gen security functions across the enterprise.

The coordination between the cloud-based SD-WAN service and the on-premises SD-WAN CPE allows new security applications to benefit from both the convenience and proximity of an on-site device and the near-infinitely scalable computing power of the cloud.

The power of cloud plus CPE

While advanced security services require significant computing power (like AI and machine learning identification of threats), they can run efficiently and more cost-effectively in the cloud and take advantage of economies of scale. Local and rapid enforcement at the branch can be coordinated via centralized controllers using the cloud-based AI/ML engines to discern good traffic from potential threats.

Other new services that are more practical to run locally, like zero-trust access controls on the branch network, can be pushed down from the cloud SD-WAN controller, loaded, and executed on the on-premises CPE.

As SD-WAN evolves, it can further develop into Gartner’s SASE category. This natural path for security devices (from NGFW to SD-WAN to SASE) allows enterprises to gain benefit from each stage of the journey as the technology reaches maturity. It’s a path that we see out in the real world across all vendor routes for enterprises: systems integrators, VARs, networking and security manufacturers, and managed service providers. From our perspective, it’s a relatively painless path to embark on for many enterprises looking to modernize their WANs.

To learn more about SD-WAN, view our white paper.