3 generations of secure SD-WAN services


You simply can’t take advantage of all that SD-WAN has to offer without giving branch offices local Internet access and you can’t give them local Internet access without securing them. SD-WAN for all its strengths does not provide robust edge security. Yes, data is encrypted in transit. And, yes, some SD-WAN appliances come with basic stateful firewalling capabilities. But with attacks coming at layer-7, branches require a next-generation firewall (NGFW) and updated IPS/IDS capabilities to protect locations —  not a basic firewall. For all intents and purposes, branch SD-WAN needs layer-7 security, which is why you see so many SD-WAN vendors striking partnerships with security vendors or some building security into their appliances.

Now, once you’re talking about secure SD-WAN at the branch, providing that as service makes an awful lot of sense. Companies spend an inordinate amount of time deploying, sizing and maintaining their security infrastructure. And in the race to be cost competitive, security vendors have to right-size their appliances. The flip side of which is that increases in traffic loads or enabling compute-intensive features, such as SSL intercept, often force companies into appliance upgrades. And unlike IT teams, security teams are in a constant race against attackers. When a security vendor issues a patch against the latest threat the time to deploy is crucial. All of which adds burden to an overloaded IT team. Outsourcing all of that to a provider is just a smart move.

Which leads to three types of secure SD-WAN services.

Generation no. 1: multiple physical appliances

In the first case, service providers integrate multiple physical appliances to deliver the service. You’ve offloaded the burden of managing, running and sizing the various boxes. This is not like a cloud service where the capital and operational costs can be neatly amortized across various customers. You’re still paying for those boxes and the necessary integration, only now it’s being done through the service provider over a three-year contract. It also means that to troubleshoot you still need to jump between different consoles of each product.

Leave a Reply

Your email address will not be published. Required fields are marked *