
Aug 29, 2021

SD-WAN and Next-Gen Security – Natural Bedfellows


Software-Defined Wide Area Networking (SD-WAN) represents the modernization of the enterprise edge. Regardless of which SD-WAN market or analyst report we look at, SD-WAN is a multi-billion-dollar market with a compound annual growth rate (CAGR) of 25-35%. Carriers and vendors worldwide continue to roll out managed SD-WAN services. Major security and networking vendors all have SD-WAN (and now Secure Access Service Edge, or SASE) solutions in their portfolio, whether built organically or acquired.

In our engagements with global carriers and conversations with enterprises, it’s clear that today’s security and WAN connectivity decisions are a joint determination between networking and security teams. Previously, networking teams at enterprises focused on establishing connectivity to various company locations — procuring and provisioning fixed-line access to remote offices was the job of the network WAN manager. Meanwhile, separate security teams managed the firewall procurement, deployment, and management. Fast forward a decade, and now SD-WAN selection is a joint decision made by security and networking. This same pattern is repeated across other domains, including the data center and campus.

For enterprises, SD-WAN and security are intertwined decisions, and we see two views of this relationship.

Security as a Foundation for SD-WAN

First, having security as the foundation for SD-WAN. Virtually all enterprises today (even small and medium businesses) have firewall appliances at their edge locations. These firewalls, or next-generation firewalls (NGFW), are a huge industry in their own right. Many of these NGFWs now benefit from having built-in SD-WAN features that enable:

  • Improved management and visibility — Zero-touch provisioning (ZTP) and centralized management dashboards facilitate large deployments, easy monitoring, and fast troubleshooting.
  • Better resiliency — SD-WANs provide capable multi-link handling and secure overlays that go beyond basic VPNs. This allows the enterprise to use multiple lower-cost broadband options instead of expensive MPLS fixed lines. Multi-link coupled with 4G LTE or 5G mobile links and intelligent failover policies ensure high uptime across home offices and remote branches. Secure overlays provide enterprise connectivity reach into multiple locations, including virtual machines located in public clouds.
  • Enhanced productivity — Leveraging the content and application-aware inspection engines on security devices, the SD-WAN function can improve the quality-of-experience for the enterprise user. Prioritizing access for CRM, ERP, or web conferencing applications over video downloads or bulk file transfers can help enhance an employee’s work experience.

SD-WAN is a natural extension of the NGFW and can leverage these devices’ deep packet inspection and content/context-awareness. The same classification engines used to drive security decisions can also determine which links to send traffic over. They can inform queueing priorities to enable fine-grained quality-of-service (QoS) controls.

SD-WAN as a Foundation for Security

The second view revolves around SD-WAN as the foundation for next-generation security features. Once NGFWs evolve into SD-WAN security solutions, the SD-WAN platform lays the groundwork for new capabilities. The centralized cloud management enables the incremental update of new features. Flexible policy-driven routing can enable service chaining of new security features in the cloud without having to build these features into the SD-WAN customer premises equipment (CPE). For example, cloud-based services for advanced malware detection, secure web gateways, cloud-access security brokers, and other security features can be enabled via the SD-WAN platform, seamlessly bringing these and other next-gen security functions to enterprises.
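The two preceding sections describe one mechanism from two angles: the NGFW's application classification decides which link a flow takes and which QoS queue it gets, and the same policy lookup decides whether the flow breaks out locally, rides the overlay to the data center, or is service-chained through a cloud security function such as a secure web gateway. The Python below is an added example that is not code from any product or from the author; it sketches a CPE policy engine with a hypothetical policy table keyed by the classification label, constructed link health figures, SLA-based link selection with failover, and a fail-closed default for unclassified traffic and for the no-link case.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Link:
    """One WAN link with the health the CPE measures by probing (values constructed)."""
    name: str
    latency_ms: float
    loss_pct: float
    cost: int          # relative cost per bit; cheapest link wins when the SLA is met
    up: bool = True


@dataclass
class AppPolicy:
    """What the NGFW classification label means for forwarding."""
    qos_class: str      # "realtime" | "business" | "bulk"
    max_latency_ms: float
    max_loss_pct: float
    egress: str         # "overlay-dc" | "cloud-swg" | "local-breakout" | "drop"


# Hypothetical policy table keyed by the NGFW's application label.
POLICY = {
    "webconf": AppPolicy("realtime", 150, 1.0, "local-breakout"),
    "crm":     AppPolicy("business", 250, 2.0, "cloud-swg"),
    "erp":     AppPolicy("business", 250, 2.0, "overlay-dc"),
    "bulk":    AppPolicy("bulk", 1000, 10.0, "local-breakout"),
    "malware": AppPolicy("bulk", 0, 0, "drop"),
}
# Unclassified traffic is never broken out locally; it is chained through the cloud SWG.
DEFAULT_POLICY = AppPolicy("bulk", 1000, 10.0, "cloud-swg")


@dataclass
class Decision:
    app: str
    qos_class: str
    link: Optional[str]
    egress: str
    sla_met: bool


def select_link(links: List[Link], policy: AppPolicy) -> Tuple[Optional[Link], bool]:
    """Cheapest healthy link that meets the app's SLA. If none meets it, fail over to
    the lowest-latency link that is up and flag the decision as best-effort."""
    up = [l for l in links if l.up]
    if not up:
        return None, False
    meeting = [l for l in up
               if l.latency_ms <= policy.max_latency_ms and l.loss_pct <= policy.max_loss_pct]
    if meeting:
        return min(meeting, key=lambda l: l.cost), True
    return min(up, key=lambda l: l.latency_ms), False


def steer(app_label: str, links: List[Link]) -> Decision:
    """Turn a classification label into a forwarding decision: queue, link and egress."""
    policy = POLICY.get(app_label, DEFAULT_POLICY)
    if policy.egress == "drop":
        return Decision(app_label, policy.qos_class, None, "drop", True)
    link, met = select_link(links, policy)
    if link is None:
        # Fail closed: no usable link means no path, rather than silently bypassing policy.
        return Decision(app_label, policy.qos_class, None, "drop", False)
    return Decision(app_label, policy.qos_class, link.name, policy.egress, met)


def demo_links() -> List[Link]:
    """Constructed branch: cheap broadband, LTE backup, expensive MPLS."""
    return [Link("broadband", 40, 0.5, 1), Link("lte", 90, 1.5, 5), Link("mpls", 30, 0.1, 10)]


if __name__ == "__main__":
    links = demo_links()
    for app in ("webconf", "erp", "malware", "unknown-saas"):
        print(steer(app, links))
    links[0].loss_pct = 3.0          # broadband degrades: web conferencing moves to MPLS
    print(steer("webconf", links))
    links[2].up = False              # MPLS also fails: best-effort on broadband, SLA flagged
    print(steer("webconf", links))
```

The point to notice is the `sla_met` flag and the `drop` default: a real CPE should surface best-effort placements to the controller as telemetry, and an unclassified flow should go through the inspection chain rather than straight out the cheapest link.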

This coordination between a cloud-based service and the on-premises SD-WAN CPE allows new security applications to benefit from both the convenience and proximity of an on-site device and the near-infinite scalable computing power of the cloud.

The Power of Cloud + CPE

When new security services require significant computing power (e.g., AI and machine learning-based behavioral detection to identify malicious applications or covert attackers), they can run efficiently and more cost-effectively in the cloud, taking advantage of economies of scale. The cloud-based AI/ML inference engines sort good traffic from bad, and the centralized controllers push the resulting verdicts down to the branch, where the CPE enforces them locally and quickly.

Other new services that make sense to run locally, like enabling zero-trust access controls on the branch local area network (LAN), can be pushed down from the cloud controller, loaded, and executed on the on-premises CPE (the evolution of the NGFW appliance).
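The last two paragraphs describe a split: the cloud decides (ML verdicts), the controller pushes, and the CPE enforces, both on WAN flows and as zero-trust rules on the branch LAN. The Python below is an added example, not code from the author or from any SD-WAN vendor, showing the CPE side of that loop with two checks a practitioner would insist on: the pushed policy bundle is authenticated (here with a hypothetical per-device HMAC key assumed to be provisioned at zero-touch onboarding; production systems would use device certificates) and its version must be strictly newer than what is installed, so a replayed or rolled-back bundle is refused. Verdicts carry an expiry, so a stale cache entry defers back to the cloud instead of being trusted forever, and LAN access is default-deny. All fingerprints, roles and segments are constructed.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Hypothetical per-device key provisioned at zero-touch onboarding (constructed value).
DEVICE_KEY = b"constructed-demo-key-not-for-production"


def controller_sign(bundle: dict, key: bytes = DEVICE_KEY) -> dict:
    """Controller side: canonical JSON plus HMAC-SHA256 so the CPE can authenticate the push."""
    body = json.dumps(bundle, sort_keys=True, separators=(",", ":"))
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


class Cpe:
    """Branch enforcement point: caches cloud verdicts and runs LAN zero-trust rules locally."""

    def __init__(self, key: bytes = DEVICE_KEY):
        self.key = key
        self.version = 0
        self.verdicts: Dict[str, Tuple[str, int]] = {}   # flow fingerprint -> (verdict, expiry)
        self.lan_rules: List[dict] = []

    def apply_bundle(self, signed: dict) -> bool:
        """Accept a policy push only if it is authentic and newer than what is installed."""
        expected = hmac.new(self.key, signed["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signed["mac"]):
            return False                      # tampered, or not from our controller
        bundle = json.loads(signed["body"])
        if bundle["version"] <= self.version:
            return False                      # replay, or rollback to an older policy
        self.version = bundle["version"]
        self.verdicts = {v["fingerprint"]: (v["verdict"], v["expires"]) for v in bundle["verdicts"]}
        self.lan_rules = bundle["lan_rules"]
        return True

    def enforce_wan(self, fingerprint: str, now: int) -> str:
        """Fast path for WAN flows: act on a fresh cloud verdict, otherwise defer to the cloud."""
        hit = self.verdicts.get(fingerprint)
        if hit and hit[1] > now:
            return "block" if hit[0] == "malicious" else "allow"
        return "send-to-cloud"                # unknown or stale: let the ML engine decide

    def enforce_lan(self, identity: dict, posture: dict, dst_segment: str) -> str:
        """Zero-trust LAN access: explicit allow per role and segment, compliant device where required."""
        for rule in self.lan_rules:
            if rule["role"] == identity["role"] and rule["segment"] == dst_segment:
                if rule.get("require_compliant") and not posture.get("compliant", False):
                    return "deny"
                return "allow"
        return "deny"                         # no matching rule: default deny


def build_bundle(version: int, now: int) -> dict:
    """Constructed controller payload: verdicts from the cloud engine plus LAN segmentation rules."""
    return {
        "version": version,
        "verdicts": [
            {"fingerprint": "sha256:c2-beacon-profile", "verdict": "malicious", "expires": now + 3600},
            {"fingerprint": "sha256:crm-saas-profile", "verdict": "benign", "expires": now + 60},
        ],
        "lan_rules": [
            {"role": "finance", "segment": "erp", "require_compliant": True},
            {"role": "guest", "segment": "internet"},
        ],
    }


if __name__ == "__main__":
    now = 1_700_000_000
    cpe = Cpe()
    print(cpe.apply_bundle(controller_sign(build_bundle(1, now))))     # True
    print(cpe.enforce_wan("sha256:c2-beacon-profile", now))            # block
    print(cpe.enforce_wan("sha256:crm-saas-profile", now + 120))       # send-to-cloud (stale)
    print(cpe.enforce_lan({"role": "finance"}, {"compliant": False}, "erp"))   # deny
```

The version check matters as much as the signature: a valid but old bundle re-sent by an attacker who captured it would otherwise quietly revert the branch to a weaker policy.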

As the SD-WAN platform evolves, it takes on additional capabilities that move it into Gartner's SASE category. This natural evolution path for branch security devices (NGFW to SD-WAN to SASE) allows enterprises to benefit from each stage of the journey as the technology hits the mainstream. It's a path that we see out in the real world across all routes to market for enterprises: system integrators, VARs, networking and security vendors, and managed service providers (including carriers). From our perspective, it's a relatively painless path to embark on for many enterprises looking to modernize their WANs.

About the Author

Roy Chua is founder and principal at AvidThink, an independent research and advisory service formed in 2018 out of SDxCentral's research arm. Roy was previously co-founder at SDxCentral, where he ran both the research and product teams. Roy was formerly a management consultant working with both Fortune 500 and startup technology companies on go-to-market and product consulting. As an early proponent of the software-defined infrastructure movement, Roy is a frequent speaker at events in the telco and cloud space and a regular contributor to leading technology publications. A graduate of UC Berkeley's electrical engineering and computer science program and MIT's Sloan School of Business, Chua has 20+ years of experience in telco and enterprise cloud computing, networking and security, including founding several Silicon Valley startups.