SD-WAN

What is SD-WAN?

Unlike SD-WAN, the conventional router-centric model distributes the control function across all devices in the network and simply routes traffic based on TCP/IP addresses and ACLs. This traditional model is rigid, complex, inefficient, and not cloud-friendly and results in poor user experience. 

SD-WAN works by continuously evaluating the performance of all available network links and intelligently routing traffic based on real-time conditions and business policies. For example, it can prioritize a VoIP call over a low-priority software update or steer sensitive data through a secure MPLS link while routing bulk traffic over broadband. 

The key mechanisms include: 

• Application-aware routing: Identifies applications on the first packet and applies QoS (Quality of Service) rules to ensure performance and reliability. 

• Dynamic path selection: Chooses the optimal path for each application flow based on link metrics like latency, jitter, and packet loss. 

• Forward Error Correction: Enhances link quality by correcting packet loss and smoothing out performance issues over unreliable connections. 

• Tunnel bonding: Combines multiple WAN links into a single logical connection to improve throughput and resilience. 

Traffic is encapsulated within secure tunnels (typically IPsec) to ensure confidentiality and integrity, even over public networks. Advanced secure SD-WAN also supports segmentation of traffic based on user, application, or device roles to prevent lateral movement and maintain security boundaries.

Times have changed, and enterprises are using the cloud and subscribing to software-as-a-service (SaaS). While users traditionally connected back to the corporate data center to access business applications, they are now better served by accessing many of those same applications in the cloud. 

As a result, the traditional WAN is no longer suitable mainly because backhauling all traffic—including that destined to the cloud—from branch offices to the headquarters introduces latency and impairs application performance. SD-WAN provides WAN simplification, lower costs, bandwidth efficiency and a seamless on-ramp to the cloud with significant application performance especially for critical applications without sacrificing security and data privacy. Better application performance improves business productivity, customer satisfaction, and ultimately profitability. Consistent security reduces business risk.

• Improved performance: Routes applications via optimal paths and eliminates backhauling to the data center 

• Enhanced security: Many SD-WAN solutions include encryption, firewalls, and advanced security features. They tightly integrate with SSE to form a SASE architecture  

• Cloud-centric: optimizes and secure cloud access from branch locations 

• Cost savings: Reduces dependency on costly MPLS circuits by leveraging cheaper internet links. 

• Simplified management: Centralized control makes it easier to configure and monitor the network.

• Not all SD-WANs are created equal: Many SD-WAN solutions are basic SD-WAN solutions or “just good enough” solutions. These solutions lack the intelligence, security, performance, and scale needed to ensure a secure network experience and build a robust SASE architecture. And remember, without a fast, secure, and high performing network, enterprise digital transformation and cybersecurity initiatives can stall. So, what is a secure business-driven secure SD-WAN and why is basic SD-WAN not good enough? 
• Consistent Quality of Experience (QoEx). A key benefit of an advanced SD-WAN solution is the ability to actively use multiple forms of WAN transport simultaneously. A basic solution can direct traffic on an application basis down a single path, and if that path fails or is underperforming, it can dynamically redirect to a better performing link. However, with many basic solutions, failover times around outages are measured in tens of seconds or longer, often resulting in annoying application interruption. A business-driven SD-WAN intelligently monitors and manages all underlay transport services. It can overcome the challenges of packet loss, latency and jitter to deliver the highest levels of application performance and QoEx to users, even when WAN transport services are impaired. Unlike a basic SD-WAN, a business-driven SD-WAN handles a total transport outage seamlessly and provides sub-second failover that averts interrupting business-critical applications such as voice and video communications. It continuously adapts to changes in the network, automatically adapting in real time to any changes that could impact application performance, including network congestion, brownouts and transport outage conditions.  
• Built-in security. A secure business-driven SD-WAN includes a next-generation firewall to efficiently secure branch locations. Key capabilities include intrusion detection and prevention (IDS/IPS) and end-to-end segmentation. Other advanced SD-WANs can protect organizations against DDoS attacks. The integration of a next-generation firewall enables organizations to easily replace legacy branch firewalls, reducing the hardware footprint. Additionally, security policies are centrally managed eliminating the need to have IT trained personnel locally and avoiding misconfigurations.  
• Role-based segmentation. While basic SD-WANs provide the equivalent of a VPN service, a secure business-driven SD-WAN provides more comprehensive, end-to-end role-based segmentation. By adding user and device identity and role-based policy, advanced secure SD-WANs are able to provide fine-grained segmentation and enforce zero trust. A secure SD-WAN then creates end-to-end zones, from the LAN to the WAN, across any combination of users, devices, application groups and virtual overlays, propagating security policies to all remote sites. Based on the least privilege access principle, it ensures that users and IoT devices only communicate with destinations consistent with their role in the business, while reducing unauthorized access and limiting the scope of incidents. 
• Multi-cloud networking. Advanced SD-WANs can be deployed in a public cloud such as AWS, Azure and Google Cloud to optimize connections between branch locations and the cloud using all the SD-WAN benefits. If a brownout or blackout occurs, the remaining link(s) continue to carry traffic so that users don’t notice any disruption to voice calls, audio and video conferences, or any other application. Ruggedized first mile between the branch and the public cloud delivers better network performance, reliability, and quality. 
• Ideally, enterprise customers need to shift to a secure business-driven secure SD-WAN platform that unifies SD-WAN, firewall, segmentation, routing, WAN optimization and visibility and control functions, all in a single, centrally managed platform.