Secure SD‑WAN
What is secure SD‑WAN?

A secure SD‑WAN accelerates the journey to SASE (Secure Access Service Edge). It combines advanced SD‑WAN capabilities such as tunnel bonding, dynamic path selection, and zero-touch provisioning with next-generation firewall features including IDS/IPS and DDoS protection. It seamlessly integrates with cloud-delivered security services (Security Service Edge or SSE) and enforces consistent network and security policy across branch locations.

Secure SD‑WAN explained

Over the years, branch offices and remote locations have accumulated a sprawl of network and security equipment. This equipment is not only difficult to maintain, it was never designed for the cloud. With traditional router-centric WAN architectures, traffic must be backhauled to the corporate data center for security inspection, which significantly degrades application performance. Additionally, security policy is inconsistent across branch locations, exposing the whole organization to potential security breaches.

A secure SD‑WAN not only allows organizations to retire traditional routers but also lets them replace legacy branch firewalls.

A secure SD‑WAN includes advanced SD‑WAN and security capabilities that enable organizations to reduce device footprint and enforce consistent policy across branches. It also improves application performance by selecting the best path and automatically steering traffic to the cloud. It provides the security functions needed at the branch and complements SSE, which delivers other security functions such as ZTNA, SWG and CASB.

How does a secure SD‑WAN work?

Secure SD‑WAN solutions provide advanced security functions to protect branch locations. They:

  • Secure communications across the entire SD‑WAN fabric by building IPsec tunnels using AES 256-bit encryption
  • Include next-generation firewall functions such as deep packet inspection, intrusion prevention and DDoS protection
  • Segment the traffic based on role and identity
  • Enforce policy for both WAN-specific functions and security policies
  • Log security events to help quickly identify and respond to incidents

A secure SD‑WAN also tightly integrates with SSE services to form a SASE architecture, securing remote users who access sensitive data in the cloud through untrusted links. This integration adds capabilities such as Zero Trust Network Access (ZTNA), Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Firewall as a Service (FWaaS), Remote Browser Isolation (RBI) and sandboxing.

In addition to security features, a secure SD‑WAN can seamlessly combine heterogeneous links such as MPLS, internet, and 5G through tunnel bonding, increasing network bandwidth and providing redundancy. If a brownout or blackout occurs on one link, the remaining link(s) continue to carry traffic, providing dependability and reliability.

Organizations can even replace expensive MPLS connections with internet-only links, because the solution provides techniques such as Forward Error Correction (FEC), which rebuilds lost packets at the destination to reduce the jitter and packet loss often found on internet links. It also overcomes the latency effects of geographical distance with WAN optimization through TCP acceleration and data reduction techniques.

A secure SD‑WAN also routes traffic based on business intent rather than TCP/IP addresses, and generally includes a built-in router that supports the OSPF and BGP protocols. As workloads move to the cloud, a secure SD‑WAN enables organizations to intelligently steer traffic to the cloud based on application type without backhauling it to the data center. For example, traffic for trusted cloud applications such as Microsoft 365 or Workday can be sent directly to the cloud, while in-house legacy application traffic is sent to the data center. An advanced SD‑WAN uses zero-touch provisioning to automatically distribute configuration updates to hundreds or thousands of branches in minutes while minimizing errors.
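The FEC idea described above, as an added illustrative example that is not HPE Aruba Networking EdgeConnect code: the sender appends one XOR parity packet to every group of k data packets, and the receiver rebuilds a single lost packet of the group from the others instead of waiting for a retransmission across the high-latency link. The packet layout, the group size, the fixed payload size and the sample payloads are all assumptions of this example.

```python
"""Simplified XOR-parity forward error correction (FEC), for illustration only.

Constructed example (not EdgeConnect code): one parity packet per group of k
equal-size data packets lets the receiver repair exactly one missing packet.
Real FEC schemes use stronger codes and carry explicit payload lengths.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass(frozen=True)
class Packet:
    group: int      # FEC group identifier (assumed header field)
    index: int      # 0..k-1 for data packets, k for the parity packet
    payload: bytes  # fixed-size payload, zero-padded by the sender


def encode_group(group: int, payloads: List[bytes], size: int) -> List[Packet]:
    """Pad each payload to `size` bytes and append one XOR parity packet."""
    padded = [p.ljust(size, b"\x00") for p in payloads]
    parity = bytes(size)
    for p in padded:
        parity = xor_bytes(parity, p)
    packets = [Packet(group, i, p) for i, p in enumerate(padded)]
    packets.append(Packet(group, len(padded), parity))
    return packets


def decode_group(received: List[Packet], k: int) -> Optional[List[bytes]]:
    """Return the k data payloads, rebuilding at most one missing packet.

    Returns None when more than one packet of the group is missing: a single
    parity packet cannot repair that, so the caller must fall back to
    retransmission or accept the loss.
    """
    by_index: Dict[int, bytes] = {p.index: p.payload for p in received}
    missing = [i for i in range(k + 1) if i not in by_index]
    if len(missing) > 1:
        return None
    if missing:
        lost = missing[0]
        size = len(next(iter(by_index.values())))
        acc = bytes(size)
        for payload in by_index.values():
            acc = xor_bytes(acc, payload)
        by_index[lost] = acc  # XOR of all other packets equals the missing one
    return [by_index[i] for i in range(k)]


def simulate(payloads: List[bytes], size: int, drop_indices) -> Optional[List[bytes]]:
    """Encode a group, drop the given packet indices 'on the link', then decode.

    Padding is stripped for readability; the constructed payloads contain no
    trailing zero bytes, so this is safe here.
    """
    k = len(payloads)
    sent = encode_group(1, payloads, size)
    arrived = [p for p in sent if p.index not in drop_indices]
    recovered = decode_group(arrived, k)
    if recovered is None:
        return None
    return [p.rstrip(b"\x00") for p in recovered]


if __name__ == "__main__":
    # Constructed voice packets; packet 1 is lost on the internet link.
    print(simulate([b"voice-1", b"voice-2", b"voice-3"], 8, {1}))
```

The trade-off the code makes visible is bandwidth against repair capacity: one parity packet per group adds 1/k overhead and repairs one loss per group, and a second loss in the same group (the `None` return) still needs retransmission or concealment.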
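The two behaviours described above, tunnel bonding with failover on brownout or blackout and steering by business intent (trusted SaaS direct to the cloud, legacy applications to the data center, unknown web traffic service-chained to SSE), combined into one added example. This is illustrative code, not HPE Aruba Networking EdgeConnect code; the link names, measured loss and latency values, per-class thresholds and application classes are constructed for the example.

```python
"""Business-intent path selection with brownout handling (constructed example).

Each application class carries an intent: where its traffic should go and the
loss/latency it tolerates. The edge picks the best link that is currently
acceptable for that class and moves traffic off a link in brownout.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Link:
    name: str
    latency_ms: float
    loss_pct: float
    breakout: bool        # True if the link can reach the internet/SSE directly
    up: bool = True       # False models a blackout


@dataclass(frozen=True)
class Intent:
    name: str
    destination: str      # "internet" (direct), "sse" (service-chained) or "datacenter"
    max_loss_pct: float   # above this the link counts as a brownout for the class
    max_latency_ms: float


# Constructed intents mirroring the text's example.
INTENTS: Dict[str, Intent] = {
    "microsoft365": Intent("microsoft365", "internet", 2.0, 150),
    "legacy-erp": Intent("legacy-erp", "datacenter", 5.0, 300),
    "voip": Intent("voip", "datacenter", 1.0, 120),
}
# Anything not explicitly trusted is sent to the SSE cloud for inspection.
DEFAULT_INTENT = Intent("unknown-web", "sse", 3.0, 250)


def eligible(link: Link, intent: Intent) -> bool:
    """A link may carry a class only if it is up, can reach the destination,
    and is within the class's loss and latency thresholds."""
    if not link.up:
        return False
    if intent.destination in ("internet", "sse") and not link.breakout:
        return False
    return link.loss_pct <= intent.max_loss_pct and link.latency_ms <= intent.max_latency_ms


def select_path(app: str, links: List[Link]) -> Tuple[str, Optional[str]]:
    """Return (destination, link name); link is None when no link is acceptable."""
    intent = INTENTS.get(app, DEFAULT_INTENT)
    candidates = [link for link in links if eligible(link, intent)]
    if not candidates:
        return intent.destination, None
    best = min(candidates, key=lambda link: (link.loss_pct, link.latency_ms))
    return intent.destination, best.name


def set_link_state(links: List[Link], name: str, *, loss_pct=None, up=None) -> None:
    """Simulate a new measurement (brownout) or an outage (blackout) on a link."""
    for link in links:
        if link.name == name:
            if loss_pct is not None:
                link.loss_pct = loss_pct
            if up is not None:
                link.up = up


def sample_links() -> List[Link]:
    """Constructed branch uplinks: MPLS to the data center, broadband internet, 5G."""
    return [
        Link("mpls", latency_ms=40, loss_pct=0.1, breakout=False),
        Link("internet", latency_ms=60, loss_pct=0.5, breakout=True),
        Link("5g", latency_ms=90, loss_pct=1.5, breakout=True),
    ]


if __name__ == "__main__":
    links = sample_links()
    for app in ("microsoft365", "legacy-erp", "voip", "some-unknown-site"):
        print(app, "->", select_path(app, links))
    set_link_state(links, "mpls", loss_pct=3.0)  # MPLS brownout
    print("voip after MPLS brownout ->", select_path("voip", links))
```

The `None` result is the case to watch operationally: when no link meets a class's thresholds, the decision should be logged and alerted on rather than silently degraded, since the text's dependability claim rests on at least one acceptable link remaining.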

How a secure SD‑WAN enforces end-to-end security policy

In traditional environments, branch firewalls are configured manually, requiring endless hours of programming across tens, hundreds or thousands of sites and resulting in inconsistent security policies across the WAN. With a secure SD‑WAN, security policies are centrally configured and pushed to thousands of locations in a couple of minutes, minimizing errors and enforcing consistent policies.

A secure SD‑WAN provides end-to-end network segmentation spanning the LAN and the WAN, and even into the cloud. Security policies are defined on a zone-by-zone basis, limiting connectivity with other zones in compliance with predefined security policies, regulatory mandates, and business intent. For example, a policy could allow only outgoing traffic, allow incoming traffic only from approved applications and services, or block all traffic from less secure zones. A secure SD‑WAN greatly simplifies operations and essentially operates as a single logical firewall across the entire fabric.

Secure SD-WAN fabric diagram.
Why should I consider a secure SD‑WAN?

  • Retire traditional branch firewalls and routers
    Advanced secure SD‑WAN solutions that include next-generation firewall capabilities with role-based access control, fine-grained segmentation, IDS/IPS, and DDoS protection can enable organizations to seamlessly replace legacy branch firewalls. They can also secure untrusted links with IPsec tunnels and enforce policies at the branch and across the WAN through centralized orchestration. Additionally, a secure SD‑WAN enables organizations to replace legacy branch routers thanks to its built-in business-driven routing capabilities.
  • Simplify branch architecture
    By integrating multiple capabilities including SD‑WAN, routing, WAN optimization, and firewall, a secure SD‑WAN helps branch offices reduce hardware footprint and power consumption by consolidating branch network and security functions in one solution. A secure SD‑WAN can also be installed as a virtual appliance, saving even more equipment footprint and energy. The solution can be easily deployed across thousands of sites with zero-touch provisioning from a single console, improving IT efficiency and streamlining management.
  • Support a cloud-first architecture
    A secure SD‑WAN intelligently steers traffic to the cloud and eliminates the need for backhauling traffic, improving application performance. Based on first-packet identification, trusted SaaS and web traffic can be sent directly to the internet while unknown or untrusted web traffic can be service-chained to SSE cloud services.
  • Secure IoT devices
    A secure SD‑WAN implements zero-trust network segmentation to secure IoT devices that are unable to run security agents, and therefore goes beyond SASE. It uses an identity-based access control framework, segmenting traffic so that users and IoT devices can reach only the network destinations consistent with their role in the business.
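The zone-by-zone policy model from the section on end-to-end security policy and the role-based IoT segmentation described in the last bullet, as one added example. It is illustrative code, not HPE Aruba Networking EdgeConnect code: one ordered rule list with a default deny is evaluated for every inter-zone flow, exactly as a single logical firewall would apply it at every site. Zone names, the approved IoT service, port numbers and the sample flows are constructed for the example; the `app` field stands in for whatever first-packet classification the platform performs.

```python
"""Zone-based segmentation policy evaluated as one logical firewall.

Constructed example (not EdgeConnect code). Rules are matched in order and
the first match wins; a flow that matches nothing is denied, so every zone
is isolated from every other zone unless a rule says otherwise.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str      # "tcp" or "udp"
    dport: int
    app: str        # application name from first-packet classification (assumed)


@dataclass(frozen=True)
class Rule:
    src_zone: str                                        # zone name or "*"
    dst_zone: str                                        # zone name or "*"
    action: str                                          # "allow" or "deny"
    apps: Optional[FrozenSet[str]] = None                # None = any application
    ports: Optional[FrozenSet[Tuple[str, int]]] = None   # None = any (proto, port)

    def matches(self, f: Flow) -> bool:
        if self.src_zone not in (f.src_zone, "*") or self.dst_zone not in (f.dst_zone, "*"):
            return False
        if self.apps is not None and f.app not in self.apps:
            return False
        if self.ports is not None and (f.proto, f.dport) not in self.ports:
            return False
        return True


# Constructed policy illustrating the three patterns named in the text.
POLICY: List[Rule] = [
    # Corporate users: outgoing only. No rule allows traffic *into* corporate.
    Rule("corporate", "internet", "allow"),
    Rule("corporate", "datacenter", "allow"),
    # IoT devices cannot run agents, so their role gets exactly one approved
    # service: the telemetry broker in the data center on tcp/8883 (assumed).
    Rule("iot", "datacenter", "allow",
         apps=frozenset({"mqtt-telemetry"}), ports=frozenset({("tcp", 8883)})),
    # Guest Wi-Fi may browse the internet on a few ports ...
    Rule("guest", "internet", "allow",
         ports=frozenset({("tcp", 80), ("tcp", 443), ("udp", 53)})),
    # ... and, being the least secure zone, is blocked towards everything else.
    Rule("guest", "*", "deny"),
]


def evaluate(flow: Flow, policy: List[Rule] = POLICY) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule); (deny, None) on default deny."""
    for i, rule in enumerate(policy):
        if rule.matches(flow):
            return rule.action, i
    return "deny", None


def audit(flows: List[Flow], policy: List[Rule] = POLICY) -> List[Tuple[Flow, str]]:
    """Decisions for a batch of flows, e.g. to review a policy before pushing it."""
    return [(f, evaluate(f, policy)[0]) for f in flows]


if __name__ == "__main__":
    # Constructed sample flows seen at a branch.
    for flow, decision in audit([
        Flow("corporate", "internet", "tcp", 443, "web"),
        Flow("internet", "corporate", "tcp", 22, "ssh"),
        Flow("iot", "datacenter", "tcp", 8883, "mqtt-telemetry"),
        Flow("iot", "corporate", "tcp", 445, "smb"),
        Flow("guest", "corporate", "tcp", 445, "smb"),
    ]):
        print(f"{flow.src_zone}->{flow.dst_zone} {flow.proto}/{flow.dport} {flow.app}: {decision}")
```

Because the same `POLICY` list is what gets pushed to every site, an `audit` run over representative flows before the push is the cheap way to catch the inconsistency the text warns about, and the rule index returned by `evaluate` is what a security event log should record so that an allow or deny can be traced back to the rule that produced it.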
What are the benefits of secure SD‑WAN?

  • Increase IT efficiency
    A secure SD‑WAN supports all necessary networking and security functions and helps remove equipment sprawl in branches. With this solution, organizations can move to a thin branch model, streamlining network and security management.
  • Enhance flexibility
    A secure SD‑WAN enables flexibility when implementing security controls and networking functions at the branch. The solution can be easily and quickly deployed.
  • Reduce business risk
    A secure SD‑WAN provides security across the entire SD‑WAN fabric, spanning the WAN and the LAN, with end-to-end micro-segmentation capabilities. It helps organizations comply with regulatory frameworks such as HIPAA, PCI DSS, SOX, or NIST CSF.

HPE Aruba Networking EdgeConnect SD‑WAN

Enable data access wherever it lives with a secure SD‑WAN SASE solution that produces both the connectivity and security necessary for hybrid cloud.

Related topics

SSE (Security Service Edge)