SD-WAN and the 4 Types of Security Architectures

SASE Secure Access Service Edge

SD-WAN Security continues to be a hot topic and one that I receive many questions about. Vendors claims around security might sound alike but their offerings can be split into four types.

  • SD-WAN appliances with basic firewalling
  • SD-WAN appliance with advanced firewalls
  • Firewall appliances with SD-WAN capabilities
  • Secure SD-WAN as a Service

Let’s take a look at each one, their strengths, and their weaknesses.

SD-WAN Appliances with Basic Firewall

Many SD-WAN vendors deliver basic firewalling capabilities in their SD-WAN appliances. These firewalls are roughly equivalent to the stateful firewalls you might see in a branch office router. Capabilities will include policy-based filtering and blocking applications based on port or IP addresses. Examples include Cisco (Viptela), Silver Peak and Velocloud.

Basic stateful firewalls might be sufficient as phase 1 connectivity for connecting location across the Internet to specific SaaS IPs, but not for broader Internet access. For that, you’ll need capabilities such as—  next-generation firewall (NGFW), intrusion prevention system (IPS), URL filtering and more. It’s for that reason that SD-WAN appliance vendors have partnered with third-party security providers, such as Zscaler and Palo Alto, emphasizing the ability to direct traffic from across the SD-WAN to the security resources using service insertion and service chaining.

Security is improved over the basic firewalls included in their SD-WAN appliances using the third-party partners. Organizations then avoid the deployment and operational challenges of a security appliance at the branch.   Care must be still be taken that site-to-Internet and site-to-site traffic are secured. (Zscaler is only widely used for the former.) Companies are also left deploying and managing two entities — the SD-WAN and the firewall (appliance or service), requiring two different GUIs

SD-WAN Appliances with Advanced Firewall

To those ends, some vendors are including NGFW capabilities within their SD-WAN appliances. Some vendors are selecting and repackaging specific third-party NGFWs in their appliances. Open Systems, for example, claims to repackage best-of-breed, third-party services as part of its Managed Secure SD-WAN appliance. Its Mission Control Network Security service includes a distributed, enterprise-grade firewall; CASB, endpoint detection and response, network security monitoring; distributed network intrusion prevention, and WiFi security.

Other vendors are able to run third-party virtual network functions (VNFs) within their appliance. Versa Networks claims its  SD-Branch solution provides a full set of integrated networking (routing, SD-WAN, Ethernet, Wi-Fi) and security (NG firewall, secure web gateway, AV, IPS) functions. The virtual customer premises equipment (vCPE) can also run third-party VNFs.

Organizations gain one physical device to deploy, but they are still left managing separate security and networking domains, though its through a single GUI. It’s precisely that kind of fragmentation that has obscured IT visibility and control.

There’s also the question about the appliance form factor. Appliances come with their lifecycle carrying significant OPEX cost involved with testing, deploying, maintaining, and managing the appliance, unless you have a managed services agreement that includes appliance upgrades. The limited resources of an appliance can often force unexpected hardware upgrades as traffic levels jump or when enabling compute-intensive features, such as IPS or SSL intercept. Appliances are also limited to protecting the sites they secure. They do nothing for protecting mobile users unless they VPN back to the LAN, which often introduces performance problems, depending on the solution.

Firewall Appliances with SD-WAN

At the same time, several security vendors have announced SD-WAN capabilities for their NGFW appliances.  These include Barracuda, Fortinet, and Cisco Meraki, according to the Gartner report.

With SD-WAN-enabled firewall appliances, security is far better than the basic firewalls included in SD-WAN appliances. However, organizations are still limited by the constraints of appliances. More importantly, while many of these appliances appear good on paper, they lack the maturity of a seasoned SD-WAN offering.

SD-WAN should be able to switch to a secondary connection in seconds and, ideally, sub-second, which is fast enough to maintain session state. It’s a fundamental difference between SD-WAN and basic IP routing that can take 40 seconds to converge on an alternate IP connection. However, some security vendors offering SD-WAN capabilities, such as Cisco Meraki, can take as much as 300 seconds to switch between connections. For that reason, in our lexicon, we don’t consider them SD-WAN.

Meraki Fail-over Time

Collecting performance metrics is also important for SD-WAN edge appliances. It allows them to select the optimum path for a given application and is one of the fundamental differences from link aggregators. However, some security solutions lack path metrics. Fortinet SD-WAN 5.6 was one example, which was expected to be fixed in FortiOS 6.0.

Secure SD-WAN as a Service

Instead, several vendors are eliminating appliances by shifting SD-WAN, and in some cases, security capabilities. Cato Networks is the best example of this approach, providing a fully integrated security and SD-WAN service. (The Cato Cloud also runs over its own backbone, eliminating Internet backbone problems.)

Other services are pieces of the secure SD-WAN as a service approach. Aryaka, offers basic firewall capabilities, with its SD-WAN service, but fails to provide L4 to L7 controls, such as NGFW, IPS, URL filtering, and antivirus without utilizing a partner.

In both cases, vendors can continue to work with legacy firewalls but for organizations that want to realize the full benefits of the approach, they must be willing to transition their networking and security architecture to a new vendor.

The Right Approach for Your SD-WAN

It would be too easy to say that there’s one right approach to SD-WAN security. Each architecture has its strengths and weaknesses. The key is aligning those strengths to your needs. If we can help you, know where to reach me.

Share this post