Enterprises often need to spin up new network services, but doing so can be difficult. While SD-WAN in general makes this task easier, the real magic happens when you use service insertion and service chaining.

What Are Service Insertion and Chaining?

Service insertion allows the SD-WAN appliance to use predefined policies to identify and steer selected traffic to and from a device (the service). Service chaining is extends service insertion to multiple devices. If insertion allows you to block traffic, service chaining allows you to take that traffic through a set of services, such as to a firewall and then IPS (Intrusion Prevention System) .

The most common application of service insertion and chaining is security. Branch traffic is directed back to the IPS and firewall in the enterprise hub location before being sent onto the Internet.  However, any service can be shared in this way. One case which demonstrates the importance of service insertion involved an engineering firm with 11 US sites and 3 Asia Pacific sites (Hong Kong, Singapore, and Tokyo). The firm struggled with moving very large CAD images between the different regions’ offices.

On their own, each of the regions had plenty of latency and bandwidth. However, getting the images across the Pacific was an issue. Though WAN would have solved the problem easily, the company didn’t want to deploy WAN optimization at each of their branch offices.

Service insertion allowed us to solve the problem more affordably. Instead of equipping each of the company’s sites with WAN optimization, we equipped only two sites – one in San Francisco, and the other in Tokyo. We then steered the Tokyo-bound traffic to the San Francisco location. After arriving in Tokyo from San Francisco,  each individual flow was directed to its intended destination.

Flip the scenario

Now that we’ve seen what service insertion and service chaining can do, let’s take a look at what happens in their absence.

When a company without service insertion and service chaining wants to construct a secure perimeter around its data center or Amazon Web Services (AWS) implementation, they’ll usually introduce an IPS and firewall. This ensures that if one location suffers a security breach such as a denial of service attack or a malware outbreak, mitigating the effect is simple, requiring no extra re-engineering work.

However, bringing an entire security stack to each location is expensive, and can cost tens of thousands of dollars for each branch. In addition, the fragmentation caused by spreading security data across so many appliances can affect visibility into the security domain. Worse, it requires patching, upgrading, and monitoring the various appliances.

That’s why it’s a much better idea to flip the scenario. Use a secure cloud, like that which is offered by Cato Networks, or rely on service insertion/chaining.  Security appliances and services can be deployed in a few regional locations, and service insertion and chaining can bring traffic to the security stack. This method limits the number of security appliances which must be purchased, maintained, and monitored.

Service insertion and service chaining are powerful tools which can effectively expand the utility and agility of your network. Though often considered a tool for large companies, any organization will benefit from the control service chaining and service insertion offer.