What is SD-WAN?
Software-defined WAN (SD-WAN) technology applies software-defined networking (SDN) concepts for the purpose of distributing network traffic throughout a wide area network (WAN).
SD-WANs work automatically, using predefined policies to identify the most effective route for application traffic passing from branch offices to headquarters, the cloud, and the Internet. There is rarely any need to configure your routers manually in branch locations.
A centralized controller manages the SD-WAN, sending policy information to all connected devices. Information technology (IT) teams can program network edge devices remotely, using low-touch or zero-touch provisioning.

SD-WAN Use Cases
SD-WAN technology typically creates a transport-agnostic virtual overlay. This is achieved by abstracting underlying public or private WAN connections, such as Internet broadband, fiber, long-term evolution (LTE), wireless, or multiprotocol label switching (MPLS). An SD-WAN overlay helps organizations to continue using their own existing WAN links. SD-WAN technology centralizes control of the network, reducing costs and providing real-time application traffic management over existing links.
The most common SD-WAN use cases fall into the following categories:
- Geographic expansion—when a company expands into a new geographical region, or executes a merger or acquisition, it can use the existing network services at the new location, leveraging SD-WAN to manage new and old locations using one unified policy and control interface.
- Making better use of WAN capacity—using a dual connectivity strategy combining public and private network services. SD-WAN can use public Internet services to offload some private network traffic, reserving private network capacity for applications that are business critical or need low latency.
- Improving WAN resilience—creating a hybrid network environment with multiple network connections to the same site, operating in an active/active configuration. Under normal circumstances, traffic can be balanced between services, but if one connection is lost, traffic can fail over to another service.
- Cloud migration—enabling digital transformation, by migrating various applications to the cloud. SD-WAN supports application-based routing, so each application can use the wide area service that best suits its needs, whether it is deployed in the cloud or on-premises.
SD-WAN Benefits
Uncoupling WAN architecture from high-cost, demanding MPLS setups is one of the greatest benefits that SD-WAN can offer. MPLS is notoriously expensive – far more so than typical internet connectivity – with average prices topping 4 figures per month.
The eye-watering price is a result of the very limited number of vendors that provide MPLS, and the difficulty for new competitors to break into the space.
The other reason that organizations may be looking to avoid or move away from MPLS is cloud transformation.
As organizations increasingly rely on cloud-based resources, the MPLS hub-and-spoke model can begin to introduce inefficiencies. Since all MPLS traffic must be routed via the central headquarters, the hub can become a choke point for data that would otherwise flow directly between a cloud-based database and the end user requesting it.
SD-WAN avoids much of this by removing the dependency on MPLS providers.
Centralized Management
Rather than routing all traffic to a central point, SD-WANs instead apply a centralized control system. This allows a Security Operations Center (SOC) to manage networking policies across the entirety of an organization’s networks.
- This ensures consistent security rules, traffic prioritization, and performance optimizations, reducing the complexity of manually configuring each site individually.
Greater Cost Efficiency
Unlike traditional WANs that rely on expensive MPLS circuits, SD-WAN can use a far broader range of transports, such as broadband, LTE, and other cost-effective connections.
- This can reduce infrastructure cost while maintaining robust connectivity.
Enhanced Flexibility and Scalability
Since SD-WAN is software-driven, businesses can quickly scale their network by adding new locations without extensive hardware installations.
- Because there is no reliance on a single MPLS provider, SD-WAN is essentially transport-agnostic and can carry whatever traffic an organization needs over whichever links are available.
- This flexibility also refers to the cloud-based management tools that allow IT teams to configure and deploy network changes remotely.
Improved Performance
SD-WAN continuously monitors network conditions and dynamically routes traffic based on real-time performance metrics.
- This can mean moving critical applications to the best available connection, or adjusting routes to context, for example allocating more capacity to video when many employees join calls at the same time.
Reliability
Traditional WANs depend on a single connection, leading to failures if that link goes down. SD-WAN, however, leverages multiple connections simultaneously, automatically rerouting traffic if one link fails.
SD-WAN Architecture
SD-WAN uses an abstracted network architecture composed of two separate parts:
- A control plane—operated from a central location, meaning that IT staff can manage WAN resources remotely without being on-premises
- A forwarding plane—manages traffic flows, dynamically configuring network resources according to policies set by the control plane
An SD-WAN architecture consists of the following components:
- Edge—this consists of network equipment deployed in the cloud, in on-premises data centers, or in branch offices.
- Controller—provides centralized management and enables operators to visualize and monitor the network and set policies.
- Orchestrator—a virtualized network administration component, which monitors traffic and enforces policies and protocols as defined by the controller.
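The control plane / forwarding plane split and the metric-driven path selection described in the Improved Performance and Reliability sections above, as an added example. This is illustrative code written for this page, not any vendor's software: a Controller holds per-application policy and pushes it to every Edge; each Edge ranks its links against live latency, jitter and loss, keeps sensitive traffic on private transport, and fails over when a link breaches its SLA or goes down. The class names, policy fields, thresholds and metric values are all constructed assumptions.

```python
"""Toy SD-WAN control plane / forwarding plane model (added example, not page code).
All link names, thresholds and metric values are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Link:
    name: str
    transport: str      # e.g. "mpls", "broadband", "lte"
    private: bool       # True for a private circuit, False for public Internet
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    up: bool = True


@dataclass
class AppPolicy:
    app: str
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float
    preferred: list = field(default_factory=list)  # transport preference order
    private_only: bool = False  # never place this app on a public link


class Controller:
    """Control plane: policy is defined once here and distributed to all edges."""
    def __init__(self):
        self.policies = {}
        self.edges = []

    def register(self, edge):
        self.edges.append(edge)
        self.push()

    def set_policy(self, policy):
        self.policies[policy.app] = policy
        self.push()  # every registered edge sees the same rule set at once

    def push(self):
        for edge in self.edges:
            edge.policies = dict(self.policies)


class Edge:
    """Forwarding plane: applies the pushed policy to this site's own links."""
    def __init__(self, site, links):
        self.site = site
        self.links = {l.name: l for l in links}
        self.policies = {}

    def update(self, name, **metrics):
        """Feed fresh probe results (or an up/down change) for one link."""
        for k, v in metrics.items():
            setattr(self.links[name], k, v)

    def meets_sla(self, link, pol):
        return (link.latency_ms <= pol.max_latency_ms
                and link.jitter_ms <= pol.max_jitter_ms
                and link.loss_pct <= pol.max_loss_pct)

    def select_path(self, app):
        """Return the link name to carry `app`, or None if no permitted link is up."""
        pol = self.policies[app]
        candidates = [l for l in self.links.values()
                      if l.up and (l.private or not pol.private_only)]
        if not candidates:
            return None  # hold rather than spill sensitive traffic onto public links

        def rank(l):
            pref = (pol.preferred.index(l.transport)
                    if l.transport in pol.preferred else len(pol.preferred))
            # SLA-compliant links first, then preference order, then lowest latency
            return (0 if self.meets_sla(l, pol) else 1, pref, l.latency_ms)
        return min(candidates, key=rank).name


def build_demo():
    """One branch with an MPLS circuit plus broadband and LTE (constructed values)."""
    ctl = Controller()
    branch = Edge("branch-01", [
        Link("mpls0", "mpls", True, 30.0, 2.0, 0.0),
        Link("bb0", "broadband", False, 20.0, 5.0, 0.1),
        Link("lte0", "lte", False, 60.0, 15.0, 1.0),
    ])
    ctl.register(branch)
    ctl.set_policy(AppPolicy("voip", 150, 30, 1.0, ["mpls", "broadband"]))
    ctl.set_policy(AppPolicy("erp", 200, 50, 1.0, ["mpls"], private_only=True))
    ctl.set_policy(AppPolicy("web", 300, 50, 2.0, ["broadband", "lte"]))
    return ctl, branch


def run_demo():
    """Walk through steady state, MPLS degradation, and an MPLS outage."""
    _, branch = build_demo()
    decisions = {"steady": {a: branch.select_path(a) for a in ("voip", "erp", "web")}}
    branch.update("mpls0", loss_pct=3.0)   # circuit degrades beyond the VoIP SLA
    decisions["degraded"] = {a: branch.select_path(a) for a in ("voip", "erp")}
    branch.update("mpls0", up=False)       # circuit drops entirely
    decisions["outage"] = {a: branch.select_path(a) for a in ("voip", "erp")}
    return decisions
```

Running `run_demo()` shows the behaviour the page describes: in steady state VoIP and ERP ride the private circuit while bulk web traffic is offloaded to broadband; when MPLS loss rises VoIP moves to broadband but the private-only ERP policy stays on the degraded circuit rather than leaking onto the Internet; when MPLS goes down entirely ERP gets no path at all, which is the safe failure for a private-only rule and the kind of outcome a failover test should check for.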
SD-WAN Concepts
SD-WAN implementations leverage a wide range of technologies, including:
Controller
A centralized controller that manages SD-WAN deployments. The controller enforces security and routing policies, monitors the virtual overlay and software updates, and provides reports and alerts.
Software-defined networking (SDN)
Enables key components in the architecture, including the virtual overlay, the centralized controller, and link abstraction.
Wide area network (WAN)
Responsible for connecting geographically separated facilities or multiple LANs, using either wireless or wired connections.
Virtual network functions (VNFs)
First-party or third-party network functions, such as caching tasks and firewalls. VNFs are typically used for the purpose of reducing the amount of physical appliances or to increase flexibility and interoperability.
Commodity bandwidth
SD-WAN technology can leverage multiple bandwidth connections and assign traffic to any specific link. This provides users with more control and enables cost savings, by moving traffic from traditional costly MPLS lines to low cost commodity bandwidth connections.
Last-mile technology
SD-WAN technology can improve existing last-mile connections through the use of more than one transport link or by simultaneously using multiple links.
What is the Difference Between WAN and SD-WAN?
WAN is a staple of corporate infrastructure: to easily explain this network layout, let’s start at the bottom of the network chain.
- Connecting local devices is a local area network (LAN), which relies on a router to link each device and ferry network packets to their intended destination.
- LAN networks are limited to a range of up to 2 km, however — so while they’re useful for individual offices, they can’t connect one branch to another.
Enter the WAN
This is where a WAN steps in: while each office has their own LAN, these LANs are connected to one national or global WAN.
- When first scaling up to a WAN, organizations have typically taken the same approach as for LANs: installing physical routers and configuring ports manually.
- WANs also generally do not rely on the same packet forwarding process that a LAN does.
When sending data from a LAN to a public network:
- The router determines where the packet needs to go from the packet's own headers, consulting its internal routing table.
- If the receiving device is not found on that LAN, the router forwards the packet to the next network.
- That network's router repeats the same process, hop after hop, until the packet finally arrives at its intended network and is delivered to the IP address listed in the header.
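The hop-by-hop forwarding process just described, as an added example that is not part of the original article: each router performs a longest-prefix-match lookup in its own routing table, delivers the packet if the destination is directly connected, and otherwise hands it to the next hop, where the lookup repeats. The router names, prefixes, next hops and interfaces are constructed sample values.

```python
"""Longest-prefix-match forwarding across a chain of routers (added example).
Router names, prefixes and interfaces are constructed, not from any real network."""
import ipaddress


class RoutingTable:
    def __init__(self):
        self.routes = []  # (network, next_hop or None if directly connected, interface)

    def add(self, prefix, next_hop, interface):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, interface))

    def lookup(self, dst):
        """Return (prefix, next_hop, interface) of the most specific matching route, or None."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, next_hop, iface in self.routes:
            # a longer prefix is a more specific match and wins over a shorter one
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop, iface)
        return None if best is None else (str(best[0]), best[1], best[2])


def trace(routers, start, dst, max_hops=16):
    """Follow a packet from `start` until it is delivered, leaves the modelled
    network, is unroutable, or exceeds max_hops (a loop guard, like TTL)."""
    path = []
    current = start
    for _ in range(max_hops):
        route = routers[current].lookup(dst)
        if route is None:
            return path + ["unreachable"]
        prefix, next_hop, iface = route
        path.append((current, prefix, iface))
        if next_hop is None:           # directly connected: deliver on the LAN
            return path + ["delivered"]
        if next_hop not in routers:    # next hop is outside the modelled network
            return path + [f"exits via {next_hop}"]
        current = next_hop
    return path + ["ttl-expired"]


def build_demo():
    """A branch, its ISP, the HQ and a data-centre router (constructed topology)."""
    branch, isp, hq, dc = RoutingTable(), RoutingTable(), RoutingTable(), RoutingTable()
    branch.add("192.168.10.0/24", None, "eth0")   # local LAN
    branch.add("0.0.0.0/0", "isp", "wan0")        # everything else goes upstream
    isp.add("203.0.113.0/24", None, "ge0")
    isp.add("10.20.0.0/16", "hq", "ge1")          # whole corporate range via HQ
    isp.add("10.20.5.0/24", "dc", "ge2")          # but one subnet is homed at the DC
    isp.add("0.0.0.0/0", "upstream", "ge3")
    hq.add("10.20.0.0/16", None, "lan0")
    dc.add("10.20.5.0/24", None, "lan0")
    return {"branch": branch, "isp": isp, "hq": hq, "dc": dc}


def run_demo():
    routers = build_demo()
    return {
        "local": trace(routers, "branch", "192.168.10.44"),
        "to_hq": trace(routers, "branch", "10.20.1.9"),
        "to_dc": trace(routers, "branch", "10.20.5.7"),
        "internet": trace(routers, "branch", "8.8.8.8"),
    }
```

The `to_dc` trace is the one to study: the ISP router holds both `10.20.0.0/16` and `10.20.5.0/24`, and the longer prefix wins, so the packet goes to the data centre rather than HQ. The `internet` trace shows the default route handing the packet off beyond the modelled network, which is the "on and on" step in the text.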
WAN Scalability and Latency Challenges
- Office branches can be numerous and very far apart.
- It’s easy to see how relying solely on this approach could introduce an unmanageable amount of latency.
The Role of MPLS
To beat this, Multiprotocol Label Switching (MPLS) was used:
- MPLS directs WAN traffic along predetermined paths using specialized routers.
- MPLS is the high-speed railway of network infrastructure: it needs specific routers and dedicated leased lines — all of which add to the cost of setting up a WAN.
However:
- MPLS comes with drawbacks.
- Not all WANs require its state-of-the-art setups and high costs.
SD-WAN vs MPLS
Traditionally, the control plane and data plane were closely integrated within proprietary hardware appliances. SD-WANs decouple these layers by shifting the control plane to a software-based system, allowing routing decisions to be made in software running on standard, non-proprietary hardware instead of specialized network routers.
Put concisely, SD-WAN connects LANs using software.
- Each individual network has an SD-WAN appliance installed, which manages all of that site's incoming and outgoing traffic.
- When traffic reaches an SD-WAN appliance, it identifies the type of application data and directs it to the appropriate destination based on predefined policies, as well as the performance and availability of the available network connections.
- To ensure adequate in-transit security, most SD-WAN setups also encrypt the data being transferred.
Let’s look at the key differences between traditional WAN and SD-WAN solutions.
| WAN | SD-WAN |
| --- | --- |
| Load balancing and disaster recovery available, but can be complex to deploy | Load balancing and disaster recovery built in with fast or zero-touch deployment |
| Configuration changes take time and require manual configuration work, which is error prone | Real-time configuration changes, automated to prevent human error |
| Requires edge devices to be configured one by one, does not allow blanket application of policies | Uses virtual overlays—can replicate policies instantly across large numbers of edge devices |
| Limited to one connectivity option—legacy MPLS lines | Can make optimal use of multiple connectivity options—MPLS and SDN-managed broadband lines |
| Relies on VPNs, which work well with a single IP backbone, but cannot coexist with high throughput workloads like voice and video | Able to steer traffic for different types of applications, conserving bandwidth for the applications that need it most |
| Requires manual tuning | Detects network conditions automatically and can dynamically optimize the WAN |
SD-WAN Best Practices
Use Public Internet Selectively
SD-WAN can use public Internet connections for all middle-mile transmissions, and while this can be extremely cost effective, it is not advised. There is no way to know which links the traffic will traverse, which raises security and performance concerns.
Whenever possible, especially for sensitive or mission critical communication, prefer to transmit SD-WAN traffic over private networks. Some SD-WAN providers let you use their own secure global network. Reserve public Internet capacity for non-critical and non-sensitive workloads, or failover scenarios when the private network is down.
Communicate the Deployment Process to Stakeholders
When embarking on an SD-WAN project, educate stakeholders about the deployment process and explain that SD-WAN is an addition to existing network infrastructure. Executives should not view SD-WAN as a simple drop-in replacement for traditional network technology.
Make it clear that you need to keep the existing technology and integrate it with new SD-WAN investments. A better understanding of the technical background and deployment methods will give you better leadership support.
Test the SD-WAN Service
SD-WAN solutions may offer automation and zero-touch deployment, but you need to verify that they work as expected. Testing is often overlooked, but it is a critical part of an SD-WAN project. Ensure you test extensively before, during, and after implementation. A typical SD-WAN project involves testing over 3-6 months, focusing on quality of service (QoS), scalability, availability and failover, and reliability of management tools.
SD-WAN Security and SASE
The SD-WAN model operates using a distributed network fabric, which typically does not include the security and access controls needed to protect enterprise networks in the cloud.
To address this problem, Gartner proposed a new network security model called secure access service edge (SASE). SASE combines WAN functionality with security features such as:
- Firewall as a Service (FWaaS)
- Secure web gateway (SWG)
- Cloud access security broker (CASB)
- Zero trust network access (ZTNA)
The combination of these security capabilities, built for a cloud environment, makes it possible to ensure SD-WAN networks are secure.
SASE solutions provide mobile users and branch offices with secure connectivity and consistent security. They provide a centralized view of the entire network, allowing administrators and security teams to identify users, devices and endpoints across a globally-distributed SD-WAN, enforce access and security policies, and provide consistent security capabilities across multiple geographical locations and multiple cloud providers.
SD-WAN with Check Point
Check Point’s Quantum SD-WAN explicitly addresses the security shortcomings of WAN by integrating robust threat prevention directly into its architecture. Deployed at the branch level as a software blade within Quantum Security Gateways, it offers comprehensive protection against:
- Zero day exploits
- Phishing attempts
- Ransomware attacks
This integration ensures that branch offices maintain the highest security standards, while still ensuring the highest network performance.
Beyond security, Quantum SD-WAN enhances connectivity by optimizing traffic flow for different apps: with inbuilt settings for over 10,000 enterprise applications, it’s able to quickly deliver optimized performance. The solution continuously monitors internet connectivity metrics, such as:
- Latency
- Jitter
- Packet loss
Using these metrics, it dynamically selects the best path for traffic.
Sub-second failover capabilities are offered to ensure uninterrupted services, even during times of connection instability. Marry security and performance with Quantum SD-WAN and explore the comprehensive solution with a demo.
If you’re looking for a more complete overhaul toward SD-WAN, on the other hand, check out Check Point Harmony SASE: its full-mesh architecture offers a global private backbone that implements zero-trust security at every connection.