Software-defined WAN (SD-WAN) technology applies software-defined networking (SDN) concepts for the purpose of distributing network traffic throughout a wide area network (WAN). SD-WANs work automatically, using predefined policies to identify the most effective route for application traffic passing from branch offices to headquarters, the cloud, and the Internet. There is rarely any need to configure your routers manually in branch locations. A centralized controller manages the SD-WAN, sending policy information to all connected devices. Information technology (IT) teams can program network edge devices remotely, using low-touch or zero-touch provisioning.
SD-WAN technology typically creates a transport-agnostic virtual overlay. This is achieved by abstracting underlying public or private WAN connections, such as Internet broadband, fiber, long-term evolution (LTE), wireless, or multiprotocol label switching (MPLS). An SD-WAN overlay helps organizations to continue using their own existing WAN links. SD-WAN technology centralizes control of the network, reducing costs and providing real-time application traffic management over existing links.
The most common SD-WAN use cases fall into the following categories:
SD-WAN uses an abstracted network architecture composed of two separate parts:
An SD-WAN architecture consists of the following components:
SD-WAN implementations leverage a wide range of technologies, including:
A centralized controller that manages SD-WAN deployments. The controller enforces security and routing policies, as well as monitors the virtual overlay, any software updates, and provides reports and alerts.
Software-defined networking (SDN)
Enables key components in the architecture, including the virtual overlay, the centralized controller, and link abstraction.
Wide area network (WAN)
Responsible for connecting geographically separated facilities or multiple LANs, using either wireless or wired connections.
Virtual network functions (VNFs)
First-party or third-party network functions, such as caching tasks and firewalls. VNFs are typically used for the purpose of reducing the amount of physical appliances or to increase flexibility and interoperability.
SD-WAN technology can leverage multiple bandwidth connections and assign traffic to any specific link. This provides users with more control and enables cost savings, by moving traffic from traditional costly MPLS lines to low cost commodity bandwidth connections.
SD-WAN technology can improve existing last-mile connections through the use of more than one transport link or by simultaneously using multiple links.
Let’s look at the key differences between traditional WAN and SD-WAN solutions.
|Load balancing and disaster recovery available, but can be complex to deploy||Load balancing and disaster recovery built in with fast or zero-touch deployment|
|Configuration changes take time and require manual configuration work, which is error prone||Real-time configuration changes, automated to prevent human error|
|Requires edge devices to be configured one by one, does not allow blanket application of policies||Uses virtual overlays—can replicate policies instantly across large numbers of edge devices|
|Limited to one connectivity option—legacy MPLS lines||Can make optimal use of multiple connectivity options—MPLS and SDN-managed broadband lines|
|Relies on VPNs, which work well with a single IP backbone, but cannot coexist with high throughput workloads like voice and video||Able to steer traffic for different types of applications, conserving bandwidth for the applications that need it most|
|Requires manual tuning||Detects network conditions automatically and can dynamically optimize the WAN|
SD-WAN can use public Internet connections for all middle mile transmissions, and while this can be extremely cost effective, it is not advised. There is no way to know which links traffic will go through, raising security and performance concerns.
Whenever possible, especially for sensitive or mission critical communication, prefer to transmit SD-WAN traffic over private networks. Some SD-WAN providers let you use their own secure global network. Reserve public Internet capacity for non-critical and non-sensitive workloads, or failover scenarios when the private network is down.
When embarking on an SD-WAN project, educate stakeholders about the deployment process and explain that SD-WAN is an addition to existing network infrastructure. Executives should not view SD-WAN as a simple drop-in replacement for traditional network technology.
Make it clear that you need to keep the existing technology and integrate it with new SD-WAN investments. A better understanding of the technical background and deployment methods will give you better leadership support.
SD-WAN solutions may offer automation and zero touch deployment, but you need to verify that it works as expected. Testing is often overlooked, but it is a critical part of an SD-WAN project. Ensure you test extensively before, during, and after implementation. A typical SD-WAN project involves testing over 3-6 months, focusing on quality of service (QoS), scalability, availability and failover, and reliability of management tools.
The SD-WAN model operates using a distributed network fabric, which typically does not include the security and access controls needed to protect enterprise networks in the cloud.
To address this problem, Gartner proposed a new network security model called secure access service edge (SASE). SASE combines WAN functionality with security features such as:
The combination of these security capabilities, built for a cloud environment, makes it possible to ensure SD-WAN networks are secure.
SASE solutions provide mobile users and branch offices with secure connectivity and consistent security. They provide a centralized view of the entire network, allowing administrators and security teams to identify users, devices and endpoints across a globally-distributed SD-WAN, enforce access and security policies, and provide consistent security capabilities across multiple geographical locations and multiple cloud providers.
Prior to SD-WAN remote office connections were backhauled to the corporate data center where they were protected using the corporate network security stack. With the advent of SD-WAN, cloud and Internet connections connected directly to the Internet expose WAN users to sophisticated attacks.
Firewall as a Service and Secure Access Service Edge (SASE) solutions protect SD-WAN connections to cloud applications and the Internet. To learn more about Check Point’s SASE solutions and how they can improve your organization’s WAN security, contact us. You’re also welcome to request a demonstration to see Check Point’s SASE solution in action.