What is SD-WAN?
Software-defined WAN (SD-WAN) technology applies software-defined networking (SDN) concepts for the purpose of distributing network traffic throughout a wide area network (WAN).
SD-WANs work automatically, using predefined policies to identify the most effective route for application traffic passing from branch offices to headquarters, the cloud, and the Internet. There is rarely any need to configure your routers manually in branch locations.
A centralized controller manages the SD-WAN, sending policy information to all connected devices. Information technology (IT) teams can program network edge devices remotely, using low-touch or zero-touch provisioning.
SD-WAN Use Cases
SD-WAN technology typically creates a transport-agnostic virtual overlay. It does so by abstracting the underlying public or private WAN connections, such as Internet broadband, fiber, Long-Term Evolution (LTE), wireless, or Multiprotocol Label Switching (MPLS). The SD-WAN overlay helps organizations keep using their existing WAN links. SD-WAN technology centralizes control of the network, reducing cost and providing real-time application traffic management over the existing links.
The most common SD-WAN use cases fall into the following categories:
- Geographic expansion: when a company expands into a new geographic region, or goes through a merger or acquisition, it can use the network services already available at the new location and rely on SD-WAN to manage old and new sites through a unified policy and control interface.
- Better use of WAN capacity: use a dual-connection strategy that combines public and private network services. SD-WAN can offload some private-network traffic onto public Internet services, reserving private-network capacity for business-critical or latency-sensitive applications.
- Improved WAN resilience: build a hybrid network environment in which multiple network connections reach the same site and operate in an active/active configuration. Under normal conditions traffic is balanced across the services, but if one connection fails, traffic fails over to the other service.
- Cloud migration: achieve digital transformation by migrating applications to the cloud. SD-WAN supports application-based routing, so each application can use the WAN service best suited to its needs, whether it is deployed in the cloud or on premises.
SD-WAN Benefits
Uncoupling WAN architecture from high-cost, demanding MPLS setups is one of the greatest benefits that SD-WAN can offer. MPLS is notoriously expensive – far more so than typical internet connectivity – with average prices topping 4 figures per month.
The eye-watering price is a result of the very limited number of vendors that provide MPLS, and the difficulty for new competitors to break into the space.
The other reason that organizations may be looking to avoid or move away from MPLS is cloud transformation.
As organizations increasingly rely on cloud-based resources, MPLS's hub-and-spoke model can begin to introduce inefficiencies. Since all MPLS traffic must be routed via the central headquarters, the hub can become a choke point for data that would otherwise flow directly between a cloud-based database and the end user requesting it.
SD-WAN avoids much of this by removing the necessity of MPLS providers.
Centralized Management
Rather than routing all traffic to a central point, SD-WANs instead apply a centralized control system. This allows a Security Operations Center (SOC) to manage networking policies across the entirety of an organization’s networks.
- This ensures consistent security rules, traffic prioritization, and performance optimizations, reducing the complexity of manually configuring each site individually.
Greater Cost Efficiency
Unlike traditional WANs that rely on expensive MPLS circuits, SD-WAN can use a far broader range of transports, such as broadband, LTE, and other cost-effective connections.
- This can reduce infrastructure cost while maintaining robust connectivity.
Enhanced Flexibility and Scalability
Since SD-WAN is software-driven, businesses can quickly scale their network by adding new locations without extensive hardware installations.
- Since there’s no underlying reliance on a single MPLS provider, either, SD-WAN is essentially transport-agnostic, able to route all types of traffic that an organization may need.
- This flexibility also extends to the cloud-based management tools that allow IT teams to configure and deploy network changes remotely.
Improved Performance
SD-WAN continuously monitors network conditions and dynamically routes traffic based on real-time performance metrics.
- This could include switching critical applications to the best available connection, or adjusting traffic routes according to context, for example allocating more capacity to video streaming when many employees join calls at the same time.
Reliability
Traditional WANs depend on a single connection, leading to failures if that link goes down. SD-WAN, however, leverages multiple connections simultaneously, automatically rerouting traffic if one link fails.
SD-WAN Architecture
SD-WAN uses an abstracted network architecture made up of two separate parts:
- Control plane: operates from a central location, meaning IT staff can manage WAN resources remotely without being on site
- Forwarding plane: handles traffic, dynamically allocating network resources according to the policies set by the control plane
The SD-WAN architecture consists of the following components:
- Edge: network devices deployed in the cloud, in on-premises data centers, or in branch offices.
- Controller: provides centralized management, letting operators visualize and monitor the network and set policies.
- Orchestrator: a virtualized network management component that monitors traffic and enforces the policies and protocols defined by the controller.
SD-WAN Concepts
SD-WAN implementations draw on a wide range of technologies, including:
Controller
A centralized controller that manages the SD-WAN deployment. The controller enforces security and routing policies, monitors the virtual overlay and any software updates, and provides reporting and alerts.
Software-defined networking (SDN)
Enables key components of the architecture, including the virtual overlay, the centralized controller, and link abstraction.
Wide area network (WAN)
Connects geographically separated facilities or multiple LANs using wireless or wired links.
Virtual network functions (VNFs)
First-party or third-party network functions such as caching and firewalls. VNFs are typically used to reduce the number of physical devices or to increase flexibility and interoperability.
Commodity bandwidth
SD-WAN technology can use multiple bandwidth connections and steer traffic onto any given link. Shifting traffic from traditionally expensive MPLS lines to low-cost commodity bandwidth connections gives users more control and saves cost.
Last-mile technology
SD-WAN technology can improve existing last-mile connectivity by using multiple transport links, or by using several links at the same time.
WAN 和軟體定義廣域網路有什麼差別?
WAN is a staple of corporate infrastructure: to easily explain this network layout, let’s start at the bottom of the network chain.
- Connecting local devices is a local area network (LAN), which relies on a router to link each device and ferry network packets to their intended destination.
- LAN networks are limited to a range of up to 2 km, however, so while they are useful for individual offices, they cannot connect one branch to another.
Enter the WAN
This is where a WAN steps in: while each office has its own LAN, these LANs are connected to one national or global WAN.
- When first scaling up, organizations have typically taken a similar approach to the one used for LANs: physical routers and manual port configuration.
- WANs also generally don't rely on the same packet-forwarding process that a LAN does.
When sending data from a LAN to a public network:
- The router first determines where the packet needs to go, according to its routing table and the packet's own headers.
- If the destination device is not found in that LAN, the router forwards the packet to the next network.
- That network's router then repeats the same process, and so on, until the packet finally arrives at its intended network and is delivered to the IP address listed in the header.
WAN Scalability and Latency Challenges
- Office branches can be numerous and very far apart.
- It’s easy to see how relying solely on this approach could introduce an unmanageable amount of latency.
The Role of MPLS
To beat this, Multiprotocol Label Switching (MPLS) was used:
- MPLS directs WAN traffic along predetermined paths using specialized routers.
- MPLS is the high-speed railway of network infrastructure: it needs specific routers and dedicated leased lines, all of which add to the cost of setting up a WAN.
However:
- MPLS comes with drawbacks.
- Not all WANs require its state-of-the-art setups and high costs.
SD-WAN vs MPLS
Traditionally, the control plane and data plane were closely integrated within proprietary hardware appliances. SD-WANs decouple these layers by shifting the control plane to a software-based system, allowing routing decisions to be made in software running on standard, non-proprietary hardware instead of specialized network routers.
Put concisely, SD-WAN connects LANs using software.
- Each individual network has an SD-WAN appliance installed, which manages all of that site's incoming and outgoing traffic.
- When traffic reaches an SD-WAN appliance, it identifies the type of application data and directs it to the appropriate destination based on predefined policies, as well as the performance and availability of the various network connections.
- To ensure adequate in-transit security, most SD-WAN setups also encrypt the data being transferred.
Let's look at the main differences between traditional WAN and SD-WAN solutions.
| WAN | SD-WAN |
|---|---|
| Provides load balancing and disaster recovery, but deployment can be complex | Built-in load balancing and disaster recovery through rapid or zero-touch deployment |
| Configuration changes take time and require manual configuration work, which is error-prone | Real-time configuration changes, automated to prevent human error |
| Edge devices must be configured one by one; policies cannot be applied in bulk | Uses a virtual overlay, so policies can be replicated instantly across a large number of edge devices |
| Limited to one connection option, the traditional MPLS line | Can make optimal use of multiple connection options: MPLS and SDN-managed broadband lines |
| Relies on VPNs, which work well over a single IP backbone but cannot coexist with high-throughput workloads such as voice and video | Able to steer traffic for different application types, saving bandwidth for the applications that need it most |
| Requires manual tuning | Automatically detects network conditions and dynamically optimizes the WAN |
SD-WAN Best Practices
Use the public Internet selectively
SD-WAN can use public network connections for all middle-mile transport. Although this can be very cost-effective, it is not recommended: there is no way to know which links the traffic will traverse, which raises security and performance concerns.
Wherever possible, and especially for sensitive or mission-critical communications, prefer to carry SD-WAN traffic over a private network. Some SD-WAN vendors let you use their own secure global network. Reserve public network capacity for non-critical, non-sensitive workloads, or for failover scenarios when the private network is down.
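As an added illustration (not code from this page or from any vendor's product), the following Python sketch combines the policy-based path selection described under Improved Performance, Reliability and SD-WAN vs MPLS with the best practice above: each application class has SLA thresholds on latency, jitter and packet loss, sensitive traffic prefers private transport, public links serve only as failover, and an all-links-down condition is reported rather than hidden. Link names, thresholds and metric weights are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Link:
    name: str
    private: bool        # MPLS / provider backbone = True, public Internet = False
    up: bool
    latency_ms: float
    jitter_ms: float
    loss_pct: float

# Constructed per-application policies (assumed values): SLA thresholds a link must
# meet, plus whether the traffic is sensitive (private transport preferred, public
# links used only as failover).
POLICIES = {
    "voice": {"max_latency": 150, "max_jitter": 30, "max_loss": 1.0, "sensitive": True},
    "erp":   {"max_latency": 300, "max_jitter": 100, "max_loss": 2.0, "sensitive": True},
    "web":   {"max_latency": 500, "max_jitter": 200, "max_loss": 5.0, "sensitive": False},
}

def meets_sla(link: Link, policy: dict) -> bool:
    return (link.up and link.latency_ms <= policy["max_latency"]
            and link.jitter_ms <= policy["max_jitter"]
            and link.loss_pct <= policy["max_loss"])

def score(link: Link) -> float:
    # Lower is better; the weights are an assumption that penalizes jitter and loss
    # more per unit than raw latency.
    return link.latency_ms + 2 * link.jitter_ms + 50 * link.loss_pct

def select_path(app: str, links: list):
    """Return the name of the link to use for `app`, or None if every link is down."""
    policy = POLICIES[app]
    candidates = [l for l in links if meets_sla(l, policy)]
    if not candidates:
        # No link meets the SLA: degrade to best effort over any link that is up.
        candidates = [l for l in links if l.up]
        if not candidates:
            return None
    if policy["sensitive"]:
        private = [l for l in candidates if l.private]
        if private:
            candidates = private   # public Internet is failover only
    return min(candidates, key=score).name

# Constructed sample links (not measurements from any real deployment).
SAMPLE_LINKS = [
    Link("mpls", True, True, 40.0, 5.0, 0.1),
    Link("broadband", False, True, 25.0, 8.0, 0.2),
    Link("lte", False, True, 90.0, 40.0, 1.5),
]
```

With the sample links, voice stays on the private MPLS link even though broadband scores better, and only moves to broadband when MPLS is down.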
Communicate the deployment process to stakeholders
When starting an SD-WAN project, educate stakeholders about the deployment process and explain that SD-WAN complements the existing network infrastructure. Executives should not regard SD-WAN as a simple replacement for traditional network technology.
Make clear that you need to retain existing technology and integrate it with the new SD-WAN investment. A better understanding of the technical background and deployment approach will earn you stronger leadership support.
Test the SD-WAN service
An SD-WAN solution may offer automation and zero-touch deployment, but you need to verify that it works as expected. Testing is often overlooked, yet it is a critical part of an SD-WAN project. Make sure you test extensively before, during, and after implementation. A typical SD-WAN project requires 3-6 months of testing, focusing on quality of service (QoS), scalability, availability and failover, and the reliability of the management tools.
SD-WAN Security and SASE
The SD-WAN model operates on a distributed network fabric and typically does not include the security and access controls needed to protect a cloud-based enterprise network.
To address this, Gartner proposed a new network security model called Secure Access Service Edge (SASE). SASE combines WAN capabilities with security functions such as:
The combination of these security functions, built for cloud environments, secures the SD-WAN network.
SASE solutions provide secure connectivity and consistent security for mobile users and branch offices. They offer a centralized view of the entire network, letting administrators and security teams identify users, devices, and endpoints across a globally distributed SD-WAN, enforce access and security policies, and deliver consistent security functions across multiple geographic locations and multiple cloud providers.
SD-WAN and Check Point
Check Point’s Quantum SD-WAN explicitly addresses the security shortcomings of WAN by integrating robust threat prevention directly into its architecture. Deployed at the branch level as a software blade within Quantum Security Gateways, it offers comprehensive protection against:
- Zero day exploits
- Phishing attempts
- Ransomware attacks
This integration ensures that branch offices maintain the highest security standards, while still ensuring the highest network performance.
Beyond security, Quantum SD-WAN enhances connectivity by optimizing traffic flow for different apps: with inbuilt settings for over 10,000 enterprise applications, it’s able to quickly deliver optimized performance. The solution continuously monitors internet connectivity metrics, such as:
- Latency
- Jitter
- Packet loss
so that it can dynamically select the best path for traffic.
Sub-second failover capabilities are offered to ensure uninterrupted services, even during times of connection instability. Marry security and performance with Quantum SD-WAN and explore the comprehensive solution with a demo.
If you're looking for a more complete overhaul toward SD-WAN, on the other hand, check out Check Point Harmony SASE: its full-mesh architecture offers a global private backbone that implements zero-trust security at every connection.
