Listen to post:
Happy To Announce the Birth of a New Technology – SD-WAN
It wasn’t that long ago that we oohed and ahhed over the brand-new technology called SD-WAN. The new darling of the networking industry would free us from the shackles of legacy MPLS services. But just as we’re getting used to the toddling SD-WAN, along came yet another even more exciting newborn, the Secure Access Service Edge (SASE). It would give us even more – more security, better remote access, and faster deployment. SD-WAN? That’s so yesteryear – or is it? Is SD-WAN another networking technology to be cast off and forgotten in this SASE world, or does SD-WAN continue to play an important role? Let’s find out.
SD-WAN: The Toddler Years
When SD-WAN was born, there was much to love. It was cute, shiny, and taught enterprises how to walk — walk away, that is, from MPLS – to a network designed for the new world. MPLS came of age when users worked in offices, resources resided in the datacenter, and the Internet was an afterthought. It was hopelessly out of step with a world that needed to move fast and one obsessed with the Internet.
SD-WAN addressed those problems, creating an intelligent overlay that allowed companies to tap commodity Internet connections to overcome the limitations of MPLS. More specifically this meant:
- More capacity to improve application performance
- Reduced network costs by using affordable Internet access, not high-priced MPLS capacity.
- More bandwidth flexibility by aggregating Internet last mile connections
- Improved last-mile availability by connecting sites through active/active connections
- Faster deployments allowing sites to be connected in days not months
SD-WAN: The Teenager That Disappoints
But then the world changed – again. Resources moved into the cloud and the pandemic sent everyone home. Suddenly the office was no longer the focus of work. Solving the site-to-site communications challenge was no longer sufficient. Now companies needed a way to bring advanced security to wherever resources resided, in the cloud or the private data center, and wherever users worked, in the office, at home, or on the road, and do all of that without compromising performance. None of that was in SD-WAN’s job description, making the following use cases particularly challenging:
SD-WAN lacks support for remote access — period. There was no mobile client to join an SD-WAN. But today secure remote access is an essential pillar for guaranteeing business continuity.
SD-WAN is limited in its cloud readiness. As an appliance-based architecture, SD-WAN requires the management and integration of proprietary appliances to connect with the cloud. Expensive premium cloud connectivity solutions, like AWS Direct Connect or Azure ExpressRoute for optimized cloud connectivity.
SD-WAN might perform well enough within a region, but the global Internet is too unpredictable for the enterprise. It’s why all SD-WAN players encourage the use of third-party backbones for global connectivity. Such an approach, though, increases the complexity and costs of a deployment, and fails to deliver the benefits of optimized performance.
SD-WAN lacks the necessary security to protect branch offices. Next-generation firewall (NGFW), Intrusion Prevention Systems (IPS), Secure Web Gateway (SWG), anti-malware – all necessary components for protecting the enterprise and none of which are provided by SD-WAN. Factoring in the necessary appliances and services for delivering these capabilities significantly increases the cost and complexity of SD-WAN deployments.
SD-WAN: The Senior Years
So, SD-WAN isn’t perfect, but you might be wondering, why not let it coexist with the rest of the security and networking infrastructure? Just deploy a SWG or a Security Service Edge (SSE) solution. Doing so, though, leads to a network that’s at best managed with separate brains – one for your SD-WAN and another for your security infrastructure – and more likely additional “brains” for handling the rest of your security infrastructure and the global backbone.
And with multiple brains, everything becomes more complicated:
SD-WAN made noise about claiming to offer zero-touch configuration, but the reality is far different. Without the necessary security capabilities, SD-WANs become far more complicated to deploy, requiring the additional security appliances to be assessed, purchased, delivered to the locations, installed, and integrated.
High Availability (HA) becomes a headache:
With SD-WAN relying on Internet connections, HA is all but required. But with multiple brains, HA becomes far more challenging. There’s no automated provisioning of resilient connections between devices or services. There’s also no associated dynamic failover, requiring companies to install backup appliances and additional operational time testing failover scenarios.
Visibility is limited:
Fragmenting data across multiple networking and security systems means you never have a complete view of your network. You can’t spot the network indicators of new threats. Outages become more difficult to troubleshoot with data hiding within multiple appliance logs.
Relying on SSE offerings or security services in the cloud won’t fully address the problem. Deployment is still a problem as there’s no automated traffic routing and tunnel creation between SD-WAN devices and cloud security PoPs. Security infrastructure is also unable to consume and share security policies (such as segmentation) between SD-WAN and cloud security vendors. Operationally, SD-WAN devices and cloud services remain distinct, making troubleshooting more challenging and depriving security teams of networking information that could be valuable in hunting for threats.
And in the end, reducing to two brains better than four, still leaves you with well, two brains on one network.
SD-WAN: It’s Not Dead Just Part of a Bigger Family
So, is SD-WAN dead? Hardly. It remains what it always was – an important tool for building the enterprise network. But like the crazy uncle who might great for laughs but not be terribly reliable, SD-WAN has limitations that need to be addressed.
What’s needed is an approach that uses SD-WAN to connect locations but addresses its security and deployment limitations. SASE secures and connects the complete enterprise – headquarters, branches in distant locations, users at home or on the road, and resources in the cloud, private datacenters, or on the Internet. With one network securing and connecting the complete enterprise, deployments become easier, visibility improves, and security becomes more consistent.
To make that happen, SASE calls for moving the bulk of security and networking processing into a global network of PoPs. SD-WAN devices connect locations to the nearest PoPs; VPNs clients or clientless access connect remote and mobile users. Native cloud connectivity within the PoPs connects IaaS and SaaS resources.
Cato is the World’s First and Most Robust Global SASE Platform
Cato is the world’s first SASE platform, converging SD-WAN and network security into a global, cloud-native service. Cato optimizes and secures application access for all users and locations, including branch offices, mobile users, and cloud datacenters, and allows enterprises to manage all of them with a single management console with comprehensive network visibility. Cato’s SASE platform has all the advantages of cloud-native architectures, including infinite scalability, elasticity, global reach and low total cost of ownership.
Connecting locations to the Cato SASE Cloud is as simple as plugging in a preconfigured Cato Socket appliance, which connect to the nearest of Cato’s 70+ globally dispersed points of presence (PoPs). Mobile users connect to the same PoPs from any device by running the Cato Client. With Cato, new locations or users can be up and running in hours or even minutes, not days or weeks. Security capabilities include Zero Trust Network Access (ZTNA), Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Data Loss Prevention (DLP), and Firewall as a Service (FWaaS).
With Cato, customers can easily migrate from MPLS to SD-WAN, optimize global connectivity to on-premises and cloud applications, enable secure branch office Internet access everywhere, and seamlessly integrate cloud datacenters and mobile users into a high-speed network with a zero-trust architecture. So whether it’s mergers and acquisitions, global expansion, rapid deployments, or cloud migration, with Cato, the network and your business are ready for whatever is next in your digital transformation journey.
Learn more about the differences between traditional WAN and SD-WAN.