Network Security and Direct Internet Access: The Foundation of MPLS WAN Transformation

In a recent webinar we conducted at Cato, we asked the audience a poll question: “What is the primary driver for your SD-WAN project?” We were a bit surprised to find out that “secure, direct Internet access” was the top driver. We expected other drivers, such as MPLS cost reduction, eliminating bandwidth constraints, or optimizing cloud access, to be at the top of the list.

Why is security such a big deal with SD-WAN? Because SD-WAN is a “code name” for “MPLS WAN transformation project.” MPLS WANs were never designed with security, and specifically, threat protection, as a core feature. SD-WAN is forcing network architects to rethink their network security design in the post-MPLS era.

The Internet Challenge for MPLS and Hybrid WAN

Traditionally, MPLS was always considered a private network. While MPLS traffic did cross a network service provider’s network to the corporate datacenter, traffic didn’t go over the public Internet. This had two ramifications: many enterprises did not encrypt their MPLS connections or inspected MPLS traffic for threats.

If Internet access was required, branch traffic was backhauled to a central Internet exit point where a full network security stack inspected the traffic for malicious software, phishing sites, and other threats. This network security stack was not distributed to the branches, but rather placed in a datacenter or a regional hub.

For quite a while, backhauling Internet traffic over MPLS made sense, as most applications resided in the datacenter sitting on the MPLS network. But, as Internet traffic grew with the adoption of cloud services, direct internet access at the branch became a priority for obvious reasons:

• Internet traffic could be offloaded from expensive MPLS to allow more bandwidth to datacenter applications, reducing the pressure for costly upgrades.
• And, backhaul elimination reduced the latency added in access to the internet — the so-called “Trombone Effect.”

However, introducing Internet links as a transport alongside MPLS, what’s called “a hybrid WAN,” broke the closed MPLS architecture that relied on a single managed network for all traffic. This exposed a big hole in the legacy MPLS design — security. If users can access cloud applications from the branch, they are exposed to Internet-borne threats. Simply put, to realize the benefits of direct internet access at the branch, network security had to come down to the branch itself.

Secure, Direct Internet Access: SD-WAN’s Self-Made Headache?

Basic SD-WAN solutions address an enterprise’s routing needs. They can dynamically route datacenter and Internet-bound traffic to different transports. They can manage failover scenarios caused by blackout and brownouts, and they can hand off the traffic to a security solution like a branch firewall or UTM.

But, is the cure worse than the disease? MPLS WANs avoided the appliance sprawl challenge because all Internet traffic was backhauled to one secure exit point. Managing numerous new appliances isn’t a recipe for simplicity and cost reduction. It’s a recipe for a massive headache. Cloud-based security solutions help avoid appliance sprawl but add new management consoles to administer, and more costs.

In a nutshell, for your SD-WAN project to realize its full potential, complete, simple, and affordable network security is needed everywhere. A solution that doesn’t burden limited IT resources could be the difference between instant ROI for SD-WAN or much ado about, almost, nothing. This is why security is the top driver for what looks like a networking project.

Cato Cloud: Security Built Into SD-WAN

All SD-WAN players are late to catch up and hastily put together a marketing security story mostly through partnerships with network security vendors. Cato had always viewed networking and security as two sides of the same coin. This is why Cato is the only SD-WAN provider that built cloud-based network security directly into its global SD-WAN architecture. And, our dedicated research staff is rolling out threat hunting and protection capabilities that require no grunt work from our customers, and are typically accessible only to very large enterprises with ample staff. Cato’s approach of converging networking and security is simple, powerful, and affordable.