Executive summary
Network engineering and operations leaders are looking to replace their traditional wide-area network (WAN) architectures with software-defined wide-area networks (SD-WAN) in order to support the ever-increasing traffic demands (and associated connectivity costs) that come with digital innovation (DI). These DI-driven initiatives improve staff productivity and create new business opportunities. Yet, they also impact networking performance and ratchet up security concerns.
SD-WAN adoption is accelerating and many organizations have embarked on SD-WAN implementations. But many SD-WAN solutions present serious challenges—from inadequate security to high total cost of ownership (TCO). Understanding these issues is key to navigating the increasingly complex market for WAN edge technologies.
How DI is impacting corporate networks
Distributed organizations are embracing a wide range of DI technologies. This includes adoption of Software-as-a-Service (SaaS) applications, cloud on-ramping connectivity, Voice over IP (VoIP) and video communications tools, use of DevOps to speed time deployment for new web applications, and Internet-of-Things (IoT) devices for data collection and telemetry.
However, these DI initiatives present new challenges for network engineering and operations leaders who must sustain both performance and security from the data-center campus to branch offices on the network edge. Outdated traditional WANs at remote sites are not designed to support the volume and velocity of traffic that is being pushed to branches and distributed offices. Specifically, these WAN solutions employ a multiprotocol label switching (MPLS)-based network that backhauls all traffic through the corporate data center for filtering and security checks. This hub-and-spoke architecture can lead to bottlenecks at the network edge, which results in sluggish performance for end-users— especially under the ever-increasing bandwidth demands that come with DI adoption.
But that is not the only problem with the traditional WAN solutions. MPLS connections are also expensive, and the costs can quickly compile as branch traffic volumes continue to climb with no end in sight.
“The market for SD-WAN will experience a compound annual growth rate (CAGR) of more than 40% through 2022.” – IDC SD-WAN Infrastructure Research
“The emergence of SD-WAN technology has been one of the fastest industry transformations we have seen in years. Organisations of all sizes are modernising their wide-area networks to provide improved user experience for a range of cloud-enabled applications.” – Rohit Mehra VP, Network Infrastructure IDC
Encountering the challenges of the traditional WAN
In response, many organisations are embracing SD-WAN solutions on the basis that they deliver better network performance. Yet, there are a number of different SD-WAN solutions on the market with varying capabilities, and it can quickly become a challenge determining which one meets core business requirements. Before a network engineering and operations leader can evaluate available options, they need to consider the reasons this is the case with many SD-WANs.
Security: Lack of Threat Protection
Although throughput suffers when a WAN routes all traffic through the data centre, MPLS-based WANs are generally perceived as adequately secure. In contrast, for many SD-WAN solutions, advanced security is not built in or, if included, is insufficient. Specifically, the security capabilities in most SD-WAN solutions do not address the entirety of Layer 3 through Layer 7 advanced security, lacking built-in intrusion prevention system (IPS) technology, web filtering, secure sockets layer (SSL)/transport layer security (TLS) inspection, and other protection types.
To solve these security requirements in branch and remote office networks, network engineering and operations leaders must pair dedicated security appliances alongside their SD-WAN. At bare minimum, this involves the addition of a firewall in each location— though sometimes more (e.g., secure sockets layer [SSL]/transport layer security [TLS] inspection is not available in every firewall on the market). But this creates complexity, which increases TCO—from capital expenditures (CapEx) for the additional appliance to staff time (operational expenditures [OpEx]) spent managing the additional firewall and other appliances.
Even among SD-WAN solutions that do include more advanced technologies, gaps still exist. For example, not every SD-WAN solution has security options that have been thoroughly vetted by third-party experts such as NSS Labs. This objective comparison and analysis of SD-WAN solutions enables network engineering and operations leaders to determine which SD-WAN solutions meet real-world business requirements best.
Performance: A Trade-off With Security
The direct connectivity and load balancing of SD-WAN solutions improve performance over traditional WAN. But, just as is the case with security, this is another area where all SD-WAN solutions are not created equal. In particular, not every SD-WAN solution is able to identify and classify application traffic and apply routing policies at a very granular level. The result is that certain applications cannot be prioritised over others. With this one-size fits- all application traffic model, critical applications, VoIP calls, and video can slow. This impedes end-user productivity.
Furthermore, among the subset of SD-WAN solutions with built-in security, some of the security settings have the potential to degrade network performance. For example, turning on deep inspection of encrypted SSL/TLS can have a huge impact on throughput performance. But for those organisations electing to leave it turned off, they put themselves at heightened risk with 72% of network traffic being encrypted and 60% of attacks using encryption to hide malware with SSL and TLS encryption.4 In addition, if the solution cannot perform encrypted packet inspection, this obstructs correct traffic routing which degrades the quality of experience (QoE) for network users.
- “72% of respondents found that security was their topmost concern when it comes to their WAN.” – Gartner Research
- “Many companies that transition to SD-WAN reap substantial savings on bandwidth connectivity— upwards of 40% in some cases.” – Network World Research
- “72% of network traffic is encrypted, with 60% of attacks using encryption today.” – Gartner Research
- “TCO for SD-WAN solutions ranges from $5 to $496 per megabit per second. Organisations should carefully evaluate SD-WAN solutions to determine which offers the most capabilities at the lowest TCO.” – NSS Labs Report
Cost and resources: TCO remains high
The increasing volume and velocity of network traffic from VoIP, video, and SaaS-based applications are alarming, which dramatically increases network bandwidth costs for many organisations. Considering that MPLS costs are growing by as much as fourfold or fivefold, the cost savings of SD-WAN that uses the public internet is significant.
Still, network engineering and operations leaders who deploy SD-WAN solutions are often surprised to find a much higher TCO than expected. Specifically, adding multiple appliances for different capabilities increases CapEx as well as the amount of time staff need to spend managing them (OpEx). Network staff must manually monitor and compile log information for threat management. This is time-consuming and highly inefficient.
Further, needing to deploy multiple point products for each remote office and branch location—everything from routers, to firewalls, to security web gateways, to WAN optimisation—incurs substantial staff time to manage. Each of these has its own protocols and user interfaces. To achieve visibility and centralised control and demonstrate compliance with various industry and governmental regulations and security standards, network engineering and operations staff must expend manual time aggregating and reconciling data from each technology-specific silo. In the face of a skills shortage, this time expenditure can become quite costly, as network engineering and operations teams struggle to scale to meet these requirements.
Inefficiencies mount in distributed networks where management of networking and security solutions requires staff to travel to remote locations. Specifically, when SD-WAN solutions do not offer either a virtual alternative or zero-touch deployment capabilities, significant time expenditure for initial deployment and ongoing maintenance can add up quickly.
Conclusion: what to look for in SD-WAN
When evaluating the many available SD-WAN solutions, network engineering and operations leaders should ask the following questions about each of the solutions on their shortlist:
- What is included in the SD-WAN solution? How many separate products are needed to obtain effective routing, SD-WAN networking, and security capabilities?
- What real-world results have been documented in independent third-party tests such as those conducted by NSS Labs?
- How has the solution been assessed in third-party analyst reports such as Gartner’s Magic Quadrants?
- Assuming the solution has SSL/TLS inspection capability, what performance impact occurs when it is turned on?
- Is the solution application-aware and does it employ automated path intelligence for optimised routing and prioritisation of business critical SaaS applications, VoIP calls, and video?
- Does the solution integrate with security elements across the enterprise and across different security areas (e.g., mail, cloud, endpoints, among others) for integrated and automated threat-intelligence sharing?
Get in touch
Learn more about how SD-WAN through CyberOne could benefit your business.
Complete the form for a prompt response from our team.