What is SD-WAN?
A Software-defined Wide Area Network (SD-WAN) is a virtual WAN architecture that allows enterprises to leverage any combination of transport services – including MPLS, LTE and broadband internet services – to securely connect users to applications.
The traditional model of backhauling traffic from branch offices to the data center for robust security inspection is no longer optimal as it wastes bandwidth and adds latency, ultimately impairing application performance. There is a real need for a better way to send traffic directly over the internet from branch locations to trusted SaaS and cloud-based applications while maintaining compliance with enterprise security mandates.
An SD-WAN assures consistent application performance and resiliency, automates traffic steering in an application-driven manner based on business intent, improves network security, and simplifies the WAN architecture. An SD-WAN uses a centralized control function to steer traffic securely and intelligently across the WAN and directly to trusted SaaS and IaaS providers. This increases application performance and delivers a high-quality user experience, which increases business productivity and agility and reduces IT costs.
Traditional WANs based on conventional routers were never designed for the cloud. They typically require backhauling all traffic, including cloud-destined traffic, from branch offices to a hub or headquarters data center where advanced security inspection services can be applied. The delay caused by backhaul impairs application performance resulting in a poor user experience and lost productivity.
Unlike the traditional router-centric WAN architecture, the SD-WAN model is designed to fully support applications hosted in on-premises data centers, public or private clouds, and SaaS services such as Salesforce.com, Workday, Dropbox, Microsoft 365, and more, while delivering the highest levels of application performance.
How does SD-WAN work?
Unlike SD-WAN, the conventional router-centric model distributes the control function across all devices in the network and simply routes traffic based on TCP/IP addresses and ACLs. This traditional model is rigid, complex, inefficient, and not cloud-friendly and results in a poor user experience.
An SD-WAN enables cloud-first enterprises to deliver a superior application quality of experience (QoEx) for users. By identifying applications, an SD-WAN provides intelligent application-aware routing across the WAN. Each class of applications receives the appropriate QoS and security policy enforcement, all in accordance with business needs. Secure local internet breakout of IaaS and SaaS application traffic from the branch provides the highest levels of cloud performance while protecting the enterprise from threats.
Times have changed, and enterprises are using the cloud and subscribing to software-as-a-service (SaaS). While users traditionally connected back to the corporate data center to access business applications, they are now better served by accessing many of those same applications in the cloud.
As a result, the traditional WAN is no longer suitable, mainly because backhauling all traffic—including that destined to the cloud—from branch offices to the headquarters introduces latency and impairs application performance. SD-WAN provides WAN simplification, lower costs, bandwidth efficiency and a seamless on-ramp to the cloud, with significantly better application performance, especially for critical applications, without sacrificing security and data privacy. Better application performance improves business productivity, customer satisfaction, and ultimately profitability. Consistent security reduces business risk.
Basic SD-WAN vs business-driven SD-WAN
Not all SD-WANs are created equal. Many SD-WAN solutions are basic SD-WAN solutions or “just good enough” solutions. These solutions lack the intelligence, reliability, performance, and scale needed to ensure a superior network experience. And remember, without a fast, secure, and high-performing network, enterprise digital transformation initiatives can stall, because they rely on apps that rely on services that in turn rely on the network. SD-WAN is a pivotal digital transformation enabler and is driving strategic decisions across the enterprise. So, what is a business-driven SD-WAN, and why is a basic SD-WAN not good enough?
- Lifecycle orchestration and automation. Most basic SD-WAN offerings provide some level of zero-touch provisioning. However, basic SD-WAN solutions do not always provide full end-to-end orchestration of all WAN edge functions such as routing, security services (including service chaining to advanced third-party security services), and WAN optimization. When enterprises deploy new applications or when a QoS or security policy change is required, a business-driven SD-WAN supports centralized configuration, enabling the required changes to be deployed in a few minutes instead of weeks or months. Centralized orchestration greatly minimizes human errors that can compromise performance or security.
- Continuous self-learning. A basic SD-WAN solution steers traffic according to pre-defined rules, usually programmed via templates. A business-driven SD-WAN delivers optimal application performance under any network condition or change, including congestion and when impairments occur. Through continuous monitoring and self-learning, it responds automatically and in real time to any change in the state of the network that could affect application performance, including congestion, brownouts and transport outages, so that users can always connect to applications without manual IT intervention. For example, should a WAN transport service or cloud security service experience a performance impairment, the network automatically adapts to keep traffic flowing while maintaining compliance with business policies.
- Consistent Quality of Experience (QoEx). A key benefit of an advanced SD-WAN solution is the ability to actively use multiple forms of WAN transport simultaneously. A basic solution can direct traffic on an application basis down a single path, and if that path fails or is underperforming, it can dynamically redirect to a better performing link. However, with many basic solutions, failover times around outages are measured in tens of seconds or longer, often resulting in annoying application interruption. A business-driven SD-WAN intelligently monitors and manages all underlay transport services. It can overcome the challenges of packet loss, latency and jitter to deliver the highest levels of application performance and QoEx to users, even when WAN transport services are impaired. Unlike a basic SD-WAN, a business-driven SD-WAN handles a total transport outage seamlessly and provides sub-second failover that averts interrupting business-critical applications such as voice and video communications.
- End-to-end segmentation. While basic SD-WANs provide the equivalent of a VPN service, a business-driven SD-WAN provides more comprehensive, end-to-end security capabilities. In addition to supporting a next-generation firewall, the SD-WAN platform should orchestrate and enforce end-to-end segmentation spanning the LAN-WAN-data center and the LAN-WAN-cloud. Centrally configured security policies are far more consistent, because they involve fewer human errors than a device-centric WAN model or a basic SD-WAN model that often requires configuring policies device by device. If a policy requires a change, a business-driven SD-WAN programs it centrally and pushes it to tens, hundreds, or thousands of nodes across the network, providing a significant increase in operational efficiency while reducing the overall attack surface and avoiding security breaches.
- Secure local internet breakout for cloud applications. Many basic SD-WANs provide some application classification capabilities based on fixed definitions and manually scripted ACLs to direct SaaS and IaaS traffic directly across the internet. However, cloud applications change constantly. A business-driven SD-WAN continuously adapts to changes and provides automated daily application definition and IP address updates. This eliminates application interruption and user productivity issues.
Ideally, enterprise customers need to shift to a business-driven SD-WAN platform that unifies SD-WAN, firewall, segmentation, routing, WAN optimization and visibility and control functions, all in a single, centrally managed platform.
Advanced SD-WAN functionality for SASE
In 2019, Gartner coined the term secure access service edge (SASE), which describes a more secure and flexible way to perform advanced security inspection directly in the cloud, instead of backhauling application traffic to a data center before forwarding it to the cloud.
SASE combines SD-WAN with necessary cloud-delivered security functions, otherwise known as Security Service Edge (SSE). SSE defines the set of security services that help deliver on the security vision of SASE.
Ultimately, the goal of SASE is to deliver the best end-user quality of experience for cloud-hosted applications without compromising security. After working with many enterprises that have designed and deployed their SASE architectures, we’ve learned that basic SD-WAN functionality falls short. An SD-WAN with advanced networking capabilities is required to fully enable SASE:
- Identify application traffic on the first packet and granularly steer it to enforce both QoS and security policies as defined by business intent
- Keep cloud application definitions and TCP/IP address ranges up to date, automatically, every day
- Automate orchestration between the SD-WAN and cloud-delivered security services from a single console to make it easy
- Automatically failover to a secondary cloud security enforcement point to avoid any application interruption
- Automatically reconfigure secure connections to cloud security enforcement points if a newer, closer location to the branch becomes available
- Enable customers to adopt cloud security services—and their SASE implementations—at their own pace
- And most importantly, provide the freedom of choice to deploy new security innovations as they become available from any vendor to easily address unknown future threats
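The SLA-based transport selection described under "Consistent Quality of Experience" above and the cloud security enforcement-point failover in the SASE list can be modelled together. The following Python is an added illustration, not code from this page or from any SD-WAN vendor; the transport measurements, PoP health flags, SLA thresholds and policy names are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class PathStats:
    """Measured health of one underlay transport (constructed sample values)."""
    loss_pct: float
    latency_ms: float
    jitter_ms: float
    up: bool = True

@dataclass
class AppPolicy:
    """Business-intent policy for one application class (assumed fields)."""
    max_loss: float
    max_latency_ms: float
    max_jitter_ms: float
    preferred: List[str]   # transport preference order set by business intent
    via_sse: bool = False  # True: traffic must traverse a cloud security enforcement point

def meets_sla(p: PathStats, pol: AppPolicy) -> bool:
    return (p.up and p.loss_pct <= pol.max_loss
            and p.latency_ms <= pol.max_latency_ms
            and p.jitter_ms <= pol.max_jitter_ms)

def select_transport(pol: AppPolicy, paths: Dict[str, PathStats]) -> Optional[str]:
    """First preferred transport that meets the SLA; otherwise the healthiest live path."""
    for name in pol.preferred:
        p = paths.get(name)
        if p is not None and meets_sla(p, pol):
            return name
    live = {n: p for n, p in paths.items() if p.up}
    if not live:
        return None  # total transport outage: nothing to steer onto
    return min(live, key=lambda n: (live[n].loss_pct, live[n].latency_ms, live[n].jitter_ms))

def select_enforcement_point(pops: Dict[str, Tuple[float, bool]]) -> Optional[str]:
    """Nearest healthy cloud security PoP; pops maps name -> (rtt_ms, healthy)."""
    healthy = [(rtt, name) for name, (rtt, ok) in pops.items() if ok]
    return min(healthy)[1] if healthy else None

def steer(pol: AppPolicy, paths: Dict[str, PathStats], pops: Dict[str, Tuple[float, bool]]):
    """Return (transport, enforcement point); the PoP is None for direct local breakout."""
    return select_transport(pol, paths), (select_enforcement_point(pops) if pol.via_sse else None)

# Constructed sample state: MPLS up but degraded, broadband healthy, primary PoP unhealthy.
PATHS = {"mpls": PathStats(2.5, 40, 12), "broadband": PathStats(0.1, 25, 3), "lte": PathStats(0.5, 60, 15)}
POPS = {"pop-near": (8.0, False), "pop-far": (30.0, True)}
VOICE = AppPolicy(1.0, 150, 10, preferred=["mpls", "broadband"])
SAAS = AppPolicy(2.0, 200, 30, preferred=["broadband", "lte"], via_sse=True)
```

With the sample state, voice is steered off the degraded MPLS link onto broadband with direct breakout, while SaaS traffic also takes broadband but is sent through the secondary PoP because the nearer one is unhealthy.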