SD-WAN (software-defined WAN) is one part of software-defined networking. Depending on the vendor, it combines traditional technologies such as policy-based routing and IPsec VPN with newer capabilities such as best-path selection, application optimisation and quality of service.
Where a site has multiple upstream networks, an administrator would traditionally configure groups of users or destinations to be routed out of a particular connection in an attempt to balance traffic. With SD-WAN these decisions are made dynamically on several factors, including application priority, link quality, link utilisation and the best path to the destination. This allows multiple upstream services of varying speeds to be aggregated while ensuring each flow uses the most appropriate link.
To create a full mesh of VPNs between three locations and so provide a highly available private WAN, an engineer would traditionally configure 6 VPN tunnels (2 per location). This doubles to 12 tunnels with the addition of one more site, and reaches 90 VPN tunnels for a 10-site network. SD-WAN handles all VPN connections dynamically, aggregating tunnels at central locations and building tunnels between sites as and when required.
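The tunnel arithmetic above, modelled as an added example (this is not code from the article or from any SD-WAN vendor). It follows the article's convention of two tunnels per pair of sites, which reproduces the figures of 6, 12 and 90, and contrasts that static full mesh with a hub-aggregated design and with an on-demand fabric that only holds up tunnels for site pairs currently exchanging traffic. The site names and the "active pairs" are constructed for illustration.

```python
"""Tunnel-count model for a private WAN (added example, not the article's code).

Convention from the article: a full mesh holds two tunnels per pair of sites,
so n sites need n*(n-1) tunnels (6 for 3 sites, 12 for 4, 90 for 10).
Site names and the active site pairs used below are constructed examples.
"""


def full_mesh_tunnels(n):
    """Tunnels for a static full mesh of n sites, two per site pair."""
    return n * (n - 1)


def hub_tunnels(n):
    """Tunnels when every site peers only with one central hub (two each)."""
    return 2 * (n - 1)


def on_demand_tunnels(sites, hub, active_pairs):
    """Site pairs that an SD-WAN fabric keeps a tunnel up for: the always-on
    hub tunnels plus site-to-site tunnels only for pairs that are currently
    exchanging traffic. Each returned pair corresponds to two tunnels under
    the article's convention."""
    pairs = {frozenset((site, hub)) for site in sites if site != hub}
    pairs |= {frozenset(pair) for pair in active_pairs}
    return pairs


def tunnel_table(site_counts):
    """Compare the static designs for several network sizes."""
    return {n: {"full_mesh": full_mesh_tunnels(n), "hub": hub_tunnels(n)}
            for n in site_counts}


if __name__ == "__main__":
    for n, row in tunnel_table([3, 4, 10]).items():
        print(f"{n:>2} sites: full mesh {row['full_mesh']:>3} tunnels, "
              f"hub-only {row['hub']:>3}")
    # constructed 10-site estate: one Data Centre hub and nine branches
    sites = ["DC"] + [f"Site{i}" for i in range(1, 10)]
    live = on_demand_tunnels(sites, "DC", [("Site1", "Site2"), ("Site3", "Site7")])
    print(f"10 sites with 2 active site-to-site flows: {2 * len(live)} tunnels "
          f"instead of {full_mesh_tunnels(10)}")
```

The point the numbers make is that the static mesh grows quadratically while the hub and on-demand designs grow linearly with the number of sites plus the number of spoke-to-spoke conversations actually in progress.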
From a security perspective SD-WAN offers several additional features. Many vendor SD-WAN offerings are built on existing, established next-generation (Layer 7) firewall and routing platforms, so they can be seen as intelligent routers with advanced SD-WAN features and built-in Layer 7 firewalling.
The SD-WAN benefits
1. Why SD-WAN over MPLS
MPLS technology is proven and robust and makes sense where the investment has already been made, but MPLS has several limitations, including:
- Supplier lock-in
- Cost of service, traditionally more expensive than direct internet connections
- Time to provision
- Lack of application visibility
- Circuit wastage: secondary failover circuits are only used in the event of a circuit failure
SD-WAN allows all circuits to be used simultaneously. It also allows internet-facing traffic to leave directly from the local site, while ensuring that traffic complies with company security policies, without having to pass all traffic via the Data Centre.
[Figure: circuit utilisation without SD-WAN versus with SD-WAN]
2. SD-WAN for security
The current Data Centre security architecture is based on traditional firewalls with Layer 7 firewalls overlaid to provide end-to-end security (SonicWall). SD-WAN includes true Layer 7 firewalling with IPS and IDS built in. SD-WAN appliances can be installed directly as the internet-facing edge in all locations while keeping the SonicWall or ASA on the perimeter in the Data Centre, creating a true air-gapped perimeter. This would provide much deeper visibility of traffic entering and leaving via MPLS or the internet, make the firewall policies easier to manage effectively, improve the security posture, simplify troubleshooting and provide a single-pane-of-glass view over the entire estate.
3. SD-WAN for availability
SD-WAN removes barriers to obtaining circuits: circuits can be chosen on cost and lead time, and multiple technologies (Ethernet, VDSL, wireless, 4G/5G) can be combined, mixed and prioritised in some or all locations. For example, VDSL can provide the primary link and a 5G connection is used only when the primary fails or becomes saturated. Internet-facing circuits can be used alongside MPLS circuits, with a link to the Data Centre built over the internet only in the event of an MPLS circuit failure.
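The dynamic path selection described in the introduction, the local internet breakout that must still honour company policy (section 1), and the failover behaviour in this section, pulled together in one added example. This is illustrative code written for this page, not any vendor's SD-WAN implementation; the link names, capacities, SLA thresholds, application categories and egress policy table are all constructed assumptions. It ranks the links a flow may use in preference tiers (MPLS first for traffic that must reach the Data Centre, internet circuits first for local breakout, backup-only circuits such as 5G last), drops any link that is down, breaches the application's SLA or would be pushed past a saturation threshold, and scores the remainder on latency, loss and utilisation.

```python
"""Toy SD-WAN path selection (added example, not vendor code).

Each flow is placed on a WAN link according to: the application's egress
policy (local breakout vs. via the Data Centre), the link's health against
the application's SLA, the link's utilisation headroom, and a score that
favours low latency and loss. Backup-only links (e.g. 5G) are used only when
every primary link is down, out of SLA or saturated. All values constructed.
"""
from dataclasses import dataclass


@dataclass
class Link:
    name: str
    kind: str                  # "mpls", "vdsl", "5g", ... (constructed labels)
    capacity_mbps: float
    latency_ms: float
    loss_pct: float
    used_mbps: float = 0.0
    up: bool = True
    backup_only: bool = False  # e.g. metered 5G: only when primaries cannot carry the flow

    def utilisation(self):
        return self.used_mbps / self.capacity_mbps


# Per-application SLA and egress policy (hypothetical values).
# egress "local": break out to the internet at the site; "dc": must be carried
# to the Data Centre, over MPLS or over a VPN tunnel on an internet circuit.
APP_POLICY = {
    "voip": {"max_latency_ms": 150, "max_loss_pct": 1.0, "egress": "dc", "priority": 1},
    "saas": {"max_latency_ms": 300, "max_loss_pct": 3.0, "egress": "local", "priority": 2},
    "bulk": {"max_latency_ms": 1000, "max_loss_pct": 5.0, "egress": "local", "priority": 3},
}


def candidate_tiers(links, egress):
    """Order links into preference tiers for the flow's egress policy."""
    if egress == "dc":
        # traffic that must traverse the Data Centre prefers the MPLS circuit;
        # an internet circuit carries it over a VPN tunnel only as a fallback
        tier1 = [l for l in links if l.kind == "mpls"]
        tier2 = [l for l in links if l.kind != "mpls" and not l.backup_only]
    else:
        # local breakout: MPLS cannot reach the internet directly
        tier1 = [l for l in links if l.kind != "mpls" and not l.backup_only]
        tier2 = []
    tier3 = [l for l in links if l.backup_only]
    return [tier1, tier2, tier3]


def usable(link, policy, flow_mbps, saturation):
    """Up, within the application's SLA, and with headroom for this flow."""
    return (link.up
            and link.latency_ms <= policy["max_latency_ms"]
            and link.loss_pct <= policy["max_loss_pct"]
            and (link.used_mbps + flow_mbps) / link.capacity_mbps <= saturation)


def select_link(app, flow_mbps, links, saturation=0.8):
    """Place a flow and return the chosen link name, or None if nothing fits."""
    policy = APP_POLICY[app]
    # real-time applications weight latency most heavily in the score
    latency_weight = 3 if policy["priority"] == 1 else 1

    def score(l):
        return latency_weight * l.latency_ms + 50 * l.loss_pct + 100 * l.utilisation()

    for tier in candidate_tiers(links, policy["egress"]):
        fit = [l for l in tier if usable(l, policy, flow_mbps, saturation)]
        if fit:
            best = min(fit, key=score)
            best.used_mbps += flow_mbps  # account for the placed flow
            return best.name
    return None


def demo():
    """Constructed branch with MPLS, VDSL and a backup-only 5G circuit."""
    links = [
        Link("mpls", "mpls", capacity_mbps=10, latency_ms=20, loss_pct=0.0),
        Link("vdsl", "vdsl", capacity_mbps=40, latency_ms=30, loss_pct=0.5),
        Link("5g", "5g", capacity_mbps=100, latency_ms=60, loss_pct=1.5, backup_only=True),
    ]
    decisions = [
        ("voip 1 Mbps", select_link("voip", 1, links)),    # MPLS to the DC
        ("saas 5 Mbps", select_link("saas", 5, links)),    # local breakout on VDSL
        ("bulk 30 Mbps", select_link("bulk", 30, links)),  # VDSL would saturate: 5G
    ]
    links[0].up = False  # MPLS circuit failure
    decisions.append(("voip after MPLS failure", select_link("voip", 1, links)))
    return decisions


if __name__ == "__main__":
    for label, chosen in demo():
        print(f"{label:<26} -> {chosen}")
```

In `demo()` the bulk transfer is pushed onto the 5G circuit not because VDSL is down but because placing 30 Mbps on it would exceed the 80% saturation threshold, and the voice flow only moves to a tunnel over VDSL once the MPLS circuit has failed; those two decisions are the "failure or utilisation of the primary" and "only build a link to the Data Centre on MPLS failure" behaviours the section describes.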
4. SD-WAN for flexibility
As SD-WAN is built on existing firewall technology, it becomes a viable and cost-effective way to give home-based workers a permanent link into the corporate network.
5. SD-WAN to secure the corporate offices
In many cases offices already have some segmentation in place, but it is primarily there to provide a rough quality-of-service differentiation for VoIP traffic. SD-WAN, as an intelligent router on site, provides true VLAN segmentation, local packet inspection for security and prioritisation, and routing decisions that place packets on the most appropriate path, whether that is the internet, an MPLS line or a VPN back to the Data Centre.
ISUMO can help translate all of this and deliver solutions using SD-WAN technology, whatever your starting point.