Concerned about recent PAN-OS and other firewall/VPN CVEs? Take advantage of Zscaler’s special offer today

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Products & Solutions

SD-WAN is a great choice. Make it a secure one.

May 17, 2019 - 6 min read

If you’re flying from New York to Chicago, a layover in Miami makes the trip unnecessarily long. The same is true of internet connections. If the corporate data center is in San Francisco, and you have a hub-and-spoke architecture, the traffic from a branch office in Philadelphia would have to be routed across the country to the San Francisco data center before accessing the internet, only to then be hair-pinned back to Philadelphia to the user.

Compare that to SD-WAN, which would put that Philadelphia branch office user’s internet-bound traffic right onto the internet, using a local breakout, without that coast-to-coast round trip.

The difference in user experience is notable. With more and more applications in the cloud, the latency introduced by backhauling traffic to a central data center makes for a less-than-optimal user experience for, say, Office 365.

Organizations have been wary of breaking out traffic locally to send it directly to the internet for a number of reasons. First is the complexity of managing all those local breakouts, particularly for companies with dozens or hundreds of branches. Second is handling the security of going direct-to-internet. So, instead of worrying about the security implications of connecting directly to the public internet, companies turned to a private network infrastructure based on a hub-and-spoke architecture that most often leveraged multi-protocol label switching or MPLS. MPLS thus emerged as the standard transport mechanism for companies with multiple branch locations to route their traffic back to their central data center where the traffic would pass through their security stack before being sent to the internet.

But hub-and-spoke architectures using MPLS have led to problems for companies as they move applications to the cloud. MPLS can be both slow and expensive. What’s more, it doesn’t connect users to their applications in the most direct and expedient manner. As a result, many businesses are turning to the software-defined wide area network or SD-WAN. While SD-WAN is gaining in popularity, it’s still not as ubiquitous as MPLS, so it’s worth exploring just what it is and how it will affect enterprise security architectures going forward.

The limits of backhauling over MPLS

With hub-and-spoke architectures, companies funnel all traffic through a central data center where a variety of security technologies—intrusion prevention, sandboxing, firewalls, data loss prevention, URL filters, and more—are housed. While this security “stack” provides the protections businesses desire, routing traffic this way comes with a number of pitfalls. Backhauling internet traffic through corporate data centers over MPLS is expensive and it causes latency, which results in slow performance for users of cloud-based applications and the internet.

Hub-and-spoke networks are also difficult to configure and manage, often with no centralized orchestration tools. In the face of this complexity, rising MPLS costs as internet-bound traffic increases, and a poor user experience, organizations are looking to SD-WAN as a faster, more efficient, and more cost-effective option.

What is SD-WAN technology?

SD-WAN is a new way to route internet traffic that allows organizations to leverage multiple transport services, including broadband, 4G, and LTE, to access the internet and SaaS applications, along with MPLS for traffic to the data center. The technology monitors application and transport options and intelligently determines the best path based on context and conditions. For example, important video conferences can take precedence over other less latency-sensitive traffic. Office 365 users in branch offices experience better performance with their traffic sent directly to the internet, rather than being routed through the central data center, and Microsoft has specified that Office 365 should be accessed directly.

What’s key about SD-WAN is that users are connected through the optimal network path. Many companies that use SD-WAN thus create hybrid networks in which they have multiple paths to the internet and can select one based on what is being accessed.

SD-WAN is already making a tremendous impact by resolving some of the greatest networking challenges for distributed organizations. SD-WAN is built for a world that is becoming increasingly cloud-reliant.

Why is SD-WAN being widely adopted?

Companies are adopting SD-WAN for a variety of reasons, and foremost among them is an improved user experience. With local internet breakout strategies, which are centrally orchestrated through SD-WAN via the cloud, branch office users are able to go straight to the internet for everything from cloud-based applications, like Salesforce and ServiceNow, to checking the latest scores on ESPN.

Another compelling driver of SD-WAN is cost reduction. In some areas, an MPLS line could cost $5,000 per month for 2 Mbps. With SD-WAN, companies can often get a 100 Mbps internet circuit for about $500 a month.

SD-WAN is designed for the cloud and enables access to cloud-based applications using the optimal path, as mentioned earlier. SD-WAN allows companies to make intelligent routing decisions at a very granular level, prioritizing certain types of applications. More and more, companies are moving vital infrastructure and apps to the cloud and using cloud-based applications like Salesforce and Office 365. As companies become more cloud-centric and less network-centric, it becomes even more important to use SD-WAN as opposed to relying on legacy networks and MPLS.

Architecting security for SD-WAN

With the move to the cloud and the adoption of SD-WAN, companies need to reconsider their approach to security. In the past, it made sense to route traffic through the data center because that’s where all applications and security systems were housed. But now the focus is on direct-to-cloud connections using SD-WAN, and, while it is powerful technology for intelligent routing, SD-WAN security is an issue. If security is offered, it likely provides only stateful firewall capabilities, which are inadequate to protect against today’s advanced threats. So how do you secure direct-to-cloud traffic?

One possible approach is to replicate the centralized security stack at each branch office. But this is an expensive and high-maintenance approach. A key benefit of SD-WAN is the ability to provision it remotely and manage it centrally.

With SD-WAN, local breakouts can send traffic through a cloud security provider to deliver all of those same security capabilities at the local level, without backhauling and without deploying costly security appliances in every branch.

Enterprises that use SD-WAN with a tightly integrated cloud security platform can centrally orchestrate policies throughout the entire organization and have them enforced consistently no matter where users connect. From a single management console, IT teams can monitor traffic network-wide and can enable users all over the world to access the internet locally, instead of having their traffic routed to a central or regional data center.

SD-WAN offers simplified, centralized traffic management, better user experience, and reduced costs. It also requires you to rethink your security architecture. With SD-WAN and cloud-delivered security, you can prepare your organization to reap the benefits of an increasingly cloud-first world.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Alex Teteris is Director, Transformation Strategy at Zscaler

form submtited
Thank you for reading

Was this post useful?

dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.