
Zscaler Blog


What you need to know about SD-WAN security.


As enterprises embrace digital transformation, they must find a new way to manage networking and security. Many are turning to SD-WAN to reduce MPLS costs, simplify branch IT, increase agility, and deliver an improved user experience. But securing SaaS and internet-bound traffic for all users at all locations, without compromising on protection, presents obstacles of its own. Left unaddressed, these security challenges can undermine the benefits of your SD-WAN deployment. Let’s examine what you really need to know about securing your SD-WAN deployment.

SD-WAN is becoming mainstream

By some estimates, more than 60 percent of enterprise WAN traffic is destined for the internet, and that traffic is growing continuously. In this environment, paying to backhaul traffic to centralized or regional data centers to apply security controls only to send it out to the internet doesn’t make sense. It is expensive, increases latency, and results in a less-than-exceptional user experience. 

SD-WAN addresses these challenges by offering an easy way to enable local internet breakouts and create secure site-to-site connectivity for branches and data centers. Intelligent routing and path optimization reduce dependency upon MPLS by leveraging commodity circuits, like broadband and 4G/5G/LTE. As a result, organizations can offload internet and SaaS-bound traffic locally, thereby reserving MPLS links for traffic destined for the data center and reducing the overall branch hardware footprint. But how do you secure direct-to-internet connections?

Security must change to support SD-WAN

Achieving the intended benefits of SD-WAN while ensuring the branch is not the weakest link in your security architecture requires a new approach to security. Whether a branch has five users or 500, you need to provide identical access and security protections across all locations, wherever users connect, so that your CEO (and any other employee, for that matter) has the same protections when connecting at corporate headquarters, a branch office, or a customer site halfway around the world.

This means you need the same “stack” of security appliances and services at each location to mirror the protections you would find at your corporate internet gateway, including cloud sandboxing, cloud firewall, advanced threat prevention, and data protection. In addition, your solution must inspect all ports and protocols, including native SSL inspection.

Traditional security appliances were not designed for cloud applications. They cannot scale to meet the growing traffic demands, and replicating the network security stack at every branch is too costly to be a viable solution for most organizations. As a result, most organizations compromise on security, deploying smaller physical appliances or virtual firewall instances at branch locations. But that leaves organizations vulnerable, with limited security capacities and inconsistent protections across the organization. You are left struggling to keep pace, requiring frequent additions of boxes and services to secure growing traffic volumes and user demands.

My SD-WAN has a firewall. Do I really need anything else?

At this point, you may be aware that some SD-WAN solutions have a built-in firewall and provide some security functionality. You may even find yourself wondering if you really need a branch firewall or any additional protection at all. Most built-in SD-WAN security solutions offer basic firewall capabilities with Layer-3 network controls. This enables you to restrict access based on IP addresses and ports. However, to provide the identical protection in branch locations that you would find at your corporate data center still requires advanced Layer-3 through Layer-7 protection, including next-generation firewall capabilities, IPS, advanced threat prevention, SSL inspection, sandboxing, data protection, and local DNS resolution. It quickly becomes clear that you need more than a Layer-3 firewall to secure SD-WAN and protect against modern cyberattacks at the branch.
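To make the Layer-3 versus Layer-7 gap concrete, here is an added Python example (not Zscaler's code and not any vendor's policy engine). It applies a port-based rule of the kind a built-in SD-WAN firewall enforces and a hostname-aware rule of the kind a proxy or cloud security service enforces to the same constructed flows, alongside the path decision (MPLS tunnel versus local internet breakout) that an SD-WAN edge makes for each flow. The addresses, hostnames, and the blocklist are constructed for illustration only.

```python
"""Added example, not Zscaler's code: a Layer-3 port filter and a Layer-7
hostname-aware policy applied to the same constructed flows, beside the
SD-WAN path decision (MPLS tunnel vs local internet breakout)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 1918 ranges: destinations here live in the data center, so they ride
# the site-to-site tunnel rather than breaking out locally.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical hostname blocklist; a real service would consult threat intel
# and URL categories, which this example does not model.
BLOCKED_HOSTS = {"malware-drop.example", "exfil.example"}

WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    # Hostname from the TLS SNI or the HTTP Host header. Only a device that
    # parses the application layer (Layer-7 inspection) ever sees this field.
    hostname: Optional[str] = None


def route_flow(flow: Flow) -> str:
    """SD-WAN path selection: private destinations go over MPLS to the
    data center, everything else breaks out to the internet locally."""
    ip = ipaddress.ip_address(flow.dst_ip)
    return "mpls" if any(ip in net for net in PRIVATE_NETS) else "local_breakout"


def l3_policy(flow: Flow) -> str:
    """What a built-in SD-WAN firewall can decide on: protocol, address, port.
    It never looks at flow.hostname, so two 443 flows are indistinguishable."""
    if flow.proto == "tcp" and flow.dst_port in WEB_PORTS:
        return "allow"
    return "deny"


def l7_policy(flow: Flow) -> str:
    """Layer-7 policy: the same port rule, then a hostname decision.
    A web flow with no visible hostname (encrypted ClientHello, or a non-web
    protocol riding port 443) cannot be classified by name, so it is handed
    to full inspection rather than silently allowed."""
    if l3_policy(flow) == "deny":
        return "deny"
    if flow.hostname is None:
        return "inspect"
    if flow.hostname in BLOCKED_HOSTS:
        return "deny"
    return "allow"


def evaluate(flows: List[Flow]) -> List[Tuple[str, int, str, str, str]]:
    """Per flow: (dst_ip, dst_port, path, L3 verdict, L7 verdict)."""
    return [(f.dst_ip, f.dst_port, route_flow(f), l3_policy(f), l7_policy(f))
            for f in flows]


# Constructed sample flows leaving a branch; 203.0.113.0/24 is TEST-NET-3.
SAMPLE_FLOWS = [
    Flow("10.20.30.40", 443, hostname="intranet.corp.example"),  # data-center app
    Flow("203.0.113.10", 443, hostname="app.saas.example"),      # sanctioned SaaS
    Flow("203.0.113.20", 443, hostname="malware-drop.example"),  # malicious, but on 443
    Flow("203.0.113.30", 443),                                   # TLS with no visible name
    Flow("203.0.113.40", 25),                                    # SMTP straight out of the branch
]

if __name__ == "__main__":
    for dst_ip, port, path, l3, l7 in evaluate(SAMPLE_FLOWS):
        print(f"{dst_ip}:{port:<4} {path:<15} L3={l3:<6} L7={l7}")
```

The third and fourth flows are the point: the port-only rule allows both, because on Layer-3 they look exactly like the sanctioned SaaS connection. Only the hostname-aware policy denies the known-bad host, and only it can produce the "inspect" verdict that sends an unclassifiable 443 flow to SSL inspection, which is the capability the text says a branch needs beyond a Layer-3 firewall.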

Secure SD-WAN across your enterprise

Zscaler believes there is a better way to secure SD-WAN. Rather than having to buy, deploy, and manage security at each branch, we suggest you move security into the cloud. Whether you deploy SD-WAN across your entire organization or elect to deploy SD-WAN at small sites and use different equipment (like ISRs) at larger sites, your solution must deliver identical protection across all sites, no matter what equipment sites use for routing. A cloud-based security solution like Zscaler delivers the entire security stack as a cloud service, including proxy, firewall, advanced threat protection, data protection, and native SSL inspection. And, it provides identical protection for all users, no matter where they connect.

A secure SD-WAN solution can help accelerate your cloud transformation journey. SD-WAN can help reduce costs and bring additional functionality and simplification to your branch architecture. But, keep in mind that achieving the benefits of SD-WAN requires a fundamental shift in how you provide security. Let us know how we can help!

To learn more about how to secure SD-WAN and local internet breakouts, watch our webcast, “SD-WAN and security: What you really need to know” or visit

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Jen Toscano is Sr. Product Marketing Manager at Zscaler.
