Unless branch offices are given local Internet access, users cannot take full advantage of the benefits of SD-WAN, and that local Internet access has to come with security services. SD-WAN has many advantages, but providing edge security is not one of them. Some people point out that SD-WAN data is encrypted during transmission and that some SD-WAN devices have basic stateful firewall functions. However, as attacks on layer 7 increase, branches need next-generation firewalls (NGFW) and the latest IPS/IDS functions to protect endpoints, and basic firewall functions are already stretched. The demand for layer-7 security at SD-WAN branches has pushed SD-WAN vendors to establish partnerships with security vendors or to provide security services in their own devices.
SD-WAN for branch office security will have a profound impact on services. Enterprises spend a lot of time deploying, adjusting and maintaining their security infrastructure, and in the cost competition, security vendors have to adjust their equipment. On the other hand, an increase in traffic load or the enabling of compute-intensive functions often forces enterprises to upgrade equipment. Unlike IT teams, security teams are constantly fighting against attackers. When security vendors release patches for the latest threats, deployment time is critical. All of this adds to the burden on overloaded IT teams, and outsourcing this work to providers is a wise move. This leads to three types of secure SD-WAN services.

First Generation: Multiple Physical Devices

In the first case, the service provider integrates multiple physical devices to provide the service. The user is relieved of the burden of managing, operating, and tuning the various devices. Unlike cloud services, where capital expenditure and operating costs are shared among customers, the user still needs to pay for the equipment and the integration. This also means that, to troubleshoot, the user still needs to jump between a different console for each product.

Second Generation: Multiple Virtual Devices

SD-WAN providers offer integration capabilities to run multiple applications as VNFs or virtual appliances on common hardware. These VNFs and appliances still need to be properly tuned and deployed, but that is much easier to do in software. Of course, the capacity of these appliances is still a priority. Depending on the implementation, the provider can add some integration to enable seamless troubleshooting and management through a single console. Other providers seem to offer only third-party firewalls as VNFs, but Versa Networks has integrated some next-generation firewall functions into its core product and uses VNFs for third-party applications.
Third Generation: Cloud Services

The last and probably most advanced approach is to rethink networking and security and combine them into cloud services. Disaggregate the functionality of infrastructure devices and you will see that there is a lot of overlap in how they work. They share resources at the lower network layers, and above that they perform deep packet inspection, require many policies to be set, and so on. As network and security functions become commoditized, it becomes less important to separate these functions and perform them repeatedly on each vendor's device. Moving the security/network stack to the cloud solves the problem of device cost. Because the cloud is elastic, hardware upgrades can be eliminated and there are no scaling issues. Patching is still done by the security provider, but the upgrade only has to be done once for all functions and customers. Capital and operating costs are shared by all users, making for a very affordable service.