Most SD-WAN Solutions Don’t Provide Enough Security

Just a few years ago, the most frequent challenges experienced by branch offices were the result of a slow connection to the central data center. Over time, this grew to include the inability to deploy reliable latency-sensitive applications and services at the branch, such as VoIP or video conferencing. While MPLS was adopted to resolve these connectivity and performance issues, those connections were also rigid and static, requiring critical data to exist at a single location.

Today, not only do branch transactions, workflows, applications, and data requests need to be fast, but the data that supports those transactions is increasingly decentralized across a meshed infrastructure, including private or public clouds, and can be dynamically reassigned to new locations as resource configurations change. This new reality has outstripped the rigid limitations of MPLS.

SD-WAN solutions were developed to overcome the networking challenges that traditional MPLS-based branch network strategies couldn’t address. They provide branch users with flexible access to resources located anywhere across the distributed network. They also allow end users to use advanced applications, generate complex workflows, and utilize cloud-based services from a variety of devices, including their BYOD solutions.

While SD-WAN extends the advantages of digital transformation to the branch, many vendors' solutions are still poorly equipped to deal with the challenges of the digital marketplace. For example, Gartner recently reported that security is the top concern of executives looking to update their wide-area networks to SD-WAN.

Essential SD-WAN Security Requirements

Most SD-WAN solutions only provide minimal security, usually in the form of VPN and some basic stateful firewall functions. Because of this deficiency, organizations are being forced to figure out how to integrate their new SD-WAN solution into their existing security architecture, only to learn that most of the legacy security solutions they have in place can’t scale to meet SD-WAN requirements.

Instead, SD-WAN solutions need to include a native suite of sophisticated security tools, and those tools need to seamlessly integrate with those security tools deployed elsewhere in the distributed network, including remote and mobile devices, cloud solutions, and physical networks.

To meet this requirement, SD-WAN candidates MUST include the following three security characteristics:

  1. SD-WAN solutions need to natively support a comprehensive suite of essential security tools. The security concerns at the branch are identical to those in any other part of the network. As a result, all of the same resources need to be available, including NGFW security that can see and protect traffic from layer 2 to layer 7, IDS and IPS to detect and prevent intrusions, application awareness, web filtering and security, antimalware and antivirus tools, intuitive data encryption, and high performance when inspecting encrypted traffic. Ideally, this solution should also integrate with access points, access control systems, and UEBA solutions to better detect, track, and monitor devices, and be able to share threat intelligence to better identify and respond to threats occurring anywhere across the network.
  2. Security must be fully integrated into the SD-WAN solution itself to reduce the device footprint needed to protect the branch office and allow security to expand and adapt as the number of branch devices and connections continues to grow. Ideally, this would mean deploying SD-WAN functionality through an NGFW device rather than trying to bolt security as an afterthought onto an SD-WAN solution. That way, the SD-WAN device is not only already designed to handle the processing overhead required to run a full suite of security tools, but those tools can be managed, and security policy can be orchestrated through a centralized console—and ideally, all SD-WAN functionality should be able to be managed through that same interface as well.
  3. Finally, any security tools deployed as part of the SD-WAN solution must also seamlessly integrate with other security solutions deployed elsewhere. Single-pane-of-glass management combined with universal threat intelligence collection, correlation, and response not only raises the level of security across the entire distributed network, but also helps preserve and consolidate IT resources related to policy creation and the entire deployment, integration, monitoring, and optimization lifecycle.

Secure SD-WAN—a solution that includes natively integrated security controls—is a fundamental requirement for any branch strategy. Security needs to not only protect data and resources, but also ensure that the organization's primary objectives—high performance, meeting digital business requirements, and controlling costs—are met. This includes maintaining exceptional security without adding latency to latency-sensitive communications, adapting to constantly evolving applications and DevSecOps strategies, and being able to seamlessly straddle different networked environments without losing features or functionality.

Author's Bio

Nirav Shah

Product Marketing at Fortinet