One of the most common questions network security architects and CISOs ask as they consider their WAN architecture is: "Should I choose SD-WAN over MPLS?" Rightly so. The decision to switch to SD-WAN has significant implications for businesses.
Compared to MPLS, SD-WAN can be less expensive, more secure, and provide higher performance. MPLS can have steep bandwidth costs, while SD-WAN protects your network from vulnerabilities that MPLS cannot. The short answer is that SD-WAN offers better visibility, availability, enhanced performance, and more freedom of action. It’s why the industry has seen interest in SD-WAN rising over the past few years.
Another issue influencing that rise in interest is flexibility. MPLS connections tend to be rigid, fixed connections that can’t easily adapt to the sort of interconnectivity between branch offices that today’s dynamic networks require. They also don’t provide support for things like application recognition or sophisticated bandwidth management for latency-sensitive applications.
So far, so good. But the challenge is that most SD-WAN solutions don’t provide the same level of security as MPLS, which is essentially a secured tunnel running through a Service Provider’s secured network. While Fortinet recognizes that there are a number of considerations to take into account in selecting an SD-WAN solution, to truly provide a more effective strategy over MPLS, SD-WAN must include integrated security, and both security and network functions need to be managed through a single integrated management platform.
But before we get ahead of ourselves, let’s step back and discuss if and when your organization should make the switch from MPLS to SD-WAN in the first place.
Some of the key advantages of SD-WAN over MPLS can be found by examining three key areas of difference: cost, security, and performance. Some of these advantages are less cut and dried than others, and there may even be some disadvantages in very specific situations, which will be explained further.
In the past, many organizations connected remote branches and retail locations to the central data center through a hub and spoke WAN model that relied on individual MPLS connections. As a result, all data, workflows, and transactions, including access to cloud services or the internet, required traffic to be backhauled to the data center for processing and redistribution. Compared to an SD-WAN solution, this is extremely cost-inefficient.
SD-WAN reduces costs by providing optimized, multi-point connectivity using distributed, private data traffic exchange and control points to give your users secure, local access to the services they need – whether from the network or the cloud – while securing direct access to cloud and internet resources.
A seeming security advantage of MPLS is that it provides a secured and managed link between branch offices and the data center through the service provider’s internal backbone. Public internet connections do not natively provide that same level of protection.
But this comparison is deceptive. MPLS does not provide any sort of analysis of the data that it delivers. That is still the responsibility of the MPLS client. Even when traversing an MPLS connection, traffic still needs to be inspected for malware or other exploits, which requires deploying a firewall and any additional security functions at one end of the connection or the other at a minimum.
To be fair, however, many SD-WAN solutions have the same issue. Other than some basic security functionality, most SD-WAN solutions still require security to be added as an overlay solution. And for those organizations that try to add security to their complex SD-WAN connections as an afterthought, the challenge is often more than they bargained for.
Fortinet’s Secure SD-WAN solution is different because connectivity is deployed as an integrated function within an NGFW appliance, so every connection automatically includes dynamic meshed VPN capabilities to secure data in transit, combined with deep inspection of that traffic using the wide array of security tools – including IPS, firewall, WAF, web filtering, anti-virus, and anti-malware – that are already part of every FortiGate NGFW solution that supports SD-WAN. This includes the high-speed inspection of SSL and IPsec VPN connections – a function especially important today as nearly 70% of all internet traffic is encrypted, with many countries encrypting as much as 85% of all webpages visited.
From a performance perspective, MPLS provides a reliable, fixed level of bandwidth. While that may seem like an advantage, today’s traffic has performance requirements that can be highly unpredictable. As a result, organizations need to lease an MPLS connection for their worst-case traffic load scenario, which means that a lot of the time, expensive bandwidth is being unused, and at other times—due to the continuously expanding volume of data being generated by modern networks and devices—the MPLS connection may be constraining connectivity.
Of course, some MPLS connections provide a sliding scale of connectivity, but even then it is limited due to its inability to understand the nature of the traffic it is handling and dynamically make adjustments accordingly.
Adding to the challenge, while all traffic needs bandwidth to function, some applications—such as voice and video—have latency requirements that need to be continuously monitored. When multiple applications are running through the same connection tunnel, latency-sensitive traffic needs to be prioritized, which requires such things as application recognition, traffic shaping, load-balancing, and prioritization between different connections that MPLS simply doesn’t provide.
SD-WAN recognizes applications and can adapt bandwidth and other services accordingly. It can initiate multiple parallel connections and then provide granular load balancing between them, and even fail over to a new connection should there be a drop in available bandwidth, as well as rate-limit less sensitive applications to ensure that latency-sensitive applications receive all the room and horsepower they require – which is why Fortinet’s Secure SD-WAN is powered by the industry’s first purpose-built SD-WAN ASIC designed to provide faster application steering for over 5,000 commonly used applications.
There are, however, a few cases in which MPLS could be a better choice than SD-WAN alone. For example, MPLS provides a clean and secure connection that is especially desirable for certain types of data, applications, and transactions—especially where a high degree of integrity and privacy is required. However, since MPLS is an option available to any SD-WAN solution, this is not an either-or choice. Critical transactions can still be run over MPLS.
And in some markets – especially in the U.S. – MPLS can be quite expensive. So in those locations, replacing MPLS with a public internet connection can be quite cost-effective. However, even in those cases where MPLS is much less expensive, or when concerns about security or reliability are more important than cost differences, SD-WAN can still be run over an MPLS connection to provide more protection and functionality than an MPLS solution alone. That’s because SD-WAN provides a greater amount of flexibility, more granular traffic control, integrated security, and the ability to leverage multiple connection strategies—MPLS, public internet, IPsec, SSL, etc.—using the same SD-WAN deployment.
Fortinet’s experience has shown that the benefits of an SD-WAN solution outweigh MPLS alone. This is because today’s traffic, comprised of advanced web applications and complex workflows, requires a more flexible and dynamic connectivity environment than traditionally static MPLS connections are able to provide.
But traditional SD-WAN solutions fall short when it comes to security. A Secure SD-WAN solution, on the other hand, not only provides a layer of management and flexible connectivity options for remote offices that MPLS does not provide, it also provides deep and deeply integrated security that reduces management overhead and extends visibility and control from the central IT management console or SOC solution out to the very edges of the distributed WAN.
Only you have enough information about your organization to decide whether SD-WAN or MPLS will better suit your needs.
When comparing Secure SD-WAN and MPLS in terms of cost, security, and performance, SD-WAN seems to be the clear winner. Fortinet’s Secure SD-WAN solution gives organizations the interconnectivity capabilities they need, coupled with deeply integrated advanced security and integrated management to provide the confidence they need to keep doing what they do best.
Unlike nearly every other SD-WAN solution on the market, the capabilities of Fortinet’s Secure SD-WAN solution combine advanced networking and traffic management with natively integrated advanced security functionality. Better yet, both of these critical functions—networking and security—can be orchestrated through a single management interface, thereby significantly reducing administrative overhead, while alerting administrators to issues they may not have noticed otherwise.
Take a security-driven approach to networking to improve user experience and simplify operations at the WAN edge with Fortinet’s Secure SD-WAN solution.