Four Roads to Securing SD-WAN, Deep Dive at the SD-WAN Summit 2018 Paris

By Ronen Shpirer | September 26, 2018

Software-defined wide area network (SD-WAN) is quickly becoming a topic du jour. There are over 60 SD-WAN vendors in the market today, and the number continues to rise. Sorting through the different options can be difficult, an undertaking that I hope to help facilitate in my presentation at the SD-WAN Summit 2018 conference later this month at the Novotel Convention and Spa in the Paris suburbs.

My presentation will examine the four different SD-WAN architectural options, as delineated by Gartner in the Research Note “Secure SD-WAN: Integrated NGFW Security with WAN Transformation.” Gartner acknowledges that “... the future of SD-WAN lies in…balanced security and advanced WAN capabilities.”

Gartner delineates four architectures for securing SD-WAN:

  • SD-WAN With Embedded Firewall
  • Firewall With Embedded SD-WAN
  • SD-WAN With Cloud-Based Security
  • SD-WAN With Third Party Firewall

Fortinet Secure SD-WAN aligns with three of the four architectural options: “Firewall With Embedded SD-WAN,” “SD-WAN With Cloud-Based Security,” and “SD-WAN With Third Party Firewall.” Each architecture solves different business requirements and comes with varying characteristics in terms of costs, operational complexity, security properties, and suitability for specific use cases.

Architecture Pluses and Minuses

Here is a quick breakdown of all four of these architectures:

  • The first approach, SD-WAN With Embedded Firewall, emphasizes SD-WAN functionality with added security features. This approach is generally the least effective, however, as its security capabilities are usually restricted to basic, L3-related security controls, while advanced (and critical) L4-L7 capabilities, such as intrusion prevention system (IPS), URL filtering, and content-specific controls, are not provided. In today’s world, advanced security can no longer be an afterthought, and the complexity of weaving security into an SD-WAN solution by hand introduces unnecessary overhead and risk. Integrated security is essential to the successful execution of SD-WAN.
  • The second approach, Firewall With Embedded SD-WAN, provides a single implementation for both advanced security and SD-WAN services, requiring a single management console for both. Fortinet’s Secure SD-WAN is the only vendor solution that provides this option. This architecture delivers complete security services, covering OSI’s L3 to L7 with balanced SD-WAN services. Typical use cases span everything from small branch offices to larger regional/central offices with critical activities.
  • The third approach, SD-WAN With Cloud-Based Security, uses security services and enforcement provided by cloud-based next-generation firewall (NGFW) systems. Use cases focus on smaller remote branch offices with noncritical activities.
  • The fourth approach, SD-WAN With Third Party Firewall, combines dedicated SD-WAN hardware with dedicated same-brand or third-party firewalls. This approach delivers both robust SD-WAN and security capabilities, albeit normally at a higher cost. Here, SD-WAN and firewall vendors often work together to optimize the interoperability of their products. However, two separate management consoles may still be required, adding complexity to the solution. With our significant market share, Fortinet’s NGFWs have an advantage, both due to our installed base of solutions, and their ability to “speak” SD-WAN. Use cases include larger branch offices running critical services and activities.

Fortinet SD-WAN Solutions

Selecting an SD-WAN solution needs to be based on the specific circumstances of each deployment. However, the selection needs to take into account both immediate needs and the longer view. You don’t want to select a solution that limits your architectural choices in the future.

Fortinet Secure SD-WAN offers some distinct advantages to both end-user customers and service providers in terms of flexibility. For end-user customers, the Firewall With Embedded SD-WAN approach, implemented with FortiOS and FortiGate NGFWs, offers existing customers the option of adding SD-WAN services to their existing IT portfolio at no additional cost, while simplifying the deployment and management of both SD-WAN and security services through a single management console.

For security service providers, Fortinet SD-WAN offers the attractive (and economically disruptive) possibility of offering their customers low-cost SD-WAN services as an add-on to their managed security services. This can not only help managed security services providers (MSSPs) positively differentiate themselves from peer competitors, but also help them sharpen their competitive edge against network service providers attempting to move in on their security business.

The lines separating established categories of IT products and services are beginning to blur. Fortinet Secure SD-WAN demonstrates the power of FortiGate NGFWs to deliver software-defined services beyond the market’s current expectations for “security” products.

I welcome this prospect of change for a couple of reasons. First, the history of computing is one of faster, less expensive, more multifunctional products displacing higher-priced, more limited-functionality alternatives. Second, integrating security with SD-WAN brings us closer to the day when security and IT service delivery will have completely converged. The world will be a much better place when we can be confident that digital transformation of business can occur without disproportionate expansion of the global cybersecurity attack surface.

To learn more, readers should check out our Fortinet Secure SD-WAN solution page. Also, if you happen to be in France at the end of September, I would be delighted to see you at my presentation or to meet up with you at the SD-WAN Summit event.
