Secure SD-WAN vs NFV: Unraveling the Hidden Costs of WAN Edge Technologies

By Vince Hwang | June 12, 2019

According to Gartner, enterprise consumption of WAN bandwidth is increasing by up to 30% annually. It’s no wonder that enterprises are constantly evaluating their WAN-edge deployment options and looking for alternatives that will enable them to meet their networking and bandwidth needs without equivalent increases in costs and complexity.

Recently, SD-WAN has generally become the best answer to this challenge – even though (because this is such a new market) not all SD-WAN solutions are created equal. In response, however, some vendors have started pushing Network Function Virtualization (NFV) products and services to market as an alternative to SD-WAN. Further adding to the confusion are elaborate claims of cost savings combined with clever packaging and bundles that obscure the true costs of the various options available.

The question is, how do you compare these offerings to determine which is best for your organization?

This article will help highlight key considerations when evaluating WAN-edge technologies and unravel various options to help you make the right decisions for your organization.

A Quick Recap: SD-WAN vs NFV

SD-WAN can run on top of specific networking hardware, or function as a wholly contained virtualized appliance that can enable deployments and extensions of services across both on-premises and cloud. Enterprises deploying SD-WAN benefit from simpler management, more effective bandwidth use, improved end-user experience, and increased security. And more importantly, they also realize lower deployment and operations costs.

NFV also can run SD-WAN, but does so using standard x86 server platforms running one or more virtual machines. These VMs, in turn, run various software and services to deliver networking and infrastructure capabilities, such as routing, next-gen firewalls (NGFW), SD-WAN, session border control, and WAN optimization, to name a few.

The comparison seems pretty straightforward. On paper, NFV sounds like a better deal. Who wouldn’t want to be able to run SD-WAN along with a variety of additional services and capabilities on low-cost, generic hardware? But, not so fast…this is where things begin to break apart:

1. Hidden Costs: Aside from the hardware running an NFV solution, there are additional subscriptions and VMs for each functional capability that need to be purchased and licensed individually, including SD-WAN, routing, next-gen firewalls (NGFW), session border control, and WAN optimization. This can drive up costs several-fold beyond the initial NFV hardware outlay.

A quick search shows bundled NFV solutions leveraging low-cost hardware that start at just $1500. Of course, SD-WAN for the box is licensed separately, and once you add the needed SD-WAN subscription and minimal critical security such as NGFW on top, the costs not only go well beyond the initial cost of the box—they also go beyond the price of other SD-WAN solutions in the market.

For example, take a look at the comparative value matrix report and understand how Fortinet emerged as a top choice for Secure SD-WAN. 

2. Integration: It is just as important to recognize that the responsibility of integrating the various VMs, services, and solutions that might run on an NFV platform rests entirely with the purchaser, whereas fully packaged SD-WAN solutions, such as those from Fortinet, are pre-integrated by the vendor.

NFV was originally conceived by Service Providers, who were looking to maximize their infrastructure investments by standardizing on generic hardware. Their business model already includes the overhead required to integrate multiple, disparate solutions together, and they are staffed to handle the complexities that come from this approach.

For enterprises, however, this is typically not the case. So in addition to a significantly higher TCO, there are additional deployment, operational, overhead, and support costs lurking around the corner that enterprises need to account for when considering NFV-type deployments. And let’s not forget, multiple products from multiple vendors means multiple management consoles for your limited staff to operate, monitor, and configure, including trying to correlate network and security policies between them for highly dynamic SD-WAN connections.

It’s pretty clear, based on the true costs and exponential complexities, that NFV really is not ready for “prime time”, especially when it comes to SD-WAN. And it’s not just us saying this. Gartner has cautioned organizations looking at NFV solutions as well:

"...infrastructure and operations leaders should first factor in the additional costs and complexity for this [NFV] relatively immature technology."
Gartner, April 23, 2019. “Pump the Brakes on Network Function Virtualization Services”

Not All SD-WAN Solutions are Created Equal

Of course, the decision isn’t as simple as choosing between SD-WAN and NFV. SD-WAN itself also comes in basically two versions: “pureplay” SD-WAN vs “secure” SD-WAN.

  • Pureplay SD-WAN is simply that—just SD-WAN. But ironically, it’s actually not very simple. Enterprises considering a pureplay SD-WAN option will still need to buy and deploy security on top of the SD-WAN solution. This adds costs and complexities similar to the hidden overhead of the NFV-based options that need to be considered.

And, though you might think so, a pureplay SD-WAN solution isn’t necessarily cheaper than one that includes fully integrated security and advanced SD-WAN networking options. The above chart shows that the comparison of TCO spans all providers of SD-WAN solutions.

  • Secure SD-WAN, on the other hand, enables organizations to deploy, manage, and orchestrate both security and SD-WAN capabilities in a single solution—and single console—to help companies truly implement security-driven networking across their organization.

This is a critical point, since operations and security need to operate hand-in-hand as a best practice. Additionally, customers who opt for secure SD-WAN solutions also save themselves from the added complexities of deploying, integrating, and managing disparate solutions from multiple vendors. And external support is easier when there is only one vendor to call.

A Word about Speed

As a final recommendation, performance is another critical component of an SD-WAN solution that needs to be considered. Cost-effective scalability is essential when choosing secure SD-WAN solutions, and the IT industry’s demand for reliable throughput is only going to keep growing. Enterprises, therefore, should strongly consider options that utilize custom ASICs and security processors such as those offered by Fortinet.

Custom processors designed specifically to accelerate SD-WAN functionality deliver better price-to-performance points than solutions built using off-the-shelf processors, delivering a better networking experience even with all security functions running concurrently. Fortinet’s custom SD-WAN ASICs for hardware appliances, combined with the industry’s only SPU (Security Processing Unit) designed for virtual appliances, deliver best-in-class security without sacrificing network performance.

This is one of the many reasons why Fortinet is able to deliver an astounding price-to-performance point of 749 Mbps of throughput at just $5/Mbps.

Key Takeaways

To sum up, enterprises need to see and understand the whole picture when evaluating SD-WAN options in order to select the right solution for their organization. When the challenges of integration and management are combined with true TCO, it is clear that NFV options are truly not ready for prime time as they harbor significant costs and complexities that many customers won’t have an appetite for. Instead, organizations should consider a secure SD-WAN solution—one that integrates all functionality into a single solution and management console without all the added and unnecessary complexity and overhead.

Additionally, Fortinet’s SD-WAN and products are fully integrated into the Fortinet Security Fabric to deliver tight integration and true single-pane-of-glass management and orchestration across Fortinet’s extensive product portfolio and a wide range of third-party solutions, as well as across multiple network ecosystems, including the WAN, the mobile edge, and every major cloud provider. This makes Fortinet the first security vendor to provide this level of consistent protection everywhere your digital transformation efforts take you. All of this translates to reduced complexity and increased operational savings well beyond the $5/Mbps at 749 Mbps.

