
Not all Secure SD-WAN Solutions are Created Equal

By Nirav Shah | May 16, 2019

The SD-WAN market is experiencing rapid growth, with about 50% of organizations expected to have deployed SD-WAN by the end of 2019. But because it relies on direct internet access, SD-WAN introduces security risk, especially when compared with organizations’ previous MPLS connections. And given the state of today’s threat landscape, security can no longer be treated as something added after an SD-WAN is deployed. Instead, it needs to be baked into the architecture.

To address this challenge, organizations concerned about the risks of the public internet and bolt-on security are looking for a security-driven networking approach that enables secure SD-WAN out of the box. Fortinet was one of the first vendors to introduce “Secure SD-WAN” (in 2016) to deliver fully integrated, security-driven networking capabilities. Fortinet also delivered the industry’s first SD-WAN ASIC, enabling best-of-breed NGFW in the same offering without compromising performance and scalability.

Security Driven Networking is the Right Approach for Secure SD-WAN

Today, many of the more than 60 vendors that offer SD-WAN claim that their SD-WAN solutions include or support security. In reality, however, few vendors actually offer full-stack security, offering instead stateful firewalls, which aren’t as effective. Organizations with a healthy concern for risk need to take note. To address that issue, NSS Labs recently published the NSS Labs SD-WAN Intelligence Brief, a research paper designed to help organizations understand the strengths and limitations of product offerings, so that their SD-WAN implementations do not compromise the security or integrity of their organizations or impose undue challenges in terms of deployment or management.

In this paper, NSS Labs explains why having security built into an SD-WAN solution is the right approach for successful WAN Edge deployments. According to NSS Labs, the security provided in a “Secure SD-WAN” solution should align with the capabilities provided in NGFW technology; “In our (NSS Labs’) opinion, secure SD-WAN products from non-firewall vendors currently do not meet all firewall use cases, and should be evaluated carefully.”

The reason this is important is that organizations have come to expect that they will need to add security to any networking solutions or components they deploy. But given the potential networking complexities of SD-WAN, adding security as an afterthought to dozens or more connected branch offices—especially where there may not be any IT staff located in the branch office being connected—can be overwhelming. That is why even organizations reviewing SD-WAN solutions simply to consolidate point products and reduce operational cost should not reduce their expectations for protection.

Fortinet’s Real Secure SD-WAN Solution Continues to Garner Third-Party Validation

In that regard, Fortinet’s Secure SD-WAN solution is experiencing rapid adoption because Fortinet delivers the most comprehensively Secure SD-WAN solution on the market, in addition to its robust suite of advanced routing and WAN optimization functions. NSS Labs has consistently awarded a wide variety of Fortinet solutions its top “recommended” rating for years, including in the recent NGFW and SD-WAN group tests, in which Fortinet received a recommended rating. Few other SD-WAN vendors can make the same claim—especially when it comes to bundling advanced networking and security functions together in the same, unified management interface.

One reason this designation from NSS Labs is important is that the SD-WAN buying center is usually part of the networking/infrastructure team and not the security team, which means that security decisions are often made after the fact, rather than SD-WAN and other networking decisions being security-led.

The NSS Labs report specifically addresses this common misconception by reporting on the importance of not compromising on security to achieve reduced WAN costs with SD-WAN.

Evaluating Your Need for SD-WAN Security

NSS Labs recommends that organizations looking at SD-WAN solutions begin by asking four fundamental security questions:

  1. How will my risk posture change if I adopt SD-WAN technology? 

  2. Can the SD-WAN technology meet our organization’s anti-threat requirements? 

  3. Are there limits to the types of threats that can be detected? 

  4. Is there an operational cost to implementing anti-threat features, and if so, what is it? 


This information can help guide the critical decision of selecting and implementing the sort of SD-WAN solution your organization needs to not only address your digital transformation requirements, but to do so without compromising on security.

The NSS Labs report recommends that organizations exploring SD-WAN deployment through Proof of Concept (PoC) installations plan to include rigorous testing of security features, evasions, and SSL inspection capabilities. In this way they can best understand which solution is the best fit for their organization.

Where to Begin

There are many reasons why organizations—especially those somewhat intolerant to risk—should prefer best-of-breed NGFW security seamlessly integrated into their SD-WAN. Advanced WAN networking, overlay VPN, and world-class security (NGFW, IPS, Antivirus, Web Security, and even Sandboxing) woven together into a single-pane-of-glass management solution ensure quick low-touch/no-touch deployment and robust interconnectivity without compromising on critical protection.

To make sure your organization is getting the solution it needs, keep the following in mind:

  1. Secure SD-WAN Proof of Concept (PoC) projects should include full-stack NGFW testing, whether the NGFW is integrated into a solution or deployed later as an overlay solution, to assess the comprehensiveness of protection and ease of deployment.
  2. With business traffic—especially across public networks—increasingly encrypted, enterprises must evaluate the performance of inspecting SSL and IPSec encrypted traffic so that security does not become a bottleneck for critical and/or latency-sensitive applications and services. 
  3. Review NSS Labs’ recent SD-WAN and NGFW public test report for a detailed comparison of vendors, in addition to the NSS Labs SD-WAN Intelligence Brief.

Fortinet’s Secure SD-WAN solution includes best-of-breed next-generation firewall (NGFW) security, SD-WAN, advanced routing, and WAN optimization capabilities, delivering a security-driven networking WAN edge transformation in a unified offering. Find out more about our new SD-WAN ASIC chip.

Read these customer case studies to see how Warrior Invictus Holding Co., Inc. and the District School Board of Niagara implemented Fortinet’s Secure SD-WAN to alleviate network complexity, increase bandwidth, and reduce security costs.  
