Industry Trends

Moving SD-WAN From a Stand-Alone Appliance to a Feature in a Security Platform

By Nirav Shah | May 26, 2020

Consolidation has been an essential part of digital innovation for decades. Many of the features and functions we now take for granted were once stand-alone solutions. TCP/IP used to be a solution you had to purchase and add to your network separately. VPN concentrators were exclusively sold as separate devices rather than as a feature. SD-WAN is no different.

The Security Platform is the Ideal Location for SD-WAN

The whole idea of an integrated security platform is based around the idea that certain essential functions should be part of a single system. Look at the standard features on a security platform: NGFW, IPS, antivirus, anti-malware, AAA services, web filtering, sandboxing, and others, depending on the platform.

Network functionality has also been woven into today’s security platform. VPN aggregation, for example, involves managing communications and access control. Wired and wireless access points interoperate with an NGFW platform to secure access, as well as things like Network Access Control (NAC). Integrated network segmentation ensures that devices are assigned to specific, security-controlled segments of the network based on things like user role, device type, and required access to specific resources.

These all have two things in common. First, these solutions have all been placed together into a single device because they all provide a variation on the theme of securing network access and then inspecting and securing data moving between digital environments. And second, they all used to be separate stand-alone solutions.

There is nothing to suggest that SD-WAN should be any different.

Security and SD-WAN Need to Function Hand in Hand

The reality is that without strong security, SD-WAN becomes another conduit for malware and cybercriminals to access your network. The lack of integrated security is the Achilles' heel of SD-WAN, and implementing it as an overlay is not only expensive and cumbersome but leaves huge security gaps when traffic connections shift to ensure consistent bandwidth for critical applications.

Adding a full-featured SD-WAN solution to a security platform as a feature eliminates yet another appliance that needs to be deployed at the edge. And if it is fully integrated into the platform, as it ought to be, it enables the full stack of integrated security solutions to inspect, secure, and monitor all SD-WAN connections and applications by default. And because security platforms come in a variety of form factors, they can be more easily deployed in a variety of settings beyond the traditional branch office.

Not Every Security Platform is Ready for SD-WAN

Of course, this comes with some caveats. First of all, security platforms need to be truly integrated. Far too many are still just a collection of separate security devices rolled together inside a sheet metal box with nothing more than a shell menu from which to launch its different components. A true platform needs tools explicitly designed to interoperate as a single system, ideally with each element running on the same operating system and managed through a single-pane-of-glass interface. This ensures that all transactions are seen and inspected, and that any threats or anomalous behaviors are shared between every solution for maximum protection.

As part of such an integrated system, the networking and connectivity functionality of an SD-WAN would not just be more closely associated with the security solutions installed on the platform. They would be the same thing. That way, when a connection needs to failover due to performance degradation, security would failover with it, ensuring seamless protection in even highly dynamic environments.

And unlike trying to add security to an SD-WAN solution, adding the additional functionality of an SD-WAN solution to the underlying operating systems of an integrated security platform is not an issue. It is what that operating system was designed to do, given that it already runs and integrates a wide variety of technologies. And its management console is likewise already designed to configure, orchestrate, and report on multiple solutions simultaneously. By managing SD-WAN policies, SLA requirements, and other baseline functions alongside security functions, visibility and control across the Secure SD-WAN deployment are consolidated and enhanced.

The next challenge is performance. Security platforms are notorious for being a bottleneck, especially when it comes to many of today’s bandwidth-heavy applications, such as videoconferencing or the streaming of rich media. And the problem gets worse when this data is encrypted. Inspecting encrypted data drives the throughput of most security appliances to the floor. That's because, despite their highly specialized functionality, nearly all security appliances still inexplicably rely on generic, off-the-shelf CPUs to process their resource-intensive functions, such as encrypted data inspection.

Other high-tech solutions, such as cloud platforms, smartphones, network devices, and even smart cars, all leverage custom-built processors to more efficiently process large amounts of specialized data. Without custom processors of their own, many security manufacturers are ill-prepared to meet any of the needs of tomorrow's resource-intensive processing, let alone the functional requirements of an integrated SD-WAN solution. To that end, more security vendors need to rise to the task of designing their hardware to run optimally in today’s complex and performance-hungry environments.

Secure SD-WAN Supports Security-Driven Networking

The most important use case for the integration of SD-WAN into a security platform, however, is the need for all organizations to transition to a security-driven networking model. Digital innovation continually outstrips the ability of security to protect the expanding attack surface, increasing risk and leaving organizations unnecessarily exposed. A security-driven networking approach, on the other hand, ensures that security is always an integrated function of any network development or expansion project. In such an approach, security isn't just along for the ride. It is an integral part of the new network – adapting and scaling along with the network, even as it expands into new cloud environments, provides more nimble services to branch offices, and moves to the rapidly growing edge.

Moving SD-WAN from a stand-alone appliance to a feature in a security platform may feel like a quick transition. It seems like it barely arrived on the scene. But at the rate at which digital innovation is progressing, we don’t have the time or resources to lug yet another appliance out to every remote location. We need agile, integrated, and adaptable solutions designed to support multiple use cases, and transitioning SD-WAN from a stand-alone appliance to a function inside a device we already deploy everywhere is the best way forward.

Take a security-driven approach to networking to improve user experience and simplify operations at the WAN edge with Fortinet’s Secure SD-WAN solution.

Read these customer case studies to see how Warrior Invictus Holding Co., Inc. and the District School Board of Niagara implemented Fortinet’s Secure SD-WAN to alleviate network complexity, increase bandwidth, and reduce security costs.