An intermediate stage is where the SD-WAN vendor, as part of a converged edge offering, includes a full security suite on its managed customer-premises equipment (CPE). This may be native to the vendor's SD-WAN stack or, alternatively, run as a virtual network function under network functions virtualization (NFV). This second option is one method by which an enterprise, after selecting an SD-WAN vendor, can maintain its existing security vendor relationship at the branch.
In the recent Aryaka ‘State of the WAN’ survey, the majority of respondents stated that they would prefer a multi-vendor security solution from their SD-WAN supplier, though as expected, the percentage opting for a single-vendor solution was higher in North America than in EMEA or APAC. One challenge is integrating any NFV-based security solution with the enterprise’s installed workflows and third-party instrumentation. Ultimately, the success of deploying one vendor’s virtual firewall on the SD-WAN CPE of another is not driven by the VM hosting but instead by the operational aspects.
As noted earlier, branches in the past would connect via the existing WAN, MPLS included, to the HQ site, leveraging the central firewall for Internet and cloud connectivity. Now, branches connecting to SD-WAN have the same options as above as part of the vendor's SD-WAN CPE, though with quicker uptake of cloud-based security as older standalone appliances, where deployed, are retired.
If deploying security solutions from multiple vendors—for example, some security delivered by the SD-WAN provider, NFV or otherwise, and some delivered by an incumbent security vendor—the workflows and visibility need to integrate the two. Any security within the SD-WAN solution must adapt to the existing security architecture of the enterprise, and not the other way around. The actual division of security responsibilities between the edge and the cloud is not as important as maintaining control and visibility.
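The integration point described above, unified visibility across the SD-WAN vendor's native firewall and an incumbent vendor's virtual firewall on the same CPE, is illustrated here with an added example that is not part of the original article and not code from Aryaka or any SD-WAN or security vendor. Both log formats, the branch names and the addresses (documentation ranges) are constructed; the two parsers are hypothetical stand-ins for whatever a real vendor emits. The point is that once events are normalized into one schema, branch-level questions such as "which branches blocked traffic to this destination" can be answered without caring which box produced the event.

```python
"""Normalize firewall events from two (constructed) vendors into one schema.

Assumptions (not from the article): an SD-WAN vendor's native firewall logs
key=value lines, and a third-party VNF firewall on the same CPE logs CSV lines.
Both formats are invented for this example.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    branch: str
    source: str     # "sdwan_native" or "vnf_firewall"
    action: str     # normalized to "allow", "deny" or "unknown"
    src_ip: str
    dst_ip: str
    dst_port: int
    app: str


# Constructed sample: key=value style from the hypothetical native SD-WAN firewall.
SDWAN_LOG = """\
site=branch-01 fw=native action=deny src=10.1.1.20 dst=203.0.113.5 dport=445 app=smb
site=branch-01 fw=native action=allow src=10.1.1.21 dst=198.51.100.10 dport=443 app=https
site=branch-02 fw=native action=deny src=10.2.1.5 dst=203.0.113.9 dport=23 app=telnet
"""

# Constructed sample: CSV style from the hypothetical third-party VNF firewall.
VNF_LOG = """\
2024-05-01T10:00:01Z,branch-02,BLOCK,10.2.1.7,203.0.113.5,445,SMB
2024-05-01T10:00:02Z,branch-03,PASS,10.3.1.2,198.51.100.10,443,HTTPS
2024-05-01T10:00:03Z,branch-03,BLOCK,10.3.1.9,203.0.113.5,445,SMB
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
VNF_ACTION = {"BLOCK": "deny", "PASS": "allow"}


def parse_sdwan(line: str) -> Event:
    """Parse one key=value line from the native firewall into the common schema."""
    fields = dict(KV_RE.findall(line))
    return Event(
        branch=fields["site"],
        source="sdwan_native",
        action=fields["action"].lower(),
        src_ip=fields["src"],
        dst_ip=fields["dst"],
        dst_port=int(fields["dport"]),
        app=fields["app"].lower(),
    )


def parse_vnf(line: str) -> Event:
    """Parse one CSV line from the VNF firewall; vendor verbs are mapped to
    the common allow/deny vocabulary, anything unrecognized becomes 'unknown'."""
    _ts, branch, action, src, dst, dport, app = line.split(",")
    return Event(
        branch=branch,
        source="vnf_firewall",
        action=VNF_ACTION.get(action.upper(), "unknown"),
        src_ip=src,
        dst_ip=dst,
        dst_port=int(dport),
        app=app.lower(),
    )


def normalize(sdwan_text: str, vnf_text: str) -> list:
    """Merge both vendors' logs into a single list of normalized events."""
    events = [parse_sdwan(l) for l in sdwan_text.splitlines() if l.strip()]
    events += [parse_vnf(l) for l in vnf_text.splitlines() if l.strip()]
    return events


def denies_per_branch(events: list) -> Counter:
    """Blocked-flow count per branch, regardless of which firewall blocked it."""
    return Counter(e.branch for e in events if e.action == "deny")


def branches_with_denied_destination(events: list, dst_ip: str) -> list:
    """Branches where any firewall denied traffic to dst_ip (sorted for stable output)."""
    return sorted({e.branch for e in events if e.action == "deny" and e.dst_ip == dst_ip})


if __name__ == "__main__":
    evs = normalize(SDWAN_LOG, VNF_LOG)
    print("denies per branch:", dict(denies_per_branch(evs)))
    print("branches denying 203.0.113.5:", branches_with_denied_destination(evs, "203.0.113.5"))
```

The `source` field is kept on every event so that, after the two feeds are merged, an operator can still tell which control produced a verdict; that preserves the control and visibility the article says matter more than where the enforcement physically sits.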
With more than half of all enterprise WAN traffic moving to and from the cloud, global businesses are moving away from legacy architectures such as MPLS to SD-WAN technologies. As this changeover happens, it’s paramount that security doesn’t become an afterthought. Every enterprise SD-WAN strategy must include a roadmap for how security will fit into the new network architecture.