SD-WAN stands for Software-Defined Wide Area Network, and it brings the advantages of Software-Defined Networking (SDN) to the enterprise Wide Area Network.

It is a cloud-delivered overlay wide area network architecture that enables digital transformation of enterprises. With trends such as applications being moved into the cloud, it has become imperative that we rethink WAN architectures.

Let’s take a quick look at the history of WAN transformation. In the 1980s we had TDM-based WAN for data and voice, then Frame Relay-based WAN in the 1990s, ATM-based WAN in the mid-90s, and from the 2000s we had MPLS. Since then the WAN has seen very little innovation.

Challenges of the traditional WAN:

When designing, deploying and operating a WAN, there are many things that we need to keep in mind, considering that the WAN has a very wide blast radius. These include security, visibility, internet access, applications, branch and data center connectivity, cloud and remote workers.

The following are some of the notable traditional WAN challenges:

  1. The traditional WAN architecture typically consists of private MPLS links with internet or LTE as a backup. The underlying infrastructure is very static and requires the service provider’s input. Consequently, it takes ages for changes to be effected to meet evolving business requirements.
  2. It is complicated to design and implement WAN architectures that are robust enough to support multiple failure scenarios due to complexities involved in trying to load balance traffic in the border edge devices, and aspects such as delay, jitter, round trip time and routing loop prevention features that need to be considered.
  3. The design for the WAN and branch site was conceived in the client-server era, the datacenter being the hub, and the branches being the spokes. Additionally, all applications and data were located in on-premises data centers, behind firewalls and were accessed by workers in the branch locations. Also, there was just one centralized internet breakout at the data center. Today however, hybrid IT and multi-cloud designs are the order of the day. This has made applications and data distributed. This introduces a challenge since the traditional hub and spoke architecture was designed for the client-server model. This model however doesn’t work for today’s cloud based applications that require direct internet breakouts at the branch locations.

SD-WAN is the modern era of the WAN. It is software-defined, meaning a lot of complexity can be put in code, making the WAN more capable than it has been in the past. For instance, we can now have more optimal application traffic flows based on predefined service level agreements (SLA) over flexible WAN topologies such as hub and spoke, or meshed networks.

For example, voice traffic prefers low delay and latency, whereas file transfers can tolerate more delay but need more bandwidth. Because SD-WAN is transport link agnostic, it allows an enterprise in this case to combine multiple WAN transport links into one big pipe.
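A sketch of the SLA-driven steering described above, as an added example rather than code from the article or any vendor. Link names, measurements and SLA thresholds are constructed, and `steer` is a hypothetical helper; the fallback branch covers the case where no transport meets the SLA.

```python
# Added illustration: SLA-based path selection across WAN transports.
# Link names, metrics and SLA thresholds are constructed sample values.
from dataclasses import dataclass

@dataclass(frozen=True)
class Link:
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    bandwidth_mbps: float

@dataclass(frozen=True)
class Sla:
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float
    prefer: str  # "latency" or "bandwidth"

def meets(link, sla):
    return (link.latency_ms <= sla.max_latency_ms
            and link.jitter_ms <= sla.max_jitter_ms
            and link.loss_pct <= sla.max_loss_pct)

def steer(links, sla):
    """Return (ordered list of chosen link names, whether the SLA is met)."""
    ok = [l for l in links if meets(l, sla)]
    if not ok:
        # No transport meets the SLA: degrade to the least lossy, then fastest link.
        best = min(links, key=lambda l: (l.loss_pct, l.latency_ms))
        return [best.name], False
    if sla.prefer == "bandwidth":
        # Transport-agnostic bonding: use every compliant link, largest first.
        return [l.name for l in sorted(ok, key=lambda l: -l.bandwidth_mbps)], True
    return [min(ok, key=lambda l: l.latency_ms).name], True

LINKS = [
    Link("mpls", 20, 2, 0.0, 50),
    Link("internet", 45, 12, 0.5, 500),
    Link("lte", 80, 25, 1.5, 30),
]
VOICE = Sla(150, 10, 1.0, "latency")
FILE_TRANSFER = Sla(300, 50, 2.0, "bandwidth")

if __name__ == "__main__":
    print(steer(LINKS, VOICE))
    print(steer(LINKS, FILE_TRANSFER))
```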

It is essentially a mechanism that allows companies to more flexibly interconnect remote sites.

Like SDN, SD-WAN decouples the control and data planes and rearchitects how you build networks and services on top of them. In the case of SD-WAN, the control plane is a software component that usually runs centrally in a cloud environment. The data plane comprises the edge devices deployed at branches. The switching backplane is the actual WAN transport links themselves.

WAN Underlays vs Overlays:

The SD-WAN architecture comprises a centralized SD-WAN controller acting as the brain with a global view of the network, instructing the SD-WAN edge devices on where to steer traffic.

SD-WAN has both an overlay and an underlay. The underlay consists of the physical network infrastructure, and the overlay is the set of SD-WAN virtual WANs onto which the applications are mapped.

The concept of an underlay and overlay is not new; different technologies have been using this concept for a long time. To dig into it a little further, an underlay network is the physical infrastructure above which the overlay network is built. It is the responsibility of the overlay to deliver packets like DWDM, L2, L3, MPLS, or internet, etc.

On the other hand, the overlay is a software-based logical network that uses network virtualization to build connectivity on top of physical infrastructure using tunnelling encapsulations such as VXLAN, GRE, and IPSec. We will explore how this is done using GRE in a moment.

Legacy WANs rely almost entirely on MPLS circuits that are offered by service providers to connect remote sites, typically to a centralized HQ location. The advantage of this approach is it provides privacy of data, and SLAs pertaining to traffic parameters such as bandwidth, delay and jitter, and high availability of connections. However, this comes with disadvantages such as high cost, lack of transparency as to what happens on the service provider network and high dependency on the service provider for any new service deployments.

The widespread adoption of new digital innovations has transformed enterprise networks, which have become more hybrid while adding breakthrough capabilities to transform the business. But with the rapid proliferation of the mobile workforce, multiple public and private clouds, and Internet-of-Things (IoT) devices, network attack surfaces have dramatically expanded, with more blind spots obscuring visibility into threats.

This makes extended enterprises more difficult to secure, increasing security risks resulting from internally and externally directed attacks. Legacy WAN architectures are also facing major challenges under this evolving landscape, and the existing ENTERPRISE WAN is facing similar challenges.

Below are some of the issues being experienced with the current ENTERPRISE WAN:

  • Complex operations
  • Long deployment times and policy changes
  • Limited application visibility
  • Difficulty in securing the network, as it currently uses unsecured GRE tunnels
  • Little to no load balancing of traffic across all available MPLS links.
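What "unsecured GRE tunnels" means for an on-path observer, as an added example that is not part of the original article. It builds one plain GRE packet and one ESP packet from constructed sample addresses and shows that the GRE audit recovers the inner source, destination and payload while ESP exposes none of them; `audit` and the other helper names are hypothetical.

```python
# Added illustration: audit tunnel packets for cleartext GRE vs. IPsec ESP.
# All addresses and payloads are constructed sample data (RFC 5737 / RFC 1918).
import socket
import struct

IPPROTO_GRE, IPPROTO_ESP = 47, 50

def ipv4(src, dst, proto, payload):
    """Build a minimal 20-byte IPv4 header (checksum left at 0) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def gre(inner):
    """Basic GRE header (RFC 2784): no flags, version 0, protocol type IPv4."""
    return struct.pack("!HH", 0x0000, 0x0800) + inner

def audit(packet):
    """Classify an outer IPv4 packet and report what an observer can read."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return {"verdict": "not-ipv4"}
    ihl = (packet[0] & 0x0F) * 4
    proto, body = packet[9], packet[ihl:]
    if proto == IPPROTO_ESP:
        return {"verdict": "encrypted-esp"}  # inner headers are not readable
    if proto != IPPROTO_GRE or len(body) < 4:
        return {"verdict": "other"}
    flags, ptype = struct.unpack("!HH", body[:4])
    # Optional checksum (C), key (K) and sequence (S) fields add 4 bytes each.
    off = 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    inner = body[off:]
    if ptype != 0x0800 or len(inner) < 20:
        return {"verdict": "cleartext-gre"}
    inner_ihl = (inner[0] & 0x0F) * 4
    return {"verdict": "cleartext-gre",
            "inner_src": socket.inet_ntoa(inner[12:16]),
            "inner_dst": socket.inet_ntoa(inner[16:20]),
            "inner_payload": inner[inner_ihl:]}

# Constructed samples. Protocol 253 is an experimental number, so the inner
# payload is just raw sample bytes with no transport header.
INNER = ipv4("10.1.0.5", "10.2.0.9", 253, b"cleartext application data")
GRE_PKT = ipv4("192.0.2.1", "198.51.100.1", IPPROTO_GRE, gre(INNER))
ESP_PKT = ipv4("192.0.2.1", "198.51.100.1", IPPROTO_ESP, bytes(24))
```

Running `audit` over a capture taken at the WAN edge gives a quick inventory of which tunnels still carry readable branch traffic.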

Insoft Services proposes Fortinet Secure SD-WAN for the existing ENTERPRISE WAN. The Fortinet FortiGate Network Firewalls (also known as next-generation firewalls [NGFWs]) enable security-driven networking, provide broad, integrated, and automated protection against emerging and sophisticated threats, and have built-in SD-WAN capabilities.

Fortinet has traditionally supported advanced networking features including dynamic routing, IPv4/v6 and multicast support.

Fortinet NGFWs with built-in SD-WAN capabilities provide both networking and security for branch networks in a single consolidated solution. It provides efficient protection across all branch outposts by providing consistent policy enforcement with single-pane-of-glass management. It also allows enterprises to mitigate risks associated with DX.

With over 30,000 customer deployments, Fortinet leads the market with Secure SD-WAN innovation with integrated SD-WAN and security capabilities. For SD-WAN capabilities, Fortinet combines NGFW, advanced routing, and SD-WAN features in a single solution that improves WAN efficiency and security.

FortiGate Network Firewalls serve as an integral part of the Fortinet Security Fabric—an end-to-end security architecture that provides automated threat-intelligence sharing for effective security posture, all managed by the Fortinet Fabric Management Center.

Why Fortinet SD WAN?

Gartner anticipates that “25% of enterprises will adopt SD-WAN in the next two years.” However, the performance and convenience gains of SD-WAN over traditional WAN come largely at the expense of centralized security provided by backhauling network traffic through the data center, where everything can be checked and filtered in one place. And while the use of public links for direct internet access in an SD-WAN architecture provides improved options for enterprise-wide delivery of cloud applications, this also introduces new vulnerabilities and an expanded attack surface.

It is extremely important to ensure you select the right SD-WAN solution. Fortinet Secure SD-WAN delivers all the essential capabilities needed for maintaining secure operations across multiple branches and remote locations.

Fortinet has been named a Leader in the 2022 Gartner® Magic Quadrant™ for SD-WAN for the third consecutive year.

Fortinet Secure SD-WAN was designed to address modern complexity and threat exposure to support customers’ critical business needs. It is designed to evolve to future-proof and protect investments as customers embrace a digital-first journey and support work-from-anywhere. The solution delivers the following benefits:

BUSINESS OUTCOMES:

The following are the business outcomes realized from Secure Fortinet SDWAN:

  • Improved User Experience

An application-driven approach provides broad application steering with accurate identification, advanced WAN remediation, and accelerated cloud on-ramp for optimized network and application performance

  • Accelerated Convergence

The industry’s only organically developed, purpose-built, and ASIC-powered SD-WAN enables thin edge (SD-WAN, routing) and WAN Edge (SD-WAN, routing, NGFW) to secure all applications, users, and data anywhere

  • Efficient Operations

Simplify operations with centralized orchestration and enhanced analytics for SDWAN, security, and SD-Branch at scale

  • Natively Integrated Security

A built-in next-generation firewall (NGFW) combines SD-WAN and security capabilities in a unified solution to preserve the security and availability of the network

Solving Enterprise Problems with SD-WAN:

Keeping in mind all the traditional WAN challenges that we’ve highlighted, SD-WAN aims to solve such enterprise problems in the following ways:

  • Reduces costs. As organizations continue to adopt cloud-based applications, the amount of data traveling over a WAN increases exponentially, increasing operating costs. SD-WAN can cut costs by leveraging low-cost internet, providing direct cloud access, and reducing the amount of traffic over the backbone WAN.
  • Improves performance. SD-WAN can be set up to facilitate critical applications through reliable, high-performance connections. This helps reduce packet loss and latency issues, thereby improving employee productivity and boosting staff morale.
  • Boosts security. Many SD-WAN solutions offer built-in security all across the fabric, which includes IPsec tunnels that connect all branches. They also offer wide flexibility in segmenting traffic, chaining services such as firewalls and VPNs, and a wide range of integrated security features, such as NGFW, IPS, encryption, AV, and sandboxing capabilities.
  • Lowers complexity. SD-WAN can simplify WAN infrastructure by allowing for automation of tasks, managing traffic through a centralized controller and providing a graphical user interface for management.
  • Enables cloud usage. With organizations increasingly adopting cloud services, SD-WAN enables direct cloud access at the remote branch, thereby eliminating the backhauling of all cloud and branch office traffic through the data center. This reduces the burden on the core network and enhances application performance.

SD-WAN can also be used to extend security and network functionality deep into the local branch LAN to protect locally deployed devices and secure direct connections to SaaS applications and other online resources.

This modern era WAN architecture can offer enormous business benefits that translate to a much lower total cost of ownership and support an enterprise’s larger SD-Branch initiatives.
