Security and Advanced Services
While all SD-WANs encrypt traffic, not all SD-WANs incorporate the advanced security functions needed to protect organizations, such as next-generation firewall (NGFW), secure web gateway (SWG), and intrusion prevention systems (IPS). Those capabilities are particularly important if companies are to use direct Internet access (DIA) to overcome the backhaul problems that undermined cloud and Internet performance on MPLS networks.
SD-WAN edge appliances do not provide advanced security services natively. Their delivery depends on the availability of compute, storage, and memory resources. The more services added to the device, the more resources consumed. This leads to scaling challenges for security and networking appliances, such as Unified Threat Management (UTM), routers, and WAN optimization devices, as traffic grows significantly or when enabling advanced services, such as SSL intercept. Because they contain the analysis and enforcement functions, SD-WAN edge appliances face the same limitation.
As such, edge appliances will rely on third-party services to provide advanced capabilities, adding them to the packet flow through SD-WAN service insertion and chaining. With service insertion, the SD-WAN directs packets meeting predefined criteria to and from shared resources. With service chaining, the SD-WAN directs the packets through a set of services in a predetermined sequence.
SD-WAN as a service runs the processing logic in the cloud and benefits from its elasticity and scalability. Advanced security services can be built into the SD-WAN, eliminating the need for third-party services and for service insertion and chaining.