Blog

In a world of multi-page product specification sheets, SD-WAN technology can be described in just one sentence: Network technology providing WAN link resilience, bandwidth, and control using network edge appliances (existing firewalls and routers or dedicated controllers) as termination points. The devil is in the details, however—especially considering the complexity of network routes and policies within a modern enterprise IT security architecture. In spite of this complexity, the “basic” SD-WAN is by many accounts a relatively straightforward technology to implement with a clear ROI.

Secure SD-WAN is an entirely different story. Add full security stack capabilities to the SD-WAN feature mix (think NGFW + WAN circuit management + WAN optimization), and deployment complexity ramps to a whole new level. Complexity considerations aside, it isn’t surprising that NSS Labs enterprise clients are investigating replacing branch office NGFW appliances with secure SD-WAN technology. Purchase drivers include vendor consolidation (i.e., enterprises want to simplify multi-vendor firewall deployments) and capex reduction (if secure SD-WAN meets organizational security requirements, hardware can be removed at branch offices without increasing risk).

It is important to maintain perspective amidst the hype. If an enterprise is looking to answer the question of whether or not it should replace its NGFW with secure SD-WAN technology, the answer depends on its tolerance for risk. To be successful as an NGFW replacement, secure SD-WAN technology must meet both firewall and network routing requirements—all requirements, not just high-level anti-threat or basic routing capabilities. Here, the “secondary” features (which are really the primary features when it comes to production use) make the difference: interoperability, policy management, diagnostics, alert handling, logging, management console workflow, signature quality, firmware development speed, capacity planning, etc. We can leave QoS off the table because it is assumed that if an SD-WAN cannot meet basic throughput, latency, jitter, and packet loss requirements, then it isn’t an option

Clearly, an organization must consider many factors before making the switch to secure SD-WAN technology. Even the definition should be evaluated prior to initiating a proof of concept; “security” in SD-WAN varies per vendor; some market it as encryption, others describe it as service chaining, and still others define it as full stack security. Our assessment is that, at least for now, SD-WAN products offered by firewall vendors are the safest choice for organizations intolerant to risk.

While secure SD-WAN technology offers today’s enterprises an enormous opportunity for cost savings, consolidation, and resilience, enterprises must understand all of the factors associated with a successful deployment—the cost advantages of this technology cannot be considered justification for increasing an organization’s risk tolerance. Our new Intelligence Brief on SD-WAN takes a closer look at this technology.

NSS Labs has published a series of Intelligence Briefs on security controls in the US enterprise. The NSS Labs 2019 Intelligence Brief on SD-WAN offers visibility into current enterprise requirements for the technology. The paper is available in our research library.