SD-WAN Shows How Security-Driven Networking Can Fix the Internet

SD-WAN technology is interesting for several reasons. First, in its secure form it is a next-generation cybersecurity technology. Second, it allows a company to route traffic in sophisticated ways based on attributes of that traffic, such as the application, the user, and the quality and cost of each available link. The result is a superior experience that enables new networking designs without complex manual configuration.

But there is an expansive lesson from SD-WAN that is underappreciated. The improvements made by SD-WAN show the way toward an even more powerful paradigm, security-driven networking, a concept developed by Fortinet that shows how to fix some of the major problems in cybersecurity today. We interviewed John Maddison, Fortinet’s CMO and EVP of Products, to examine the power of SD-WAN and the way it foreshadows the power of the security-driven networking vision.

The Power of Secure SD-WAN

Balancing security, speed, and efficiency in enterprise network architecture is a tricky endeavor. The traditional approach has been to backhaul traffic from branch locations to a central data center over private, dedicated MPLS circuits. The data center then passes traffic to and from the Internet through the company's cybersecurity stack.

One of the biggest problems with relying on MPLS is the impact on branch offices. As Maddison told me, one customer has 15,000 outlets or small branches. To ensure security, the company brought all of these connections back to a central data center where the security infrastructure resided. The company soon realized it needed more flexibility, and that became the main driver for adopting SD-WAN: the business gained more choice in how it routed traffic, with the potential to lower networking costs.

The backhaul approach worked fine in a world where the main event was connecting branch office staff to applications based in the data center. But the shift to cloud-based applications, both SaaS and internally developed, and the rise in mobile access put stress on this model. Having all traffic directed to a data center location that could be thousands of miles away can lead to frustrating delays. 

Using secure SD-WAN edge devices, companies can more intelligently route traffic and utilize local Internet connections to speed up their networks, while also ensuring the cybersecurity they desire. 

The new paradigm is to selectively route traffic from branch offices to the central data center over dedicated backhaul connections, or to abandon them entirely and have all traffic from the branches go over the public Internet.

Using the public Internet is attractive because the cost is 25 percent or less of that of dedicated connections. In addition, traffic to cloud services has to cross the Internet anyway, so backhauling it to the data center first only adds a detour.

“It just doesn’t make sense anymore to ignore the public internet as a mission critical transport,” said Maddison. “The upside to using commodity connections is too high to ignore given how easy it has become to use such transport securely.”

Better Application Efficiency with SD-WAN

There are two challenges with using the public Internet from a branch. The first is routing the traffic. You may want to route some traffic over the backhaul and other traffic over the public Internet, or you may want to spread traffic across multiple public Internet connections. SD-WAN routers allow routing policies, defined in terms of a large set of metadata about each flow, to be described once at a central management console and then distributed to a large fleet of SD-WAN routers. This type of routing was possible with previous generations of routers, but implementing it required advanced configuration by skilled engineers. In this way, SD-WAN achieved a user-experience victory.

An example came from an interview I conducted with Brian Talbert of Alaska Airlines. Their entire staff at all airports is mobile, but they have lounges where pilots and flight attendants can rest between flights. Often, they want to recuperate by watching Netflix or another streaming service. SD-WAN technology allows Alaska Airlines to accept a connection from a mobile device, determine who the user is and what content they are looking to access, and, if it is something like Netflix, route them over a public Internet connection without letting that bandwidth interfere with the traffic of enterprise applications.

On the other hand, if a worker accesses an airline maintenance application, the SD-WAN router sends that traffic over the dedicated MPLS connection back to the data center. SD-WAN uses metadata about each flow to pick the most efficient and cost-effective connection for it.
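The two decisions just described (streaming traffic goes out over commodity Internet and must not crowd out business applications, while a maintenance application is pinned to the MPLS backhaul) are what an SD-WAN policy encodes. The following is an added example of such a policy engine, written for this article and not Fortinet's or Alaska Airlines' code; the rule names, user groups, link names, SLA thresholds and capacities are all constructed for the illustration. It goes slightly beyond the text by also enforcing a bandwidth reservation for business-class flows on the Internet link and by refusing to downgrade a flow to a transport its policy does not allow.

```python
"""Toy SD-WAN steering policy: classify each flow by application and user
group, then pick the cheapest WAN link that satisfies the policy's SLA.
Added illustration only; the rule names, link names and numbers are invented."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Link:
    name: str
    transport: str            # "mpls" (backhaul to the data center) or "internet"
    latency_ms: float
    loss_pct: float
    cost: float               # relative cost per Mbps, lower is cheaper
    capacity_mbps: float
    business_reserve_mbps: float = 0.0  # headroom kept free for business-class flows
    used_mbps: float = 0.0

    def headroom(self, business: bool) -> float:
        """Bandwidth a flow of this class may still claim on the link."""
        free = self.capacity_mbps - self.used_mbps
        return free if business else free - self.business_reserve_mbps


@dataclass(frozen=True)
class Rule:
    name: str
    apps: frozenset                # application identifiers this rule matches
    groups: Optional[frozenset]    # user groups it applies to, None = any group
    transports: Tuple[str, ...]    # allowed transports, in order of preference
    max_latency_ms: float
    max_loss_pct: float
    business: bool                 # True: may consume the reserved headroom


@dataclass(frozen=True)
class Flow:
    user_group: str
    app: str
    mbps: float


# Ordered policy, first match wins.  All values are constructed for the example.
POLICY = (
    Rule("maintenance-critical", frozenset({"maint-app"}),
         frozenset({"mechanics", "pilots"}), ("mpls",), 80, 0.5, True),
    Rule("saas-business", frozenset({"o365", "salesforce"}),
         None, ("internet", "mpls"), 150, 1.0, True),
    Rule("streaming-best-effort", frozenset({"netflix", "youtube"}),
         None, ("internet",), 300, 3.0, False),
)
DEFAULT_RULE = Rule("default", frozenset(), None, ("internet", "mpls"), 250, 2.0, False)


def match_rule(policy, flow: Flow) -> Rule:
    for rule in policy:
        if flow.app in rule.apps and (rule.groups is None or flow.user_group in rule.groups):
            return rule
    return DEFAULT_RULE


def select_link(policy, links, flow: Flow) -> Tuple[str, Optional[str]]:
    """Return (matched rule name, chosen link name) and reserve the flow's bandwidth.
    If no allowed link meets the SLA the flow is *not* silently downgraded to a
    transport the rule forbids; the caller gets None and should raise an alarm."""
    rule = match_rule(policy, flow)
    for transport in rule.transports:
        candidates = [l for l in links
                      if l.transport == transport
                      and l.latency_ms <= rule.max_latency_ms
                      and l.loss_pct <= rule.max_loss_pct
                      and l.headroom(rule.business) >= flow.mbps]
        if candidates:
            link = min(candidates, key=lambda l: l.cost)
            link.used_mbps += flow.mbps
            return rule.name, link.name
    return rule.name, None


def sample_links():
    """Constructed branch uplinks: one MPLS circuit and two commodity links."""
    return [
        Link("mpls-dc", "mpls", latency_ms=40, loss_pct=0.1, cost=4.0, capacity_mbps=20),
        Link("broadband-1", "internet", latency_ms=25, loss_pct=0.3, cost=1.0,
             capacity_mbps=100, business_reserve_mbps=30),
        Link("lte-backup", "internet", latency_ms=90, loss_pct=1.5, cost=2.5,
             capacity_mbps=30, business_reserve_mbps=10),
    ]


if __name__ == "__main__":
    links = sample_links()
    print(select_link(POLICY, links, Flow("pilots", "netflix", 15)))      # streaming over broadband-1
    print(select_link(POLICY, links, Flow("mechanics", "maint-app", 5)))  # pinned to mpls-dc
```

Two design points are worth noting. Best-effort streaming can only consume what is left above the business reservation, so once the broadband link fills up the streaming flows spill to LTE and then get refused, while a business SaaS flow still finds headroom. And a flow whose only allowed transport fails its SLA gets no link rather than a quiet fallback onto the public Internet; that is the branch-side check that keeps a "route sensitive traffic over MPLS" policy from degrading silently.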

“The power of SD-WAN technology to implement sophisticated policies without really having to have a high-skill network engineer is a testament to the progress we’ve made in creating a simpler and better user experience,” said Maddison.

New Types of Security Needed in SD-WAN

The second challenge with SD-WAN is how to replace the security provided by the cybersecurity product stack in the central data center. Implementing that full stack in every branch office with conventional hardware would be prohibitively expensive. Maddison said Fortinet introduced ASIC hardware acceleration in its Secure SD-WAN devices so that a fully functional security stack can run at branch speeds. “Ninety percent of competing vendors can’t provide integrated security with SD-WAN,” said Maddison.

One alternative is to buy SD-WAN edge devices that include security capabilities. These devices add the capabilities of a next-generation firewall to an SD-WAN router. Fortinet offers such devices to fill this gap.

Another alternative is to run a similar stack in the cloud: a cloud-based security stack that provides the same level of protection. In this model, SD-WAN traffic is routed to a cloud-based gateway that applies the security stack and then forwards the traffic either to the central data center or to its destination on the Internet. The problem Maddison sees with this approach is that it adds a new, separate management console to your existing cybersecurity portfolio.

“The right way to secure a branch office depends on a lot of factors,” said Maddison. “We think that there are a huge number of situations where combining the SD-WAN routing capability and integrated security is going to be the right way to go. Our bet is that this market will be large for a long time, even as cloud solutions mature.”

Security-Driven Networking as a Solution

SD-WAN is an example of a broader concept Fortinet has created called security-driven networking that I believe could help save the Internet for the enterprise.

Security-driven networking is a paradigm that expands the ideas of SD-WAN to address some of the fundamental security challenges of the Internet.

Security-driven networking adds an abstraction layer to the network that allows businesses to make more focused and intelligent routing decisions beyond just making those choices based on cost or proximity. 

“We believe that networking and security should be integrated and combined,” said Maddison. “When you build networks, the networking team will make sure connectivity and availability are their first goals. People decide which applications need to be available for which users. Another layer goes on top of that which says we need to make sure it’s secure.”

Maddison said the Fortinet vision is to combine routing and security in a single device.

“Our security-driven networking means that you have one integrated device that does networking and security,” said Maddison. “But as you said, we also take advantage of the additional data. We can see who’s attaching, we can see the devices, we can apply policy end to end from the customer premise through the WAN into the cloud, into the data center. It’s a holistic concept instead of a layered concept of making sure you can connect applications securely to users.”

A security-driven networking device would be able to assess the risk level of a flow and route it for the best combination of performance and security. High-risk traffic, for example, could be routed away from dangerous parts of the Internet. As Maddison told me, “Within that wide area network, security-driven networking relies on a map of the risk levels of different transport mechanisms or ISPs or different connections. Once you have that information, you can prioritize business applications and steer traffic toward the WAN link that has the best security posture.”

Essentially, security-driven networking allows companies to make the public Internet safer for their own traffic. Fortinet’s security-driven networking services allow companies to identify which parts of a public network are dangerous, using ISP security rankings or applying encryption, and to funnel that information back to the SD-WAN controller. Security-driven networking empowers companies to operate on public networks with greater intelligence about security threats.
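The "map of risk levels" that Maddison describes can be made concrete as a per-link posture score that the controller consults before steering. What follows is an added, hypothetical model written for this article; it is not a Fortinet implementation and the signals, weights and tolerance thresholds are invented. It combines the three inputs the text mentions: an external ISP security ranking, whether the path is encrypted, and blocked-threat events fed back from the security stack. Traffic classes of different sensitivity tolerate different amounts of risk, so a link that starts to surface threats is first dropped for internal traffic and, if it keeps degrading, for public traffic too.

```python
"""Risk-aware WAN link selection: a hypothetical model of the 'risk map'
described above, added for illustration and not a Fortinet implementation.
Each link's posture combines an external ISP security rank, whether the path
is encrypted, and blocked-threat events fed back from the security stack."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Optional


@dataclass
class WanLink:
    name: str
    isp_rank: int               # 1 (best) .. 5 (worst); assumed external ISP ranking
    encrypted: bool             # True if the overlay tunnel on this link is encrypted
    cost: float                 # relative cost, lower is cheaper
    blocked: Deque[str] = field(default_factory=lambda: deque(maxlen=100))  # recent threat IDs

    def risk(self) -> float:
        """Posture score from 0.0 (safest) to 1.0 (riskiest); the weights are invented."""
        isp = 0.4 * (self.isp_rank - 1) / 4          # up to 0.4 from the ISP ranking
        crypto = 0.0 if self.encrypted else 0.4      # cleartext transport costs a flat 0.4
        feedback = min(len(self.blocked) / 20, 0.6)  # 12 blocked threats saturate at 0.6
        return min(1.0, isp + crypto + feedback)


# Maximum risk each traffic sensitivity class will tolerate (constructed values).
TOLERANCE = {"public": 0.9, "internal": 0.6, "restricted": 0.3}


def record_blocked(link: WanLink, threat_id: str) -> None:
    """Feedback from the security stack to the controller: a threat was blocked on this link."""
    link.blocked.append(threat_id)


def steer(links, sensitivity: str) -> Optional[str]:
    """Cheapest link whose posture is within tolerance, or None if no link qualifies.
    Ties on cost go to the link with the better posture."""
    limit = TOLERANCE[sensitivity]
    acceptable = [l for l in links if l.risk() <= limit]
    if not acceptable:
        return None
    return min(acceptable, key=lambda l: (l.cost, l.risk())).name


def sample_links():
    """Constructed WAN links: two encrypted ISP circuits and a cleartext LTE path."""
    return [
        WanLink("isp-a", isp_rank=1, encrypted=True, cost=1.0),
        WanLink("isp-b", isp_rank=5, encrypted=True, cost=0.5),
        WanLink("lte", isp_rank=2, encrypted=False, cost=2.0),
    ]


if __name__ == "__main__":
    links = sample_links()
    print({l.name: round(l.risk(), 2) for l in links})   # isp-a 0.0, isp-b 0.4, lte 0.5
    print(steer(links, "restricted"), steer(links, "internal"))  # isp-a, isp-b
    for i in range(6):
        record_blocked(links[1], f"ips-sig-{i}")          # the security stack blocks threats on isp-b
    print(steer(links, "internal"))                       # isp-b now too risky: isp-a
```

The feedback loop is the point: when the firewall behind a link keeps blocking attacks, the controller learns that the link is a dangerous part of the Internet and stops offering it to sensitive traffic, even though its latency and price have not changed. A production scheme would age events out over time and weight them by severity; this model only caps the window at the last 100 events.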

While the security-driven networking vision does not yet exist in practice, SD-WAN foreshadows some of its benefits and some of the thinking companies will have to do when designing and deploying networks constructed of smarter, more powerful components.

“It has taken a while, but now it is reasonable to think of a much smarter internet, one that has security in mind,” said Maddison. “It won’t be easy, but if we all keep working toward this vision, security-driven networking can come to life.”