Moving from legacy solutions to the modern WAN

A number of solutions exist for implementing a corporate wide area network (WAN). Commonly mentioned options include the use of multiprotocol label switching (MPLS) circuits and software-defined WAN (SD-WAN).

However, simply comparing SD-WAN vs MPLS is not enough when trying to implement a WAN that meets the needs of the modern enterprise. One reason for this is that neither of these technologies operates alone. By default, MPLS and SD-WAN only solve the networking issues associated with a WAN, ignoring security completely. Organizations must either layer on additional security solutions or select a secure SD-WAN product that integrates both networking and security functionality.

The other issue with comparing SD-WAN and MPLS when discussing WAN implementations is that, in reality, both of these are legacy technologies designed for networks that no longer exist. As the corporate WAN changes and evolves, modern WAN networking and security solutions are required to meet its needs.

The evolution of WAN networking and security

“Optimal” WAN networking and security is a moving target. As the corporate network – and how it is used on a daily basis – has changed over time, its networking and security needs have evolved as well. This has resulted in several generations of WAN solutions, each designed to improve on the previous and better meet the needs of the modern company.

MPLS, VPNs, and Perimeter-Based Security

MPLS is designed to provide reliable, high-performance network connectivity. Since these are important features for a number of applications within the modern enterprise, many companies have invested heavily in MPLS circuits. The problem with these circuits is that they don’t scale well and have a fixed geographic footprint. If an organization needs more bandwidth than current infrastructure supports or wishes to open up a new physical location, then additional circuits must be installed (which is very costly).

MPLS is also limited because it focuses only on networking functionality. Since MPLS circuits are not encrypted, many organizations have deployed virtual private networks (VPNs) on top of them. While VPNs are effective at securing network traffic between two points, this point-to-point focus brings its own scalability problems. As the number of users and sites grows, the number of VPN connections required to provide full connectivity grows exponentially.

MPLS and VPNs together are insufficient to secure a corporate WAN. Beyond traffic routing and confidentiality, organizations require the ability to inspect traffic for inbound malicious content and outbound data exfiltration. This requires additional security solutions, such as a next-generation firewall (NGFW) and secure web gateway (SWG) deployed at the network boundary.

(Secure) SD-WAN

Attempting to use legacy solutions such as MPLS, VPNs, and standalone perimeter-based security solutions creates an inefficient and complex network architecture. The lack of visibility into the corporate WAN impedes incident detection and response.

SD-WAN is designed to make reliable, high-performance network connectivity more cost effective. Unlike MPLS, SD-WAN derives its performance guarantees from the use of multiple transport media rather than dedicated circuits. This allows each type of application traffic to be routed over whichever transport best meets its particular needs.

Secure SD-WAN builds upon traditional SD-WAN by incorporating security functionality into the SD-WAN appliance. This eliminates the need to deploy, monitor, and maintain an array of standalone security appliances. An organization achieves greater network visibility and security through full integration of networking and security functionality and can reap the benefits of solutions optimized to work together.

Additionally, the full integration of network and security functionality within secure SD-WAN solutions enables these capabilities to be moved from the enterprise LAN to the network edge. Instead of forcing users to route all traffic through the corporate network for security inspection, traffic can be routed through the nearest security appliance and receive the same level of protection. This can dramatically improve the efficiency and performance of the corporate WAN since traffic between remote workers, cloud infrastructure, and/or remote sites no longer needs to detour through the primary enterprise LAN for security inspection.

Secure Access Service Edge

While SD-WAN can dramatically improve the efficiency and security of the corporate WAN, it still has its limitations. Namely, the benefits of SD-WAN are limited by the footprint of sites where the organization can deploy SD-WAN appliances. For remote workers or cloud infrastructure located far from an organization’s physical location, the need to pass through an SD-WAN appliance means that traffic may take a significant detour on its way to its destination.

Secure Access Service Edge (SASE) eliminates this issue by moving secure SD-WAN functionality to the cloud. Since cloud-based SASE points of presence (PoPs) can be deployed geographically near cloud-based infrastructure and remote users, the impact on network latency of routing traffic through a PoP is minimal. These cloud-based PoPs also have integrated security functionality (such as an NGFW and SWG), providing an organization with comprehensive network visibility and security inspection of business traffic.

Building the modern WAN

In the past, most employees and endpoints were located on-premises on corporate LANs. This made traditional approaches to WAN networking and security usable since their scalability constraints had minimal impact.

However, corporate WANs are rapidly evolving, and users and critical data storage and processing are moving off of the enterprise LANs. This evolution has driven the development of SD-WAN and, more recently, SASE to meet the needs of the modern enterprise.

As organizations’ networks continue to change, legacy approaches to implementing and securing WANs will become increasingly ineffective and inefficient. Making the transition to SASE early enables an organization to maximize the benefits of adopting a WAN solution designed for the modern enterprise.