Click here to learn more about Ofir Agasi.
Mobility, BYOD (Bring Your Own Device), Cloud-based services, SaaS applications, fast growing, sophisticated cyber-security threats – all are bringing massive changes to the organizational IT landscape. Software-Defined Wide Area Networks (SD-WANs) are subtly, but assuredly, essential to these shifts, reshaping not only how we think about networking, but also how we safeguard our digital assets, and IT in general. That is why a multidisciplinary team is so critical to effectively assessing and evaluating SD-WAN architecture solutions.
Dissolving Perimeters, Ineffective Backhauling and More
Today’s applications and hardware components are built to readily adapt to new requirements. However, there comes a point where “older” technologies simply can’t keep up with the pace and need to be augmented or replaced altogether. Networking is a case in point.
Where Does my Network End?
Traditional network perimeters, the virtual-physical boundary between private and public networks, used to be well-defined. Today, however, with users just as apt to be working outside the office as inside and resources shifting to the cloud, the borders between private and public networks are becoming blurred and less relevant, something we refer to as the “dissolving perimeter.”
The implications of this dissipation are far reaching, and include:
- Skyrocketing security risks: BYOD devices, direct Internet access (DIA) connections, and more, simultaneously enlarge the threat “surface” and provide for additional methods for penetrating and harming the organizational network.
- Incremental approach is costly and ineffective: Adding more network and security resources on a localized basis, such as adding appliances or implementing identical functionality, requires additional monitoring and management resources, not to mention increasing capital and operational costs.
Owing to the dissolving perimeter and other technical and cultural factors, networking, security, and mobility technologies are often deployed and operated independently of one another. Consequently, critical information is compartmentalized into “silos” behind systems and tools. These silos force IT to search for information across domains when solving problems. Such “treasure hunts” can be complex and time consuming, hindering an organization’s ability to resolve issues and to improve operational efficiencies, such as through automation.
The Long Backhaul
The conventional way in which remote offices send Internet traffic over the Internet is costly and wasteful. Typically, Internet-bound traffic must be first backhauled, or sent, across a costly MPLS (Multiprotocol Label Switching) connection to a central location with a secure Internet connection. Such an approach helps manage and secure legacy WANs without duplicating security resources. Today, however, backhauling is becoming untenable for several reasons:
- Cloud adoption has greatly amplified Internet traffic, increasing MPLS traffic loads and creating the opportunity for the Trombone Effect.
- The Trombone Effect, so called because of the shape of the traffic, describes how latency is added to a cloud or Internet session when a portal is out-of-path or far from an Internet destination. A Tokyo user who wants to browse a Tokyo-based site, for example, must first send traffic to the company’s Internet portal in San Francisco before the traffic can be sent on to Tokyo, forming the shape of a trombone.
- An imperfect network is the nature of the Internet. Routing is unpredictable and un-optimized. Moreover, Internet routing does not account for individual applications, such as voice and video, which are sensitive to Internet routing, but are treated the same as other traffic.
SD-WANs address these issues by creating an application-aware, secured overlay – the SD-WAN – across any kind of data service, including DIA, such as xDSL, cable, and 4G/LTE, as well as MPLS services. SD-WAN nodes in the offices connect, ideally to multiple data services, and gather low-level information about those connections. The nodes can then use this information to route traffic across the optimal network. Email replication, file transfers, and other bandwidth-intensive, latency-tolerant applications, for example, may be sent across an Internet path, while VoIP sessions, which are sensitive to jitter and packet loss, would be sent across MPLS (or an Internet path with low jitter and packet loss).
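The per-application path choice described above can be sketched as follows. This is an added example, not code from the article or from any SD-WAN product; the class limits, link names, cost values and measurements are constructed assumptions.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class PathStats:
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    cost: int        # relative cost, lower is cheaper (assumed metric)
    up: bool = True

# Assumed per-class limits; real deployments tune these per application.
SLA = {
    "voip": {"latency_ms": 150, "jitter_ms": 30, "loss_pct": 1.0},
    "bulk": {"latency_ms": 1000, "jitter_ms": 500, "loss_pct": 5.0},
}

# Constructed measurements for one branch node.
PATHS = [
    PathStats("mpls", 40, 3, 0.0, cost=10),
    PathStats("dia-cable", 35, 45, 2.5, cost=2),
    PathStats("lte", 80, 60, 1.5, cost=5),
]

def meets_sla(path, limits):
    return path.up and all(getattr(path, k) <= v for k, v in limits.items())

def select_path(app_class, paths):
    """Return the name of the path to use, or None if every link is down."""
    limits = SLA[app_class]
    eligible = [p for p in paths if meets_sla(p, limits)]
    if eligible:
        # Cheapest link that still meets the class limits; latency breaks ties.
        return min(eligible, key=lambda p: (p.cost, p.latency_ms)).name
    # Nothing meets the limits: degrade to the live link with least loss/jitter.
    live = [p for p in paths if p.up]
    if not live:
        return None
    return min(live, key=lambda p: (p.loss_pct, p.jitter_ms)).name

def with_change(paths, name, **changes):
    """Copy of paths with one link's measurements or state replaced."""
    return [replace(p, **changes) if p.name == name else p for p in paths]

if __name__ == "__main__":
    print("voip ->", select_path("voip", PATHS))
    print("bulk ->", select_path("bulk", PATHS))
    print("voip, MPLS down ->", select_path("voip", with_change(PATHS, "mpls", up=False)))
```

With these sample numbers VoIP stays on MPLS until an Internet link measures within the VoIP limits, and it degrades to the least lossy live link when MPLS is down.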
Rethinking the WAN – A Team Effort
Deploying an SD-WAN architecture gives companies a range of new networking options to help IT, as well as a slew of new risks to consider. As such, it’s important that SD-WANs be evaluated by an interdisciplinary team. This team should include line-of-business members, application team-leads, and networking, security and mobility representatives. Their goal: to understand how proposed networking architectures will address the legacy problems and impact IT disciplines and the business. Some of the issues they should consider include:
Quality of User Experience
We have already seen how legacy WANs, backhauling, and MPLS solutions cannot sufficiently address present network demands. By analyzing and knowing the location of applications and of mobile and fixed users, CIOs and their networking team can anticipate and address performance challenges with the SD-WAN.
IT departments need to allocate funds and resources to ensure differing levels of availability depending on the importance of applications and business locations. On the resource side, SD-WAN architectures offer various solutions for improving availability, each with its own cost-value tradeoff. These include hybrid designs working with DIA and existing MPLS services, and adding redundant DIA or 4G Internet connections. On the needs side, CIOs, CISOs and SD-WAN teams will need to determine where to deploy the selected resources, for example: Do branches require redundancy in security measures? For mobility, does IT need to assure ongoing VPN access to WAN resources?
SD-WANs offer greater flexibility and lower costs largely because they make use of DIA at branch offices, but opening every DIA to the Internet (instead of VPNing back to a central location) significantly expands the attack surface. The simple firewalls provided in some SD-WAN appliances do not sufficiently address these concerns. Additional security functions, such as malware prevention and next-generation firewalls (NGFWs), will be needed at every branch – a significant investment. These and other security topics need to be considered by the security specialists of the SD-WAN team.
By separating data services from applications, SD-WANs allow networking teams to respond quickly to changing business requirements. New offices can be brought up instantly using Zero Touch Provisioning (ZTP), which automatically configures components when they are plugged into the network. Increasing application bandwidth or adding more users is also made much simpler than with MPLS services.
WAN architectures impact management and operations differently. As opposed to MPLS services, SD-WANs require multiple suppliers, presenting a greater operational challenge and missing out on other single-supplier benefits (such as consolidated billing).
As we have seen, the network perimeter is dissolving. With more users working outside of the office and most traffic destined for the Internet, organizations need to evaluate the capacity of any WAN architecture to extend beyond its current borders. Can mobile users connect to the overlay (an SD-WAN’s network virtualization layer) and easily access enterprise applications? Policy configuration and distribution, performance, and security – how are these extended to mobile users and the cloud?
A New Kind of WAN
By taking a well-rounded view of the challenges stemming from the dissolved perimeter and other issues facing the world of networking, and by including a broad spectrum of employees in discussions, organizations are in a better position to evaluate and select SD-WAN architectures. A fresh approach to SD-WANs is most assuredly worth a closer look.