Reducing WAN OpEx with High SD-WAN Performance


As DX continuously redefines how businesses, employees, and consumers interact, bandwidth requirements continue to increase as operating expenses (OpEx) escalate. Keeping up with digital business requirements while keeping costs under control is the top priority for many organizations. Other top priorities include network flexibility, the ability to access and use business-critical applications and data, and wrapping the entire solution in flexible and adaptive security.

Many legacy branch solutions can simply no longer provide the level of functionality, performance, and security that today’s digital business environment requires. In response, many organizations have begun migrating away from traditional WAN (including expensive and rigid MPLS connectivity) and turning to SD-WAN.

Four critical components of SD-WAN performance

To ensure that the SD-WAN solution you select is able to meet the performance requirements of your branch users, here are four critical issues you need to consider:

  1. Automated WAN Efficiency. As organizations adopt low-cost WAN connectivity running across the public internet, they often run into issues with application performance—especially for bandwidth-hungry and latency-sensitive communications tools like VoIP and videoconferencing. Resolving this challenge, in part, requires selecting an SD-WAN solution capable of transforming legacy WAN edge infrastructures to provide enhanced application performance, a better user experience, and improved security.

WAN efficiency requires policies that understand and support application criticality, performance requirements, security policies, and other considerations. This begins with a solution capable of managing the critical routing challenges being introduced by flexible and dynamic SD-WAN connectivity, including:

  • Application awareness in order to prioritize application routing across available network bandwidth based on a specific application and user, including the ability to collect granular WAN path data to ensure optimal performance for business-critical traffic.
  • Automated multi-path intelligence selects the most efficient route for SaaS, VoIP, and other business-critical traffic to and from the branch office.
  • WAN Path Remediation, especially for Unified Communications applications, provides forward error correction (FEC) to overcome adverse WAN conditions such as poor or noisy links to enhance data reliability and deliver a better user experience.
  • Tunnel bandwidth aggregation supports applications that require greater bandwidth by combining two overlay tunnels and then applying per-packet load balancing and delivery to maximize network capacity.
  • Faster and more responsive overlay VPN capabilities enable a better overall WAN experience for branch users.

However, organizations also need a solution that can adequately address the intersection of security and SD-WAN to ensure that data is not only safe, but also being managed correctly. For example, it needs to provide fast and accurate application identification for encrypted traffic, otherwise it is not meeting fundamental SD-WAN requirements.

So, in addition to selecting an SD-WAN solution that provides critical traffic management and performance tools, it needs to include robust security solutions that can operate at today’s digital business speeds.

  2. Application Performance. Maintaining high-quality performance for communications applications without compromising on protection is especially important for branch offices that rely on collaborative interaction for productive operations. To ensure optimal application performance, SD-WAN solutions must be able to identify a broad range of applications and apply routing policies at a very granular level. Without these capabilities, business-critical SaaS and unified communication applications can slow, thereby impeding end-user productivity.

However, because the SD-WAN market is so new, and has been flooded with vendors offering a wide range of solutions, it can be difficult to separate the hype from reality. In these situations, third-party test labs may be your best friend. In their most recent 2018 SD-WAN Group Test Results, for example, NSS Labs measured the quality of experience (QoE) of VoIP and video application performance offered by different SD-WAN solutions, enabling organizations to compare apples to apples across multiple SD-WAN providers.

  3. Secure Remote Connectivity. Of course, one of the reasons why organizations originally chose MPLS connections for their branch offices was its inherent security. SD-WAN vendors address this need with virtual private networks (VPNs) to ensure a secure remote network connection through a protected “tunnel” laid over a less secure network transport connection (e.g., the public internet). Its use of public networks is another of the reasons for SD-WAN’s popularity, as there is no comparison between the cost-performance benefits and agility of internet-based VPNs against those of an MPLS connection.

However, like security, VPN connectivity should not be something treated as an afterthought. Truly effective SD-WAN solutions need to provide native management of remote VPN connectivity combined with advanced routing functionality. This allows organizations to maintain appropriate levels of security protection and inspection, ensure extended visibility and control across the entire VPN overlay, and include advanced routing and traffic management functionality to ensure that the best possible and most efficient pathways are identified and monitored.

Even more importantly, SD-WAN VPN also needs to be integrated into an organization’s larger connectivity strategy to ensure that protections and policies not only apply to data and applications passing through the SD-WAN environment but also across the entire distributed network. Maintaining a single, holistic connectivity strategy ensures that malicious users are unable to exploit gaps or differences between different connectivity policies and enforcement as data and workloads pass between and through networked environments.

For those organizations with a large number of remote locations, high-performance scale for virtual VPN overlay is another critical feature of a secure and effective SD-WAN solution. VPN overlays typically include multiple layers of network tunnels per branch. When multiplied across an organization with a large number of branches or remote locations, however, network performance can seriously degrade. Closely examining real VPN connectivity performance, therefore, is a fundamental requirement for any IT team scoping out a potential SD-WAN solution.

  4. High-Performance Security. Finally, after designing an optimal high-performance SD-WAN solution, the last thing anyone is willing to put up with is for security to become a performance bottleneck. End users dealing with a security solution that cannot keep up with performance requirements are certain to begin looking for ways to circumvent it. Security solutions need to operate at SD-WAN connectivity speeds, and they need to do it in an affordable form factor that can be deployed and run with a zero-touch model.

To meet this requirement, several things need to be taken into consideration:

  1. Security needs to be natively integrated directly into the SD-WAN solution. This allows for faster performance, simplified single-console management, and less IT overhead.
  2. SD-WAN security needs to be able to provide deep inspection of your encrypted VPN traffic at digital speeds. SSL and IPSec inspection is the Achilles’ heel of most security solutions. Devices operating at blazing speeds otherwise are brought to their knees when encountering encrypted traffic. Unfortunately, because of this very issue, many security vendors don’t even publish those numbers. Fortunately, many third-party test labs do, and this is an item you should pay close attention to.
  3. Secure SD-WAN needs to provide a full range of security protection. Your branch office is no different from any other element of your network, and it requires the same level of robust protection, including NGFW, IPS, web security, antimalware and antivirus, sandboxing, and more.
  4. Any Secure SD-WAN solution also needs to seamlessly integrate with the larger enterprise security framework to reduce one-off management overhead and ensure consistent security enforcement across the entire distributed network.

Realizing the benefits of SD-WAN

With exponential growth in SaaS, VoIP, and video applications expected over the next several years, SD-WAN can help distributed enterprises embrace the benefits of DX without bottlenecking network performance or impacting the productivity of end users.

Organizations need to implement an SD-WAN solution that allows them to rapidly adopt cloud applications while keeping security a top priority. This approach helps reduce OpEx costs while maintaining high-quality performance for business-critical applications such as VoIP, video, and VPN. And ideally, it is able to simplify the branch network infrastructure beyond just connectivity by combining networking and advanced security into a single, unified solution.



Copyright © 2019 IDG Communications, Inc.