Taking on the Secure SD-WAN Fight

Dec 02, 2021

As we’re all now well aware, traditional hardware-based approaches to directing network traffic, connecting employees and offices to the resources and applications they need, simply don’t cut it anymore. Backhauling traffic to a central data center is inefficient and costly, and it degrades the user experience when accessing cloud and SaaS resources. However, these centralized data centers are often where the full security stack resides, creating the uncomfortable debate of security versus performance. Work is an activity, not a place, and inconsistencies in network performance, visibility and security for users at home or in offices are challenges for our cyber and IT teams.

Why Secure SD-WAN is Important

While software-defined wide area network (SD-WAN) was a revolutionary way to replace the traditional, costly multiprotocol label switching (MPLS), those legacy SD-WAN solutions lack the security required when connecting users from remote locations and branch offices to corporate applications and data. Some SD-WAN solutions that are delivered as a service (SD-WANaaS) can extend the fabric to employees at home and to mobile devices. As seen in the diagram below, legacy SD-WAN gateways used across the organization’s connection points expand the organization's attack surface.

Illustrations of a Typical WAN Design

With legacy SD-WAN solutions, all of those vectors - endpoints and employees at home, on the road, at a branch office or in HQ - lack the necessary security controls, such as firewalls, zero trust, web gateways and cloud security, when connecting to corporate resources. To provide secure SD-WAN to their branches, organizations should consider the following.

Don’t Leave the Branch Behind

Visibility and security go hand in hand. If you can’t see something, how can you secure it? Next-generation SD-WAN takes an application-centric approach to traffic steering. Layer 7 visibility for network policy creation and traffic engineering is necessary for network teams to deliver SLAs for all apps, including cloud, SaaS and UCaaS. A next-generation SD-WAN can offer the Layer 7 visibility organizations need to adequately secure their branches and apps. Securing legacy SD-WAN internet traffic is possible by forwarding it to an upstream cloud-delivered security solution. However, this often winds up being an “all or nothing” approach of sending all internet-bound app traffic out of the SD-WAN forwarding interface. This is problematic when the security cloud is only capable of securing web traffic, because it then requires a security bypass for the non-web apps, and that bypass introduces brand new security risks.

A next-gen SD-WAN, like Prisma SD-WAN, uses app-based policies to intelligently send desired traffic (even private apps) to a security cloud for inspection, or direct-to-app. This ensures optimal performance and security. Integration with a true Layer 7 Security Service Edge (SSE), like Prisma Access, inspects any public or private application sent to it for threats and data loss. Prisma Access offers the most comprehensive security platform in the industry, providing best-in-class security from the cloud and protecting branch offices worldwide.
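To make the difference between the two steering models concrete, the following is an added example written for this article; it is not Prisma SD-WAN code, nor its policy language. It contrasts a legacy port-based forwarding rule (everything on TCP/80 and TCP/443 goes to a web-only security cloud, everything else is bypassed) with an application-based policy that sends every app, private apps included, to the security cloud unless it has been explicitly approved for a direct-to-app path. The flow records, application names and the policy table are constructed for illustration; the `app` field stands in for whatever Layer 7 application identification the SD-WAN provides.

```python
"""Application-aware traffic steering: legacy port-based forwarding vs. app-based policy.

Added illustrative example, not vendor code. All flows, app names and policy entries
below are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Iterable, List


class Path(Enum):
    SECURITY_CLOUD = "security-cloud"  # forwarded to the cloud-delivered security stack for inspection
    DIRECT_TO_APP = "direct-to-app"    # explicit per-app decision to go straight to the service
    BYPASS = "bypass"                  # leaves the SD-WAN uninspected with no per-app decision at all


@dataclass(frozen=True)
class Flow:
    app: str             # Layer 7 application identity (assumed to be supplied by app identification)
    proto: str           # "tcp" or "udp"
    dport: int           # destination port
    internet_bound: bool  # False for private apps reached over the SD-WAN fabric


def legacy_steer(flow: Flow) -> Path:
    """Legacy 'all or nothing' rule: a web-only security cloud receives internet-bound web ports;
    every other flow is bypassed because the cloud cannot inspect it."""
    if flow.internet_bound and flow.proto == "tcp" and flow.dport in (80, 443):
        return Path.SECURITY_CLOUD
    return Path.BYPASS


# Constructed app-based policy: only apps listed here may skip inspection, and each
# exception is a deliberate, named decision rather than a side effect of a port number.
APP_POLICY: Dict[str, Path] = {
    "zoom-meetings": Path.DIRECT_TO_APP,     # latency-sensitive UCaaS approved for a direct path
    "microsoft-teams": Path.DIRECT_TO_APP,
}


def app_steer(flow: Flow) -> Path:
    """Next-gen rule: steer on app identity; anything not explicitly approved, including
    private apps and apps on non-standard ports, is sent to the security cloud."""
    return APP_POLICY.get(flow.app, Path.SECURITY_CLOUD)


def steering_report(flows: Iterable[Flow], steer: Callable[[Flow], Path]) -> Dict[Path, List[str]]:
    """Group app names by the path a steering function assigns them, so the set of
    apps that leave the network uninspected is visible at a glance."""
    report: Dict[Path, List[str]] = {p: [] for p in Path}
    for flow in flows:
        report[steer(flow)].append(flow.app)
    return {p: sorted(apps) for p, apps in report.items()}


# Constructed sample flows from a branch.
SAMPLE_FLOWS = [
    Flow("salesforce", "tcp", 443, internet_bound=True),      # SaaS over HTTPS
    Flow("zoom-meetings", "udp", 8801, internet_bound=True),  # UCaaS media, non-web
    Flow("sftp-transfer", "tcp", 22, internet_bound=True),    # non-web app: bypassed by the legacy rule
    Flow("intranet-wiki", "tcp", 8080, internet_bound=True),  # web app on a non-standard port
    Flow("internal-erp", "tcp", 8443, internet_bound=False),  # private app across the fabric
]


if __name__ == "__main__":
    for name, steer in (("legacy port-based", legacy_steer), ("app-based", app_steer)):
        print(f"{name}:")
        for path, apps in steering_report(SAMPLE_FLOWS, steer).items():
            print(f"  {path.value:15} {', '.join(apps) or '-'}")
```

Running the block shows the gap the article describes: the legacy rule leaves SFTP, the wiki on port 8080 and the private ERP system uninspected without anyone having decided that, while the app-based policy produces no bypass at all and limits the uninspected set to the two UCaaS apps that were explicitly approved.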

A next-gen SD-WAN solution should also include advanced capabilities like machine learning (ML) and artificial intelligence (AI) to simplify network and security operations, and autonomous digital experience management (ADEM) to provide full visibility of the application delivery path. With ML and data science, network trouble tickets can be reduced by 99%, as proven in this case study. With artificial intelligence for IT operations (AIOps), event correlation and analysis combined with policy control can reduce and even eliminate repetitive, manual tasks for admins.

Autonomous digital experience management (ADEM) helps IT operations teams ensure a good user experience by providing full visibility of the application delivery path, scoring app performance based on real-user and synthetic monitoring, and instantly identifying the cause of a service disruption. Resolving issues quickly minimizes or prevents impact to all other users. Additionally, next-gen SD-WAN customers can reduce outages by 90% and improve the end-user experience by taking advantage of a 10x increase in bandwidth with an application-centric approach to traffic steering.

According to Gartner, by 2024, more than 70% of software-defined wide-area network (SD-WAN) customers will have implemented a secure access service edge (SASE) architecture, compared with 40% in 2021. SASE is the convergence of networking and security services into a single cloud-delivered solution. Organizations are turning to SASE to consolidate multiple point products, including zero trust network access (ZTNA), cloud secure web gateway (SWG), cloud access security broker (CASB), firewall as a service (FWaaS), and SD-WAN, into a single integrated service, reducing network and security complexity while increasing organizational agility.

SD-WAN, Say Hello to SASE

With SASE, organizations get secure SD-WAN, protecting all vectors, no matter where users are connecting from, as seen in the diagram below.

WAN Design Incorporating SASE

According to Gartner, by 2024, at least 60% of global SASE services will be offered integrated with an optimized internet backbone to ensure the performance of global internet WAN connectivity, up from less than 10% at year-end 2020. Only a few vendors can offer an integrated SASE solution. Palo Alto Networks is one of them, offering the industry’s most complete SASE solution, converging network security, SD-WAN and ADEM into a single cloud-delivered service.

Prisma Access offers the industry’s most complete cloud-delivered security platform that protects all application traffic so organizations can safely enable hybrid workforces. Prisma SD-WAN is the industry’s first next-generation SD-WAN solution that makes the secure cloud-delivered branch possible, delivering an ROI of up to 243%. Together they make Prisma SASE, which converges best-of-breed networking and security into a single solution purpose-built for agile, cloud-enabled organizations.

Gartner’s Best Security Practices for SD-WAN provides insight for security and risk management leaders as they look to secure their branch offices and remote users. Learn why Gartner analysts recognized Palo Alto Networks as one of only eight vendors that can deliver a single SASE solution. Read the full report with your complimentary copy today.


Gartner, Best Security Practices for SD-WAN, Bjarne Munch, Craig Lawson, 23 June 2021

Gartner, Magic Quadrant for WAN Edge Infrastructure, Jonathan Forest, Naresh Singh, 20 September 2021

Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner’s research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. GARTNER and MAGIC QUADRANT are registered trademarks and service marks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.
