SD-WAN Technology

SD-WAN Technology Overview

SD-WAN technology, built upon cloud principles, makes branch deployments easy and straightforward. SD-WAN delivered from the cloud encompasses multiple functions and capabilities that ease provisioning, deployment, and ongoing management and monitoring.


Hybrid WAN has very little operational intelligence. It simply directs traffic over the same route each time, only using a different path if the primary path is no longer available. But when SD-WAN manages the hybrid WAN, traffic is automatically manipulated and controlled to ensure the right traffic flows over the best connections and paths at all times. The control uses integrated business policies that automatically and proactively adjust traffic depending on changing network conditions, and based on application requirements. Multiple connections of any type are virtualized through a software overlay that leverages the entire aggregated bandwidth, and orchestrated with granular automated policies.


Secure SD-WAN identifies over 2800 specific applications and uses that knowledge to apply a range of network and security policies to the network connections. This includes mapping applications to particular WAN connections (e.g. core business applications to MPLS and consumer web traffic to broadband), prioritizing applications, and assigning application security policies and enforcement (e.g. blocking certain types of web content).


The Secure SD-WAN architecture is a software-based, cloud-native, multi-tenant, multi-service platform whose primary components include routing, SD-WAN and multi-layered security functions.

Secure SD-WAN enables organizations to migrate from legacy WANs, transforming them into software-defined branch networks with superior business agility, robust security and reliability, and lower TCO.


Secure SD-WAN is a software-based NFV solution with a broad set of deployment options. It can be deployed directly on bare metal x86 servers, white-box appliances, virtual machines (VMware ESXi, KVM) and containers. Customers can select the best infrastructure for their SD-WAN deployment at both the data center/PoP and branch offices, without being constrained by proprietary hardware. This results in significantly lower CapEx and design flexibility.


Secure SD-WAN is built with a VNF-based architecture that includes network and security functions that eliminate costly and complex single-function appliance sprawl. Customers benefit from zero-touch provisioning when deploying a full-featured set of network and security capabilities, all within a single branch appliance.


IT teams can decide where to run each layer of required security: either on-premises in branch offices, or centrally in the data center or co-location point-of-presence (PoP). For example, compute-intensive services such as malware sandboxing, intrusion prevention (IPS) and AV filtering can be run centrally, while key branch services like firewall and secure web gateway can be run locally, with the overall set of layered security services defined centrally with a simple policy template.


A key aspect of Secure SD-WAN’s software-defined security is the contextual intelligence and awareness of users, devices, sites, circuits and clouds. This enables robust and dynamic policies that support a multi-layered security posture. For example, IT can deploy contextual network and security policies for specific users and devices, like anti-virus and URL-filtering, when utilizing certain site-to-site or Internet links. The IT security team can even set unique security policies, differentiated services and security service-chains for guest access, corporate access and partner access networks at the branch. This enables the enterprise to meet business security and compliance policies – all with a single unified software platform.


When deploying SD-WAN through a network functions virtualization (NFV) model, capacity can dynamically scale up or down without replacing or adding proprietary hardware. For example, branch bandwidth can be doubled in minutes either automatically, or using commands from the central provisioning portal – with no truck roll or appliance swap-out. If a branch needs more capacity due to a network traffic spike, the SD-WAN can automatically scale up to meet the demand. When the network spike subsides, the SD-WAN will scale down as needed.


Multi-tenancy enables the partitioning of a single network to support multiple customers, departments and job functions, with each customer or user only able to see and manage their own tenant segment. Secure SD-WAN is a carrier-grade solution with full multi-tenancy at both the head-end and branch. Service providers operating SD-WAN managed services, and large enterprises operating different SD-WANs for separate business entities, can support up to 250 customers per single 1RU server running the Secure SD-WAN controller. Secure SD-WAN Director and Analytics are also fully multi-tenant. At the branch, a single Secure SD-WAN software instance can support multiple local tenants or business entities. The result is much lower infrastructure costs and more agile service delivery.


Cyberattacks and network breaches are on the rise as enterprise branch office attack surfaces increase. SD-WAN can reduce these attack surfaces by segmenting the network by class of traffic and based on responsibilities or job functions. However, this can only be implemented with an SD-WAN that has full network and security services within a single edge device or image. It also requires multi-tenancy capability across the entire enterprise network perimeter.


With NFV, service providers and large enterprises have the flexibility to decide where to deploy and run each layer of network or security functions: either on-premises in the branch office, or centrally in the enterprise data center or service provider point-of-presence (PoP). For example, compute-intensive services such as anti-virus and IPS can run centrally, while services that are key in the branch, like application identification, SD-WAN, routing and firewall, can run locally. In addition, Secure SD-WAN can integrate critical network services using service chain definitions for local and remote functions, depending on the business need.


A software-defined and NFV-based approach to SD-WAN simplifies provisioning of branch devices, and delivers network and security services from a single point of control. This avoids the need for technical personnel on-site to deploy and configure the solution. Instead, SD-WAN services can be deployed, bandwidth and service capacity increased, and additional functions added automatically, all without requiring any on-site presence, hardware refreshes or manual interaction. Additionally, if one or more branch sites require a unique set of network or security functions, each branch can be serviced individually and automatically from a single management portal, including role-based administration for flexible configuration and ongoing policy management.