SD-WAN vs Security
July 03, 2017 | By Michel Boulay @ FMlogistic

We are pleased to share with you all an interesting article contributed by Michel Boulay, who is an expert in networks, security and architecture, specialized in SD-WAN, and a teacher at several IT engineering schools.


Michel Boulay

Expert network engineer and architect at FMlogistic






Recently I combined my experience from ONUG, the SD-WAN Summit and my personal lab tests to point out the security implementations and risks of SD-WAN solutions. (I'll use some real examples and some random names, which are better than "manufacturer A" and "manufacturer B".) My goal is not to say whether a product is good or bad; I'm not in on the roadmaps or secret strategies, and I want to remain independent and credible ;)


Most SD-WAN players focus on site-to-site links (through MPLS or VPNs) or site-to-cloud (mainly AWS and Azure). This means that these devices will be exposed on the internet. Are they strong enough to protect themselves from botnets, script kiddies or other basic attacks? Most SD-WAN manufacturers don't care about it: they seek no security certification to prove that they are not a security flaw for our business.


Most pure SD-WAN products are very young (1-3 years) and will need time to pass a security certification. Are we ready to take the risk of replacing our firewalls with these kinds of products?


Of course a nice UI, automation, easy setup, zero touch, zero IT, etc. are good marketing arguments and are really amazing. There are wonderful products on the market, and they do the job for some use cases.


Take, for example, SteelConnect from Riverbed, which has a very simple, intuitive and nice UI to manage interconnections between your sites and some cloud players. SteelConnect is a great SD-WAN product; it works well and will answer many use cases today. What are the possible strategies for this type of product? If they develop their own security layer (a real job), it can take a long time. If they choose to integrate another product, let's say Check Point for this example, what will happen? Can I dream of a single management console to manage Riverbed SD-WAN and Check Point security? Difficult, and a crazy challenge to maintain compatibility when an OS upgrade is deployed. So, two different consoles to manage? Create all objects, networks and routing policies twice? Check logs on different products to troubleshoot issues? How do you inspect packets coming from the internet with the Check Point and also inspect packets coming from the LAN with the Check Point? Make a sandwich of VMs, Check Point-Riverbed-Check Point? And what about one or two DMZs for guests or clients on site? What will happen the day a big issue occurs? Riverbed support will say it's an issue with Check Point (auto-update?) and Check Point support will argue that they have no issue with their own products and it must be a Riverbed issue... A long ping-pong match that can be very expensive for our business. A real architecture and strategy challenge too. There is no easy solution.


Versa Networks has the best multi-link, multi-provider aggregation system that I have seen, with high-quality algorithms and many metrics for link QoS analysis. It's the only tested product where I did not lose a single ping when I cut one of the internet links. Of course it needs extra implementation time, as they use VXLAN through VPNs, so it's not as easy as some other products, but it works fine once installed. Nevertheless, the management system needs more maturity. I use this example to point out another security issue. In real SD-WAN, all devices need to talk to their controller, so the controllers are themselves a critical SPOF. Of course, we can put controllers in HA and synchronize their configurations and data. But what if? What happens if the controllers fail: DDoS attack, hacking, a major bug in the code, human error, licence expiry, certificate expiry? Then you'll instantly lose your whole WAN and your business will stop. This is a major risk of the SD-WAN pure players, and some of them have only SaaS controllers, which are more exposed to attacks than your company's own controllers... Another challenge to be addressed by product architects.


On the other side we have some pure security players that are beginning to implement SD-WAN. Forcepoint products are very powerful, feature-rich and work very well. It's not real SD-WAN yet, but it allows ISP aggregation, full-mesh links and path analysis (with fixed metrics only; you can't change them yet). And all of this with a top security suite (IPS, APT, DLP, SSL interception, etc.).


And then you have Fortinet, which has the opposite UI strategy to Riverbed: a crazy management console for maniacs, complex and confusing, but one that allows you to do nearly anything, with exceptions within exceptions to match all use cases. It's not SD-WAN, but it can be an opportunity for them in the future. NB: Fortinet just announced that they'll invest in SD-WAN R&D ;)


Then, what happens if your company has some autonomous zones? Imagine 600 sites spread across the world: Russia chooses to deploy VeloCloud, France decides to deploy Infovista (Ipanema), the USA deploys SteelConnect and Asia deploys Versa. How can we build an any-to-any network between different products that use their own standards and their own algorithms? Manufacturers will say: "Oh, but you can establish a basic IPsec tunnel between your regional HQs." Of course, but you'll lose the SD-WAN features, link aggregation, redundancy, visibility and QoS on links, and you'll overload your HQs (a new SPOF) with transit to other countries... And it will be a pain to set up and manage. So, in my mind, it would be great if all manufacturers worked a little together to define a standard that gives a minimum of compatibility between them, just as spanning tree, Ethernet or Wi-Fi can work across different manufacturers. For example, ONUG could be a good opportunity to work on this ;)


So we have, in the right corner, security players that are focusing on SD-WAN, and in the left corner, SD-WAN players that should focus on security. Who will be the winner?
