SD-WAN advantages compared to VPN


In the past year, COVID-19 has forced many companies to accelerate their digitalization process. Employees have had to perform their duties from remote locations (mainly from home) in places that, up until now, were outside the corporate perimeter.

This has posed a great many challenges because of the multiple types of lines and connections in use (xDSL, FTTH, 4G…). Being internet lines, these also fail to meet the business requirements that dedicated lines such as MPLS links satisfy.


Dedicated lines ensure privacy, security, and quality of service, whereas residential lines alone cannot guarantee stable communications for critical applications. In these cases, up until now, companies have relied on tools like VPN connections to allow certain mobility profiles (like Sales or Marketing) to connect securely to corporate resources, encrypting communications between the user’s device and the data center. However, these solutions were only for a few employees and limited to specific occasional situations, such as connections from hotels, trade fairs or public transport. Also, nowadays, users no longer only access applications housed at a central point; indeed, access to SaaS cloud applications and services has shot up because of the many advantages it has to offer. Hence, the situation prior to COVID-19 has changed radically, with the demand for these types of connections multiplying in the corporate context. And not just occasionally either; employees are expected to stay connected over the course of the entire workday and in any situation.

Traditional VPN solutions have therefore fallen a few steps behind newer solutions like SD-WAN network solutions, which offer many advantages for the connection of any company profile, ensuring the confidentiality and security of the connections, and providing the right quality of service for any application, both in the data center and in the cloud. We will now compare the two solutions with respect to four key areas:

Security – ensuring confidentiality and security

  • VPN Security

      • Configurations have to be performed manually for each remote connection, which can lead to failures due to human error and create security gaps when parameters are missing.
      • No advanced functionalities like those found in next-generation firewalls (NGFW): a VPN only encrypts the traffic it is configured to carry, regardless of its content.
      • Encryption is applied at the network or transport level (Layers 3 or 4), so policies cannot distinguish between different applications.
      • There is no separation when connecting remote networks to central networks. This can lead to malware or virus infections spreading uncontrollably and affecting multiple users who are not even on the network where the malware originated.
  • SD-WAN Security

      • A centralized portal generates configurations automatically, unifying criteria and policies and allowing templates to be easily replicated, thus avoiding each site having to be configured each time.
      • Offers advanced security functionalities such as IDS/IPS, antivirus, antimalware, antibot, application control, URL filtering, sandboxing, etc., and user authentication through LDAP (for applying custom policies).
      • Security and routing policies can be based on Layer 7 applications, allowing you to classify traffic and select trusted destinations (giving them different policies from untrusted traffic).
      • The process of dividing a network into logical subnets is called segmentation. It is based on partitioning the network into various domains or zones, so that traffic in one domain cannot reach destinations in other domains, thus ensuring data confidentiality and preventing malicious elements from spreading to other networks.
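The two security points above, zone-based segmentation and Layer 7 application policies, can be made concrete with a small policy evaluator. The following is an added example written for this article; it is not code from Teldat or from the CNM SD-WAN Suite. The zone prefixes, the rule table and the sample flows are constructed values, and the `app` label on each flow is assumed to come from an application-control (DPI) engine, which is not implemented here. `flat_policy` models the "no separation" behaviour the VPN bullets describe, `segmented_policy` models the zone model from the SD-WAN bullets.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Zones are the logical domains that segmentation creates. The prefixes are
# constructed sample values for this illustration, not any real site's plan.
ZONES = {
    "remote-users": [ip_network("10.10.0.0/16")],     # teleworker tunnels
    "corp-servers": [ip_network("10.20.0.0/24")],     # data-centre servers
    "guest":        [ip_network("192.168.50.0/24")],  # guest Wi-Fi at a branch
}

# Cross-zone allow list keyed by (source zone, destination zone, Layer 7 app).
# "*" matches any application. Any cross-zone flow not listed here is denied.
SEGMENTATION_RULES = {
    ("remote-users", "corp-servers", "https"),
    ("remote-users", "corp-servers", "dns"),
    ("guest", "untrusted", "*"),  # guests reach the internet, nothing internal
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    app: str  # Layer 7 label as an application-control engine would supply it (assumed)


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known prefixes is 'untrusted'."""
    addr = ip_address(ip)
    for name, prefixes in ZONES.items():
        if any(addr in p for p in prefixes):
            return name
    return "untrusted"


def flat_policy(flow: Flow) -> str:
    """Flat VPN-style reachability: once a host is 'inside', it can reach any
    other internal host. This is the behaviour that lets malware spread."""
    return "DENY" if zone_of(flow.src) == "untrusted" else "ALLOW"


def segmented_policy(flow: Flow) -> str:
    """Zone-based policy: same-zone traffic is allowed; cross-zone traffic only
    when an explicit (src_zone, dst_zone, app) rule exists."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == "untrusted" and dst_zone != "untrusted":
        return "DENY"  # unknown sources never initiate into an internal zone
    if src_zone == dst_zone:
        return "ALLOW"
    for rule_src, rule_dst, rule_app in SEGMENTATION_RULES:
        if (rule_src, rule_dst) == (src_zone, dst_zone) and rule_app in ("*", flow.app):
            return "ALLOW"
    return "DENY"


def evaluate(flows, policy):
    """Return a {flow: decision} map so a run can be inspected or asserted on."""
    return {f: policy(f) for f in flows}


# Constructed sample flows, including one from a guest host that is assumed
# to be infected and trying to reach a file share in the server zone.
SAMPLE_FLOWS = [
    Flow("10.10.4.7", "10.20.0.5", "https"),        # teleworker to intranet web
    Flow("10.10.4.7", "10.20.0.5", "smb"),          # teleworker to file share
    Flow("192.168.50.9", "10.20.0.5", "smb"),       # infected guest host to servers
    Flow("192.168.50.9", "203.0.113.10", "https"),  # guest browsing the internet
    Flow("10.20.0.5", "10.20.0.6", "smb"),          # server to server, same zone
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(f"{flow.src:>14} -> {flow.dst:<14} {flow.app:<6} "
              f"flat={flat_policy(flow):<5} segmented={segmented_policy(flow)}")
```

Running it shows the difference the article describes: under the flat policy the guest host reaches the server zone, while the segmented policy denies that flow and also blocks the teleworker's SMB access because only HTTPS and DNS are permitted into `corp-servers`. Same-zone server traffic is unaffected.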

Visibility – traffic and layers

  • VPN Visibility

      • Only delivers link-by-link visibility, and each link must be accessed individually.
      • No application-layer data is shown, only networks and IP addresses.
      • No SLA information is provided – you can only report whether a link is down or up, not the link quality.
      • The amount of traffic sent directly to SaaS applications cannot be viewed.
  • SD-WAN Visibility

      • Thanks to network analysis tools, it is possible to view detailed traffic data for each link and the total aggregate traffic. You can show traffic for each interface and ascertain whether the overlay or underlay is being used at any time.
      • Through enrichment layers, you can include Layer 7 data to classify categories and reference traffic to SaaS applications. You can also detect any access to websites classified as potentially dangerous, and determine whether a connection has been established or the security systems have done their job and blocked it.
      • All data is displayed in customized dashboards with key parameters for each client and scenario. Additionally, there is the option of setting alerts and alarms that notify the operations team.

Scalability – deployment, policies and networks

  • VPN Scalability

      • As mentioned earlier, configurations are performed manually for each remote site, requiring specialized personnel and a great deal of time and effort, which makes deploying new connections slow and complex.
      • Policies are static, site-by-site and network-by-network. Every place where a policy is applied must be modified whenever a change is made, making the process of generating new rules, adding new sites/devices, or routing traffic to new applications very tedious.
      • A hub-and-spoke architecture means that remote sites must always use the hub as a gateway. This can cause traffic delays and a bad user experience when sending time-sensitive traffic like voice or video.
  • SD-WAN Scalability

      • Site configurations are dynamic and can be easily replicated using graphical wizards, enabling a very small number of low- to medium-skilled personnel to manage the network.
      • All policies can be applied dynamically with the push of a button. Rules can be quickly and safely modified, created, or removed, and applied massively in minutes, saving time and unifying the network.
      • Zero-touch deployment (ZTP) means devices can be pre-configured and sent to remote sites where they only need to be connected to the network link and power supply. Remote users or employees at home can do this without having network knowledge, thus simplifying the creation of new sites.
      • You can either have a hub-and-spoke architecture or generate a mesh network, where traffic between offices is tunneled dynamically and safely in a fully automated way, thus avoiding communication delays. Once traffic between sites has finished, the tunnels are closed to free up resources, allowing the devices to regain their full performance capacity.

Costs – control and resources

  • VPN Costs

      • For all the reasons discussed thus far, VPN environments require a high degree of specialization and long deployment times, consuming a great deal of expensive resources.
      • Relying on a single link means that any outage on that link causes downtime, which can have significant monetary costs resulting from lost sales or critical applications that cannot run. Similarly, certain applications can suffer degraded communications performance because quality of service cannot be measured.
  • SD-WAN Costs

      • Again, as indicated above, generating configurations that are flexible and simple means fewer highly trained personnel and less time spent on maintenance tasks, which implies a marked reduction in infrastructure costs.
      • Since you can have multiple links, and monitor their status and quality, you can guarantee access to critical services or applications. Business-critical applications will always be up and running, generating sales.
      • By using multiple links and types of links and generating the overlay on them, you can look for different providers to get better prices for communications services.
      • The main model is OPEX, with flexible monthly rates based on consumption.
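The visibility point that a VPN reports only whether a link is up or down, and the cost point that an SD-WAN with several monitored links can keep critical applications running, both come down to per-link SLA measurement and path selection. The following is an added example written for this article; it is not Teldat code and does not describe how the CNM SD-WAN Suite selects paths. The probe samples are constructed, and the SLA thresholds for each application class are assumed values typical of the class rather than any product's defaults.

```python
from dataclasses import dataclass, field
from statistics import mean
from typing import List, Optional


@dataclass
class LinkStats:
    """Per-link measurements as a periodic probe process would collect them.
    An empty RTT window means no probe replies were received: the link is down."""
    name: str
    rtt_ms: List[float] = field(default_factory=list)  # recent probe round-trip times
    loss_pct: float = 0.0                               # probe loss over the window


# SLA thresholds per application class (assumed illustrative values).
SLA = {
    "voice":       {"latency": 150.0, "jitter": 30.0, "loss": 1.0},
    "best-effort": {"latency": 1000.0, "jitter": 1000.0, "loss": 10.0},
}


def jitter(samples: List[float]) -> float:
    """Mean absolute variation between consecutive RTT samples."""
    if len(samples) < 2:
        return 0.0
    return mean(abs(a - b) for a, b in zip(samples, samples[1:]))


def link_is_up(link: LinkStats) -> bool:
    return bool(link.rtt_ms)


def meets_sla(link: LinkStats, app_class: str) -> bool:
    """True when the link is up and every metric is within the class threshold."""
    sla = SLA[app_class]
    if not link_is_up(link):
        return False
    return (mean(link.rtt_ms) <= sla["latency"]
            and jitter(link.rtt_ms) <= sla["jitter"]
            and link.loss_pct <= sla["loss"])


def select_link(links: List[LinkStats], app_class: str,
                preferred: Optional[str] = None) -> Optional[str]:
    """Choose the link for app_class. Order of preference:
    1. the preferred (for example cheapest) link, if it meets the SLA;
    2. otherwise the SLA-compliant link with the lowest mean RTT;
    3. if no link is compliant, the least-lossy link that is still up (degraded);
    4. None when every link is down."""
    compliant = [l for l in links if meets_sla(l, app_class)]
    if compliant:
        if preferred and any(l.name == preferred for l in compliant):
            return preferred
        return min(compliant, key=lambda l: mean(l.rtt_ms)).name
    up = [l for l in links if link_is_up(l)]
    if not up:
        return None
    return min(up, key=lambda l: (l.loss_pct, mean(l.rtt_ms))).name


def single_link_outcome(link: LinkStats) -> str:
    """The VPN-over-one-line case: with a single underlay there is nothing to
    fail over to, so a down link is simply an outage."""
    return "up" if link_is_up(link) else "outage"


def with_link_down(links: List[LinkStats], name: str) -> List[LinkStats]:
    """Copy of the link set in which `name` receives no probe replies."""
    return [LinkStats(l.name, [] if l.name == name else list(l.rtt_ms), l.loss_pct)
            for l in links]


# Constructed probe windows for three underlays at one site.
LINKS = [
    LinkStats("fiber", [12.0, 13.0, 12.0, 14.0, 13.0], loss_pct=0.0),
    LinkStats("lte",   [45.0, 60.0, 90.0, 40.0, 120.0], loss_pct=0.5),  # bursty: high jitter
    LinkStats("dsl",   [30.0, 31.0, 30.0, 32.0, 31.0], loss_pct=2.5),   # stable but lossy
]

if __name__ == "__main__":
    for app_class in SLA:
        print(f"{app_class:<12} -> {select_link(LINKS, app_class, preferred='dsl')}")
    print("voice, fiber down ->", select_link(with_link_down(LINKS, 'fiber'), "voice"))
    print("single DSL line down ->", single_link_outcome(LinkStats("dsl")))
```

With these samples, voice goes over fiber even though DSL is the preferred (cheaper) link, because DSL exceeds the loss threshold and LTE exceeds the jitter threshold; best-effort traffic is happy to use DSL. If fiber fails, voice is steered to LTE as the least-degraded option instead of being dropped, which is the behaviour the single-link VPN case cannot offer.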

As we have seen, SD-WAN solutions offer countless advantages compared to traditional VPN solutions. These include greater flexibility, unified management and cost savings, greatly contributing to improving the quality of communications. Teldat’s CNM SD-WAN Suite is a fully equipped, competitive SD-WAN solution which offers all of the above-mentioned advantages and more.

Ignacio Esnoz


With a degree in Technical Telecommunications Engineering (specialized in Telematics). Cybersecurity product specialist at Teldat.
