What Qualifies as an SD-WAN Device
I would like to start by prefacing that this article is written from the perspective of Peplink SD-WAN. I am not trying to misrepresent any other SD-WAN solutions; however, I would assume that what follows applies to any SD-WAN solution. In my opinion, an SD-WAN device is defined by these characteristics.
- First, the device, either virtual or physical, must support more than one WAN source.
- Second, it needs to use all WAN sources simultaneously.
- Third, it must be able to use software to define (get it, “SD”) how those sources are used. For instance, being able to send HTTP traffic over WAN 1 and Voice traffic over WAN 2.
- Additionally, a good SD-WAN router should be able to load balance incoming traffic as well as outgoing traffic, and be able to bond all WAN sources between SD-WAN appliances.
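To make the "software-defined" part of the list concrete, here is a small model of outbound WAN selection (an added example, not Peplink's code or configuration): policy rules pin a traffic class to a preferred circuit, everything else is spread over all healthy WANs by weight, and a failed WAN is skipped automatically. The WAN names, weights, ports and rules are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from itertools import cycle

@dataclass
class Wan:
    name: str
    weight: int      # share of load-balanced sessions this circuit receives
    up: bool = True  # current health-check result

@dataclass
class Rule:
    match: dict      # flow fields that must all match, e.g. {"proto": "udp", "dport": 5060}
    wans: list       # preferred WAN names in priority order

class SdWanPolicy:
    def __init__(self, wans, rules):
        self.wans = {w.name: w for w in wans}
        self.rules = rules
        ring = [w.name for w in wans for _ in range(w.weight)]
        self.ring_len = len(ring)
        self.ring = cycle(ring)              # weighted round-robin order

    def select_wan(self, flow):
        # 1. Software-defined policy: the first matching rule picks the WAN
        for rule in self.rules:
            if all(flow.get(k) == v for k, v in rule.match.items()):
                healthy = [n for n in rule.wans if self.wans[n].up]
                if healthy:
                    return healthy[0]        # highest-priority WAN that is up
                break                        # rule's WANs all down: fall back to balancing
        # 2. Otherwise spread sessions over every healthy WAN by weight
        for _ in range(self.ring_len):
            cand = next(self.ring)
            if self.wans[cand].up:
                return cand
        return None                          # every circuit is down: nothing to route over

def distribute(policy, flows):
    # Count how many flows each WAN would carry (None = undeliverable)
    return Counter(policy.select_wan(f) for f in flows)

def build_demo_policy():
    # Constructed example: a fibre circuit takes 3x the balanced load of an LTE backup
    wans = [Wan("fiber", 3), Wan("lte", 1)]
    rules = [Rule({"proto": "udp", "dport": 5060}, ["lte", "fiber"]),   # voice prefers LTE
             Rule({"proto": "tcp", "dport": 80}, ["fiber"])]            # HTTP pinned to fibre
    return SdWanPolicy(wans, rules)
```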
Benefits of Multiple WANs and Bandwidth Bonding
The ability to have multiple WANs for incoming access improves security and reliability in several ways. First, it protects against carrier failure, ensuring continuity of services. Additionally, incoming VPN and SSL traffic can be distributed across all WANs, which increases service speed and reliability for external users. In terms of security, enabling L2TP VPN access for employees secures their path into the network by letting them encrypt their traffic on public networks. Peplink uses L2TP VPNs, which can be enabled on all devices for simplified connectivity for remote workers.
Multiple WANs help outbound security and reliability by distributing outgoing communications over all circuits. Further, you can use DNS services like WebTitan with Peplink’s built-in DNS proxy to prevent users from defining their own DNS provider and bypassing DNS-based security. Peplink routers also have subscription-free content blocking. When you combine that with a good default-deny policy on the firewall, you can reduce unwanted outgoing traffic. Additionally, using multiple WANs makes it more difficult for an attacker to listen to your traffic, as standard load-balanced sessions are split among all available WANs, reducing your attack surface. Adding bonding to your solution makes it even better.
Bonding increases reliability and security while reducing costs by encrypting all WANs, splitting traffic over those WANs, and centralizing your security architecture. If you previously thought a VPN was secure, imagine a VPN that splits the data over several WANs. Basically, only a small piece of each 256-bit AES encrypted packet flows through each WAN; that sounds secure to me. For added security, when setting up remote sites with Peplink SpeedFusion VPN, we set “deny all in / deny all out” as their default firewall rule. You might ask, “What about a next-gen firewall?” We can set up any firewall at your central site to be the default route for all internet-bound traffic. Now you have a single, easy-to-monitor point of entry and exit. By centralizing your firewall, either at a corporate headquarters or in the cloud, you can easily manage total security in your organization.
A Peplink SD-WAN Design
Security and reliability are accomplished by:
- Using Peplink routers with multiple WANs, which protects your business from WAN failures and adds multiple outbound and inbound paths.
- Adding bonding, which allows VPN traffic to be encrypted with 256-bit AES and distributes packets over all available WANs.
- Bonding for session persistence over all WANs for unbreakable communications.
- When combined with centralized security, bonding allows remote sites to enforce a deny-all-in and deny-all-out policy to minimize attack surface.
- Bonding with centralized security provides a single point of entry and exit, which is easier to monitor and secure with a single appliance.
Achieving Cost Reduction
You might ask, “How does any of this reduce costs?” Typically, a multisite company might implement technologies like MPLS or P2P Ethernet to achieve accessibility between sites. The issue with these solutions is that communication and reliability are limited to a single carrier, and that carrier is marking up the cost of the circuit steeply. For the same price as a 5 Mbps MPLS circuit, most companies can get a 30 Mbps commodity circuit. When you compare the cost of MPLS/leased/P2P connections to the cost of quality internet, the cost of quality internet is significantly less. Also, by opting for multiple internet connections, you gain carrier redundancy and more power to control your costs. Additionally, centralizing security leaves you with one next-gen appliance, one subscription, and a simplified network design. This allows for lower TCO and simplified management with increased reliability. You can see these savings through:
- Lowering individual circuit costs by replacing managed circuits with commonly available ones.
- Using Peplink SpeedFusion VPN to create and manage your own site-to-site WAN network.
- Replacing MPLS/P2P and IPsec, along with their expensive hardware and service fees.
- Eliminating expensive service contracts.
- Reducing management overhead.
- Taking ownership of your network, allowing you to leverage carrier discounts for lower costs and increased speeds as new options become available.
- Adding bonding with centralized security, which simplifies hardware and reduces the cost of expensive firewall subscriptions.