Home | Reports | Technical Documents | Tech-Blog | One-Shot Gallery | Korea ICT News | Korea Communication Market Data | List of Contributors | Become a Contributor |    
Section 5G 4G LTE C-RAN/Fronthaul Gigabit Internet IPTV/Video Streaming IoT SDN/NFV Wi-Fi KT SK Telecom LG U+ Network Protocol Samsung   Korean Vendors
Real World Private 5G Cases   4 Deployment Models On-Premise Cases 5G Core Control Plane Sharing Cases

5G Core Sharing Cases

Private 5G Deployment   • Private 5G Frequency Allocation Status in Korea  South Korean government's regulations on private 5G and KT's strategy for entering the market
Cases in Korea   Private 5G Operators |   SK Networks Service (SI) Sejong Telecom (Wire-line Carrier) KT MOS (Affiliate of KT) • Newgens (SI) • NAVER Cloud more >>  
    Enterprise DIY |   Korea Hydro & Nuclear Power (Power Plant) Korea Electric Power Corporation (Energy) • Republic of Korea Navy more >>
CHANNELS     HFR Private 5G Solution (my5G)       my5G Solution Components       my5G Key Features        my5G Resources        my5G News          
SD-WAN vs Security
July 03, 2017 | By Michel Boulay @ FMlogistic
Online viewer:
Comments (7)

We are pleased to share with you all an interesting article contributed by Michel Boulay who is expert in networks, security and architecture, specialized in SD-WAN and teacher in some IT engineer schools.


Michel Boulay

Expert network engineer and architect at FMlogistic



All Articles by Michel Boulay

  How to contribute your article to Netmanias.com !  
  List of Contributors  



Recently i mixed my experience of ONUG, SD-WAN summit and my personnal LABs tests to point security implementations and risks of SD-WAN solutions. (i'll take some real exemples and some random names that are better than "manufacturer A" and "manufacturer B"). My goal is not to say if a product is good or bad, i'm not in the roadmaps or secret strategy and i want to remain independant and credible ;)


Most of SD-WAN players focus on site-to-site links (through MPLS or VPNs) or site-to-cloud (mainly AWS and Azure). This means that this devices will be exposed on internet. Are they strong enough to protect themselves from botnets, scripts kiddies or some other basic attaks? Most of SD-WAN manufacturer don't care about it, they request no security certification to prove that they are not a security flow to our business.


Most of pure SD-WAN products are very young (1-3 years) and will need time to pass a security certification. Are we ready to take a risk to replace our firewalls by this kinds of products???


Of course nice UI, automation, easy setup, 0 touch, 0 IT, etc... are a good marketing arguments and are really amazing. There are wonderfull products on the market, they do the job for some usecases.


Take, for exemple, Steelconnect from Riverbed that have a very simple, intuitive and nice UI to manage interconnections between your sites and some cloud players. Steelconnect is a great SD-WAN product, it works great and it will answer to many uses cases today. What are the possible strategies for this type of product ? If they develop their own security layer (it's a real job) it can take long. If they choose to integrate another product, let's say Checkpoint for this exemple, what will happen? Can i dream of an unique management console to manage riverbed SD-WAN and checkpoint security? Difficult, and a crazy challange to maintain compatibility when an OS upgrade is deployed. So, 2 different consoles to manage? create all objects, networks, routing policies twice? check logs on differents products to troubleshoot issues? How to check packets comming from internet with the checkpoint and check the packets coming from the LAN with the checkpoint too? Make a sandwitch of VMs? checkpoint-riverbed-checkpoint ? And what about 1 or 2 DMZs for guests or clients on site? What will happen the day a big issue occurs? Riverbed support will tell that it's an issue with checkpoint (auto-update?) and Checkpoint support will argue that they have no issue on their own products and it must be a Riverbed issue... A long ping-pong match that can be very expensive for our business. A real architecture and strategy challange too. There is no easy solution.


Versa networks has the best multilink, multiprovider agregation system that i saw, with high quality algorithm and many metrics for link QoS analyse. It's the only tested product where i loss not a single ping when i cut one of the internet links. Of course it needs extra implementation time as they use VXLAN through VPNs, so it's not as easy as some other product but it works fine once installed. Nevertheless management system needs more maturity. I use this exemple to point another security issue. In real SD-WAN, all devices needs to discuss with their controler. So the controllers are themselves a critical SPOF. Of course, we can put some controllers in HA and synchronize their configurations and datas. But what if? What happens if controlers fail? DDoS attack, hacking, major bug in the code, human error, licence expire, certificate expire? Then you'll instantly loss your whole WAN and your business will be stopped. This is a major risk of SD-WAN pure player, and some of them has only SaaS controlers that are more exposed to attacks than your company controlers... Another challange to address by products architects.


On the other side we have some pure security players that begin to implement SD-WAN. Forcepoint products are very powerfull and featured and works very fine. It's not real SD-WAN yet but it allow ISP aggregation, full mesh links, path analysis (with fixed metrics only, you can't change them yet). And all of this with top security suite (IPS, APT, DLP, ssl interception, etc...)


And then you have fortinet, that has an oppisite UI strategy than riverbed : a crazy management console for maniacs, complex and confuse but that allow to do nearly anything with exceptions in exceptions to match all usecases. It's not SD-WAN but it can be an opportunity for them in the future. NB: fortinet just published that they'll invest in SD-WAN R&D ;)


Then, what happen if your company have some autonomy zones? Imagine 600 sites shared accross the world : Russia choose to deploy Velocloud, France decide to deploy Infovista (ipanema), USA deploy Steelconnect and Asia deploy Versa. How can we do an any to any network between different products that use their own standards and own algorythmes ? Manufacturers will say : "oh, but you can establish a basic IPSEC tunnel between your areas HQs". Of course, but you'll loss SD-WAN features, link aggregation, redondancy, visibility, QoS on links and you'll overload your HQs (new SPOF) for transit to other countries... And it will be a pain to setup and manage. So, in my mind, it should be great that all manufacturers works a little together to define a standard to have a minimum compatibility between them. As spanning-tree, ethernet or WiFi can work with different manufacturers. For exemple ONUG can be a good opportunity to work on this ;)


So we have, in right corner, security players that are focusing on SD-WAN, and in left corner SD-WAN players that should focus on security. Who will be the winner?

Yishay Yovel 2017-08-01 16:16:33

Why not SD-WAN and Security? Cato Networks solves exactly this challenge by converging SD-WAN and Network Security into a single cloud service with one management interface.  

Rahul (Arconic Innovations) via LinkedIn 2017-08-03 10:16:01

Following & Reading all articles, good one. 
Every time new and informative post.

Andy (First Communications) via LinkedIn 2017-08-03 10:18:13

I saw no mention of VeloCloud SD-WAN or mention of the integration of VeloCloud with Fortinet (though that wont be public for a little while). Why did you only review Versa Networks and Riverbed? (just curious) The largest area of question with SD-WAN vs MPLS is when security is of the highest concern. Traffic over the open internet requires a lot of "devils advocate" and a good security fabric. Good review and read! Thank you for posting this! 

Arnold (Klas Telecom) via LinkedIn 2017-08-03 11:04:35

Good read and food for thought on SD-WAN

Nic (NetFoundry) via LinkedIn 2017-08-03 15:57:38

Many options for many needs. Until the likes of Microsoft or Google drop everything they are doing, there will never be an all encompassing SDx solution. The answer is definitely in integration. Give me APIs and good documentation and I'll buy from the market what I need. Also, security is all about being the least tasty, fastest fish in the sea, and not necessarily the one that can simply disappear.

Alex (SecureSet Accelerator) via LinkedI 2017-08-04 10:22:17

SD-WAN isn't inherently opposed to security like the title suggests. In fact, solid SD-WAN implementations can increase security, visibility, control, and functionality

유창모 2017-08-04 11:13:06

that's why we focus on SECURE SDWAN because the market is neglecting this. SDWAN is more secure and with the right feature much more than just smart path control.

Thank you for visiting Netmanias! Please leave your comment if you have a question or suggestion.

[HFR Private 5G: my5G]


Details >>







Subscribe FREE >>

Currently, 55,000+ subscribed to Netmanias.

  • You can get Netmanias Newsletter

  • You can view all netmanias' contents

  • You can download all netmanias'

    contents in pdf file







View All (858)
4.5G (1) 5G (102) AI (8) AR (1) ARP (3) AT&T (1) Akamai (1) Authentication (5) BSS (1) Big Data (2) Billing (1) Blockchain (3) C-RAN/Fronthaul (18) CDN (4) CPRI (4) Carrier Ethernet (3) Charging (1) China (1) China Mobile (2) Cisco (1) Cloud (5) CoMP (6) Connected Car (4) DHCP (5) EDGE (1) Edge Computing (1) Ericsson (2) FTTH (6) GSLB (1) GiGAtopia (2) Gigabit Internet (19) Google (7) Google Global Cache (3) HLS (5) HSDPA (2) HTTP Adaptive Streaming (5) Handover (1) Huawei (1) IEEE 802.1 (1) IP Routing (7) IPTV (21) IoST (3) IoT (56) KT (43) Korea (20) Korea ICT Market (1) Korea ICT Service (13) Korea ICT Vendor (1) LG U+ (18) LSC (1) LTE (78) LTE-A (16) LTE-B (1) LTE-H (2) LTE-M (3) LTE-U (4) LoRa (7) MEC (4) MPLS (2) MPTCP (3) MWC 2015 (8) NB-IoT (6) Netflix (2) Network Protocol (21) Network Slice (1) Network Slicing (4) New Radio (9) Nokia (1) OSPF (2) OTT (3) PCRF (1) Platform (2) Private 5G (11) QoS (3) RCS (4) Railway (1) Roaming (1) SD-WAN (17) SDN/NFV (71) SIM (1) SK Broadband (2) SK Telecom (35) Samsung (5) Security (16) Self-Driving (1) Small Cell (2) Spectrum Sharing (2) Switching (6) TAU (2) UHD (5) VR (2) Video Streaming (12) VoLTE (8) VoWiFi (2) Wi-Fi (31) YouTube (6) blockchain (1) eICIC (1) eMBMS (1) iBeacon (1) security (1) telecoin (1) uCPE (2)
Password confirmation
Please enter your registered comment password.