User Experience/App Performance vs. Network Security | Enterprise SD-WAN Trade-Offs | Riverbed

Joshua Dobies

Is it possible to meet user expectations and maintain SD-WAN security?

One benefit of SD-WAN is that it makes it easy to steer certain traffic from remote sites toward your on-premises data centers and steer other traffic from remote sites directly to the Internet. Once selective traffic steering is made easy, there’s less of a reason to backhaul Internet-bound traffic from remote sites through your data center. Doing so only adds latency between users and their Internet-hosted apps and adds unnecessary traffic on your network. Instead, steer Internet-bound traffic directly from the branch to the Internet. Less latency. Less overall network traffic. Better performance. There’s a catch, however.


The problem is that steering traffic directly from the branch to the Internet comes at the cost of widening the perimeter you have to defend: every branch becomes its own Internet ingress and egress point. You’ve traded network security for app performance. In order to navigate this trade-off, let’s investigate the following:

  • What are the best ways to effectively protect the edges of my network without breaking the bank?
  • What if I have to continue backhauling Internet-bound traffic (e.g. due to regulatory compliance or corporate policy)?
  • Is there a way to overcome the negative effects of higher latency that may arise?

Protect the edges of your network without breaking the bank

A decision about which security solution(s) to use is a critical one for an IT department—and one which is rarely met with casual points of view. First of all, when considering network security services as part of an SD-WAN transformation, start by making sure your SD-WAN solution has you covered regardless of the path you choose. Namely…

  • Your SD-WAN solution should make it easy to service chain with third-party security services, AND
  • Your SD-WAN solution should offer a set of native security functions out of the box

Let’s double click on each of those statements to further explore why it’s important and what to look for in each.

Your SD-WAN security should make it easy to service chain with third-party security services


It’s important that your SD-WAN solution does not require you to abandon the use of security services from vendors that are already in use and trusted within your organization. It’s typical (and recommended) that an SD-WAN transformation project be done in collaboration with the IT security team. They’re a critical stakeholder. You want to offload Internet-bound traffic at the source—near the user. They see that as throwing a bomb into their traditional approach to security, which looks to limit the number of access points to the big bad Internet.

As a starting point, look for an SD-WAN solution that enables the network team to meet your security team’s requirements. Be mindful of the following:

Does the SD-WAN solution integrate with ANY other third-party security vendor products?

You’ll find that with basic SD-WAN solutions, as well as those offered by vendors who began their life as a network security vendor, there’s little choice about which security solutions integrate well with the SD-WAN functions. This is obviously the least desirable scenario.

Does the SD-WAN solution integrate with a specific but limited number of third-party security vendor products?

Obviously, this is better than nothing but only works well if the integration includes support for the security vendor required by your security team.

Does the SD-WAN solution provide third-party security service chaining in a one-box configuration?

As you evaluate different SD-WAN offerings this is what really separates the wheat from the chaff. Very few SD-WAN solutions provide one-box service chaining supporting the integration of virtual instances of third-party security services. This can make a big difference in both the capital and operational cost of managing the edge of your network. Multiply the number of boxes in each site by the total number of sites and the numbers can get really big, really fast.

Your SD-WAN security should offer native security functions out of the box

While it’s often wise and pragmatic to first focus on integration with third-party security functions (e.g. from a vendor your security team already knows and/or uses), there’s an opportunity to further reduce total costs by leveraging native security functions provided by your SD-WAN solution out of the box. Look for SD-WAN solutions that provide a complete set of capabilities to maximize your savings, including:

  • Next-Gen Firewall
  • Next-Gen IPS/IDS
  • Malware Protection
  • Antivirus Protection
  • Unified Threat Management

Deliver exceptional user experience for backhauled Internet traffic

While SD-WAN may unlock new opportunities to steer Internet-bound traffic from remote sites directly to the Internet, bypassing any backhaul to a centralized data center or hub, it’s unlikely this will happen all at once for all traffic types. It’s more likely that many sites will continue to backhaul for some time (e.g. those that haven’t yet migrated to SD-WAN). Even once a site has migrated to SD-WAN, it’s likely that certain Internet-bound traffic will continue to be backhauled. For example, a business application delivered via SaaS may be more trustworthy than recreational Internet traffic. In this case, it’s prudent to keep backhauling all Internet-bound traffic except for a specific whitelist of apps that are steered directly from the branch to the Internet.

Every site and/or app that leverages backhauling will continue to face higher latency vs. direct steering from the branch. And, if the backhauled traffic is traversing conventional circuits (e.g. MPLS), you may also face bandwidth constraints.

Your SD-WAN solution should overcome high latency and limited bandwidth for backhauled traffic

Most SD-WAN solutions use app-centric policies to determine when Internet-bound packets are steered directly from branch to the Internet or backhauled. But, once the packets are placed on the network, the user’s experience is entirely determined by circuit conditions of the chosen path.
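As an added example (not Riverbed’s code and not any vendor’s policy syntax), here is the app-centric steering logic described above, written in Python: an explicit allowlist of trusted SaaS apps is steered directly to the Internet, a compliance override forces selected apps to keep backhauling, and everything else defaults to backhaul so that unclassified traffic still traverses the central security stack. The app names, ports and sample flows are constructed for this example.

```python
"""Added example: default-backhaul steering policy for Internet-bound branch
traffic. Assumes the SD-WAN appliance has already classified each flow to an
app name; app names, ports and flows below are constructed, not real data."""
from dataclasses import dataclass
from enum import Enum


class Path(Enum):
    DIRECT = "direct-to-internet"
    BACKHAUL = "backhaul-via-datacenter"


@dataclass(frozen=True)
class Flow:
    app: str        # app label assigned by the appliance's classifier
    dst_port: int   # destination port seen on the wire


# Trusted SaaS apps allowed to bypass the data center (constructed list).
DIRECT_ALLOWLIST = frozenset({"office365", "salesforce", "zoom"})

# Apps that regulation or corporate policy requires to stay behind the
# central security stack, whatever else the allowlist says (constructed).
MUST_BACKHAUL = frozenset({"payroll-saas"})


def steer(flow: Flow) -> tuple[Path, str]:
    """Return the chosen path and the name of the rule that decided it.

    Precedence: compliance override > allowlist > default backhaul.
    The allowlist only applies to HTTPS on 443; traffic carrying an
    allowlisted label on an unexpected port is treated as unverified and
    backhauled, so a classifier mislabel cannot open a direct path."""
    if flow.app in MUST_BACKHAUL:
        return Path.BACKHAUL, "compliance-override"
    if flow.app in DIRECT_ALLOWLIST and flow.dst_port == 443:
        return Path.DIRECT, "saas-allowlist"
    return Path.BACKHAUL, "default-backhaul"


def steering_report(flows: list[Flow]) -> list[tuple[str, str, str]]:
    """Apply the policy to every flow: (app, path, deciding rule)."""
    return [(f.app, *(v.value if isinstance(v, Path) else v for v in steer(f)))
            for f in flows]


SAMPLE_FLOWS = [Flow("office365", 443), Flow("office365", 8443),
                Flow("payroll-saas", 443), Flow("unknown", 443),
                Flow("youtube", 443)]

if __name__ == "__main__":
    for app, path, rule in steering_report(SAMPLE_FLOWS):
        print(f"{app:14} -> {path:24} ({rule})")
```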

Look for an SD-WAN solution that offers WAN optimization and app acceleration services, especially for SaaS and cloud-hosted apps.

SD-WAN security and user experience should not be a trade-off

As you modernize your WAN, you will face trade-offs between network security and user experience / app performance. There’s no question about that. However, you can break through these trade-offs so long as your SD-WAN solution provides the right set of capabilities. Ensure your solution supports: (i) extensible service chaining, (ii) advanced native security functions and (iii) app acceleration for SaaS/cloud-based apps.


With those capabilities in hand, you’ll have the freedom to transform your WAN over time. You can maintain SD-WAN security requirements AND meet user expectations for fast and reliable app performance.


  • You can find an SD-WAN solution that provides all of the functions described in this blog post here.
  • This blog is part of a broader series on breaking through important trade-offs you’ll encounter while modernizing your network with SD-WAN.
  • Learn more about the differences between SD-WAN and WAN optimization.

This post was first published on the Riverbed Blog by Joshua Dobies.