Full replacement of existing branch office functionality: Modern branch routers provide a wide range of functionality, including QoS, IPsec VPNs, dynamic routing, NetFlow, SNMP, logging, access control lists, event management, and support for routing protocols like BGP and OSPF. The SD-WAN needs to be able to do all of that, and more.
Transport Independence: The SD-WAN should be able to leverage high-speed bandwidth across multiple transports, including MPLS, Internet, 3G/4G/LTE and 5G.
Path control: The ability to use multiple active paths for bandwidth efficiency, resiliency and failover is critical. The system needs to be able to dynamically steer traffic based on policies in response to changing network conditions, such as packet loss, latency, and jitter.
Application Optimization: The true benefit of SD-WAN is the ability to optimize application performance. The system must be able to recognize every application in the enterprise portfolio and actively monitor application performance as traffic moves across the WAN, including voice and video traffic as well as SaaS applications.
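The path-control and application-optimization requirements above come together in the steering decision: for each application class, pick the cheapest link whose measured loss, latency and jitter are inside that application's thresholds, and re-evaluate every probe interval. The following is an added example written for this article, not code from the original page or from any SD-WAN product; the link names, measurements, SLA thresholds and cost ordering are all constructed for illustration.

```python
"""Application-aware WAN path steering (added example; all values constructed)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class LinkStats:
    """One WAN transport with its latest probe measurements."""
    name: str
    transport: str        # e.g. "mpls", "internet", "lte"
    loss_pct: float       # packet loss over the last probe window
    latency_ms: float     # latency as measured by the probe
    jitter_ms: float
    cost: int             # relative cost; lower is preferred when the SLA is met


@dataclass
class AppSla:
    """Per-application-class thresholds the chosen path must satisfy."""
    app: str
    max_loss_pct: float
    max_latency_ms: float
    max_jitter_ms: float


def meets_sla(link: LinkStats, sla: AppSla) -> bool:
    """True when every measured metric is within the application's SLA."""
    return (link.loss_pct <= sla.max_loss_pct
            and link.latency_ms <= sla.max_latency_ms
            and link.jitter_ms <= sla.max_jitter_ms)


def select_path(links: List[LinkStats], sla: AppSla) -> str:
    """Cheapest SLA-compliant link. If no link complies, degrade to the link
    with the least loss (then lowest latency) rather than blackholing the app."""
    compliant = [l for l in links if meets_sla(l, sla)]
    if compliant:
        return min(compliant, key=lambda l: l.cost).name
    return min(links, key=lambda l: (l.loss_pct, l.latency_ms)).name


def steer(links: List[LinkStats], slas: List[AppSla]) -> Dict[str, str]:
    """Recompute the application -> link mapping from current measurements.
    Run this every probe interval so traffic moves as conditions change."""
    return {sla.app: select_path(links, sla) for sla in slas}


# Constructed sample: the Internet circuit is cheap but in a brownout
# (2.5% loss, 25 ms jitter); MPLS is clean but costly; LTE is a backup.
SAMPLE_LINKS = [
    LinkStats("mpls-1", "mpls", loss_pct=0.1, latency_ms=40, jitter_ms=3, cost=3),
    LinkStats("inet-1", "internet", loss_pct=2.5, latency_ms=35, jitter_ms=25, cost=1),
    LinkStats("lte-1", "lte", loss_pct=0.5, latency_ms=90, jitter_ms=40, cost=5),
]

# Constructed SLA classes: voice is strict, SaaS/web traffic is tolerant.
SAMPLE_SLAS = [
    AppSla("voice", max_loss_pct=1.0, max_latency_ms=150, max_jitter_ms=30),
    AppSla("saas-web", max_loss_pct=5.0, max_latency_ms=300, max_jitter_ms=100),
]

if __name__ == "__main__":
    for app, link in steer(SAMPLE_LINKS, SAMPLE_SLAS).items():
        print(f"{app:10s} -> {link}")
```

With the constructed measurements, voice is steered onto MPLS because the Internet link fails the loss threshold and LTE fails the jitter threshold, while SaaS traffic stays on the cheap Internet link. When the Internet circuit recovers, the next `steer()` call moves voice back to it automatically; the fallback branch in `select_path` is what keeps an application flowing when every link is degraded.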
Encryption: If you’re reducing reliance on VPN technology, the SD-WAN must be able to encrypt WAN traffic based on policy. In addition, automated key rotation is important so that encryption keys are swapped out on a regular basis.
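The practical detail behind "automated key rotation" is the overlap window: the sender switches to the new key immediately, but receivers must keep accepting the previous key id for a short grace period so in-flight packets are not dropped, and must reject it afterwards so an old key cannot be replayed. The key ring below is an added example, not code from the original article or any SD-WAN product; the `KeyRing` helper, the one-hour interval and the five-minute grace value are assumptions for illustration, and the packet cipher itself (IPsec or otherwise) is outside its scope.

```python
"""Key rotation with an acceptance window (added example; values constructed)."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class KeyRing:
    rotate_every_s: int           # how often a fresh data key is generated
    grace_s: int                  # how long peers may still use the previous key
    now: float                    # injected clock so rotation is testable
    current_kid: int = 0
    current_since: float = 0.0
    keys: Dict[int, bytes] = field(default_factory=dict)
    expires: Dict[int, float] = field(default_factory=dict)

    def __post_init__(self) -> None:
        self.current_since = self.now
        self.keys[self.current_kid] = secrets.token_bytes(32)

    def maybe_rotate(self, now: float) -> bool:
        """Called on a timer. Generates a new key once the interval has elapsed,
        keeps the old one receivable for grace_s, and purges anything older."""
        self.now = now
        rotated = False
        if now - self.current_since >= self.rotate_every_s:
            self.expires[self.current_kid] = now + self.grace_s
            self.current_kid += 1
            self.current_since = now
            self.keys[self.current_kid] = secrets.token_bytes(32)
            rotated = True
        for kid in [k for k, exp in self.expires.items() if now >= exp]:
            self.keys.pop(kid, None)
            self.expires.pop(kid, None)
        return rotated

    def key_for_send(self) -> Tuple[int, bytes]:
        """Always encrypt with the newest key; the key id travels in the packet."""
        return self.current_kid, self.keys[self.current_kid]

    def key_for_receive(self, kid: int, now: float) -> Optional[bytes]:
        """Accept the current key, or a previous key still inside its grace
        window; anything else is rejected so stale keys cannot be replayed."""
        if kid == self.current_kid:
            return self.keys[kid]
        exp = self.expires.get(kid)
        if exp is not None and now < exp:
            return self.keys.get(kid)
        return None


if __name__ == "__main__":
    ring = KeyRing(rotate_every_s=3600, grace_s=300, now=0)
    kid, _ = ring.key_for_send()
    ring.maybe_rotate(3600)                     # hour boundary: key 1 becomes current
    print("old key accepted during grace:", ring.key_for_receive(kid, 3700) is not None)
    print("old key rejected after grace:", ring.key_for_receive(kid, 3900) is None)
```

Two points to check in any SD-WAN product's rotation design map directly onto this code: the grace window must be long enough to cover clock skew and queued packets between sites, and the purge in `maybe_rotate` must actually run so old key material leaves memory rather than lingering indefinitely.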
Security: Since the SD-WAN topology now connects the branch office directly with the public Internet (rather than funneling traffic back to the central office), security must be distributed to each branch office site. Look for an integrated next-generation, application-aware firewall that offers anti-virus, anti-malware, URL/content filtering, data loss prevention, segmentation, IDS/IPS, and sandboxing.
Zero-touch deployment: With zero-touch deployment, an SD-WAN box can be sent out to a branch office and a non-technical person can simply connect it to power and the WAN links, and the device will phone home and configure itself.
Automation and Orchestration: Management of SD-WAN services should be automated, and the overlay software should be able to orchestrate monitoring, troubleshooting, reporting, and other functions across the entire WAN.
Microsegmentation: Opening up two-way traffic between the Internet and branch offices creates a potential security vulnerability: an attacker who compromises a branch office device can use it as a launching pad to attack data center resources. Microsegmentation lets the company contain such an intruder by limiting lateral movement between segments.
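Microsegmentation reduces in practice to a default-deny policy between named segments, with an explicit allowlist for the flows the business needs. The evaluator below is an added example, not code from the original article or any SD-WAN product; the segment names, CIDRs, rules and sample flows are constructed to show how a compromised device in one branch segment is kept away from the database tier even though the branch now has a direct Internet path.

```python
"""Segment-to-segment allowlist evaluator (added example; values constructed)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Segment:
    name: str
    cidr: str


@dataclass(frozen=True)
class Rule:
    rule_id: str
    src_segment: str
    dst_segment: str
    proto: str
    dst_port: int


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


# Constructed segments: two branch segments and two data-center tiers.
SEGMENTS = [
    Segment("branch-users", "10.10.0.0/24"),
    Segment("branch-iot", "10.10.1.0/24"),
    Segment("dc-app", "10.200.1.0/24"),
    Segment("dc-db", "10.200.2.0/24"),
]

# Constructed allowlist. Everything not listed is denied (default deny), so
# neither branch segment can reach the database tier directly; only the
# application tier may.
RULES = [
    Rule("R1", "branch-users", "dc-app", "tcp", 443),
    Rule("R2", "dc-app", "dc-db", "tcp", 5432),
]


def segment_of(ip: str, segments: List[Segment]) -> Optional[str]:
    """Map an address to its segment name, or None if it is in no segment."""
    addr = ip_address(ip)
    for seg in segments:
        if addr in ip_network(seg.cidr):
            return seg.name
    return None


def evaluate(flow: Flow, rules: List[Rule] = RULES,
             segments: List[Segment] = SEGMENTS) -> Tuple[bool, str]:
    """Return (allowed, reason). Hosts outside every defined segment are denied
    as well, so nothing gets implicit access by being unclassified."""
    src = segment_of(flow.src_ip, segments)
    dst = segment_of(flow.dst_ip, segments)
    if src is None or dst is None:
        return False, "unknown-segment"
    if src == dst:
        return True, "intra-segment"
    for rule in rules:
        if (rule.src_segment == src and rule.dst_segment == dst
                and rule.proto == flow.proto and rule.dst_port == flow.dst_port):
            return True, rule.rule_id
    return False, "default-deny"


def denied_flows(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Audit helper: the denied flows are the ones worth alerting on, since a
    branch host probing the database tier is exactly the lateral movement
    microsegmentation is meant to expose."""
    return [(f, reason) for f in flows for ok, reason in [evaluate(f)] if not ok]


if __name__ == "__main__":
    sample = [
        Flow("10.10.0.15", "10.200.1.10", "tcp", 443),    # user -> app: allowed
        Flow("10.10.1.7", "10.200.2.5", "tcp", 5432),     # IoT -> db: denied
        Flow("10.200.1.10", "10.200.2.5", "tcp", 5432),   # app -> db: allowed
    ]
    for flow, reason in denied_flows(sample):
        print("DENY", flow, reason)
```

The ordering of the checks matters: the unknown-segment test comes first so that an address the policy has never classified can never match an allow rule by accident, and the allowlist is consulted only after both ends have been placed in a segment.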
Service Chaining: Centralized models and de-centralized models each have their pros and cons. SD-WAN replaces the centralized MPLS model, but it does create a level of complexity because now the enterprise is managing so many distributed devices, each handling multiple functions. Service chaining is a middle ground technique that enables enterprises to re-route and aggregate traffic in order to reduce branch office clutter and improve efficiency. For example, a company could use the SD-WAN for routing and optimization, but send traffic to a cloud-based service provider who handles all of the security functionality before allowing traffic to hit the open Internet.
For many companies, implementing SD-WAN is part of a larger digital transformation initiative that moves application development functions, mission critical applications, storage, backups, disaster recovery, and data analytics to the cloud. SD-WAN is focused on giving branch office employees a way to access those cloud resources quickly, securely and efficiently. But the industry is moving toward a broader product category called SASE, or secure access service edge, which puts more functionality directly in the cloud and enables secure access from all endpoints, including home offices.
Another way to think of a SASE architecture is that it combines SD-WAN with cloud access security brokers (CASB), firewalls-as-a-service (FWaaS) and Zero Trust network access in a cloud-based service.