One of the most common questions network security architects and information security directors ask themselves when planning their WAN architecture is what technology it will be built on: will it be SD-WAN or MPLS? The question is important, since the decision to switch to SD-WAN has significant business implications. In short, the answer is: SD-WAN technology provides greater transparency, better availability, and increased performance, as well as giving you more leeway. That is why in the last few years we have seen an increase in interest in SD-WAN.
Another important aspect that drives the growth of this interest is the flexibility of this technology. MPLS switching, as a rule, creates more rigid, fixed connections that are harder to adapt to the dynamic interconnection now in demand when joining branches into one network. In addition, MPLS does not support things like application recognition or comprehensive bandwidth management for running latency-sensitive applications.
The conclusion seems to be obvious. However, not everything is so simple: the main difficulty is that most solutions based on SD-WAN do not provide the same level of security as MPLS. Essentially, MPLS allows you to create a secure tunnel on top of a network service provider’s secure network. We believe that a number of different aspects need to be taken into account when choosing an SD-WAN solution, but in order to implement a more effective strategy than is possible with MPLS, SD-WAN technologies must include integrated security, with both security and network functions coordinated through a single integrated management platform.
But before we go any further, let’s stop and first discuss when and under what conditions your organization should consider moving from MPLS to SD-WAN.
Advantages of SD-WAN over MPLS
To highlight the key advantages of SD-WAN over MPLS, it is enough to look at three parameters: cost, security and performance. In some cases these advantages are less clear-cut, and in certain situations they can even turn out to be shortcomings, but let us take things in order.
SD-WAN solutions can be more cost-effective than MPLS
In the past, many organizations connected remote branches and outlets to a single data center through a hub and used a WAN model that relied on separate MPLS connections. As a result, all data, workflows, and transactions, including access to cloud services or the Internet, had to be backhauled to the data center, where traffic was processed and redistributed. Compared to the SD-WAN solution, this approach was extremely inefficient from an economic point of view.
SD-WAN technology reduces costs by providing optimized multi-point connectivity using distributed private exchange points and traffic control, ensuring users have secure local access to the services they need – whether they are on the network or in the cloud – while providing direct access to the cloud and Internet resources.
Secure SD-WAN provides a higher level of security than MPLS solutions
At first glance, the undoubted advantage of MPLS is that this technology allows you to organize a secure and managed channel between branches and the data center on top of the communications provider’s own backbone network. Connections in a public network, without installing additional solutions, do not provide such a high level of protection.
But such a comparison would not be entirely correct. MPLS does not allow any analysis of the transmitted data. In an MPLS architecture such tasks are still assigned to the client. Even when traffic passes through an MPLS connection, that traffic must be inspected for malicious code or other vulnerabilities, which requires the deployment of a firewall and the addition of a number of security features on at least one of the nodes between which the connection is established.
But let’s be honest, many SD-WAN solutions also have similar problems. Most SD-WAN solutions offer only basic security features and require additional security solutions to be installed on top of the underlying infrastructure. And if an organization tries to add security features to its SD-WAN connections after the infrastructure is deployed, it is often more difficult than it originally hoped.
SD-WAN has higher performance than MPLS
In terms of performance, MPLS technology reliably guarantees a fixed level of bandwidth. While this may initially seem like an advantage, today’s traffic is highly unpredictable. As a result, organizations have to lease MPLS connections based on the worst-case load scenario, which means that most of the time expensive channels are not used, while in other cases, because of the ever-increasing amount of data generated by modern networks and devices, fixed MPLS connections can limit network performance.
Of course, some MPLS connections involve the use of a sliding scale, but even in this case, you will face limitations due to the fact that your infrastructure will not be able to analyze the nature of the transmitted traffic and dynamically make appropriate changes to the network.
The situation is compounded by the fact that, in addition to a certain bandwidth, some applications (for example, voice or video services) require a certain level of network latency and constantly monitor this parameter. When several different applications use the same network tunnel, priority should be given to traffic with stricter latency requirements. For this you need to be able to recognize traffic from different applications, shape that traffic, balance load, and configure priorities for different connections, which MPLS simply does not provide.
SD-WAN solutions are capable of recognizing applications and can adapt network bandwidth and adjust other services accordingly. This technology can initiate multiple parallel connections at once, provide accurate load balancing between them, and even add new connections if available bandwidth drops, so that latency-sensitive applications get the speed and bandwidth they need. This is why Fortinet’s Secure SD-WAN solution is based on the industry’s first dedicated SD-WAN processor, which is designed to provide even faster application management and supports more than 5,000 commonly used applications.
When can MPLS-based solutions be better than just an SD-WAN solution
However, there are several cases where an MPLS-based solution may be a better choice than a bare SD-WAN solution alone. For example, MPLS provides a clean and secure connection, which is especially important when transferring certain types of data, when running some special applications or when performing certain transactions, especially in cases where it is extremely important to ensure a high level of data integrity and prevent unauthorized access. However, since MPLS technology can be used in conjunction with any SD-WAN solution, this is not a dilemma. Critical transactions can still be made using MPLS connections.
Moreover, in some markets, particularly in the US, MPLS-based connections can be very expensive. Therefore, in these regions, replacing MPLS with connections on top of a public Internet network can be a fairly cost-effective solution. However, even in cases where MPLS connections are not as expensive, or where security and reliability concerns are far more important than cost differences, SD-WAN can still be deployed on top of MPLS connections to provide more protection and functionality than is possible with a single MPLS solution. This is possible because SD-WAN provides greater flexibility, more complete and accurate traffic control, integrated security features, and the ability to use different connection strategies simultaneously (MPLS, public Internet, IPSec, SSL, etc.), all on the same SD-WAN infrastructure.
Secure SD-WAN wins over MPLS in almost any scenario
Fortinet practice shows that the benefits of an SD-WAN solution outweigh those of a single MPLS solution. This is because today’s traffic, which includes traffic from modern web applications and complex workflows, requires a more flexible and dynamic network infrastructure than traditional static MPLS-based connections can provide.
But traditional SD-WAN solutions are inferior when it comes to security. On the other hand, the Secure SD-WAN solution not only provides an additional layer of management and flexible connectivity for remote branch offices that are not available in MPLS, but also offers deep, well-integrated protection. All this reduces management costs and extends control and management capabilities through a centralized IT infrastructure management console or SOC solutions that can be used in the most remote periphery of a distributed WAN network.
Thus, only you have enough information to decide which infrastructure, SD-WAN-based or MPLS-based, will best suit your needs.