The development of software-defined wide area networking (SD-WAN) has given enterprise administrators flexibility akin to virtualization to manage distributed networks and users globally.
Wide area networks have come a long way over the decades, and the introduction of cloud, edge, and virtual workloads only adds to the complexity of managing modern networks. As organizations embrace hybrid IT environments, SD-WAN and security tools combine to form a Secure Access Service Edge (SASE) offering that gives organizations the latest capabilities for optimizing WANs and securing hybrid enterprise workloads.
The emergence of SD-WAN and SASE technologies bundled together has led many vendors to address both advanced routing and network security for clients. Networking specialists like Cisco and HPE’s Aruba are moving deeper into security. Meanwhile, network security vendors like Fortinet and Palo Alto Networks are extending their networking capabilities.
This article looks at the top SD-WAN vendors for enterprise security and how each is addressing exposure through built-in security functionality or integrated capabilities.
- Top SD-WAN Solutions for Enterprise Cybersecurity
- Honorable Mention Secure SD-WAN Solutions
- What is an SD-WAN Solution?
- SD-WAN Solution Features
- How Does SD-WAN Work?
- SD-WAN vs SASE
- How to Choose a Secure SD-WAN Solution
Top SD-WAN Solutions for Enterprise Cybersecurity
Launched in 2002 and specializing in wireless networking, Aruba Networks’ success led to its acquisition by Hewlett-Packard in 2015. Already a leading SD-WAN pick, the HPE subsidiary boosted its market position with acquisitions of security vendor Cape Networks in 2018 and WAN specialist Silver Peak Systems in 2020.
The Aruba EdgeConnect Enterprise SD-WAN platform addresses several common problems for enterprise organizations, including WAN optimization, multi-cloud management, cloud application performance, and edge-to-cloud security. Critically, EdgeConnect Enterprise comes with firewall, segmentation, and application control capabilities. With Aruba, clients can also bundle SD-WAN coverage with the company’s security solutions for virtual private network (VPN), network access control (NAC), and unified threat management (UTM).
Features: Aruba EdgeConnect Enterprise SD-WAN
- Designed for zero trust and SASE security frameworks
- Identity-based intrusion detection and prevention (IDPS) and access control
- Automated integrations with leading cloud-hosted security vendors
- Integrated threat defense for DDoS, phishing, and ransomware attacks
- Insights into client devices with AI-based discovery and profiling techniques
The first traditional cybersecurity vendor featured is Barracuda Networks, with consistent recognition for its email security, next-generation firewalls (NGFW), web application security, and backups. The vendor’s Secure SD-WAN product sits under Barracuda’s Network Protection solutions alongside zero trust access, industrial security for OT and IoT networks, and SASE.
The Barracuda CloudGen Firewall and Secure SD-WAN provide the expected benefits of software-defined networking with the vendor’s enterprise security capabilities. The CloudGen WAN is a global SASE service built on Azure; meanwhile, the CloudGen Firewall offers an advanced firewall for today’s hybrid workloads.
Features: Barracuda CloudGen Firewall and Secure SD-WAN
- Threat protection with malware scanning for web content, email, and file transfers
- Azure AD for two-factor authentication and directory services
- Intrusion prevention system for real-time network exposure management
- URL filtering for blocking malicious applications and web content from network resources
- Manage access control, privilege escalations, XSS attacks, and SQL injections
The youngest secure SD-WAN pick is SASE technology vendor Cato Networks. In 2015, the co-founders behind Check Point, Imperva, and Incapsula started one of the hottest cybersecurity startups in recent years. The cloud-based company’s more extensive portfolio includes security as a service (SECaaS), secure remote access, and cloud infrastructure management to round out its SASE approach.
Administrators can deploy, configure, and monitor a range of network controls and traffic from the Cato Edge SD-WAN portal. Cato’s edge models include zero-touch deployment for instant operational status when connected to power and an IP address. With Cato’s cloud-based enterprise security solutions, clients can also stay in-house for firewall-as-a-service (FWaaS), cloud access security broker (CASB), secure web gateway (SWG), managed detection and response (MDR), and more.
Features: Cato Edge SD-WAN and SASE
- Deep packet inspection (DPI) engine with robust third-party library and ML algorithms
- Identity-aware network rules with policy-based routing and dynamic path selection
- Packet loss mitigation to guard against remote desktop and VoIP attacks
- Primary and secondary sockets via VRRP for seamless switching and high availability
- Advanced hunting of network and security events with Cato-hosted data warehouse
Networking and IT giant Cisco is an undisputed leader in the secure SD-WAN solution space. Alongside its over 200 acquisitions in four decades, Cisco acquired SD-WAN market innovator Viptela in 2017 to cement its commitment to internet-based networking solutions. Cisco, like other vendors, recognizes securing SD-WAN means moving towards SASE for clients.
Cisco SD-WAN solutions are available as a subscription or on-premises SD-WAN routers. Through the company’s cloud security solution – Cisco Umbrella, formerly OpenDNS – clients can add coverage for FWaaS, CASB, and SWG capabilities. Administrators can quickly connect and establish an SD-WAN overlay fabric with the Cisco vManage console.
Features: Cisco SD-WAN
- Built-in edge security, including encryption, URL filtering, and malware protection
- Cloud-agnostic branch connectivity, SaaS optimization, and IaaS integrations
- Application-aware enterprise NGFW, Snort IPS, and malware sandboxing
- Microsegmentation and identity-based policy management
- Self-healing firmware to prevent exploitation of vulnerabilities
Veteran cybersecurity vendor Fortinet is an SD-WAN leader building off its existing network security portfolio to enable clients’ wide area networks. The Fortinet Secure SD-WAN solution contains many features to address hybrid deployment, routing, security, redundancy, and orchestration. The network security innovator’s NGFW, FortiGate, comes with FortiGuard threat intelligence at the center of it all.
Using an ASIC-accelerated platform, administrators can manage advanced routing, NGFW management, and application prioritization from Fortinet’s unified solution for SD-WAN. Fortinet’s range of product specifications is impressive, with solutions for private and public cloud, hub, and branch appliances for home offices, small and medium businesses, and enterprise organizations.
Features: Fortinet Secure SD-WAN
- Micro, macro, single task VDOM, and multi-VDOM segmentation options
- Anti-virus, web filtering, SSL inspection, and app control for web security
- Site-to-site dynamic VPN tunnels with a range of encryption algorithm support
- Forward error correction (FEC) for packet loss compensation and duplication
- RESTful API for zero touch provisioning, configuration, reporting, and integrations
Launched in 1996, Juniper Networks covers the gamut of networking hardware, but with the acquisition of NetScreen Technologies in 2004, the vendor also has almost two decades in the cybersecurity space. Juniper’s security portfolio includes firewalls and advanced threat protection (ATP). ATP has an extensive list of enterprise features, including threat intelligence, risk profiling, network access control, and malware sandboxing.
Through Juniper’s Session Smart Routers (SSR), clients get an SD-WAN powered by AI to manage routing and network security. Juniper’s FWaaS comes with the company’s Secure Edge solution and includes anti-malware, web filtering, and intrusion prevention systems (IPS). Administrators can also automate the design, deployment, and management of networks spanning hybrid IT environments with Juniper’s SDN solutions.
Features: Juniper Session Smart Routers and SASE
- Tenant-based security architecture for behavioral awareness in management
- Designed to meet Forrester and NIST’s zero trust principles
- Support for AES-256 encryption and HMAC-SHA-256 authentication
- Compliant with PCI DSS, ICSA, and FIPS 140-2
- Context-specific access control list (ACL) for authenticating users
Open Systems has over three decades of experience in the cybersecurity space and specializes in MDR, cloud security, and integrations for Microsoft security services. The award-winning channel partner helps clients assess and enable Microsoft security infrastructure through cloud or managed service offerings.
Hailing from Zürich, Switzerland, Open Systems’ SD-WAN sits alongside the vendor’s complete SASE bundle, including network detection and response (NDR), cloud sandboxes, CASB, SWG, and ZTNA. All three of the cybersecurity vendor’s SASE service plans come with asset lifecycle management, architecture design and consulting, and SD-WAN, with the option to add a list of other tools.
Features: Open Systems Secure SD-WAN and SASE
- DNS filter for end-to-end web traffic protection, scanning, and authentication
- Application monitoring to act on network traffic usage and control bandwidth
- Automatic site-to-site encryption for all traffic and advanced routing
- SASE Atlas tool monitors and analyzes the real-time health of network connections
- Hybrid packet inspection for fast, efficient application matching for visibility
Palo Alto Networks
Founded in 2005, Palo Alto Networks is a leading network security provider whose reputation extends to its SD-WAN capabilities. The enterprise vendor’s solutions cover security operations, threat intelligence, zero trust networks, cloud security, and SASE.
Palo Alto Networks makes the list for its Prisma Access and SD-WAN solutions, bundled together to give administrators optimized networking and security capabilities for enterprise hybrid networks. Prisma Access provides SASE technologies, including SWG, CASB, FWaaS, and autonomous digital experience management (ADEM). Notable integrations for Prisma SD-WAN include AWS, Azure, Google Cloud Platform, Microsoft Teams, and ServiceNow.
Features: Palo Alto Networks Prisma Access and SD-WAN
- Cloud-based firewall offering URL filtering, sandboxing, and threat prevention
- Zero trust principles like continuous trust verification and least-privileged access
- Machine learning and static analysis to guard against web-based threats
- Analyze inline and API-based controls and contextual policies for SaaS apps
- Okyo Enterprise Edition for securing work-from-home employees
Ten years after its launch, Versa Networks is a leader in SD-WAN technology as part of the vendor’s approach to SASE. Versa offers everything – endpoints, appliances, cloud gateways, and controllers – allowing enterprise organizations to deploy networks across on-premises, cloud, and hybrid IT environments.
Versa’s list of SASE capabilities includes zero trust network access (ZTNA), CASB, FWaaS, remote browser isolation (RBI), and real-time analytics. With the boom in IoT devices and work-from-home connections, the Versa SASE solution builds security policies on identity, context, and communication sessions rather than the traditional, physical edge.
Features: Versa SASE
- Deep packet inspection (DPI) engine recognizes over 3,600 applications automatically
- DNS Proxy with SD-WAN traffic steering, MP-BGP route exchange, and stateful HA
- Packet loss reduction via link avoidance, packet replication, and FEC
- Ongoing analysis and risk assessment of communication sessions
- Overlay encryption encapsulation options for VXLAN or MPLS/GRE and dynamic IPsec
The virtualization pioneer VMware continues to solidify its position as an enterprise IT infrastructure provider and a leader in the budding SD-WAN space. Within the vendor’s cloud and edge infrastructure solutions, organizations can evaluate VMware’s products for merging wide area networking, security, and processing from a central cloud console.
The VMware SD-WAN solution bundles the company’s network server gateways, enterprise edge appliances, and the SD-WAN Orchestrator to enable enterprise-wide management. VMware’s approach to SASE gives clients access to ZTNA, SWG, and CASB security tools. Administrators can also deploy virtual network functions (VNF) as VMs for typical network roles with VMware.
Features: VMware SD-WAN and SASE
- Pre-defined or customizable policies for business network application prioritization
- Data loss prevention (DLP) and remote browser isolation (RBI) for web security
- Compliant and certification ready for PCI DSS 3.2
- Identity, location, and context-based approach for granting authorization
- AI and ML-based analytics and automation for engaging with network intelligence
Honorable Mention Secure SD-WAN Solutions
What is an SD-WAN Solution?
A software-defined wide-area network (SD-WAN) is the latest networking architecture to manage and optimize enterprise offices and networks across hybrid IT environments from a central cloud console.
Unlike legacy WANs, which backhauled all traffic through a core network or data center, SD-WAN allows administrators to connect on-premises devices to SaaS applications and improve performance for local users. By separating the data and control plane, SD-WAN gives organizations more flexibility to optimize WANs and secure cloud, edge, and IoT networks.
Other foundational SD-WAN characteristics include support for dynamic path selection, multiple connection types (MPLS, Fiber, 4G LTE, and 5G), and third-party security integrations through a central interface.
SD-WAN Solution Features
- Central console offering configuration management over SD-WAN architecture
- IPsec and VPN for authentication and encryption of web packets
- Application awareness to track and control pertinent traffic and bandwidth
- Web traffic protection, including SSL inspections and URL filtering
- Aggregate connectivity for load balancing and reducing downtime
- Edge caching to optimize application performance
- Threat protection with standard anti-virus and threat detection
How Does SD-WAN Work?
SD-WAN solutions include pre-configured hardware appliances for edge networks, remote locations, branch offices, and data centers, and the software designed to connect and support SD-WAN capabilities.
Organizations can purchase the needed hardware for different WAN segments, plug those appliances in, and have almost instant access to configure network operations. Administrators can familiarize themselves with the SD-WAN systems and controls through the cloud console. Though most solutions come with some level of pre-configuration, additional changes to meet the specific organization’s networking and security requirements are essential.
SD-WAN vs SASE
SD-WAN predates the naming of the Secure Access Service Edge by a few years and is a declared component of SASE architectures. While SD-WAN addresses managing various distributions of WANs, advanced routing, and network optimization, SASE is a comprehensive IT service umbrella covering the latest hybrid network architectures.
SD-WAN plays a critical role as the software enabling the virtualization of distant hardware networks and advanced management capabilities. Other SASE components are what Gartner refers to as Security Service Edge (SSE).
The Security Service Edge (SSE)
Defined by Gartner as “a convergence of network security services delivered from a purpose-built cloud platform,” the SSE is a subset of SASE addressing everything outside of WAN edge infrastructure.
Standard security tools found within SSE frameworks include:
- Browser isolation
- Cloud access security broker (CASB)
- Cloud security posture management (CSPM)
- Data loss prevention (DLP)
- Data protection
- Encryption and decryption
- Firewall-as-a-Service (FWaaS)
- Secure web gateway (SWG)
- Zero trust network access (ZTNA)
How to Choose a Secure SD-WAN Solution
Given that SASE and SD-WAN are comprehensive solutions for enterprise networks, vendor choice is difficult. Relative to traditional networks, SASE components are largely software-defined, helping organizations reduce hardware costs while enabling advanced IT networking. Interested organizations can choose from several models with varying features for data center, branch, and office nodes – all of which can lead to a heavy initial investment.
Because SASE combines a swath of critical services for businesses and organizations, clients must have the utmost confidence in the vendor’s lineup of services for WAN edge infrastructure and security.
SASE is not a managed SOC solution, but it does put several eggs in one basket. There is no single answer for diversifying third-party vendors; however, the depth of SASE means organizations need to be vigilant in understanding the value added and any gaps in service. Though comprehensive, SASE remains one part of a larger security architecture that includes endpoint detection and response (EDR) and XDR, network monitoring, security information and event management (SIEM), and risk management.