SD-WAN or MPLS: why SD-WAN is the best choice

One of the most common questions that network security architects and information security directors ask themselves when planning their WAN architecture is which technology to build it on: SD-WAN or MPLS? The question matters, because the decision to switch to SD-WAN has significant business implications. In short, the answer is: SD-WAN technology provides higher transparency, better availability, and improved performance, as well as additional freedom of action. This is why we have seen an increase in interest in SD-WAN over the past few years.

Another important factor driving this interest is the flexibility of the technology. MPLS switching usually results in more rigid, fixed connections, which are harder to adapt to the dynamic inter-network interaction that is so popular today when combining branches into one network. In addition, MPLS does not support things like application recognition or comprehensive bandwidth management for latency-sensitive applications.

It seems that the conclusion is obvious. However, not everything is so simple: the main difficulty is that most solutions based on SD-WAN do not provide the same level of security as MPLS. In essence, MPLS allows you to create a secure tunnel on top of the network provider's secure network. We believe that a number of different aspects must be taken into account when choosing an SD-WAN solution, but to implement a more effective strategy than is possible with MPLS, SD-WAN technologies must include integrated security, and both security and network functions must be coordinated through a single integrated management platform.

But before we go any further, let's stop and first discuss when and under what conditions your organization should consider switching from MPLS to SD-WAN.

Advantages of SD-WAN over MPLS

To highlight the key advantages of SD-WAN over MPLS, just pay attention to the following three parameters: cost, security, and performance. In some cases these advantages will not be so clear, and in some specific situations they may even turn out to be disadvantages, but let's take things in order.

SD-WAN solutions may be more cost-effective than MPLS

In the past, many organizations connected remote branches and retail outlets to a single data center using a hub-and-spoke WAN model based on separate MPLS connections. As a result, all data, workflows, and transactions, including access to cloud services or the Internet, had to be backhauled to the data center.

SD-WAN technology reduces costs by providing optimized multi-point connectivity using distributed private exchange points and traffic control, which guarantees users secure local access to the services they need – whether they are on the network or in the cloud – while providing direct access to the cloud and Internet resources.

Secure SD-WAN provides a higher level of security than MPLS solutions

At first glance, the obvious advantage of MPLS is that this technology allows you to organize a secure and managed channel between branches and the data center on top of the communications service provider's own backbone network. Connections in the public network, without installing additional solutions, do not provide such a high level of protection.

But such a comparison would not be entirely correct. MPLS will not allow any analysis of the transmitted data. In the MPLS architecture, such tasks are still assigned to the client. Even when traffic passes through an MPLS connection, this traffic must be inspected for malicious code or other vulnerabilities, which requires the deployment of a firewall and the addition of a number of security features on at least one of the nodes between which the connection is established.

But let's be honest: many SD-WAN solutions have similar problems. Most SD-WAN solutions offer only basic security features and require additional security solutions to be installed on top of the underlying infrastructure. And if an organization tries to add security features to its SD-WAN connections after the infrastructure is deployed, the task is often more difficult than originally expected.

SD-WAN has higher performance than MPLS

In terms of performance, MPLS technology reliably guarantees a fixed level of throughput. Although this may initially seem like an advantage, today's traffic is highly unpredictable. As a result, organizations have to lease MPLS connections based on the worst-case load scenario, which means that most of the time expensive channels are not used, and in other cases – due to the ever-growing volume of data generated by modern networks and devices – fixed MPLS connections can limit network performance.

Of course, some MPLS connections involve the use of a sliding scale, but even in this case, you will face limitations due to the fact that your infrastructure will not be able to analyze the nature of the transmitted traffic and dynamically make appropriate changes to the network operation.

The situation is compounded by the fact that, in addition to a certain bandwidth, some applications – for example, voice or video services – require a certain level of network latency and constantly monitor this parameter. When several different applications use the same network tunnel, priority should be given to traffic that has strict network latency requirements. To do this, you need to be able to recognize traffic from different applications, shape this traffic, load balance, and set priorities for different connections, which is simply not provided in MPLS.

SD-WAN solutions are capable of recognizing applications and can adapt network bandwidth and adjust the performance of other services accordingly. This technology can initiate multiple parallel connections at once, provide accurate load balancing between them, and even add new connections if the available bandwidth drops, to ensure that latency-sensitive applications get the speed and bandwidth they need. This is why Fortinet's Secure SD-WAN solution is based on the industry's first dedicated SD-WAN processor, which is designed to provide even faster application management and supports more than 5,000 frequently used applications.

When MPLS-based solutions can be better than just an SD-WAN solution

However, there are several cases where an MPLS-based solution may be a better choice than just a bare SD-WAN solution. For example, MPLS provides a clean and secure connection, which is especially important when transmitting certain types of data, when running certain special applications, or when performing certain transactions – especially in cases where it is extremely important to ensure a high level of data integrity and prevent unauthorized access. However, since MPLS technology can be used together with any SD-WAN solution, this is not a dilemma. Critical transactions can still be performed using MPLS connections.

Moreover, MPLS-based connections can be very expensive in some markets, such as the United States. Therefore, in these regions, replacing MPLS with connections on top of the public Internet can be a fairly cost-effective solution. However, even in cases where MPLS connections are not as expensive, or where concerns about security and reliability are much more important than the difference in cost, SD-WAN can still be deployed on top of the MPLS connection to provide more protection and functionality than is possible with MPLS alone. All this is achieved because SD-WAN provides higher flexibility, more complete and accurate traffic control, integrated security features, and the ability to simultaneously use different connection strategies – MPLS, public Internet, IPSec, SSL, etc. – all using the same SD-WAN infrastructure.

Secure SD-WAN wins over MPLS in almost any scenario

Fortinet practice shows that the advantages of an SD-WAN solution outweigh those of a single MPLS solution. This is because today's traffic, which includes traffic from modern web applications and complex workflows, requires a more flexible and dynamic network infrastructure than traditional static MPLS-based connections can provide.

But traditional SD-WAN solutions are inferior when it comes to security. The Secure SD-WAN solution, on the other hand, not only provides an additional layer of management and flexible connectivity for remote branches that are not available in MPLS, but also offers deep, well-integrated protection. All this reduces management costs and extends control and management capabilities through a centralized IT infrastructure management console or SOC solutions that can be used in the most remote periphery of a distributed WAN network.

Thus, only you have enough information to decide which infrastructure – based on SD-WAN or MPLS – will best meet your needs.

Unique Fortinet Secure SD-WAN solution

When comparing Secure SD-WAN and MPLS in terms of cost, security, and performance, SD-WAN seems the obvious winner. The Fortinet Secure SD-WAN solution provides organizations with the networking capabilities they need, combined with deeply integrated advanced security and integrated management features, and gives them confidence in their work.

Unlike almost any other SD-WAN solution on the market today, the capabilities of the Fortinet Secure SD-WAN solution combine advanced network and traffic management features with native advanced security features. Moreover, both of these important functions – networking and security – can be managed using a single interface, which significantly reduces administrative costs and at the same time warns administrators of problems that they might have overlooked.

Alexey Andriyashin
05/11.2019

