SD-WAN: Comparing 3 Different Network Security Model Architectures

A failsafe SD-WAN is a catalyst for the digital transformation of an organization's branches. Enterprises count on failsafe SD-WANs for tangible user benefits, such as enhanced Quality of Experience (QoE) for real-time and highly interactive applications, even as they use Internet links to augment or replace their expensive, low-bandwidth MPLS WANs. But this cannot come at the expense of network security.
Rather than forcing a costly rip-and-replace, an enterprise SD-WAN solution should support whichever network security model the enterprise prefers, or simply has in place today. The three distinctly different options, centralized, distributed and cloud-based architectures, each raise their own security concerns and offer their own benefits. How does an SD-WAN solution protect enterprise network traffic? What are the cost and network management implications? Are any upgrades required to the rest of the enterprise WAN or LAN?

Failsafe SD-WANs are multilayered and offer high business value for fault-tolerant networks. To compare SD-WAN platforms on security, let's focus on the general network security capabilities of each of the three architectures.

The fundamentals of SD-WAN security

Regardless of the network security architecture, encryption is table stakes for a modern SD-WAN. Data-level security via 128- or 256-bit AES encryption meets this requirement by protecting traffic between branches, from branch to data center, and between branches or private data centers and the cloud. Encryption alone only provides confidentiality, though: additional features such as per-session rotating keys, IPsec termination, virtual routing and forwarding (VRF) and extended packet authentication headers are what detect tampered or replayed packets and limit how much traffic any one key protects. All of these features are fundamental to a secure failsafe SD-WAN. Now let's look at the differences among the three network security models mentioned earlier:
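To make the feature list above concrete, the following Go program is an added illustration and not Talari's code or any vendor's data plane. It models a tunnel endpoint: each packet is sealed with AES-256-GCM under a per-session key, a cleartext sequence-number header is bound into the authentication tag (the role of the packet authentication header), the receiver keeps an IPsec ESP-style anti-replay window, and the session refuses to encrypt more than an assumed packet budget so the key must be rotated. The key size, budget, window size and header layout are assumptions for the example; a real deployment negotiates key material over IKE or the controller channel rather than passing it in directly.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Illustrative tunnel data plane, not a vendor implementation: AES-256-GCM per
// packet, a per-session key with a packet budget (rotate by starting a new
// session), a cleartext header bound into the tag, and an ESP-style replay window.
const (
	keySize      = 32   // AES-256
	headerSize   = 8    // cleartext 64-bit sequence number, authenticated as AAD
	rekeyAfter   = 1000 // packets sealed under one key (assumed budget)
	replayWindow = 64   // bit i of window = seq (highest - i) already accepted
)

type session struct {
	salt    []byte // 4 bytes; salt || seq is the unique 12-byte GCM nonce
	aead    cipher.AEAD
	seq     uint64 // sender: next sequence number
	highest uint64 // receiver: highest sequence number accepted so far
	window  uint64 // receiver: replay bitmap for the 64 seqs at/below highest
}

// newSession installs key material that a real deployment would negotiate over
// IKE or the controller channel rather than pass in directly.
func newSession(key, salt []byte) (*session, error) {
	if len(key) != keySize || len(salt) != 4 {
		return nil, errors.New("need a 32-byte key and a 4-byte salt")
	}
	block, _ := aes.NewCipher(key)  // cannot fail once the length is checked
	aead, _ := cipher.NewGCM(block) // 12-byte nonce, 16-byte tag
	return &session{salt: salt, aead: aead, seq: 1}, nil
}

func (s *session) nonce(seq uint64) []byte {
	return binary.BigEndian.AppendUint64(append([]byte(nil), s.salt...), seq)
}

// seal returns seq || ciphertext || tag. The sequence number travels in the
// clear, but any change to it makes the tag fail at the receiver.
func (s *session) seal(plaintext []byte) ([]byte, error) {
	if s.seq > rekeyAfter {
		return nil, errors.New("key budget exhausted: start a new session")
	}
	hdr := binary.BigEndian.AppendUint64(nil, s.seq)
	ct := s.aead.Seal(nil, s.nonce(s.seq), plaintext, hdr)
	s.seq++
	return append(hdr, ct...), nil
}

// open rejects short, replayed and tampered packets, and advances the replay
// window only after the tag has verified.
func (s *session) open(pkt []byte) ([]byte, error) {
	if len(pkt) < headerSize+s.aead.Overhead() {
		return nil, errors.New("packet too short")
	}
	hdr, ct := pkt[:headerSize], pkt[headerSize:]
	seq := binary.BigEndian.Uint64(hdr)
	old := seq <= s.highest
	if seq == 0 || (old && s.highest-seq >= replayWindow) {
		return nil, errors.New("sequence number zero or older than the window")
	}
	if old && s.window&(1<<(s.highest-seq)) != 0 {
		return nil, errors.New("replayed packet")
	}
	pt, err := s.aead.Open(nil, s.nonce(seq), ct, hdr)
	if err != nil {
		return nil, errors.New("authentication failed: tampered or wrong key")
	}
	s.markSeen(seq)
	return pt, nil
}

func (s *session) markSeen(seq uint64) {
	if seq > s.highest {
		s.window <<= seq - s.highest // Go defines a shift by 64 or more as 0
		s.highest = seq
	}
	s.window |= 1 << (s.highest - seq)
}

func main() {
	km := make([]byte, keySize+4) // key || salt, as if delivered by IKE
	rand.Read(km)
	tx, _ := newSession(km[:keySize], km[keySize:])
	rx, _ := newSession(km[:keySize], km[keySize:])
	pkt, _ := tx.seal([]byte("branch -> data center"))
	pt, err := rx.open(pkt)
	fmt.Printf("fresh packet: %q err=%v\n", pt, err)
	_, err = rx.open(pkt) // identical bytes again
	fmt.Println("replayed packet:", err)
	pkt, _ = tx.seal([]byte("second packet"))
	pkt[len(pkt)-1] ^= 1 // flip one bit of the tag
	_, err = rx.open(pkt)
	fmt.Println("tampered packet:", err)
}
```

The order of checks in `open` matters: the cheap replay-window test runs before the tag verification so a flood of replayed packets cannot force the receiver into AES work, but the window is only updated after the tag verifies, so a forged sequence number cannot slide the window forward and lock out legitimate traffic.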

Centralized network security

The most common network security model for larger enterprises has traditionally used low-bandwidth, expensive MPLS links to backhaul branch traffic to a central data center or HQ, which serves as the single point for network security policy enforcement and Internet egress. The setup is meant to balance performance against security concerns and security costs (both CapEx and OpEx) by harnessing the reliability of private MPLS links and concentrating complex, expensive network security functionality at a small number of locations. Beyond the obvious issue of higher average latency for cloud and SaaS access, since every packet detours through the hub, the model also scales poorly for bandwidth-intensive applications, because all branch Internet traffic must traverse the MPLS backhaul.

In contrast, businesses using a Talari SD-WAN gain reliable backhaul transport over high-bandwidth, inexpensive broadband links that augment or replace MPLS, and they gain it without a forklift upgrade of existing infrastructure. Because that backhaul now crosses the public Internet, the tunnel encryption and packet authentication described above are what keep the centralized model's security guarantees intact.

Distributed network security

Distributed Internet access is the common alternative to the centralized model for new SD-WAN deployments. While it offers lower average latency for Internet and cloud access than the centralized approach, it carries its own set of security, QoE and reliability issues. Network security is much more expensive to deploy and harder to manage when it is replicated at every branch, which makes advanced next-generation firewall (NGFW) capabilities particularly costly to deploy and maintain. A lapse at just one branch is enough to cause an incident, so every site needs sufficient threat management capability and consistently applied policy. As with centralized security, Talari supports a fully distributed model without the need for an infrastructure overhaul.

Cloud-based network security

Looking ahead, cloud-based network security may end up being the most viable model for cloud and SaaS access with SD-WAN deployments, since it does not require ongoing reliance on advanced network security infrastructure at every branch, while still delivering lower average latency for cloud access. The key, though, is ensuring the reliability and security of the connection to the cloud security service: that connection rides the same Internet links as everything else, so it needs the same encryption, packet authentication and link failover as a site-to-site tunnel. Existing integrations with services such as Zscaler and Palo Alto Networks' Global Protect Cloud are a start, as they simplify Internet traffic flows and eliminate complex setups. New solutions like Talari Cloud Connect go further in streamlining SaaS connectivity and delivering reliability and QoE without deploying infrastructure in the cloud, so stay tuned for more news on this topic.

For now, the changes required under the cloud model bear watching for the many organizations with substantial WAN investments. Fortunately, with a Talari failsafe SD-WAN, customers do not have to change their network security model simply to meet a requirement of the SD-WAN solution. Instead, they can be confident that the SD-WAN will fit the architectural choice they make today and any they make tomorrow.

Learn more by requesting a demo or reviewing our FAQ.
