What is an SD-WAN - graphic

A Software-defined Wide Area Network (SD-WAN) offers a technique to securely unify geographically spread endpoints into a central network.

A contiguous network in one location is called a “local area network” (LAN) Some companies operate several locations and have a network at each place. These separate networks can be linked together to form one network that can be administered centrally. This is a “wide area network,” or WAN.

Many companies now use cloud services, which could also be integrated into the LAN, forming a WAN. So, there are many different reasons for network administrators to consider creating a WAN.

There isn’t much choice over how to link the WAN together. Those remote networks and resources can be contacted over the internet and that medium provides the cheapest and easiest way to form a WAN.

The only problem with the internet is that it is not within the control of the network administrator. It is outside of the building and the cables that make it are owned by other organizations. That loss of control puts off a lot of businesses from exploiting the internet to connect together scattered sites.

The benefits of SD-WAN

Software-defined Wide Area Networks (SD-WAN) solve the problem of control on a public medium. The gateway that connects the LAN to the internet applies encryption to traffic that passes between sites, giving them privacy protection.

SD-WAN systems can route traffic using the Internet Protocol’s conventions, or shorten addresses through the Multiprotocol Label Switching (MPLS) system. It is also able to send traffic over the LTE network to mobile devices.

Although the technology is termed “software-defined”, it can also be implemented by an appliance, which is a hardware solution.

See also: Best SD-WAN Vendors & Providers

SD-WANs vs internet connections

Employees on separate sites can easily communicate with one another over the internet, so why bother with an SD-WAN? The main difference between a system that operates a series of LANs connected by the internet and a WAN is that the address space of a WAN is unified.

LANs use private IP addresses that are only valid within that network and so it doesn’t matter that an endpoint on some other network somewhere else has the same IP address. That also applies to the LAN of another site of the same company. All addresses on a WAN have to be unique. So, creating a WAN through SD-WAN technology creates a single address space across all sites.

The WAN can have one central DHCP server, one DNS server, and one IP address manager. It is still possible to centralize network support at one location if each site of the business keeps its own LAN. However, that means the one network administrator has to keep track of several address spaces and that can get complicated.

The SD-WAN software overlays the intervening internet addressing issues and just presents one address space to the administrator for the private network even though that network is physically scattered.

SD-WANs and VPNs

The working procedures of SD-WANs are very similar to those of virtual private networks (VPNs). Businesses have been using VPNs for some time. Their application allows remote workers to connect to the company network and be treated as though they were in the same building. The link to the remote worker is carried over the internet and is protected by encryption.

The difference between the functions of a VPN and an SD-WAN is that the VPN connects a single endpoint to a network, whereas SD-WAN creates a link between two networks, each serving many endpoints. SD-WAN software can also provide VPN connections to individual workers.

Both VPNs and SD-WANs employ a method that is called “encapsulation.” This involves placing an entire packet inside the payload of another packet. The outer packet has its own header, which does not relate to the routing information contained in the header of the original, inner packet. The outer packet only exists for long enough to get the inner packet across the internet.

The main purpose of encapsulation is to enable the entire original packet to be encrypted and so protected from snoopers. This means that the routing information contained in the header packet is temporarily rendered unreadable, and therefore useless as a source of information to routers across the internet. This effectively makes the inner packet “invisible” to all devices on the internet. An analogy to this process is where someone on a journey passes through a tunnel for part of the way and so would be temporarily invisible to anyone tracking that person by helicopter. For this reason, encapsulation is known as “tunneling.”

SD-WAN connection protection

The most commonly used protection method for SD-WAN traffic as it passes over the internet is IPSec. This presents another similarity with VPN technology because IPSec is one of the security options frequently used to secure VPNs. However, the most common security system used for VPNs is OpenVPN.

IPSec is an open standard, published by the Internet Engineering Taskforce (IETF) originally as RFC 1825, RFC 1826, and RFC 1827. An open standard means that anyone can access the definition of the protocol and implement it without paying a fee. There are no restrictions on the commercial use of the standard.

IPSec is a “Layer 3” (OSI terminology) protocol. It is part of the TCP/IP protocol suite and is below the Transport Layer. This protocol layer is usually implemented by routers – switches being “Layer 2” devices. Being below the Transport Layer, IPSec isn’t able to establish a session. However, it is able to authenticate the remote router and exchange encryption keys. Effectively these procedures emulate the work done by TCP to establish a session.

The security systems in IPSec endure across links, so it covers the entire journey across the internet. The encryption encompasses the packet headers of network traffic, readdressing all packets with an outer header in order to get it across the internet to the corresponding gateway at the remote site.

The encapsulation of IPSec reconciles the difference between the private scope of network IP addresses and the uniqueness requirement of the public internet address space. The IPSec protocol defines two different extents of encryption. The protocol can be used in “transport mode.” In that case, only the body of the carried packet is encrypted. The other option is “tunnel mode,” which encrypts the entire packet including the header and puts it inside an outer packet with a readable header. In SD-WANs, IPSec is always used in tunnel mode.

The encryption method that can be deployed with IPSec is left to the choice of the developer of the implementing software. It can be TripleDES-CBC, AES-CBC, AES-GCM, or ChaCha20 with Poly 1305.

SD-WAN implementation

As a Layer 3 system, SD-WANs should be implemented by the router. However, it is possible to buy software for a computer that captures all traffic before it reaches the router, manages the SD-WAN tasks and then sends it all out onto the internet through the router. This is a virtual appliance solution. An alternative method is to replace the router with an appliance that has the SD-WAN software embedded in it.

The appliance or the software-router combination should be able to optionally route the traffic over the SD-WAN or out on the internet to other destinations. This flexibility is called “split tunneling” because corporate data destined for a remote site of the WAN will travel through the SD-WAN tunnel, while regular internet traffic will go out on the internet without encapsulation.

SD-WAN terminology has only been around since 2014, although the underlying technology has existed longer. However, the methodology is already being absorbed into Cloud computing. Cloud computing bundles software with supporting hardware and is termed “Software as a Service” (SaaS). SD-WAN software can be hosted on a remote server, creating the networking software as a service. This category of service is termed “Unified Communications as a Service,” or UCaaS.

In the UCaaS architecture, the client company doesn’t need to buy any special software or appliance. Instead, a VPN connection from the company to the cloud server channels all traffic to the UCaaS service. The SD-WAN processes are applied at that point and traffic is forwarded on to the appropriate remote site, which is also connected to the UCaaS system via a VPN.

As all traffic from all sites goes through the UCaaS server, decisions over whether to route traffic through the tunnel to another site or send it out over the regular internet are made at the cloud server.

The strategy of routing all traffic through a cloud service is becoming increasingly common and is termed an “edge service.” This is a new method used by cybersecurity companies to provide firewall protection to networks and the UCaaS service can add on security protection, including email monitoring. Other extras that the UCaaS system can provide include continuity, backup, and archiving systems.

Cloud-based SD-WANs are more cost-effective than on-site solutions because they remove the upfront costs of buying the necessary hardware and software to create the WAN and they don’t require technicians to maintain them. UCaaS systems are usually charged for on a subscription basis which costs a fraction of the price of buying the hardware and software to run in-house.

Image attribution: Network Internet from Pixabay. Public domain.